Edit tour

Windows Analysis Report
RFQ_HB648836_Enquiry.cmd

Overview

General Information

Sample name:	RFQ_HB648836_Enquiry.cmd
Analysis ID:	1636703
MD5:	22c00ccdbab18812616ca11596d01bad
SHA1:	1bb64a238aadeab6dd86231121b60d3d4ee086d5
SHA256:	66b2852e9c3b6f98df012b7812ad72e13f234a54b4c1ad7c42258b6e62b632bd
Tags:	cmduser-qoos
Infos:

Detection

DBatLoader, PureLog Stealer, RedLine, XWorm

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DBatLoader

Yara detected PureLog Stealer

Yara detected RedLine Stealer

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Creates multiple autostart registry keys

Drops PE files with a suspicious file extension

Installs a global keyboard hook

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses process hollowing technique

Sample uses string decryption to hide its real strings

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Powershell Defender Exclusion

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

cmd.exe (PID: 7700 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\RFQ_HB648836_Enquiry.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

extrac32.exe (PID: 7752 cmdline: extrac32 /y "C:\Users\user\Desktop\RFQ_HB648836_Enquiry.cmd" "C:\Users\user\AppData\Local\Temp\x.exe" MD5: 41330D97BF17D07CD4308264F3032547)

x.exe (PID: 7772 cmdline: "C:\Users\user\AppData\Local\Temp\x.exe" MD5: 57C6656AE72C2C305903090B1F0ECC1A)

cmd.exe (PID: 7916 cmdline: C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\7435.cmd"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7944 cmdline: C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\38797.cmd"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

icqplewR.pif (PID: 8032 cmdline: C:\\Users\\user\\Links\icqplewR.pif MD5: C116D3604CEAFE7057D77FF27552C215)

powershell.exe (PID: 832 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Links\icqplewR.pif' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1376 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'icqplewR.pif' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 524 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8060 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Rwelpqci.PIF (PID: 7944 cmdline: "C:\Users\user\Links\Rwelpqci.PIF" MD5: 57C6656AE72C2C305903090B1F0ECC1A)

icqplewR.pif (PID: 7444 cmdline: C:\\Users\\user\\Links\icqplewR.pif MD5: C116D3604CEAFE7057D77FF27552C215)

XClient.exe (PID: 1700 cmdline: "C:\Users\user\AppData\Roaming\XClient.exe" MD5: C116D3604CEAFE7057D77FF27552C215)

XClient.exe (PID: 3884 cmdline: "C:\Users\user\AppData\Roaming\XClient.exe" MD5: C116D3604CEAFE7057D77FF27552C215)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DBatLoader	This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.	No Attribution	https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html https://blog.vincss.net/re016-malware-analysis-modiloader/ https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4 https://isc.sans.edu/diary/Malspam+pushes+ModiLoader+DBatLoader+infection+for+Remcos+RAT/29896 https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/	https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://cyber.wtf/2025/02/12/unpacking-pyarmor-v8-scripts/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["204.10.161.147"], "Port": 7081, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000014.00000003.1351645830.000000001B19F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000009.00000003.1225845544.00000000202BA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000014.00000002.1439549690.000000001E045000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000014.00000002.1438467684.000000001CEE0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000014.00000001.1347456184.0000000000400000.00000040.00000001.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 1E 88 44 24 2B 88 44 24 2F B0 9A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000003.00000002.1225628768.0000000003A2E000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000014.00000002.1438596503.000000001D0A9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000014.00000002.1438596503.000000001D0A9000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8458:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xd344:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x84f6:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xd3ec:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xd50c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8784:$cnc4: POST / HTTP/1.1
00000014.00000002.1438171646.000000001CCDE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000014.00000002.1438299753.000000001CE90000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000009.00000001.1214724739.0000000000400000.00000040.00000001.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 1E 88 44 24 2B 88 44 24 2F B0 9A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000014.00000002.1417837790.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 1E 88 44 24 2B 88 44 24 2F B0 9A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
Process Memory Space: icqplewR.pif PID: 8032	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: icqplewR.pif PID: 7444	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
20.2.icqplewR.pif.1ce90f08.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
20.2.icqplewR.pif.1e045570.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
20.2.icqplewR.pif.1ce90000.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
20.1.icqplewR.pif.400000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 1E 88 44 24 2B 88 44 24 2F B0 9A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
20.2.icqplewR.pif.1cee0000.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
20.3.icqplewR.pif.1b19f4f8.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.1.icqplewR.pif.400000.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 1E 88 44 24 2B 88 44 24 2F B0 9A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
20.1.icqplewR.pif.4d88c8.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 1E 88 44 24 2B 88 44 24 2F B0 9A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
20.2.icqplewR.pif.1cd1eeae.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
20.1.icqplewR.pif.400000.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 1E 88 44 24 2B 88 44 24 2F B0 9A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
20.2.icqplewR.pif.1cd1eeae.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
20.2.icqplewR.pif.1cee0000.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
20.2.icqplewR.pif.1e046478.10.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.1.icqplewR.pif.436038.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1bcb0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x2d4b0:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x2db30:$s3: 83 EC 38 53 B0 1E 88 44 24 2B 88 44 24 2F B0 9A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1d98a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1d5d0:$s5: delete[] 0x1ca88:$s6: constructor or from DllMain.
20.2.icqplewR.pif.1ce90000.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
20.2.icqplewR.pif.436038.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 1E 88 44 24 2B 88 44 24 2F B0 9A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
19.2.Rwelpqci.PIF.226cc348.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 1E 88 44 24 2B 88 44 24 2F B0 9A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
9.1.icqplewR.pif.436038.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x4e4e0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x314b0:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 1E 88 44 24 2B 88 44 24 2F B0 9A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x31b30:$s3: 83 EC 38 53 B0 1E 88 44 24 2B 88 44 24 2F B0 9A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x501ba:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x4fe00:$s5: delete[] 0x1de88:$s6: constructor or from DllMain. 0x4f2b8:$s6: constructor or from DllMain.
20.2.icqplewR.pif.1e062d90.9.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.x.exe.3a2e118.0.raw.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
3.2.x.exe.229aebd8.7.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 1E 88 44 24 2B 88 44 24 2F B0 9A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
20.3.icqplewR.pif.1b19f4f8.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
20.2.icqplewR.pif.4d88c8.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 1E 88 44 24 2B 88 44 24 2F B0 9A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
20.2.icqplewR.pif.1e062d90.9.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
20.2.icqplewR.pif.1ce90f08.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
20.2.icqplewR.pif.1cd1fdb6.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
20.2.icqplewR.pif.1e046478.10.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
20.2.icqplewR.pif.400000.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 1E 88 44 24 2B 88 44 24 2F B0 9A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
9.1.icqplewR.pif.400000.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 1E 88 44 24 2B 88 44 24 2F B0 9A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
20.2.icqplewR.pif.1cd1fdb6.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
20.2.icqplewR.pif.1e045570.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
20.2.icqplewR.pif.400000.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 1E 88 44 24 2B 88 44 24 2F B0 9A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
9.1.icqplewR.pif.467468.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 1E 88 44 24 2B 88 44 24 2F B0 9A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
3.2.x.exe.2297d7a8.6.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1bcb0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x2d4b0:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x2db30:$s3: 83 EC 38 53 B0 1E 88 44 24 2B 88 44 24 2F B0 9A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1d98a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1d5d0:$s5: delete[] 0x1ca88:$s6: constructor or from DllMain.
3.2.x.exe.2297d7a8.6.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x4e4e0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x314b0:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 1E 88 44 24 2B 88 44 24 2F B0 9A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x31b30:$s3: 83 EC 38 53 B0 1E 88 44 24 2B 88 44 24 2F B0 9A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x501ba:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x4fe00:$s5: delete[] 0x1de88:$s6: constructor or from DllMain. 0x4f2b8:$s6: constructor or from DllMain.
20.1.icqplewR.pif.436038.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 1E 88 44 24 2B 88 44 24 2F B0 9A 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
3.2.x.exe.3a2e118.0.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
3.2.x.exe.3f50000.1.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
Click to see the 33 entries

