

Windows Analysis Report RFQ_GGMC-Ref 12-01-2022.exe

Overview

General Information

Sample Name: RFQ_GGMC-Ref 12-01-2022.exe
Analysis ID: 551470
MD5: 9fd45110bad75cda6de67232014aeb6e
SHA1: a43016fa816afd1693fb7f266dd032fd7f061c35
SHA256: b586ca95ba9557f7ad2434d01f96ff191b77541670894df3b78aa3a8312ae092
Tags: AsyncRAT, exe

Detection

AgentTesla AsyncRAT Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Nanocore RAT
Sigma detected: Suspicious Script Execution From Temp Folder
Bypasses PowerShell execution policy
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Sigma detected: Suspicius Add Task From User AppData Temp
Suspicious powershell command line found
.NET source code contains potential unpacker
Sigma detected: Powershell Defender Exclusion
.NET source code contains method to dynamically call methods (often used by packers)
Adds a directory exclusion to Windows Defender
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • RFQ_GGMC-Ref 12-01-2022.exe (PID: 6964 cmdline: "C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe" MD5: 9FD45110BAD75CDA6DE67232014AEB6E)
    • powershell.exe (PID: 6080 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6136 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lhWbLvHNlciwu" /XML "C:\Users\user\AppData\Local\Temp\tmp71CD.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RFQ_GGMC-Ref 12-01-2022.exe (PID: 7000 cmdline: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe MD5: 9FD45110BAD75CDA6DE67232014AEB6E)
    • RFQ_GGMC-Ref 12-01-2022.exe (PID: 6948 cmdline: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe MD5: 9FD45110BAD75CDA6DE67232014AEB6E)
      • cmd.exe (PID: 5684 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "mozille" /tr '"C:\Users\user\AppData\Local\Temp\mozille.exe"' & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 5580 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "mozille" /tr '"C:\Users\user\AppData\Local\Temp\mozille.exe"' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • cmd.exe (PID: 3868 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpB8D1.tmp.bat"" MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • conhost.exe (PID: 2532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • timeout.exe (PID: 2292 cmdline: timeout 3 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
        • mozille.exe (PID: 6564 cmdline: "C:\Users\user\AppData\Local\Temp\mozille.exe" MD5: 9FD45110BAD75CDA6DE67232014AEB6E)
          • powershell.exe (PID: 5452 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
  • mozille.exe (PID: 6316 cmdline: C:\Users\user\AppData\Local\Temp\mozille.exe MD5: 9FD45110BAD75CDA6DE67232014AEB6E)
    • powershell.exe (PID: 5400 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 5192 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lhWbLvHNlciwu" /XML "C:\Users\user\AppData\Local\Temp\tmpCDE7.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • mozille.exe (PID: 6620 cmdline: C:\Users\user\AppData\Local\Temp\mozille.exe MD5: 9FD45110BAD75CDA6DE67232014AEB6E)
      • cmd.exe (PID: 5000 cmdline: "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\jzhlgt.exe"' & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • powershell.exe (PID: 5648 cmdline: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\jzhlgt.exe"' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
          • jzhlgt.exe (PID: 6500 cmdline: "C:\Users\user\AppData\Local\Temp\jzhlgt.exe" MD5: 76F7AB6A302E47D7F7FDB4EA2540323E)
            • jzhlgt.exe (PID: 5964 cmdline: C:\Users\user\AppData\Local\Temp\jzhlgt.exe MD5: 76F7AB6A302E47D7F7FDB4EA2540323E)
            • jzhlgt.exe (PID: 3076 cmdline: C:\Users\user\AppData\Local\Temp\jzhlgt.exe MD5: 76F7AB6A302E47D7F7FDB4EA2540323E)
      • cmd.exe (PID: 3312 cmdline: "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\dlliok.exe"' & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • powershell.exe (PID: 4636 cmdline: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\dlliok.exe"' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
          • dlliok.exe (PID: 2804 cmdline: "C:\Users\user\AppData\Local\Temp\dlliok.exe" MD5: 8B4D4FC3E962F26A4C74120F33BB7460)
            • powershell.exe (PID: 6276 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pLrWNKFD.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
            • schtasks.exe (PID: 4872 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pLrWNKFD" /XML "C:\Users\user\AppData\Local\Temp\tmp9C7F.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
              • conhost.exe (PID: 4740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • dlliok.exe (PID: 1316 cmdline: C:\Users\user\AppData\Local\Temp\dlliok.exe MD5: 8B4D4FC3E962F26A4C74120F33BB7460)
              • schtasks.exe (PID: 4412 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpAD4.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
                • conhost.exe (PID: 6124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dlliok.exe (PID: 6844 cmdline: C:\Users\user\AppData\Local\Temp\dlliok.exe 0 MD5: 8B4D4FC3E962F26A4C74120F33BB7460)
  • cleanup
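The tree above is the full chain that the Sigma and behavioural signatures key on: the dropper adds a Defender exclusion for its copy in AppData\Roaming, registers scheduled tasks from XML files in %TEMP%, and relaunches its payloads through cmd.exe and PowerShell with ExecutionPolicy Bypass. The following Python is an added example, not part of the Joe Sandbox report: it re-implements those checks over a constructed subset of the process-start events listed above. The SysWOW64 image paths and the empty parent of the initial sample are assumptions, because the tree prints command lines only.

```python
"""Sigma-style triage of sandbox process-start events.

Added example; it is not part of the Joe Sandbox report. It re-implements the
checks that fire on the process tree above (Defender exclusion via PowerShell,
scheduled task fed from %TEMP%, ExecutionPolicy Bypass, script host run from
%TEMP%, LOLBin spawned by a binary living in a user-writable directory).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str         # full path of the started process
    cmdline: str       # command line exactly as the sandbox captured it
    parent_image: str  # full path of the parent; "" when the report omits it


# Constructed sample: a subset of the events in the tree above. The SysWOW64
# image paths are assumed (the tree prints command lines only); the unbalanced
# quoting is kept as captured, since that is what a detection actually sees.
SAMPLE = r"C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
EVENTS = [
    ProcEvent(6964, SAMPLE, '"' + SAMPLE + '"', ""),
    ProcEvent(6080, PS, r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference'
              r' -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe', SAMPLE),
    ProcEvent(6136, SCHTASKS, r'C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lhWbLvHNlciwu"'
              r' /XML "C:\Users\user\AppData\Local\Temp\tmp71CD.tmp', SAMPLE),
    ProcEvent(3868, CMD, r'C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpB8D1.tmp.bat""',
              SAMPLE),
    ProcEvent(5580, SCHTASKS, r"""schtasks /create /f /sc onlogon /rl highest /tn "mozille" """
              r"""/tr '"C:\Users\user\AppData\Local\Temp\mozille.exe"'""", CMD),
    ProcEvent(5648, PS, r"""powershell ExecutionPolicy Bypass Start-Process -FilePath """
              r"""'"C:\Users\user\AppData\Local\Temp\jzhlgt.exe"'""", CMD),
    ProcEvent(4412, SCHTASKS, r'schtasks.exe" /create /f /tn "DHCP Monitor"'
              r' /xml "C:\Users\user\AppData\Local\Temp\tmpAD4.tmp',
              r"C:\Users\user\AppData\Local\Temp\dlliok.exe"),
]

TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.I)
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(?:desktop|appdata|downloads|documents)\\", re.I)
DEFENDER_EXCL = re.compile(r"(?:add|set)-mppreference\s+-exclusion(?:path|process|extension)", re.I)
EP_BYPASS = re.compile(r"(?:-?executionpolicy|-ep|-exec)\s+bypass", re.I)
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "schtasks.exe", "wscript.exe",
           "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def image_name(path):
    """Lower-cased file name of a Windows path ("" stays "")."""
    return path.rsplit("\\", 1)[-1].lower()


def defender_exclusion(e):
    # Sigma "Powershell Defender Exclusion": Add/Set-MpPreference with an -Exclusion* switch.
    return image_name(e.image) in {"powershell.exe", "pwsh.exe"} and bool(DEFENDER_EXCL.search(e.cmdline))


def scheduled_task_from_temp(e):
    # Sigma "Add Task From User AppData Temp": task definition or action sits in %TEMP%.
    return (image_name(e.image) == "schtasks.exe"
            and re.search(r"/create\b", e.cmdline, re.I) is not None
            and bool(TEMP_DIR.search(e.cmdline)))


def execution_policy_bypass(e):
    return image_name(e.image) in {"powershell.exe", "pwsh.exe"} and bool(EP_BYPASS.search(e.cmdline))


def script_host_from_temp(e):
    # Sigma "Suspicious Script Execution From Temp Folder".
    return image_name(e.image) in SCRIPT_HOSTS and bool(TEMP_DIR.search(e.cmdline))


def lolbin_from_user_path(e):
    # Extra heuristic: a system utility launched by a binary in a user-writable directory.
    return image_name(e.image) in LOLBINS and bool(USER_WRITABLE.search(e.parent_image))


RULES = {f.__name__: f for f in (defender_exclusion, scheduled_task_from_temp,
                                 execution_policy_bypass, script_host_from_temp,
                                 lolbin_from_user_path)}


def triage(events):
    """Map every PID that trips at least one rule to the sorted list of rule names."""
    hits = {}
    for e in events:
        names = sorted(name for name, rule in RULES.items() if rule(e))
        if names:
            hits[e.pid] = names
    return hits


if __name__ == "__main__":
    for pid, names in sorted(triage(EVENTS).items()):
        print(f"{pid:>5}  {', '.join(names)}")
```

The rules match on the command line as captured, including the stray quote after the image path, because that is what Sysmon event 1 or Security event 4688 records; normalising quotes first would only lose signal. The initial sample process itself trips nothing, which is the point: the detections live on the children it spawns.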

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000028.00000002.578366682.0000000005520000.00000004.00020000.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
00000028.00000002.578366682.0000000005520000.00000004.00020000.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
0000001D.00000000.485797688.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000001D.00000000.485797688.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000015.00000002.564363154.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
(5 of 64 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.10.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.4.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.6.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
7.2.RFQ_GGMC-Ref 12-01-2022.exe.400000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.12.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
(5 of 6 entries shown)

Sigma Overview

System Summary:

Sigma detected: Suspicious Script Execution From Temp Folder
Source: Process started; Author: Florian Roth, Max Altgelt; Data: Command: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\jzhlgt.exe"' , CommandLine: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\jzhlgt.exe"' , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\jzhlgt.exe"' & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5000, ProcessCommandLine: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\jzhlgt.exe"' , ProcessId: 5648
Sigma detected: Suspicius Add Task From User AppData Temp
Source: Process started; Author: frack113; Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lhWbLvHNlciwu" /XML "C:\Users\user\AppData\Local\Temp\tmp71CD.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lhWbLvHNlciwu" /XML "C:\Users\user\AppData\Local\Temp\tmp71CD.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe" , ParentImage: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe, ParentProcessId: 6964, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lhWbLvHNlciwu" /XML "C:\Users\user\AppData\Local\Temp\tmp71CD.tmp, ProcessId: 6136
Sigma detected: Powershell Defender Exclusion
Source: Process started; Author: Florian Roth; Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe" , ParentImage: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe, ParentProcessId: 6964, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe, ProcessId: 6080
Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe" , ParentImage: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe, ParentProcessId: 6964, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe, ProcessId: 6080
Sigma detected: T1086 PowerShell Execution
Source: Pipe created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: PipeName: \PSHost.132864805308084968.6080.DefaultAppDomain.powershell

Joe Sandbox Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: RFQ_GGMC-Ref 12-01-2022.exe; Virustotal: Detection: 26%
Yara detected Nanocore RAT
Source: Yara match; File source: 00000028.00000000.532162937.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000028.00000000.533503527.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000028.00000002.575326002.0000000003B89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000028.00000000.534610587.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000028.00000000.531340924.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000028.00000002.578385897.0000000005530000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000021.00000002.539866646.00000000043B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000028.00000002.564500309.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000028.00000002.572373638.0000000002B81000.00000004.00000001.sdmp, type: MEMORY
Source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.4.unpack; Avira: Label: TR/Dropper.Gen
Source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.10.unpack; Avira: Label: TR/Dropper.Gen
Source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.6.unpack; Avira: Label: TR/Dropper.Gen
Source: 7.2.RFQ_GGMC-Ref 12-01-2022.exe.400000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.12.unpack; Avira: Label: TR/Dropper.Gen
Source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.8.unpack; Avira: Label: TR/Dropper.Gen
Source: RFQ_GGMC-Ref 12-01-2022.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: RFQ_GGMC-Ref 12-01-2022.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: IDescriptionMetadataEnt.pdb source: mozille.exe, mozille.exe, 0000000F.00000000.372058011.0000000000F12000.00000002.00020000.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2030673 ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) 89.238.150.43:5512 -> 192.168.2.3:49720
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49729 -> 89.238.150.43:5512
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49730 -> 89.238.150.43:5512
Source: global traffic; TCP traffic: 192.168.2.3:49720 -> 89.238.150.43:5512
Source: unknown; TCP traffic detected without corresponding DNS query: 89.238.150.43 (reported 50 times)
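The repeated "TCP traffic detected without corresponding DNS query" entries above come from a single check: an outbound connection to an address that no DNS answer delivered beforehand, which is how a hard-coded C2 address looks on the wire. The following Python is an added example, not part of the Joe Sandbox report, that implements that correlation over constructed flow records mirroring the connections to 89.238.150.43:5512, together with the non-standard-port and repeat-count checks an analyst applies next. The DNS answer and the 203.0.113.10:443 flow are hypothetical benign noise included to show a non-hit.

```python
"""Direct-to-IP C2 heuristics over flow records.

Added example, not part of the Joe Sandbox report. It reproduces the report's
"TCP traffic detected without corresponding DNS query" check by correlating each
outbound connection with the DNS answers observed before it, then adds the
non-standard-port and repeat-connection checks an analyst applies next.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsAnswer:
    ts: float   # seconds since capture start
    name: str
    ip: str


@dataclass(frozen=True)
class TcpConnect:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int


# Destination ports a workstation is expected to reach directly; everything else is reviewed.
COMMON_PORTS = {22, 25, 53, 80, 123, 443, 465, 587, 993, 995, 3389}

# Constructed sample. The three 89.238.150.43:5512 flows mirror the report's Snort
# alerts and flow list; the DNS answer and the 203.0.113.10:443 flow (TEST-NET-3
# address) are hypothetical benign noise so that the non-hit path is exercised.
DNS = [DnsAnswer(0.5, "www.example.com", "203.0.113.10")]
FLOWS = [
    TcpConnect(1.0, "192.168.2.3", 49715, "203.0.113.10", 443),
    TcpConnect(2.0, "192.168.2.3", 49720, "89.238.150.43", 5512),
    TcpConnect(32.0, "192.168.2.3", 49729, "89.238.150.43", 5512),
    TcpConnect(62.0, "192.168.2.3", 49730, "89.238.150.43", 5512),
]


def resolved_before(dns, ip, ts):
    """True when some DNS answer delivered this IP before the connection began."""
    return any(a.ip == ip and a.ts <= ts for a in dns)


def analyse(flows, dns, repeat_threshold=3):
    """Return {(dst, dport): sorted finding names} for every destination with a finding."""
    findings = defaultdict(set)
    repeats = Counter((f.dst, f.dport) for f in flows)
    for f in flows:
        key = (f.dst, f.dport)
        if not resolved_before(dns, f.dst, f.ts):
            findings[key].add("no_dns_resolution")    # address came from the binary, not DNS
        if f.dport not in COMMON_PORTS:
            findings[key].add("non_standard_port")
        if repeats[key] >= repeat_threshold:
            findings[key].add("repeated_connections")  # reconnect loop / beaconing
    return {k: sorted(v) for k, v in findings.items()}


def format_alerts(findings):
    """One line per flagged destination, in the dst:port style the report uses."""
    return [f"{dst}:{dport} {', '.join(names)}"
            for (dst, dport), names in sorted(findings.items())]


if __name__ == "__main__":
    for line in format_alerts(analyse(FLOWS, DNS)):
        print(line)
```

The DNS correlation only works when the capture starts before the first connection, which a sandbox guarantees but a live sensor does not; on a network tap, seed the resolver cache from passive DNS before trusting a "no_dns_resolution" finding on its own.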
Source: mozille.exe; String found in binary or memory: http://ati.amd.com/developer/compressonator.html
Source: mozille.exe; String found in binary or memory: http://developer.nvidia.com/object/dds_thumbnail_viewer.html
Source: mozille.exe; String found in binary or memory: http://developer.nvidia.com/object/photoshop_dds_plugins.html
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000000.294283178.0000000000392000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000005.00000000.327586416.0000000000162000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000000.333928558.0000000000582000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000002.361685768.0000000003B04000.00000004.00000001.sdmp, mozille.exe, 0000000E.00000000.362803086.0000000000262000.00000002.00020000.sdmp, mozille.exe, 0000000F.00000000.372058011.0000000000F12000.00000002.00020000.sdmp; String found in binary or memory: http://developer.nvidia.com/object/photoshop_dds_plugins.htmlyhttp://developer.nvidia.com/object/dds
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.338715728.0000000003709000.00000004.00000001.sdmp, mozille.exe, 0000000E.00000002.394466512.0000000003659000.00000004.00000001.sdmp, mozille.exe, 0000000F.00000002.575440695.00000000042C9000.00000004.00000001.sdmp; String found in binary or memory: http://igaeJZ.so
Source: mozille.exe, mozille.exe, 0000000F.00000002.575440695.00000000042C9000.00000004.00000001.sdmp, mozille.exe, 0000000F.00000002.580953387.00000000078F0000.00000004.00020000.sdmp; String found in binary or memory: http://igaeditor.sourceforge.net/
Source: mozille.exe, mozille.exe, 0000000F.00000000.372058011.0000000000F12000.00000002.00020000.sdmp; String found in binary or memory: http://igaeditor.sourceforge.net/latest.txt
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000000.294283178.0000000000392000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000005.00000000.327586416.0000000000162000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000000.333928558.0000000000582000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000002.361685768.0000000003B04000.00000004.00000001.sdmp, mozille.exe, 0000000E.00000000.362803086.0000000000262000.00000002.00020000.sdmp, mozille.exe, 0000000F.00000000.372058011.0000000000F12000.00000002.00020000.sdmp; String found in binary or memory: http://igaeditor.sourceforge.net/ohttp://www.totalbf2142.com/forums/showthread.php?t=5342
Source: mozille.exe; String found in binary or memory: http://igaeditor.sourceforge.net/wiki/
Source: mozille.exe, 0000000F.00000002.575440695.00000000042C9000.00000004.00000001.sdmp; String found in binary or memory: http://micolous.id.au
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.341191488.0000000006C10000.00000004.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.338715728.0000000003709000.00000004.00000001.sdmp, mozille.exe, 0000000E.00000002.396925002.0000000006750000.00000004.00020000.sdmp, mozille.exe, 0000000E.00000002.394466512.0000000003659000.00000004.00000001.sdmp, mozille.exe, 0000000F.00000002.575440695.00000000042C9000.00000004.00000001.sdmp, mozille.exe, 0000000F.00000002.580953387.00000000078F0000.00000004.00020000.sdmp; String found in binary or memory: http://micolous.id.au/
Source: mozille.exe; String found in binary or memory: http://micolous.id.au/projects/bf21
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.341191488.0000000006C10000.00000004.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.338715728.0000000003709000.00000004.00000001.sdmp, mozille.exe, 0000000E.00000002.396925002.0000000006750000.00000004.00020000.sdmp, mozille.exe, 0000000E.00000002.394466512.0000000003659000.00000004.00000001.sdmp, mozille.exe, 0000000F.00000002.575440695.00000000042C9000.00000004.00000001.sdmp, mozille.exe, 0000000F.00000002.580953387.00000000078F0000.00000004.00020000.sdmp; String found in binary or memory: http://micolous.id.au/projects/bf2142/
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000000.294283178.0000000000392000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000005.00000000.327586416.0000000000162000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000000.333928558.0000000000582000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000002.361685768.0000000003B04000.00000004.00000001.sdmp, mozille.exe, 0000000E.00000000.362803086.0000000000262000.00000002.00020000.sdmp, mozille.exe, 0000000F.00000000.372058011.0000000000F12000.00000002.00020000.sdmp; String found in binary or memory: http://micolous.id.au/projects/bf2142/.
Source: mozille.exe; String found in binary or memory: http://registry.gimp.org/plugin?id=4816
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.338424053.0000000002701000.00000004.00000001.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000002.360806225.0000000002B36000.00000004.00000001.sdmp, mozille.exe, 0000000E.00000002.393670309.0000000002651000.00000004.00000001.sdmp, mozille.exe, 0000000F.00000002.572294732.00000000032C1000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: mozille.exe, mozille.exe, 0000000F.00000000.372058011.0000000000F12000.00000002.00020000.sdmp; String found in binary or memory: http://www.gimp.org/windows/
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: mozille.exe, mozille.exe, 0000000F.00000000.372058011.0000000000F12000.00000002.00020000.sdmp; String found in binary or memory: http://www.pcgamingboards.com/smf/index.php?topic=129.msg279#msg279
Source: mozille.exe; String found in binary or memory: http://www.radgametools.com/bnkdown.htm
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: mozille.exe; String found in binary or memory: http://www.totalbf2142.com/forums/showthread.php?t=5342
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: mozille.exe; String found in binary or memory: https://sourceforge.net/project/showfiles.php?group_id=181663
                  Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000000.294283178.0000000000392000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000005.00000000.327586416.0000000000162000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000000.333928558.0000000000582000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000002.361685768.0000000003B04000.00000004.00000001.sdmp, mozille.exe, 0000000E.00000000.362803086.0000000000262000.00000002.00020000.sdmp, mozille.exe, 0000000F.00000000.372058011.0000000000F12000.00000002.00020000.sdmpString found in binary or memory: https://sourceforge.net/project/showfiles.php?group_id=181663Mhttp://igaeditor.sourceforge.net/wiki/
                  Source: mozille.exeString found in binary or memory: https://sourceforge.net/svn/?group_id=181663

                  Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected AsyncRAT
Source: Yara match | File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RFQ_GGMC-Ref 12-01-2022.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ_GGMC-Ref 12-01-2022.exe.277261c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.mozille.exe.26c25b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000015.00000002.564363154.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.335571895.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000000.389862678.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000000.390327325.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.453796076.00000000056C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.335001041.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.359864523.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000000.388653976.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.334452217.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.333878908.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.338424053.0000000002701000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000000.390769248.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.571714369.00000000031A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.393670309.0000000002651000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RFQ_GGMC-Ref 12-01-2022.exe PID: 6964, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RFQ_GGMC-Ref 12-01-2022.exe PID: 6948, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: mozille.exe PID: 6316, type: MEMORYSTR
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.337721695.0000000000A48000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                  E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000028.00000000.532162937.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000000.533503527.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000002.575326002.0000000003B89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000000.534610587.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000000.531340924.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000002.578385897.0000000005530000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.539866646.00000000043B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000002.564500309.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000002.572373638.0000000002B81000.00000004.00000001.sdmp, type: MEMORY
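The AsyncRAT and Nanocore Yara sections above identify each hit by sandbox dump name rather than by process, so one process appears as `14.2.mozille.exe...unpack` in one line and `0000000E.00000002...sdmp` in another: the leading process index is decimal in `.unpack` names and eight hex digits in `.sdmp` names, and the second field is the snapshot stage (by the sandbox's convention, 0 at process start and 2 at process end). The Python script below is an added example, not part of this report, that parses the `File source:` values copied from the lines above and answers the question an analyst actually has: which process indices carry which payload, and which dumps are the unpacked code. Treating the fifth `.sdmp` field as the Win32 page-protection value (0x40 = PAGE_EXECUTE_READWRITE) is an assumption about the dump naming scheme and is marked as such in the code.

```python
import re
from collections import defaultdict

# "File source:" values copied from the Yara match lines in the report above,
# keyed by the family heading they appear under.
YARA_SOURCES = {
    "AsyncRAT": [
        "7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.10.unpack",
        "7.2.RFQ_GGMC-Ref 12-01-2022.exe.400000.0.unpack",
        "0.2.RFQ_GGMC-Ref 12-01-2022.exe.277261c.1.raw.unpack",
        "14.2.mozille.exe.26c25b0.1.raw.unpack",
        "00000015.00000002.564363154.0000000000402000.00000040.00000001.sdmp",
        "00000007.00000002.359864523.0000000000402000.00000040.00000001.sdmp",
        "0000000E.00000002.393670309.0000000002651000.00000004.00000001.sdmp",
        "Process Memory Space: mozille.exe PID: 6316",
    ],
    "Nanocore": [
        "00000028.00000000.532162937.0000000000402000.00000040.00000001.sdmp",
        "00000028.00000002.564500309.0000000000402000.00000040.00000001.sdmp",
        "00000021.00000002.539866646.00000000043B9000.00000004.00000001.sdmp",
    ],
}

# <procindex>.<stage>.<image name>.<hex base>.<n>[.raw].unpack
UNPACK_RE = re.compile(r"^(\d+)\.(\d+)\.(.+?)\.([0-9a-fA-F]+)\.(\d+)(?:\.raw)?\.unpack$")
# <procindex hex8>.<stage hex8>.<dump id>.<address hex16>.<field5 hex8>.<field6 hex8>.sdmp
SDMP_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)
PIDSPACE_RE = re.compile(r"^Process Memory Space: (.+?) PID: (\d+)$")

# Assumption: the fifth .sdmp field is the Win32 page protection of the region.
PAGE_EXECUTE_READWRITE = 0x40


def parse_source(src):
    """Describe one 'File source:' value; None if the shape is not recognised.

    Process indices are decimal in .unpack names and hex in .sdmp names, so
    '14.2.mozille.exe...' and '0000000E.00000002...' refer to the same process
    and stage. 'Process Memory Space' entries carry the OS PID, not the index.
    """
    m = UNPACK_RE.match(src)
    if m:
        return {"kind": "unpack", "process": int(m.group(1)), "stage": int(m.group(2)),
                "image": m.group(3), "address": int(m.group(4), 16), "protect": None}
    m = SDMP_RE.match(src)
    if m:
        return {"kind": "sdmp", "process": int(m.group(1), 16), "stage": int(m.group(2), 16),
                "image": None, "address": int(m.group(4), 16), "protect": int(m.group(5), 16)}
    m = PIDSPACE_RE.match(src)
    if m:
        return {"kind": "memstr", "process": None, "stage": None, "image": m.group(1),
                "address": None, "protect": None, "pid": int(m.group(2))}
    return None


def processes_by_family(sources_by_family):
    """Map each family to the sorted list of sandbox process indices its rule hit."""
    out = {}
    for family, sources in sources_by_family.items():
        procs = set()
        for src in sources:
            rec = parse_source(src)
            if rec and rec["process"] is not None:
                procs.add(rec["process"])
        out[family] = sorted(procs)
    return out


def rwx_image_hits(sources_by_family, image_base=0x400000, span=0x100000):
    """Dumps inside the default image range that are RWX: the footprint of a
    payload unpacked or hollowed into the host process image, i.e. the dumps
    worth carving first. Returns {family: [(process, stage, address), ...]}."""
    hits = defaultdict(list)
    for family, sources in sources_by_family.items():
        for src in sources:
            rec = parse_source(src)
            if (rec and rec["kind"] == "sdmp" and rec["protect"] == PAGE_EXECUTE_READWRITE
                    and image_base <= rec["address"] < image_base + span):
                hits[family].append((rec["process"], rec["stage"], hex(rec["address"])))
    return dict(hits)


if __name__ == "__main__":
    for fam, procs in processes_by_family(YARA_SOURCES).items():
        print(f"{fam}: process indices {procs}")
    for fam, hits in rwx_image_hits(YARA_SOURCES).items():
        print(f"{fam}: RWX image-range dumps {hits}")
```

On the values above this places AsyncRAT in process indices 0, 7, 14 and 21 and Nanocore in 33 and 40 (0x21 and 0x28), with no overlap between the two sets, and the RWX dumps at 0x402000 in processes 7, 21 and 40 are the ones to carve for the unpacked payloads.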

                  System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000028.00000002.578366682.0000000005520000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000028.00000000.532162937.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000028.00000000.532162937.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000028.00000000.533503527.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000028.00000000.533503527.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000028.00000002.575326002.0000000003B89000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000028.00000000.534610587.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000028.00000000.534610587.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000028.00000000.531340924.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000028.00000000.531340924.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000028.00000002.578385897.0000000005530000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000021.00000002.539866646.00000000043B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000021.00000002.539866646.00000000043B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000028.00000002.564500309.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000028.00000002.564500309.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000028.00000002.572373638.0000000002B81000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: RFQ_GGMC-Ref 12-01-2022.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: 00000028.00000002.578366682.0000000005520000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000028.00000002.578366682.0000000005520000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000028.00000000.532162937.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000028.00000000.532162937.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000028.00000000.533503527.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000028.00000000.533503527.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000028.00000002.575326002.0000000003B89000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000028.00000000.534610587.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000028.00000000.534610587.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000028.00000000.531340924.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000028.00000000.531340924.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000028.00000002.578385897.0000000005530000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000028.00000002.578385897.0000000005530000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000021.00000002.539866646.00000000043B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000021.00000002.539866646.00000000043B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000028.00000002.564500309.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000028.00000002.564500309.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000028.00000002.572373638.0000000002B81000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Code function: 0_2_00A3E721
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Code function: 0_2_00A3E730
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Code function: 0_2_00A3C764
Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Code function: 14_2_00C1C764
Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Code function: 14_2_00C1E721
Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Code function: 14_2_00C1E730
Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Code function: 14_2_04F87ABC
Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Code function: 14_2_04F8827B
Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Code function: 15_2_01A0E721
Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Code function: 15_2_01A0E730
Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Code function: 15_2_01A0C764
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.337279816.000000000041E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIDescriptionMetadataEnt.exeH vs RFQ_GGMC-Ref 12-01-2022.exe
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.338424053.0000000002701000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameStub.exe" vs RFQ_GGMC-Ref 12-01-2022.exe
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.337721695.0000000000A48000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs RFQ_GGMC-Ref 12-01-2022.exe
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.338715728.0000000003709000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs RFQ_GGMC-Ref 12-01-2022.exe
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000005.00000002.328182607.00000000001EE000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIDescriptionMetadataEnt.exeH vs RFQ_GGMC-Ref 12-01-2022.exe
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000000.333072613.000000000060E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIDescriptionMetadataEnt.exeH vs RFQ_GGMC-Ref 12-01-2022.exe
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000000.334476834.000000000040E000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameStub.exe" vs RFQ_GGMC-Ref 12-01-2022.exe
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000002.361685768.0000000003B04000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameIDescriptionMetadataEnt.exeH vs RFQ_GGMC-Ref 12-01-2022.exe
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000002.360214785.0000000000CEA000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs RFQ_GGMC-Ref 12-01-2022.exe
Source: RFQ_GGMC-Ref 12-01-2022.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: lhWbLvHNlciwu.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: RFQ_GGMC-Ref 12-01-2022.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: lhWbLvHNlciwu.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: RFQ_GGMC-Ref 12-01-2022.exe | Virustotal: Detection: 26%
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | File read: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe
Source: RFQ_GGMC-Ref 12-01-2022.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe "C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe"
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lhWbLvHNlciwu" /XML "C:\Users\user\AppData\Local\Temp\tmp71CD.tmp"
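The two process-creation lines above are the ones behind the "Powershell Defender Exclusion" and "Suspicius Add Task From User AppData Temp" Sigma hits in the overview: the dropper, running from the user's Desktop, spawns PowerShell to add a Defender exclusion for C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe and then registers a scheduled task Updates\lhWbLvHNlciwu from an XML file in AppData\Local\Temp, the same stem as the dropped file lhWbLvHNlciwu.exe.0.dr. The Python script below is an added example, not part of this report, that runs the equivalent of both detections over process-creation records in Sysmon event 1 / 4688 shape and then links the exclusion to the task through the shared basename. The first two events are the command lines recorded above; the two benign look-alikes are constructed, and the parent-path enrichment is the author's addition rather than part of either Sigma rule.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-creation record (Sysmon event 1 / Security 4688 shape)."""
    image: str
    command_line: str
    parent_image: str


# Events modelled on the process tree in the report above. The first two carry
# the command lines the sandbox recorded; the last two are constructed benign
# look-alikes that the rules must not flag.
EVENTS = [
    ProcessEvent(
        image=r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        command_line=r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe"',
        parent_image=r"C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe",
    ),
    ProcessEvent(
        image=r"C:\Windows\SysWOW64\schtasks.exe",
        command_line=r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lhWbLvHNlciwu" /XML "C:\Users\user\AppData\Local\Temp\tmp71CD.tmp"',
        parent_image=r"C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe",
    ),
    ProcessEvent(  # constructed: task created from a system path by an admin shell
        image=r"C:\Windows\System32\schtasks.exe",
        command_line=r'schtasks.exe /Create /TN "Backup\Nightly" /XML "C:\ProgramData\Backup\nightly.xml"',
        parent_image=r"C:\Windows\System32\cmd.exe",
    ),
    ProcessEvent(  # constructed: reading, not changing, Defender preferences
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        command_line=r"powershell.exe Get-MpPreference",
        parent_image=r"C:\Windows\explorer.exe",
    ),
]

USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
USER_PROFILE_RE = re.compile(r"\\Users\\", re.I)
# Add-MpPreference parameters that widen Defender's blind spot.
EXCLUSION_ARG_RE = re.compile(r"-Exclusion(?:Path|Process|Extension)\s+(\"[^\"]*\"|\S+)", re.I)


def arg_after(flag, cmd):
    """Value following a command-line flag, quoted or bare; None if absent."""
    m = re.search(re.escape(flag) + r"\s+(\"[^\"]*\"|\S+)", cmd, re.I)
    return m.group(1).strip('"') if m else None


def defender_exclusions(cmd):
    """Exclusion targets a command line adds via Add-MpPreference (empty if none)."""
    if not re.search(r"\bAdd-MpPreference\b", cmd, re.I):
        return []
    return [v.strip('"') for v in EXCLUSION_ARG_RE.findall(cmd)]


def detect(event):
    """Rule names that fire for one event, mirroring the two Sigma hits above."""
    findings = []
    image = event.image.lower()
    cmd = event.command_line
    if image.endswith(("\\powershell.exe", "\\pwsh.exe")) and defender_exclusions(cmd):
        findings.append("powershell_defender_exclusion")
    if image.endswith("\\schtasks.exe") and re.search(r"/create\b", cmd, re.I):
        xml = arg_after("/XML", cmd)
        if xml and USER_TEMP_RE.search(xml):
            findings.append("schtasks_xml_from_user_temp")
    # Enrichment (not part of the Sigma rules): either technique is far more
    # suspicious when the parent runs from a user profile than from a system path.
    if findings and USER_PROFILE_RE.search(event.parent_image):
        findings.append("parent_in_user_profile")
    return findings


def linked_persistence(events):
    """Lower-cased basenames named by both a Defender exclusion and a task name:
    the exclusion and the scheduled task were created for the same binary."""
    excluded, tasks = set(), set()
    for ev in events:
        for path in defender_exclusions(ev.command_line):
            excluded.add(re.sub(r"\.[^.\\]+$", "", path.rsplit("\\", 1)[-1]).lower())
        if ev.image.lower().endswith("\\schtasks.exe"):
            task_name = arg_after("/TN", ev.command_line)
            if task_name:
                tasks.add(task_name.rsplit("\\", 1)[-1].lower())
    return excluded & tasks


if __name__ == "__main__":
    for ev in EVENTS:
        print(f"{ev.image.rsplit(chr(92), 1)[-1]}: {detect(ev) or 'clean'}")
    print("exclusion and task share stem(s):", linked_persistence(EVENTS))
```

Run against the four events the two sandbox command lines fire their respective rules plus the parent enrichment, the two constructed look-alikes stay clean, and the shared stem lhwblvhnlciwu ties the exclusion to the task, which is the pivot to take back to the dropped file and the registry or task store on a live host.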