Edit tour

Windows Analysis Report
PO for fabric forecast.exe

Overview

General Information

Sample name:	PO for fabric forecast.exe
Analysis ID:	1570205
MD5:	9c0962de2a744a08f331b64edfcf83dd
SHA1:	1b063810e15c8df8db6216526d4ee20d0de98b5d
SHA256:	37f474ba024470e44cdf908de33a29657d00da334946683d4174daaaa5e71b81
Tags:	exeuser-abuse_ch
Infos:

Detection

AgentTesla, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

PO for fabric forecast.exe (PID: 7480 cmdline: "C:\Users\user\Desktop\PO for fabric forecast.exe" MD5: 9C0962DE2A744A08F331B64EDFCF83DD)

powershell.exe (PID: 7668 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO for fabric forecast.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7708 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 8144 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7752 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QzRJbgyEhZjA" /XML "C:\Users\user\AppData\Local\Temp\tmpC3DA.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PO for fabric forecast.exe (PID: 7912 cmdline: "C:\Users\user\Desktop\PO for fabric forecast.exe" MD5: 9C0962DE2A744A08F331B64EDFCF83DD)

QzRJbgyEhZjA.exe (PID: 8060 cmdline: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe MD5: 9C0962DE2A744A08F331B64EDFCF83DD)

schtasks.exe (PID: 7268 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QzRJbgyEhZjA" /XML "C:\Users\user\AppData\Local\Temp\tmpD697.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

QzRJbgyEhZjA.exe (PID: 2720 cmdline: "C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe" MD5: 9C0962DE2A744A08F331B64EDFCF83DD)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "admin@iaa-airferight.com", "Password": "manlikeyou88"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000D.00000002.3001652959.0000000002F4E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.3002563146.000000000302E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1791996165.0000000003CF9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000008.00000002.2998685644.0000000000433000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.2998685644.0000000000433000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1801879709.0000000009300000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1791996165.00000000040A2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1791996165.00000000040A2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.1840100108.0000000004973000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.1840100108.0000000004973000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000D.00000002.3001652959.0000000002F01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.3001652959.0000000002F01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.3002563146.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.3002563146.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.1838003802.0000000002DC9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1790846476.00000000024FC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: PO for fabric forecast.exe PID: 7480	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PO for fabric forecast.exe PID: 7480	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: PO for fabric forecast.exe PID: 7480	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: PO for fabric forecast.exe PID: 7912	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: PO for fabric forecast.exe PID: 7912	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: QzRJbgyEhZjA.exe PID: 8060	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: QzRJbgyEhZjA.exe PID: 8060	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: QzRJbgyEhZjA.exe PID: 8060	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: QzRJbgyEhZjA.exe PID: 2720	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: QzRJbgyEhZjA.exe PID: 2720	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 21 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.PO for fabric forecast.exe.9300000.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.PO for fabric forecast.exe.3d124e8.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.PO for fabric forecast.exe.3d124e8.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.PO for fabric forecast.exe.9300000.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.PO for fabric forecast.exe.40dd7e0.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PO for fabric forecast.exe.40dd7e0.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.PO for fabric forecast.exe.40dd7e0.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316cb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3173d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317c7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31859:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318c3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31935:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319cb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a5b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.QzRJbgyEhZjA.exe.49ae3e0.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.QzRJbgyEhZjA.exe.49ae3e0.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.QzRJbgyEhZjA.exe.49ae3e0.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316cb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3173d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317c7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31859:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318c3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31935:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319cb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a5b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.PO for fabric forecast.exe.40a2dc0.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PO for fabric forecast.exe.40a2dc0.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.PO for fabric forecast.exe.40a2dc0.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316cb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3173d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317c7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31859:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318c3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31935:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319cb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a5b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
8.2.PO for fabric forecast.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.PO for fabric forecast.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
8.2.PO for fabric forecast.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334cb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3353d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335c7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33659:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336c3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33735:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337cb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3385b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.QzRJbgyEhZjA.exe.49739c0.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.QzRJbgyEhZjA.exe.49739c0.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.QzRJbgyEhZjA.exe.49739c0.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316cb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3173d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317c7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31859:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318c3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31935:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319cb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a5b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.PO for fabric forecast.exe.40dd7e0.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PO for fabric forecast.exe.40dd7e0.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.PO for fabric forecast.exe.40dd7e0.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334cb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6dceb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3353d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6dd5d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335c7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6dde7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33659:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6de79:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336c3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6dee3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33735:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6df55:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337cb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6dfeb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3385b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e07b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.QzRJbgyEhZjA.exe.49ae3e0.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.QzRJbgyEhZjA.exe.49ae3e0.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.QzRJbgyEhZjA.exe.49ae3e0.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334cb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6dceb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3353d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6dd5d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335c7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6dde7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33659:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6de79:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336c3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6dee3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33735:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6df55:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337cb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6dfeb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3385b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e07b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.PO for fabric forecast.exe.40a2dc0.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.PO for fabric forecast.exe.40a2dc0.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.PO for fabric forecast.exe.40a2dc0.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334cb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6deeb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa870b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3353d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6df5d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa877d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335c7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6dfe7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa8807:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33659:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e079:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa8899:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336c3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e0e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa8903:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33735:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e155:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa8975:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337cb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e1eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa8a0b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
9.2.QzRJbgyEhZjA.exe.49739c0.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.QzRJbgyEhZjA.exe.49739c0.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.QzRJbgyEhZjA.exe.49739c0.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334cb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6deeb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa870b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3353d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6df5d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa877d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335c7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6dfe7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa8807:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33659:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e079:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa8899:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336c3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e0e3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa8903:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33735:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e155:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa8975:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337cb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e1eb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa8a0b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
9.2.QzRJbgyEhZjA.exe.2e462e4.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.PO for fabric forecast.exe.2577b50.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 28 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO for fabric forecast.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO for fabric forecast.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO for fabric forecast.exe", ParentImage: C:\Users\user\Desktop\PO for fabric forecast.exe, ParentProcessId: 7480, ParentProcessName: PO for fabric forecast.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO for fabric forecast.exe", ProcessId: 7668, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QzRJbgyEhZjA" /XML "C:\Users\user\AppData\Local\Temp\tmpD697.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QzRJbgyEhZjA" /XML "C:\Users\user\AppData\Local\Temp\tmpD697.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe, ParentImage: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe, ParentProcessId: 8060, ParentProcessName: QzRJbgyEhZjA.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QzRJbgyEhZjA" /XML "C:\Users\user\AppData\Local\Temp\tmpD697.tmp", ProcessId: 7268, ProcessName: schtasks.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 46.175.148.58, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Users\user\Desktop\PO for fabric forecast.exe, Initiated: true, ProcessId: 7912, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49733

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QzRJbgyEhZjA" /XML "C:\Users\user\AppData\Local\Temp\tmpC3DA.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QzRJbgyEhZjA" /XML "C:\Users\user\AppData\Local\Temp\tmpC3DA.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\PO for fabric forecast.exe", ParentImage: C:\Users\user\Desktop\PO for fabric forecast.exe, ParentProcessId: 7480, ParentProcessName: PO for fabric forecast.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QzRJbgyEhZjA" /XML "C:\Users\user\AppData\Local\Temp\tmpC3DA.tmp", ProcessId: 7752, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO for fabric forecast.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO for fabric forecast.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO for fabric forecast.exe", ParentImage: C:\Users\user\Desktop\PO for fabric forecast.exe, ParentProcessId: 7480, ParentProcessName: PO for fabric forecast.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO for fabric forecast.exe", ProcessId: 7668, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QzRJbgyEhZjA" /XML "C:\Users\user\AppData\Local\Temp\tmpC3DA.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QzRJbgyEhZjA" /XML "C:\Users\user\AppData\Local\Temp\tmpC3DA.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\PO for fabric forecast.exe", ParentImage: C:\Users\user\Desktop\PO for fabric forecast.exe, ParentProcessId: 7480, ParentProcessName: PO for fabric forecast.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QzRJbgyEhZjA" /XML "C:\Users\user\AppData\Local\Temp\tmpC3DA.tmp", ProcessId: 7752, ProcessName: schtasks.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: PO for fabric forecast.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://mail.iaa-airferight.com

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe

Avira: detection malicious, Label: HEUR/AGEN.1305452

Found malware configuration

Source: 9.2.QzRJbgyEhZjA.exe.49ae3e0.3.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "admin@iaa-airferight.com", "Password": "manlikeyou88"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe

ReversingLabs: Detection: 54%

Multi AV Scanner detection for submitted file

Source: PO for fabric forecast.exe

ReversingLabs: Detection: 54%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: PO for fabric forecast.exe

Joe Sandbox ML: detected

Source: PO for fabric forecast.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: PO for fabric forecast.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Code function: 4x nop then jmp 0E7A0BCEh		0_2_0E7A03B9
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Code function: 4x nop then jmp 0AE3F3C6h		9_2_0AE3EBB1

Source: Joe Sandbox View

IP Address: 46.175.148.58 46.175.148.58

Source: Joe Sandbox View

ASN Name: ASLAGIDKOM-NETUA ASLAGIDKOM-NETUA

Source: global traffic

TCP traffic: 192.168.2.4:49733 -> 46.175.148.58:25

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: mail.iaa-airferight.com

Source: PO for fabric forecast.exe, 00000008.00000002.3002563146.0000000003036000.00000004.00000800.00020000.00000000.sdmp, QzRJbgyEhZjA.exe, 0000000D.00000002.3001652959.0000000002F56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.iaa-airferight.com
Source: PO for fabric forecast.exe, 00000000.00000002.1790846476.00000000027DE000.00000004.00000800.00020000.00000000.sdmp, QzRJbgyEhZjA.exe, 00000009.00000002.1838003802.00000000030AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PO for fabric forecast.exe, 00000000.00000002.1800318696.0000000008B32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PO for fabric forecast.exe, 00000000.00000002.1800318696.0000000008B32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: PO for fabric forecast.exe, 00000000.00000002.1800318696.0000000008B32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: PO for fabric forecast.exe, 00000000.00000002.1800318696.0000000008B32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: PO for fabric forecast.exe, 00000000.00000002.1800318696.0000000008B32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PO for fabric forecast.exe, 00000000.00000002.1800318696.0000000008B32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PO for fabric forecast.exe, 00000000.00000002.1800318696.0000000008B32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: PO for fabric forecast.exe, 00000000.00000002.1800318696.0000000008B32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: PO for fabric forecast.exe, 00000000.00000002.1800318696.0000000008B32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: PO for fabric forecast.exe, 00000000.00000002.1800318696.0000000008B32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: PO for fabric forecast.exe, 00000000.00000002.1800318696.0000000008B32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: PO for fabric forecast.exe, 00000000.00000002.1800318696.0000000008B32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: PO for fabric forecast.exe, 00000000.00000002.1800318696.0000000008B32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PO for fabric forecast.exe, 00000000.00000002.1800318696.0000000008B32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PO for fabric forecast.exe, 00000000.00000002.1800318696.0000000008B32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PO for fabric forecast.exe, 00000000.00000002.1800318696.0000000008B32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PO for fabric forecast.exe, 00000000.00000002.1800318696.0000000008B32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: PO for fabric forecast.exe, 00000000.00000002.1800318696.0000000008B32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PO for fabric forecast.exe, 00000000.00000002.1800318696.0000000008B32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: PO for fabric forecast.exe, 00000000.00000002.1800318696.0000000008B32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: PO for fabric forecast.exe, 00000000.00000002.1800318696.0000000008B32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: PO for fabric forecast.exe, 00000000.00000002.1800318696.0000000008B32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: PO for fabric forecast.exe, 00000000.00000002.1800318696.0000000008B32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: PO for fabric forecast.exe, 00000000.00000002.1800318696.0000000008B32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: PO for fabric forecast.exe, 00000000.00000002.1800318696.0000000008B32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: PO for fabric forecast.exe, 00000000.00000002.1791996165.00000000040A2000.00000004.00000800.00020000.00000000.sdmp, PO for fabric forecast.exe, 00000008.00000002.2998685644.0000000000433000.00000040.00000400.00020000.00000000.sdmp, QzRJbgyEhZjA.exe, 00000009.00000002.1840100108.0000000004973000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.PO for fabric forecast.exe.40a2dc0.4.raw.unpack, SKTzxzsJw.cs	.Net Code: sf6jJs8S
Source: 0.2.PO for fabric forecast.exe.40dd7e0.1.raw.unpack, SKTzxzsJw.cs	.Net Code: sf6jJs8S

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.PO for fabric forecast.exe.40dd7e0.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.QzRJbgyEhZjA.exe.49ae3e0.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.PO for fabric forecast.exe.40a2dc0.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.PO for fabric forecast.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.QzRJbgyEhZjA.exe.49739c0.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.PO for fabric forecast.exe.40dd7e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.QzRJbgyEhZjA.exe.49ae3e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.PO for fabric forecast.exe.40a2dc0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.QzRJbgyEhZjA.exe.49739c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Code function: 0_2_02332228	0_2_02332228
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Code function: 0_2_023373DC	0_2_023373DC
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Code function: 0_2_02332A18	0_2_02332A18
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Code function: 0_2_02330E84	0_2_02330E84
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Code function: 0_2_02333608	0_2_02333608
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Code function: 0_2_023335FA	0_2_023335FA
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Code function: 0_2_093731D8	0_2_093731D8
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Code function: 0_2_09370040	0_2_09370040
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Code function: 0_2_093731D2	0_2_093731D2
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Code function: 0_2_09372E70	0_2_09372E70
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Code function: 0_2_09666C50	0_2_09666C50
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Code function: 0_2_096628E8	0_2_096628E8
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Code function: 0_2_096628D1	0_2_096628D1
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Code function: 0_2_0966BB80	0_2_0966BB80
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Code function: 0_2_09666C40	0_2_09666C40
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Code function: 0_2_09669C28	0_2_09669C28
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Code function: 0_2_0966A070	0_2_0966A070
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Code function: 0_2_09660040	0_2_09660040
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Code function: 0_2_09660012	0_2_09660012
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Code function: 0_2_0966D3B1	0_2_0966D3B1
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Code function: 0_2_0966A4A0	0_2_0966A4A0
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Code function: 0_2_0966A4A8	0_2_0966A4A8
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Code function: 0_2_0966B748	0_2_0966B748
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Code function: 0_2_0E7A22A8	0_2_0E7A22A8
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Code function: 8_2_011D9B38	8_2_011D9B38
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Code function: 8_2_011D4A98	8_2_011D4A98
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Code function: 8_2_011DCDB0	8_2_011DCDB0
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Code function: 8_2_011D3E80	8_2_011D3E80
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Code function: 8_2_011D41C8	8_2_011D41C8
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Code function: 9_2_011721E0	9_2_011721E0
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Code function: 9_2_011773DC	9_2_011773DC
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Code function: 9_2_0117A538	9_2_0117A538
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Code function: 9_2_011735F9	9_2_011735F9
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Code function: 9_2_01173608	9_2_01173608
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Code function: 9_2_093E0040	9_2_093E0040
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Code function: 9_2_093E31D8	9_2_093E31D8
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Code function: 9_2_093E31D2	9_2_093E31D2
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Code function: 9_2_093E2E70	9_2_093E2E70
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Code function: 9_2_0A9005F0	9_2_0A9005F0
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Code function: 9_2_0AE36C50	9_2_0AE36C50
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Code function: 9_2_0AE3BB80	9_2_0AE3BB80
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Code function: 9_2_0AE328E8	9_2_0AE328E8
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Code function: 9_2_0AE328D1	9_2_0AE328D1
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Code function: 9_2_0AE36C40	9_2_0AE36C40
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Code function: 9_2_0AE39C28	9_2_0AE39C28
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Code function: 9_2_0AE39C38	9_2_0AE39C38
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Code function: 9_2_0AE3A070	9_2_0AE3A070
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Code function: 9_2_0AE30040	9_2_0AE30040
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Code function: 9_2_0AE30007	9_2_0AE30007
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Code function: 9_2_0AE3B748	9_2_0AE3B748
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Code function: 9_2_0AE3A4A8	9_2_0AE3A4A8
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Code function: 9_2_0AE3A49A	9_2_0AE3A49A
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Code function: 13_2_02D29378	13_2_02D29378
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Code function: 13_2_02D24A98	13_2_02D24A98
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Code function: 13_2_02D29B38	13_2_02D29B38
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Code function: 13_2_02D23E80	13_2_02D23E80
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Code function: 13_2_02D2CDB0	13_2_02D2CDB0
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Code function: 13_2_02D241C8	13_2_02D241C8
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Code function: 13_2_062E56D8	13_2_062E56D8
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Code function: 13_2_062E2F00	13_2_062E2F00
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Code function: 13_2_062E3F48	13_2_062E3F48
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Code function: 13_2_062EBD00	13_2_062EBD00
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Code function: 13_2_062EDD10	13_2_062EDD10
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Code function: 13_2_062E9AE0	13_2_062E9AE0
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Code function: 13_2_062E8B98	13_2_062E8B98
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Code function: 13_2_062E0040	13_2_062E0040
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Code function: 13_2_062E3650	13_2_062E3650
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Code function: 13_2_062E4FF8	13_2_062E4FF8

Source: PO for fabric forecast.exe, 00000000.00000002.1789637397.000000000068E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs PO for fabric forecast.exe
Source: PO for fabric forecast.exe, 00000000.00000002.1803538764.000000000AC60000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs PO for fabric forecast.exe
Source: PO for fabric forecast.exe, 00000000.00000002.1791996165.0000000003D32000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs PO for fabric forecast.exe
Source: PO for fabric forecast.exe, 00000000.00000002.1790846476.00000000024FC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs PO for fabric forecast.exe
Source: PO for fabric forecast.exe, 00000000.00000002.1791996165.00000000040A2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7e5bb978-3a35-43a5-95fe-dd44d69d6a5a.exe4 vs PO for fabric forecast.exe
Source: PO for fabric forecast.exe, 00000000.00000002.1790846476.00000000027DE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7e5bb978-3a35-43a5-95fe-dd44d69d6a5a.exe4 vs PO for fabric forecast.exe
Source: PO for fabric forecast.exe, 00000000.00000000.1734972800.000000000013C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamenlzO.exe4 vs PO for fabric forecast.exe
Source: PO for fabric forecast.exe, 00000000.00000002.1791996165.0000000003CF9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs PO for fabric forecast.exe
Source: PO for fabric forecast.exe, 00000000.00000002.1801879709.0000000009300000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs PO for fabric forecast.exe
Source: PO for fabric forecast.exe, 00000008.00000002.2998685644.0000000000433000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7e5bb978-3a35-43a5-95fe-dd44d69d6a5a.exe4 vs PO for fabric forecast.exe
Source: PO for fabric forecast.exe, 00000008.00000002.2999216646.0000000000F58000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PO for fabric forecast.exe
Source: PO for fabric forecast.exe	Binary or memory string: OriginalFilenamenlzO.exe4 vs PO for fabric forecast.exe

Source: PO for fabric forecast.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.PO for fabric forecast.exe.40dd7e0.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.QzRJbgyEhZjA.exe.49ae3e0.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PO for fabric forecast.exe.40a2dc0.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.PO for fabric forecast.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.QzRJbgyEhZjA.exe.49739c0.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PO for fabric forecast.exe.40dd7e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.QzRJbgyEhZjA.exe.49ae3e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PO for fabric forecast.exe.40a2dc0.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.QzRJbgyEhZjA.exe.49739c0.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: PO for fabric forecast.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: QzRJbgyEhZjA.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.PO for fabric forecast.exe.3d124e8.2.raw.unpack, kAOj1Y7pfP90kycNNw.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.PO for fabric forecast.exe.40a2dc0.4.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO for fabric forecast.exe.40a2dc0.4.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO for fabric forecast.exe.40a2dc0.4.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO for fabric forecast.exe.40a2dc0.4.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO for fabric forecast.exe.40a2dc0.4.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO for fabric forecast.exe.40a2dc0.4.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO for fabric forecast.exe.40a2dc0.4.raw.unpack, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO for fabric forecast.exe.40a2dc0.4.raw.unpack, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: 0.2.PO for fabric forecast.exe.3fc0ca8.5.raw.unpack, hFfrBx0nBbvPc4vgxD.cs	Security API names: _0020.SetAccessControl
Source: 0.2.PO for fabric forecast.exe.3fc0ca8.5.raw.unpack, hFfrBx0nBbvPc4vgxD.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO for fabric forecast.exe.3fc0ca8.5.raw.unpack, hFfrBx0nBbvPc4vgxD.cs	Security API names: _0020.AddAccessRule
Source: 0.2.PO for fabric forecast.exe.ac60000.7.raw.unpack, BEht6nNGxxkendSFT6.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO for fabric forecast.exe.3f42088.3.raw.unpack, hFfrBx0nBbvPc4vgxD.cs	Security API names: _0020.SetAccessControl
Source: 0.2.PO for fabric forecast.exe.3f42088.3.raw.unpack, hFfrBx0nBbvPc4vgxD.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO for fabric forecast.exe.3f42088.3.raw.unpack, hFfrBx0nBbvPc4vgxD.cs	Security API names: _0020.AddAccessRule
Source: 0.2.PO for fabric forecast.exe.ac60000.7.raw.unpack, hFfrBx0nBbvPc4vgxD.cs	Security API names: _0020.SetAccessControl
Source: 0.2.PO for fabric forecast.exe.ac60000.7.raw.unpack, hFfrBx0nBbvPc4vgxD.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO for fabric forecast.exe.ac60000.7.raw.unpack, hFfrBx0nBbvPc4vgxD.cs	Security API names: _0020.AddAccessRule
Source: 0.2.PO for fabric forecast.exe.3f42088.3.raw.unpack, BEht6nNGxxkendSFT6.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO for fabric forecast.exe.3fc0ca8.5.raw.unpack, BEht6nNGxxkendSFT6.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@19/15@1/1

Source: C:\Users\user\Desktop\PO for fabric forecast.exe

File created: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7724:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6016:120:WilError_03
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Mutant created: \Sessions\1\BaseNamedObjects\atBVxLDejnNQhuFjeExBkWtc
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7676:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7804:120:WilError_03

Source: C:\Users\user\Desktop\PO for fabric forecast.exe

File created: C:\Users\user\AppData\Local\Temp\tmpC3DA.tmp

Jump to behavior

Source: PO for fabric forecast.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: PO for fabric forecast.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\PO for fabric forecast.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\PO for fabric forecast.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PO for fabric forecast.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PO for fabric forecast.exe

ReversingLabs: Detection: 54%

Source: C:\Users\user\Desktop\PO for fabric forecast.exe

File read: C:\Users\user\Desktop\PO for fabric forecast.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PO for fabric forecast.exe "C:\Users\user\Desktop\PO for fabric forecast.exe"
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO for fabric forecast.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QzRJbgyEhZjA" /XML "C:\Users\user\AppData\Local\Temp\tmpC3DA.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process created: C:\Users\user\Desktop\PO for fabric forecast.exe "C:\Users\user\Desktop\PO for fabric forecast.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QzRJbgyEhZjA" /XML "C:\Users\user\AppData\Local\Temp\tmpD697.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process created: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe "C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe"
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO for fabric forecast.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QzRJbgyEhZjA" /XML "C:\Users\user\AppData\Local\Temp\tmpC3DA.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process created: C:\Users\user\Desktop\PO for fabric forecast.exe "C:\Users\user\Desktop\PO for fabric forecast.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QzRJbgyEhZjA" /XML "C:\Users\user\AppData\Local\Temp\tmpD697.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process created: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe "C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Section loaded: fwpuclnt.dll

Source: C:\Users\user\Desktop\PO for fabric forecast.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\PO for fabric forecast.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\PO for fabric forecast.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: PO for fabric forecast.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PO for fabric forecast.exe

Static file information: File size 1051648 > 1048576

Source: PO for fabric forecast.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.PO for fabric forecast.exe.3d124e8.2.raw.unpack, kAOj1Y7pfP90kycNNw.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.PO for fabric forecast.exe.9300000.6.raw.unpack, kAOj1Y7pfP90kycNNw.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 0.2.PO for fabric forecast.exe.3f42088.3.raw.unpack, hFfrBx0nBbvPc4vgxD.cs	.Net Code: GWecdIE5Lh System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO for fabric forecast.exe.3d124e8.2.raw.unpack, GtaAIbrHXObmMm8GPA.cs	.Net Code: vaH8QmOOp System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO for fabric forecast.exe.9300000.6.raw.unpack, GtaAIbrHXObmMm8GPA.cs	.Net Code: vaH8QmOOp System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO for fabric forecast.exe.3fc0ca8.5.raw.unpack, hFfrBx0nBbvPc4vgxD.cs	.Net Code: GWecdIE5Lh System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO for fabric forecast.exe.ac60000.7.raw.unpack, hFfrBx0nBbvPc4vgxD.cs	.Net Code: GWecdIE5Lh System.Reflection.Assembly.Load(byte[])

