Windows Analysis Report RFQ_GGMC-Ref 12-01-2022.exe

Overview

General Information

Sample Name:	RFQ_GGMC-Ref 12-01-2022.exe
Analysis ID:	551470
MD5:	9fd45110bad75cda6de67232014aeb6e
SHA1:	a43016fa816afd1693fb7f266dd032fd7f061c35
SHA256:	b586ca95ba9557f7ad2434d01f96ff191b77541670894df3b78aa3a8312ae092
Tags:	AsyncRATexe
Infos:
Most interesting Screenshot:

Detection

AgentTesla AsyncRAT Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Telegram RAT

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected AsyncRAT

Yara detected Nanocore RAT

Sigma detected: Suspicious Script Execution From Temp Folder

Bypasses PowerShell execution policy

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Costura Assembly Loader

Sigma detected: Suspicius Add Task From User AppData Temp

Suspicious powershell command line found

.NET source code contains potential unpacker

Sigma detected: Powershell Defender Exclusion

.NET source code contains method to dynamically call methods (often used by packers)

Adds a directory exclusion to Windows Defender

Uses schtasks.exe or at.exe to add and modify task schedules

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Creates a process in suspended mode (likely to inject code)

Classification

Signatures

AV Detection:

Multi AV Scanner detection for submitted file

Source: RFQ_GGMC-Ref 12-01-2022.exe

Virustotal: Detection: 26%

Perma Link

Yara detected Nanocore RAT

Source: Yara match	File source: 00000028.00000000.532162937.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000000.533503527.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.575326002.0000000003B89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000000.534610587.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000000.531340924.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.578385897.0000000005530000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.539866646.00000000043B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.564500309.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.572373638.0000000002B81000.00000004.00000001.sdmp, type: MEMORY

Antivirus or Machine Learning detection for unpacked file

Source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.4.unpack	Avira: Label: TR/Dropper.Gen
Source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.10.unpack	Avira: Label: TR/Dropper.Gen
Source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.6.unpack	Avira: Label: TR/Dropper.Gen
Source: 7.2.RFQ_GGMC-Ref 12-01-2022.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.12.unpack	Avira: Label: TR/Dropper.Gen
Source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.8.unpack	Avira: Label: TR/Dropper.Gen

Compliance:

Uses 32bit PE files

Source: RFQ_GGMC-Ref 12-01-2022.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: RFQ_GGMC-Ref 12-01-2022.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: IDescriptionMetadataEnt.pdb source: mozille.exe, mozille.exe, 0000000F.00000000.372058011.0000000000F12000.00000002.00020000.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2030673 ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) 89.238.150.43:5512 -> 192.168.2.3:49720
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49729 -> 89.238.150.43:5512
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49730 -> 89.238.150.43:5512

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.3:49720 -> 89.238.150.43:5512