Sigma Signatures

System Summary

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Source: File created

Author: frack113, Nasreddine Bencherchali: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\x.exe, ProcessId: 7772, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Links\icqplewR.pif', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Links\icqplewR.pif', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\\Users\\user\\Links\icqplewR.pif, ParentImage: C:\Users\user\Links\icqplewR.pif, ParentProcessId: 8032, ParentProcessName: icqplewR.pif, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Links\icqplewR.pif', ProcessId: 832, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Links\icqplewR.pif', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Links\icqplewR.pif', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\\Users\\user\\Links\icqplewR.pif, ParentImage: C:\Users\user\Links\icqplewR.pif, ParentProcessId: 8032, ParentProcessName: icqplewR.pif, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Links\icqplewR.pif', ProcessId: 832, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\\Users\\user\\Links\Rwelpqci.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\x.exe, ProcessId: 7772, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rwelpqci

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\\Users\\user\\Links\icqplewR.pif, CommandLine: C:\\Users\\user\\Links\icqplewR.pif, CommandLine|base64offset|contains: , Image: C:\Users\user\Links\icqplewR.pif, NewProcessName: C:\Users\user\Links\icqplewR.pif, OriginalFileName: C:\Users\user\Links\icqplewR.pif, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\x.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\x.exe, ParentProcessId: 7772, ParentProcessName: x.exe, ProcessCommandLine: C:\\Users\\user\\Links\icqplewR.pif, ProcessId: 8032, ProcessName: icqplewR.pif

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Links\icqplewR.pif', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Links\icqplewR.pif', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\\Users\\user\\Links\icqplewR.pif, ParentImage: C:\Users\user\Links\icqplewR.pif, ParentProcessId: 8032, ParentProcessName: icqplewR.pif, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Links\icqplewR.pif', ProcessId: 832, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE Redline Stealer TCP CnC - Id1Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T02:04:42.148448+0100	2043234	1	A Network Trojan was detected	204.10.161.147	7082	192.168.2.4	49723	TCP

ET MALWARE Redline Stealer TCP CnC Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T02:04:42.022946+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49723	204.10.161.147	7082	TCP
2025-03-13T02:04:48.340697+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49723	204.10.161.147	7082	TCP
2025-03-13T02:04:48.874857+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49723	204.10.161.147	7082	TCP
2025-03-13T02:04:49.026716+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49723	204.10.161.147	7082	TCP
2025-03-13T02:04:50.400028+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49723	204.10.161.147	7082	TCP
2025-03-13T02:04:50.935652+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49723	204.10.161.147	7082	TCP
2025-03-13T02:04:51.239928+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49723	204.10.161.147	7082	TCP
2025-03-13T02:04:51.579247+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49723	204.10.161.147	7082	TCP
2025-03-13T02:04:51.709999+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49723	204.10.161.147	7082	TCP
2025-03-13T02:04:51.846517+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49723	204.10.161.147	7082	TCP
2025-03-13T02:04:51.976880+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49723	204.10.161.147	7082	TCP
2025-03-13T02:04:52.102191+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49723	204.10.161.147	7082	TCP
2025-03-13T02:04:52.234487+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49723	204.10.161.147	7082	TCP
2025-03-13T02:04:52.364711+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49723	204.10.161.147	7082	TCP
2025-03-13T02:04:52.502605+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49723	204.10.161.147	7082	TCP
2025-03-13T02:04:52.653943+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49723	204.10.161.147	7082	TCP
2025-03-13T02:04:52.845045+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49723	204.10.161.147	7082	TCP
2025-03-13T02:04:52.925649+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49723	204.10.161.147	7082	TCP
2025-03-13T02:04:52.930632+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49723	204.10.161.147	7082	TCP
2025-03-13T02:04:53.558263+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49723	204.10.161.147	7082	TCP
2025-03-13T02:04:53.719556+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49723	204.10.161.147	7082	TCP
2025-03-13T02:04:54.167523+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49723	204.10.161.147	7082	TCP
2025-03-13T02:04:54.295416+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49723	204.10.161.147	7082	TCP
2025-03-13T02:04:54.422492+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49723	204.10.161.147	7082	TCP
2025-03-13T02:04:54.567838+0100	2043231	1	A Network Trojan was detected	192.168.2.4	49723	204.10.161.147	7082	TCP

ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T02:04:48.879876+0100	2046056	1	A Network Trojan was detected	204.10.161.147	7082	192.168.2.4	49723	TCP

ET MALWARE Suspected BPFDoor TCP Magic Packet (Inbound)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T02:04:13.623348+0100	2036752	1	A Network Trojan was detected	204.10.161.147	7081	192.168.2.4	49721	TCP
2025-03-13T02:04:21.077181+0100	2036752	1	A Network Trojan was detected	204.10.161.147	7081	192.168.2.4	49721	TCP

ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T02:04:42.022946+0100	2046045	1	A Network Trojan was detected	192.168.2.4	49723	204.10.161.147	7082	TCP

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T02:04:08.095783+0100	2852870	1	Malware Command and Control Activity Detected	204.10.161.147	7081	192.168.2.4	49721	TCP
2025-03-13T02:04:19.178332+0100	2852870	1	Malware Command and Control Activity Detected	204.10.161.147	7081	192.168.2.4	49721	TCP
2025-03-13T02:04:32.082183+0100	2852870	1	Malware Command and Control Activity Detected	204.10.161.147	7081	192.168.2.4	49721	TCP
2025-03-13T02:04:37.094487+0100	2852870	1	Malware Command and Control Activity Detected	204.10.161.147	7081	192.168.2.4	49721	TCP
2025-03-13T02:04:44.972182+0100	2852870	1	Malware Command and Control Activity Detected	204.10.161.147	7081	192.168.2.4	49721	TCP

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T02:04:19.180776+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49721	204.10.161.147	7081	TCP
2025-03-13T02:04:32.084192+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49721	204.10.161.147	7081	TCP
2025-03-13T02:04:44.973827+0100	2852923	1	Malware Command and Control Activity Detected	192.168.2.4	49721	204.10.161.147	7081	TCP

ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T02:04:08.095783+0100	2852874	1	Malware Command and Control Activity Detected	204.10.161.147	7081	192.168.2.4	49721	TCP
2025-03-13T02:04:37.094487+0100	2852874	1	Malware Command and Control Activity Detected	204.10.161.147	7081	192.168.2.4	49721	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T02:04:19.035975+0100	2855924	1	Malware Command and Control Activity Detected	192.168.2.4	49721	204.10.161.147	7081	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\Links\Rwelpqci.PIF	Avira: detection malicious, Label: HEUR/AGEN.1326111
Source: C:\Users\user\AppData\Local\Temp\x.exe	Avira: detection malicious, Label: HEUR/AGEN.1326111

Found malware configuration

Source: 00000014.00000002.1438596503.000000001D0A9000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["204.10.161.147"], "Port": 7081, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\x.exe	ReversingLabs: Detection: 18%
Source: C:\Users\user\Links\Rwelpqci.PIF	ReversingLabs: Detection: 18%

Multi AV Scanner detection for submitted file

Source: RFQ_HB648836_Enquiry.cmd	ReversingLabs: Detection: 26%
Source: RFQ_HB648836_Enquiry.cmd	Virustotal: Detection: 14%			Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 00000014.00000002.1438596503.000000001D0A9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: 204.10.161.147
Source: 00000014.00000002.1438596503.000000001D0A9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: 7081
Source: 00000014.00000002.1438596503.000000001D0A9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: <123456789>
Source: 00000014.00000002.1438596503.000000001D0A9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: <Xwormmm>
Source: 00000014.00000002.1438596503.000000001D0A9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: XWorm V5.6
Source: 00000014.00000002.1438596503.000000001D0A9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: USB.exe
Source: 00000014.00000002.1438596503.000000001D0A9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: %AppData%
Source: 00000014.00000002.1438596503.000000001D0A9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: XClient.exe

Source:	Binary string: easinvoker.pdb source: x.exe, 00000003.00000003.1204278625.000000007ECE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000002.1257831764.0000000021C30000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: _.pdb source: icqplewR.pif, 00000009.00000003.1225845544.00000000202BA000.00000004.00000020.00020000.00000000.sdmp, icqplewR.pif, 00000014.00000003.1351645830.000000001B19F000.00000004.00000020.00020000.00000000.sdmp, icqplewR.pif, 00000014.00000002.1439549690.000000001E045000.00000004.00000800.00020000.00000000.sdmp, icqplewR.pif, 00000014.00000003.1381377846.000000001B1BB000.00000004.00000020.00020000.00000000.sdmp, icqplewR.pif, 00000014.00000002.1438171646.000000001CCDE000.00000004.00000020.00020000.00000000.sdmp, icqplewR.pif, 00000014.00000002.1438299753.000000001CE90000.00000004.08000000.00040000.00000000.sdmp, icqplewR.pif, 00000014.00000002.1436995878.000000001B1BB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbGCTL source: x.exe, 00000003.00000003.1205441850.0000000001FA9000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000003.00000003.1204278625.000000007ECE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000002.1257831764.0000000021C30000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1205441850.0000000001F7A000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_03F552F8 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,	3_2_03F552F8
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 28_2_0040128D RegOpenKeyA,RegQueryValueA,RegCloseKey,RegCloseKey,FindFirstFileA,FindClose,GetLocalTime,	28_2_0040128D
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 28_2_00401612 RegOpenKeyA,RegQueryValueA,RegCloseKey,RegCloseKey,GetLocalTime,CreateDirectoryA,FindFirstFileA,MoveFileA,FindNextFileA,FindClose,	28_2_00401612
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 29_2_0040128D RegOpenKeyA,RegQueryValueA,RegCloseKey,RegCloseKey,FindFirstFileA,FindClose,GetLocalTime,	29_2_0040128D
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 29_2_00401612 RegOpenKeyA,RegQueryValueA,RegCloseKey,RegCloseKey,GetLocalTime,CreateDirectoryA,FindFirstFileA,MoveFileA,FindNextFileA,FindClose,	29_2_00401612

Source: C:\Users\user\Links\icqplewR.pif	File opened: C:\Windows\SysWOW64\avicap32.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	File opened: C:\Windows\SysWOW64\MSVFW32.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	File opened: C:\Windows\SysWOW64\en-US\MSVFW32.dll.mui	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	File opened: C:\Windows\SysWOW64\en-US\avicap32.dll.mui	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	File opened: C:\Windows\SysWOW64\wbem\en-US\wmiutils.dll.mui	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	File opened: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 204.10.161.147:7081 -> 192.168.2.4:49721
Source: Network traffic	Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 204.10.161.147:7081 -> 192.168.2.4:49721
Source: Network traffic	Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.4:49723 -> 204.10.161.147:7082
Source: Network traffic	Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.4:49723 -> 204.10.161.147:7082
Source: Network traffic	Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 204.10.161.147:7082 -> 192.168.2.4:49723
Source: Network traffic	Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 204.10.161.147:7082 -> 192.168.2.4:49723
Source: Network traffic	Suricata IDS: 2036752 - Severity 1 - ET MALWARE Suspected BPFDoor TCP Magic Packet (Inbound) : 204.10.161.147:7081 -> 192.168.2.4:49721
Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49721 -> 204.10.161.147:7081
Source: Network traffic	Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.4:49721 -> 204.10.161.147:7081

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 204.10.161.147

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 204.10.161.147 ports 7082,7081,0,1,7,8

Source: global traffic

TCP traffic: 192.168.2.4:49721 -> 204.10.161.147:7081

Source: powershell.exe, 00000010.00000002.1339433556.0000000006CA9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1442995880.0000000007A11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mi
Source: powershell.exe, 00000018.00000002.1518126299.000000000774C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.miG
Source: powershell.exe, 00000010.00000002.1352671283.0000000007DA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000018.00000002.1522934318.0000000008558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microG?
Source: powershell.exe, 00000016.00000002.1446821632.00000000088CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000010.00000002.1331149342.000000000541F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1436029888.000000000600F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1502844796.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1570453475.000000000616B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000001A.00000002.1545733791.0000000005257000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000010.00000002.1322465182.0000000004507000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1410483597.00000000050F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1475392680.0000000004D46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1545733791.0000000005257000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000010.00000002.1322465182.00000000043B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1410483597.0000000004FA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1475392680.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1545733791.0000000005101000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000010.00000002.1322465182.0000000004507000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1410483597.00000000050F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1475392680.0000000004D46000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1545733791.0000000005257000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000001A.00000002.1545733791.0000000005257000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: icqplewR.pif, 00000009.00000003.1767726638.0000000028F41000.00000004.00000800.00020000.00000000.sdmp, icqplewR.pif, 00000009.00000003.1696446755.0000000028F42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.codeproject.com/Articles/16009/A-Much-Easier-to-Use-ListView
Source: XClient.exe, XClient.exe, 0000001D.00000000.1798098276.0000000000416000.00000002.00000001.01000000.0000000E.sdmp, XClient.exe, 0000001D.00000002.1798764081.0000000000416000.00000002.00000001.01000000.0000000E.sdmp, XClient.exe.9.dr, icqplewR.pif.3.dr	String found in binary or memory: http://www.pmail.com
Source: powershell.exe, 00000010.00000002.1322465182.00000000043B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1410483597.0000000004FA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1475392680.0000000004BF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1545733791.0000000005101000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 0000001A.00000002.1570453475.000000000616B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001A.00000002.1570453475.000000000616B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001A.00000002.1570453475.000000000616B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000001A.00000002.1545733791.0000000005257000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000010.00000002.1331149342.000000000541F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.1436029888.000000000600F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.1502844796.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.1570453475.000000000616B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 20.2.icqplewR.pif.1cee0000.7.raw.unpack, XLogger.cs

.Net Code: KeyboardLayout

Installs a global keyboard hook

Source: C:\Users\user\Links\icqplewR.pif

Windows user hook set: 0 keyboard low level C:\Users\user\Links\icqplewR.pif

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 20.1.icqplewR.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.1.icqplewR.pif.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 20.1.icqplewR.pif.4d88c8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 20.1.icqplewR.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.1.icqplewR.pif.436038.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 20.2.icqplewR.pif.436038.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 19.2.Rwelpqci.PIF.226cc348.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.1.icqplewR.pif.436038.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.2.x.exe.229aebd8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 20.2.icqplewR.pif.4d88c8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 20.2.icqplewR.pif.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.1.icqplewR.pif.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 20.2.icqplewR.pif.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 9.1.icqplewR.pif.467468.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.2.x.exe.2297d7a8.6.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.2.x.exe.2297d7a8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 20.1.icqplewR.pif.436038.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000014.00000001.1347456184.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000014.00000002.1438596503.000000001D0A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000009.00000001.1214724739.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000014.00000002.1417837790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_03F63380 NtWriteVirtualMemory,	3_2_03F63380
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_03F6421C GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	3_2_03F6421C
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_03F63034 NtAllocateVirtualMemory,	3_2_03F63034
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_03F69738 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,	3_2_03F69738
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_03F69654 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,	3_2_03F69654
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_03F695CC RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	3_2_03F695CC
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_03F63B44 NtUnmapViewOfSection,	3_2_03F63B44
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_03F638D4 NtReadVirtualMemory,	3_2_03F638D4
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_03F6421A GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	3_2_03F6421A
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_03F63032 NtAllocateVirtualMemory,	3_2_03F63032
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_03F69578 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	3_2_03F69578
Source: C:\Users\user\Links\Rwelpqci.PIF	Code function: 19_2_04089738 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,	19_2_04089738
Source: C:\Users\user\Links\Rwelpqci.PIF	Code function: 19_2_04083034 NtAllocateVirtualMemory,	19_2_04083034
Source: C:\Users\user\Links\Rwelpqci.PIF	Code function: 19_2_040838D4 NtReadVirtualMemory,	19_2_040838D4
Source: C:\Users\user\Links\Rwelpqci.PIF	Code function: 19_2_0408421C GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	19_2_0408421C
Source: C:\Users\user\Links\Rwelpqci.PIF	Code function: 19_2_04083B44 NtUnmapViewOfSection,	19_2_04083B44
Source: C:\Users\user\Links\Rwelpqci.PIF	Code function: 19_2_04083380 NtWriteVirtualMemory,	19_2_04083380
Source: C:\Users\user\Links\Rwelpqci.PIF	Code function: 19_2_0408341B NtWriteVirtualMemory,	19_2_0408341B
Source: C:\Users\user\Links\Rwelpqci.PIF	Code function: 19_2_04089578 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	19_2_04089578
Source: C:\Users\user\Links\Rwelpqci.PIF	Code function: 19_2_040895CC RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	19_2_040895CC
Source: C:\Users\user\Links\Rwelpqci.PIF	Code function: 19_2_04089654 RtlDosPathNameToNtPathName_U,NtWriteFile,NtClose,	19_2_04089654
Source: C:\Users\user\Links\Rwelpqci.PIF	Code function: 19_2_04089809 NtQueryInformationFile,NtReadFile,NtClose,	19_2_04089809
Source: C:\Users\user\Links\Rwelpqci.PIF	Code function: 19_2_04083032 NtAllocateVirtualMemory,	19_2_04083032
Source: C:\Users\user\Links\Rwelpqci.PIF	Code function: 19_2_0408396E NtReadVirtualMemory,	19_2_0408396E
Source: C:\Users\user\Links\Rwelpqci.PIF	Code function: 19_2_0408421A GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	19_2_0408421A

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 3_2_03F6A634 InetIsOffline,Sleep,CreateProcessAsUserW,ResumeThread,CloseHandle,CloseHandle,ExitProcess,

3_2_03F6A634

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_03F520B4	3_2_03F520B4
Source: C:\Users\user\Links\icqplewR.pif	Code function: 9_1_00408C60	9_1_00408C60
Source: C:\Users\user\Links\icqplewR.pif	Code function: 9_1_0040DC11	9_1_0040DC11
Source: C:\Users\user\Links\icqplewR.pif	Code function: 9_1_00407C3F	9_1_00407C3F
Source: C:\Users\user\Links\icqplewR.pif	Code function: 9_1_00418CCC	9_1_00418CCC
Source: C:\Users\user\Links\icqplewR.pif	Code function: 9_1_00406CA0	9_1_00406CA0
Source: C:\Users\user\Links\icqplewR.pif	Code function: 9_1_004028B0	9_1_004028B0
Source: C:\Users\user\Links\icqplewR.pif	Code function: 9_1_0041A4BE	9_1_0041A4BE
Source: C:\Users\user\Links\icqplewR.pif	Code function: 9_1_00418244	9_1_00418244
Source: C:\Users\user\Links\icqplewR.pif	Code function: 9_1_00401650	9_1_00401650
Source: C:\Users\user\Links\icqplewR.pif	Code function: 9_1_00402F20	9_1_00402F20
Source: C:\Users\user\Links\icqplewR.pif	Code function: 9_1_004193C4	9_1_004193C4
Source: C:\Users\user\Links\icqplewR.pif	Code function: 9_1_00418788	9_1_00418788
Source: C:\Users\user\Links\icqplewR.pif	Code function: 9_1_00402F89	9_1_00402F89
Source: C:\Users\user\Links\icqplewR.pif	Code function: 9_1_00402B90	9_1_00402B90
Source: C:\Users\user\Links\icqplewR.pif	Code function: 9_1_004073A0	9_1_004073A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 16_2_00DDB490	16_2_00DDB490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 16_2_00DDB48B	16_2_00DDB48B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 16_2_08233EA8	16_2_08233EA8
Source: C:\Users\user\Links\Rwelpqci.PIF	Code function: 19_2_040720B4	19_2_040720B4
Source: C:\Users\user\Links\icqplewR.pif	Code function: 20_2_00408C60	20_2_00408C60
Source: C:\Users\user\Links\icqplewR.pif	Code function: 20_2_0040DC11	20_2_0040DC11
Source: C:\Users\user\Links\icqplewR.pif	Code function: 20_2_00407C3F	20_2_00407C3F
Source: C:\Users\user\Links\icqplewR.pif	Code function: 20_2_00418CCC	20_2_00418CCC
Source: C:\Users\user\Links\icqplewR.pif	Code function: 20_2_00406CA0	20_2_00406CA0
Source: C:\Users\user\Links\icqplewR.pif	Code function: 20_2_004028B0	20_2_004028B0
Source: C:\Users\user\Links\icqplewR.pif	Code function: 20_2_0041A4BE	20_2_0041A4BE
Source: C:\Users\user\Links\icqplewR.pif	Code function: 20_2_00418244	20_2_00418244
Source: C:\Users\user\Links\icqplewR.pif	Code function: 20_2_00401650	20_2_00401650
Source: C:\Users\user\Links\icqplewR.pif	Code function: 20_2_00402F20	20_2_00402F20
Source: C:\Users\user\Links\icqplewR.pif	Code function: 20_2_004193C4	20_2_004193C4
Source: C:\Users\user\Links\icqplewR.pif	Code function: 20_2_00418788	20_2_00418788
Source: C:\Users\user\Links\icqplewR.pif	Code function: 20_2_00402F89	20_2_00402F89
Source: C:\Users\user\Links\icqplewR.pif	Code function: 20_2_00402B90	20_2_00402B90
Source: C:\Users\user\Links\icqplewR.pif	Code function: 20_2_004073A0	20_2_004073A0
Source: C:\Users\user\Links\icqplewR.pif	Code function: 20_2_1CC21030	20_2_1CC21030
Source: C:\Users\user\Links\icqplewR.pif	Code function: 20_1_00408C60	20_1_00408C60
Source: C:\Users\user\Links\icqplewR.pif	Code function: 20_1_0040DC11	20_1_0040DC11
Source: C:\Users\user\Links\icqplewR.pif	Code function: 20_1_00407C3F	20_1_00407C3F
Source: C:\Users\user\Links\icqplewR.pif	Code function: 20_1_00418CCC	20_1_00418CCC
Source: C:\Users\user\Links\icqplewR.pif	Code function: 20_1_00406CA0	20_1_00406CA0
Source: C:\Users\user\Links\icqplewR.pif	Code function: 20_1_004028B0	20_1_004028B0
Source: C:\Users\user\Links\icqplewR.pif	Code function: 20_1_0041A4BE	20_1_0041A4BE
Source: C:\Users\user\Links\icqplewR.pif	Code function: 20_1_00418244	20_1_00418244
Source: C:\Users\user\Links\icqplewR.pif	Code function: 20_1_00401650	20_1_00401650
Source: C:\Users\user\Links\icqplewR.pif	Code function: 20_1_00402F20	20_1_00402F20
Source: C:\Users\user\Links\icqplewR.pif	Code function: 20_1_004193C4	20_1_004193C4
Source: C:\Users\user\Links\icqplewR.pif	Code function: 20_1_00418788	20_1_00418788
Source: C:\Users\user\Links\icqplewR.pif	Code function: 20_1_00402F89	20_1_00402F89
Source: C:\Users\user\Links\icqplewR.pif	Code function: 20_1_00402B90	20_1_00402B90
Source: C:\Users\user\Links\icqplewR.pif	Code function: 20_1_004073A0	20_1_004073A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_04D0B4A0	22_2_04D0B4A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_04D0B490	22_2_04D0B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 22_2_08D83AA0	22_2_08D83AA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 24_2_02F5B4A0	24_2_02F5B4A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 24_2_02F5B490	24_2_02F5B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 24_2_08A73AA8	24_2_08A73AA8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_0340B490	26_2_0340B490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_0340B470	26_2_0340B470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 26_2_08C93A98	26_2_08C93A98
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 28_2_004057B8	28_2_004057B8
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 29_2_004057B8	29_2_004057B8

Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: String function: 0040A6C4 appears 136 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 03F63E9C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 03F54414 appears 246 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 03F63E20 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 03F5457C appears 835 times
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: String function: 03F5421C appears 64 times
Source: C:\Users\user\Links\icqplewR.pif	Code function: String function: 0040D606 appears 72 times
Source: C:\Users\user\Links\icqplewR.pif	Code function: String function: 0040E1D8 appears 132 times
Source: C:\Users\user\Links\Rwelpqci.PIF	Code function: String function: 04074414 appears 154 times
Source: C:\Users\user\Links\Rwelpqci.PIF	Code function: String function: 04083E20 appears 48 times
Source: C:\Users\user\Links\Rwelpqci.PIF	Code function: String function: 0407457C appears 570 times

Source: 20.1.icqplewR.pif.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.1.icqplewR.pif.400000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 20.1.icqplewR.pif.4d88c8.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 20.1.icqplewR.pif.400000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.1.icqplewR.pif.436038.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 20.2.icqplewR.pif.436038.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 19.2.Rwelpqci.PIF.226cc348.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.1.icqplewR.pif.436038.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.2.x.exe.229aebd8.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 20.2.icqplewR.pif.4d88c8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 20.2.icqplewR.pif.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.1.icqplewR.pif.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 20.2.icqplewR.pif.400000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 9.1.icqplewR.pif.467468.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.2.x.exe.2297d7a8.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.2.x.exe.2297d7a8.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 20.1.icqplewR.pif.436038.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000014.00000001.1347456184.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000014.00000002.1438596503.000000001D0A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000009.00000001.1214724739.0000000000400000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000014.00000002.1417837790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073

Source: 9.3.icqplewR.pif.299dfe70.2.raw.unpack, rEkTNFLac8TI81Vwi6H.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 9.3.icqplewR.pif.299dfe70.2.raw.unpack, rEkTNFLac8TI81Vwi6H.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 9.3.icqplewR.pif.299dfe70.2.raw.unpack, rEkTNFLac8TI81Vwi6H.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 9.3.icqplewR.pif.299dfe70.2.raw.unpack, rEkTNFLac8TI81Vwi6H.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 9.3.icqplewR.pif.296c7830.0.raw.unpack, StaticNotifier.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 9.3.icqplewR.pif.292f4458.3.raw.unpack, bLbDKIm580VmkPLDdbf.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 9.3.icqplewR.pif.292f4458.3.raw.unpack, bLbDKIm580VmkPLDdbf.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 9.3.icqplewR.pif.292f4458.3.raw.unpack, bLbDKIm580VmkPLDdbf.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 9.3.icqplewR.pif.292f4458.3.raw.unpack, bLbDKIm580VmkPLDdbf.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 20.2.icqplewR.pif.1cee0000.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 20.2.icqplewR.pif.1cee0000.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 20.2.icqplewR.pif.1cee0000.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winCMD@33/28@0/1

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 3_2_03F5793C GetDiskFreeSpaceA,

3_2_03F5793C

Source: C:\Users\user\Links\icqplewR.pif

Code function: 9_1_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,@__unlockDebuggerData$qv,VariantClear,VariantClear,VariantClear,

9_1_004019F0

Source: C:\Users\user\Links\icqplewR.pif

9_1_004019F0

Source: C:\Users\user\AppData\Local\Temp\x.exe

File created: C:\Users\All Users\7435.cmd

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7708:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7964:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7716:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7924:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1464:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7832:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7440:120:WilError_03
Source: C:\Users\user\Links\icqplewR.pif	Mutant created: \Sessions\1\BaseNamedObjects\XoFHv1TT4hWErxRo

Source: C:\Windows\System32\extrac32.exe

File created: C:\Users\user\AppData\Local\Temp\CAB07752.TMP

Jump to behavior

Source: C:\Users\user\Links\icqplewR.pif

Command line argument: 08A

9_1_00413780

Source: C:\Users\user\AppData\Local\Temp\x.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\Links\icqplewR.pif	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Links\icqplewR.pif	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Links\icqplewR.pif	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Links\icqplewR.pif	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process

Source: C:\Users\user\Links\icqplewR.pif

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\extrac32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RFQ_HB648836_Enquiry.cmd	ReversingLabs: Detection: 26%
Source: RFQ_HB648836_Enquiry.cmd	Virustotal: Detection: 14%

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\RFQ_HB648836_Enquiry.cmd" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /y "C:\Users\user\Desktop\RFQ_HB648836_Enquiry.cmd" "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\7435.cmd""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\38797.cmd""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Users\user\Links\icqplewR.pif C:\\Users\\user\\Links\icqplewR.pif
Source: C:\Users\user\Links\icqplewR.pif	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Links\icqplewR.pif'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Users\user\Links\Rwelpqci.PIF "C:\Users\user\Links\Rwelpqci.PIF"
Source: C:\Users\user\Links\Rwelpqci.PIF	Process created: C:\Users\user\Links\icqplewR.pif C:\\Users\\user\\Links\icqplewR.pif
Source: C:\Users\user\Links\icqplewR.pif	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'icqplewR.pif'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Links\icqplewR.pif	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Links\icqplewR.pif	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\XClient.exe "C:\Users\user\AppData\Roaming\XClient.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\XClient.exe "C:\Users\user\AppData\Roaming\XClient.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /y "C:\Users\user\Desktop\RFQ_HB648836_Enquiry.cmd" "C:\Users\user\AppData\Local\Temp\x.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\7435.cmd""	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\38797.cmd""	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Users\user\Links\icqplewR.pif C:\\Users\\user\\Links\icqplewR.pif	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Links\icqplewR.pif'	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'icqplewR.pif'	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Process created: C:\Users\user\Links\icqplewR.pif C:\\Users\\user\\Links\icqplewR.pif	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: opengl32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: glu32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: opengl32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: opengl32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: glu32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: glu32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: url.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: tquery.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppwmi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: sppcext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: winscard.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: opengl32.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: glu32.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: opengl32.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: opengl32.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: glu32.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: glu32.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: url.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: tquery.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: sppwmi.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: sppcext.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: winscard.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: uxtheme.dll
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: mscoree.dll
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: wldp.dll
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: amsi.dll
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: userenv.dll
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: profapi.dll
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: version.dll
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: msasn1.dll
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: gpapi.dll
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: cryptsp.dll
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: rsaenh.dll
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: cryptbase.dll
Source: C:\Users\user\Links\icqplewR.pif	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\XClient.exe	Section loaded: apphelp.dll

Source: C:\Users\user\AppData\Local\Temp\x.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Links\icqplewR.pif

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: RFQ_HB648836_Enquiry.cmd

Static file information: File size 1870427 > 1048576

Source:	Binary string: easinvoker.pdb source: x.exe, 00000003.00000003.1204278625.000000007ECE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000002.1257831764.0000000021C30000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: _.pdb source: icqplewR.pif, 00000009.00000003.1225845544.00000000202BA000.00000004.00000020.00020000.00000000.sdmp, icqplewR.pif, 00000014.00000003.1351645830.000000001B19F000.00000004.00000020.00020000.00000000.sdmp, icqplewR.pif, 00000014.00000002.1439549690.000000001E045000.00000004.00000800.00020000.00000000.sdmp, icqplewR.pif, 00000014.00000003.1381377846.000000001B1BB000.00000004.00000020.00020000.00000000.sdmp, icqplewR.pif, 00000014.00000002.1438171646.000000001CCDE000.00000004.00000020.00020000.00000000.sdmp, icqplewR.pif, 00000014.00000002.1438299753.000000001CE90000.00000004.08000000.00040000.00000000.sdmp, icqplewR.pif, 00000014.00000002.1436995878.000000001B1BB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbGCTL source: x.exe, 00000003.00000003.1205441850.0000000001FA9000.00000004.00000020.00020000.00000000.sdmp, x.exe, 00000003.00000003.1204278625.000000007ECE0000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000002.1257831764.0000000021C30000.00000004.00001000.00020000.00000000.sdmp, x.exe, 00000003.00000003.1205441850.0000000001F7A000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected DBatLoader

Source: Yara match	File source: 3.2.x.exe.3a2e118.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.x.exe.3a2e118.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.x.exe.3f50000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1225628768.0000000003A2E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

.NET source code contains method to dynamically call methods (often used by packers)

Source: 9.3.icqplewR.pif.299dfe70.2.raw.unpack, rEkTNFLac8TI81Vwi6H.cs	.Net Code: Type.GetTypeFromHandle(MIOq0J32PYx10ZCZDTi.Eh9xfRPw4r(16777356)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(MIOq0J32PYx10ZCZDTi.Eh9xfRPw4r(16777255)),Type.GetTypeFromHandle(MIOq0J32PYx10ZCZDTi.Eh9xfRPw4r(16777285))})
Source: 9.3.icqplewR.pif.292f4458.3.raw.unpack, bLbDKIm580VmkPLDdbf.cs	.Net Code: Type.GetTypeFromHandle(bFRlLegYq2FtqtTJBjG.CcFylhPt3u(16777356)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(bFRlLegYq2FtqtTJBjG.CcFylhPt3u(16777255)),Type.GetTypeFromHandle(bFRlLegYq2FtqtTJBjG.CcFylhPt3u(16777285))})
Source: 20.2.icqplewR.pif.1cee0000.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 9.3.icqplewR.pif.296c7830.0.raw.unpack, ClientFactory.cs	.Net Code: RequestLogicalClient System.AppDomain.Load(byte[])
Source: 20.2.icqplewR.pif.1cee0000.7.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 20.2.icqplewR.pif.1cee0000.7.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 20.2.icqplewR.pif.1cee0000.7.raw.unpack, Messages.cs	.Net Code: Memory

Source: icqplewR.pif.3.dr

Static PE information: 0x9E9038DB [Sun Apr 19 22:51:07 2054 UTC]

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 3_2_03F63E20 LoadLibraryW,GetProcAddress,WriteProcessMemory,FreeLibrary,

3_2_03F63E20

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_03F762A4 push 03F7630Fh; ret	3_2_03F76307
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_03F53210 push eax; ret	3_2_03F5324C
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_03F761F8 push 03F76288h; ret	3_2_03F76280
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_03F5C1C6 push 03F5C61Eh; ret	3_2_03F5C616
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_03F5617C push 03F561BEh; ret	3_2_03F561B6
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_03F5617A push 03F561BEh; ret	3_2_03F561B6
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_03F76144 push 03F761ECh; ret	3_2_03F761E4
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_03F760AC push 03F76125h; ret	3_2_03F7611D
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_03F6606C push 03F660A4h; ret	3_2_03F6609C
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_03F6A018 push ecx; mov dword ptr [esp], edx	3_2_03F6A01D
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_03F5F600 push 03F5F64Dh; ret	3_2_03F5F645
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_03F5F5FF push 03F5F64Dh; ret	3_2_03F5F645
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_03F5F4F4 push 03F5F56Ah; ret	3_2_03F5F562
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_03F5C498 push 03F5C61Eh; ret	3_2_03F5C616
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_03F62410 push ecx; mov dword ptr [esp], edx	3_2_03F62412
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_03F75854 push 03F75A3Ah; ret	3_2_03F75A32
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_03F69FB4 push ecx; mov dword ptr [esp], edx	3_2_03F69FB9
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_03F63F84 push 03F63FBCh; ret	3_2_03F63FB4
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_03F62EDC push 03F62F87h; ret	3_2_03F62F7F
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_03F62EDA push 03F62F87h; ret	3_2_03F62F7F
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_03F5BE18 push ecx; mov dword ptr [esp], edx	3_2_03F5BE1D
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_03F5CDE0 push 03F5CE0Ch; ret	3_2_03F5CE04
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_03F55DA0 push 03F55DFBh; ret	3_2_03F55DF3
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_03F55D9E push 03F55DFBh; ret	3_2_03F55DF3
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_03F63D40 push 03F63D82h; ret	3_2_03F63D7A
Source: C:\Users\user\Links\icqplewR.pif	Code function: 9_1_0041C40C push cs; iretd	9_1_0041C4E2
Source: C:\Users\user\Links\icqplewR.pif	Code function: 9_1_00423149 push eax; ret	9_1_00423179
Source: C:\Users\user\Links\icqplewR.pif	Code function: 9_1_0041C50E push cs; iretd	9_1_0041C4E2
Source: C:\Users\user\Links\icqplewR.pif	Code function: 9_1_004231C8 push eax; ret	9_1_00423179
Source: C:\Users\user\Links\icqplewR.pif	Code function: 9_1_0040E21D push ecx; ret	9_1_0040E230
Source: C:\Users\user\Links\icqplewR.pif	Code function: 9_1_0041C6BE push ebx; ret	9_1_0041C6BF

Source: 9.3.icqplewR.pif.299dfe70.2.raw.unpack, Hyq4Brhw78ApZ4SE3ZB.cs	High entropy of concatenated method names: 'Uqohxn7GrP', 'gbVh4r6IUF', 'cUoh8g8Vev', 'oDEhBc1I4Q', 'gFDhnAa9Q1', 'Uo9hM1GoGP', 'LhEhqSVXhg', 'kvdhzoJ6NM', 's2sLYqj9jB', 'S8KLpIli9g'
Source: 9.3.icqplewR.pif.299dfe70.2.raw.unpack, rEkTNFLac8TI81Vwi6H.cs	High entropy of concatenated method names: 'nrmCNZJKJMZGr53L14D', 'WipnH9JguXIINcDUbYP', 'oux37lIeh3', 'vh0ry9Sq2v', 'sdL3UQoZ1A', 'tvQ3CcOtyW', 'doC3Q6AC0m', 'Jxk3G20AqH', 'm8OxmVCREy', 'fL3Lvwdva0'
Source: 9.3.icqplewR.pif.299dfe70.2.raw.unpack, JTOrHY3Mxp4brY4ZQrs.cs	High entropy of concatenated method names: 'jiJoqIxPcB', 'oB3ozIsycD', 'CtltYiLVvQ', 'mLXtp5JLX6', 'QgRtIaU2ao', 'gmAtD0YHHv', 'Ay9t0kc90K', 'LIs5tqXOKm', 'yNEtWhS55q', 'JgCtKbEAi9'
Source: 9.3.icqplewR.pif.299dfe70.2.raw.unpack, fGAvyepf0iGWHUqWKm4.cs	High entropy of concatenated method names: 'OexpLRBMFk', 'P0Lp34aEf1', 'MekpUpfQk3', 'fxspQSyFDA', 'e3PpsC2x6w', 'M4CptGHQcv', 'sJPpF2gFSb', 'JUbp9Rf3pq', 'tyQpOY42s6', 'FO3pA8xa3T'
Source: 9.3.icqplewR.pif.299dfe70.2.raw.unpack, YUMqjF3jsWoBEsr5Fwg.cs	High entropy of concatenated method names: 'Jht3wYt30B', 'k0C3NuAhZj', 'hr23J9YM3D', 'eSL3PGE9cX', 'mI73r1Z0Ks', 'YhG3xENuJK', 'Pv234TXcDM', 'G6W38ALBMx', 'j5Q3BPkhX0', 'GBp3nSTTja'
Source: 9.3.icqplewR.pif.299dfe70.2.raw.unpack, ydlZiQf84uhWGsAUM1E.cs	High entropy of concatenated method names: 'h3bhQEXMTq', 'I5YhGCQIgG', 'x3FhsRChge', 'zEciLSNOoAR4kKC3pPR', 'AUy50QNS3V1824yTsoD', 'unZfnrMvxa', 'IxOfMhgSy0', 'AWOfqqZKgD', 'DxofzdtOBP', 'RYehYqcDQC'
Source: 9.3.icqplewR.pif.299dfe70.2.raw.unpack, fZN1LTKJ207yQQiYiAB.cs	High entropy of concatenated method names: 'eAfKrNnZaQ', 'Y6YK4FbY24', 'VnCKBlkkKQ', 'IUYKMC6841', 'q5bKqBw2nI', 'Kd8Kzf5GPt', 'QrHgYhjl6F', 'P41gpvvsHK', 'squgIeAOpL', 'WH9gDxNkxx'
Source: 9.3.icqplewR.pif.292f4458.3.raw.unpack, OpWNa1gCsVVl3qoAEGr.cs	High entropy of concatenated method names: 'Qxsg9ucVmF', 'IK1gSG1MIe', 'HlMg38Lufs', 'khcgrhorVw', 'TqqgkedqLx', 'hIfgycSS5b', 'uJsg8pq9Js', 'sZNghq3n8i', 'DZ2gVSBEfq', 'pABg1p1h7V'
Source: 9.3.icqplewR.pif.292f4458.3.raw.unpack, NlEo0Ug09yCuHlkoV0l.cs	High entropy of concatenated method names: 'vH8RjFQkmZ', 'WfyRzNMIRh', 'Wqa64H27Td', 'K0v6Q6BEcv', 'MtP6LHYwWW', 'fQl6wblExn', 'Nqc6qBXiEO', 'hEPU6NGhBf', 'iXi6ZlwSgL', 'Xyk6ifa3rW'
Source: 9.3.icqplewR.pif.292f4458.3.raw.unpack, bLbDKIm580VmkPLDdbf.cs	High entropy of concatenated method names: 'zyQ2di3i2l6j5410ink', 'PqCaT53sOkmmaHDmiuO', 'jw7gBdoBAl', 'vh0ry9Sq2v', 'NH9gPeEyqI', 'FFxgtBNYED', 'UCZgxyWA0V', 'aNogbenbYW', 'WWSypjCpEe', 'jm8mJiO6xk'
Source: 9.3.icqplewR.pif.292f4458.3.raw.unpack, dei7f7QlMoqgxwoE3HV.cs	High entropy of concatenated method names: 'hdqQm8nJVr', 'O5aQgUTfIR', 'q24QPhhZsG', 'ST9QxupVWT', 'Ne4QN3uACe', 'S91Q60WuBh', 'VrnQEBWOu8', 'ItCQo3Yu40', 'W2BQuo9v4d', 'YkwQF3232R'
Source: 9.3.icqplewR.pif.292f4458.3.raw.unpack, cWm7ZvK9D7DKQBhU0de.cs	High entropy of concatenated method names: 'zJCKyRhTCI', 'dgYK8TFHpw', 'OfpKhWVbKY', 'IgAKVc0NcZ', 'lOtK1GP9lg', 'kVaK0Y4iuW', 'GANKjb3sKh', 'FvTKz3PvgQ', 'sY0m4PEviZ', 'wVDmQGm96h'
Source: 9.3.icqplewR.pif.292f4458.3.raw.unpack, CsVmIul6FDAeuEBh3ln.cs	High entropy of concatenated method names: 'M6vlF8bbVR', 'lMelYNdtW1', 'ak8ymVSlEAOv4hjo5Yy', 'T4BqefSKTHXRDLtVUGX', 'ztPlE3ZCi4', 'YotlnhPxS8', 'WOOFjgS27fN6tCf0HH1', 'UXnywpSpk0BjtoXKZVx'
Source: 9.3.icqplewR.pif.292f4458.3.raw.unpack, lULnMFi3tidiQoIr9Q9.cs	High entropy of concatenated method names: 'Nx6ik7o4vm', 'g2ai8E73Zr', 'vHSiVtoD5N', 'C7Bi0Cks17', 'wP3ijxQ4yX', 'wJRizVdd3a', 'in5s4KfFxC', 'NMxsQ2SPuv', 'wqRsLenUvQ', 'd7xsw7XmeS'
Source: 9.3.icqplewR.pif.292f4458.3.raw.unpack, mK7HkAlhQXehFFXaTSG.cs	High entropy of concatenated method names: 'NyDKxXomDv', 'hXMKbjw9Ed', 'a9eKNZbycU', 'MCwBA3SuaKEcIsgtsF2', 'Fo7AOMSWlooyUg6NTes', 'cTBl1bDtOv', 'mOPl065GRZ', 'tErljd8g4e', 'tVblzguIdZ', 'hOrK4baair'
Source: 20.2.icqplewR.pif.1cee0000.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs	High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'BL1I6XGhq9AA4', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Users\user\AppData\Local\Temp\x.exe	File created: C:\Users\user\Links\icqplewR.pif			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\x.exe	File created: C:\Users\user\Links\Rwelpqci.PIF			Jump to dropped file

Source: C:\Users\user\Links\icqplewR.pif	File created: C:\Users\user\AppData\Roaming\XClient.exe	Jump to dropped file
Source: C:\Windows\System32\extrac32.exe	File created: C:\Users\user\AppData\Local\Temp\x.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\x.exe	File created: C:\Users\user\Links\icqplewR.pif	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\x.exe	File created: C:\Users\user\Links\Rwelpqci.PIF	Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\x.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rwelpqci			Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XClient			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rwelpqci	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Rwelpqci	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XClient	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XClient	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 3_2_03F664E4 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_03F664E4

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Links\icqplewR.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Links\icqplewR.pif

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Links\icqplewR.pif	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Links\icqplewR.pif	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Links\icqplewR.pif	Memory allocated: 21D20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Memory allocated: 22370000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Memory allocated: 22190000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Memory allocated: 26A90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Memory allocated: 27A90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Memory allocated: 27C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Memory allocated: 28C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Memory allocated: 27C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Memory allocated: 28F40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Memory allocated: 27C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Memory allocated: 28F40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Memory allocated: 1CC20000 memory reserve \| memory write watch
Source: C:\Users\user\Links\icqplewR.pif	Memory allocated: 1D040000 memory reserve \| memory write watch
Source: C:\Users\user\Links\icqplewR.pif	Memory allocated: 1CDF0000 memory reserve \| memory write watch

Source: C:\Users\user\Links\icqplewR.pif

9_1_004019F0

Source: C:\Users\user\Links\icqplewR.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Links\icqplewR.pif	Window / User API: threadDelayed 9605	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5847	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3902	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7625
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2010
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5662
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4039
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6454
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3269

Source: C:\Users\user\AppData\Roaming\XClient.exe

Evasive API call chain: GetLocalTime,DecisionNodes

Source: C:\Users\user\Links\icqplewR.pif TID: 1548	Thread sleep time: -41505174165846465s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7692	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif TID: 1400	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7760	Thread sleep count: 7625 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4804	Thread sleep count: 2010 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6060	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7712	Thread sleep count: 5662 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8156	Thread sleep count: 4039 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7744	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8136	Thread sleep count: 6454 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8164	Thread sleep count: 3269 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5176	Thread sleep time: -6456360425798339s >= -30000s

Source: C:\Users\user\Links\icqplewR.pif

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Links\icqplewR.pif	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: 3_2_03F552F8 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,	3_2_03F552F8
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 28_2_0040128D RegOpenKeyA,RegQueryValueA,RegCloseKey,RegCloseKey,FindFirstFileA,FindClose,GetLocalTime,	28_2_0040128D
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 28_2_00401612 RegOpenKeyA,RegQueryValueA,RegCloseKey,RegCloseKey,GetLocalTime,CreateDirectoryA,FindFirstFileA,MoveFileA,FindNextFileA,FindClose,	28_2_00401612
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 29_2_0040128D RegOpenKeyA,RegQueryValueA,RegCloseKey,RegCloseKey,FindFirstFileA,FindClose,GetLocalTime,	29_2_0040128D
Source: C:\Users\user\AppData\Roaming\XClient.exe	Code function: 29_2_00401612 RegOpenKeyA,RegQueryValueA,RegCloseKey,RegCloseKey,GetLocalTime,CreateDirectoryA,FindFirstFileA,MoveFileA,FindNextFileA,FindClose,	29_2_00401612

Source: C:\Users\user\Links\icqplewR.pif	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Links\icqplewR.pif	File opened: C:\Windows\SysWOW64\avicap32.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	File opened: C:\Windows\SysWOW64\MSVFW32.dll	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	File opened: C:\Windows\SysWOW64\en-US\MSVFW32.dll.mui	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	File opened: C:\Windows\SysWOW64\en-US\avicap32.dll.mui	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	File opened: C:\Windows\SysWOW64\wbem\en-US\wmiutils.dll.mui	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	File opened: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll	Jump to behavior

Source: icqplewR.pif, 00000009.00000003.1896768334.0000000028F41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ronIgnuQEMuCAEKH8ln
Source: x.exe, 00000003.00000002.1224081576.0000000001F46000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllssW4
Source: Rwelpqci.PIF, 00000013.00000002.1349651483.0000000001E68000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Local\Temp\x.exe	API call chain: ExitProcess graph end node	graph_3-22841
Source: C:\Users\user\Links\Rwelpqci.PIF	API call chain: ExitProcess graph end node	graph_19-24469
Source: C:\Users\user\AppData\Roaming\XClient.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\XClient.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\XClient.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\XClient.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Links\icqplewR.pif

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 3_2_03F6A5B0 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent,

3_2_03F6A5B0

Source: C:\Users\user\AppData\Local\Temp\x.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Links\icqplewR.pif

Code function: 9_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

9_1_0040CE09

Source: C:\Users\user\Links\icqplewR.pif

9_1_004019F0

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 3_2_03F63E20 LoadLibraryW,GetProcAddress,WriteProcessMemory,FreeLibrary,

3_2_03F63E20

Source: C:\Users\user\Links\icqplewR.pif

Code function: 9_1_0040ADB0 GetProcessHeap,HeapFree,

9_1_0040ADB0

Source: C:\Users\user\Links\icqplewR.pif	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Links\icqplewR.pif	Code function: 9_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_1_0040CE09
Source: C:\Users\user\Links\icqplewR.pif	Code function: 9_1_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_1_0040E61C
Source: C:\Users\user\Links\icqplewR.pif	Code function: 9_1_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_1_00416F6A
Source: C:\Users\user\Links\icqplewR.pif	Code function: 9_1_004123F1 SetUnhandledExceptionFilter,	9_1_004123F1
Source: C:\Users\user\Links\icqplewR.pif	Code function: 20_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	20_2_0040CE09
Source: C:\Users\user\Links\icqplewR.pif	Code function: 20_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	20_2_0040E61C
Source: C:\Users\user\Links\icqplewR.pif	Code function: 20_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_2_00416F6A
Source: C:\Users\user\Links\icqplewR.pif	Code function: 20_2_004123F1 SetUnhandledExceptionFilter,	20_2_004123F1
Source: C:\Users\user\Links\icqplewR.pif	Code function: 20_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	20_1_0040CE09
Source: C:\Users\user\Links\icqplewR.pif	Code function: 20_1_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	20_1_0040E61C
Source: C:\Users\user\Links\icqplewR.pif	Code function: 20_1_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	20_1_00416F6A
Source: C:\Users\user\Links\icqplewR.pif	Code function: 20_1_004123F1 SetUnhandledExceptionFilter,	20_1_004123F1

Source: C:\Users\user\Links\icqplewR.pif

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Links\icqplewR.pif	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Links\icqplewR.pif'
Source: C:\Users\user\Links\icqplewR.pif	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'
Source: C:\Users\user\Links\icqplewR.pif	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Links\icqplewR.pif'	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory allocated: C:\Users\user\Links\icqplewR.pif base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Memory allocated: C:\Users\user\Links\icqplewR.pif base: 400000 protect: page execute and read and write			Jump to behavior

Bypasses PowerShell execution policy

Source: C:\Users\user\Links\icqplewR.pif

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Links\icqplewR.pif'

Sample uses process hollowing technique

Source: C:\Users\user\AppData\Local\Temp\x.exe	Section unmapped: C:\Users\user\Links\icqplewR.pif base address: 400000			Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Section unmapped: C:\Users\user\Links\icqplewR.pif base address: 400000			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\x.exe	Memory written: C:\Users\user\Links\icqplewR.pif base: 20A008			Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Memory written: C:\Users\user\Links\icqplewR.pif base: 2C4008			Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /y "C:\Users\user\Desktop\RFQ_HB648836_Enquiry.cmd" "C:\Users\user\AppData\Local\Temp\x.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\x.exe "C:\Users\user\AppData\Local\Temp\x.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\x.exe	Process created: C:\Users\user\Links\icqplewR.pif C:\\Users\\user\\Links\icqplewR.pif	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Links\icqplewR.pif'	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'icqplewR.pif'	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\XClient.exe'	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'	Jump to behavior
Source: C:\Users\user\Links\Rwelpqci.PIF	Process created: C:\Users\user\Links\icqplewR.pif C:\\Users\\user\\Links\icqplewR.pif	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	3_2_03F554BC
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: GetLocaleInfoA,	3_2_03F5A104
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: GetLocaleInfoA,	3_2_03F5A0B8
Source: C:\Users\user\AppData\Local\Temp\x.exe	Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	3_2_03F555C8
Source: C:\Users\user\Links\icqplewR.pif	Code function: GetLocaleInfoA,	9_1_00417A20
Source: C:\Users\user\Links\Rwelpqci.PIF	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	19_2_040754BC
Source: C:\Users\user\Links\Rwelpqci.PIF	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	19_2_040755C7
Source: C:\Users\user\Links\Rwelpqci.PIF	Code function: GetLocaleInfoA,	19_2_0407A104
Source: C:\Users\user\Links\icqplewR.pif	Code function: GetLocaleInfoA,	20_2_00417A20
Source: C:\Users\user\Links\icqplewR.pif	Code function: GetLocaleInfoA,	20_1_00417A20

Source: C:\Users\user\Links\icqplewR.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Links\icqplewR.pif	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 3_2_03F58B38 GetLocalTime,

3_2_03F58B38

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 3_2_03F69F00 GetUserNameA,

3_2_03F69F00

Source: C:\Users\user\AppData\Roaming\XClient.exe

Code function: 28_2_0040BBD4 GetTimeZoneInformation,

28_2_0040BBD4

Source: C:\Users\user\AppData\Local\Temp\x.exe

Code function: 3_2_03F5B038 GetVersionExA,

3_2_03F5B038

Source: C:\Users\user\Links\icqplewR.pif

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Links\icqplewR.pif	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Links\icqplewR.pif	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Links\icqplewR.pif	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Links\icqplewR.pif	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\Links\icqplewR.pif	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Links\icqplewR.pif	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Links\icqplewR.pif	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 20.2.icqplewR.pif.1ce90f08.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.icqplewR.pif.1e045570.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.icqplewR.pif.1ce90000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.icqplewR.pif.1cee0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.icqplewR.pif.1b19f4f8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.icqplewR.pif.1cd1eeae.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.icqplewR.pif.1cd1eeae.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.icqplewR.pif.1cee0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.icqplewR.pif.1e046478.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.icqplewR.pif.1ce90000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.icqplewR.pif.1e062d90.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.icqplewR.pif.1b19f4f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.icqplewR.pif.1e062d90.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.icqplewR.pif.1ce90f08.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.icqplewR.pif.1cd1fdb6.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.icqplewR.pif.1e046478.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.icqplewR.pif.1cd1fdb6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.icqplewR.pif.1e045570.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000003.1351645830.000000001B19F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1225845544.00000000202BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1439549690.000000001E045000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1438467684.000000001CEE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1438171646.000000001CCDE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1438299753.000000001CE90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match

File source: dump.pcap, type: PCAP

Yara detected XWorm

Source: Yara match	File source: 00000014.00000002.1438596503.000000001D0A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: icqplewR.pif PID: 8032, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: icqplewR.pif PID: 7444, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Links\icqplewR.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Links\icqplewR.pif	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Users\user\Links\icqplewR.pif	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 20.2.icqplewR.pif.1ce90f08.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.icqplewR.pif.1e045570.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.icqplewR.pif.1ce90000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.icqplewR.pif.1cee0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.icqplewR.pif.1b19f4f8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.icqplewR.pif.1cd1eeae.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.icqplewR.pif.1cd1eeae.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.icqplewR.pif.1cee0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.icqplewR.pif.1e046478.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.icqplewR.pif.1ce90000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.icqplewR.pif.1e062d90.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.3.icqplewR.pif.1b19f4f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.icqplewR.pif.1e062d90.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.icqplewR.pif.1ce90f08.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.icqplewR.pif.1cd1fdb6.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.icqplewR.pif.1e046478.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.icqplewR.pif.1cd1fdb6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.icqplewR.pif.1e045570.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000003.1351645830.000000001B19F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1225845544.00000000202BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1439549690.000000001E045000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1438467684.000000001CEE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1438171646.000000001CCDE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1438299753.000000001CE90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match

File source: dump.pcap, type: PCAP

Yara detected XWorm

Source: Yara match	File source: 00000014.00000002.1438596503.000000001D0A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: icqplewR.pif PID: 8032, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: icqplewR.pif PID: 7444, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	1 Valid Accounts	1 Valid Accounts	11 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Shared Modules	11 Registry Run Keys / Startup Folder	1 Access Token Manipulation	2 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	21 Input Capture	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Command and Scripting Interpreter	Login Hook	311 Process Injection	2 Software Packing	NTDS	127 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 PowerShell	Network Logon Script	11 Registry Run Keys / Startup Folder	1 Timestomp	LSA Secrets	461 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	251 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Valid Accounts	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	251 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	311 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RFQ_HB648836_Enquiry.cmd

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
RFQ_HB648836_Enquiry.cmd