Source: PO for fabric forecast.exe

Static PE information: 0x800448EF [Fri Jan 22 09:14:23 2038 UTC]

Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Code function: 0_2_09669B28 push FFFFFFA4h; retf	0_2_09669B2A
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Code function: 0_2_09662708 push esi; retf	0_2_0966270B
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Code function: 0_2_0966263C pushad ; iretd	0_2_0966263D
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Code function: 9_2_0AE39B21 push FFFFFFA4h; retf	9_2_0AE39B2A
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Code function: 9_2_0AE3263C pushad ; iretd	9_2_0AE3263D
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Code function: 9_2_0AE32708 push esi; retf	9_2_0AE3270B

Source: PO for fabric forecast.exe	Static PE information: section name: .text entropy: 7.744906030867297
Source: QzRJbgyEhZjA.exe.0.dr	Static PE information: section name: .text entropy: 7.744906030867297

Source: 0.2.PO for fabric forecast.exe.3f42088.3.raw.unpack, OjOBnushuhVRoB2IcY.cs	High entropy of concatenated method names: 'oeQSUpIynx', 'eqJShLdvNq', 'vQESNJvvcc', 'eF5SsLD5gO', 'iBDSV81Yim', 'VerSw56D6i', 'AtYSiQoBm1', 'RZqSydQSti', 'EswS93IcCM', 'FHcSQR49ls'
Source: 0.2.PO for fabric forecast.exe.3f42088.3.raw.unpack, hFfrBx0nBbvPc4vgxD.cs	High entropy of concatenated method names: 'APwBWZcymM', 'DUdBK0GggF', 'NHoBmvYlCK', 'lE3BSAJpK4', 'NccBaG2p0e', 'TCRBOjovsi', 'JmpBMWPVnj', 'mpkB0X0P0U', 'vCZB3yS4YZ', 'K7ZBYaenhd'
Source: 0.2.PO for fabric forecast.exe.3f42088.3.raw.unpack, lRPMWv7VIL4RLsgtlc.cs	High entropy of concatenated method names: 'Ol5OW9208E', 'OlMOmv7Brn', 'iv8OagAWij', 'r6kOMi86Dr', 'numO0SpbiJ', 'JKIaXL9ByC', 'q8havhyvXi', 'DlyaZsUkZW', 'WG2a2CnKFg', 'yjnalY12GA'
Source: 0.2.PO for fabric forecast.exe.3f42088.3.raw.unpack, HfA1dnL1w8tvGkexIM.cs	High entropy of concatenated method names: 'WWHQSyvJ9w', 'JRWQadfqZl', 'Gr0QOIEMtr', 'WVsQMNtNw1', 'K6xQ9eOohQ', 'pndQ0mS6Th', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PO for fabric forecast.exe.3f42088.3.raw.unpack, GmYBUlrkE06kXVuyBJd.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'NwvQetoUuo', 'm0wQAit11b', 'MoQQbOHDFA', 'gIPQ4GUkkd', 'hQoQxg4oSZ', 'sAXQE5SDqI', 'Ik9QP2rUHv'
Source: 0.2.PO for fabric forecast.exe.3f42088.3.raw.unpack, D9qORnv59sJbIulm1L.cs	High entropy of concatenated method names: 'g1Qi2UU7g7', 'p1biLs25c3', 'wBgykAkDkE', 'bOxyr2oJ4u', 'euaieEinMF', 'vIqiAk98ib', 'Bv1ibcZhSN', 'i6li46Yf9V', 'll0ixBBSNr', 'OkOiEJEvMA'
Source: 0.2.PO for fabric forecast.exe.3f42088.3.raw.unpack, lCSg9Ob0nf0FhnrucK.cs	High entropy of concatenated method names: 'GNdnNP4p86', 'BilnsfIm9l', 'hiVn7sat8g', 'MPUnRW1c95', 'LcmnDUtdGq', 'FI9nqrJfQq', 'sW0nJxFs8K', 'ROOnTX5OBf', 'wO1nC8mwAi', 'FuRneqO4yx'
Source: 0.2.PO for fabric forecast.exe.3f42088.3.raw.unpack, Fwx0mKrrX8TCHneEHEZ.cs	High entropy of concatenated method names: 'KvOQL8w23Y', 'TpGQz5nVdF', 'Cd5GkT5GFl', 'cBwGrty9G9', 'RkGG6A9r78', 'EbXGBVV3sa', 'b2PGcjXbiG', 'v1sGWVLc8h', 'kMnGKI8Ngi', 'DUHGmSchwt'
Source: 0.2.PO for fabric forecast.exe.3f42088.3.raw.unpack, xRsLG9cJMxAX4AR5gt.cs	High entropy of concatenated method names: 'd31rMEht6n', 'txxr0kendS', 'ChurYhVRoB', 'WIcr5YSn2k', 'XXKrVHDYRP', 'jWvrwVIL4R', 'yXTm9L3OWi0fnt1MgC', 'yVckFwy0RKS6YJ39c6', 'Aeprrf2ch0', 'SBZrBUFbZ3'
Source: 0.2.PO for fabric forecast.exe.3f42088.3.raw.unpack, EInat9RUu1XJh0Z49m.cs	High entropy of concatenated method names: 'khFS2tNMjm3Um7GJoT3', 'hhXvKcNwV7wMaTtgXeq', 'NNFWNENcpkAR3Va2mrg', 'Wh2OyiDmLC', 'aEJO9tEhuT', 'SROOQylbxa', 'PNPdfiNb0RSB4L8pxar', 'otNWuDNT8k67KUFflGh'
Source: 0.2.PO for fabric forecast.exe.3f42088.3.raw.unpack, yfSSBJm6AgR9Eoem3q.cs	High entropy of concatenated method names: 'Dispose', 'XAdrlAVPGH', 'CMv6RD6x36', 'B1WahtVNGL', 'CymrLta4eD', 'P66rzhZatw', 'ProcessDialogKey', 'S6I6kVKw54', 'T7Z6rNPR88', 'DXb66HfA1d'
Source: 0.2.PO for fabric forecast.exe.3f42088.3.raw.unpack, NDfwiJPTGKRv6eiXBO.cs	High entropy of concatenated method names: 'tEfiYViYxH', 'X8yi5AqDas', 'ToString', 'HaaiKgDZN0', 'zKHimHwLI4', 'J5fiSodX4O', 'xdTia2RdCL', 'lXAiOlqf3e', 'mlxiMTpCtv', 'wKti0IoIiu'
Source: 0.2.PO for fabric forecast.exe.3f42088.3.raw.unpack, ss9XBZFd16DGTWXvHT.cs	High entropy of concatenated method names: 'JrfMj92VX5', 'OU5MomZq42', 'H96MdjixaR', 'OMFMUMf0ls', 'mViM1eRGtc', 'ALCMhLlNrO', 'FLNMuRERIn', 'd18MNkNYef', 'EX3MsSGF6l', 'cgDMpYCLDa'
Source: 0.2.PO for fabric forecast.exe.3f42088.3.raw.unpack, CworMjzNNid5afA3dk.cs	High entropy of concatenated method names: 'EjaQh2ehHI', 'NbxQNW3Ndb', 'U10Qsj5kvG', 'JusQ76MAbc', 'QAMQR3SGdl', 'DHxQDs6lbk', 'madQqHa7NP', 'LwpQfWDNtU', 'AISQjmINPt', 'gQNQo5sADO'
Source: 0.2.PO for fabric forecast.exe.3f42088.3.raw.unpack, KLbcNFZUp2AdAVPGHu.cs	High entropy of concatenated method names: 'jmg9VVFUiH', 'e6S9iMWq5j', 'Mxq99Rq4Ix', 'ETY9GPHaDI', 'hx19868wnP', 'xwN9f7NVjl', 'Dispose', 'qbFyKuG6nX', 'v0cym987Wg', 'JJFySYRuPs'
Source: 0.2.PO for fabric forecast.exe.3f42088.3.raw.unpack, vVKw54lP7ZNPR88NXb.cs	High entropy of concatenated method names: 'kS7979iHCy', 'Bw19RP60RB', 'zCj9H8hpdx', 'QLY9DrY3KL', 'TBi9qYcFHV', 'cCB9gpBlpC', 't3I9JEqRIP', 'kpK9TPYoVD', 'cij9FbJnWp', 'n269CduF61'
Source: 0.2.PO for fabric forecast.exe.3f42088.3.raw.unpack, mlPP6U4AIiJf9IRDX2.cs	High entropy of concatenated method names: 'GmsVCMgENQ', 'wB6VA7dvBe', 'l4LV4LnNLA', 'hR5VxSkTIZ', 'huHVRwGm9u', 'rdiVHJHnEM', 'FskVDtjbms', 'h5cVqZ5PN8', 'R1IVgAmtvA', 'sSIVJWLeWr'
Source: 0.2.PO for fabric forecast.exe.3f42088.3.raw.unpack, BEht6nNGxxkendSFT6.cs	High entropy of concatenated method names: 'CtQm4xCphk', 'kClmxIECaI', 'Y6LmE4mEQH', 'vm0mP9muAA', 'aSFmXYKYcf', 'RHHmvdiUUe', 'h8vmZ3FdpR', 'I05m2s63l7', 'dE4ml3vh37', 'etPmLs8lJY'
Source: 0.2.PO for fabric forecast.exe.3f42088.3.raw.unpack, FSgpVb6h2DhqWalm3A.cs	High entropy of concatenated method names: 'IDld580Ty', 'fZ3UtsxYX', 'OBnhu7L9A', 'QJYu2y3eZ', 'SNRsKub7q', 'XuapeiiWe', 'tHhWrwpjWN3gYWF9us', 'xCkcMcDsM3P3iU3hmr', 'XVayONawq', 'gaFQs8A5R'
Source: 0.2.PO for fabric forecast.exe.3d124e8.2.raw.unpack, FZaOUuOPvnEAfIAr0M.cs	High entropy of concatenated method names: 'lEA0fIAr0', 'tZCA8AZk9', 'gXO9bmMm8', 'DGw7NTeNK', 'Om2dkTqQy', 'EZYgaiyMO', 'Dispose', 'FZaOOUuPv', 'pv8tyvFJFxYXZkDera', 'y16QeXgcC0F7yngarN'
Source: 0.2.PO for fabric forecast.exe.3d124e8.2.raw.unpack, GtaAIbrHXObmMm8GPA.cs	High entropy of concatenated method names: 't43wlqHDE', 'b331V9lSR', 'y0lQR8D9G', 'PPrmXmJxA', 'CF9acgM2i', 'eykiYV7wh', 'vSMVwpZMk', 'kxKJsuLoh', 'Ny8e5Nb61', 'qdOCMMDun'
Source: 0.2.PO for fabric forecast.exe.3d124e8.2.raw.unpack, kAOj1Y7pfP90kycNNw.cs	High entropy of concatenated method names: 'lb2Ia3XrDtd392xi2Tb', 'XJIblTXQXnFqByJBCJm', 'uLEr9lUTy0', 'Y8R45UX8CExDEFrtuqs', 'ye0NJSX7mZWAZIVVpiG', 'WY1PxJXMKygj5Preg16', 'ELG2kXXJWTZduCJNQBl', 'RgtTUJcyZL', 'wUUrNltvEH', 'CJErdEKrT9'
Source: 0.2.PO for fabric forecast.exe.9300000.6.raw.unpack, FZaOUuOPvnEAfIAr0M.cs	High entropy of concatenated method names: 'lEA0fIAr0', 'tZCA8AZk9', 'gXO9bmMm8', 'DGw7NTeNK', 'Om2dkTqQy', 'EZYgaiyMO', 'Dispose', 'FZaOOUuPv', 'pv8tyvFJFxYXZkDera', 'y16QeXgcC0F7yngarN'
Source: 0.2.PO for fabric forecast.exe.9300000.6.raw.unpack, GtaAIbrHXObmMm8GPA.cs	High entropy of concatenated method names: 't43wlqHDE', 'b331V9lSR', 'y0lQR8D9G', 'PPrmXmJxA', 'CF9acgM2i', 'eykiYV7wh', 'vSMVwpZMk', 'kxKJsuLoh', 'Ny8e5Nb61', 'qdOCMMDun'
Source: 0.2.PO for fabric forecast.exe.9300000.6.raw.unpack, kAOj1Y7pfP90kycNNw.cs	High entropy of concatenated method names: 'lb2Ia3XrDtd392xi2Tb', 'XJIblTXQXnFqByJBCJm', 'uLEr9lUTy0', 'Y8R45UX8CExDEFrtuqs', 'ye0NJSX7mZWAZIVVpiG', 'WY1PxJXMKygj5Preg16', 'ELG2kXXJWTZduCJNQBl', 'RgtTUJcyZL', 'wUUrNltvEH', 'CJErdEKrT9'
Source: 0.2.PO for fabric forecast.exe.3fc0ca8.5.raw.unpack, OjOBnushuhVRoB2IcY.cs	High entropy of concatenated method names: 'oeQSUpIynx', 'eqJShLdvNq', 'vQESNJvvcc', 'eF5SsLD5gO', 'iBDSV81Yim', 'VerSw56D6i', 'AtYSiQoBm1', 'RZqSydQSti', 'EswS93IcCM', 'FHcSQR49ls'
Source: 0.2.PO for fabric forecast.exe.3fc0ca8.5.raw.unpack, hFfrBx0nBbvPc4vgxD.cs	High entropy of concatenated method names: 'APwBWZcymM', 'DUdBK0GggF', 'NHoBmvYlCK', 'lE3BSAJpK4', 'NccBaG2p0e', 'TCRBOjovsi', 'JmpBMWPVnj', 'mpkB0X0P0U', 'vCZB3yS4YZ', 'K7ZBYaenhd'
Source: 0.2.PO for fabric forecast.exe.3fc0ca8.5.raw.unpack, lRPMWv7VIL4RLsgtlc.cs	High entropy of concatenated method names: 'Ol5OW9208E', 'OlMOmv7Brn', 'iv8OagAWij', 'r6kOMi86Dr', 'numO0SpbiJ', 'JKIaXL9ByC', 'q8havhyvXi', 'DlyaZsUkZW', 'WG2a2CnKFg', 'yjnalY12GA'
Source: 0.2.PO for fabric forecast.exe.3fc0ca8.5.raw.unpack, HfA1dnL1w8tvGkexIM.cs	High entropy of concatenated method names: 'WWHQSyvJ9w', 'JRWQadfqZl', 'Gr0QOIEMtr', 'WVsQMNtNw1', 'K6xQ9eOohQ', 'pndQ0mS6Th', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PO for fabric forecast.exe.3fc0ca8.5.raw.unpack, GmYBUlrkE06kXVuyBJd.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'NwvQetoUuo', 'm0wQAit11b', 'MoQQbOHDFA', 'gIPQ4GUkkd', 'hQoQxg4oSZ', 'sAXQE5SDqI', 'Ik9QP2rUHv'
Source: 0.2.PO for fabric forecast.exe.3fc0ca8.5.raw.unpack, D9qORnv59sJbIulm1L.cs	High entropy of concatenated method names: 'g1Qi2UU7g7', 'p1biLs25c3', 'wBgykAkDkE', 'bOxyr2oJ4u', 'euaieEinMF', 'vIqiAk98ib', 'Bv1ibcZhSN', 'i6li46Yf9V', 'll0ixBBSNr', 'OkOiEJEvMA'
Source: 0.2.PO for fabric forecast.exe.3fc0ca8.5.raw.unpack, lCSg9Ob0nf0FhnrucK.cs	High entropy of concatenated method names: 'GNdnNP4p86', 'BilnsfIm9l', 'hiVn7sat8g', 'MPUnRW1c95', 'LcmnDUtdGq', 'FI9nqrJfQq', 'sW0nJxFs8K', 'ROOnTX5OBf', 'wO1nC8mwAi', 'FuRneqO4yx'
Source: 0.2.PO for fabric forecast.exe.3fc0ca8.5.raw.unpack, Fwx0mKrrX8TCHneEHEZ.cs	High entropy of concatenated method names: 'KvOQL8w23Y', 'TpGQz5nVdF', 'Cd5GkT5GFl', 'cBwGrty9G9', 'RkGG6A9r78', 'EbXGBVV3sa', 'b2PGcjXbiG', 'v1sGWVLc8h', 'kMnGKI8Ngi', 'DUHGmSchwt'
Source: 0.2.PO for fabric forecast.exe.3fc0ca8.5.raw.unpack, xRsLG9cJMxAX4AR5gt.cs	High entropy of concatenated method names: 'd31rMEht6n', 'txxr0kendS', 'ChurYhVRoB', 'WIcr5YSn2k', 'XXKrVHDYRP', 'jWvrwVIL4R', 'yXTm9L3OWi0fnt1MgC', 'yVckFwy0RKS6YJ39c6', 'Aeprrf2ch0', 'SBZrBUFbZ3'
Source: 0.2.PO for fabric forecast.exe.3fc0ca8.5.raw.unpack, EInat9RUu1XJh0Z49m.cs	High entropy of concatenated method names: 'khFS2tNMjm3Um7GJoT3', 'hhXvKcNwV7wMaTtgXeq', 'NNFWNENcpkAR3Va2mrg', 'Wh2OyiDmLC', 'aEJO9tEhuT', 'SROOQylbxa', 'PNPdfiNb0RSB4L8pxar', 'otNWuDNT8k67KUFflGh'
Source: 0.2.PO for fabric forecast.exe.3fc0ca8.5.raw.unpack, yfSSBJm6AgR9Eoem3q.cs	High entropy of concatenated method names: 'Dispose', 'XAdrlAVPGH', 'CMv6RD6x36', 'B1WahtVNGL', 'CymrLta4eD', 'P66rzhZatw', 'ProcessDialogKey', 'S6I6kVKw54', 'T7Z6rNPR88', 'DXb66HfA1d'
Source: 0.2.PO for fabric forecast.exe.3fc0ca8.5.raw.unpack, NDfwiJPTGKRv6eiXBO.cs	High entropy of concatenated method names: 'tEfiYViYxH', 'X8yi5AqDas', 'ToString', 'HaaiKgDZN0', 'zKHimHwLI4', 'J5fiSodX4O', 'xdTia2RdCL', 'lXAiOlqf3e', 'mlxiMTpCtv', 'wKti0IoIiu'
Source: 0.2.PO for fabric forecast.exe.3fc0ca8.5.raw.unpack, ss9XBZFd16DGTWXvHT.cs	High entropy of concatenated method names: 'JrfMj92VX5', 'OU5MomZq42', 'H96MdjixaR', 'OMFMUMf0ls', 'mViM1eRGtc', 'ALCMhLlNrO', 'FLNMuRERIn', 'd18MNkNYef', 'EX3MsSGF6l', 'cgDMpYCLDa'
Source: 0.2.PO for fabric forecast.exe.3fc0ca8.5.raw.unpack, CworMjzNNid5afA3dk.cs	High entropy of concatenated method names: 'EjaQh2ehHI', 'NbxQNW3Ndb', 'U10Qsj5kvG', 'JusQ76MAbc', 'QAMQR3SGdl', 'DHxQDs6lbk', 'madQqHa7NP', 'LwpQfWDNtU', 'AISQjmINPt', 'gQNQo5sADO'
Source: 0.2.PO for fabric forecast.exe.3fc0ca8.5.raw.unpack, KLbcNFZUp2AdAVPGHu.cs	High entropy of concatenated method names: 'jmg9VVFUiH', 'e6S9iMWq5j', 'Mxq99Rq4Ix', 'ETY9GPHaDI', 'hx19868wnP', 'xwN9f7NVjl', 'Dispose', 'qbFyKuG6nX', 'v0cym987Wg', 'JJFySYRuPs'
Source: 0.2.PO for fabric forecast.exe.3fc0ca8.5.raw.unpack, vVKw54lP7ZNPR88NXb.cs	High entropy of concatenated method names: 'kS7979iHCy', 'Bw19RP60RB', 'zCj9H8hpdx', 'QLY9DrY3KL', 'TBi9qYcFHV', 'cCB9gpBlpC', 't3I9JEqRIP', 'kpK9TPYoVD', 'cij9FbJnWp', 'n269CduF61'
Source: 0.2.PO for fabric forecast.exe.3fc0ca8.5.raw.unpack, mlPP6U4AIiJf9IRDX2.cs	High entropy of concatenated method names: 'GmsVCMgENQ', 'wB6VA7dvBe', 'l4LV4LnNLA', 'hR5VxSkTIZ', 'huHVRwGm9u', 'rdiVHJHnEM', 'FskVDtjbms', 'h5cVqZ5PN8', 'R1IVgAmtvA', 'sSIVJWLeWr'
Source: 0.2.PO for fabric forecast.exe.3fc0ca8.5.raw.unpack, BEht6nNGxxkendSFT6.cs	High entropy of concatenated method names: 'CtQm4xCphk', 'kClmxIECaI', 'Y6LmE4mEQH', 'vm0mP9muAA', 'aSFmXYKYcf', 'RHHmvdiUUe', 'h8vmZ3FdpR', 'I05m2s63l7', 'dE4ml3vh37', 'etPmLs8lJY'
Source: 0.2.PO for fabric forecast.exe.3fc0ca8.5.raw.unpack, FSgpVb6h2DhqWalm3A.cs	High entropy of concatenated method names: 'IDld580Ty', 'fZ3UtsxYX', 'OBnhu7L9A', 'QJYu2y3eZ', 'SNRsKub7q', 'XuapeiiWe', 'tHhWrwpjWN3gYWF9us', 'xCkcMcDsM3P3iU3hmr', 'XVayONawq', 'gaFQs8A5R'
Source: 0.2.PO for fabric forecast.exe.ac60000.7.raw.unpack, OjOBnushuhVRoB2IcY.cs	High entropy of concatenated method names: 'oeQSUpIynx', 'eqJShLdvNq', 'vQESNJvvcc', 'eF5SsLD5gO', 'iBDSV81Yim', 'VerSw56D6i', 'AtYSiQoBm1', 'RZqSydQSti', 'EswS93IcCM', 'FHcSQR49ls'
Source: 0.2.PO for fabric forecast.exe.ac60000.7.raw.unpack, hFfrBx0nBbvPc4vgxD.cs	High entropy of concatenated method names: 'APwBWZcymM', 'DUdBK0GggF', 'NHoBmvYlCK', 'lE3BSAJpK4', 'NccBaG2p0e', 'TCRBOjovsi', 'JmpBMWPVnj', 'mpkB0X0P0U', 'vCZB3yS4YZ', 'K7ZBYaenhd'
Source: 0.2.PO for fabric forecast.exe.ac60000.7.raw.unpack, lRPMWv7VIL4RLsgtlc.cs	High entropy of concatenated method names: 'Ol5OW9208E', 'OlMOmv7Brn', 'iv8OagAWij', 'r6kOMi86Dr', 'numO0SpbiJ', 'JKIaXL9ByC', 'q8havhyvXi', 'DlyaZsUkZW', 'WG2a2CnKFg', 'yjnalY12GA'
Source: 0.2.PO for fabric forecast.exe.ac60000.7.raw.unpack, HfA1dnL1w8tvGkexIM.cs	High entropy of concatenated method names: 'WWHQSyvJ9w', 'JRWQadfqZl', 'Gr0QOIEMtr', 'WVsQMNtNw1', 'K6xQ9eOohQ', 'pndQ0mS6Th', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.PO for fabric forecast.exe.ac60000.7.raw.unpack, GmYBUlrkE06kXVuyBJd.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'NwvQetoUuo', 'm0wQAit11b', 'MoQQbOHDFA', 'gIPQ4GUkkd', 'hQoQxg4oSZ', 'sAXQE5SDqI', 'Ik9QP2rUHv'
Source: 0.2.PO for fabric forecast.exe.ac60000.7.raw.unpack, D9qORnv59sJbIulm1L.cs	High entropy of concatenated method names: 'g1Qi2UU7g7', 'p1biLs25c3', 'wBgykAkDkE', 'bOxyr2oJ4u', 'euaieEinMF', 'vIqiAk98ib', 'Bv1ibcZhSN', 'i6li46Yf9V', 'll0ixBBSNr', 'OkOiEJEvMA'
Source: 0.2.PO for fabric forecast.exe.ac60000.7.raw.unpack, lCSg9Ob0nf0FhnrucK.cs	High entropy of concatenated method names: 'GNdnNP4p86', 'BilnsfIm9l', 'hiVn7sat8g', 'MPUnRW1c95', 'LcmnDUtdGq', 'FI9nqrJfQq', 'sW0nJxFs8K', 'ROOnTX5OBf', 'wO1nC8mwAi', 'FuRneqO4yx'
Source: 0.2.PO for fabric forecast.exe.ac60000.7.raw.unpack, Fwx0mKrrX8TCHneEHEZ.cs	High entropy of concatenated method names: 'KvOQL8w23Y', 'TpGQz5nVdF', 'Cd5GkT5GFl', 'cBwGrty9G9', 'RkGG6A9r78', 'EbXGBVV3sa', 'b2PGcjXbiG', 'v1sGWVLc8h', 'kMnGKI8Ngi', 'DUHGmSchwt'
Source: 0.2.PO for fabric forecast.exe.ac60000.7.raw.unpack, xRsLG9cJMxAX4AR5gt.cs	High entropy of concatenated method names: 'd31rMEht6n', 'txxr0kendS', 'ChurYhVRoB', 'WIcr5YSn2k', 'XXKrVHDYRP', 'jWvrwVIL4R', 'yXTm9L3OWi0fnt1MgC', 'yVckFwy0RKS6YJ39c6', 'Aeprrf2ch0', 'SBZrBUFbZ3'
Source: 0.2.PO for fabric forecast.exe.ac60000.7.raw.unpack, EInat9RUu1XJh0Z49m.cs	High entropy of concatenated method names: 'khFS2tNMjm3Um7GJoT3', 'hhXvKcNwV7wMaTtgXeq', 'NNFWNENcpkAR3Va2mrg', 'Wh2OyiDmLC', 'aEJO9tEhuT', 'SROOQylbxa', 'PNPdfiNb0RSB4L8pxar', 'otNWuDNT8k67KUFflGh'
Source: 0.2.PO for fabric forecast.exe.ac60000.7.raw.unpack, yfSSBJm6AgR9Eoem3q.cs	High entropy of concatenated method names: 'Dispose', 'XAdrlAVPGH', 'CMv6RD6x36', 'B1WahtVNGL', 'CymrLta4eD', 'P66rzhZatw', 'ProcessDialogKey', 'S6I6kVKw54', 'T7Z6rNPR88', 'DXb66HfA1d'
Source: 0.2.PO for fabric forecast.exe.ac60000.7.raw.unpack, NDfwiJPTGKRv6eiXBO.cs	High entropy of concatenated method names: 'tEfiYViYxH', 'X8yi5AqDas', 'ToString', 'HaaiKgDZN0', 'zKHimHwLI4', 'J5fiSodX4O', 'xdTia2RdCL', 'lXAiOlqf3e', 'mlxiMTpCtv', 'wKti0IoIiu'
Source: 0.2.PO for fabric forecast.exe.ac60000.7.raw.unpack, ss9XBZFd16DGTWXvHT.cs	High entropy of concatenated method names: 'JrfMj92VX5', 'OU5MomZq42', 'H96MdjixaR', 'OMFMUMf0ls', 'mViM1eRGtc', 'ALCMhLlNrO', 'FLNMuRERIn', 'd18MNkNYef', 'EX3MsSGF6l', 'cgDMpYCLDa'
Source: 0.2.PO for fabric forecast.exe.ac60000.7.raw.unpack, CworMjzNNid5afA3dk.cs	High entropy of concatenated method names: 'EjaQh2ehHI', 'NbxQNW3Ndb', 'U10Qsj5kvG', 'JusQ76MAbc', 'QAMQR3SGdl', 'DHxQDs6lbk', 'madQqHa7NP', 'LwpQfWDNtU', 'AISQjmINPt', 'gQNQo5sADO'
Source: 0.2.PO for fabric forecast.exe.ac60000.7.raw.unpack, KLbcNFZUp2AdAVPGHu.cs	High entropy of concatenated method names: 'jmg9VVFUiH', 'e6S9iMWq5j', 'Mxq99Rq4Ix', 'ETY9GPHaDI', 'hx19868wnP', 'xwN9f7NVjl', 'Dispose', 'qbFyKuG6nX', 'v0cym987Wg', 'JJFySYRuPs'
Source: 0.2.PO for fabric forecast.exe.ac60000.7.raw.unpack, vVKw54lP7ZNPR88NXb.cs	High entropy of concatenated method names: 'kS7979iHCy', 'Bw19RP60RB', 'zCj9H8hpdx', 'QLY9DrY3KL', 'TBi9qYcFHV', 'cCB9gpBlpC', 't3I9JEqRIP', 'kpK9TPYoVD', 'cij9FbJnWp', 'n269CduF61'
Source: 0.2.PO for fabric forecast.exe.ac60000.7.raw.unpack, mlPP6U4AIiJf9IRDX2.cs	High entropy of concatenated method names: 'GmsVCMgENQ', 'wB6VA7dvBe', 'l4LV4LnNLA', 'hR5VxSkTIZ', 'huHVRwGm9u', 'rdiVHJHnEM', 'FskVDtjbms', 'h5cVqZ5PN8', 'R1IVgAmtvA', 'sSIVJWLeWr'
Source: 0.2.PO for fabric forecast.exe.ac60000.7.raw.unpack, BEht6nNGxxkendSFT6.cs	High entropy of concatenated method names: 'CtQm4xCphk', 'kClmxIECaI', 'Y6LmE4mEQH', 'vm0mP9muAA', 'aSFmXYKYcf', 'RHHmvdiUUe', 'h8vmZ3FdpR', 'I05m2s63l7', 'dE4ml3vh37', 'etPmLs8lJY'
Source: 0.2.PO for fabric forecast.exe.ac60000.7.raw.unpack, FSgpVb6h2DhqWalm3A.cs	High entropy of concatenated method names: 'IDld580Ty', 'fZ3UtsxYX', 'OBnhu7L9A', 'QJYu2y3eZ', 'SNRsKub7q', 'XuapeiiWe', 'tHhWrwpjWN3gYWF9us', 'xCkcMcDsM3P3iU3hmr', 'XVayONawq', 'gaFQs8A5R'