Source: unknown	TCP traffic detected without corresponding DNS query: 89.238.150.43
Source: unknown	TCP traffic detected without corresponding DNS query: 89.238.150.43
Source: unknown	TCP traffic detected without corresponding DNS query: 89.238.150.43
Source: unknown	TCP traffic detected without corresponding DNS query: 89.238.150.43
Source: unknown	TCP traffic detected without corresponding DNS query: 89.238.150.43
Source: unknown	TCP traffic detected without corresponding DNS query: 89.238.150.43
Source: unknown	TCP traffic detected without corresponding DNS query: 89.238.150.43
Source: unknown	TCP traffic detected without corresponding DNS query: 89.238.150.43
Source: unknown	TCP traffic detected without corresponding DNS query: 89.238.150.43
Source: unknown	TCP traffic detected without corresponding DNS query: 89.238.150.43
Source: unknown	TCP traffic detected without corresponding DNS query: 89.238.150.43
Source: unknown	TCP traffic detected without corresponding DNS query: 89.238.150.43
Source: unknown	TCP traffic detected without corresponding DNS query: 89.238.150.43
Source: unknown	TCP traffic detected without corresponding DNS query: 89.238.150.43
Source: unknown	TCP traffic detected without corresponding DNS query: 89.238.150.43
Source: unknown	TCP traffic detected without corresponding DNS query: 89.238.150.43
Source: unknown	TCP traffic detected without corresponding DNS query: 89.238.150.43
Source: unknown	TCP traffic detected without corresponding DNS query: 89.238.150.43
Source: unknown	TCP traffic detected without corresponding DNS query: 89.238.150.43
Source: unknown	TCP traffic detected without corresponding DNS query: 89.238.150.43
Source: unknown	TCP traffic detected without corresponding DNS query: 89.238.150.43
Source: unknown	TCP traffic detected without corresponding DNS query: 89.238.150.43
Source: unknown	TCP traffic detected without corresponding DNS query: 89.238.150.43
Source: unknown	TCP traffic detected without corresponding DNS query: 89.238.150.43
Source: unknown	TCP traffic detected without corresponding DNS query: 89.238.150.43
Source: unknown	TCP traffic detected without corresponding DNS query: 89.238.150.43
Source: unknown	TCP traffic detected without corresponding DNS query: 89.238.150.43
Source: unknown	TCP traffic detected without corresponding DNS query: 89.238.150.43
Source: unknown	TCP traffic detected without corresponding DNS query: 89.238.150.43
Source: unknown	TCP traffic detected without corresponding DNS query: 89.238.150.43
Source: unknown	TCP traffic detected without corresponding DNS query: 89.238.150.43
Source: unknown	TCP traffic detected without corresponding DNS query: 89.238.150.43
Source: unknown	TCP traffic detected without corresponding DNS query: 89.238.150.43
Source: unknown	TCP traffic detected without corresponding DNS query: 89.238.150.43
Source: unknown	TCP traffic detected without corresponding DNS query: 89.238.150.43
Source: unknown	TCP traffic detected without corresponding DNS query: 89.238.150.43
Source: unknown	TCP traffic detected without corresponding DNS query: 89.238.150.43
Source: unknown	TCP traffic detected without corresponding DNS query: 89.238.150.43
Source: unknown	TCP traffic detected without corresponding DNS query: 89.238.150.43
Source: unknown	TCP traffic detected without corresponding DNS query: 89.238.150.43
Source: unknown	TCP traffic detected without corresponding DNS query: 89.238.150.43
Source: unknown	TCP traffic detected without corresponding DNS query: 89.238.150.43
Source: unknown	TCP traffic detected without corresponding DNS query: 89.238.150.43
Source: unknown	TCP traffic detected without corresponding DNS query: 89.238.150.43
Source: unknown	TCP traffic detected without corresponding DNS query: 89.238.150.43
Source: unknown	TCP traffic detected without corresponding DNS query: 89.238.150.43
Source: unknown	TCP traffic detected without corresponding DNS query: 89.238.150.43
Source: unknown	TCP traffic detected without corresponding DNS query: 89.238.150.43
Source: unknown	TCP traffic detected without corresponding DNS query: 89.238.150.43
Source: unknown	TCP traffic detected without corresponding DNS query: 89.238.150.43

Source: mozille.exe	String found in binary or memory: http://ati.amd.com/developer/compressonator.html
Source: mozille.exe	String found in binary or memory: http://developer.nvidia.com/object/dds_thumbnail_viewer.html
Source: mozille.exe	String found in binary or memory: http://developer.nvidia.com/object/photoshop_dds_plugins.html
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000000.294283178.0000000000392000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000005.00000000.327586416.0000000000162000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000000.333928558.0000000000582000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000002.361685768.0000000003B04000.00000004.00000001.sdmp, mozille.exe, 0000000E.00000000.362803086.0000000000262000.00000002.00020000.sdmp, mozille.exe, 0000000F.00000000.372058011.0000000000F12000.00000002.00020000.sdmp	String found in binary or memory: http://developer.nvidia.com/object/photoshop_dds_plugins.htmlyhttp://developer.nvidia.com/object/dds
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.338715728.0000000003709000.00000004.00000001.sdmp, mozille.exe, 0000000E.00000002.394466512.0000000003659000.00000004.00000001.sdmp, mozille.exe, 0000000F.00000002.575440695.00000000042C9000.00000004.00000001.sdmp	String found in binary or memory: http://igaeJZ.so
Source: mozille.exe, mozille.exe, 0000000F.00000002.575440695.00000000042C9000.00000004.00000001.sdmp, mozille.exe, 0000000F.00000002.580953387.00000000078F0000.00000004.00020000.sdmp	String found in binary or memory: http://igaeditor.sourceforge.net/
Source: mozille.exe, mozille.exe, 0000000F.00000000.372058011.0000000000F12000.00000002.00020000.sdmp	String found in binary or memory: http://igaeditor.sourceforge.net/latest.txt
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000000.294283178.0000000000392000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000005.00000000.327586416.0000000000162000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000000.333928558.0000000000582000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000002.361685768.0000000003B04000.00000004.00000001.sdmp, mozille.exe, 0000000E.00000000.362803086.0000000000262000.00000002.00020000.sdmp, mozille.exe, 0000000F.00000000.372058011.0000000000F12000.00000002.00020000.sdmp	String found in binary or memory: http://igaeditor.sourceforge.net/ohttp://www.totalbf2142.com/forums/showthread.php?t=5342
Source: mozille.exe	String found in binary or memory: http://igaeditor.sourceforge.net/wiki/
Source: mozille.exe, 0000000F.00000002.575440695.00000000042C9000.00000004.00000001.sdmp	String found in binary or memory: http://micolous.id.au
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.341191488.0000000006C10000.00000004.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.338715728.0000000003709000.00000004.00000001.sdmp, mozille.exe, 0000000E.00000002.396925002.0000000006750000.00000004.00020000.sdmp, mozille.exe, 0000000E.00000002.394466512.0000000003659000.00000004.00000001.sdmp, mozille.exe, 0000000F.00000002.575440695.00000000042C9000.00000004.00000001.sdmp, mozille.exe, 0000000F.00000002.580953387.00000000078F0000.00000004.00020000.sdmp	String found in binary or memory: http://micolous.id.au/
Source: mozille.exe	String found in binary or memory: http://micolous.id.au/projects/bf21
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.341191488.0000000006C10000.00000004.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.338715728.0000000003709000.00000004.00000001.sdmp, mozille.exe, 0000000E.00000002.396925002.0000000006750000.00000004.00020000.sdmp, mozille.exe, 0000000E.00000002.394466512.0000000003659000.00000004.00000001.sdmp, mozille.exe, 0000000F.00000002.575440695.00000000042C9000.00000004.00000001.sdmp, mozille.exe, 0000000F.00000002.580953387.00000000078F0000.00000004.00020000.sdmp	String found in binary or memory: http://micolous.id.au/projects/bf2142/
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000000.294283178.0000000000392000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000005.00000000.327586416.0000000000162000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000000.333928558.0000000000582000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000002.361685768.0000000003B04000.00000004.00000001.sdmp, mozille.exe, 0000000E.00000000.362803086.0000000000262000.00000002.00020000.sdmp, mozille.exe, 0000000F.00000000.372058011.0000000000F12000.00000002.00020000.sdmp	String found in binary or memory: http://micolous.id.au/projects/bf2142/.
Source: mozille.exe	String found in binary or memory: http://registry.gimp.org/plugin?id=4816
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.338424053.0000000002701000.00000004.00000001.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000002.360806225.0000000002B36000.00000004.00000001.sdmp, mozille.exe, 0000000E.00000002.393670309.0000000002651000.00000004.00000001.sdmp, mozille.exe, 0000000F.00000002.572294732.00000000032C1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: mozille.exe, mozille.exe, 0000000F.00000000.372058011.0000000000F12000.00000002.00020000.sdmp	String found in binary or memory: http://www.gimp.org/windows/
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: mozille.exe, mozille.exe, 0000000F.00000000.372058011.0000000000F12000.00000002.00020000.sdmp	String found in binary or memory: http://www.pcgamingboards.com/smf/index.php?topic=129.msg279#msg279
Source: mozille.exe	String found in binary or memory: http://www.radgametools.com/bnkdown.htm
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: mozille.exe	String found in binary or memory: http://www.totalbf2142.com/forums/showthread.php?t=5342
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: mozille.exe	String found in binary or memory: https://sourceforge.net/project/showfiles.php?group_id=181663
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000000.294283178.0000000000392000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000005.00000000.327586416.0000000000162000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000000.333928558.0000000000582000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000002.361685768.0000000003B04000.00000004.00000001.sdmp, mozille.exe, 0000000E.00000000.362803086.0000000000262000.00000002.00020000.sdmp, mozille.exe, 0000000F.00000000.372058011.0000000000F12000.00000002.00020000.sdmp	String found in binary or memory: https://sourceforge.net/project/showfiles.php?group_id=181663Mhttp://igaeditor.sourceforge.net/wiki/
Source: mozille.exe	String found in binary or memory: https://sourceforge.net/svn/?group_id=181663

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected AsyncRAT

Source: Yara match	File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RFQ_GGMC-Ref 12-01-2022.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ_GGMC-Ref 12-01-2022.exe.277261c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.mozille.exe.26c25b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000002.564363154.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.335571895.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.389862678.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.390327325.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.453796076.00000000056C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.335001041.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.359864523.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.388653976.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.334452217.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.333878908.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.338424053.0000000002701000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.390769248.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.571714369.00000000031A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.393670309.0000000002651000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RFQ_GGMC-Ref 12-01-2022.exe PID: 6964, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RFQ_GGMC-Ref 12-01-2022.exe PID: 6948, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mozille.exe PID: 6316, type: MEMORYSTR

Creates a DirectInput object (often for capturing keystrokes)

Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.337721695.0000000000A48000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Nanocore RAT

Source: Yara match	File source: 00000028.00000000.532162937.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000000.533503527.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.575326002.0000000003B89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000000.534610587.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000000.531340924.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.578385897.0000000005530000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.539866646.00000000043B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.564500309.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.572373638.0000000002B81000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000028.00000002.578366682.0000000005520000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000028.00000000.532162937.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000028.00000000.532162937.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000028.00000000.533503527.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000028.00000000.533503527.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000028.00000002.575326002.0000000003B89000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000028.00000000.534610587.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000028.00000000.534610587.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000028.00000000.531340924.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000028.00000000.531340924.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000028.00000002.578385897.0000000005530000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000021.00000002.539866646.00000000043B9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000021.00000002.539866646.00000000043B9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000028.00000002.564500309.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000028.00000002.564500309.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000028.00000002.572373638.0000000002B81000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Uses 32bit PE files

Source: RFQ_GGMC-Ref 12-01-2022.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Yara signature match

Source: 00000028.00000002.578366682.0000000005520000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000028.00000002.578366682.0000000005520000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000028.00000000.532162937.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000028.00000000.532162937.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000028.00000000.533503527.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000028.00000000.533503527.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000028.00000002.575326002.0000000003B89000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000028.00000000.534610587.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000028.00000000.534610587.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000028.00000000.531340924.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000028.00000000.531340924.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000028.00000002.578385897.0000000005530000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000028.00000002.578385897.0000000005530000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000021.00000002.539866646.00000000043B9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000021.00000002.539866646.00000000043B9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000028.00000002.564500309.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000028.00000002.564500309.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000028.00000002.572373638.0000000002B81000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Detected potential crypto function

Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Code function: 0_2_00A3E721	0_2_00A3E721
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Code function: 0_2_00A3E730	0_2_00A3E730
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Code function: 0_2_00A3C764	0_2_00A3C764
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Code function: 14_2_00C1C764	14_2_00C1C764
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Code function: 14_2_00C1E721	14_2_00C1E721
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Code function: 14_2_00C1E730	14_2_00C1E730
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Code function: 14_2_04F87ABC	14_2_04F87ABC
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Code function: 14_2_04F8827B	14_2_04F8827B
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Code function: 15_2_01A0E721	15_2_01A0E721
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Code function: 15_2_01A0E730	15_2_01A0E730
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Code function: 15_2_01A0C764	15_2_01A0C764

Sample file is different than original file name gathered from version info

Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.337279816.000000000041E000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIDescriptionMetadataEnt.exeH vs RFQ_GGMC-Ref 12-01-2022.exe
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.338424053.0000000002701000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameStub.exe" vs RFQ_GGMC-Ref 12-01-2022.exe
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.337721695.0000000000A48000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs RFQ_GGMC-Ref 12-01-2022.exe
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.338715728.0000000003709000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUI.dllF vs RFQ_GGMC-Ref 12-01-2022.exe
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000005.00000002.328182607.00000000001EE000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIDescriptionMetadataEnt.exeH vs RFQ_GGMC-Ref 12-01-2022.exe
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000000.333072613.000000000060E000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIDescriptionMetadataEnt.exeH vs RFQ_GGMC-Ref 12-01-2022.exe
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000000.334476834.000000000040E000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameStub.exe" vs RFQ_GGMC-Ref 12-01-2022.exe
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000002.361685768.0000000003B04000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameIDescriptionMetadataEnt.exeH vs RFQ_GGMC-Ref 12-01-2022.exe
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000002.360214785.0000000000CEA000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs RFQ_GGMC-Ref 12-01-2022.exe

PE file contains strange resources

Source: RFQ_GGMC-Ref 12-01-2022.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: lhWbLvHNlciwu.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: RFQ_GGMC-Ref 12-01-2022.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: lhWbLvHNlciwu.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: RFQ_GGMC-Ref 12-01-2022.exe

Virustotal: Detection: 26%

Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe

File read: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe

Jump to behavior

Source: RFQ_GGMC-Ref 12-01-2022.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe "C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe"
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lhWbLvHNlciwu" /XML "C:\Users\user\AppData\Local\Temp\tmp71CD.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process created: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process created: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "mozille" /tr '"C:\Users\user\AppData\Local\Temp\mozille.exe"' & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpB8D1.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "mozille" /tr '"C:\Users\user\AppData\Local\Temp\mozille.exe"'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\mozille.exe C:\Users\user\AppData\Local\Temp\mozille.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\mozille.exe "C:\Users\user\AppData\Local\Temp\mozille.exe"
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lhWbLvHNlciwu" /XML "C:\Users\user\AppData\Local\Temp\tmpCDE7.tmp
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process created: C:\Users\user\AppData\Local\Temp\mozille.exe C:\Users\user\AppData\Local\Temp\mozille.exe
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\jzhlgt.exe"' & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\jzhlgt.exe"'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\jzhlgt.exe "C:\Users\user\AppData\Local\Temp\jzhlgt.exe"
Source: C:\Users\user\AppData\Local\Temp\jzhlgt.exe	Process created: C:\Users\user\AppData\Local\Temp\jzhlgt.exe C:\Users\user\AppData\Local\Temp\jzhlgt.exe
Source: C:\Users\user\AppData\Local\Temp\jzhlgt.exe	Process created: C:\Users\user\AppData\Local\Temp\jzhlgt.exe C:\Users\user\AppData\Local\Temp\jzhlgt.exe
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\dlliok.exe"' & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\dlliok.exe"'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Local\Temp\dlliok.exe "C:\Users\user\AppData\Local\Temp\dlliok.exe"
Source: C:\Users\user\AppData\Local\Temp\dlliok.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pLrWNKFD.exe
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\dlliok.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pLrWNKFD" /XML "C:\Users\user\AppData\Local\Temp\tmp9C7F.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\dlliok.exe	Process created: C:\Users\user\AppData\Local\Temp\dlliok.exe C:\Users\user\AppData\Local\Temp\dlliok.exe
Source: C:\Users\user\AppData\Local\Temp\dlliok.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpAD4.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\dlliok.exe C:\Users\user\AppData\Local\Temp\dlliok.exe 0
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lhWbLvHNlciwu" /XML "C:\Users\user\AppData\Local\Temp\tmp71CD.tmp	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process created: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process created: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "mozille" /tr '"C:\Users\user\AppData\Local\Temp\mozille.exe"' & exit	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpB8D1.tmp.bat""	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "mozille" /tr '"C:\Users\user\AppData\Local\Temp\mozille.exe"'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\mozille.exe "C:\Users\user\AppData\Local\Temp\mozille.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lhWbLvHNlciwu" /XML "C:\Users\user\AppData\Local\Temp\tmpCDE7.tmp
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process created: C:\Users\user\AppData\Local\Temp\mozille.exe C:\Users\user\AppData\Local\Temp\mozille.exe
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe

Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe

File created: C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe

Jump to behavior

Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe

File created: C:\Users\user\AppData\Local\Temp\tmp71CD.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@53/16@0/1

Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000000.294283178.0000000000392000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000005.00000000.327586416.0000000000162000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000000.333928558.0000000000582000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000002.361685768.0000000003B04000.00000004.00000001.sdmp, mozille.exe, 0000000E.00000000.362803086.0000000000262000.00000002.00020000.sdmp, mozille.exe, 0000000F.00000000.372058011.0000000000F12000.00000002.00020000.sdmp

Binary or memory string: INSERT INTO [content] ([active], [activate], [expire], [dayparts], [contentType], [descriptor], [size], [viewcount], [viewlimit], [displayafter], [props], [data]) VALUES (@active, @activate, @expire, @dayparts, @contentType, @descriptor, @size, @viewcount, @viewlimit, @displayafter, @props, @data); SELECT last_insert_rowid() AS contentId;

Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5800:120:WilError_01
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5852:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5824:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6276:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6100:120:WilError_01

Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpB8D1.tmp.bat""

Source: RFQ_GGMC-Ref 12-01-2022.exe, WXX/jXQ.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.RFQ_GGMC-Ref 12-01-2022.exe.390000.0.unpack, WXX/jXQ.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.RFQ_GGMC-Ref 12-01-2022.exe.390000.0.unpack, WXX/jXQ.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.0.RFQ_GGMC-Ref 12-01-2022.exe.160000.1.unpack, WXX/jXQ.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.RFQ_GGMC-Ref 12-01-2022.exe.160000.0.unpack, WXX/jXQ.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 5.0.RFQ_GGMC-Ref 12-01-2022.exe.160000.2.unpack, WXX/jXQ.cs	Cryptographic APIs: 'CreateDecryptor'

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: RFQ_GGMC-Ref 12-01-2022.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: RFQ_GGMC-Ref 12-01-2022.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: RFQ_GGMC-Ref 12-01-2022.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: IDescriptionMetadataEnt.pdb source: mozille.exe, mozille.exe, 0000000F.00000000.372058011.0000000000F12000.00000002.00020000.sdmp

Data Obfuscation:

Yara detected Costura Assembly Loader

Source: Yara match	File source: 00000015.00000002.582533114.0000000007400000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.571994209.00000000031E3000.00000004.00000001.sdmp, type: MEMORY

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\jzhlgt.exe"'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\dlliok.exe"'

.NET source code contains potential unpacker

Source: RFQ_GGMC-Ref 12-01-2022.exe, sO/j4.cs	.Net Code: gNn System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.RFQ_GGMC-Ref 12-01-2022.exe.390000.0.unpack, sO/j4.cs	.Net Code: gNn System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.RFQ_GGMC-Ref 12-01-2022.exe.390000.0.unpack, sO/j4.cs	.Net Code: gNn System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.RFQ_GGMC-Ref 12-01-2022.exe.160000.1.unpack, sO/j4.cs	.Net Code: gNn System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.RFQ_GGMC-Ref 12-01-2022.exe.160000.0.unpack, sO/j4.cs	.Net Code: gNn System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.RFQ_GGMC-Ref 12-01-2022.exe.160000.2.unpack, sO/j4.cs	.Net Code: gNn System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

.NET source code contains method to dynamically call methods (often used by packers)

Source: RFQ_GGMC-Ref 12-01-2022.exe, WXX/jXQ.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.2.RFQ_GGMC-Ref 12-01-2022.exe.390000.0.unpack, WXX/jXQ.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.0.RFQ_GGMC-Ref 12-01-2022.exe.390000.0.unpack, WXX/jXQ.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 5.0.RFQ_GGMC-Ref 12-01-2022.exe.160000.1.unpack, WXX/jXQ.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 5.2.RFQ_GGMC-Ref 12-01-2022.exe.160000.0.unpack, WXX/jXQ.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 5.0.RFQ_GGMC-Ref 12-01-2022.exe.160000.2.unpack, WXX/jXQ.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Code function: 0_2_00A3C910 pushad ; retf	0_2_00A3F571
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Code function: 0_2_00A3F572 pushad ; retf	0_2_00A3F571
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Code function: 14_2_00C1C910 pushad ; retf	14_2_00C1F571
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Code function: 14_2_00C1F572 pushad ; retf	14_2_00C1F571
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Code function: 14_2_04F84E40 push esp; retf	14_2_04F84E4D
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Code function: 14_2_04F81778 push eax; mov dword ptr [esp], ecx	14_2_04F8177C
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Code function: 14_2_04F81768 push eax; mov dword ptr [esp], ecx	14_2_04F8177C
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Code function: 15_2_01A0C910 pushad ; retf	15_2_01A0F571

Source: initial sample	Static PE information: section name: .text entropy: 7.64899477975
Source: initial sample	Static PE information: section name: .text entropy: 7.64899477975

Persistence and Installation Behavior:

Drops PE files

Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	File created: C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe			Jump to dropped file
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	File created: C:\Users\user\AppData\Local\Temp\mozille.exe			Jump to dropped file

Boot Survival:

Yara detected AsyncRAT

Source: Yara match	File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RFQ_GGMC-Ref 12-01-2022.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ_GGMC-Ref 12-01-2022.exe.277261c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.mozille.exe.26c25b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000002.564363154.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.335571895.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.389862678.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.390327325.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.453796076.00000000056C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.335001041.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.359864523.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.388653976.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.334452217.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.333878908.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.338424053.0000000002701000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.390769248.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.571714369.00000000031A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.393670309.0000000002651000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RFQ_GGMC-Ref 12-01-2022.exe PID: 6964, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RFQ_GGMC-Ref 12-01-2022.exe PID: 6948, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mozille.exe PID: 6316, type: MEMORYSTR

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lhWbLvHNlciwu" /XML "C:\Users\user\AppData\Local\Temp\tmp71CD.tmp

Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3

Source: Yara match	File source: 0.2.RFQ_GGMC-Ref 12-01-2022.exe.277261c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.mozille.exe.26c25b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.mozille.exe.33325b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001B.00000002.492375897.00000000032D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.538688651.00000000033B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.338424053.0000000002701000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.393670309.0000000002651000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.572294732.00000000032C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RFQ_GGMC-Ref 12-01-2022.exe PID: 6964, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mozille.exe PID: 6316, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mozille.exe PID: 6564, type: MEMORYSTR

Yara detected AsyncRAT

Source: Yara match	File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RFQ_GGMC-Ref 12-01-2022.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ_GGMC-Ref 12-01-2022.exe.277261c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.mozille.exe.26c25b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000002.564363154.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.335571895.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.389862678.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.390327325.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.453796076.00000000056C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.335001041.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.359864523.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.388653976.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.334452217.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.333878908.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.338424053.0000000002701000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.390769248.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.571714369.00000000031A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.393670309.0000000002651000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RFQ_GGMC-Ref 12-01-2022.exe PID: 6964, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RFQ_GGMC-Ref 12-01-2022.exe PID: 6948, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mozille.exe PID: 6316, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.338424053.0000000002701000.00000004.00000001.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000000.335571895.0000000000402000.00000040.00000001.sdmp, mozille.exe, 0000000E.00000002.393670309.0000000002651000.00000004.00000001.sdmp, mozille.exe, 0000000F.00000002.572294732.00000000032C1000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.338424053.0000000002701000.00000004.00000001.sdmp, mozille.exe, 0000000E.00000002.393670309.0000000002651000.00000004.00000001.sdmp, mozille.exe, 0000000F.00000002.572294732.00000000032C1000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe TID: 3912	Thread sleep time: -40187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe TID: 3732	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5648	Thread sleep time: -11990383647911201s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe TID: 5848	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mozille.exe TID: 2220	Thread sleep time: -35668s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\mozille.exe TID: 6380	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\mozille.exe TID: 4760	Thread sleep time: -41095s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3892	Thread sleep time: -6456360425798339s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6393	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2721	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5790
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3078

Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Thread delayed: delay time: 40187	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Thread delayed: delay time: 35668
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Thread delayed: delay time: 41095
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: mozille.exe, 0000000F.00000002.572294732.00000000032C1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: mozille.exe, 0000000F.00000002.572294732.00000000032C1000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: mozille.exe, 0000000F.00000002.572294732.00000000032C1000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: mozille.exe, 0000000F.00000002.572294732.00000000032C1000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging:

Enables debug privileges

Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Bypasses PowerShell execution policy

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\jzhlgt.exe"'

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe
Source: C:\Users\user\AppData\Local\Temp\dlliok.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pLrWNKFD.exe
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lhWbLvHNlciwu" /XML "C:\Users\user\AppData\Local\Temp\tmp71CD.tmp	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process created: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process created: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "mozille" /tr '"C:\Users\user\AppData\Local\Temp\mozille.exe"' & exit	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpB8D1.tmp.bat""	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "mozille" /tr '"C:\Users\user\AppData\Local\Temp\mozille.exe"'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\mozille.exe "C:\Users\user\AppData\Local\Temp\mozille.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lhWbLvHNlciwu" /XML "C:\Users\user\AppData\Local\Temp\tmpCDE7.tmp
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process created: C:\Users\user\AppData\Local\Temp\mozille.exe C:\Users\user\AppData\Local\Temp\mozille.exe
Source: C:\Users\user\AppData\Local\Temp\mozille.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe

Source: mozille.exe, 0000000F.00000002.571887916.0000000001DB0000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: mozille.exe, 0000000F.00000002.571887916.0000000001DB0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: mozille.exe, 0000000F.00000002.571887916.0000000001DB0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: mozille.exe, 0000000F.00000002.571887916.0000000001DB0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe

Windows Analysis Report RFQ_GGMC-Ref 12-01-2022.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection: