Windows Analysis Report RFQ_GGMC-Ref 12-01-2022.exe

Overview

General Information

Sample Name: RFQ_GGMC-Ref 12-01-2022.exe
Analysis ID: 551470
MD5: 9fd45110bad75cda6de67232014aeb6e
SHA1: a43016fa816afd1693fb7f266dd032fd7f061c35
SHA256: b586ca95ba9557f7ad2434d01f96ff191b77541670894df3b78aa3a8312ae092
Tags: AsyncRAT, exe

Detection

AgentTesla AsyncRAT Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Nanocore RAT
Sigma detected: Suspicious Script Execution From Temp Folder
Bypasses PowerShell execution policy
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Sigma detected: Suspicious Add Task From User AppData Temp
Suspicious powershell command line found
.NET source code contains potential unpacker
Sigma detected: Powershell Defender Exclusion
.NET source code contains method to dynamically call methods (often used by packers)
Adds a directory exclusion to Windows Defender
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: RFQ_GGMC-Ref 12-01-2022.exe Virustotal: Detection: 26%
Yara detected Nanocore RAT
Source: Yara match File source: 00000028.00000000.532162937.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.533503527.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.575326002.0000000003B89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.534610587.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.531340924.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.578385897.0000000005530000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.539866646.00000000043B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.564500309.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.572373638.0000000002B81000.00000004.00000001.sdmp, type: MEMORY
Antivirus or Machine Learning detection for unpacked file
Source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.4.unpack Avira: Label: TR/Dropper.Gen
Source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.10.unpack Avira: Label: TR/Dropper.Gen
Source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.6.unpack Avira: Label: TR/Dropper.Gen
Source: 7.2.RFQ_GGMC-Ref 12-01-2022.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.12.unpack Avira: Label: TR/Dropper.Gen
Source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.8.unpack Avira: Label: TR/Dropper.Gen

Compliance:

Uses 32bit PE files
Source: RFQ_GGMC-Ref 12-01-2022.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: RFQ_GGMC-Ref 12-01-2022.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: IDescriptionMetadataEnt.pdb source: mozille.exe, mozille.exe, 0000000F.00000000.372058011.0000000000F12000.00000002.00020000.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2030673 ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) 89.238.150.43:5512 -> 192.168.2.3:49720
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49729 -> 89.238.150.43:5512
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49730 -> 89.238.150.43:5512
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49720 -> 89.238.150.43:5512
Source: unknown TCP traffic detected without corresponding DNS query: 89.238.150.43
Source: mozille.exe String found in binary or memory: http://ati.amd.com/developer/compressonator.html
Source: mozille.exe String found in binary or memory: http://developer.nvidia.com/object/dds_thumbnail_viewer.html
Source: mozille.exe String found in binary or memory: http://developer.nvidia.com/object/photoshop_dds_plugins.html
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000000.294283178.0000000000392000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000005.00000000.327586416.0000000000162000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000000.333928558.0000000000582000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000002.361685768.0000000003B04000.00000004.00000001.sdmp, mozille.exe, 0000000E.00000000.362803086.0000000000262000.00000002.00020000.sdmp, mozille.exe, 0000000F.00000000.372058011.0000000000F12000.00000002.00020000.sdmp String found in binary or memory: http://developer.nvidia.com/object/photoshop_dds_plugins.htmlyhttp://developer.nvidia.com/object/dds
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.338715728.0000000003709000.00000004.00000001.sdmp, mozille.exe, 0000000E.00000002.394466512.0000000003659000.00000004.00000001.sdmp, mozille.exe, 0000000F.00000002.575440695.00000000042C9000.00000004.00000001.sdmp String found in binary or memory: http://igaeJZ.so
Source: mozille.exe, mozille.exe, 0000000F.00000002.575440695.00000000042C9000.00000004.00000001.sdmp, mozille.exe, 0000000F.00000002.580953387.00000000078F0000.00000004.00020000.sdmp String found in binary or memory: http://igaeditor.sourceforge.net/
Source: mozille.exe, mozille.exe, 0000000F.00000000.372058011.0000000000F12000.00000002.00020000.sdmp String found in binary or memory: http://igaeditor.sourceforge.net/latest.txt
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000000.294283178.0000000000392000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000005.00000000.327586416.0000000000162000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000000.333928558.0000000000582000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000002.361685768.0000000003B04000.00000004.00000001.sdmp, mozille.exe, 0000000E.00000000.362803086.0000000000262000.00000002.00020000.sdmp, mozille.exe, 0000000F.00000000.372058011.0000000000F12000.00000002.00020000.sdmp String found in binary or memory: http://igaeditor.sourceforge.net/ohttp://www.totalbf2142.com/forums/showthread.php?t=5342
Source: mozille.exe String found in binary or memory: http://igaeditor.sourceforge.net/wiki/
Source: mozille.exe, 0000000F.00000002.575440695.00000000042C9000.00000004.00000001.sdmp String found in binary or memory: http://micolous.id.au
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.341191488.0000000006C10000.00000004.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.338715728.0000000003709000.00000004.00000001.sdmp, mozille.exe, 0000000E.00000002.396925002.0000000006750000.00000004.00020000.sdmp, mozille.exe, 0000000E.00000002.394466512.0000000003659000.00000004.00000001.sdmp, mozille.exe, 0000000F.00000002.575440695.00000000042C9000.00000004.00000001.sdmp, mozille.exe, 0000000F.00000002.580953387.00000000078F0000.00000004.00020000.sdmp String found in binary or memory: http://micolous.id.au/
Source: mozille.exe String found in binary or memory: http://micolous.id.au/projects/bf21
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.341191488.0000000006C10000.00000004.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.338715728.0000000003709000.00000004.00000001.sdmp, mozille.exe, 0000000E.00000002.396925002.0000000006750000.00000004.00020000.sdmp, mozille.exe, 0000000E.00000002.394466512.0000000003659000.00000004.00000001.sdmp, mozille.exe, 0000000F.00000002.575440695.00000000042C9000.00000004.00000001.sdmp, mozille.exe, 0000000F.00000002.580953387.00000000078F0000.00000004.00020000.sdmp String found in binary or memory: http://micolous.id.au/projects/bf2142/
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000000.294283178.0000000000392000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000005.00000000.327586416.0000000000162000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000000.333928558.0000000000582000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000002.361685768.0000000003B04000.00000004.00000001.sdmp, mozille.exe, 0000000E.00000000.362803086.0000000000262000.00000002.00020000.sdmp, mozille.exe, 0000000F.00000000.372058011.0000000000F12000.00000002.00020000.sdmp String found in binary or memory: http://micolous.id.au/projects/bf2142/.
Source: mozille.exe String found in binary or memory: http://registry.gimp.org/plugin?id=4816
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.338424053.0000000002701000.00000004.00000001.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000002.360806225.0000000002B36000.00000004.00000001.sdmp, mozille.exe, 0000000E.00000002.393670309.0000000002651000.00000004.00000001.sdmp, mozille.exe, 0000000F.00000002.572294732.00000000032C1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: mozille.exe, mozille.exe, 0000000F.00000000.372058011.0000000000F12000.00000002.00020000.sdmp String found in binary or memory: http://www.gimp.org/windows/
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: mozille.exe, mozille.exe, 0000000F.00000000.372058011.0000000000F12000.00000002.00020000.sdmp String found in binary or memory: http://www.pcgamingboards.com/smf/index.php?topic=129.msg279#msg279
Source: mozille.exe String found in binary or memory: http://www.radgametools.com/bnkdown.htm
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: mozille.exe String found in binary or memory: http://www.totalbf2142.com/forums/showthread.php?t=5342
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: mozille.exe String found in binary or memory: https://sourceforge.net/project/showfiles.php?group_id=181663
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000000.294283178.0000000000392000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000005.00000000.327586416.0000000000162000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000000.333928558.0000000000582000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000002.361685768.0000000003B04000.00000004.00000001.sdmp, mozille.exe, 0000000E.00000000.362803086.0000000000262000.00000002.00020000.sdmp, mozille.exe, 0000000F.00000000.372058011.0000000000F12000.00000002.00020000.sdmp String found in binary or memory: https://sourceforge.net/project/showfiles.php?group_id=181663Mhttp://igaeditor.sourceforge.net/wiki/
Source: mozille.exe String found in binary or memory: https://sourceforge.net/svn/?group_id=181663

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected AsyncRAT
Source: Yara match File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RFQ_GGMC-Ref 12-01-2022.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ_GGMC-Ref 12-01-2022.exe.277261c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.mozille.exe.26c25b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000015.00000002.564363154.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.335571895.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.389862678.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.390327325.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.453796076.00000000056C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.335001041.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.359864523.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.388653976.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.334452217.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.333878908.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.338424053.0000000002701000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.390769248.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.571714369.00000000031A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.393670309.0000000002651000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RFQ_GGMC-Ref 12-01-2022.exe PID: 6964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RFQ_GGMC-Ref 12-01-2022.exe PID: 6948, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mozille.exe PID: 6316, type: MEMORYSTR
Creates a DirectInput object (often for capturing keystrokes)
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.337721695.0000000000A48000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match File source: 00000028.00000000.532162937.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.533503527.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.575326002.0000000003B89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.534610587.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.531340924.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.578385897.0000000005530000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.539866646.00000000043B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.564500309.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.572373638.0000000002B81000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000028.00000002.578366682.0000000005520000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000028.00000000.532162937.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000028.00000000.532162937.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000028.00000000.533503527.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000028.00000000.533503527.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000028.00000002.575326002.0000000003B89000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000028.00000000.534610587.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000028.00000000.534610587.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000028.00000000.531340924.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000028.00000000.531340924.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000028.00000002.578385897.0000000005530000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000021.00000002.539866646.00000000043B9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000021.00000002.539866646.00000000043B9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000028.00000002.564500309.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000028.00000002.564500309.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000028.00000002.572373638.0000000002B81000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Uses 32bit PE files
Source: RFQ_GGMC-Ref 12-01-2022.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Yara signature match
Source: 00000028.00000002.578366682.0000000005520000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000028.00000002.578366682.0000000005520000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000028.00000000.532162937.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000028.00000000.532162937.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000028.00000000.533503527.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000028.00000000.533503527.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000028.00000002.575326002.0000000003B89000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000028.00000000.534610587.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000028.00000000.534610587.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000028.00000000.531340924.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000028.00000000.531340924.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000028.00000002.578385897.0000000005530000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000028.00000002.578385897.0000000005530000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000021.00000002.539866646.00000000043B9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000021.00000002.539866646.00000000043B9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000028.00000002.564500309.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000028.00000002.564500309.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000028.00000002.572373638.0000000002B81000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Detected potential crypto function
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Code function: 0_2_00A3E721 0_2_00A3E721
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Code function: 0_2_00A3E730 0_2_00A3E730
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Code function: 0_2_00A3C764 0_2_00A3C764
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Code function: 14_2_00C1C764 14_2_00C1C764
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Code function: 14_2_00C1E721 14_2_00C1E721
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Code function: 14_2_00C1E730 14_2_00C1E730
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Code function: 14_2_04F87ABC 14_2_04F87ABC
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Code function: 14_2_04F8827B 14_2_04F8827B
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Code function: 15_2_01A0E721 15_2_01A0E721
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Code function: 15_2_01A0E730 15_2_01A0E730
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Code function: 15_2_01A0C764 15_2_01A0C764
Sample file is different than original file name gathered from version info
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.337279816.000000000041E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIDescriptionMetadataEnt.exeH vs RFQ_GGMC-Ref 12-01-2022.exe
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.338424053.0000000002701000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameStub.exe" vs RFQ_GGMC-Ref 12-01-2022.exe
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.337721695.0000000000A48000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs RFQ_GGMC-Ref 12-01-2022.exe
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.338715728.0000000003709000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUI.dllF vs RFQ_GGMC-Ref 12-01-2022.exe
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000005.00000002.328182607.00000000001EE000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIDescriptionMetadataEnt.exeH vs RFQ_GGMC-Ref 12-01-2022.exe
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000000.333072613.000000000060E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIDescriptionMetadataEnt.exeH vs RFQ_GGMC-Ref 12-01-2022.exe
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000000.334476834.000000000040E000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameStub.exe" vs RFQ_GGMC-Ref 12-01-2022.exe
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000002.361685768.0000000003B04000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameIDescriptionMetadataEnt.exeH vs RFQ_GGMC-Ref 12-01-2022.exe
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000002.360214785.0000000000CEA000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs RFQ_GGMC-Ref 12-01-2022.exe
PE file contains strange resources
Source: RFQ_GGMC-Ref 12-01-2022.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: lhWbLvHNlciwu.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: RFQ_GGMC-Ref 12-01-2022.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: lhWbLvHNlciwu.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: RFQ_GGMC-Ref 12-01-2022.exe Virustotal: Detection: 26%
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe File read: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe
Source: RFQ_GGMC-Ref 12-01-2022.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe "C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe"
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lhWbLvHNlciwu" /XML "C:\Users\user\AppData\Local\Temp\tmp71CD.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Process created: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Process created: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "mozille" /tr '"C:\Users\user\AppData\Local\Temp\mozille.exe"' & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpB8D1.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "mozille" /tr '"C:\Users\user\AppData\Local\Temp\mozille.exe"'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\mozille.exe C:\Users\user\AppData\Local\Temp\mozille.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\mozille.exe "C:\Users\user\AppData\Local\Temp\mozille.exe"
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lhWbLvHNlciwu" /XML "C:\Users\user\AppData\Local\Temp\tmpCDE7.tmp
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Process created: C:\Users\user\AppData\Local\Temp\mozille.exe C:\Users\user\AppData\Local\Temp\mozille.exe
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\jzhlgt.exe"' & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\jzhlgt.exe"'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\jzhlgt.exe "C:\Users\user\AppData\Local\Temp\jzhlgt.exe"
Source: C:\Users\user\AppData\Local\Temp\jzhlgt.exe Process created: C:\Users\user\AppData\Local\Temp\jzhlgt.exe C:\Users\user\AppData\Local\Temp\jzhlgt.exe
Source: C:\Users\user\AppData\Local\Temp\jzhlgt.exe Process created: C:\Users\user\AppData\Local\Temp\jzhlgt.exe C:\Users\user\AppData\Local\Temp\jzhlgt.exe
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\dlliok.exe"' & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\dlliok.exe"'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\dlliok.exe "C:\Users\user\AppData\Local\Temp\dlliok.exe"
Source: C:\Users\user\AppData\Local\Temp\dlliok.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pLrWNKFD.exe
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\dlliok.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pLrWNKFD" /XML "C:\Users\user\AppData\Local\Temp\tmp9C7F.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\dlliok.exe Process created: C:\Users\user\AppData\Local\Temp\dlliok.exe C:\Users\user\AppData\Local\Temp\dlliok.exe
Source: C:\Users\user\AppData\Local\Temp\dlliok.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpAD4.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\dlliok.exe C:\Users\user\AppData\Local\Temp\dlliok.exe 0
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lhWbLvHNlciwu" /XML "C:\Users\user\AppData\Local\Temp\tmp71CD.tmp
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Process created: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Process created: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "mozille" /tr '"C:\Users\user\AppData\Local\Temp\mozille.exe"' & exit
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpB8D1.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "mozille" /tr '"C:\Users\user\AppData\Local\Temp\mozille.exe"'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\mozille.exe "C:\Users\user\AppData\Local\Temp\mozille.exe"
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lhWbLvHNlciwu" /XML "C:\Users\user\AppData\Local\Temp\tmpCDE7.tmp
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Process created: C:\Users\user\AppData\Local\Temp\mozille.exe C:\Users\user\AppData\Local\Temp\mozille.exe
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe File created: C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe File created: C:\Users\user\AppData\Local\Temp\tmp71CD.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@53/16@0/1
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe File read: C:\Users\user\Desktop\desktop.ini
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000000.294283178.0000000000392000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000005.00000000.327586416.0000000000162000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000000.333928558.0000000000582000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000002.361685768.0000000003B04000.00000004.00000001.sdmp, mozille.exe, 0000000E.00000000.362803086.0000000000262000.00000002.00020000.sdmp, mozille.exe, 0000000F.00000000.372058011.0000000000F12000.00000002.00020000.sdmp Binary or memory string: INSERT INTO [content] ([active], [activate], [expire], [dayparts], [contentType], [descriptor], [size], [viewcount], [viewlimit], [displayafter], [props], [data]) VALUES (@active, @activate, @expire, @dayparts, @contentType, @descriptor, @size, @viewcount, @viewlimit, @displayafter, @props, @data); SELECT last_insert_rowid() AS contentId;
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5800:120:WilError_01
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5852:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5824:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6276:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6100:120:WilError_01
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpB8D1.tmp.bat""
Source: RFQ_GGMC-Ref 12-01-2022.exe, WXX/jXQ.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.RFQ_GGMC-Ref 12-01-2022.exe.390000.0.unpack, WXX/jXQ.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.RFQ_GGMC-Ref 12-01-2022.exe.390000.0.unpack, WXX/jXQ.cs Cryptographic APIs: 'CreateDecryptor'
Source: 5.0.RFQ_GGMC-Ref 12-01-2022.exe.160000.1.unpack, WXX/jXQ.cs Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.RFQ_GGMC-Ref 12-01-2022.exe.160000.0.unpack, WXX/jXQ.cs Cryptographic APIs: 'CreateDecryptor'
Source: 5.0.RFQ_GGMC-Ref 12-01-2022.exe.160000.2.unpack, WXX/jXQ.cs Cryptographic APIs: 'CreateDecryptor'
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: RFQ_GGMC-Ref 12-01-2022.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: RFQ_GGMC-Ref 12-01-2022.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: RFQ_GGMC-Ref 12-01-2022.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: IDescriptionMetadataEnt.pdb source: mozille.exe, mozille.exe, 0000000F.00000000.372058011.0000000000F12000.00000002.00020000.sdmp

Data Obfuscation:

Yara detected Costura Assembly Loader
Source: Yara match File source: 00000015.00000002.582533114.0000000007400000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.571994209.00000000031E3000.00000004.00000001.sdmp, type: MEMORY
Suspicious powershell command line found
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\jzhlgt.exe"'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\dlliok.exe"'
.NET source code contains potential unpacker
Source: RFQ_GGMC-Ref 12-01-2022.exe, sO/j4.cs .Net Code: gNn System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.RFQ_GGMC-Ref 12-01-2022.exe.390000.0.unpack, sO/j4.cs .Net Code: gNn System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.RFQ_GGMC-Ref 12-01-2022.exe.390000.0.unpack, sO/j4.cs .Net Code: gNn System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.RFQ_GGMC-Ref 12-01-2022.exe.160000.1.unpack, sO/j4.cs .Net Code: gNn System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.RFQ_GGMC-Ref 12-01-2022.exe.160000.0.unpack, sO/j4.cs .Net Code: gNn System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.RFQ_GGMC-Ref 12-01-2022.exe.160000.2.unpack, sO/j4.cs .Net Code: gNn System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
.NET source code contains method to dynamically call methods (often used by packers)
Source: RFQ_GGMC-Ref 12-01-2022.exe, WXX/jXQ.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.2.RFQ_GGMC-Ref 12-01-2022.exe.390000.0.unpack, WXX/jXQ.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.0.RFQ_GGMC-Ref 12-01-2022.exe.390000.0.unpack, WXX/jXQ.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 5.0.RFQ_GGMC-Ref 12-01-2022.exe.160000.1.unpack, WXX/jXQ.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 5.2.RFQ_GGMC-Ref 12-01-2022.exe.160000.0.unpack, WXX/jXQ.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 5.0.RFQ_GGMC-Ref 12-01-2022.exe.160000.2.unpack, WXX/jXQ.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Code function: 0_2_00A3C910 pushad ; retf 0_2_00A3F571
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Code function: 0_2_00A3F572 pushad ; retf 0_2_00A3F571
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Code function: 14_2_00C1C910 pushad ; retf 14_2_00C1F571
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Code function: 14_2_00C1F572 pushad ; retf 14_2_00C1F571
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Code function: 14_2_04F84E40 push esp; retf 14_2_04F84E4D
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Code function: 14_2_04F81778 push eax; mov dword ptr [esp], ecx 14_2_04F8177C
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Code function: 14_2_04F81768 push eax; mov dword ptr [esp], ecx 14_2_04F8177C
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Code function: 15_2_01A0C910 pushad ; retf 15_2_01A0F571
Source: initial sample Static PE information: section name: .text entropy: 7.64899477975

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe File created: C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe File created: C:\Users\user\AppData\Local\Temp\mozille.exe

Boot Survival:

Yara detected AsyncRAT
Source: Yara match File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RFQ_GGMC-Ref 12-01-2022.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ_GGMC-Ref 12-01-2022.exe.277261c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.mozille.exe.26c25b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000015.00000002.564363154.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.335571895.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.389862678.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.390327325.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.453796076.00000000056C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.335001041.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.359864523.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.388653976.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.334452217.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.333878908.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.338424053.0000000002701000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.390769248.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.571714369.00000000031A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.393670309.0000000002651000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RFQ_GGMC-Ref 12-01-2022.exe PID: 6964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RFQ_GGMC-Ref 12-01-2022.exe PID: 6948, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mozille.exe PID: 6316, type: MEMORYSTR
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lhWbLvHNlciwu" /XML "C:\Users\user\AppData\Local\Temp\tmp71CD.tmp
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 0.2.RFQ_GGMC-Ref 12-01-2022.exe.277261c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.mozille.exe.26c25b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.mozille.exe.33325b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001B.00000002.492375897.00000000032D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.538688651.00000000033B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.338424053.0000000002701000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.393670309.0000000002651000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.572294732.00000000032C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RFQ_GGMC-Ref 12-01-2022.exe PID: 6964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mozille.exe PID: 6316, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mozille.exe PID: 6564, type: MEMORYSTR
Yara detected AsyncRAT
Source: Yara match File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RFQ_GGMC-Ref 12-01-2022.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ_GGMC-Ref 12-01-2022.exe.277261c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.mozille.exe.26c25b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000015.00000002.564363154.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.335571895.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.389862678.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.390327325.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.453796076.00000000056C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.335001041.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.359864523.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.388653976.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.334452217.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.333878908.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.338424053.0000000002701000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.390769248.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.571714369.00000000031A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.393670309.0000000002651000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RFQ_GGMC-Ref 12-01-2022.exe PID: 6964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RFQ_GGMC-Ref 12-01-2022.exe PID: 6948, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mozille.exe PID: 6316, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.338424053.0000000002701000.00000004.00000001.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000000.335571895.0000000000402000.00000040.00000001.sdmp, mozille.exe, 0000000E.00000002.393670309.0000000002651000.00000004.00000001.sdmp, mozille.exe, 0000000F.00000002.572294732.00000000032C1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.338424053.0000000002701000.00000004.00000001.sdmp, mozille.exe, 0000000E.00000002.393670309.0000000002651000.00000004.00000001.sdmp, mozille.exe, 0000000F.00000002.572294732.00000000032C1000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe TID: 3912 Thread sleep time: -40187s >= -30000s
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe TID: 3732 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5648 Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe TID: 5848 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\mozille.exe TID: 2220 Thread sleep time: -35668s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\mozille.exe TID: 6380 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\mozille.exe TID: 4760 Thread sleep time: -41095s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3892 Thread sleep time: -6456360425798339s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6393
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2721
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5790
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3078
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Thread delayed: delay time: 40187
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Thread delayed: delay time: 35668
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Thread delayed: delay time: 41095
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe File Volume queried: C:\ FullSizeInformation
Source: mozille.exe, 0000000F.00000002.572294732.00000000032C1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: mozille.exe, 0000000F.00000002.572294732.00000000032C1000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: mozille.exe, 0000000F.00000002.572294732.00000000032C1000.00000004.00000001.sdmp Binary or memory string: vmware
Source: mozille.exe, 0000000F.00000002.572294732.00000000032C1000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
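The "Thread sleep time" and "Thread delayed" lines above mix two different things. Sleep(INFINITE) reaches NtDelayExecution as the most negative 64-bit relative interval (0x8000000000000000 hundred-nanosecond units); divided by 10,000 that is exactly the 922337203685477 the report prints, so those hits are threads parked for good rather than timed stalls, and the two PowerShell values in the 10^16 range are larger than any interval NtDelayExecution can carry at all. The finite 35 to 41 second delays in the sample and in mozille.exe are the ones a sandbox actually has to outwait. The following Python is an added triage example, not part of the Joe Sandbox report or of the malware: it parses lines in the report's format (the eight lines above, copied as sample input), separates the kinds, and returns only the delays worth extending a run for. The class and kind names and the three-minute bar are the example's own choices.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Sleep(INFINITE) reaches NtDelayExecution as the most negative 64-bit relative
# interval, 0x8000000000000000 hundred-nanosecond units; divided by 10,000 and
# truncated, that is the 922337203685477 ms the report prints for those threads.
# No representable interval is larger, so anything beyond it is not a real delay.
INFINITE_MS = (2**63) // 10_000     # 922337203685477
LONG_SLEEP_MS = 3 * 60 * 1_000      # the report's "long sleep" bar (>= 3 min), chosen for this example

LINE_RE = re.compile(
    r"^Source:\s+(?P<image>.+?)\s+TID:\s+(?P<tid>\d+)\s+Thread sleep time:\s+"
    r"(?P<value>-?\d+)s\s+>=\s+(?P<threshold>-?\d+)s"
)


@dataclass(frozen=True)
class SleepHit:
    image: str
    tid: int
    value_ms: int
    kind: str   # infinite | out_of_range | long | delay | short


def classify(value_ms: int, threshold_ms: int) -> str:
    """Map a reported sleep value to what it actually is (negative = relative interval)."""
    mag = abs(value_ms)
    if mag == INFINITE_MS:
        return "infinite"       # Sleep(INFINITE): a parked thread, not a timed stall
    if mag > INFINITE_MS:
        return "out_of_range"   # cannot be a DelayInterval at all; instrumentation noise
    if mag >= LONG_SLEEP_MS:
        return "long"           # a genuine multi-minute sleep
    if mag >= abs(threshold_ms):
        return "delay"          # tens of seconds: the startup stall sandboxes time out on
    return "short"


def parse_sleep_lines(text: str) -> list[SleepHit]:
    """Parse every 'Thread sleep time' line in the report's format; other lines are skipped."""
    hits: list[SleepHit] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            value = int(m["value"])
            hits.append(SleepHit(m["image"], int(m["tid"]), value, classify(value, int(m["threshold"]))))
    return hits


def evasion_candidates(hits: list[SleepHit]) -> list[SleepHit]:
    """Only finite, above-threshold sleeps are worth extending a sandbox's run time for."""
    return [h for h in hits if h.kind in ("delay", "long")]


# The eight "Thread sleep time" lines from the report, copied as sample input.
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe TID: 3912 Thread sleep time: -40187s >= -30000s
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe TID: 3732 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5648 Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe TID: 5848 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\mozille.exe TID: 2220 Thread sleep time: -35668s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\mozille.exe TID: 6380 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\mozille.exe TID: 4760 Thread sleep time: -41095s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3892 Thread sleep time: -6456360425798339s >= -30000s
"""

if __name__ == "__main__":
    for h in parse_sleep_lines(REPORT_LINES):
        print(f"{h.kind:13} {h.value_ms:>20} {h.image} tid={h.tid}")
```

Run against the eight lines, the decoder leaves three evasion candidates (the 40 s, 36 s and 41 s stalls in the dropper and in mozille.exe) and discards the five infinite or out-of-range hits that the "Contains long sleeps" signature fired on.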

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Bypasses PowerShell execution policy
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\jzhlgt.exe"'
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe
Source: C:\Users\user\AppData\Local\Temp\dlliok.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pLrWNKFD.exe
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lhWbLvHNlciwu" /XML "C:\Users\user\AppData\Local\Temp\tmp71CD.tmp
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Process created: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Process created: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "mozille" /tr '"C:\Users\user\AppData\Local\Temp\mozille.exe"' & exit
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpB8D1.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "mozille" /tr '"C:\Users\user\AppData\Local\Temp\mozille.exe"'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\mozille.exe "C:\Users\user\AppData\Local\Temp\mozille.exe"
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lhWbLvHNlciwu" /XML "C:\Users\user\AppData\Local\Temp\tmpCDE7.tmp
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Process created: C:\Users\user\AppData\Local\Temp\mozille.exe C:\Users\user\AppData\Local\Temp\mozille.exe
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe
Source: mozille.exe, 0000000F.00000002.571887916.0000000001DB0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: mozille.exe, 0000000F.00000002.571887916.0000000001DB0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: mozille.exe, 0000000F.00000002.571887916.0000000001DB0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: mozille.exe, 0000000F.00000002.571887916.0000000001DB0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
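The process-creation lines in this section are the detection material of the report: a PowerShell Defender exclusion for a binary under %APPDATA%\Roaming, PowerShell run with the execution policy bypassed, schtasks registering an on-logon task with the highest run level whose action is an executable in the user's Temp folder, and a second task defined only by an XML file in that same Temp folder. The following Python is an added example, not code from the Joe Sandbox report or from the malware: it checks (parent image, command line) pairs against those four patterns and returns what tripped. The sample events are constructed copies of the command lines above; the rule names, the Finding type and the choice of AppData\Local\Temp and AppData\Roaming as the "user-writable" paths are the example's own.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Paths under the user's AppData that the payloads in this report stage from and persist to
# (a choice made for this example; extend it for other staging directories).
APPDATA_PATH = re.compile(r"\\Users\\[^\\]+\\AppData\\(Local\\Temp|Roaming)\\", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str      # rule name chosen for this example
    parent: str    # image of the process that launched the command
    detail: str


def check_command(parent: str, cmdline: str) -> list[Finding]:
    """Return every rule the (parent image, command line) pair trips; [] means nothing matched."""
    findings: list[Finding] = []
    low = cmdline.lower()

    # 1. Defender exclusion added from PowerShell (T1562.001); note whether the target is in AppData.
    m = re.search(r'add-mppreference\s+-exclusion(path|process|extension)\s+"?([^"]+)', cmdline, re.I)
    if m:
        target = m.group(2).strip()
        where = "appdata" if APPDATA_PATH.search(target) else "other"
        findings.append(Finding("defender_exclusion", parent, f"{m.group(1).lower()}={target} ({where})"))

    # 2. PowerShell launched with the execution policy bypassed (T1059.001).
    if "powershell" in low and re.search(r"executionpolicy\s+bypass", low):
        findings.append(Finding("ps_executionpolicy_bypass", parent, cmdline))

    # 3. schtasks creating a task; collect the traits that make it persistence (T1053.005).
    if re.search(r'schtasks(\.exe)?"?\s+/create', low):
        traits = []
        if "/sc onlogon" in low:
            traits.append("onlogon")
        if "/rl highest" in low:
            traits.append("highest")
        tr = re.search(r"""/tr\s+'?"?([^'"]+)""", cmdline, re.I)
        xml = re.search(r'/xml\s+"?([^"]+)', cmdline, re.I)
        if tr and APPDATA_PATH.search(tr.group(1)):
            traits.append("action_in_appdata")
        if xml and APPDATA_PATH.search(xml.group(1)):
            traits.append("task_xml_in_appdata")   # action not visible here; pull and read the XML
        if traits:
            findings.append(Finding("schtasks_persistence", parent, ",".join(traits)))

    # 4. A binary running out of AppData driving powershell or schtasks at all is itself a signal.
    if APPDATA_PATH.search(parent) and re.search(r"powershell|schtasks", low):
        findings.append(Finding("admin_tool_from_appdata", parent, cmdline))

    return findings


# Constructed from the command lines in this section of the report: (parent image, command line).
SAMPLE_EVENTS = [
    (r"C:\Windows\SysWOW64\cmd.exe",
     "powershell ExecutionPolicy Bypass Start-Process -FilePath '\"C:\\Users\\user\\AppData\\Local\\Temp\\jzhlgt.exe\"'"),
    (r"C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe",
     r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe'),
    (r"C:\Users\user\AppData\Local\Temp\dlliok.exe",
     r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pLrWNKFD.exe'),
    (r"C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe",
     r'C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lhWbLvHNlciwu" /XML "C:\Users\user\AppData\Local\Temp\tmp71CD.tmp'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     "schtasks /create /f /sc onlogon /rl highest /tn \"mozille\" /tr '\"C:\\Users\\user\\AppData\\Local\\Temp\\mozille.exe\"'"),
    (r"C:\Windows\SysWOW64\cmd.exe", "timeout 3"),   # benign step from the same .bat chain
]


def triage(events=SAMPLE_EVENTS) -> list[Finding]:
    """Run every event through check_command and flatten the results."""
    return [f for parent, cmd in events for f in check_command(parent, cmd)]


if __name__ == "__main__":
    for f in triage():
        print(f"[{f.rule}] {f.parent} :: {f.detail}")
```

Against the six constructed events the checker raises six findings: the "timeout 3" step is clean, the dlliok.exe line counts twice (exclusion plus an AppData-resident parent driving PowerShell), and the XML-defined task is flagged on the location of its definition alone, which is the cue to pull that tmp file and read the action it registers.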

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Queries volume information: C:\Users\user\AppData\Local\Temp\mozille.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Queries volume information: C:\Users\user\AppData\Local\Temp\mozille.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Yara detected AsyncRAT
Source: Yara match File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RFQ_GGMC-Ref 12-01-2022.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ_GGMC-Ref 12-01-2022.exe.277261c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.mozille.exe.26c25b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000015.00000002.564363154.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.335571895.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.389862678.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.390327325.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.453796076.00000000056C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.335001041.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.359864523.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.388653976.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.334452217.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.333878908.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.338424053.0000000002701000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.390769248.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.571714369.00000000031A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.393670309.0000000002651000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RFQ_GGMC-Ref 12-01-2022.exe PID: 6964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RFQ_GGMC-Ref 12-01-2022.exe PID: 6948, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mozille.exe PID: 6316, type: MEMORYSTR

Stealing of Sensitive Information:

Yara detected Telegram RAT
Source: Yara match File source: 0000001D.00000002.574363580.0000000002F31000.00000004.00000001.sdmp, type: MEMORY
Yara detected AgentTesla
Source: Yara match File source: 0000001D.00000000.485797688.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000000.487776252.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000000.486771579.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000000.484899643.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.564381690.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.493963326.00000000042D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.574363580.0000000002F31000.00000004.00000001.sdmp, type: MEMORY
Yara detected Nanocore RAT
Source: Yara match File source: 00000028.00000000.532162937.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.533503527.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.575326002.0000000003B89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.534610587.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.531340924.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.578385897.0000000005530000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.539866646.00000000043B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.564500309.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.572373638.0000000002B81000.00000004.00000001.sdmp, type: MEMORY
Yara detected Credential Stealer
Source: Yara match File source: 0000001D.00000002.574363580.0000000002F31000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Telegram RAT
Source: Yara match File source: 0000001D.00000002.574363580.0000000002F31000.00000004.00000001.sdmp, type: MEMORY
Yara detected AgentTesla
Source: Yara match File source: 0000001D.00000000.485797688.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000000.487776252.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000000.486771579.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000000.484899643.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.564381690.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.493963326.00000000042D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.574363580.0000000002F31000.00000004.00000001.sdmp, type: MEMORY
Yara detected Nanocore RAT
Source: Yara match File source: 00000028.00000000.532162937.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.533503527.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.575326002.0000000003B89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.534610587.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.531340924.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.578385897.0000000005530000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.539866646.00000000043B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.564500309.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.572373638.0000000002B81000.00000004.00000001.sdmp, type: MEMORY
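The two long lists above (the "Queries volume information" behaviour lines and the per-family "Yara match" memory-dump names) are easier to read once they are bucketed. The script below is an added triage example written for this page; it is not part of the sandbox report or of any vendor tooling. It separates .NET framework noise (font-cache walks, GAC assembly probing, Authenticode catalog lookups) from the reads worth a second look (the root volume, the binary's own file, and the HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid read, a common host-fingerprint source), and it decodes the dump names so each family's matches can be grouped by process index, execution stage and page protection. The sample lines are copied from the report; the interpretation of the dump-name fields (process index, stage with 0 = process start and 2 = process end, base address, then a winnt.h page-protection value) is an assumption made for this example, not something the report states.

```python
import re
from collections import Counter, defaultdict

# winnt.h page-protection constants; assumed to be what the fifth
# dump-name field carries (see lead-in).
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

VOLUME_RE = re.compile(r"^Source: (?P<proc>.+?) Queries volume information: "
                       r"(?P<target>.+?) VolumeInformation(?: Jump to behavior)?$")
REGKEY_RE = re.compile(r"^Source: (?P<proc>.+?) Key value queried: (?P<key>\S+) (?P<value>\S+)")
YARA_RE = re.compile(r"^Yara detected (?P<family>.+)$")
SDMP_RE = re.compile(r"^Source: Yara match File source: (?P<pidx>[0-9A-Fa-f]{8})\."
                     r"(?P<stage>[0-9A-Fa-f]{8})\.\d+\.(?P<base>[0-9A-Fa-f]{16})\."
                     r"(?P<prot>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp")


def classify_target(path: str) -> str:
    """Bucket one volume-information target: framework noise vs. worth review."""
    p = path.lower()
    if "\\windows\\fonts\\" in p:
        return "noise/font-enumeration"      # System.Drawing walking the font cache
    if "\\microsoft.net\\assembly\\" in p:
        return "noise/gac-assembly-load"     # CLR probing the GAC
    if "\\system32\\catroot\\" in p:
        return "noise/catalog-signature"     # Authenticode catalog lookups
    if p == "c:\\":
        return "review/root-volume"          # exposes the volume serial number
    if p.endswith(".exe"):
        return "review/self-or-dropped-exe"  # a binary inspecting its own or a dropped file
    return "review/other"


def triage_behaviour(lines):
    """Return ({process: Counter(bucket)}, [(process, registry value)] for MachineGuid reads)."""
    buckets, fingerprints = defaultdict(Counter), []
    for line in lines:
        line = line.strip()
        m = VOLUME_RE.match(line)
        if m:
            buckets[m["proc"]][classify_target(m["target"])] += 1
            continue
        m = REGKEY_RE.match(line)
        if m and m["value"].lower() == "machineguid":
            fingerprints.append((m["proc"], m["key"] + "\\" + m["value"]))
    return buckets, fingerprints


def summarize_yara(lines):
    """Map family -> decoded memory-dump matches listed under its 'Yara detected' header."""
    family, out = None, defaultdict(list)
    for line in lines:
        line = line.strip()
        m = YARA_RE.match(line)
        if m:
            family = m["family"]
            continue
        m = SDMP_RE.match(line)
        if m and family:
            prot = int(m["prot"], 16)
            out[family].append({"pidx": int(m["pidx"], 16), "stage": int(m["stage"], 16),
                                "base": int(m["base"], 16),
                                "prot": PAGE_PROTECT.get(prot, hex(prot))})
    return out


def rwx_code_matches(summary):
    """Families matched in PAGE_EXECUTE_READWRITE memory already at process start (stage 0)."""
    hits = {}
    for fam, entries in summary.items():
        procs = sorted({e["pidx"] for e in entries
                        if e["prot"] == "PAGE_EXECUTE_READWRITE" and e["stage"] == 0})
        if procs:
            hits[fam] = procs
    return hits


# Sample input: lines copied from the report above (constructed subset, not live data).
SAMPLE_BEHAVIOUR = r"""
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Queries volume information: C:\Users\user\AppData\Local\Temp\mozille.exe VolumeInformation
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
""".strip().splitlines()

SAMPLE_YARA = """
Yara detected AsyncRAT
Source: Yara match File source: 00000007.00000000.335571895.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.571714369.00000000031A1000.00000004.00000001.sdmp, type: MEMORY
Yara detected AgentTesla
Source: Yara match File source: 0000001D.00000000.485797688.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Yara detected Nanocore RAT
Source: Yara match File source: 00000028.00000002.578385897.0000000005530000.00000004.00020000.sdmp, type: MEMORY
""".strip().splitlines()


if __name__ == "__main__":
    buckets, fingerprints = triage_behaviour(SAMPLE_BEHAVIOUR)
    for proc, counts in buckets.items():
        print(proc)
        for bucket, n in sorted(counts.items()):
            print(f"    {n:4d}  {bucket}")
    for proc, key in fingerprints:
        print(f"host fingerprint: {proc} read {key}")
    for fam, procs in rwx_code_matches(summarize_yara(SAMPLE_YARA)).items():
        print(f"{fam}: RWX match at process start in process index {procs}")
```

Run against the full report text, the font and GAC buckets absorb nearly every line from the sample binary, leaving the root-volume reads by powershell.exe and cmd.exe, the self-reads by the sample and by mozille.exe, and the MachineGuid read as the items to carry into the write-up. The RWX-at-start filter picks out the families whose code was already present at 0x402000 with execute-write protection when the process began; that pattern says the payload was placed there by whatever created the process rather than mapped from the file on disk, which is the caveat to keep in mind before attributing any of these families to the file by hash alone.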