Source: C:\Users\user\Desktop\PO for fabric forecast.exe

File created: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\PO for fabric forecast.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QzRJbgyEhZjA" /XML "C:\Users\user\AppData\Local\Temp\tmpC3DA.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: PO for fabric forecast.exe PID: 7480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: QzRJbgyEhZjA.exe PID: 8060, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\PO for fabric forecast.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Memory allocated: 2290000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Memory allocated: 24F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Memory allocated: 2290000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Memory allocated: 4B30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Memory allocated: 5B30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Memory allocated: 5C60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Memory allocated: 6C60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Memory allocated: ACE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Memory allocated: BCE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Memory allocated: C170000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Memory allocated: D170000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Memory allocated: 11D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Memory allocated: 2FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Memory allocated: 14E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Memory allocated: F10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Memory allocated: 2DC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Memory allocated: 12D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Memory allocated: 5280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Memory allocated: 6280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Memory allocated: 63B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Memory allocated: 73B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Memory allocated: AE40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Memory allocated: BE40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Memory allocated: C2D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Memory allocated: D2D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Memory allocated: 2CE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Memory allocated: 2F00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Memory allocated: 2D50000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4869	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6631	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 361	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Window / User API: threadDelayed 4901	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Window / User API: threadDelayed 4920	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Window / User API: threadDelayed 7515
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Window / User API: threadDelayed 2341

Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 7500	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7996	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7872	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8020	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7968	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep count: 38 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -35048813740048126s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -99860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8120	Thread sleep count: 4901 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -99734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -99624s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -99516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8120	Thread sleep count: 4920 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -99404s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -99297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -99188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -99047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -98938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -98813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -98688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -98563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -98438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -98329s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -98204s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -98079s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -97954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -97829s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -97704s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -97579s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -97454s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -97297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -97188s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -97063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -96938s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -96813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -96703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -96594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -96469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -96360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -96235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -96110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -95985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -95860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -95735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -95610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -95485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -95360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -95235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -95110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -94985s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -94860s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -94735s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -94610s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -94485s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -94360s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -94235s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -94110s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe TID: 8096	Thread sleep time: -93984s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 8132	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep count: 34 > 30
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -31359464925306218s >= -30000s
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 4488	Thread sleep count: 7515 > 30
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -99766s >= -30000s
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 4488	Thread sleep count: 2341 > 30
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -99643s >= -30000s
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -99516s >= -30000s
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -99406s >= -30000s
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -99297s >= -30000s
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -99188s >= -30000s
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -99078s >= -30000s
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -98968s >= -30000s
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -98859s >= -30000s
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -98749s >= -30000s
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -98626s >= -30000s
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -98500s >= -30000s
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -98391s >= -30000s
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -98281s >= -30000s
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -98171s >= -30000s
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -98063s >= -30000s
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -97938s >= -30000s
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -97828s >= -30000s
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -97719s >= -30000s
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -97594s >= -30000s
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -97484s >= -30000s
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -97372s >= -30000s
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -97193s >= -30000s
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -96791s >= -30000s
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -96676s >= -30000s
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -96547s >= -30000s
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -96438s >= -30000s
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -96313s >= -30000s
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -96203s >= -30000s
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -96094s >= -30000s
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -95969s >= -30000s
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -95859s >= -30000s
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -95750s >= -30000s
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -95640s >= -30000s
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -95529s >= -30000s
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -95422s >= -30000s
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -95312s >= -30000s
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -95203s >= -30000s
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -95094s >= -30000s
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -94969s >= -30000s
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -94859s >= -30000s
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -94749s >= -30000s
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -94641s >= -30000s
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -94531s >= -30000s
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -94422s >= -30000s
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -94312s >= -30000s
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -94203s >= -30000s
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe TID: 2488	Thread sleep time: -94059s >= -30000s

Source: C:\Users\user\Desktop\PO for fabric forecast.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\PO for fabric forecast.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 99860	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 99734	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 99624	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 99516	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 99404	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 99297	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 99188	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 99047	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 98938	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 98813	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 98688	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 98563	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 98438	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 98329	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 98204	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 98079	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 97954	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 97829	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 97704	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 97579	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 97454	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 97297	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 97188	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 97063	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 96938	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 96813	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 96703	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 96594	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 96469	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 96360	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 96235	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 96110	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 95985	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 95860	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 95735	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 95610	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 95485	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 95360	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 95235	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 95110	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 94985	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 94860	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 94735	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 94610	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 94485	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 94360	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 94235	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 94110	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Thread delayed: delay time: 93984	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 99875
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 99766
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 99643
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 99516
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 99406
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 99297
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 99188
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 99078
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 98968
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 98859
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 98749
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 98626
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 98500
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 98391
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 98281
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 98171
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 98063
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 97938
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 97828
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 97719
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 97594
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 97484
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 97372
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 97193
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 96791
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 96676
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 96547
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 96438
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 96313
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 96203
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 96094
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 95969
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 95859
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 95750
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 95640
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 95529
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 95422
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 95312
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 95203
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 95094
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 94969
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 94859
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 94749
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 94641
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 94531
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 94422
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 94312
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 94203
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Thread delayed: delay time: 94059

Source: QzRJbgyEhZjA.exe, 00000009.00000002.1843280541.0000000009563000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: PO for fabric forecast.exe, 00000008.00000002.3000123684.00000000012A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}
Source: QzRJbgyEhZjA.exe, 0000000D.00000002.2999786788.0000000001248000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\PO for fabric forecast.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\PO for fabric forecast.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO for fabric forecast.exe"
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe"
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO for fabric forecast.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Memory written: C:\Users\user\Desktop\PO for fabric forecast.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Memory written: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO for fabric forecast.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe"	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QzRJbgyEhZjA" /XML "C:\Users\user\AppData\Local\Temp\tmpC3DA.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Process created: C:\Users\user\Desktop\PO for fabric forecast.exe "C:\Users\user\Desktop\PO for fabric forecast.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QzRJbgyEhZjA" /XML "C:\Users\user\AppData\Local\Temp\tmpD697.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Process created: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe "C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Users\user\Desktop\PO for fabric forecast.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Users\user\Desktop\PO for fabric forecast.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Queries volume information: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Queries volume information: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\PO for fabric forecast.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.PO for fabric forecast.exe.40dd7e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.QzRJbgyEhZjA.exe.49ae3e0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO for fabric forecast.exe.40a2dc0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO for fabric forecast.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.QzRJbgyEhZjA.exe.49739c0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO for fabric forecast.exe.40dd7e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.QzRJbgyEhZjA.exe.49ae3e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO for fabric forecast.exe.40a2dc0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.QzRJbgyEhZjA.exe.49739c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.3001652959.0000000002F4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3002563146.000000000302E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2998685644.0000000000433000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1791996165.00000000040A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1840100108.0000000004973000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3001652959.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3002563146.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO for fabric forecast.exe PID: 7480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PO for fabric forecast.exe PID: 7912, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: QzRJbgyEhZjA.exe PID: 8060, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: QzRJbgyEhZjA.exe PID: 2720, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.PO for fabric forecast.exe.9300000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO for fabric forecast.exe.3d124e8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO for fabric forecast.exe.3d124e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO for fabric forecast.exe.9300000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.QzRJbgyEhZjA.exe.2e462e4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO for fabric forecast.exe.2577b50.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1791996165.0000000003CF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1801879709.0000000009300000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1838003802.0000000002DC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1790846476.00000000024FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe

File opened: C:\FTP Navigator\Ftplist.txt

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\PO for fabric forecast.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\PO for fabric forecast.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 0.2.PO for fabric forecast.exe.40dd7e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.QzRJbgyEhZjA.exe.49ae3e0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO for fabric forecast.exe.40a2dc0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO for fabric forecast.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.QzRJbgyEhZjA.exe.49739c0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO for fabric forecast.exe.40dd7e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.QzRJbgyEhZjA.exe.49ae3e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO for fabric forecast.exe.40a2dc0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.QzRJbgyEhZjA.exe.49739c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2998685644.0000000000433000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1791996165.00000000040A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1840100108.0000000004973000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3001652959.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3002563146.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO for fabric forecast.exe PID: 7480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PO for fabric forecast.exe PID: 7912, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: QzRJbgyEhZjA.exe PID: 8060, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: QzRJbgyEhZjA.exe PID: 2720, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.PO for fabric forecast.exe.40dd7e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.QzRJbgyEhZjA.exe.49ae3e0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO for fabric forecast.exe.40a2dc0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.PO for fabric forecast.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.QzRJbgyEhZjA.exe.49739c0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO for fabric forecast.exe.40dd7e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.QzRJbgyEhZjA.exe.49ae3e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO for fabric forecast.exe.40a2dc0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.QzRJbgyEhZjA.exe.49739c0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.3001652959.0000000002F4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3002563146.000000000302E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2998685644.0000000000433000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1791996165.00000000040A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1840100108.0000000004973000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3001652959.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3002563146.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO for fabric forecast.exe PID: 7480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PO for fabric forecast.exe PID: 7912, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: QzRJbgyEhZjA.exe PID: 8060, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: QzRJbgyEhZjA.exe PID: 2720, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.PO for fabric forecast.exe.9300000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO for fabric forecast.exe.3d124e8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO for fabric forecast.exe.3d124e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO for fabric forecast.exe.9300000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.QzRJbgyEhZjA.exe.2e462e4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO for fabric forecast.exe.2577b50.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1791996165.0000000003CF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1801879709.0000000009300000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1838003802.0000000002DC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1790846476.00000000024FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	24 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	3 Obfuscated Files or Information	1 Credentials in Registry	211 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	22 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	1 Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	141 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	141 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	111 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
PO for fabric forecast.exe	54%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
PO for fabric forecast.exe	100%	Avira	HEUR/AGEN.1305452
PO for fabric forecast.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	100%	Avira	HEUR/AGEN.1305452
C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe	54%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Source	Detection	Scanner	Label	Link
http://mail.iaa-airferight.com	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.iaa-airferight.com	46.175.148.58	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	PO for fabric forecast.exe, 00000000.00000002.1800318696.0000000008B32000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	PO for fabric forecast.exe, 00000000.00000002.1800318696.0000000008B32000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	PO for fabric forecast.exe, 00000000.00000002.1800318696.0000000008B32000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	PO for fabric forecast.exe, 00000000.00000002.1800318696.0000000008B32000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	PO for fabric forecast.exe, 00000000.00000002.1800318696.0000000008B32000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account.dyn.com/	PO for fabric forecast.exe, 00000000.00000002.1791996165.00000000040A2000.00000004.00000800.00020000.00000000.sdmp, PO for fabric forecast.exe, 00000008.00000002.2998685644.0000000000433000.00000040.00000400.00020000.00000000.sdmp, QzRJbgyEhZjA.exe, 00000009.00000002.1840100108.0000000004973000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	PO for fabric forecast.exe, 00000000.00000002.1800318696.0000000008B32000.00000004.00000800.00020000.00000000.sdmp	false		high
http://mail.iaa-airferight.com	PO for fabric forecast.exe, 00000008.00000002.3002563146.0000000003036000.00000004.00000800.00020000.00000000.sdmp, QzRJbgyEhZjA.exe, 0000000D.00000002.3001652959.0000000002F56000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.tiro.com	PO for fabric forecast.exe, 00000000.00000002.1800318696.0000000008B32000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers	PO for fabric forecast.exe, 00000000.00000002.1800318696.0000000008B32000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	PO for fabric forecast.exe, 00000000.00000002.1800318696.0000000008B32000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.coml	PO for fabric forecast.exe, 00000000.00000002.1800318696.0000000008B32000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com	PO for fabric forecast.exe, 00000000.00000002.1800318696.0000000008B32000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.typography.netD	PO for fabric forecast.exe, 00000000.00000002.1800318696.0000000008B32000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	PO for fabric forecast.exe, 00000000.00000002.1800318696.0000000008B32000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	PO for fabric forecast.exe, 00000000.00000002.1800318696.0000000008B32000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm	PO for fabric forecast.exe, 00000000.00000002.1800318696.0000000008B32000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	PO for fabric forecast.exe, 00000000.00000002.1800318696.0000000008B32000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-user.html	PO for fabric forecast.exe, 00000000.00000002.1800318696.0000000008B32000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	PO for fabric forecast.exe, 00000000.00000002.1800318696.0000000008B32000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/DPlease	PO for fabric forecast.exe, 00000000.00000002.1800318696.0000000008B32000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers8	PO for fabric forecast.exe, 00000000.00000002.1800318696.0000000008B32000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	PO for fabric forecast.exe, 00000000.00000002.1800318696.0000000008B32000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	PO for fabric forecast.exe, 00000000.00000002.1800318696.0000000008B32000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	PO for fabric forecast.exe, 00000000.00000002.1800318696.0000000008B32000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cn	PO for fabric forecast.exe, 00000000.00000002.1800318696.0000000008B32000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	PO for fabric forecast.exe, 00000000.00000002.1790846476.00000000027DE000.00000004.00000800.00020000.00000000.sdmp, QzRJbgyEhZjA.exe, 00000009.00000002.1838003802.00000000030AC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	PO for fabric forecast.exe, 00000000.00000002.1800318696.0000000008B32000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
46.175.148.58	mail.iaa-airferight.com	Ukraine		56394	ASLAGIDKOM-NETUA	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1570205
Start date and time:	2024-12-06 16:38:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PO for fabric forecast.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@19/15@1/1
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 98% Number of executed functions: 167 Number of non-executed functions: 15
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target PO for fabric forecast.exe, PID 7912 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: PO for fabric forecast.exe

Simulations

Behavior and APIs

Time	Type	Description
10:39:04	API Interceptor	175x Sleep call for process: PO for fabric forecast.exe modified
10:39:06	API Interceptor	39x Sleep call for process: powershell.exe modified
10:39:10	API Interceptor	178x Sleep call for process: QzRJbgyEhZjA.exe modified
15:39:08	Task Scheduler	Run new task: QzRJbgyEhZjA path: C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
46.175.148.58	980001672 PPR for 30887217.scr.exe	Get hash	malicious	AgentTesla	Browse
	lC7L7oBBMC.exe	Get hash	malicious	AgentTesla	Browse
	OHScaqAPjt.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse
	RFQ ENQ186 OI REQUIRE RATE.exe	Get hash	malicious	AgentTesla	Browse
	v58HgfB8Af.exe	Get hash	malicious	AgentTesla	Browse
	l6F8Xgr0Ov.exe	Get hash	malicious	AgentTesla	Browse
	SPlVyHiGOz.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	2bOizaPPDC.exe	Get hash	malicious	AgentTesla	Browse
	McEdhqMMhs.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse
	55qIbHIAZi.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mail.iaa-airferight.com	980001672 PPR for 30887217.scr.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	lC7L7oBBMC.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	OHScaqAPjt.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	46.175.148.58
	RFQ ENQ186 OI REQUIRE RATE.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	v58HgfB8Af.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	l6F8Xgr0Ov.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	SPlVyHiGOz.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	46.175.148.58
	2bOizaPPDC.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	McEdhqMMhs.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	46.175.148.58
	55qIbHIAZi.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	46.175.148.58

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASLAGIDKOM-NETUA	980001672 PPR for 30887217.scr.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	lC7L7oBBMC.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	OHScaqAPjt.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	46.175.148.58
	RFQ ENQ186 OI REQUIRE RATE.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	v58HgfB8Af.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	l6F8Xgr0Ov.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	SPlVyHiGOz.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	46.175.148.58
	2bOizaPPDC.exe	Get hash	malicious	AgentTesla	Browse	46.175.148.58
	McEdhqMMhs.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	46.175.148.58
	55qIbHIAZi.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	46.175.148.58

Process:	C:\Users\user\Desktop\PO for fabric forecast.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QzRJbgyEhZjA.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379736180876081
Encrypted:	false
SSDEEP:	48:tWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//ZSUyus:tLHyIFKL3IZ2KRH9OugEs
MD5:	72F35C292A6859CB7CFB21D40EC3D2F8
SHA1:	96F18AB9B3CF301A61D0ABE374AB33B8EB864884
SHA-256:	9CC6A174C97D345DA67AA1F586EAF5911BE61B92B75E0FB283BE338B45BA4325
SHA-512:	B6DA5E7BE2F9D1AB05403801395524C1EFCB843747BF2C302BF8A5690A9197ED01B909852368F4A71D77EA2400085F629FF666869042A4D0A432836DF1DFD5B0
Malicious:	false
Preview:	@...e.................................,..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2qdeajuy.bg3.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4j12ho3h.fcv.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_elgnizcq.znk.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ggutbbki.wkp.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kwv40ugx.pzi.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nlff2ck0.0yp.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ocez132a.lsb.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wayzerjf.gjg.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmpC3DA.tmp

Download File

Process:	C:\Users\user\Desktop\PO for fabric forecast.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1578
Entropy (8bit):	5.124552106596694
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaKLxvn:cge1wYrFdOFzOzN33ODOiDdKrsuT31v
MD5:	BA4EC9E3B0C3A35E154FCDAB59AE06B5
SHA1:	E9726F8AD09D9A594A2FEEB0150192BF2683FD99
SHA-256:	982DD3D9F7A119FCDB3FAAFE89D9984B8FD827F8D38806F5E9FD97EAC74A8E78
SHA-512:	1EA01040ABA13E6837C00881B9AB2BA341A8A38DEDFE4CE4FAF969243AD7AE80AF62615E295E202156D1D32DBE3CC3A26CD055B7C893DDCAA73943FBB3C2C7BC
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmpD697.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1578
Entropy (8bit):	5.124552106596694
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaKLxvn:cge1wYrFdOFzOzN33ODOiDdKrsuT31v
MD5:	BA4EC9E3B0C3A35E154FCDAB59AE06B5
SHA1:	E9726F8AD09D9A594A2FEEB0150192BF2683FD99
SHA-256:	982DD3D9F7A119FCDB3FAAFE89D9984B8FD827F8D38806F5E9FD97EAC74A8E78
SHA-512:	1EA01040ABA13E6837C00881B9AB2BA341A8A38DEDFE4CE4FAF969243AD7AE80AF62615E295E202156D1D32DBE3CC3A26CD055B7C893DDCAA73943FBB3C2C7BC
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe

Download File

Process:	C:\Users\user\Desktop\PO for fabric forecast.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1051648
Entropy (8bit):	7.357511061191052
Encrypted:	false
SSDEEP:	24576:H/n1zGUxj/DXD08uzeE9V3FHc2ApvkmYD2TmTCItSRcbyiL:fNLNjDro1V1HGMm62CnSaPL
MD5:	9C0962DE2A744A08F331B64EDFCF83DD
SHA1:	1B063810E15C8DF8DB6216526D4EE20D0DE98B5D
SHA-256:	37F474BA024470E44CDF908DE33A29657D00DA334946683D4174DAAAA5E71B81
SHA-512:	299D58839CED879299816895F6131831739B899EE12B98ACC944C809F4828EB0A057DC068FED199B1CF2CACF7ACC2B27B81E6A3F099638594295B46F62186D86
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 54%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....H................0.................. ........@.. ....................................@....................................K............................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc.......`......................@..B........................H....... ...............p..............................................\.X^..Q..YBJ.Zl.p.....z./....mQ#.9..Z......K.`.Q....7X.K6w.U.&...y....s.....'a@yR..PXe,].x.GH9$..%B...4en....8..t..WO.2.e..R......u...Tn.s..h.\|...........R.....Q#.&.....b1[...[..O.U...M..0......._.PNe....$...M+......5.l...-..m....gI.h..UYf..e.[^... ...6.9n.L\|.......a.#T..F.X.e....X...Ue.{s.U....k...O_.flny%..z>@2?...j......m.=..M...Yk..h...s.3...@...Y=...=.uQ..VJ...z....I......@.1......

C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\PO for fabric forecast.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.357511061191052
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	PO for fabric forecast.exe
File size:	1'051'648 bytes
MD5:	9c0962de2a744a08f331b64edfcf83dd
SHA1:	1b063810e15c8df8db6216526d4ee20d0de98b5d
SHA256:	37f474ba024470e44cdf908de33a29657d00da334946683d4174daaaa5e71b81
SHA512:	299d58839ced879299816895f6131831739b899ee12b98acc944c809f4828eb0a057dc068fed199b1cf2cacf7acc2b27b81e6a3f099638594295b46f62186d86
SSDEEP:	24576:H/n1zGUxj/DXD08uzeE9V3FHc2ApvkmYD2TmTCItSRcbyiL:fNLNjDro1V1HGMm62CnSaPL
TLSH:	5225CF897500B19ECC56CB304A35CD3457202CAEAB3AC21FA5E73DAB7F7E5D799140A2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....H................0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	c5949296969e8473

Static PE Info

General

Entrypoint:	0x4ca41e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x800448EF [Fri Jan 22 09:14:23 2038 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xca3d0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xcc000	0x380e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x106000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc8424	0xc8600	e5f153da4e3af5b45acf6c14c2762f4d	False	0.8869368469276356	data	7.744906030867297	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xcc000	0x380e0	0x38200	43881f68e1b132e4feea170ffd9836eb	False	0.30785860940979953	data	5.197555802374114	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x106000	0xc	0x200	1b89e1a08d4adbad36c2883833bdad13	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xcc490	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	0.38353658536585367
RT_ICON	0xccaf8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	0.48655913978494625
RT_ICON	0xccde0	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288	0.5286885245901639
RT_ICON	0xccfc8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	0.5878378378378378
RT_ICON	0xcd0f0	0x6739	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9933017975402081
RT_ICON	0xd382c	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	0.5578358208955224
RT_ICON	0xd46d4	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	0.6367328519855595
RT_ICON	0xd4f7c	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	0.6497695852534562
RT_ICON	0xd5644	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	0.47760115606936415
RT_ICON	0xd5bac	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	0.125
RT_ICON	0xe63d4	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	0.21113622030691612
RT_ICON	0xef87c	0x67e8	Device independent bitmap graphic, 80 x 160 x 32, image size 26560	0.21157894736842106
RT_ICON	0xf6064	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	0.24269870609981517
RT_ICON	0xfb4ec	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	0.22325224374114314
RT_ICON	0xff714	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	0.3196058091286307
RT_ICON	0x101cbc	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.3642120075046904
RT_ICON	0x102d64	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	0.5086065573770492
RT_ICON	0x1036ec	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.5735815602836879
RT_GROUP_ICON	0x103b54	0x102	data	0.5697674418604651
RT_GROUP_ICON	0x103c58	0x14	data	1.05
RT_VERSION	0x103c6c	0x288	data	0.46141975308641975
RT_MANIFEST	0x103ef4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 6, 2024 16:39:10.720956087 CET	49733	25	192.168.2.4	46.175.148.58
Dec 6, 2024 16:39:11.758277893 CET	49733	25	192.168.2.4	46.175.148.58
Dec 6, 2024 16:39:13.713367939 CET	49736	25	192.168.2.4	46.175.148.58
Dec 6, 2024 16:39:13.769438028 CET	49733	25	192.168.2.4	46.175.148.58
Dec 6, 2024 16:39:14.883951902 CET	49736	25	192.168.2.4	46.175.148.58
Dec 6, 2024 16:39:16.883955002 CET	49736	25	192.168.2.4	46.175.148.58
Dec 6, 2024 16:39:17.774563074 CET	49733	25	192.168.2.4	46.175.148.58
Dec 6, 2024 16:39:20.883960009 CET	49736	25	192.168.2.4	46.175.148.58
Dec 6, 2024 16:39:25.790224075 CET	49733	25	192.168.2.4	46.175.148.58
Dec 6, 2024 16:39:28.899611950 CET	49736	25	192.168.2.4	46.175.148.58

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 6, 2024 16:39:10.476418972 CET	64627	53	192.168.2.4	1.1.1.1
Dec 6, 2024 16:39:10.711426020 CET	53	64627	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 6, 2024 16:39:10.476418972 CET	192.168.2.4	1.1.1.1	0x8162	Standard query (0)	mail.iaa-airferight.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 6, 2024 16:39:10.711426020 CET	1.1.1.1	192.168.2.4	0x8162	No error (0)	mail.iaa-airferight.com		46.175.148.58	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	10:39:03
Start date:	06/12/2024
Path:	C:\Users\user\Desktop\PO for fabric forecast.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PO for fabric forecast.exe"
Imagebase:	0x70000
File size:	1'051'648 bytes
MD5 hash:	9C0962DE2A744A08F331B64EDFCF83DD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1791996165.0000000003CF9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1801879709.0000000009300000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1791996165.00000000040A2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1791996165.00000000040A2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1790846476.00000000024FC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:39:05
Start date:	06/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO for fabric forecast.exe"
Imagebase:	0xb70000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:39:06
Start date:	06/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:39:06
Start date:	06/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe"
Imagebase:	0xb70000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:39:06
Start date:	06/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:39:06
Start date:	06/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QzRJbgyEhZjA" /XML "C:\Users\user\AppData\Local\Temp\tmpC3DA.tmp"
Imagebase:	0x260000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:39:06
Start date:	06/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	10:39:06
Start date:	06/12/2024
Path:	C:\Users\user\Desktop\PO for fabric forecast.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PO for fabric forecast.exe"
Imagebase:	0xab0000
File size:	1'051'648 bytes
MD5 hash:	9C0962DE2A744A08F331B64EDFCF83DD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.3002563146.000000000302E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2998685644.0000000000433000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2998685644.0000000000433000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.3002563146.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.3002563146.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	10:39:08
Start date:	06/12/2024
Path:	C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe
Imagebase:	0x7b0000
File size:	1'051'648 bytes
MD5 hash:	9C0962DE2A744A08F331B64EDFCF83DD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.1840100108.0000000004973000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.1840100108.0000000004973000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000009.00000002.1838003802.0000000002DC9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 54%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	10:39:09
Start date:	06/12/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	10:39:11
Start date:	06/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QzRJbgyEhZjA" /XML "C:\Users\user\AppData\Local\Temp\tmpD697.tmp"
Imagebase:	0x260000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	10:39:11
Start date:	06/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	10:39:11
Start date:	06/12/2024
Path:	C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\QzRJbgyEhZjA.exe"
Imagebase:	0x9a0000
File size:	1'051'648 bytes
MD5 hash:	9C0962DE2A744A08F331B64EDFCF83DD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.3001652959.0000000002F4E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.3001652959.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.3001652959.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	12.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	181
Total number of Limit Nodes:	9

Executed Functions

Function 09370040 Relevance: 7.7, Strings: 4, Instructions: 2700COMMON

Download Yara Rule

Strings

4'^q, xrefs: 09370EA3
(o^q, xrefs: 09370116
4'^q, xrefs: 09371F11
4'^q, xrefs: 0937102B

Memory Dump Source

Source File: 00000000.00000002.1802026159.0000000009370000.00000040.00000800.00020000.00000000.sdmp, Offset: 09370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9370000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID: (o^q$4'^q$4'^q$4'^q
API String ID: 0-183542557
Opcode ID: ecc6795c32bcae1dbf3d25bc0eb9cba79732e519ea5bc80b1ad567eb52e876d6
Instruction ID: 80ea0047ff1690a043051bf1d27a9d91555689ee135fa83ece724c3a6108bc27
Opcode Fuzzy Hash: ecc6795c32bcae1dbf3d25bc0eb9cba79732e519ea5bc80b1ad567eb52e876d6
Instruction Fuzzy Hash: C553D575A01219CFCB68DF68C888A9EF7B2BF49310F158599E459AB361CB34ED81CF50

Function 093731D8 Relevance: 6.9, Strings: 5, Instructions: 624
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,bq, xrefs: 09373737
Hbq, xrefs: 093739DF
(o^q, xrefs: 09373765
,bq, xrefs: 09373743
(o^q, xrefs: 09373771

Memory Dump Source

Source File: 00000000.00000002.1802026159.0000000009370000.00000040.00000800.00020000.00000000.sdmp, Offset: 09370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9370000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$,bq$,bq$Hbq
API String ID: 0-3486158592
Opcode ID: b43aecdd3aa48547b984603d93043398b634a97fb3dd9eb608945c7b33426294
Instruction ID: 80993e1cfcf0c91d1f152582dd48c0af9604079656ad6ba3bf3338ed686d8034
Opcode Fuzzy Hash: b43aecdd3aa48547b984603d93043398b634a97fb3dd9eb608945c7b33426294
Instruction Fuzzy Hash: D232B031A002188FCB24CF69E994A6EFBF6AF88350B14846AE456DB3A5CB34DC45DF51

Function 02330E84 Relevance: 2.7, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

Te^q, xrefs: 02330F23
Te^q, xrefs: 02331032

Memory Dump Source

Source File: 00000000.00000002.1790349191.0000000002330000.00000040.00000800.00020000.00000000.sdmp, Offset: 02330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2330000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID: Te^q$Te^q
API String ID: 0-3743469327
Opcode ID: 6d0fad6ada25b8ab83532928d37ef568cb637ed40f1f1b5a064f2333dd0f4b4c
Instruction ID: e4f6eee68e8fa02f3f59d0d9c75b83105d66824e6a6041a58778c45e4c6e0be8
Opcode Fuzzy Hash: 6d0fad6ada25b8ab83532928d37ef568cb637ed40f1f1b5a064f2333dd0f4b4c
Instruction Fuzzy Hash: B451D175B102558FCB09CFA9C8947AEFBF2FF8A704F1444AAD445EB215CB309A02CB91

Function 0E7A22A8 Relevance: .4, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1804772952.000000000E7A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E7A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e7a0000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84dbc2b98ce08bf690189e036c6156dd26580936ec6cd810f372da2b8b2aadd0
Instruction ID: 2599c272063d2b1d3256cbdf26344ea87556d1455feb98312611fcea3e52d215
Opcode Fuzzy Hash: 84dbc2b98ce08bf690189e036c6156dd26580936ec6cd810f372da2b8b2aadd0
Instruction Fuzzy Hash: 83E1FC317022448FEB2ADB69C520BAEB7FAAFC8700F18456CD2459B6A5DB34ED01CB51

Function 02332228 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1790349191.0000000002330000.00000040.00000800.00020000.00000000.sdmp, Offset: 02330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2330000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ec3630275bf2e78dfa61d496e625d893806f7ffc987b33345b128b85ae2d271
Instruction ID: fdc73ced3bac5b79bcf6f0e4f56a66fa7f2da47259b569eff8d4ae7432903223
Opcode Fuzzy Hash: 3ec3630275bf2e78dfa61d496e625d893806f7ffc987b33345b128b85ae2d271
Instruction Fuzzy Hash: E07102B1624605CFC346CF68C880626B7B9FF49310B138456ED22DFA62C734EE62CB95

Function 0966D3B1 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1803489394.0000000009660000.00000040.00000800.00020000.00000000.sdmp, Offset: 09660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9660000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faa8c50c3dea0bd2acd7d95963467abce7f5f1b44f39f03f8aa547e62783b289
Instruction ID: 545317a4b32ffc2172098a4a4ec33bd76a98442a2f84d95e36cddaa1f44ee0f9
Opcode Fuzzy Hash: faa8c50c3dea0bd2acd7d95963467abce7f5f1b44f39f03f8aa547e62783b289
Instruction Fuzzy Hash: A2413875E09248CBDB14CFA6D9647EDBBF9AF8E344F10E029D009A32A1DB345946CE41

Function 023373DC Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1790349191.0000000002330000.00000040.00000800.00020000.00000000.sdmp, Offset: 02330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2330000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c6c3bf54f9617a5c75016eb3b248cd00e808487e10631d5ba53b2f3ec191938
Instruction ID: 65f6cc7769f4bbf79988c5251fe47ed7479f06402a8010346dd9812d883aa7d4
Opcode Fuzzy Hash: 2c6c3bf54f9617a5c75016eb3b248cd00e808487e10631d5ba53b2f3ec191938
Instruction Fuzzy Hash: 5E212C32B142195BDB0DAA784A5923F69DFDBC8244F10883EE04BDB799CD78DE028791

Function 09666C40 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1803489394.0000000009660000.00000040.00000800.00020000.00000000.sdmp, Offset: 09660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9660000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77efd6c50efbf82a0a8188d3924a261d78ba45ec05a47942503855c13f53646c
Instruction ID: 35bcb4f5946be27fe4a9c8be7f0ff91726069e589adea69602b38bac1eb36954
Opcode Fuzzy Hash: 77efd6c50efbf82a0a8188d3924a261d78ba45ec05a47942503855c13f53646c
Instruction Fuzzy Hash: D421F4B0D046588BDB18CFA7C8147EEBFFAAF89344F04C0AAD419A6264DB750906CF91

Function 09666C50 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1803489394.0000000009660000.00000040.00000800.00020000.00000000.sdmp, Offset: 09660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9660000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f2acfb32139a9f74a4a05ed76473593fc016ab7bbe1a6f85bc47a4fdb8c5997
Instruction ID: dc6ccd424c26af0c3824b5c1d50bdbff2d4a78781b5f195d3e5b636d9b9de68c
Opcode Fuzzy Hash: 0f2acfb32139a9f74a4a05ed76473593fc016ab7bbe1a6f85bc47a4fdb8c5997
Instruction Fuzzy Hash: 892108B0D046188BEB18CF9BD9447EEFAFBAFC8344F04C069D41976264DB740A468F90

Function 0E7A03B9 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1804772952.000000000E7A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E7A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e7a0000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c15271a38db761733349107c7f60c6a2c8d5e26f00d727aae28669508d420b1
Instruction ID: 9a2b91ba166f989fe0b86c1e5095922a7bbdab46e0af0409804c9416314f2f1c
Opcode Fuzzy Hash: 5c15271a38db761733349107c7f60c6a2c8d5e26f00d727aae28669508d420b1
Instruction Fuzzy Hash: 04A001049CF005C0C0005C164E311F8C02C528F648FCC7F04531E262B208D0D840120D

Function 0937EA91 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MonitorFromPoint.USER32(?,?,00000002), ref: 0937EB1F

Strings

pi, xrefs: 0937EAD4

Memory Dump Source

Source File: 00000000.00000002.1802026159.0000000009370000.00000040.00000800.00020000.00000000.sdmp, Offset: 09370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9370000_PO for fabric forecast.jbxd

Similarity

API ID: FromMonitorPoint
String ID: pi
API String ID: 1566494148-451671704
Opcode ID: 8fbad5809feedb3b5e8405a2ee8167e431c648989eb043f8f13be74d1f162f2a
Instruction ID: 94dd674a2a25aa2a080a33c52c8a35090b4e50e62bf3e3f7312aff47f4613e59
Opcode Fuzzy Hash: 8fbad5809feedb3b5e8405a2ee8167e431c648989eb043f8f13be74d1f162f2a
Instruction Fuzzy Hash: 782187759043489FCB24DFA9D445BEEBFF5EF88310F10805AE856AB291C738A944CFA1

Function 0966C86C Relevance: 1.7, APIs: 1, Instructions: 247processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0966CAAE

Memory Dump Source

Source File: 00000000.00000002.1803489394.0000000009660000.00000040.00000800.00020000.00000000.sdmp, Offset: 09660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9660000_PO for fabric forecast.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1a1e4f9c0381ff23e2700a2ea7d87127b90dbd5b2aa7eee9bb9c916e2373a7a2
Instruction ID: 80ded0ab9a31b2c2dbb5d00da269b5a76396b43fb89afb1add2cd890b2ba5403
Opcode Fuzzy Hash: 1a1e4f9c0381ff23e2700a2ea7d87127b90dbd5b2aa7eee9bb9c916e2373a7a2
Instruction Fuzzy Hash: DAA18C71D006199FDB20CF68C841BEDBBB2BF49314F1481AAE999E7250DB789981CF91

Function 0966C878 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0966CAAE

Memory Dump Source

Source File: 00000000.00000002.1803489394.0000000009660000.00000040.00000800.00020000.00000000.sdmp, Offset: 09660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9660000_PO for fabric forecast.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f26853125c098d9626cd4ebd15a317206c85c2af5ebd47db64209a70a100f6a0
Instruction ID: e7f54cbf328fb3cc7a78c65d2d614f56c5a2431c2030c9e123fafa8e4dc73e3c
Opcode Fuzzy Hash: f26853125c098d9626cd4ebd15a317206c85c2af5ebd47db64209a70a100f6a0
Instruction Fuzzy Hash: FC918C71D006199FDB20CF68C840BEDBBB2BF49314F1481AAE998E7350DB789985CF91

Function 02338EE4 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 02338FA1

Memory Dump Source

Source File: 00000000.00000002.1790349191.0000000002330000.00000040.00000800.00020000.00000000.sdmp, Offset: 02330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2330000_PO for fabric forecast.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f4f9136a29e2d38b31bdfb8c23f7dddc99d158431c9afe9cb57e491a38ebabf7
Instruction ID: 38e213a511443dee5f56dd5c9fbbfe6256b4697dde7f596aad74f7966ac9da63
Opcode Fuzzy Hash: f4f9136a29e2d38b31bdfb8c23f7dddc99d158431c9afe9cb57e491a38ebabf7
Instruction Fuzzy Hash: 214104B0C00619CFDB25CFA9C9447DDBBB5FF48304F2480AAD448AB255DB75698ACF90

Function 02337AAC Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 02338FA1

Memory Dump Source

Source File: 00000000.00000002.1790349191.0000000002330000.00000040.00000800.00020000.00000000.sdmp, Offset: 02330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2330000_PO for fabric forecast.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d988fba8ec59130b694faf27c81c255073e30b8e037125eec2c26fb54780488a
Instruction ID: e41c2b30dd02a8d857c14f6540e2e7038cd167058a07b9f393ab5294eb489d71
Opcode Fuzzy Hash: d988fba8ec59130b694faf27c81c255073e30b8e037125eec2c26fb54780488a
Instruction Fuzzy Hash: EA41D1B0C00719CBDB25CFA9C944BDEBBF5BF48304F20806AD448AB255DBB56985CF91

Function 0966C5E8 Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0966C680

Memory Dump Source

Source File: 00000000.00000002.1803489394.0000000009660000.00000040.00000800.00020000.00000000.sdmp, Offset: 09660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9660000_PO for fabric forecast.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e7e657bd1f0378133a65fede476b39543643e40f0642d57ea5489dcd0b86fdca
Instruction ID: 3dfb626ec744174f881654590799a97071837491716b26d54656c816ca9a0d79
Opcode Fuzzy Hash: e7e657bd1f0378133a65fede476b39543643e40f0642d57ea5489dcd0b86fdca
Instruction Fuzzy Hash: 732157B1900309DFCB10DFA9C885BDEBBF4FF48310F108429E598A7250D7789944CBA4

Function 0937AE39 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 0937AED7

Memory Dump Source

Source File: 00000000.00000002.1802026159.0000000009370000.00000040.00000800.00020000.00000000.sdmp, Offset: 09370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9370000_PO for fabric forecast.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 3c4107be7dd34c7677b4a8160beecc67cdea8d34c8b034181b3d8e0abfe4a938
Instruction ID: 5ff6ac2cbe5e1080e111bcea8fc2c1d7ff92a13772fa3d1cb86d8b4c12eceb3a
Opcode Fuzzy Hash: 3c4107be7dd34c7677b4a8160beecc67cdea8d34c8b034181b3d8e0abfe4a938
Instruction Fuzzy Hash: 8031C2B59003499FDB10CF9AD884AEEFBF5EF48320F14842AE559A7610D775A944CFA0

Function 0937AE40 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 0937AED7

Memory Dump Source

Source File: 00000000.00000002.1802026159.0000000009370000.00000040.00000800.00020000.00000000.sdmp, Offset: 09370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9370000_PO for fabric forecast.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 57c8dead19391f75f290b697987044e69ea5d158462c5333a0131568457da1c0
Instruction ID: 3060c0b7338b7bf94f5487ceaefa5b7ed04bb063ec3ed249a1e93cf5d82c57e2
Opcode Fuzzy Hash: 57c8dead19391f75f290b697987044e69ea5d158462c5333a0131568457da1c0
Instruction Fuzzy Hash: 9A21CEB59003099FDB10CF9AD884AEEFBF5FB48320F14842AE919A7610D774A944CFA0

Function 0966C5F0 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0966C680

Memory Dump Source

Source File: 00000000.00000002.1803489394.0000000009660000.00000040.00000800.00020000.00000000.sdmp, Offset: 09660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9660000_PO for fabric forecast.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: dcc7dbb7714d580fa43713feef9a29d19b06c8826ae5fa08abbd9d2370272dd4
Instruction ID: 2862fcbfb4e78de6cbbaa3d168786492551bc44b4f45a06ea5db7ea5a9ea7075
Opcode Fuzzy Hash: dcc7dbb7714d580fa43713feef9a29d19b06c8826ae5fa08abbd9d2370272dd4
Instruction Fuzzy Hash: 762125B19003599FCB10CFA9C985BDEBBF5FF48310F10842AE998A7250C7789954CBA4

Function 0966C451 Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0966C4D6

Memory Dump Source

Source File: 00000000.00000002.1803489394.0000000009660000.00000040.00000800.00020000.00000000.sdmp, Offset: 09660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9660000_PO for fabric forecast.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: e6ffe77a7516882357c3a616b354b7d3645700abb678e32d1bf3cda8a742c34d
Instruction ID: b9a8e077949f4aa344c167137f3bdc8efdfdf188bf709b39ec23d9c30a742340
Opcode Fuzzy Hash: e6ffe77a7516882357c3a616b354b7d3645700abb678e32d1bf3cda8a742c34d
Instruction Fuzzy Hash: D82139719006098FDB14DFAAC5857EEBBF4EF48314F10C42AD559A7351CB789944CFA4

Function 0966C6D9 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0966C760

Memory Dump Source

Source File: 00000000.00000002.1803489394.0000000009660000.00000040.00000800.00020000.00000000.sdmp, Offset: 09660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9660000_PO for fabric forecast.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 8d1fd14e1aa956c10e4809a59e03941bf559a0eb907422dafcd865c99628d9e2
Instruction ID: 6fcb6cc2e3c2895f628009ae727e7d8370f1f3be2a19e6aba0468d991421f0c8
Opcode Fuzzy Hash: 8d1fd14e1aa956c10e4809a59e03941bf559a0eb907422dafcd865c99628d9e2
Instruction Fuzzy Hash: A92128B1C007599FCB10DFAAC885ADEFBF5FF48320F10842AE559A7250C7789954CBA4

Function 0966C458 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0966C4D6

Memory Dump Source

Source File: 00000000.00000002.1803489394.0000000009660000.00000040.00000800.00020000.00000000.sdmp, Offset: 09660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9660000_PO for fabric forecast.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 9c5f35acb888afd7fbc735c29625a74889f08469d0e91855234abf8f4d2860b7
Instruction ID: e24e4f797615974d7c912ecf1a6af73ad70d80567e69e47ad65a9a26af424bfd
Opcode Fuzzy Hash: 9c5f35acb888afd7fbc735c29625a74889f08469d0e91855234abf8f4d2860b7
Instruction Fuzzy Hash: 862138B19002098FDB10DFAAC4857EEBBF4EF48324F10842AD599A7350CB78A944CFA4

Function 0966C6E0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0966C760

Memory Dump Source

Source File: 00000000.00000002.1803489394.0000000009660000.00000040.00000800.00020000.00000000.sdmp, Offset: 09660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9660000_PO for fabric forecast.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 38a3771dd1cf37134b3d0212a0da0d547ebb59942899a986d0fe4dbd02e20a6e
Instruction ID: f0938d015fb663ca876fafb44c822bb0810f42fa39fa61b8308995dd5a80e4fc
Opcode Fuzzy Hash: 38a3771dd1cf37134b3d0212a0da0d547ebb59942899a986d0fe4dbd02e20a6e
Instruction Fuzzy Hash: 6E2139B1C003599FCB10DFAAC884ADEFBF5FF48310F108429E558A7250C7389544CBA4

Function 0966C528 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0966C59E

Memory Dump Source

Source File: 00000000.00000002.1803489394.0000000009660000.00000040.00000800.00020000.00000000.sdmp, Offset: 09660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9660000_PO for fabric forecast.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 27dadd2720eb2f901fa3af2fd55630a3d72ea1b5ce127211945d3481533c1277
Instruction ID: 9b19f800bcae67c246c1e8a4f98ef928681cbcbe03610d6a939190c80a000169
Opcode Fuzzy Hash: 27dadd2720eb2f901fa3af2fd55630a3d72ea1b5ce127211945d3481533c1277
Instruction Fuzzy Hash: 96215976900249DFCB24CFA9C845BEEBFF5EF88324F20842AE555A7260C7399554CFA0

Function 0966C3A0 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0966C40A

Memory Dump Source

Source File: 00000000.00000002.1803489394.0000000009660000.00000040.00000800.00020000.00000000.sdmp, Offset: 09660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9660000_PO for fabric forecast.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: dfcb1f0f78c5d12a2bddc0d2d2eb04ea1801fdef7de0d35c6d46cdb4a326de95
Instruction ID: 8b5ffc8aab8d0d141f6e6adb9203cf12794da486e6e7ad481fd71792953b093f
Opcode Fuzzy Hash: dfcb1f0f78c5d12a2bddc0d2d2eb04ea1801fdef7de0d35c6d46cdb4a326de95
Instruction Fuzzy Hash: E71179B1900748CBCB20DFAAC4457EEFBF4EB88324F208829D559A7250C738A840CFA5

Function 0966C530 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0966C59E

Memory Dump Source

Source File: 00000000.00000002.1803489394.0000000009660000.00000040.00000800.00020000.00000000.sdmp, Offset: 09660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9660000_PO for fabric forecast.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d02e5b6d2e8370e49a9fbb9d24449af612a9cbf5f2e1060568bf586d517aac91
Instruction ID: ae5b02ae16b9418504b7af18a66f7a531d2e0c68c00b7917962f601be22bdc81
Opcode Fuzzy Hash: d02e5b6d2e8370e49a9fbb9d24449af612a9cbf5f2e1060568bf586d517aac91
Instruction Fuzzy Hash: 561137719002499FCB20DFAAC844BDEBFF5EF88324F20841AE559A7260C775A554CFA4

Function 0966C3A8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0966C40A

Memory Dump Source

Source File: 00000000.00000002.1803489394.0000000009660000.00000040.00000800.00020000.00000000.sdmp, Offset: 09660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9660000_PO for fabric forecast.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 438e20e66771da8b4cb0a69db92ac17731cabec075095ce930b527d058322f1c
Instruction ID: 547e4e10af62c1a78f0240a229781561064557078abd3c52f24372f141e517c3
Opcode Fuzzy Hash: 438e20e66771da8b4cb0a69db92ac17731cabec075095ce930b527d058322f1c
Instruction Fuzzy Hash: 181136B19002488FDB20DFAAC4457EEFBF5EF88324F208429D559A7250CB79A944CFA5

Function 0233E560 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0233E5C6

Memory Dump Source

Source File: 00000000.00000002.1790349191.0000000002330000.00000040.00000800.00020000.00000000.sdmp, Offset: 02330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2330000_PO for fabric forecast.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: fa5d7068cd45ef32ac67d16b228618ed0609ac69715011b5498589a63aa2a1e5
Instruction ID: e7a7b7f7c1232a44b7b8011205382e6d1f2a4cf39c9280fdb3f647d0f642c228
Opcode Fuzzy Hash: fa5d7068cd45ef32ac67d16b228618ed0609ac69715011b5498589a63aa2a1e5
Instruction Fuzzy Hash: 561110B6C002498FDB10CF9AC444ADEFBF4EF88324F10846AD468B7210D375A645CFA1

Function 0E7A11B4 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0E7A1215

Memory Dump Source

Source File: 00000000.00000002.1804772952.000000000E7A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E7A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e7a0000_PO for fabric forecast.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6cff6043aad839dc409615a57595c7dacf870931e3ef10f4bdd4b3e9edc16276
Instruction ID: f37238886cd561511c4ac4851b208a42dd0ca3d29ed329aacfb96f80ae5c0054
Opcode Fuzzy Hash: 6cff6043aad839dc409615a57595c7dacf870931e3ef10f4bdd4b3e9edc16276
Instruction Fuzzy Hash: A31103B5800348DFDB10DF9AD845BDEBBF8FB48324F20845AE558A7250D375A944CFA5

Function 0E7A11B8 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0E7A1215

Memory Dump Source

Source File: 00000000.00000002.1804772952.000000000E7A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E7A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e7a0000_PO for fabric forecast.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 0eacc70497b427d1ac54af8f646f7f73efd29e557b56d758adafb130483c6326
Instruction ID: b3a29f705399cc301a87f5c935234c3b806177f9dbf196a2944f803c56e3c19e
Opcode Fuzzy Hash: 0eacc70497b427d1ac54af8f646f7f73efd29e557b56d758adafb130483c6326
Instruction Fuzzy Hash: 601103B58003489FDB10DF9AC844BDEBBF8EB48320F108459D558A7250C375A944CFA5

Function 00A4D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1790051286.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a4d000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9b4d0fcf00ecd5da7eb57ff706d34bd7295b9bc9c7b8e60e7f8b968690f3975
Instruction ID: 7818775bbe1259fc9fb875e126f525ffa561f6a0b17aa5c4ec787aab247eabe5
Opcode Fuzzy Hash: c9b4d0fcf00ecd5da7eb57ff706d34bd7295b9bc9c7b8e60e7f8b968690f3975
Instruction Fuzzy Hash: 1F212279600240EFCB05DF14D9C0B2ABF75FBD8318F20C669E9094B256C736D856CAA2

Function 00A5D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1790086437.0000000000A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a5d000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fccd532b1a4df3bbd0d338044d2f3c79a33376bd65fa99f27ae149533e1d3eb
Instruction ID: 23c3b9683e145bf9ba8f958a5ca7c7331a5a3f26708de26e666f23ce2599fe5c
Opcode Fuzzy Hash: 2fccd532b1a4df3bbd0d338044d2f3c79a33376bd65fa99f27ae149533e1d3eb
Instruction Fuzzy Hash: 60210471504200EFDB25DF14D9C0B6ABBA5FB94315F20C66DEC094F296C376D84ACA61

Function 00A5D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1790086437.0000000000A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a5d000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83b09fc1fb5a6329ddb2ff87a601da4467ab0850adc47de665bc93c1dfd39812
Instruction ID: 020f7cf1f47f6aa603eb309c8513cc1805744686629c0a8be2520b05336fa88b
Opcode Fuzzy Hash: 83b09fc1fb5a6329ddb2ff87a601da4467ab0850adc47de665bc93c1dfd39812
Instruction Fuzzy Hash: A921F271604200DFDB24DF14D9C4B26BFA5FB84315F20C569DC0A4B296C33AD84BCA61

Function 00A5D005 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1790086437.0000000000A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a5d000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4195e0cba8c41e714700f05f623120e5f34804ccc855c88902452412edd767e6
Instruction ID: 4e175e546a77385e466f072b887381eb1a060e9efc5fbb9936eda9187e1756a8
Opcode Fuzzy Hash: 4195e0cba8c41e714700f05f623120e5f34804ccc855c88902452412edd767e6
Instruction Fuzzy Hash: A72162755093808FDB16CF24D994715BF71FB46314F28C5DAD8498B6A7C33A980ACB62

Function 00A4D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1790051286.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a4d000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 8f0a0d0e40f41c100cf43f3e30d81de8cff070b6269a82bc22eced743a225701
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: DB11D376504280CFCB16CF14D5C4B16BF71FB94318F24C6A9D8494B656C336D85ACBA2

Function 00A5D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1790086437.0000000000A5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a5d000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: a20ebfd68490568579c7b36fabef9317655208f4222cd8fcfa133738c98c8ac7
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 49118B75504280DFDB16CF14D5C4B59BBA1FB84314F24C6AEDC494B696C33AD84ACB61

Function 00A4D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1790051286.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a4d000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e33eb9480b59c685fcf7f0ef1f54048a11751b89cd21cc456047f940756008a
Instruction ID: 1afeaf76bfae1e7632582559ffb0f7b267fbe9114dc5be0776bd305d93e16109
Opcode Fuzzy Hash: 4e33eb9480b59c685fcf7f0ef1f54048a11751b89cd21cc456047f940756008a
Instruction Fuzzy Hash: 2401D6750083409AE7109F29CD88B67BFACEFC1324F18C56AED094E296D679D841CBB1

Function 00A4D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1790051286.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a4d000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4e6530b0905ffa05d04cf40e583216878465528d9d2ecbae83c8349bd9181b2
Instruction ID: 0305870288cffed57c315579f18d2689b2b7187979f1be81b4ade7818f1d19fb
Opcode Fuzzy Hash: f4e6530b0905ffa05d04cf40e583216878465528d9d2ecbae83c8349bd9181b2
Instruction Fuzzy Hash: 44F06D75408344AAEB108F1ACC88B62FFA8EF91735F18C45AED084E296C6799844CBB1

Non-executed Functions

Function 09660040 Relevance: 7.3, Strings: 5, Instructions: 1028COMMON

Download Yara Rule

Strings

pbq, xrefs: 09660D13
TJcq, xrefs: 096601E6
Te^q, xrefs: 09660897
4'^q, xrefs: 09660C3C
xbaq, xrefs: 09660171

Memory Dump Source

Source File: 00000000.00000002.1803489394.0000000009660000.00000040.00000800.00020000.00000000.sdmp, Offset: 09660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9660000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID: 4'^q$TJcq$Te^q$pbq$xbaq
API String ID: 0-2576840827
Opcode ID: 5ac3498a3d5721bad2f5c65fb1fb9eed82b041561deb5a80670ece1444333cc5
Instruction ID: 15140ba42bca5112535e4569da306f9b530bdb2b61b2ae0a12855448a5dec3c9
Opcode Fuzzy Hash: 5ac3498a3d5721bad2f5c65fb1fb9eed82b041561deb5a80670ece1444333cc5
Instruction Fuzzy Hash: BAB2A475A00628DFDB64CF69C984AD9BBB2FF89304F1581E9D509AB325DB319E81CF40

Function 09660012 Relevance: 4.0, Strings: 3, Instructions: 254COMMON

Download Yara Rule

Strings

TJcq, xrefs: 096601E6
Te^q, xrefs: 09660897
xbaq, xrefs: 09660171

Memory Dump Source

Source File: 00000000.00000002.1803489394.0000000009660000.00000040.00000800.00020000.00000000.sdmp, Offset: 09660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9660000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID: TJcq$Te^q$xbaq
API String ID: 0-3225726259
Opcode ID: 459e0b54ca97e24fd79ab2dcb829a5898f6762947f8286adf0a6430aa8c1ed56
Instruction ID: 2de0569fe7a8692556adc0a26101cc008a8f3933505446f20e68287ec053fff4
Opcode Fuzzy Hash: 459e0b54ca97e24fd79ab2dcb829a5898f6762947f8286adf0a6430aa8c1ed56
Instruction Fuzzy Hash: E3C17475E016588FDB69CF6AC944AD9BBF2BF89300F14C1EAD409AB325DB305A85CF50

Function 0966A070 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

|6d, xrefs: 0966A23B

Memory Dump Source

Source File: 00000000.00000002.1803489394.0000000009660000.00000040.00000800.00020000.00000000.sdmp, Offset: 09660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9660000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID: |6d
API String ID: 0-1476808477
Opcode ID: 5fb0a3e629579c278929887b3621ef0c4422855ff9ff930477f8cd2daf2be3c8
Instruction ID: 3c0908ea3369f7ad595cf9fb27447cfd733b02a5951fe1281322f089d0cc20cc
Opcode Fuzzy Hash: 5fb0a3e629579c278929887b3621ef0c4422855ff9ff930477f8cd2daf2be3c8
Instruction Fuzzy Hash: B4E1D774E001598FCB14DFA9C5849AEFBB2FF89304F248169E415AB35AD731AD42CFA1

Function 0966A4A8 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

@8d, xrefs: 0966A673

Memory Dump Source

Source File: 00000000.00000002.1803489394.0000000009660000.00000040.00000800.00020000.00000000.sdmp, Offset: 09660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9660000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID: @8d
API String ID: 0-3898942734
Opcode ID: e186ad89bca240d9f869ce71d8c977b722f255fba72d99a9e018c074bca1cbaf
Instruction ID: c00ab5605301d7df65dd0625eb177e0450447d0ddb99d8b718298bb2ee95248b
Opcode Fuzzy Hash: e186ad89bca240d9f869ce71d8c977b722f255fba72d99a9e018c074bca1cbaf
Instruction Fuzzy Hash: C8E1DA74E101198FCB14DFA9C5849AEFBB2FF89304F248169E415AB35AD731AD42CFA1

Function 02332A18 Relevance: 1.4, Strings: 1, Instructions: 174COMMON

Download Yara Rule

Strings

0p, xrefs: 02332A8E

Memory Dump Source

Source File: 00000000.00000002.1790349191.0000000002330000.00000040.00000800.00020000.00000000.sdmp, Offset: 02330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2330000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID: 0p
API String ID: 0-1471970917
Opcode ID: d8255ddec58ceac5021f0364b59c192116265f665cdfc6981a816b2dfca51c5e
Instruction ID: 7d7dfeb7520b0ace97abe25651852ec1beef476fc8b1924f2133e54afb348604
Opcode Fuzzy Hash: d8255ddec58ceac5021f0364b59c192116265f665cdfc6981a816b2dfca51c5e
Instruction Fuzzy Hash: 9C6158316142458FC726CF39C880A5B7FF6FF85300B44C8AAE99ACB666D630EE51CB51

Function 09669C28 Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1803489394.0000000009660000.00000040.00000800.00020000.00000000.sdmp, Offset: 09660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9660000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77a19262e5d01a051fd33717893c78984f410d2650671cad54ac9496359c0017
Instruction ID: ab2a03e8d36690b16ff9f51947dbe743e8febe6b56b999e5d68bb01b05da6e0c
Opcode Fuzzy Hash: 77a19262e5d01a051fd33717893c78984f410d2650671cad54ac9496359c0017
Instruction Fuzzy Hash: 46E1DC74E041198FCB14DFA9C5849AEFBB2FF49304F248169E819AB35AD731AD41CF61

Function 0966BB80 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1803489394.0000000009660000.00000040.00000800.00020000.00000000.sdmp, Offset: 09660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9660000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a17137bfba359f03ba88327d0003ba2eae621cef65ee5748299228df3a835b70
Instruction ID: fad486b6610e3a5bba1a977dae44e719c3735ccee2f324ddd0d40333304589f1
Opcode Fuzzy Hash: a17137bfba359f03ba88327d0003ba2eae621cef65ee5748299228df3a835b70
Instruction Fuzzy Hash: 5AE1E974E041198FDB14DFA9C584AAEBBB2FF89304F248169E415EB35AD731AD42CF60

Function 0966B748 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1803489394.0000000009660000.00000040.00000800.00020000.00000000.sdmp, Offset: 09660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9660000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 370da0682802948e0d8c8ff5179ea414d6b52296d14e3eae4b8d32c00bd47ce1
Instruction ID: 243750b5e1f4b4388a87a56f9ecaa33a4d9df25d9779e0f4970af7d8392cf6cc
Opcode Fuzzy Hash: 370da0682802948e0d8c8ff5179ea414d6b52296d14e3eae4b8d32c00bd47ce1
Instruction Fuzzy Hash: 58E1C774E14119CFCB14DFA9C580AAEBBB2FF89304F248169E415AB35ADB31AD41CF61

Function 09372E70 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1802026159.0000000009370000.00000040.00000800.00020000.00000000.sdmp, Offset: 09370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9370000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac2013adbae333e59e8abec23060b4842ea8fc7e102e7b974b5feef5dc75a960
Instruction ID: 2624a77fdba7116a15d009325658a9fdc10f1c2cde10164bb1c2821fa725ee17
Opcode Fuzzy Hash: ac2013adbae333e59e8abec23060b4842ea8fc7e102e7b974b5feef5dc75a960
Instruction Fuzzy Hash: F8A10531B043018FCB39DF28D494A6AFBA2AF85300B158469E415DB765CB39EC81CFA2

Function 093731D2 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1802026159.0000000009370000.00000040.00000800.00020000.00000000.sdmp, Offset: 09370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9370000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3995c13b26222af5404e15a4f8e29aad10ce5c6a197f9521bd7c2ac0db023884
Instruction ID: 2e6e98d53f1bb9263e05011837a3459f98993f3ad6303e440d3414e931b3c87f
Opcode Fuzzy Hash: 3995c13b26222af5404e15a4f8e29aad10ce5c6a197f9521bd7c2ac0db023884
Instruction Fuzzy Hash: 7BA11231B142188BCB65CB28D58197EFBF6EFC9350B18C82AE066DB664C638ED45DF50

Function 096628D1 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1803489394.0000000009660000.00000040.00000800.00020000.00000000.sdmp, Offset: 09660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9660000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e212c441868d5766004e9998cce9acc56658225f45d2c9966768c428875eb708
Instruction ID: b97627c958eac9ebff4654c1e1e841b48b61b4ff78bc97d5119531e47402be10
Opcode Fuzzy Hash: e212c441868d5766004e9998cce9acc56658225f45d2c9966768c428875eb708
Instruction Fuzzy Hash: 46A1D374D05218CFDB18CFA6C8547EDBBF6BF8A340F1091AAD419A7261DB745986CF40

Function 096628E8 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1803489394.0000000009660000.00000040.00000800.00020000.00000000.sdmp, Offset: 09660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9660000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f4e4093c928a626539786d463f0cbfec311bc85a7a3c11969a03b80c2ea196
Instruction ID: 2ed07cedcfb6b0395f275f39a0a02ea51997908bb0e43b63d44e615257e84bec
Opcode Fuzzy Hash: e1f4e4093c928a626539786d463f0cbfec311bc85a7a3c11969a03b80c2ea196
Instruction Fuzzy Hash: 8CA1E274D09228CFDB18CFA6C8547EDBBF6BF8A340F10916AD419A7261DB745A86CF40

Function 0966A4A0 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1803489394.0000000009660000.00000040.00000800.00020000.00000000.sdmp, Offset: 09660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9660000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03a3ae957a0cffb3df5a02e504cc1d47e354c0a75d90efaf9e9f1829eec35419
Instruction ID: e6e13d66649c82102e631b699651adb063a1b358b6598379010082fd0982498c
Opcode Fuzzy Hash: 03a3ae957a0cffb3df5a02e504cc1d47e354c0a75d90efaf9e9f1829eec35419
Instruction Fuzzy Hash: F251EAB5E002198BDB14DFA9C5845AEFBB2FF89304F24C169D418A7356D731AA42CFA1

Function 023335FA Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1790349191.0000000002330000.00000040.00000800.00020000.00000000.sdmp, Offset: 02330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2330000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfe8cc356474d7e60016c929dc50d1ee14be1e2286553465c6222ed3f9d66556
Instruction ID: 7a5932b035782fc810e51d12ea7e5953a77d3888afc60332157f31396ce83571
Opcode Fuzzy Hash: dfe8cc356474d7e60016c929dc50d1ee14be1e2286553465c6222ed3f9d66556
Instruction Fuzzy Hash: B731D6B5F1810A8FCB45CF69C8C556EFBF5AB84200F16C16AE506E7752D234CA40CBD1

Function 02333608 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1790349191.0000000002330000.00000040.00000800.00020000.00000000.sdmp, Offset: 02330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2330000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8c8966931caddb8cb0126d021a8806c5d45ad01fc3c45847a7a3a209e8bd617
Instruction ID: 553e56073413271155f6085acbdc1d7c88e1826d941381d9116373ec53d21614
Opcode Fuzzy Hash: c8c8966931caddb8cb0126d021a8806c5d45ad01fc3c45847a7a3a209e8bd617
Instruction Fuzzy Hash: 6031C6B5F1420ACFCB45CF69C88556EFBB5EB88200F12D16AE906EB752D235DA40CBD1

Analysis Process: PO for fabric forecast.exePID: 7912, Parent PID: 7480COMMON

Executed Functions

Function 011D9B38 Relevance: 2.8, Instructions: 2815COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3000016181.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11d0000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4ee3b7d72514f7df545616ea595b6fb2564ab71d8e130c0ebb02b61d17398cd
Instruction ID: b06ae970e4223585f5d9ee02148110a46a094d9a76f70acddfa181d42e22d096
Opcode Fuzzy Hash: e4ee3b7d72514f7df545616ea595b6fb2564ab71d8e130c0ebb02b61d17398cd
Instruction Fuzzy Hash: A353F831C10B1A8ACB55EF68C8805A9F7B1FF99300F15D79AE45977221FB70AAD4CB81

Function 011DCDB0 Relevance: 2.3, Instructions: 2304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3000016181.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11d0000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0f69aca6e4c214a87504789fda1e1402f8544bc2325a374660c10a00cc760db
Instruction ID: 70dd6b51ae241f7985a23bd8fa63fb67a4512d5bb337bc7953bba7481a8d4e09
Opcode Fuzzy Hash: b0f69aca6e4c214a87504789fda1e1402f8544bc2325a374660c10a00cc760db
Instruction Fuzzy Hash: 11334031D107198ECB15DF68C8906ADF7B1FF99300F15C79AE459AB211EB70AAC5CB81

Function 011D3E80 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

\VXm, xrefs: 011D40CB

Memory Dump Source

Source File: 00000008.00000002.3000016181.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11d0000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID: \VXm
API String ID: 0-2312107965
Opcode ID: 16dc85aad3e740778038d2f613b462c9d68fe6cab9a45b966e94b4e08cc3db75
Instruction ID: 5816596d525603c08bb8f77a1fe78965e15a6bbb8727c88b14930f1f1d6809c2
Opcode Fuzzy Hash: 16dc85aad3e740778038d2f613b462c9d68fe6cab9a45b966e94b4e08cc3db75
Instruction Fuzzy Hash: AC915EB0E10209CFDF18CFA9D9957DEBBF2BF88314F148129E415A7654EB749845CB82

Function 011D4A98 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3000016181.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11d0000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 303161e5cc0acd2e663757ad2f86d2ce0d7ac83f2171b69ea15bc76e3a319429
Instruction ID: 53f1340e76f803b979e391e103317b3817aebd5f21c66297e069d2b1d9cf3370
Opcode Fuzzy Hash: 303161e5cc0acd2e663757ad2f86d2ce0d7ac83f2171b69ea15bc76e3a319429
Instruction Fuzzy Hash: D0B18070E006098FDF18CFA8C8917EDBBF2BF98314F148129D859E7A94EB749845CB81

Function 011D4804 Relevance: 2.7, Strings: 2, Instructions: 182COMMON

Download Yara Rule

Strings

\VXm, xrefs: 011D487F
\VXm, xrefs: 011D49D2

Memory Dump Source

Source File: 00000008.00000002.3000016181.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11d0000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID: \VXm$\VXm
API String ID: 0-3652994748
Opcode ID: 81773d02059612fcd03ab709eaf8c297e97acaddb35ef03965410627051ee70b
Instruction ID: c0c91a1d3dc4fda4a1ff7c681e32a5879a228d9aff4ebef0469250cc6dcdd6a9
Opcode Fuzzy Hash: 81773d02059612fcd03ab709eaf8c297e97acaddb35ef03965410627051ee70b
Instruction Fuzzy Hash: B7716CB0D00249CFDF18CFA9C9857DDBBF1AF48314F148129E419ABA54EB749846CF96

Function 011D4810 Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

\VXm, xrefs: 011D487F
\VXm, xrefs: 011D49D2

Memory Dump Source

Source File: 00000008.00000002.3000016181.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11d0000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID: \VXm$\VXm
API String ID: 0-3652994748
Opcode ID: 1ecc90df2b1240f7129eb561cc3a8bb15ab4fd7e654e72aa81f8c190646a55f8
Instruction ID: 151976b2b1fb1a9d1e6750aa0cf489db7ef3093029fcdea40a91643c4f7eeca1
Opcode Fuzzy Hash: 1ecc90df2b1240f7129eb561cc3a8bb15ab4fd7e654e72aa81f8c190646a55f8
Instruction Fuzzy Hash: C8714FB0E00249CFDF18CFA9C98579DBBF2EF48314F148129E419A7A54EB749845CB96

Function 011D6ED8 Relevance: 2.6, Strings: 2, Instructions: 150COMMON

Download Yara Rule

Strings

LR^q, xrefs: 011D6FE5
LR^q, xrefs: 011D6F0E

Memory Dump Source

Source File: 00000008.00000002.3000016181.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11d0000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID: LR^q$LR^q
API String ID: 0-4089051495
Opcode ID: 67450a961be8f17eccda1dbaf95e0543347c8018354f25a6bc8511bc7d8ec9bc
Instruction ID: dc996811cdc38b80eba196133f989c85b6b0403e76f267309e3dbd16ba25a427
Opcode Fuzzy Hash: 67450a961be8f17eccda1dbaf95e0543347c8018354f25a6bc8511bc7d8ec9bc
Instruction Fuzzy Hash: 6851D230B002158FDB1ADF78D8507AEB7B1FF86314F10852AE415EB281DB759C46CB92

Function 011D3E74 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

\VXm, xrefs: 011D40CB

Memory Dump Source

Source File: 00000008.00000002.3000016181.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11d0000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID: \VXm
API String ID: 0-2312107965
Opcode ID: ac933cf79a8d786fe7ec07691d3ec6182ece9cb92168711fc0aff324d25fa5e4
Instruction ID: 959d7caca844d46600ba92bcb33bfb2bcc0c721d7620388b89da6f449bfe3a41
Opcode Fuzzy Hash: ac933cf79a8d786fe7ec07691d3ec6182ece9cb92168711fc0aff324d25fa5e4
Instruction Fuzzy Hash: C7A15BB0E10209CFDF18CFA8D9857DEBBF1BF48314F148129E459A7654EB749886CB82

Function 011DF2ED Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

PH^q, xrefs: 011DF43B

Memory Dump Source

Source File: 00000008.00000002.3000016181.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11d0000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 8ebb988dc3953951157819a45531f84fce8cbf2ac9321291287ecf8dea274b2d
Instruction ID: 642a7da3f1c8bc877d28063c6f0d870ddd46769e0abec8d3ade8221877556537
Opcode Fuzzy Hash: 8ebb988dc3953951157819a45531f84fce8cbf2ac9321291287ecf8dea274b2d
Instruction Fuzzy Hash: FE41FF30B042029FCB1AAB38C5546AE7BE2ABC8210F144478D006DB395EF79DE87CB91

Function 011D6F78 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

LR^q, xrefs: 011D6FE5

Memory Dump Source

Source File: 00000008.00000002.3000016181.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11d0000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: d94e83927091140f65638cc10a71c676fa9d38262e27928ab517df3597e79b66
Instruction ID: 2b5285a2b01e10bbbcccb7e91fa2ff2c380a667c3d294ff7f6fd0c27253daa2b
Opcode Fuzzy Hash: d94e83927091140f65638cc10a71c676fa9d38262e27928ab517df3597e79b66
Instruction Fuzzy Hash: 3331B335E102198BDF19DFA9D45079EB7B1FF8A304F108525E815FB280EB71A846CB81

Function 011D6B9F Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

LR^q, xrefs: 011D6BD7

Memory Dump Source

Source File: 00000008.00000002.3000016181.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11d0000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: e2660f2edcd0bf0c5cb61991b5ddaeca650eb31604fb9e0a36aced2da27d453d
Instruction ID: 410fd3beabb958fd28b6df887dfe032793227ba5708b0406175963786acc5a86
Opcode Fuzzy Hash: e2660f2edcd0bf0c5cb61991b5ddaeca650eb31604fb9e0a36aced2da27d453d
Instruction Fuzzy Hash: C821F5316143415FC30AEB3D90602AEBBB1FF86314B1045AFC049CB396DB798C46C792

Function 011D7908 Relevance: .6, Instructions: 554COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3000016181.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11d0000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73c5b05df52c6c3e25a2bd038f651a14061380cf868675d05e19438c7c357663
Instruction ID: 91767202c4da650f87adba5146f5d29a44d7312ac84e96b035897ec885012815
Opcode Fuzzy Hash: 73c5b05df52c6c3e25a2bd038f651a14061380cf868675d05e19438c7c357663
Instruction Fuzzy Hash: 591260317102069FCB5EAB3CE4956AC7AA6FB8A244F50893AE005CF356DF71DC46DB81

Function 011D9364 Relevance: .4, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3000016181.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11d0000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd38a8a86a9becd21e6a24dafbcc60e7c79994490d53087dfe731d21419fc8dc
Instruction ID: 2f33836ad5d7e3dfc7385443f83cc653aa619064e43b984ff55b4cadc004c9b1
Opcode Fuzzy Hash: dd38a8a86a9becd21e6a24dafbcc60e7c79994490d53087dfe731d21419fc8dc
Instruction Fuzzy Hash: 7EE18034B002099FDB19DF68D594AAEBBB2FF88318F144469E50AE7395DB35DC42CB81

Function 011D96E0 Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3000016181.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11d0000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6212c7f5d056ede6a222ac5d82ba43a5e7381d59eccd543154d41ef9780124d4
Instruction ID: abb21b08b68d1fe4b6061c307d59d921645648af9186beac4b99c2310f3de854
Opcode Fuzzy Hash: 6212c7f5d056ede6a222ac5d82ba43a5e7381d59eccd543154d41ef9780124d4
Instruction Fuzzy Hash: 22C1BE75B002098FDB18CF68D9807AEBBB2FF88318F208569E509EB395D775D845CB91

Function 011D4A8E Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3000016181.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11d0000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba003623418a7afca1a2a47dc906ae73ef38418d39046c294c58e64b66c7c499
Instruction ID: dcf4fbc6fee742a36a2b2302a72190ba3906703ca7bcf13286b1ac61f0ca18cf
Opcode Fuzzy Hash: ba003623418a7afca1a2a47dc906ae73ef38418d39046c294c58e64b66c7c499
Instruction Fuzzy Hash: 96B16D70E006098FDF18CFA8D9957DDBBF1BF58314F148129D858EBA94EB749885CB81

Function 011D6CDE Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3000016181.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11d0000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eda7584e91882d13597c02eeb3ea86b891db9984c0be5e894499fd26b5036bc
Instruction ID: f69f3bec28c171a1feb0dcf90a4c5fe3171c9b1756253c7e8ca07cd410c15c2d
Opcode Fuzzy Hash: 8eda7584e91882d13597c02eeb3ea86b891db9984c0be5e894499fd26b5036bc
Instruction Fuzzy Hash: 9B512470D002288FDB18CFA9D844B9DFBB1BF48314F14812AE859BB391D7789845CF95

Function 011D6CE8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3000016181.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11d0000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8962e3a1cb6da3e2346cd5643a2f574b6911c220b48b5aadcbca8fe5355ae6e
Instruction ID: c251b38aaad4b15b7e533d8b959a214df02066567081b4588b95ee8c9c69ea91
Opcode Fuzzy Hash: b8962e3a1cb6da3e2346cd5643a2f574b6911c220b48b5aadcbca8fe5355ae6e
Instruction Fuzzy Hash: 50510471D002288FDB18CFA9D888B9DFBB1BF48714F148129E859BB391D774A845CF95

Function 011D1128 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3000016181.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11d0000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d310c277d8729fecf11ffc0bd02200421f503d6643ee032e07d2240b791a658
Instruction ID: 4a60416b31d2903c0a24e6dffa7b3bca388d73308836e2d5385559d1efed691a
Opcode Fuzzy Hash: 8d310c277d8729fecf11ffc0bd02200421f503d6643ee032e07d2240b791a658
Instruction Fuzzy Hash: B0510C3154124A9FC71AFB68F9A4A587BB6FB5630430499BAD0108F73EFB606989CF50

Function 011D1138 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3000016181.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11d0000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 589f4cb79dc9303b3ec0de58fdf41156874cab549524686da9ee197fb57f3eee
Instruction ID: 7a42be60bb3e036d44aeb286d7eefbf8bc3f95cf3d079a8f4a1b6e6384b39ca0
Opcode Fuzzy Hash: 589f4cb79dc9303b3ec0de58fdf41156874cab549524686da9ee197fb57f3eee
Instruction Fuzzy Hash: 3051EB3164124A9FC71AFB68F9A0A587BB6F7953043049979D0108F73DFF606989CF90

Function 011DF1B0 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3000016181.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11d0000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b05503cda0dc7035c7e9db9ca87d42d2ca99343d24c415b69c8a7b69275cedb3
Instruction ID: 2301ef2760b394c5c1d48727ae9cae8361211b0f0c5c21b942fc6594b881593d
Opcode Fuzzy Hash: b05503cda0dc7035c7e9db9ca87d42d2ca99343d24c415b69c8a7b69275cedb3
Instruction Fuzzy Hash: C7315235E106069BCB49DFA8D45469EB7B2FF89300F14851AE816EB754EB70ED47CB40

Function 011D26DC Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3000016181.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11d0000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b2bc0394405458b647b233abf70f658aba7267a7a63b0da6b4bd49d76197af4
Instruction ID: 5e55f99da5d1e885af0e3a77f9e71ff83e317a5cf9a0009c0ecd868f2e244eea
Opcode Fuzzy Hash: 5b2bc0394405458b647b233abf70f658aba7267a7a63b0da6b4bd49d76197af4
Instruction Fuzzy Hash: EF41E0B1D00349DFDB14CFA9C584ADEBFF5EF48314F24812AE419AB254DB35994ACB90

Function 011DF1C0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3000016181.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11d0000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7c104782478824195df9eb89bdf3d063964be0d2eea32060fd06138791ba43b
Instruction ID: 65ef52f3e442ac18344270d90aeb823ed1de349b8e4dfd659dd16118c466390b
Opcode Fuzzy Hash: e7c104782478824195df9eb89bdf3d063964be0d2eea32060fd06138791ba43b
Instruction Fuzzy Hash: 88316035E1020A9BCB19DFA9D85469EBBB2FF89300F148519E816E7754EB70ED47CB40

Function 011D26E8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3000016181.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11d0000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5167a8ff5d6ce623a95fd4687a693bf1767cdcdac33e4216ceb3b484d269740
Instruction ID: ac8b95946a122a45b1b836751b2fc6f98e8d313df838dadaa22f6e3f9955c737
Opcode Fuzzy Hash: d5167a8ff5d6ce623a95fd4687a693bf1767cdcdac33e4216ceb3b484d269740
Instruction Fuzzy Hash: C441EDB0D002499FDB14DFA9C584ADEBFF5FF48310F24802AE819AB254DB75A945CB90

Function 011D9250 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3000016181.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11d0000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b5a516f1239b518486a0a6535ddd982231e10df9617af62e79c7c2e8f20494d
Instruction ID: 3211096d833134c1c96b6d3c261aa44939e3ed5d783325e819f232bfdee3e67a
Opcode Fuzzy Hash: 8b5a516f1239b518486a0a6535ddd982231e10df9617af62e79c7c2e8f20494d
Instruction Fuzzy Hash: D931A031E0020A9BDB09CFA9D4846DEF7B2FF89304F14851AE405EB351DBB09846CB80

Function 011D9260 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3000016181.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11d0000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85c57010efdf8351b9d4dca155714fb37d6860af21f085ece6b472d6960a69f9
Instruction ID: 932c38b7d4725e53a5ad13b6a95b86ab0fc728a3fe46cffe085c4ca0e3e0c3a9
Opcode Fuzzy Hash: 85c57010efdf8351b9d4dca155714fb37d6860af21f085ece6b472d6960a69f9
Instruction Fuzzy Hash: 93219131E0020A9BDF09DFA9D5946DEF7B2FF89304F14851AE805EB341DB709846CB91

Function 011D9150 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3000016181.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11d0000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69c39d010cdfecc75ebf28faf3ae673ce344a8b144074a9612e1990efea46c26
Instruction ID: 0b86c5ae66b8571afdad235b26099c6493831197393a9eb495cf24219450ced2
Opcode Fuzzy Hash: 69c39d010cdfecc75ebf28faf3ae673ce344a8b144074a9612e1990efea46c26
Instruction Fuzzy Hash: 76219235E0420A9BDB1DCFA8D4446DEB7B2AF89314F14861AE815B7340DB709946CB51

Function 011D16A0 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3000016181.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11d0000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f0c6d34fe004f89f0271de8ac9df3b5671a2c5e07f24314c87a1f460e287993
Instruction ID: 014b2f042d40ee1fd71ec798400326ac2ddfda31315faac5fffdd0321cd3d9d4
Opcode Fuzzy Hash: 7f0c6d34fe004f89f0271de8ac9df3b5671a2c5e07f24314c87a1f460e287993
Instruction Fuzzy Hash: 8921B0382002469FDF27EB28E85876D7765EB41314F115A76D016CF36AEB74C8898B82

Function 011D4F88 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3000016181.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11d0000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f7e00cc1cc5befd273f8e26a853c498cdb9e9b8d0d5bedafc49c02e5d4765f8
Instruction ID: f3154b0f1e57c53d923cf7c8668079351cf4d52fb5f4580209132dc5184cac32
Opcode Fuzzy Hash: 3f7e00cc1cc5befd273f8e26a853c498cdb9e9b8d0d5bedafc49c02e5d4765f8
Instruction Fuzzy Hash: 6D212D30700209CFCB58EF78C558AAD7BF6BF4D244B2444A9E406EB365DB769D41CB91

Function 011D1380 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3000016181.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11d0000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4724c7133b49f5a331f8982dd4dd276340a6aa7f83abea8605fa966cde4c4912
Instruction ID: 9dd9c7505b60f555694b8395aca121a4476b5aaadf1ea52075489e6f0e63900f
Opcode Fuzzy Hash: 4724c7133b49f5a331f8982dd4dd276340a6aa7f83abea8605fa966cde4c4912
Instruction Fuzzy Hash: 5621E470A00301AFDB3A666CE4587BD3761EB82325F11183AD426DF78ADF29C885C742

Function 0118D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2999677872.000000000118D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_118d000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83ef23baf5aca27d92ea6b9d82c6832827150752d01cdee522728bc0b318c55d
Instruction ID: 5075f4c21df7637e5a3374d742b2b5bb0fd6a393ae3aad96678a5fb2235b9080
Opcode Fuzzy Hash: 83ef23baf5aca27d92ea6b9d82c6832827150752d01cdee522728bc0b318c55d
Instruction Fuzzy Hash: 0C212271604300DFDF19EF98E9C4B26BFA5EB84314F20C66DD80A4B296C33AD447CA62

Function 011D9160 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3000016181.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11d0000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37d4f17089cbd714070028db60d935a92095c237c0f4b47ec0c4e79c4cd08c84
Instruction ID: 197e0d9e874dbb7f8ac4265d06cb01b1e24b441089df50230abcec53f333be54
Opcode Fuzzy Hash: 37d4f17089cbd714070028db60d935a92095c237c0f4b47ec0c4e79c4cd08c84
Instruction Fuzzy Hash: EF216235E0020A9BDF1DCFA9D8546DEF7B2AF89318F14862AE815F7340DB709946CB51

Function 011D1888 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3000016181.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11d0000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3e4282fa7bbc6610c1b3606e27b51e4746cda19c6f6c77525ac286655c6df7
Instruction ID: 5dd0fd0ec1b7596d4d956641d52ecb98ad5f15cb0098bb087d902f507a8b931b
Opcode Fuzzy Hash: 1c3e4282fa7bbc6610c1b3606e27b51e4746cda19c6f6c77525ac286655c6df7
Instruction Fuzzy Hash: B6211A30B042199FDF1CEB78C5647AE7BF6AF89245F100868D506EB395EB369D40CBA1

Function 011D16B0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3000016181.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11d0000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce4b37a47afe91f86738382f367e25598baa78fa3c8e2d1ed3a7b6f66ed31d6f
Instruction ID: 87c07c745d9003526f9cfa1e117d6bff5080203b3343ae3b8027b14aab35f972
Opcode Fuzzy Hash: ce4b37a47afe91f86738382f367e25598baa78fa3c8e2d1ed3a7b6f66ed31d6f
Instruction Fuzzy Hash: BC21A5342002065FDF26EB2CE898B6D7765E744304F115A32D01ACF36EEB74D8898F92

Function 011D187A Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3000016181.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11d0000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1333b83483e202c53851090e1bbb5e70570c02577493042fcf376e2d1e03d4d
Instruction ID: fa3734855f2486c1fcec454e343b092423f2243f79261162d7853483d17543f1
Opcode Fuzzy Hash: d1333b83483e202c53851090e1bbb5e70570c02577493042fcf376e2d1e03d4d
Instruction Fuzzy Hash: 8B215930B00215DFEB1CEB78C5647AE77F6AF89245F200469D506EB3A5EB368D40CB91

Function 011D4F98 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3000016181.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11d0000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d4df0576cdaadcafa26ac7265e4345d5575089e067d4e840dffc15294825769
Instruction ID: ebb379d01271fe5dea45a5a6cff8888a011fb7ff51d21a48710f86e7b29a9d74
Opcode Fuzzy Hash: 8d4df0576cdaadcafa26ac7265e4345d5575089e067d4e840dffc15294825769
Instruction Fuzzy Hash: 17210930700219CFDB58EB78C558AAE7BF6BF4D244F104468E406EB3A5EB369D40CB91

Function 011D0838 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3000016181.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11d0000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c144e3b6ebf1e368781a6ba678c4621d82b6a9db11d48598761e2af6fe03a79
Instruction ID: 991768e3713e3f6dc60e1b34a613e672244072caa6e8a1fb0aeafb8859ec004c
Opcode Fuzzy Hash: 5c144e3b6ebf1e368781a6ba678c4621d82b6a9db11d48598761e2af6fe03a79
Instruction Fuzzy Hash: 43112330E013058FDF2E567CD40137E77A1EB8A220F11497AF002DF242EB64C8868BD2

Function 011D0848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3000016181.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11d0000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fce43c66aac3811d47e8b5af7150fb03685ddc4a326a391e96391077ee6bcfc
Instruction ID: accc9738eedc7f8ec5a6102d443a101d17363fde82cd69a022d7bb6afdbd2d9a
Opcode Fuzzy Hash: 4fce43c66aac3811d47e8b5af7150fb03685ddc4a326a391e96391077ee6bcfc
Instruction Fuzzy Hash: F511BF30F002098FDF2E9A7CD40532E76A1EB49210F118939E006DF346DB61DC858BD1

Function 011D80F1 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3000016181.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11d0000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a970cb2b686c0f2cb6243c62ceafdd02b7f7a4d24405a7f17ed1df71860d4e5c
Instruction ID: c34464b372a32fb7d96cafa97fdad27817c1797c732ff5c6aa7bead1e5a3569e
Opcode Fuzzy Hash: a970cb2b686c0f2cb6243c62ceafdd02b7f7a4d24405a7f17ed1df71860d4e5c
Instruction Fuzzy Hash: BE11B234A0020AEFDF45EB68F994ADDBBB5EB84304F10457AC408DB369EB31DE458B81

Function 011D148A Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3000016181.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11d0000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34517c22d0f80796ed5a1d5d003cb6c71e21dcf9bc52ebf83c9c6616c7e3ea0d
Instruction ID: d257ca7f89278b197594193726d11d01da343fc74ba4dfe91e393c988f84063e
Opcode Fuzzy Hash: 34517c22d0f80796ed5a1d5d003cb6c71e21dcf9bc52ebf83c9c6616c7e3ea0d
Instruction Fuzzy Hash: 6F112A31A003159FDB69EFB8D4501AEBBF5EF58224F2504BED805E7245E739D8828BA1

Function 011D17C2 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3000016181.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11d0000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb6c95867c0e7301f7159fbdbdf6d8a015d7a512b1f8262296feb4973eb77f6a
Instruction ID: 944fd5b694d9cb3190e397c0643904bfaa82425d09bb11f7e467fc9f6f2c40e0
Opcode Fuzzy Hash: eb6c95867c0e7301f7159fbdbdf6d8a015d7a512b1f8262296feb4973eb77f6a
Instruction Fuzzy Hash: 4C11C236F002119FDF15AB79980826E7BE5AB88224F11452AD919E7344EB34C906CB81

Function 0118D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2999677872.000000000118D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_118d000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 39721540dbbc6c72a01616421dccee5117b8e4d9e8ae0b4ede548a5f704d4717
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: B911A975504380CFDB16DF58E584B16BBA2FB84214F24C6AAD8494B696C33AD40BCFA2

Function 011D1498 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3000016181.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11d0000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8a11959b9d289709e54ad327be58563430f2b31d2240e063e90e39a161c2364
Instruction ID: 964891f3684fbcd040224fd39a40cf84ff0632c21793180e1ae9de400fda4200
Opcode Fuzzy Hash: b8a11959b9d289709e54ad327be58563430f2b31d2240e063e90e39a161c2364
Instruction Fuzzy Hash: 0A015231A002159FCF29EFB884541AEBBF5EF49214F2504BAE805E7305E735D9418BA1

Function 011D1524 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3000016181.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11d0000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e098093039093750054cd99209b358eed74c79542827349065e9c454f178643
Instruction ID: d390bcba199c7d799bfb293da26f70702ebbad1221e3d2b23a84048f0ab76c53
Opcode Fuzzy Hash: 7e098093039093750054cd99209b358eed74c79542827349065e9c454f178643
Instruction Fuzzy Hash: BEF0BB37A04150EFD72A9BA894901ACBFA1FEA9111B5D00D7D406DB215D735D542C752

Function 011D7090 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3000016181.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11d0000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48e4b5acd2d1ecef011a181d6d977df37ea21ad1772afeb5c8f010bb80fb1426
Instruction ID: 45f016777ed20017500e2041c2607cee612d43a0086639e01bf7ded5e64eefb6
Opcode Fuzzy Hash: 48e4b5acd2d1ecef011a181d6d977df37ea21ad1772afeb5c8f010bb80fb1426
Instruction Fuzzy Hash: 8EF0EC39700108CFC714EB78D598B6D77B2EF88719F114069E5069B3A4DB35AD43CB41

Function 011D8100 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3000016181.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_11d0000_PO for fabric forecast.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dc8d177d55886b6c9a855719d7ee608ce808093ab7deafd5825b0ba4268fd06
Instruction ID: 3e78c07274c0de7e9d565cb2ff2ba2ccd7ded766897d5197f4c976a671b8a41c
Opcode Fuzzy Hash: 1dc8d177d55886b6c9a855719d7ee608ce808093ab7deafd5825b0ba4268fd06
Instruction Fuzzy Hash: 62F03C3494020EEFCB45FBB8FA9099DBBB5EB40304F504679C4189B368EB316E499B81

Analysis Process: QzRJbgyEhZjA.exePID: 8060, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	11.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	252
Total number of Limit Nodes:	16

Executed Functions

Function 0A9005F0 Relevance: .6, Instructions: 598COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1843559304.000000000A900000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a900000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f2e84cd06e3f06ea442c8d808b80a799b20114954162e513e6a1f7f254404d2
Instruction ID: ecc211572b35002f9d9f973938bf4c7626113596423e6573d6d4428742c372c2
Opcode Fuzzy Hash: 3f2e84cd06e3f06ea442c8d808b80a799b20114954162e513e6a1f7f254404d2
Instruction Fuzzy Hash: 6922DB70B012048FDB18DBA8D550BAEB7FAAF89744F2444A9E146EB3E1DB35ED01CB51

Function 0AE3C86C Relevance: 1.7, APIs: 1, Instructions: 249
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0AE3CAAE

Memory Dump Source

Source File: 00000009.00000002.1843806315.000000000AE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ae30000_QzRJbgyEhZjA.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 533bb188f8965987b361021ed1dd2c666f120dcdab1fbefc7e7e859ccb5ff023
Instruction ID: 414a3156bfc798a0f59cd5029dde3d93820c3c89681b96b0b70bed9a52edbeb7
Opcode Fuzzy Hash: 533bb188f8965987b361021ed1dd2c666f120dcdab1fbefc7e7e859ccb5ff023
Instruction Fuzzy Hash: ECA1AE72D00219DFDB20CF68C8457EDBBB2BF88314F1585A9D849B7240DB759989CF91

Function 0AE3C878 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0AE3CAAE

Memory Dump Source

Source File: 00000009.00000002.1843806315.000000000AE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ae30000_QzRJbgyEhZjA.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: c5e8e854db624a64e2e0fd9f54a5223332e9c1391a7b6ce93dfaf9cf73e47c61
Instruction ID: afda0746e6f6913ca78ec17c3ff67b0f6c3cc0ce7444d3510dbfb9b94f4c71e9
Opcode Fuzzy Hash: c5e8e854db624a64e2e0fd9f54a5223332e9c1391a7b6ce93dfaf9cf73e47c61
Instruction Fuzzy Hash: 7A918E72D00219DFDB20CF69C8457EDBBB2BF88314F1585A9D849B7240DB749989CF91

Function 01178EE4 Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 01178FA1

Memory Dump Source

Source File: 00000009.00000002.1837214784.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1170000_QzRJbgyEhZjA.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 18b402f68e479c11fd13d2a69298f6897be766f84148466addf5ba7de3247c26
Instruction ID: 93dbb019c965200d52952523618a272c6eb93f9f6f7733283a2d9534874eb464
Opcode Fuzzy Hash: 18b402f68e479c11fd13d2a69298f6897be766f84148466addf5ba7de3247c26
Instruction Fuzzy Hash: BA41F2B0C00619CFDB28CFA9C94479DBBF5BF49304F2080AAD408AB255DB756989CF91

Function 01177AAC Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 01178FA1

Memory Dump Source

Source File: 00000009.00000002.1837214784.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1170000_QzRJbgyEhZjA.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f37d59b6c62dd71a250fdaaaf9098a597348954a262d1e9baf7ec28cd0c619bb
Instruction ID: 1a18192def7e0c751a5961eec7512a3d40a354c44cd1ea43273f64e5bc7bf679
Opcode Fuzzy Hash: f37d59b6c62dd71a250fdaaaf9098a597348954a262d1e9baf7ec28cd0c619bb
Instruction Fuzzy Hash: C041E4B0C0061DCFDB28CFA9C84479EBBF9BF48304F20806AD408AB255DB756989CF91

Function 0AE3FA42 Relevance: 1.6, APIs: 1, Instructions: 81
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0AE3FA0D

Memory Dump Source

Source File: 00000009.00000002.1843806315.000000000AE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ae30000_QzRJbgyEhZjA.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c0ca81f76344fee8538be889aee1a797db832c769a864ff88d816238be62cd78
Instruction ID: 433bcc049295b09aad4c034f960f41b4556846b9da715d6b666fdb73bf6daf3e
Opcode Fuzzy Hash: c0ca81f76344fee8538be889aee1a797db832c769a864ff88d816238be62cd78
Instruction Fuzzy Hash: 5531EE72E042599FCB21CFA4D848BEEBFF0AF89304F15845AD841BB252C735A804CFA0

Function 0AE3C5E8 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0AE3C680

Memory Dump Source

Source File: 00000009.00000002.1843806315.000000000AE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ae30000_QzRJbgyEhZjA.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 97283fddd0dda572e13fed31b997c0c035e77a7acad95dc016f5f02420f71180
Instruction ID: c0cb093e1febd10e1e613662ecdd6fb4f4a440a3875cf4594b471bf950d1901b
Opcode Fuzzy Hash: 97283fddd0dda572e13fed31b997c0c035e77a7acad95dc016f5f02420f71180
Instruction Fuzzy Hash: 442128719002599FDB10CFA9C885BEEBBF1BF88314F108429E959A7251C7789558CB94

Function 093E9C84 Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,093EAE25,?,?), ref: 093EAED7

Memory Dump Source

Source File: 00000009.00000002.1843073745.00000000093E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_93e0000_QzRJbgyEhZjA.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 2385f644b70fdd556e01b1774c9cf7bea4e9813e9fedcb41a9e2177f212ada24
Instruction ID: f156f215ff408aa8b2dde22f8a036bac9dd5b2f1253ef847bcf70d12a2caffde
Opcode Fuzzy Hash: 2385f644b70fdd556e01b1774c9cf7bea4e9813e9fedcb41a9e2177f212ada24
Instruction Fuzzy Hash: 3A31E2B59002199FDB10CF9AD884AAEBBF4EB48320F14842AE919A7650D374A944CFA4

Function 093EAE39 Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,093EAE25,?,?), ref: 093EAED7

Memory Dump Source

Source File: 00000009.00000002.1843073745.00000000093E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_93e0000_QzRJbgyEhZjA.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 0e95e219cab9b29dd4380069347d288da2465e0136c8496a8ce4053641c00f44
Instruction ID: d4e9ceedd3e2c0bbe410239e45f253d32989c86366e4777588cc4683cfccf8ae
Opcode Fuzzy Hash: 0e95e219cab9b29dd4380069347d288da2465e0136c8496a8ce4053641c00f44
Instruction Fuzzy Hash: 9431CEB59002199FDB10CF9AD884AAEFBF4FF58320F14842AE819A7350D774A944CFA5

Function 0AE3C5F0 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0AE3C680

Memory Dump Source

Source File: 00000009.00000002.1843806315.000000000AE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ae30000_QzRJbgyEhZjA.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 58258daad9585c83ef8e207eff0933ab9fd8b73372b6745e723bcf93b51b590c
Instruction ID: 136ff694760074b10806f68a4314d388f36fe8794c486d5073f7453e42db94bf
Opcode Fuzzy Hash: 58258daad9585c83ef8e207eff0933ab9fd8b73372b6745e723bcf93b51b590c
Instruction Fuzzy Hash: 47215AB19003099FCB10CFAAC845BDEBBF4FF48314F108429E558A7240C778A544CFA5

Function 0AE3C6D9 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0AE3C760

Memory Dump Source

Source File: 00000009.00000002.1843806315.000000000AE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ae30000_QzRJbgyEhZjA.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 9b21f64175a782282740e0a0e55fd163d7f05517fd49cc221c020e3ef2d5d500
Instruction ID: 4192cc9a0c7aa509a6190218017161ea2d8911cbc35ad2c40942ee70e099d716
Opcode Fuzzy Hash: 9b21f64175a782282740e0a0e55fd163d7f05517fd49cc221c020e3ef2d5d500
Instruction Fuzzy Hash: A2214AB1D003599FCB10CFA9C845AEEBBF1FF88310F108429E958A7250C7399544CFA4

Function 0AE3C451 Relevance: 1.6, APIs: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0AE3C4D6

Memory Dump Source

Source File: 00000009.00000002.1843806315.000000000AE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ae30000_QzRJbgyEhZjA.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 5d9e36dc1cc5e90972e9ee15dd53398752c3e40cbe54f68d557ea9d278cb40ac
Instruction ID: 6da6b9c4e1786a063246c4d271f64970dbdf38fb184c1d6a753202cd44d3985d
Opcode Fuzzy Hash: 5d9e36dc1cc5e90972e9ee15dd53398752c3e40cbe54f68d557ea9d278cb40ac
Instruction Fuzzy Hash: 1D213AB1D002099FDB10DFAAC4457EEBBF4EF88314F14C42AD459A7251C7789948CFA5

Function 093EEAA0 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

MonitorFromPoint.USER32(?,?,00000002), ref: 093EEB1F

Memory Dump Source

Source File: 00000009.00000002.1843073745.00000000093E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_93e0000_QzRJbgyEhZjA.jbxd

Similarity

API ID: FromMonitorPoint
String ID:
API String ID: 1566494148-0
Opcode ID: 0a23bdae72c1dbcf916c73805c9adff158305766364533f22201371af1676196
Instruction ID: af31f601012b18526a69dfb8502aee5e547d768096bb730535082565b5e4ecb5
Opcode Fuzzy Hash: 0a23bdae72c1dbcf916c73805c9adff158305766364533f22201371af1676196
Instruction Fuzzy Hash: C1214AB4A042099FDB20DFA9D809BAEFBF5FB48750F108019E955B7384C774A948CFA1

Function 0AE3C6E0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0AE3C760

Memory Dump Source

Source File: 00000009.00000002.1843806315.000000000AE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ae30000_QzRJbgyEhZjA.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 97672276c603825c6cb32b391ff8c844fc7030713047daa4749758fe140f1629
Instruction ID: 6b2153a8c345967ed2fb7098bd42df7a97308f0db847534b786006d048f3a576
Opcode Fuzzy Hash: 97672276c603825c6cb32b391ff8c844fc7030713047daa4749758fe140f1629
Instruction Fuzzy Hash: 462116B18002599FDB10DFAAC885AEEBBF5FF48310F10842AE958A7250C738A554CBA5

Function 0AE3C458 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0AE3C4D6

Memory Dump Source

Source File: 00000009.00000002.1843806315.000000000AE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ae30000_QzRJbgyEhZjA.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 4fa98ec03d8ede3ded12e29775567ec9595fbab327ae328877c84f25fbc0592b
Instruction ID: cc51103db76306555fe37e894495791c7a36345b74eaa84b378391de118d4a56
Opcode Fuzzy Hash: 4fa98ec03d8ede3ded12e29775567ec9595fbab327ae328877c84f25fbc0592b
Instruction Fuzzy Hash: D0211A71D002099FDB10DFAAC4457EEBBF4EF88314F14842AD559A7241D778A544CFA5

Function 0AE3C528 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0AE3C59E

Memory Dump Source

Source File: 00000009.00000002.1843806315.000000000AE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ae30000_QzRJbgyEhZjA.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 062e0c111018076e60cbd379cdd38ad3aee534d585803ac77c65d3e4fb719be4
Instruction ID: 5c2a297025e715426beb61ddf08e85aafcc138e9dd6b866e4fdfedc510aa0973
Opcode Fuzzy Hash: 062e0c111018076e60cbd379cdd38ad3aee534d585803ac77c65d3e4fb719be4
Instruction Fuzzy Hash: EA1189B68002499FDF20DFAAC445BEEBFF1AF88314F208419E455A7250C735A544CFA4

Function 0AE3C3A0 Relevance: 1.6, APIs: 1, Instructions: 54threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0AE3C40A

Memory Dump Source

Source File: 00000009.00000002.1843806315.000000000AE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ae30000_QzRJbgyEhZjA.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: b26f91c6c4d4b3c6ab10dd66eb809235fb6a5b4c978fc1e471ca2e45c1ab879f
Instruction ID: 9d45b21a57470989098d9eb0ad56be58ec965c254ab5a8d7e36a4791e8b002d1
Opcode Fuzzy Hash: b26f91c6c4d4b3c6ab10dd66eb809235fb6a5b4c978fc1e471ca2e45c1ab879f
Instruction Fuzzy Hash: 5D1179B19002488EDB20DFA9C4457EEFFF1AB88314F208419C459A7250C775A848CF95

Function 0AE3C530 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0AE3C59E

Memory Dump Source

Source File: 00000009.00000002.1843806315.000000000AE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ae30000_QzRJbgyEhZjA.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4dd0eec8ad0b942f35c7639125b0478ff574c096f60ff54353d3c84e94ed70bb
Instruction ID: ba97fa27b3b399e60d45fcf3ac5def54ef281255b8980d9290521af0c0d76187
Opcode Fuzzy Hash: 4dd0eec8ad0b942f35c7639125b0478ff574c096f60ff54353d3c84e94ed70bb
Instruction Fuzzy Hash: 9E1167728002499FCB20DFAAC845BDFBFF5EF88324F20841AE519A7250C735A544CFA4

Function 0AE3C3A8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0AE3C40A

Memory Dump Source

Source File: 00000009.00000002.1843806315.000000000AE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ae30000_QzRJbgyEhZjA.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 925acef38dd565bdfd5a4afd8b707ff54898400796910c02ecb5069d8d70c344
Instruction ID: 3aebd057b8b0d80f615c3870c85b28d7bc79074e172cdc57de49aa69bcb0019c
Opcode Fuzzy Hash: 925acef38dd565bdfd5a4afd8b707ff54898400796910c02ecb5069d8d70c344
Instruction Fuzzy Hash: A1113AB1D002498FDB20DFAAC4457EEFBF4EB88324F208419D459A7250C779A944CF95

Function 0AE39220 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0AE3FA0D

Memory Dump Source

Source File: 00000009.00000002.1843806315.000000000AE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ae30000_QzRJbgyEhZjA.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c4a01f93898c481aef864a91f662fe4c9b41d044919d2044ffe8da03749e51c7
Instruction ID: 1843da40dd965347bdfeee95c86c95a96096907e70e67794c2520b7eda13560e
Opcode Fuzzy Hash: c4a01f93898c481aef864a91f662fe4c9b41d044919d2044ffe8da03749e51c7
Instruction Fuzzy Hash: 3F1103B6800349DFDB20DF9AD449BDEFBF8EB48324F10845AE959A7210C375A944CFA5

Function 0117E560 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0117E5C6

Memory Dump Source

Source File: 00000009.00000002.1837214784.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1170000_QzRJbgyEhZjA.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4ddea5ddffd933b8ac12740570b21fd784413c438096c8f181e3beb306d3b723
Instruction ID: 30726c2e1b85803effee53b2c28a7e39e2598f93d6b7ac10b4c61a5d4b4b1975
Opcode Fuzzy Hash: 4ddea5ddffd933b8ac12740570b21fd784413c438096c8f181e3beb306d3b723
Instruction Fuzzy Hash: B81110B5C003498FDB24CF9AC444ADEFBF4AB88324F10846AD418B7710D379A545CFA5

Function 0AE3F9A8 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0AE3FA0D

Memory Dump Source

Source File: 00000009.00000002.1843806315.000000000AE30000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ae30000_QzRJbgyEhZjA.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 205c26c56eb8e022a7e0c2bb132dd669019402054992889b4e4c7e3053c36e81
Instruction ID: 6edfa70ef9c92fb159022c02b5617098b538172785cf1fd7f57131ea9cd94c9e
Opcode Fuzzy Hash: 205c26c56eb8e022a7e0c2bb132dd669019402054992889b4e4c7e3053c36e81
Instruction Fuzzy Hash: F51103B6900349DFDB20DF99D489BDEFBF4EB48314F10845AE558A7210C375A984CFA5

Function 00E6D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1836257744.0000000000E6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e6d000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 300f546cf80d1c5c65ef6f1099ddafbc31d7dffb26d72027e8eedb13fad4cb94
Instruction ID: 750fde1fcdcd7eafea7ca938aa9d1004667b26decea3e3802fe6c6de153d47ce
Opcode Fuzzy Hash: 300f546cf80d1c5c65ef6f1099ddafbc31d7dffb26d72027e8eedb13fad4cb94
Instruction Fuzzy Hash: 36214571A88240DFCB01DF14EDC0B26BF65FB98368F60C169E80A5B656C336D856CAA1

Function 00E7D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1836306477.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e7d000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbd253ea985ce1dea066d43e13718cff94c9d6fdd54f287e9c459073cf4f303a
Instruction ID: 7abb06dc384d5a8af82410d465da350f4373f08b3648c1c18f37a021501af43d
Opcode Fuzzy Hash: fbd253ea985ce1dea066d43e13718cff94c9d6fdd54f287e9c459073cf4f303a
Instruction Fuzzy Hash: 52210371608240DFCB01DF14D980B26BBB5FF84318F20C569D80D5B266C336D846CA61

Function 00E7D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1836306477.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e7d000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fd879728cee75d2d19583dc71f73a27be9a4b4ba08b13ae62b4549327fdf601
Instruction ID: 8228f9a64fa4b98f3bd07996d9def377df76e9f7b881f99c848fba1eb2bd3116
Opcode Fuzzy Hash: 8fd879728cee75d2d19583dc71f73a27be9a4b4ba08b13ae62b4549327fdf601
Instruction Fuzzy Hash: A721FF75608200DFCB14DF24DD84B26BBB6EF88318F24D56DE80E5B296C33AD847CA61

Function 00E7D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1836306477.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e7d000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b91278cd592affa8a3f213cc961fdcb6ce276e256415386ec003d105bbf5dc7a
Instruction ID: 87ca3bf79007df115a9c4390f8105591ac4b297ea15b24854f0e8fa41485644e
Opcode Fuzzy Hash: b91278cd592affa8a3f213cc961fdcb6ce276e256415386ec003d105bbf5dc7a
Instruction Fuzzy Hash: 832141755093808FD712CF24D994715BF71EF46214F28C5EAD8498B6A7C33A980ACB62

Function 0A90048C Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1843559304.000000000A900000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a900000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fe500b99d5c7aeb6eb5c5c0c56eb64c79147c1e23fc532f6e8774d4a5b60478
Instruction ID: 77db376056684f5e52ec78fa3ff27e1525fffed736caa3219e6c61e51548d1d3
Opcode Fuzzy Hash: 9fe500b99d5c7aeb6eb5c5c0c56eb64c79147c1e23fc532f6e8774d4a5b60478
Instruction Fuzzy Hash: FB11D671E0121ADFCB28DF69C444BAEF7F1AF88310F1584A9D518AB3A1DB349941CB81

Function 0A900E77 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1843559304.000000000A900000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a900000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74da142f69d97bbf0c579c78c1ccf909de6b9cffa8841ab2819843bdb04acbe7
Instruction ID: effc8d5b96ca8ce4cd47f07c2f8d433fd21c719d333d6f16f89311c289816ad2
Opcode Fuzzy Hash: 74da142f69d97bbf0c579c78c1ccf909de6b9cffa8841ab2819843bdb04acbe7
Instruction Fuzzy Hash: A411F9B0E01216CFDB18DF69C044BAEB7F2AF89200F15C4A9D818AB3A1D7759902CF40

Function 00E6D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1836257744.0000000000E6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e6d000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 23f653437d003b9b371214d226ee3245d9242dcd0dd51a3b748d859f55e9c99d
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: E411D676944280CFCB15CF14D9C4B16BF71FB94328F24C5A9D8454B656C336D456CB91

Function 00E7D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1836306477.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_e7d000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 41d8439b2e8b229abd053ed7476f8840f8e31150386bbac91c028f4913d233ab
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 2011AC75508280DFCB01CF50C9C4B15BB71FB84318F24C6A9D8494B266C33AD81ACB61

Function 0A900E29 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1843559304.000000000A900000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a900000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bab54297e44a0b24b2952a944fdcfcf7bd43325497943541dbe42a2ac5fc5173
Instruction ID: 789285e1a0e0d66fc4f7d22fb776f5c2c4244fbd3ff7bca23fe6cd2550101e95
Opcode Fuzzy Hash: bab54297e44a0b24b2952a944fdcfcf7bd43325497943541dbe42a2ac5fc5173
Instruction Fuzzy Hash: 27E04FB0D4424A9EDB40EF7CA5417AEBFF26B89780F108D6AC094E6241EBB541018F40

Function 0A900E38 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1843559304.000000000A900000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a900000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64b6792889d079d904bc906fdbb82902b115bb8a9ead4603abe6766c6aa40764
Instruction ID: a5c82df9f2b0e1ba915d224e63157ad8692295256c7d5f6450940e15d17eaad5
Opcode Fuzzy Hash: 64b6792889d079d904bc906fdbb82902b115bb8a9ead4603abe6766c6aa40764
Instruction Fuzzy Hash: 13D012B1D4030DAEDB40EFB9954175FBBF46B44680F108975C014F3241EB7442008F91

Analysis Process: QzRJbgyEhZjA.exePID: 2720, Parent PID: 8060COMMON

Execution Graph

Execution Coverage:	11.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	19
Total number of Limit Nodes:	4

Executed Functions

Function 02D29B38 Relevance: 2.8, Instructions: 2802COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3001394229.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2d20000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cc5cbff82f517e1a0c888edd320c6c80b4b45370bf567d1df22591da0184ee0
Instruction ID: 659cde8bc44886671562d6fbfbefedb4d7fdc12a19a5271632ba58ae89454f1f
Opcode Fuzzy Hash: 4cc5cbff82f517e1a0c888edd320c6c80b4b45370bf567d1df22591da0184ee0
Instruction Fuzzy Hash: 3553EA31D10B1A8ACB51EF68C89069DF7B1FF99300F11D79AE45877221EB70AAD5CB81

Function 02D2CDB0 Relevance: 2.3, Instructions: 2304COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3001394229.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2d20000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec4f8f9cfde9eb39a37bdf7dc0a7652fd20060b554a53999d3d6e3820d306fe4
Instruction ID: 2269f935ecdd2d0530d819c9ff42ced1a6dc2b3b48efea71cca88ca34dbe8058
Opcode Fuzzy Hash: ec4f8f9cfde9eb39a37bdf7dc0a7652fd20060b554a53999d3d6e3820d306fe4
Instruction Fuzzy Hash: F8333E31D107198ECB11EF68C8906ADF7B1FF99304F55C79AE458A7221EB70AAC5CB81

Function 02D23E80 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

\VXm, xrefs: 02D240CB

Memory Dump Source

Source File: 0000000D.00000002.3001394229.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2d20000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID: \VXm
API String ID: 0-2312107965
Opcode ID: 5238900d0d0117d7f84530667b3d22d70208b377765026c16d9bfe1964d833db
Instruction ID: 6fb7ec076799c7dd02b934e357e26fd9f1060a5cdfc2a19ce60acb1474bc2e2e
Opcode Fuzzy Hash: 5238900d0d0117d7f84530667b3d22d70208b377765026c16d9bfe1964d833db
Instruction Fuzzy Hash: B8915070E002298FDF14CFA9D98579DBBF2AF98318F148129E815A7394DB749889CF81

Function 02D29378 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3001394229.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2d20000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d63117831ee3d235e9f7996e3d27c360fbfa8eafa32e1c1959198868cb80068f
Instruction ID: 6936285c1a5f7520181840f54dad69974814e486a9ffb251fd4a0da2fd523ca3
Opcode Fuzzy Hash: d63117831ee3d235e9f7996e3d27c360fbfa8eafa32e1c1959198868cb80068f
Instruction Fuzzy Hash: 01328F35B002148FDB14DF68D9A4BAEBBB2EF88318F248469E809DB395DB31DC45CB51

Function 02D24A98 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3001394229.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2d20000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0841a3a744b02a817cd1b44b9d74e42f0c1cd3ba98d576cabec671a8a71c0b
Instruction ID: 91958473833661a2f4be161fc3919feb435aa5af970eb215262fec1f618bd5c3
Opcode Fuzzy Hash: 9a0841a3a744b02a817cd1b44b9d74e42f0c1cd3ba98d576cabec671a8a71c0b
Instruction Fuzzy Hash: C4B15E70E002298FDF10CFA9D89179DBBF2EF98318F149129D819E7394EB749849CB91

Function 02D24810 Relevance: 2.7, Strings: 2, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\VXm, xrefs: 02D2487F
\VXm, xrefs: 02D249D2

Memory Dump Source

Source File: 0000000D.00000002.3001394229.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2d20000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID: \VXm$\VXm
API String ID: 0-3652994748
Opcode ID: 9afb2051166cca8ea1c64c059d7c25fbf220c1b0e77ba0eeb47208383cd47b0b
Instruction ID: 0a1729db652db8e7f73758d2c9237e5a0ade6ae0d428aade0eed9d0c6e63310c
Opcode Fuzzy Hash: 9afb2051166cca8ea1c64c059d7c25fbf220c1b0e77ba0eeb47208383cd47b0b
Instruction Fuzzy Hash: 5F716EB0E04259CFDB14CFA9C98079EBBF2BF98318F148129E815A7354EB749849CF95

Function 02D24804 Relevance: 2.7, Strings: 2, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\VXm, xrefs: 02D2487F
\VXm, xrefs: 02D249D2

Memory Dump Source

Source File: 0000000D.00000002.3001394229.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2d20000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID: \VXm$\VXm
API String ID: 0-3652994748
Opcode ID: b4ccc1e5ebbd5b37239b17aa4de218c64ecff75917e1c4dc35f09a53d04a4634
Instruction ID: 40a3c16321ec19afbe70a853d7af520d7620aa9d13bc353833629f92e6de394f
Opcode Fuzzy Hash: b4ccc1e5ebbd5b37239b17aa4de218c64ecff75917e1c4dc35f09a53d04a4634
Instruction Fuzzy Hash: E4716BB0E04259CFDB14CFA9C98479EBBF1BF58318F148129E819A7354EB349849CF95

Function 02D26ED8 Relevance: 2.6, Strings: 2, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LR^q, xrefs: 02D26F0E
LR^q, xrefs: 02D26FE5

Memory Dump Source

Source File: 0000000D.00000002.3001394229.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2d20000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID: LR^q$LR^q
API String ID: 0-4089051495
Opcode ID: 48304e06b8401d19de7f60034f106e4dd5691bdf844c026ef72bf4e3e7d799b8
Instruction ID: 23354704b8e4f6bb7ce18cfd463361d11fbbfa2b8b39f67c25c51708e490f9f1
Opcode Fuzzy Hash: 48304e06b8401d19de7f60034f106e4dd5691bdf844c026ef72bf4e3e7d799b8
Instruction Fuzzy Hash: F751D430E102159FDB19DF79D5547AEBBB6EF89304F208429E405EB380DB719C4ACB91

Function 062EE1A8 Relevance: 1.6, APIs: 1, Instructions: 105
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.3012801926.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_62e0000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e97fc2c006ec5fb2571521ecbb700d647a7c4f408ca7b5aff26d1fefb09c96d
Instruction ID: 5f22d7fe585c892f32969a5cf06205f5eebd901f8df2ef66a51a9b1a3bd29ae7
Opcode Fuzzy Hash: 6e97fc2c006ec5fb2571521ecbb700d647a7c4f408ca7b5aff26d1fefb09c96d
Instruction Fuzzy Hash: 7C31BB32E143964FCB108F7998143DDBFA5AFC5210F0585BBD844D7682DB749884C3C1

Function 062ED364 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,062EE1FA), ref: 062EE2E7

Memory Dump Source

Source File: 0000000D.00000002.3012801926.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_62e0000_QzRJbgyEhZjA.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 8cb245594c8531e0ec6f5aacf68db7205961a9846f5d537d298bc872a294f5cc
Instruction ID: 800a2733ea57560275b351d2c9f7eecb94c0549337d050297601567571c7ca6b
Opcode Fuzzy Hash: 8cb245594c8531e0ec6f5aacf68db7205961a9846f5d537d298bc872a294f5cc
Instruction Fuzzy Hash: 411136B1C0025A9BCB10DF9AC444B9EFBF4AB08320F11816AD858B7250D378A940CFE5

Function 062EE278 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,062EE1FA), ref: 062EE2E7

Memory Dump Source

Source File: 0000000D.00000002.3012801926.00000000062E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_62e0000_QzRJbgyEhZjA.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 2063d5554d9fce48649961e83d5fe24c78de451f0c582174b1375a40e1ad87e4
Instruction ID: 3a825fc4832f637d08f181d9e18747a7e955a4c6046b43ef1e8876017371a49d
Opcode Fuzzy Hash: 2063d5554d9fce48649961e83d5fe24c78de451f0c582174b1375a40e1ad87e4
Instruction Fuzzy Hash: 851114B6C0026ADBCB10CFAAC5447DEFBB4AF08320F15816AD818B7650D378A940CFA5

Function 02D23E74 Relevance: 1.5, Strings: 1, Instructions: 234COMMON

Download Yara Rule

Strings

\VXm, xrefs: 02D240CB

Memory Dump Source

Source File: 0000000D.00000002.3001394229.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2d20000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID: \VXm
API String ID: 0-2312107965
Opcode ID: fff97f628e8633370a56143b1712ce6c274bcb9243f6551dfccc124ce323fb21
Instruction ID: 29c465ac8c7d0eda37b5a00e24ce4e29ef04aabb029ced103fbd0cd1c2988cd7
Opcode Fuzzy Hash: fff97f628e8633370a56143b1712ce6c274bcb9243f6551dfccc124ce323fb21
Instruction Fuzzy Hash: 94913EB0E00229CFDB54CFA8D9857DDBBF1AF58318F148129E819A7394DB749889CF91

Function 02D2F2ED Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

PH^q, xrefs: 02D2F43B

Memory Dump Source

Source File: 0000000D.00000002.3001394229.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2d20000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 3fb0eeaa1cf966fdb2a1f7a0e360924befc97a1550c3ed36240c8495aa897487
Instruction ID: 81187cc1412f7cb3ef3a42fac545a9eb9a895ab44c400001182a80b445c6f72d
Opcode Fuzzy Hash: 3fb0eeaa1cf966fdb2a1f7a0e360924befc97a1550c3ed36240c8495aa897487
Instruction Fuzzy Hash: EB3124307042108FCB16AB34D6686AF7BF2AF89708F144869E006DB785DF79DC4ACB91

Function 02D2F300 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH^q, xrefs: 02D2F43B

Memory Dump Source

Source File: 0000000D.00000002.3001394229.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2d20000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 94ea27ced6c977527de39eaaa07b7b32f904f9fe036c006eb66c44b64565262e
Instruction ID: e5ea50db424537bd561b4171ff1f8d86420e9902b76c9fbc2dcf9327d668d418
Opcode Fuzzy Hash: 94ea27ced6c977527de39eaaa07b7b32f904f9fe036c006eb66c44b64565262e
Instruction Fuzzy Hash: DF3104307042158FDB15AB34D66466F77F2AF88748F104829D006DB388DF79DC4ACBA1

Function 02D26F78 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

LR^q, xrefs: 02D26FE5

Memory Dump Source

Source File: 0000000D.00000002.3001394229.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2d20000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 17b4ade5cd9d1177dcbd17c29a55d27b46cd95d44828d3e8630dfab1cdc23c85
Instruction ID: 3087747a9b7ff27298a93279fed0be547172c44788f3ae8ddb863228df739db7
Opcode Fuzzy Hash: 17b4ade5cd9d1177dcbd17c29a55d27b46cd95d44828d3e8630dfab1cdc23c85
Instruction Fuzzy Hash: 36316B31E102199BEF25CEA5D54479EF7B5FF89308F208525E805EB380EB71AD4ACB91

Function 02D26B9F Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

LR^q, xrefs: 02D26BD7

Memory Dump Source

Source File: 0000000D.00000002.3001394229.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2d20000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 1eed86416a90b1004c6ec9602a01b4803eb0d3c3ca20166d3a9a5b38c894ac48
Instruction ID: 431ef00d1b55d02ca417ee01be3699a1e8761be1b52396cd6818368c75f051a2
Opcode Fuzzy Hash: 1eed86416a90b1004c6ec9602a01b4803eb0d3c3ca20166d3a9a5b38c894ac48
Instruction Fuzzy Hash: 1C0122317042405FD705AB78D42A3AD7FA2EF8A304F0448AED089CB791DE3598468B92

Function 02D27908 Relevance: .6, Instructions: 552COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3001394229.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2d20000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fe6ac302e7f4d9ac74ec224ec624667337e29862b23ce192744c6359ea28395
Instruction ID: 4ab3186ec02cca7f1933658bdb81c2395c9a5da68821643ee772db3a3b2cd02b
Opcode Fuzzy Hash: 2fe6ac302e7f4d9ac74ec224ec624667337e29862b23ce192744c6359ea28395
Instruction Fuzzy Hash: 13128E307042029FDB25AB38E899768B7A2FF89358B604939E405CB355CF75EC5ADF90

Function 02D27918 Relevance: .6, Instructions: 550COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3001394229.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2d20000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba7962240e6944db13e973faa923735f119a6b3fd273f581dce7b35e776cddf9
Instruction ID: f8de9c11da18c51502357d056e94c62001385e66fc8b8d6387555f18f55457d1
Opcode Fuzzy Hash: ba7962240e6944db13e973faa923735f119a6b3fd273f581dce7b35e776cddf9
Instruction Fuzzy Hash: DD127E307042029FDB25AB38E899768B7A2FF89358B604939E405CB355CF75EC5ADF90

Function 02D24A8E Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3001394229.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2d20000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e17469b413d1b5b77c8c18f4fa26ca55fd806ebebcb60cd32baf826a4d1bebcd
Instruction ID: 707cce2111a77133213917e0e475649c8a35b2336c368fb188cc0c5039785083
Opcode Fuzzy Hash: e17469b413d1b5b77c8c18f4fa26ca55fd806ebebcb60cd32baf826a4d1bebcd
Instruction Fuzzy Hash: 7BA14CB0E00229CFDB10CFA8D89579DBBF1EF58318F149129D859E7394EB749889CB91

Function 02D29364 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3001394229.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2d20000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 712c8f70299a1843b4a108ac75d2324068f65ddd38c532072fa44900c24c485b
Instruction ID: b738aecb7a823435b37fd9399e5e0def0e21efa2bcc9efcb9f199dbcc77d97e6
Opcode Fuzzy Hash: 712c8f70299a1843b4a108ac75d2324068f65ddd38c532072fa44900c24c485b
Instruction Fuzzy Hash: B3917234B042549FCB14DF68D5A4AADBBF2EF88315F248469E805E73A4DB31EC46CB50

Function 02D26CDE Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3001394229.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2d20000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6172965e9cb27dfb511ca8d8191406847bfc7aa10bb3504029209d0a809f46db
Instruction ID: dbe6edcc994efced31f58ccfb845c49591f00f5d0e4cd03aa0b5e83355d4a1a7
Opcode Fuzzy Hash: 6172965e9cb27dfb511ca8d8191406847bfc7aa10bb3504029209d0a809f46db
Instruction Fuzzy Hash: 5851F2B4D003288FDB14CFA9C884B9DBBB5FF58318F148129E819AB355D774A849CF95

Function 02D26CE8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3001394229.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2d20000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cce77279519037bb8555abcf0e4901264a92d561fc4e1bec6fff11cdeb003437
Instruction ID: cf6756c2f04ca0eb2662ff2ac04d2766bce71cf6b98b3ad799d07d6647b058fd
Opcode Fuzzy Hash: cce77279519037bb8555abcf0e4901264a92d561fc4e1bec6fff11cdeb003437
Instruction Fuzzy Hash: 9251F2B0D003288FDB14CFA9C884B9DBBB5FF58718F148119E819AB350D774A849CF95

Function 02D21128 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3001394229.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2d20000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faea65a88076f4cdc6101dddde92ab574e90245509510e25875ccecfd60d81c6
Instruction ID: 8e6180a5717ea84218aa5a8def19e30c8363f76c0481f750170f2878f8c15804
Opcode Fuzzy Hash: faea65a88076f4cdc6101dddde92ab574e90245509510e25875ccecfd60d81c6
Instruction Fuzzy Hash: CE51093121114ADFC71AEB7CF9A4A547FA1F796308744997AD0048B73EEB707989CB60

Function 02D21138 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3001394229.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2d20000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bed2685d0a10fd1afb1986328b0240a3582f5fb940e662482ffec1091ffe718
Instruction ID: 1471ddf60439f2f30c2a755f343f1372b105d032161a051557df949daa15b616
Opcode Fuzzy Hash: 8bed2685d0a10fd1afb1986328b0240a3582f5fb940e662482ffec1091ffe718
Instruction Fuzzy Hash: 8551D83121114ADFC71AEB7CF9A49547FB1F795308344997AD1008B73EEB607989CBA0

Function 02D2F1B0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3001394229.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2d20000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8427c2c10b470b513a091cb76866670c92cce83332cea560100d145af873f7
Instruction ID: a7bf1e36266654c4cfbfd797e34806a6e2391d33e34a619a5ea033f3cba9e8c2
Opcode Fuzzy Hash: bd8427c2c10b470b513a091cb76866670c92cce83332cea560100d145af873f7
Instruction Fuzzy Hash: A8315E35E102199FCB19DFA4D854A9EBBF6FF89304F148919E806E7750DB70AC46CB90

Function 02D226DC Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3001394229.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2d20000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79271849836aa533aa3f4b02cb2d209d8c02f325b64a1ec92353126b0b0aa54c
Instruction ID: fcf23031d17e035fea3e70ed8dc634a82a3cfbdd19579c2fd36ede83c297c136
Opcode Fuzzy Hash: 79271849836aa533aa3f4b02cb2d209d8c02f325b64a1ec92353126b0b0aa54c
Instruction Fuzzy Hash: 6E41FFB0D003599FDB10CFA9C984ADEBFB5FF48314F148029E819AB254DB75A949CF90

Function 02D25099 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3001394229.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2d20000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 957f6319b9ab6405ed5b9ef5dafd144e9a7953540f819f90782320344de4e723
Instruction ID: 37417fed0dc5449398db8cccae7d62de4ba0d2f1c0a159ae349a05342a2c8145
Opcode Fuzzy Hash: 957f6319b9ab6405ed5b9ef5dafd144e9a7953540f819f90782320344de4e723
Instruction Fuzzy Hash: C1317E306002298FDB19EB38D964AAE73B2FF5934CF604568D905AB394DB36DC45CBA1

Function 02D2F1C0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3001394229.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2d20000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950758b9aef375ee6682daf9f4141ec5dd1be6542039d9c3b748f42aadaa029c
Instruction ID: 92cc47f2c6a0e03491fbb078389e19e0b83a9039254936327f097c3ed0fcae36
Opcode Fuzzy Hash: 950758b9aef375ee6682daf9f4141ec5dd1be6542039d9c3b748f42aadaa029c
Instruction Fuzzy Hash: 68314B35E002199FCB19DFA4D494A9EB7B6BF89304F14C929E806E7750DB70AC46CB90

Function 02D226E8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3001394229.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2d20000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 957e0268fafbe7f34eb21aab812f66475a67879b408cd4755c2c5f6d96063d6e
Instruction ID: 4302ef336a2fae7a21645a2beebb69f6c2a6d37a6da7e8afef3f7b4c8dcad096
Opcode Fuzzy Hash: 957e0268fafbe7f34eb21aab812f66475a67879b408cd4755c2c5f6d96063d6e
Instruction Fuzzy Hash: AB41EEB0D00259DFDB10DFA9C584ADEBFB5FF58314F108029E819AB254DB75A949CB90

Function 02D250A8 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3001394229.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2d20000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6f5151b45b74a888326d22ebef07ec9b89c74ac7b68249a06ab46ffaeeb69cd
Instruction ID: 0f07330ed252c8a394f5cc4dcdea5123d48c8186218fdf9d097717fd05adbb7b
Opcode Fuzzy Hash: f6f5151b45b74a888326d22ebef07ec9b89c74ac7b68249a06ab46ffaeeb69cd
Instruction Fuzzy Hash: 5D3160306002288FDB19EB38D564AAE77F2BB5934CF604568D405AB398DB36DC05CBA1

Function 02D29250 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3001394229.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2d20000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ecaf06b5f878b03158ca7bd6a1078c962d680666055b7d1d5ac51c7ebcb247a
Instruction ID: d17ac15ccf7bb8c6a0962cc8074362c5d7e7447cadd48d3fcb42733b9804051c
Opcode Fuzzy Hash: 2ecaf06b5f878b03158ca7bd6a1078c962d680666055b7d1d5ac51c7ebcb247a
Instruction Fuzzy Hash: D6319F31E0021A9BCF05DFA4D5A46DEF7B2FF89308F648519E805AB340DB71AC4ACB80

Function 02D29260 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3001394229.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2d20000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d631bd4ee437f6909c2dd18ecafce5bf0f1ebeaf771ba13cbb27f8cd7134077
Instruction ID: f1b9cc599b520f5abd2628e7f157c6dba11ca10e637272fa0c885ff9afaad8e9
Opcode Fuzzy Hash: 8d631bd4ee437f6909c2dd18ecafce5bf0f1ebeaf771ba13cbb27f8cd7134077
Instruction Fuzzy Hash: E7215E31E0021A9BDF05DFA5D5A06DEF7B2BF89318F64C519E805AB350DB71AC4ACB90

Function 02D216A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3001394229.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2d20000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4282cb2e5d1f42b775a80d4b2379340a04e139b3fbeb7da8cbefed0907b1e0e
Instruction ID: 9809883222a3945a16f9884f2773f7ed817812e80da8a98df06eac2106ac909e
Opcode Fuzzy Hash: c4282cb2e5d1f42b775a80d4b2379340a04e139b3fbeb7da8cbefed0907b1e0e
Instruction Fuzzy Hash: 2221C5345101568FDF22EB7CE898B693725FB5531CF148A36D00AC736AEB24DC89CB91

Function 02D29150 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3001394229.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2d20000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79a4f9f401a236a82dfcf0565a1de869aac6b75f2601521a52f77344a7914949
Instruction ID: 8a92c5e39fabefa81341e9149bc6c7f03f205e228a1b1bc9e93f04461cfd5e8b
Opcode Fuzzy Hash: 79a4f9f401a236a82dfcf0565a1de869aac6b75f2601521a52f77344a7914949
Instruction Fuzzy Hash: F821A131E002268BDF19CFA5D4646DEBBB2EF99304F24861AE815BB341DB709C4ACB51

Function 011AD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2999752825.00000000011AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_11ad000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc679d49e5b27e3d3d8e532bb82e3876e5a6e4adb4b751ef0ba07c6cc12d2f51
Instruction ID: 79f4f3310c218cf2f7159953a14e972ab1b9e2875357a2e40001ff9995943964
Opcode Fuzzy Hash: dc679d49e5b27e3d3d8e532bb82e3876e5a6e4adb4b751ef0ba07c6cc12d2f51
Instruction Fuzzy Hash: 73216778184600DFCF19DF58EAC0B26BF61FB84314F60C56DD8094B656C336C407CA62

Function 02D21380 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3001394229.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2d20000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53e92b932cd7057bf16d099a23df26be8fc63e7a5d444c133b42f9e1f923f851
Instruction ID: 67202c4aee25fabefce373f0d357e9aa501ae3489e445a2b1a2ad7706ebe93cc
Opcode Fuzzy Hash: 53e92b932cd7057bf16d099a23df26be8fc63e7a5d444c133b42f9e1f923f851
Instruction Fuzzy Hash: 082120706002104BDF352B68E46832C3A61EF1331DF14482AE04EC73D2DB25CC8AC782

Function 02D29160 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3001394229.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2d20000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5351970dc678a57722565080bd943a2fe964a4c90b0c987a6ec4ca5658e596a0
Instruction ID: 5b58fd8275b9a0741697b133c2bf4cd4d2df09c34d584b28446450d3e65fff33
Opcode Fuzzy Hash: 5351970dc678a57722565080bd943a2fe964a4c90b0c987a6ec4ca5658e596a0
Instruction Fuzzy Hash: B8218030E0022A9BCF19CFA5D8646DEB7B2AF99314F60851AE815B7340DB709C4ACB51

Function 02D21888 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3001394229.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2d20000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94c3ba6cda87facf430c20eb8037a7439754cbf919999da52271515683fa329a
Instruction ID: c93cf6f954c31f4f497f3410339c386ed5a0988435ab11835d7c8f507feb7aaa
Opcode Fuzzy Hash: 94c3ba6cda87facf430c20eb8037a7439754cbf919999da52271515683fa329a
Instruction Fuzzy Hash: 442160307002258FDB14EB78C564BAE77F6AB99349F204468D40AFB355DB32DD44CBA1

Function 02D24F88 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3001394229.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2d20000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04294a3731c066315bcb4815179c887f1238cf6563a3af04992fb4949dd5f5b0
Instruction ID: c04d07ccc04d4cb1c1c1d15da3985cde3e7625ab651fa05b3131bf9e3767af4f
Opcode Fuzzy Hash: 04294a3731c066315bcb4815179c887f1238cf6563a3af04992fb4949dd5f5b0
Instruction Fuzzy Hash: 2F212B34600215CFDB18DB78D968BAE77F1EF4D308B2048A8E406EB3A5DB359D44CBA1

Function 02D216B0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3001394229.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2d20000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e9df088fef623a71c14e8c7febfb7b3ba326d79b03376ab1e1b2160b0058fd3
Instruction ID: 96de27e014b51c7c6edb7873ce7f8adfdf79128ec9d79e01bc551243ff0b9c25
Opcode Fuzzy Hash: 2e9df088fef623a71c14e8c7febfb7b3ba326d79b03376ab1e1b2160b0058fd3
Instruction Fuzzy Hash: 752154346101168FDF21E76CE898B697755FB5531CF108A36D40AC736ADB24DC89CB92

Function 02D24F98 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3001394229.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2d20000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f06a912ffb1d0fc8b7f15dc72f7b33f999355e53e4bf54473d0eb81fe946a870
Instruction ID: 0f58147ca9b6260243a9af44ac7ea9c59182e1912a1893620de0d1318b934b25
Opcode Fuzzy Hash: f06a912ffb1d0fc8b7f15dc72f7b33f999355e53e4bf54473d0eb81fe946a870
Instruction Fuzzy Hash: 4621EB30600219CFDB18DB79D958BAE77F1AB8D748F204468E406EB3A5DB36DD04CBA5

Function 02D2187A Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3001394229.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2d20000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 505699b3705060e80483a6ce528bef1eb3bfe51a4b9c73facae3cbd3b69f0e5a
Instruction ID: 6e5278ab3f84201771afa3b40a8b74a9f301d1d41aa1db6d85a6f5ed42e271b5
Opcode Fuzzy Hash: 505699b3705060e80483a6ce528bef1eb3bfe51a4b9c73facae3cbd3b69f0e5a
Instruction Fuzzy Hash: 92214A30B04225CFDB14EB78C5647AE77F2AB59249F204468D40AEB395DB36DD44CBA1

Function 011AD006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2999752825.00000000011AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_11ad000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a23a3cc52baeac2cc78fc212fb339c6aaf4e9a1c402bfe0e31e1adbd43c6d74
Instruction ID: 3ede24d68286c1751833cbacb1b9313b1db6f5eb89f3d5a4c812a8a658becbf2
Opcode Fuzzy Hash: 9a23a3cc52baeac2cc78fc212fb339c6aaf4e9a1c402bfe0e31e1adbd43c6d74
Instruction Fuzzy Hash: EE21C2754487809FCB07CF24D994711BF71EF46214F28C5DAD8498F6A7C33A980ACB62

Function 02D20848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3001394229.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2d20000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b0c5989aacb658fa587c1a8e7c8224b06f36916cadc51f77d495823d73b21e2
Instruction ID: 96bb9d66d7415a62c29f15634075db8a0e2b7c5fac1586342393f9445745279b
Opcode Fuzzy Hash: 5b0c5989aacb658fa587c1a8e7c8224b06f36916cadc51f77d495823d73b21e2
Instruction Fuzzy Hash: 9111C131B102288FDF246A78D44433FB2A1EBB531AF108A39E006DB350DB61DC89CBD1

Function 02D20838 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3001394229.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2d20000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca56221e66ab6bf6248003eb9f1ac645a7f81a4678d8544b83f9cebd6e3849cd
Instruction ID: 785db63d136013214ee43779ab680e07563ffb50666b61bea0c448b4abf88eee
Opcode Fuzzy Hash: ca56221e66ab6bf6248003eb9f1ac645a7f81a4678d8544b83f9cebd6e3849cd
Instruction Fuzzy Hash: 2211C131A042244FDF2566B8A41437BB6A1EB7631EF144A79E042DB381DB65DC89CBC1

Function 02D280F1 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3001394229.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2d20000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee602531588de93fa8e6f11f6cb52339d6ae33be17498900b6eb16f0a22b6087
Instruction ID: f2029dc90d9ae418fd40632c5110a279cbd5071a4b055dd3f6d993a11cf97fde
Opcode Fuzzy Hash: ee602531588de93fa8e6f11f6cb52339d6ae33be17498900b6eb16f0a22b6087
Instruction Fuzzy Hash: 11115134600209EFDB01EBA8EA54A9DBBB5EF44308F104679D405D7369DB31AE49DB51

Function 02D217C2 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3001394229.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2d20000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab024f669991ebe19787b6cf68e7f8346a0fce4898fc5535dc965516c7beb265
Instruction ID: e51c6f09cdc2d10bcb9b185c026481472cb0bf7c5f97ad3d077f743eae74dea3
Opcode Fuzzy Hash: ab024f669991ebe19787b6cf68e7f8346a0fce4898fc5535dc965516c7beb265
Instruction Fuzzy Hash: 47110232B002149BCB20AB79A85C65F7FE5FB88668F004429E949C3381EB30CC42C792

Function 02D2148A Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3001394229.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2d20000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ba91b67716e68287a90ce3bd5695dde6c9af4937d803bf998645365f6ad6621
Instruction ID: 3d7bc19cb3cb714fff44d91855af108aa61a76b38b06d7804ea82295390dd761
Opcode Fuzzy Hash: 1ba91b67716e68287a90ce3bd5695dde6c9af4937d803bf998645365f6ad6621
Instruction Fuzzy Hash: A0113031E002249FCF11EFB894502AE7BF6EB68219F1444BAD809E7346E735DD46CBA1

Function 02D21498 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3001394229.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2d20000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 971741da5d16eeafc7edd6d8c32621033786fa19265e3ac8c95417ba5ca92f6b
Instruction ID: bff89bc707f27e2493e16eb9738f1f5026acefb87744c504bf657baf8018f0a4
Opcode Fuzzy Hash: 971741da5d16eeafc7edd6d8c32621033786fa19265e3ac8c95417ba5ca92f6b
Instruction Fuzzy Hash: 7601E131E002259FCF21EFB9845029EBBF6EB58219F1444BAD809E7345E735DD46CBA1

Function 02D21524 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3001394229.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2d20000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad8fe1c97ef5f86b0a3634dce849e1e4327a2697427b9a3e5fb2638bd6ea39ce
Instruction ID: 0dca3e8a454f755bb1e21e6c86f1aad838f2990c8a33cebea0a718967659b4ed
Opcode Fuzzy Hash: ad8fe1c97ef5f86b0a3634dce849e1e4327a2697427b9a3e5fb2638bd6ea39ce
Instruction Fuzzy Hash: E2F0F632A041708FDB228BA484902ACBB75EEB8219B5880E7C84ADB756D721DC4ACB51

Function 02D27090 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3001394229.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2d20000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3efa47ee3832bf83833a45904f731346f2a613547ed6885531b7b0a29f4bfe48
Instruction ID: a06d513f39b8505cf904533300272b0b83ec5cf575dfbe802830070bcebe4b00
Opcode Fuzzy Hash: 3efa47ee3832bf83833a45904f731346f2a613547ed6885531b7b0a29f4bfe48
Instruction Fuzzy Hash: 42F0C439B00118CFD714DB74D5A8A6DB7B2EF88719F1040A9E6069B3A4DF35AD42CB41

Function 02D28100 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3001394229.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2d20000_QzRJbgyEhZjA.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97901bcd6a2f2dba7ef24848554c35d0dd64d81ab0b5738b686b9c868ca708f8
Instruction ID: 9f85ff73c0448cd51908305f163c957b48aca6aa2030a6592091da89e3e423d8
Opcode Fuzzy Hash: 97901bcd6a2f2dba7ef24848554c35d0dd64d81ab0b5738b686b9c868ca708f8
Instruction Fuzzy Hash: 3DF0313494010DFFCB05FBA8FA9099DB7B5FF40308F504679C40497269DB316E498B91

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PO for fabric forecast.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO for fabric forecast.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QzRJbgyEhZjA.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2qdeajuy.bg3.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4j12ho3h.fcv.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_elgnizcq.znk.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ggutbbki.wkp.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kwv40ugx.pzi.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nlff2ck0.0yp.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ocez132a.lsb.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wayzerjf.gjg.ps1

C:\Users\user\AppData\Local\Temp\tmpC3DA.tmp

C:\Users\user\AppData\Local\Temp\tmpD697.tmp

Windows Analysis Report
PO for fabric forecast.exe

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre