Windows Analysis Report
ISS GLOBAL FORWARDING UAE LLC.exe

Overview

General Information

Sample name: ISS GLOBAL FORWARDING UAE LLC.exe
Analysis ID: 1437891
MD5: ee5b7ee758a6f55e9009bc34f0e3a4a8
SHA1: b16bff0f596af550370b7b56fc2992fbe0a6abf9
SHA256: 8b1ddf6861f6e9fdd05b7e279bf0e218c41946b5162dc12d7da5cb628c98db27
Tags: AgentTeslaexe

Detection

AgentTesla, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Blogpost URLs: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection

Source: 10.2.rOqlzaXqJObX.exe.3fedc00.5.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.unitechautomations.com", "Username": "design@unitechautomations.com", "Password": "Unitech@123"}
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe ReversingLabs: Detection: 42%
Source: ISS GLOBAL FORWARDING UAE LLC.exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Joe Sandbox ML: detected
Source: ISS GLOBAL FORWARDING UAE LLC.exe Joe Sandbox ML: detected
Source: ISS GLOBAL FORWARDING UAE LLC.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ISS GLOBAL FORWARDING UAE LLC.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: RegSvcs.pdb, source: GUIVTme.exe, 0000000F.00000000.2112345444.0000000000422000.00000002.00000001.01000000.0000000D.sdmp, GUIVTme.exe.9.dr
Source: Binary string: RegSvcs.pdb source: GUIVTme.exe, 0000000F.00000000.2112345444.0000000000422000.00000002.00000001.01000000.0000000D.sdmp, GUIVTme.exe.9.dr
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Code function: 4x nop then jmp 00B8675Ah 0_2_00B86B7A
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Code function: 4x nop then jmp 00B8675Ah 0_2_00B86B8F
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Code function: 4x nop then jmp 04D65A22h 10_2_04D65E42
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Code function: 4x nop then jmp 04D65A22h 10_2_04D65E57

Networking

Source: Traffic Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49711 -> 192.185.129.60:587
Source: Traffic Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.5:49711 -> 192.185.129.60:587
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49711 -> 192.185.129.60:587
Source: Traffic Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49711 -> 192.185.129.60:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49711 -> 192.185.129.60:587
Source: Traffic Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49711 -> 192.185.129.60:587
Source: Traffic Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49712 -> 192.185.129.60:587
Source: Traffic Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.5:49712 -> 192.185.129.60:587
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49712 -> 192.185.129.60:587
Source: Traffic Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49712 -> 192.185.129.60:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49712 -> 192.185.129.60:587
Source: Traffic Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49712 -> 192.185.129.60:587
Source: Yara match File source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.38c7f10.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.388cef0.4.raw.unpack, type: UNPACKEDPE
Source: Joe Sandbox View IP Address: 192.185.129.60 192.185.129.60
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: mail.unitechautomations.com
Source: ISS GLOBAL FORWARDING UAE LLC.exe, rOqlzaXqJObX.exe.0.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: ISS GLOBAL FORWARDING UAE LLC.exe, rOqlzaXqJObX.exe.0.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: RegSvcs.exe, 00000009.00000002.2096868576.0000000002A6A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3221886941.000000000300A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.unitechautomations.com
Source: ISS GLOBAL FORWARDING UAE LLC.exe, rOqlzaXqJObX.exe.0.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: ISS GLOBAL FORWARDING UAE LLC.exe, 00000000.00000002.2040961917.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, rOqlzaXqJObX.exe, 0000000A.00000002.2134879689.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ISS GLOBAL FORWARDING UAE LLC.exe, 00000000.00000002.2042132144.000000000388C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2095525383.0000000000402000.00000040.00000400.00020000.00000000.sdmp, rOqlzaXqJObX.exe, 0000000A.00000002.2138002794.0000000003FED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: ISS GLOBAL FORWARDING UAE LLC.exe, rOqlzaXqJObX.exe.0.dr String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.38c7f10.6.raw.unpack, cPKWk.cs .Net Code: MPvOvSMQSR

System Summary

Source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.38c7f10.6.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.rOqlzaXqJObX.exe.3fedc00.5.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.388cef0.4.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.rOqlzaXqJObX.exe.4028c20.4.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.rOqlzaXqJObX.exe.4028c20.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.rOqlzaXqJObX.exe.3fedc00.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.38c7f10.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.388cef0.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: ISS GLOBAL FORWARDING UAE LLC.exe, ServerObject.cs Large array initialization: array initializer size 680832
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Code function: 0_2_00B88348 0_2_00B88348
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Code function: 0_2_00B810B0 0_2_00B810B0
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Code function: 0_2_00B80840 0_2_00B80840
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Code function: 0_2_00B823A0 0_2_00B823A0
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Code function: 0_2_00B82C78 0_2_00B82C78
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Code function: 0_2_00B80C78 0_2_00B80C78
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Code function: 0_2_00C1E144 0_2_00C1E144
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Code function: 0_2_06FDC010 0_2_06FDC010
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Code function: 0_2_06FD6A00 0_2_06FD6A00
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Code function: 0_2_06FDAB60 0_2_06FDAB60
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Code function: 0_2_06FD0040 0_2_06FD0040
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Code function: 0_2_06FD0039 0_2_06FD0039
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Code function: 0_2_07860718 0_2_07860718
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Code function: 0_2_07865AA8 0_2_07865AA8
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Code function: 0_2_0786D4C8 0_2_0786D4C8
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Code function: 0_2_0786D4D8 0_2_0786D4D8
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Code function: 0_2_07865A98 0_2_07865A98
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Code function: 0_2_0786AAA8 0_2_0786AAA8
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Code function: 0_2_07860040 0_2_07860040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00E9A3E8 9_2_00E9A3E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00E9D668 9_2_00E9D668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00E99818 9_2_00E99818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00E94AD0 9_2_00E94AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00E93EB8 9_2_00E93EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00E94200 9_2_00E94200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_00E9EA6F 9_2_00E9EA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0608B400 9_2_0608B400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_06089DCC 9_2_06089DCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_06098EE8 9_2_06098EE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_06095A38 9_2_06095A38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_06093258 9_2_06093258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_060942B0 9_2_060942B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_06090040 9_2_06090040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0609C058 9_2_0609C058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0609E068 9_2_0609E068
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_06095358 9_2_06095358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_060939B0 9_2_060939B0
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Code function: 10_2_02B9E144 10_2_02B9E144
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Code function: 10_2_04D67620 10_2_04D67620
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Code function: 10_2_04D60C78 10_2_04D60C78
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Code function: 10_2_04D62C78 10_2_04D62C78
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Code function: 10_2_04D60C68 10_2_04D60C68
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Code function: 10_2_04D610B0 10_2_04D610B0
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Code function: 10_2_04D60840 10_2_04D60840
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Code function: 10_2_04D60812 10_2_04D60812
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Code function: 10_2_04D623A0 10_2_04D623A0
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Code function: 10_2_075F0718 10_2_075F0718
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Code function: 10_2_075F5AA8 10_2_075F5AA8
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Code function: 10_2_075FAAA8 10_2_075FAAA8
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Code function: 10_2_075F0040 10_2_075F0040
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Code function: 10_2_075FD4D8 10_2_075FD4D8
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Code function: 10_2_075FD4C8 10_2_075FD4C8
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Code function: 10_2_0788C010 10_2_0788C010
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Code function: 10_2_0788AB60 10_2_0788AB60
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Code function: 10_2_07886A00 10_2_07886A00
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Code function: 10_2_07880007 10_2_07880007
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Code function: 10_2_07880040 10_2_07880040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_02D2D660 14_2_02D2D660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_02D2A49A 14_2_02D2A49A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_02D24AD0 14_2_02D24AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_02D23EB8 14_2_02D23EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_02D24200 14_2_02D24200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0658B400 14_2_0658B400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_06589BB4 14_2_06589BB4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_06598EDA 14_2_06598EDA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_06593258 14_2_06593258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_06595A38 14_2_06595A38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_065942B0 14_2_065942B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0659C058 14_2_0659C058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_06590040 14_2_06590040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0659E060 14_2_0659E060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_06595358 14_2_06595358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0659399B 14_2_0659399B
Source: ISS GLOBAL FORWARDING UAE LLC.exe Static PE information: invalid certificate
Source: ISS GLOBAL FORWARDING UAE LLC.exe, 00000000.00000002.2040961917.00000000026EF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamed04b9152-f33d-48a0-b781-4be8ad9dc338.exe4 vs ISS GLOBAL FORWARDING UAE LLC.exe
Source: ISS GLOBAL FORWARDING UAE LLC.exe, 00000000.00000002.2037297541.00000000007CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs ISS GLOBAL FORWARDING UAE LLC.exe
Source: ISS GLOBAL FORWARDING UAE LLC.exe, 00000000.00000000.1959540287.00000000000B2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameoyvt.exe. vs ISS GLOBAL FORWARDING UAE LLC.exe
Source: ISS GLOBAL FORWARDING UAE LLC.exe, 00000000.00000002.2048374738.00000000071B0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs ISS GLOBAL FORWARDING UAE LLC.exe
Source: ISS GLOBAL FORWARDING UAE LLC.exe, 00000000.00000002.2042132144.000000000388C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamed04b9152-f33d-48a0-b781-4be8ad9dc338.exe4 vs ISS GLOBAL FORWARDING UAE LLC.exe
Source: ISS GLOBAL FORWARDING UAE LLC.exe, 00000000.00000002.2042132144.000000000388C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs ISS GLOBAL FORWARDING UAE LLC.exe
Source: ISS GLOBAL FORWARDING UAE LLC.exe, 00000000.00000002.2048776213.00000000077A4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePowerShell.EXEj% vs ISS GLOBAL FORWARDING UAE LLC.exe
Source: ISS GLOBAL FORWARDING UAE LLC.exe Binary or memory string: OriginalFilenameoyvt.exe. vs ISS GLOBAL FORWARDING UAE LLC.exe
Source: ISS GLOBAL FORWARDING UAE LLC.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.38c7f10.6.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.rOqlzaXqJObX.exe.3fedc00.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.388cef0.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.rOqlzaXqJObX.exe.4028c20.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.rOqlzaXqJObX.exe.4028c20.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.rOqlzaXqJObX.exe.3fedc00.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.38c7f10.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.388cef0.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: ISS GLOBAL FORWARDING UAE LLC.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: rOqlzaXqJObX.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.25fd1cc.3.raw.unpack, XG.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.7840000.12.raw.unpack, -.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.7840000.12.raw.unpack, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.38c7f10.6.raw.unpack, cPs8D.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.38c7f10.6.raw.unpack, 72CF8egH.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.38c7f10.6.raw.unpack, G5CXsdn.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.38c7f10.6.raw.unpack, 3uPsILA6U.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.71b0000.11.raw.unpack, Qv2GZAIILl5j2uIgWr.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.71b0000.11.raw.unpack, TwE9IPBORgi4t50hn8.cs Security API names: _0020.SetAccessControl
Source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.71b0000.11.raw.unpack, TwE9IPBORgi4t50hn8.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.71b0000.11.raw.unpack, TwE9IPBORgi4t50hn8.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@23/19@1/1
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe File created: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Mutant created: \Sessions\1\BaseNamedObjects\PgPsFcgdDfSPOwWDDOEqJmm
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4028:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7636:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8076:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7212:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4320:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7816:120:WilError_03
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe File created: C:\Users\user\AppData\Local\Temp\tmpF4E1.tmp
Source: ISS GLOBAL FORWARDING UAE LLC.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ISS GLOBAL FORWARDING UAE LLC.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ISS GLOBAL FORWARDING UAE LLC.exe ReversingLabs: Detection: 42%
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe File read: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe
Source: unknown Process created: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe "C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe"
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rOqlzaXqJObX" /XML "C:\Users\user\AppData\Local\Temp\tmpF4E1.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rOqlzaXqJObX" /XML "C:\Users\user\AppData\Local\Temp\tmp14AE.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe "C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe"
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe "C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe"
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe" Jump to behavior
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe" Jump to behavior
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rOqlzaXqJObX" /XML "C:\Users\user\AppData\Local\Temp\tmpF4E1.tmp" Jump to behavior
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rOqlzaXqJObX" /XML "C:\Users\user\AppData\Local\Temp\tmp14AE.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: ISS GLOBAL FORWARDING UAE LLC.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: ISS GLOBAL FORWARDING UAE LLC.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: RegSvcs.pdb, source: GUIVTme.exe, 0000000F.00000000.2112345444.0000000000422000.00000002.00000001.01000000.0000000D.sdmp, GUIVTme.exe.9.dr
Source: Binary string: RegSvcs.pdb source: GUIVTme.exe, 0000000F.00000000.2112345444.0000000000422000.00000002.00000001.01000000.0000000D.sdmp, GUIVTme.exe.9.dr
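Added example, not part of the sandbox report: a small Python detector run over process-creation records constructed in the same shape as the "Process created" entries above. It flags the three behaviours this trace shows in one chain: a Defender exclusion added through Add-MpPreference, schtasks importing a task definition from the user's Temp directory, and RegSvcs.exe started with an empty command line by a process under C:\Users (the .NET utility the stealer is injected into, which then reads the Outlook profile key). The rule names, the benign control record and the list of .NET utilities treated as hollowing targets are assumptions of the example, not the sandbox's own signatures.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample records in the shape of the report's "Process created" entries
# (parent image, child image, child command line). Embedded so the script runs offline;
# the last record is a benign control that must not fire.
SAMPLE_LINES = [
    r'Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process created: '
    r'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe"',
    r'Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process created: '
    r'C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rOqlzaXqJObX" '
    r'/XML "C:\Users\user\AppData\Local\Temp\tmpF4E1.tmp"',
    r'Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process created: '
    r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"',
    r'Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Process created: '
    r'C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
    r'Source: C:\Windows\System32\cmd.exe Process created: '
    r'C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Backup" /XML "C:\ProgramData\backup\task.xml"',
]

_RECORD = re.compile(r'^Source: (?P<parent>.+?) Process created: (?P<rest>.+)$')
_TOKEN = re.compile(r'"[^"]*"|\S+')   # quoted argument or bare token

# .NET framework utilities commonly hollowed by .NET loaders (assumed list);
# launched with an empty command line they have no legitimate job to do.
DOTNET_HOLLOW_TARGETS = {'regsvcs.exe', 'regasm.exe', 'installutil.exe', 'msbuild.exe', 'aspnet_compiler.exe'}
TEMP_MARKERS = ('\\appdata\\local\\temp\\', '\\windows\\temp\\')


def parse_record(line):
    """Split one record into parent image, child image and child command line (None if not a record)."""
    m = _RECORD.match(line.strip())
    if not m:
        return None
    parent, rest = m.group('parent'), m.group('rest')
    quote = rest.find(' "')
    if quote != -1:                       # command line starts with a quoted image path
        child, cmdline = rest[:quote], rest[quote + 1:]
    else:                                 # bare command line (conhost style): first token is the image
        child, _, cmdline = rest.partition(' ')
    return {'parent': parent, 'child': child, 'cmdline': cmdline}


def _argument_after(tokens, switch):
    """Unquoted value following a case-insensitive switch such as /XML, or None."""
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == switch:
            return tokens[i + 1].strip('"')
    return None


def classify(rec):
    """Apply the three behaviour rules to a parsed record and return the rule names that fire."""
    tokens = _TOKEN.findall(rec['cmdline'])
    child = PureWindowsPath(rec['child']).name.lower()
    low = rec['cmdline'].lower()
    hits = []
    # 1. Defender exclusion added via PowerShell (-ExclusionPath / -ExclusionProcess / -ExclusionExtension)
    if child == 'powershell.exe' and 'add-mppreference' in low and '-exclusion' in low:
        hits.append('defender_exclusion_added')
    # 2. Scheduled task created from an XML definition that lives in a temp directory
    if child == 'schtasks.exe' and '/create' in low:
        xml = _argument_after(tokens, '/xml')
        if xml and any(marker in xml.lower() for marker in TEMP_MARKERS):
            hits.append('schtasks_xml_from_temp')
    # 3. .NET utility started with no arguments by a process under C:\Users (hollowing target)
    if child in DOTNET_HOLLOW_TARGETS and len(tokens) == 1 and '\\users\\' in rec['parent'].lower():
        hits.append('dotnet_utility_spawned_bare')
    return hits


def scan(lines):
    """Parse every record and return (child image name, rule) pairs for the records that fire."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        for rule in classify(rec):
            findings.append((PureWindowsPath(rec['child']).name, rule))
    return findings


if __name__ == '__main__':
    for name, rule in scan(SAMPLE_LINES):
        print(f'{rule:28} {name}')
```

The rules key on the child image name and the command line only; a production version would add the parent's signature status and the task's XML contents, but the three checks above are already enough to pick this chain out of a process tree, and the ProgramData control shows that a task import by itself is not flagged.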

Data Obfuscation

Source: ISS GLOBAL FORWARDING UAE LLC.exe, MainMenu.cs .Net Code: LateBinding.LateCall((object)methodInfo, (Type)null, "Invoke", new object[2]{0,new string[3]{BN[0],BN[1],"Client"}}, (string[])null, (bool[])null)
Source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.25fd1cc.3.raw.unpack, XG.cs .Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
Source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.6e90000.10.raw.unpack, XG.cs .Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
Source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.71b0000.11.raw.unpack, TwE9IPBORgi4t50hn8.cs .Net Code: s83rYBY1B2 System.Reflection.Assembly.Load(byte[])
Source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.7840000.12.raw.unpack, -.cs .Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Code function: 0_2_00C19DA0 pushfd ; ret 0_2_00C19DAE
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Code function: 0_2_078642D7 push ebx; ret 0_2_078642DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0608F51F push es; iretd 9_2_0608F520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0608F523 push es; iretd 9_2_0608F524
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0608F56F push es; iretd 9_2_0608F570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0608F5CB push es; iretd 9_2_0608F5CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0608F5CF push es; iretd 9_2_0608F5DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0608F5DF push es; iretd 9_2_0608F5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 9_2_0608FB90 push es; ret 9_2_0608FBA0
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Code function: 10_2_075F42D7 push ebx; ret 10_2_075F42DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0658F555 push es; iretd 14_2_0658F55C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0658F549 push es; iretd 14_2_0658F554
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0658F544 push es; iretd 14_2_0658F548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0658F57D push es; iretd 14_2_0658F588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0658F571 push es; iretd 14_2_0658F57C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0658F56D push es; iretd 14_2_0658F570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0658F51D push es; iretd 14_2_0658F520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0658F510 push es; iretd 14_2_0658F51C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0658F521 push es; iretd 14_2_0658F524
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0658F5DD push es; iretd 14_2_0658F5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0658F5C9 push es; iretd 14_2_0658F5CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0658F5CD push es; iretd 14_2_0658F5DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0658F595 push es; iretd 14_2_0658F5C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_0658FB90 push es; ret 14_2_0658FBA0
Source: ISS GLOBAL FORWARDING UAE LLC.exe Static PE information: section name: .text entropy: 7.909752441742168
Source: rOqlzaXqJObX.exe.0.dr Static PE information: section name: .text entropy: 7.909752441742168
Source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.71b0000.11.raw.unpack, ce9YWeCe6fbv5nLmlG.cs High entropy of concatenated method names: 'cMKdStPiVa', 'cXLd4d4DR2', 'fiodeQ8wP0', 'myCd2v7a3k', 'CUJdP6Nqka', 'Fqsd6D6e9n', 'k40d7fRPGq', 'kx0dZ48PRu', 'kKtdxfxELg', 'MRFdIDl3rH'
Source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.71b0000.11.raw.unpack, GoJdnbxtAinOEI5PL0K.cs High entropy of concatenated method names: 'zyFoVBgsUV', 'lXno8IJPSC', 'rhroYwT6FP', 'ppSomqYi6L', 'SmpoTKVulS', 'jgiokP1usy', 'UDxoKfi2hS', 'e5VotIKZoO', 'N6toFqWX5h', 'M9GoWGjdSN'
Source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.71b0000.11.raw.unpack, Mf1HFtxxtcKSY2mdTd4.cs High entropy of concatenated method names: 'ToString', 'yanhjIg7wg', 'efOhrNpSUn', 'GrJhqtFmKO', 'X0BhSPjYMP', 'KuHh4ZsEKt', 'KVkheFcXSw', 'P5Hh2u8Jd4', 'Y3iXaPEe6QSaGlCtPMx', 'hBlt00EUQNf8i3FhFKV'
Source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.71b0000.11.raw.unpack, GCqee3ZtK39cafbO8N.cs High entropy of concatenated method names: 'ToString', 'FfURAE5rkL', 'gKvRB1gsU5', 'wMlRC4GOaL', 'okkRQEyrFL', 'GGKRpTi5Jk', 'MH5RueJWaD', 'hX7RaLDVyb', 'FB1Rn4t0JJ', 'heARExMyvE'
Source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.71b0000.11.raw.unpack, rQ35NLMUf2T7FutQta.cs High entropy of concatenated method names: 'ybY2TZRUEw', 'nJS2KyRoIU', 'ho6eCotPnv', 'WfheQiOvyd', 'pCFep5W2UX', 'V1ueuT9iCf', 'fkbeaVxddd', 'HH1engRnRs', 'qjAeE6wejm', 'ukNegch5rI'
Source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.71b0000.11.raw.unpack, YirX0ZNHqDMQ6XX7ST.cs High entropy of concatenated method names: 'xh4ciY86gw', 'si6c00UTtZ', 'z2Ld3XnOv3', 'MsVdX7ACZl', 'C8ZcAoDxl2', 'H7CcJmrpqd', 'VmmcvWKCHF', 'xGYcUeA7Ao', 'jFScfAZ9wV', 'nBNc9Cf5jm'
Source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.71b0000.11.raw.unpack, lBIaSLcpxQCNwlIF2r.cs High entropy of concatenated method names: 'M1wYx7646', 'AW0mLLLj2', 'Dgwk1D7RQ', 'emdK2fvCc', 'CRZFjv3Ze', 'unMWHcwal', 'of7J7x1LafMoApAFkx', 'yqJ4NdZnbH5wgpHFlk', 'mcXdHuyQg', 'OcQhF2DBX'
Source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.71b0000.11.raw.unpack, Qv2GZAIILl5j2uIgWr.cs High entropy of concatenated method names: 'EFN4UPmeoc', 'nco4fp6Wv5', 'i8C49SqEjo', 'gZ34Hq0ETD', 'JMy4NHVkfj', 'o9w45ZIuiB', 'Vy64yc9exx', 'XUP4iE9ano', 'lSD4s8bXFw', 'OiI40MIqyN'
Source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.71b0000.11.raw.unpack, KYoulDJ953ljkZfSnn.cs High entropy of concatenated method names: 'YlbPqrpQSR', 'BNjP42ZPCx', 'yhlP28DBXN', 'PHUP6SqiBf', 'kgaP7nS7Uo', 'PnU2N2eZdJ', 'no9253ReCd', 'XFa2y2MIk4', 'zo52i0TFqu', 'PjD2sc6eRp'
Source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.71b0000.11.raw.unpack, LRYU7Xji2TEmE7eUN4.cs High entropy of concatenated method names: 'Vq6oXnKDby', 'jMdojft4YR', 'YAqorT7bnO', 'hNxoSk8II9', 'tAho4WiMnu', 'F1fo2sPADQ', 'XNYoPWR1yj', 'IYcdyEYsaL', 'Do9diI5OAh', 'XYJdsTuIgd'
Source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.71b0000.11.raw.unpack, eHfd95oFUZSwKQp3Uo.cs High entropy of concatenated method names: 'I4dwtbgP7D', 'hg7wFw140C', 'bVtwDBEHnh', 'CUswBcaeF8', 'VbkwQSrRNi', 'EMmwpFSFJU', 'wgGwaqAo5q', 'yZ0wnyOrd9', 'dOHwglTJbZ', 'zBYwAQiqRV'
Source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.71b0000.11.raw.unpack, SAqHuB71UVRm48qydF.cs High entropy of concatenated method names: 'JSo6Sh7YGf', 'OXn6e9AOB1', 'gGV6PfMvZ6', 'o8rP0uuN7Z', 'bdJPz0m9wt', 'Boy63sNFuF', 'kjn6XGU3oQ', 'LXX6MBhmEJ', 'rEs6jypmHw', 'rnS6ry3p5S'
Source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.71b0000.11.raw.unpack, CaOEG9LfNQgR3j7eS1.cs High entropy of concatenated method names: 'UlV6VCrfEY', 'UuE68SyqtV', 'yrK6YMffTZ', 'exl6mw2bmd', 'Xtl6TKDI50', 'Wm26k7QgfJ', 'buh6KROASE', 'SFu6tjglLx', 'wZZ6FTjIWG', 'fYp6WWXRJ8'
Source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.71b0000.11.raw.unpack, FjVDLkafgQaA9t9Tdx.cs High entropy of concatenated method names: 'NbUdDhpvxC', 'VqRdBkO8Xh', 'oJLdCSadIB', 'EOhdQhEOyG', 'lEodU3MSg3', 'znMdpNaevo', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.71b0000.11.raw.unpack, sCLXJo1BPhypWXAf2I.cs High entropy of concatenated method names: 'yrwemQml70', 'Uxqek2Nvvf', 'JcDetjK5g5', 'PtUeFX5oaV', 'KfJel5aeCv', 'sIdeR8RhfB', 'D3nechi6ne', 'QqmedbeFiW', 'KhSeoTdUqG', 'PrjehbcSdq'
Source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.71b0000.11.raw.unpack, dBCHJH2Ub3Oc0r69yS.cs High entropy of concatenated method names: 'XHbX6QoeJg', 'A3sX7oIlP3', 'VryXxaVEm4', 'hTbXINpHDw', 'W11Xlp4eGa', 'XDyXR6qhuO', 'GVrtfO58wK0jm0AN9b', 'Aq6uPP2eZ3r2318KpG', 'BC0XXAtIj6', 'cT7XjVEpls'
Source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.71b0000.11.raw.unpack, b2YIfeW62FTpe6vRfw.cs High entropy of concatenated method names: 't63P9bI1Uu', 'Ip9PHhgUgK', 'xAqPNwv2Lj', 'ToString', 'CNcP5wFRsd', 'tnUPynoV7M', 'Kk7svo4bXTVi7OJjGgD', 'IOBVrh4svRNhnLmmTHw', 'HNrc6L4fUsYIOdVcLlI', 'dUB2O34IbWmVn1fO7Fx'
Source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.71b0000.11.raw.unpack, HTXdDTeESNOSnVl6sr.cs High entropy of concatenated method names: 'onccx3xbkG', 'JShcIqN8hi', 'ToString', 'oARcSCwCGo', 'f7Jc4ELWL8', 'WofceB09RB', 'XBsc2jZMef', 'xERcPtNfqq', 'E3yc6Sn5OU', 'BnIc7L1V6c'
Source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.71b0000.11.raw.unpack, xXoOxUVvU535kTqp2N.cs High entropy of concatenated method names: 'IALFZt4dksaI5drgjPx', 'MYw3n14pCglgDSe9SDf', 'PvnPdUZaE5', 'HtfPonlvcS', 'HEqPhScoN3', 'YM5Xen4wkZoq73HR08Q', 'iwmPh84TDRpBNfaUb6h'
Source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.71b0000.11.raw.unpack, zM9bsgpCoL0qdmrT6q.cs High entropy of concatenated method names: 'Dispose', 'H8CXspSEHo', 'CVXMB1pbT5', 'zx5OORwiXL', 'daLX0WqKwi', 'iDgXzQ9KGN', 'ProcessDialogKey', 'pQuM35w33v', 'YeNMXUOxbd', 'vdlMM2kDNf'
Source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.71b0000.11.raw.unpack, zC7yQNz5piFteaOoVa.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'CWKowlBmOM', 'cCxoloXuya', 'VLXoRENLeC', 'KwnocMFpW9', 'icJod1dwv0', 'c3Poo4AAln', 'nJUohDsoQw'
Source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.71b0000.11.raw.unpack, bnVtm5KaIBsK8E94x7.cs High entropy of concatenated method names: 'J30PakZKCX', 'VBQPEnvy1P', 'IDYPuUN7ap', 'dbYVWY4XELtp2h8XhBZ', 'On97LF4g3kATecBxWxF', 'FajJ9b4KFvar98TWk5P', 'SLXmcO4VctsRloTqolX'
Source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.71b0000.11.raw.unpack, WYuMKYxHGk15nhftmwy.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'EqnhUFImaN', 'NtLhfNRJwR', 'aRUh9P2qgw', 'qjDhHHLYc5', 'uANhNF6Gqs', 'Kjfh5afLiK', 'VcQhy7lid0'
Source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.71b0000.11.raw.unpack, TwE9IPBORgi4t50hn8.cs High entropy of concatenated method names: 'ksAjqb80x2', 'xlQjSdD8EF', 'PAsj4Ao7yA', 'YVBjedU2rX', 'Np0j28yomF', 'ftBjPURRPb', 'Wikj6wrHCR', 'c5Aj7s3cAA', 'G0ajZIGL8B', 'afyjxHIQ7n'
Source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.25fd1cc.3.raw.unpack, XG.cs High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
Source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.6e90000.10.raw.unpack, XG.cs High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe File created: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File created: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe
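Added example, not the report's own tooling: the .text entropy of 7.91 listed above is the Shannon entropy of the section's raw bytes in bits per byte. Compiled x86/MSIL code normally sits well below 7; values approaching 8 mean the section holds compressed or encrypted data, which matches the Assembly.Load(byte[]) unpacking seen in this sample. The Python below computes that figure from a PE's section table using only the standard library and runs it over a synthetic PE-shaped blob built inside the script (a seeded pseudo-random .text standing in for an encrypted payload, a repeated-ASCII .rdata). The blob, the seed and the 7.2 cut-off are the example's assumptions, not values from the report.

```python
import math
import random
import struct
from collections import Counter


def shannon_entropy(buf):
    """Shannon entropy of a byte string in bits per byte: 0.0 for a constant buffer, at most 8.0."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def pe_sections(data):
    """Walk DOS header -> COFF header -> section table and yield (name, raw bytes) per section.
    Only the fields needed to locate raw section data are decoded; the optional header is skipped."""
    if data[:2] != b'MZ':
        raise ValueError('missing MZ signature')
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('missing PE signature')
    coff = e_lfanew + 4
    num_sections = struct.unpack_from('<H', data, coff + 2)[0]
    opt_size = struct.unpack_from('<H', data, coff + 16)[0]
    table = coff + 20 + opt_size
    for i in range(num_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b'\0').decode('ascii', 'replace')
        raw_size, raw_ptr = struct.unpack_from('<II', data, off + 16)   # SizeOfRawData, PointerToRawData
        yield name, data[raw_ptr:raw_ptr + raw_size]


def section_entropies(data):
    """[(section name, entropy in bits/byte)] for every section of a PE image."""
    return [(name, shannon_entropy(raw)) for name, raw in pe_sections(data)]


def packed_sections(data, threshold=7.2):
    """Names of sections above the threshold; compressed or encrypted payloads sit close to 8."""
    return [name for name, h in section_entropies(data) if h > threshold]


def build_synthetic_pe(seed=1437891):
    """Constructed, non-executable PE-shaped blob with two sections: '.text' filled with seeded
    pseudo-random bytes (stand-in for an encrypted payload) and '.rdata' of repeated ASCII.
    SizeOfOptionalHeader is 0, so the section table directly follows the COFF header."""
    rng = random.Random(seed)
    text = bytes(rng.getrandbits(8) for _ in range(4096))
    rdata = b'AgentTesla harvests browser, mail and FTP credentials. ' * 64

    def section_header(name, virt_addr, raw, raw_ptr, flags):
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
        return struct.pack('<8sIIIIIIHHI', name, len(raw), virt_addr, len(raw), raw_ptr, 0, 0, 0, 0, flags)

    e_lfanew = 0x40
    dos = b'MZ' + b'\0' * (0x3C - 2) + struct.pack('<I', e_lfanew)
    # IMAGE_FILE_HEADER: Machine=i386, NumberOfSections=2, timestamp/symbols=0, SizeOfOptionalHeader=0
    coff = struct.pack('<HHIIIHH', 0x14C, 2, 0, 0, 0, 0, 0x0102)
    text_ptr = e_lfanew + 4 + 20 + 2 * 40
    rdata_ptr = text_ptr + len(text)
    table = (section_header(b'.text', 0x1000, text, text_ptr, 0x60000020)
             + section_header(b'.rdata', 0x3000, rdata, rdata_ptr, 0x40000040))
    return dos + b'PE\0\0' + coff + table + text + rdata


if __name__ == '__main__':
    blob = build_synthetic_pe()
    for name, h in section_entropies(blob):
        print(f'{name:8} {h:.4f}')
    print('packed:', packed_sections(blob))
```

Point section_entropies() at the bytes of a real sample to reproduce the report's figure; note that a high-entropy .text only says the code is not plain compiled code, so it is a triage signal for unpacking, not a verdict on its own.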

Boot Survival

Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rOqlzaXqJObX" /XML "C:\Users\user\AppData\Local\Temp\tmpF4E1.tmp"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GUIVTme
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GUIVTme
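Added example, not from the report: a triage helper for the two persistence artifacts listed above, the scheduled task imported from a temp XML file and the HKCU Run value. The task XML and the Run values below are constructed to match the paths in this trace; the report does not show the contents of the imported XML, so the Exec command, the logon trigger and the Hidden setting are assumptions. The checks a responder wants are an Exec command or Run value pointing into a user-writable directory, a logon or boot trigger, and a task marked hidden. On a live Windows host read_run_key() fills the same dict shape from the registry via winreg.

```python
import xml.etree.ElementTree as ET

TASK_NS = {'t': 'http://schemas.microsoft.com/windows/2004/02/mit/task'}

# Constructed task definition in the Task Scheduler XML schema, standing in for the temp-file
# definition schtasks imports in this trace. Command, trigger and Hidden are assumptions.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>user</Author><URI>\Updates\rOqlzaXqJObX</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed HKCU Run values: the name this trace creates plus a benign control entry.
SAMPLE_RUN_VALUES = {
    'GUIVTme': r'"C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe"',
    'SecurityHealth': r'C:\Windows\system32\SecurityHealthSystray.exe',
}

# Directories an unprivileged user can write to; autostart entries pointing here deserve a look.
USER_WRITABLE_MARKERS = ('\\appdata\\', '\\users\\public\\', '\\temp\\')


def executable_of(command_line):
    """Image path of a Run value or task command: the quoted prefix if present, else the first token."""
    s = command_line.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(' ', 1)[0]


def in_user_writable_path(path):
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def triage_task(xml_text):
    """Extract URI, command, arguments, trigger kinds and the Hidden setting from a task XML and flag them."""
    root = ET.fromstring(xml_text)
    uri = root.findtext('t:RegistrationInfo/t:URI', default='', namespaces=TASK_NS)
    command = root.findtext('t:Actions/t:Exec/t:Command', default='', namespaces=TASK_NS)
    arguments = root.findtext('t:Actions/t:Exec/t:Arguments', default='', namespaces=TASK_NS)
    trig = root.find('t:Triggers', TASK_NS)
    triggers = [] if trig is None else [c.tag.rsplit('}', 1)[-1] for c in trig]
    hidden = root.findtext('t:Settings/t:Hidden', default='false', namespaces=TASK_NS).strip().lower() == 'true'
    flags = []
    if in_user_writable_path(executable_of(command)):
        flags.append('exec_from_user_writable_path')
    if any(t in ('LogonTrigger', 'BootTrigger') for t in triggers):
        flags.append('runs_at_logon_or_boot')
    if hidden:
        flags.append('hidden')
    return {'uri': uri, 'command': command, 'arguments': arguments, 'triggers': triggers, 'flags': flags}


def triage_run_values(values):
    """Names of Run values whose image lives in a user-writable directory."""
    return [name for name, data in values.items() if in_user_writable_path(executable_of(data))]


def read_run_key():
    """Windows only: read HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run into the dict shape above."""
    import winreg  # not available on other platforms; the constructed dict is used there
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r'Software\Microsoft\Windows\CurrentVersion\Run') as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:          # no more values
                break
            values[name] = str(data)
            i += 1
    return values


if __name__ == '__main__':
    print(triage_task(SAMPLE_TASK_XML))
    print(triage_run_values(SAMPLE_RUN_VALUES))
```

Exported task definitions (schtasks /Query /XML, or the files under C:\Windows\System32\Tasks) can be fed straight to triage_task(); the namespace handling is what usually trips up ad-hoc parsers of that format.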

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: ISS GLOBAL FORWARDING UAE LLC.exe PID: 2928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rOqlzaXqJObX.exe PID: 7444, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Memory allocated: B20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Memory allocated: 25B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Memory allocated: 7880000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Memory allocated: 8880000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Memory allocated: 8B40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Memory allocated: 9B40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Memory allocated: 2B50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Memory allocated: 2D10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Memory allocated: 4D10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Memory allocated: 7C60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Memory allocated: 8C60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Memory allocated: 2420000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Memory allocated: 2590000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Memory allocated: 4590000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Memory allocated: EB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Memory allocated: 2860000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Memory allocated: 4860000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5413
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 2566
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 3655
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 1715
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe TID: 5696 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7204 Thread sleep count: 5413 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7428 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7192 Thread sleep count: 82 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7324 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7404 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7340 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe TID: 7492 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe TID: 7852 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe TID: 8124 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99848
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99725
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99607
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99021
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98745
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98516
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98297
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97797
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97094
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96438
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99679
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99544
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99412
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97507
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97281
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97169
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97062
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96842
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Thread delayed: delay time: 922337203685477
Source: RegSvcs.exe, 00000009.00000002.2101524491.0000000005F50000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3229289762.0000000006200000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe"
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe"
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43E000
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 440000
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 837008
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43E000
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 440000
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: EC8008
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rOqlzaXqJObX" /XML "C:\Users\user\AppData\Local\Temp\tmpF4E1.tmp"
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rOqlzaXqJObX" /XML "C:\Users\user\AppData\Local\Temp\tmp14AE.tmp"
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Queries volume information: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe VolumeInformation
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Queries volume information: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\rOqlzaXqJObX.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Queries volume information: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\Desktop\ISS GLOBAL FORWARDING UAE LLC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.38c7f10.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rOqlzaXqJObX.exe.3fedc00.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.388cef0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rOqlzaXqJObX.exe.4028c20.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rOqlzaXqJObX.exe.4028c20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rOqlzaXqJObX.exe.3fedc00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.38c7f10.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.388cef0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.2095525383.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3221886941.000000000300A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2096868576.0000000002A62000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2096868576.0000000002A6A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3221886941.0000000003002000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3221886941.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2138002794.0000000003FED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2096868576.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2042132144.000000000388C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ISS GLOBAL FORWARDING UAE LLC.exe PID: 2928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7332, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rOqlzaXqJObX.exe PID: 7444, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7672, type: MEMORYSTR
Source: Yara match File source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.25fd1cc.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.6e90000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.6e90000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rOqlzaXqJObX.exe.2d5d198.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rOqlzaXqJObX.exe.2d5d198.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rOqlzaXqJObX.exe.30ae8d8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.294f930.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.25fd1cc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rOqlzaXqJObX.exe.30af8f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.2917bc0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.294e918.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rOqlzaXqJObX.exe.3077b80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2047820467.0000000006E90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2134879689.0000000003039000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2040961917.00000000028D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2134879689.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2040961917.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match File source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.38c7f10.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rOqlzaXqJObX.exe.3fedc00.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.388cef0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rOqlzaXqJObX.exe.4028c20.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rOqlzaXqJObX.exe.4028c20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rOqlzaXqJObX.exe.3fedc00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.38c7f10.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.388cef0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.2095525383.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3221886941.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2138002794.0000000003FED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2096868576.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2042132144.000000000388C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ISS GLOBAL FORWARDING UAE LLC.exe PID: 2928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7332, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rOqlzaXqJObX.exe PID: 7444, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7672, type: MEMORYSTR
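The access records above show the security-relevant pattern of this section: RegSvcs.exe, a Microsoft .NET utility living in the Framework directory, has no legitimate reason to read Chrome and Edge "Login Data" databases, Firefox/Thunderbird profiles.ini, WinSCP session keys, FTP Navigator's Ftplist.txt or mail profile hives, yet one hollowed instance touches all of them. The script below is an added example, not part of the sandbox report or of any vendor tooling. It scans behaviour lines in the report's own "Source: <image> File opened|Key opened: <target>" format, raises a finding whenever a process that is not an expected owner of a credential store opens it, and then applies the more durable heuristic: a single image touching several unrelated store categories. The store catalogue, the owner image names and the sample lines are constructed assumptions modelled on this report, not an authoritative list.

```python
"""Flag credential-store access by processes that should not be reading them.

Added example (not part of the sandbox report). The catalogue of stores and
their legitimate owner images below is a hypothetical assumption chosen to
match this report's observations; extend it for your own environment.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical catalogue: (category, pattern on the target path/key,
# images that legitimately own that store).
CREDENTIAL_STORES = [
    ("browser_logins",
     re.compile(r"\\(?:Google\\Chrome|Microsoft\\Edge)\\User Data\\.*\\Login Data$", re.I),
     {"chrome.exe", "msedge.exe"}),
    ("gecko_profile",
     re.compile(r"\\(?:Mozilla\\Firefox|Thunderbird|8pecxstudios\\Cyberfox|"
                r"NETGATE Technologies\\BlackHawk)\\profiles\.ini$", re.I),
     {"firefox.exe", "thunderbird.exe", "cyberfox.exe", "blackhawk.exe"}),
    ("winscp_sessions",
     re.compile(r"^HKEY_CURRENT_USER\\SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions$", re.I),
     {"winscp.exe"}),
    ("ftp_client",
     re.compile(r"\\FTP Navigator\\Ftplist\.txt$", re.I),
     {"ftpnavigator.exe"}),
    ("mail_profiles",
     re.compile(r"(?:\\Windows Messaging Subsystem\\Profiles|\\IncrediMail\\Identities)$", re.I),
     {"outlook.exe", "incmail.exe"}),
]

# One behaviour line of the report; the trailing "Jump to behavior" link
# text that the HTML export leaves behind is tolerated and dropped.
LINE_RE = re.compile(
    r"^Source:\s+(?P<image>.+?\.exe)\s+(?P<op>File opened|Key opened):\s+"
    r"(?P<target>.+?)(?:\s+Jump to behavior)?$")


@dataclass(frozen=True)
class Finding:
    image: str
    category: str
    target: str


def classify(target):
    """Return (category, owner images) for a credential store, else (None, None)."""
    for category, pattern, owners in CREDENTIAL_STORES:
        if pattern.search(target):
            return category, owners
    return None, None


def scan(lines):
    """One Finding per distinct (image, store) access by a non-owner image."""
    findings, seen = [], set()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # volume queries, Yara matches etc. are not access events
        category, owners = classify(m["target"])
        if category is None:
            continue
        image = m["image"].rsplit("\\", 1)[-1].lower()
        if image in owners:
            continue  # an application reading its own store is expected
        f = Finding(image, category, m["target"])
        if f not in seen:
            seen.add(f)
            findings.append(f)
    return findings


def stores_per_image(findings):
    """Map each offending image to the set of store categories it touched."""
    out = defaultdict(set)
    for f in findings:
        out[f.image].add(f.category)
    return dict(out)


def stealer_like(findings, min_categories=3):
    """Images touching several unrelated store types: the info-stealer pattern."""
    return sorted(img for img, cats in stores_per_image(findings).items()
                  if len(cats) >= min_categories)


# Constructed sample: lines shaped like the report's, plus two controls
# (a benign Chrome access to its own database and an unrelated volume query).
SAMPLE_LINES = [
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\FTP Navigator\Ftplist.txt",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities",
    r"Source: C:\Program Files\Google\Chrome\Application\chrome.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Queries volume information: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe VolumeInformation",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"{f.image}: {f.category} <- {f.target}")
    print("stealer-like:", stealer_like(scan(SAMPLE_LINES)))
```

Exact-path matching on its own is brittle: a stealer build that adds one more browser or FTP client slips past a catalogue entry. The breadth check in stealer_like is what carries over between samples, because a process that reads browser password databases, SFTP session keys and mail profiles within one run is doing credential harvesting regardless of which binary it was injected into. In a real pipeline the same logic runs over Sysmon file-access and registry events (Event IDs 11 and 12/13) rather than over the sandbox's text export.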

Remote Access Functionality

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.38c7f10.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rOqlzaXqJObX.exe.3fedc00.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.388cef0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rOqlzaXqJObX.exe.4028c20.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rOqlzaXqJObX.exe.4028c20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rOqlzaXqJObX.exe.3fedc00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.38c7f10.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.388cef0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.2095525383.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3221886941.000000000300A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2096868576.0000000002A62000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2096868576.0000000002A6A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3221886941.0000000003002000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3221886941.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2138002794.0000000003FED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2096868576.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2042132144.000000000388C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ISS GLOBAL FORWARDING UAE LLC.exe PID: 2928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7332, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rOqlzaXqJObX.exe PID: 7444, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7672, type: MEMORYSTR
Source: Yara match File source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.25fd1cc.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.6e90000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.6e90000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rOqlzaXqJObX.exe.2d5d198.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rOqlzaXqJObX.exe.2d5d198.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rOqlzaXqJObX.exe.30ae8d8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.294f930.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.25fd1cc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rOqlzaXqJObX.exe.30af8f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.2917bc0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ISS GLOBAL FORWARDING UAE LLC.exe.294e918.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rOqlzaXqJObX.exe.3077b80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2047820467.0000000006E90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2134879689.0000000003039000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2040961917.00000000028D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2134879689.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2040961917.00000000025B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
[Legend of the IP distribution map: fewer than 25%, 25% to 50%, 50% to 75%, and more than 75% of IPs]