Windows Analysis Report
Bill Of Lading.exe

Overview

General Information

Sample name: Bill Of Lading.exe
Analysis ID: 1544350
MD5: e6d942c53b473fb6f9b53a24a59d083b
SHA1: 284b60dfc554bfb5aa78717d510a4b1a702b4598
SHA256: 862a367b1e130dc47d08a2d4ce26bec8d85196f00c1a3f6c0df4fc5f099139cd
Tags: exeMassLoggeruser-Maciej8910871
Infos:

Detection

MassLogger RAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected MassLogger RAT
Yara detected Telegram RAT
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

AV Detection
barindex
Found malware configuration
Source: 4.2.Bill Of Lading.exe.400000.0.unpack Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "kingnovasend@zqamcx.com", "Password": "Anambraeast", "Server": "zqamcx.com", "To": "kingnovaresult@zqamcx.com", "Port": 587}
Multi AV Scanner detection for submitted file
Source: Bill Of Lading.exe ReversingLabs: Detection: 39%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: Bill Of Lading.exe Joe Sandbox ML: detected

Location Tracking
barindex
Tries to detect the country of the analysis system (by using the IP)
Source: unknown DNS query: name: reallyfreegeoip.org
Uses 32bit PE files
Source: Bill Of Lading.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49737 version: TLS 1.0
Source: Bill Of Lading.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4x nop then jmp 016B5782h 4_2_016B5367
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4x nop then jmp 016B51B9h 4_2_016B4F08
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4x nop then jmp 016B5782h 4_2_016B56AF
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4x nop then jmp 032DF028h 4_2_032DED80
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4x nop then jmp 032D1935h 4_2_032D15F8
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4x nop then jmp 032DADC8h 4_2_032DAB20
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4x nop then jmp 032D3648h 4_2_032D33A0
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4x nop then jmp 032DB678h 4_2_032DB3D0
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4x nop then jmp 032DD4E0h 4_2_032DD238
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4x nop then jmp 032DA518h 4_2_032DA270
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4x nop then jmp 032DFD30h 4_2_032DFA88
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4x nop then jmp 032D2D98h 4_2_032D2AF0
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4x nop then jmp 032DEBD0h 4_2_032DE928
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4x nop then jmp 032D1449h 4_2_032D11A0
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4x nop then jmp 032DCC30h 4_2_032DC988
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4x nop then jmp 032DF480h 4_2_032DF1D8
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4x nop then jmp 032DBAD0h 4_2_032DB828
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4x nop then jmp 032DE320h 4_2_032DE078
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4x nop then jmp 032D02E9h 4_2_032D0040
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4x nop then jmp 032D4350h 4_2_032D40A8
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4x nop then jmp 032D0B99h 4_2_032D08F0
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4x nop then jmp 032DC380h 4_2_032DC0D8
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4x nop then jmp 032DB220h 4_2_032DAF78
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4x nop then jmp 032D31F0h 4_2_032D2F48
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4x nop then jmp 032D3AA0h 4_2_032D37F8
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4x nop then jmp 032DF8D8h 4_2_032DF630
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4x nop then jmp 032DA0C0h 4_2_032D9E18
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4x nop then jmp 032DD93Ah 4_2_032DD690
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4x nop then jmp 032DA970h 4_2_032DA6C8
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4x nop then jmp 032DC7D8h 4_2_032DC530
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4x nop then jmp 032D0FF1h 4_2_032D0D48
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4x nop then jmp 032DD088h 4_2_032DCDE0
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4x nop then jmp 032DDEC8h 4_2_032DDC20
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4x nop then jmp 032D3EF8h 4_2_032D3C50
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4x nop then jmp 032DBF28h 4_2_032DBC80
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4x nop then jmp 032D0741h 4_2_032D0498
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4x nop then jmp 032DE778h 4_2_032DE4D0
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 132.226.247.73 132.226.247.73
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
May check the online IP address of the machine
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49735 -> 132.226.247.73:80
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49737 version: TLS 1.0
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: Bill Of Lading.exe, 00000004.00000002.2930568379.000000000336E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: Bill Of Lading.exe, 00000004.00000002.2930568379.000000000336E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.comd
Source: Bill Of Lading.exe, 00000004.00000002.2930568379.000000000336E000.00000004.00000800.00020000.00000000.sdmp, Bill Of Lading.exe, 00000004.00000002.2930568379.0000000003362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: Bill Of Lading.exe, 00000004.00000002.2930568379.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: Bill Of Lading.exe, 00000004.00000002.2930568379.000000000336E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/d
Source: Bill Of Lading.exe, 00000000.00000002.1731055909.00000000041B7000.00000004.00000800.00020000.00000000.sdmp, Bill Of Lading.exe, 00000004.00000002.2928507944.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: Bill Of Lading.exe, 00000004.00000002.2930568379.000000000336E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.orgd
Source: Bill Of Lading.exe String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Bill Of Lading.exe String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: Bill Of Lading.exe, 00000004.00000002.2932716235.0000000006968000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.m
Source: Bill Of Lading.exe String found in binary or memory: http://ocsp.comodoca.com0
Source: Bill Of Lading.exe, 00000004.00000002.2930568379.000000000338B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://reallyfreegeoip.org
Source: Bill Of Lading.exe, 00000004.00000002.2930568379.000000000338B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://reallyfreegeoip.orgd
Source: Bill Of Lading.exe, 00000000.00000002.1730779079.0000000002959000.00000004.00000800.00020000.00000000.sdmp, Bill Of Lading.exe, 00000004.00000002.2930568379.00000000032F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: Bill Of Lading.exe, 00000000.00000002.1731055909.00000000041B7000.00000004.00000800.00020000.00000000.sdmp, Bill Of Lading.exe, 00000004.00000002.2928507944.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: Bill Of Lading.exe, 00000004.00000002.2930568379.000000000336E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: Bill Of Lading.exe, 00000000.00000002.1731055909.00000000041B7000.00000004.00000800.00020000.00000000.sdmp, Bill Of Lading.exe, 00000004.00000002.2930568379.000000000336E000.00000004.00000800.00020000.00000000.sdmp, Bill Of Lading.exe, 00000004.00000002.2928507944.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Bill Of Lading.exe, 00000004.00000002.2930568379.000000000336E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.72d
Source: Bill Of Lading.exe, 00000004.00000002.2930568379.000000000336E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.72l
Source: Bill Of Lading.exe String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to log keystrokes (.Net Source)
Source: 0.2.Bill Of Lading.exe.4218b98.1.raw.unpack, UltraSpeed.cs .Net Code: VKCodeToUnicode
Source: 0.2.Bill Of Lading.exe.422f9b8.0.raw.unpack, UltraSpeed.cs .Net Code: VKCodeToUnicode

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.Bill Of Lading.exe.422f9b8.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Bill Of Lading.exe.422f9b8.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Bill Of Lading.exe.4218b98.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Bill Of Lading.exe.4218b98.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.Bill Of Lading.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.Bill Of Lading.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Bill Of Lading.exe.422f9b8.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Bill Of Lading.exe.4218b98.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.2928507944.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1731055909.00000000041B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Bill Of Lading.exe PID: 7096, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Bill Of Lading.exe PID: 2516, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Bill Of Lading.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 0_2_07373B8C NtQueryInformationProcess, 0_2_07373B8C
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 0_2_07378BB8 NtQueryInformationProcess, 0_2_07378BB8
Detected potential crypto function
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 0_2_00E1D3C4 0_2_00E1D3C4
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 0_2_072AE100 0_2_072AE100
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 0_2_072AE7D8 0_2_072AE7D8
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 0_2_0737E430 0_2_0737E430
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 0_2_07375F00 0_2_07375F00
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 0_2_07374C30 0_2_07374C30
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 0_2_0737A778 0_2_0737A778
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 0_2_0737A788 0_2_0737A788
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 0_2_0737E41F 0_2_0737E41F
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 0_2_073784D8 0_2_073784D8
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 0_2_07378018 0_2_07378018
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 0_2_07375EF2 0_2_07375EF2
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 0_2_07378D88 0_2_07378D88
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 0_2_07374C21 0_2_07374C21
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 0_2_07377BD0 0_2_07377BD0
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 0_2_0737AA10 0_2_0737AA10
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 0_2_0737A9FF 0_2_0737A9FF
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 0_2_07AB73E8 0_2_07AB73E8
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 0_2_07AB31B1 0_2_07AB31B1
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 0_2_07AB31C0 0_2_07AB31C0
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 0_2_07AB1138 0_2_07AB1138
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 0_2_07AB0D00 0_2_07AB0D00
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 0_2_07AB1570 0_2_07AB1570
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 0_2_07AB2810 0_2_07AB2810
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_016BC168 4_2_016BC168
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_016B19B8 4_2_016B19B8
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_016BCAB0 4_2_016BCAB0
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_016B2DD1 4_2_016B2DD1
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_016B4F08 4_2_016B4F08
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_016B7E68 4_2_016B7E68
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_016BB9E0 4_2_016BB9E0
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_016BB9D0 4_2_016BB9D0
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_016BCA82 4_2_016BCA82
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_016B7E67 4_2_016B7E67
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_016B4EF8 4_2_016B4EF8
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032D6998 4_2_032D6998
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032D7770 4_2_032D7770
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032D4500 4_2_032D4500
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032DED80 4_2_032DED80
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032D15F8 4_2_032D15F8
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032D1C58 4_2_032D1C58
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032DAB20 4_2_032DAB20
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032DAB10 4_2_032DAB10
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032D1B4A 4_2_032D1B4A
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032D33A0 4_2_032D33A0
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032D3393 4_2_032D3393
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032DB3C1 4_2_032DB3C1
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032DB3D0 4_2_032DB3D0
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032DD238 4_2_032DD238
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032DA261 4_2_032DA261
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032DFA78 4_2_032DFA78
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032DA270 4_2_032DA270
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032DFA88 4_2_032DFA88
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032D2AE0 4_2_032D2AE0
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032D2AF0 4_2_032D2AF0
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032DE928 4_2_032DE928
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032DE91F 4_2_032DE91F
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032DC97B 4_2_032DC97B
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032D11A0 4_2_032D11A0
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032D118F 4_2_032D118F
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032DC988 4_2_032DC988
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032DF1C8 4_2_032DF1C8
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032DF1D8 4_2_032DF1D8
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032DB828 4_2_032DB828
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032D0006 4_2_032D0006
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032DB818 4_2_032DB818
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032DE068 4_2_032DE068
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032DE078 4_2_032DE078
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032D0040 4_2_032D0040
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032D40A8 4_2_032D40A8
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032D4098 4_2_032D4098
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032D08F0 4_2_032D08F0
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032DC0CB 4_2_032DC0CB
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032D08DF 4_2_032D08DF
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032DC0D8 4_2_032DC0D8
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032D2F38 4_2_032D2F38
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032DAF68 4_2_032DAF68
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032DAF78 4_2_032DAF78
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032D2F48 4_2_032D2F48
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032D37E8 4_2_032D37E8
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032D37F8 4_2_032D37F8
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032DF620 4_2_032DF620
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032DF630 4_2_032DF630
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032D9E18 4_2_032D9E18
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032DA6B9 4_2_032DA6B9
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032DD683 4_2_032DD683
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032DD690 4_2_032DD690
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032DA6C8 4_2_032DA6C8
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032DC520 4_2_032DC520
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032D0D3C 4_2_032D0D3C
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032DC530 4_2_032DC530
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032DED70 4_2_032DED70
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032D0D48 4_2_032D0D48
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032D15EB 4_2_032D15EB
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032DCDE0 4_2_032DCDE0
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032DCDD0 4_2_032DCDD0
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032DDC20 4_2_032DDC20
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032DDC13 4_2_032DDC13
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032DBC71 4_2_032DBC71
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032D3C43 4_2_032D3C43
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032D3C50 4_2_032D3C50
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032D048C 4_2_032D048C
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032DBC80 4_2_032DBC80
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032D0498 4_2_032D0498
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032D9C90 4_2_032D9C90
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032DE4C3 4_2_032DE4C3
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_032DE4D0 4_2_032DE4D0
PE / OLE file has an invalid certificate
Source: Bill Of Lading.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: Bill Of Lading.exe, 00000000.00000002.1730779079.0000000002959000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCloudServices.exe< vs Bill Of Lading.exe
Source: Bill Of Lading.exe, 00000000.00000002.1734533089.000000000B570000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Bill Of Lading.exe
Source: Bill Of Lading.exe, 00000000.00000000.1676963877.0000000000562000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamejGmN.exe4 vs Bill Of Lading.exe
Source: Bill Of Lading.exe, 00000000.00000002.1731055909.00000000041B7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCloudServices.exe< vs Bill Of Lading.exe
Source: Bill Of Lading.exe, 00000000.00000002.1731055909.00000000041B7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Bill Of Lading.exe
Source: Bill Of Lading.exe, 00000000.00000002.1733884571.00000000075F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePowerShe vs Bill Of Lading.exe
Source: Bill Of Lading.exe, 00000000.00000002.1729141781.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Bill Of Lading.exe
Source: Bill Of Lading.exe, 00000004.00000002.2928664508.00000000012F7000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Bill Of Lading.exe
Source: Bill Of Lading.exe, 00000004.00000002.2928507944.000000000041A000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCloudServices.exe< vs Bill Of Lading.exe
Source: Bill Of Lading.exe Binary or memory string: OriginalFilenamejGmN.exe4 vs Bill Of Lading.exe
Uses 32bit PE files
Source: Bill Of Lading.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 0.2.Bill Of Lading.exe.422f9b8.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Bill Of Lading.exe.422f9b8.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Bill Of Lading.exe.4218b98.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Bill Of Lading.exe.4218b98.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.Bill Of Lading.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.Bill Of Lading.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Bill Of Lading.exe.422f9b8.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Bill Of Lading.exe.4218b98.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.2928507944.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1731055909.00000000041B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Bill Of Lading.exe PID: 7096, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Bill Of Lading.exe PID: 2516, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Bill Of Lading.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Bill Of Lading.exe.4218b98.1.raw.unpack, UltraSpeed.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Bill Of Lading.exe.4218b98.1.raw.unpack, COVIDPickers.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Bill Of Lading.exe.422f9b8.0.raw.unpack, UltraSpeed.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Bill Of Lading.exe.422f9b8.0.raw.unpack, COVIDPickers.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, VNK5t567Ta80gukmJr.cs Security API names: _0020.SetAccessControl
Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, VNK5t567Ta80gukmJr.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, VNK5t567Ta80gukmJr.cs Security API names: _0020.AddAccessRule
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, VNK5t567Ta80gukmJr.cs Security API names: _0020.SetAccessControl
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, VNK5t567Ta80gukmJr.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, VNK5t567Ta80gukmJr.cs Security API names: _0020.AddAccessRule
Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, yYex5M0Fb9d9vCYsJy.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, yYex5M0Fb9d9vCYsJy.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@6/6@2/2
Source: C:\Users\user\Desktop\Bill Of Lading.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Bill Of Lading.exe.log Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Mutant created: NULL
Source: C:\Users\user\Desktop\Bill Of Lading.exe Mutant created: \Sessions\1\BaseNamedObjects\sLOqATlyg
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1508:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lefng4a4.n3e.ps1 Jump to behavior
Source: Bill Of Lading.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Bill Of Lading.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\Bill Of Lading.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Bill Of Lading.exe, 00000004.00000002.2930568379.00000000033EC000.00000004.00000800.00020000.00000000.sdmp, Bill Of Lading.exe, 00000004.00000002.2930568379.00000000033DE000.00000004.00000800.00020000.00000000.sdmp, Bill Of Lading.exe, 00000004.00000002.2930568379.00000000033CE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Bill Of Lading.exe ReversingLabs: Detection: 39%
Source: unknown Process created: C:\Users\user\Desktop\Bill Of Lading.exe "C:\Users\user\Desktop\Bill Of Lading.exe"
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bill Of Lading.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process created: C:\Users\user\Desktop\Bill Of Lading.exe "C:\Users\user\Desktop\Bill Of Lading.exe"
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bill Of Lading.exe" Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process created: C:\Users\user\Desktop\Bill Of Lading.exe "C:\Users\user\Desktop\Bill Of Lading.exe" Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: iconcodecservice.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Bill Of Lading.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: Bill Of Lading.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Bill Of Lading.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: 0.2.Bill Of Lading.exe.53a0000.3.raw.unpack, Uo.cs .Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, VNK5t567Ta80gukmJr.cs .Net Code: t9XjiCC8h5 System.Reflection.Assembly.Load(byte[])
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, VNK5t567Ta80gukmJr.cs .Net Code: t9XjiCC8h5 System.Reflection.Assembly.Load(byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 0_2_072AA656 push FFFFFF8Bh; iretd 0_2_072AA65A
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 0_2_072A5430 push eax; ret 0_2_072A5471
Source: Bill Of Lading.exe Static PE information: section name: .text entropy: 7.597028428709984
Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, WsdF1GHByCfG39n34hG.cs High entropy of concatenated method names: 'XTs7ejQMdT', 'FEl7mXO3NH', 'Mro7is3dOB', 'AbT7qGhn8E', 'TrX7niYG7s', 'jyk75k8438', 'vKn7fCvmJL', 'OJP709tXqf', 'ney7aAyiZP', 'gx87vECJ1L'
Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, R1oBQEOJUT5B5BLI9I.cs High entropy of concatenated method names: 'ToString', 'ttwUJ6iNy4', 'YQmUo1r1fS', 'pMDUx9tN9F', 'VvLUDBIVmR', 'fqnUt6evvl', 'G8nUCviLYL', 'S46UQbbYtb', 'ihBUsPW470', 'xDZU83ECrS'
Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, yYex5M0Fb9d9vCYsJy.cs High entropy of concatenated method names: 'jPUANjhKmk', 'N0YAVqL97Z', 'EHeAO8uJRK', 'xWxAwIRwIJ', 'ebfA198WD0', 'O26A93ZG2D', 'F4FA3BGUNh', 'miiAkdJOdr', 'aUFAhBFiIr', 'BpJAIsC2E7'
Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, pdGFg3XTNgk33RALG8.cs High entropy of concatenated method names: 'bM5KcxW2gM', 'Lo2KAsyNSY', 'qOFKu0wo74', 'TgGKyLdXFY', 'Pt0K6ovnjM', 'Qysu1B5EaD', 'lt6u93Zvh2', 'DQBu31hpND', 'SoaukPCjQV', 'caAuhVh7Kj'
Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, YnvJjTAnNmihZSjDMM.cs High entropy of concatenated method names: 'Dispose', 'kEiHhWRBtb', 'MNQSo0j6YH', 'ANwRRCAKac', 'Fj2HINnvnp', 'uYOHzbchhu', 'ProcessDialogKey', 'iTaSB3F7gX', 'DgaSHOeEFO', 'xkgSSoKROH'
Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, d2NnvnkpGYObchhuKT.cs High entropy of concatenated method names: 'mOKgM0jeFh', 'iF9gAbm9Fl', 'g8xgr6UMHO', 'uG0gudCmpR', 'xPbgKbaX5P', 'V9rgyutwaV', 'JEUg6UYdu5', 'OAYgdfqhkM', 'BIkgpSCCgi', 'NSQgFXaa1H'
Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, XSaccbSuQjsahpQDZ8.cs High entropy of concatenated method names: 'rdGiA1y0t', 'kwsqDI4cw', 'Yyo5UpPIg', 'zAdfSL7P4', 'mkja6c86b', 'MeQvAvxf3', 'P1OOwf3ra2Y0tx7g2k', 'wspbugi2h03ugJuOFe', 'P44gaISDL', 'jYtY3Qphv'
Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, ucl6GTCKFMgIfewJUq.cs High entropy of concatenated method names: 'zftKO7MSe6', 'msPKw4iTWD', 'UPdK1IgZKl', 'ToString', 'idqK9mdK8f', 'L36K3tHX5L', 'A1OowUv03WS4MJLyC6N', 'Qip0B8vo8ZinssaMc8p', 'BSGFe7vIYdGgr28b4ye', 'vefILuvyItsMM2QuSUD'
Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, NBUNKKwdpFD2sRYih3.cs High entropy of concatenated method names: 'IWvEpHMvWe', 'dfIEFuK69y', 'ToString', 'ytMEM4Pd2r', 'bkQEAQ7jwg', 'NjXEraZuoM', 'pLUEu5PT55', 'HOHEKH1uCl', 'bmpEyl9AvV', 'xYQE6jXSNf'
Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, ap2pVR8qDlIvkU6pII.cs High entropy of concatenated method names: 'IwnyeJriJ8', 'SkeymjoAaT', 'nmVyiwfYtY', 'ACHyqp9Ox6', 'utvynUI747', 'Yhjy5Aq0br', 'hJdyfhIY37', 'eVwy0fij5L', 'Aipyaq4ucP', 'bEJyvfsKUQ'
Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, j60JomQwKbPv1l24XR.cs High entropy of concatenated method names: 'KWZyMM1Dj9', 'NXgyrekFIn', 'F16yKB270t', 'YtOKIouteu', 'lY0KzDMjGL', 'tODyB5dfvW', 'a7vyHxSJuZ', 'kR4yS9Ekfg', 'g3MyldQlvu', 'E5EyjrH7XX'
Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, E3F7gXh0gaOeEFOTkg.cs High entropy of concatenated method names: 'OnAgX9Qgp9', 'pIrgoVV3um', 'pcHgx9uBMC', 'rsygDucbsM', 'kVVgNMV2Uc', 'w5Ogt5PPxJ', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, LMOT6UNdReeVWoPAID.cs High entropy of concatenated method names: 'Pb5Z4wLua6', 'W7OZbtuOmM', 'jY2ZNHjCqu', 'apaZV8Fc02', 'DruZomdYKj', 'bleZxAaVlV', 'dpfZD1KQEJ', 'KUCZt1NjhZ', 'FXZZCNkKLN', 'LMRZQhig0o'
Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, oGYcpcvq7PRQIK6iEx.cs High entropy of concatenated method names: 'W0Eun5SKet', 'DjyufjUXwv', 'TRCrxye8QF', 'hJ0rDfY7CA', 'Y2rrtt9IKG', 'rxXrCULcxh', 'eOSrQ9kAp4', 'c7MrshZ5Ww', 'RJZr8cuda0', 'F7Er4X0UB1'
Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, FIrm0jHlMQoThYVr9ZY.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'R4qYNwQuZ7', 'pIOYVMGDN3', 'OZrYOkBQR0', 'HMHYwxkkLK', 'bIBY1XYVgc', 'L4PY9OuoSG', 'WXwY3IFlXe'
Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, mFhgPy2nR54giMNkmJ.cs High entropy of concatenated method names: 'ieIP0lLGdA', 'v4EPamL9qp', 'fodPXsXfV7', 'DeoPoj4tHC', 'EYPPDOfMjq', 'Y5PPtSk8rv', 'V5hPQ9sGUp', 'WWjPslRVHN', 'KZDP4cthVx', 'lojPJN8jF0'
Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, VNK5t567Ta80gukmJr.cs High entropy of concatenated method names: 'EC1lcTh3do', 'OaHlMIhdPu', 'FKwlAsHtqR', 'nvclrmUY5B', 'KrJluifijM', 'Df6lKIClLy', 'iyMlyhnkxk', 'gW6l64Bjh5', 'NLolddIO6i', 'cpLlpCE3gZ'
Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, RO7QEkjQXdeu77xcCL.cs High entropy of concatenated method names: 'TvmHyYex5M', 'mb9H6d9vCY', 'Ah1Hp57xKi', 'fcIHF5ZGYc', 'i6iHZExUdG', 'mg3HUTNgk3', 'MT8xilRxCpyx8JKOcx', 'MAM1FvYujOFaHpyNGb', 'hvUHHZbfgC', 'BVkHlDqHGQ'
Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, g5N5xqah157xKiMcI5.cs High entropy of concatenated method names: 'XwwrqUcsCE', 'KkOr5ZQOIS', 'ATBr0AUbsF', 'UOpraXXVUZ', 'oiYrZum0iC', 'i7arUKkdPx', 'xbbrEcT9jd', 'XRMrg5yUMK', 'cXur7ffgE5', 'kRmrYxRBw0'
Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, HKROHvIde0F9Vhk3N4.cs High entropy of concatenated method names: 'Xjn7HC1NkA', 'LYY7lsOMkp', 'EgC7jBSJhG', 'jBK7MxDgO7', 'ufM7A7MgtH', 'TnV7usUria', 'ST17KjII7V', 'uhvg3VvjSj', 'TM5gkAq6Q5', 'ctLghaR2fT'
Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, qwJAvL92EgDZ8B25LL.cs High entropy of concatenated method names: 'aV4EkEn7lR', 'iXFEIyhkZp', 'Na9gBUYTvc', 'BeLgHLbgSx', 'wbFEJ0ywfe', 'KKKEbFdZwJ', 'vqcE2GpN5d', 'rnmENAyKe0', 'dOGEVPtEJ6', 'SjdEO7VelM'
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, WsdF1GHByCfG39n34hG.cs High entropy of concatenated method names: 'XTs7ejQMdT', 'FEl7mXO3NH', 'Mro7is3dOB', 'AbT7qGhn8E', 'TrX7niYG7s', 'jyk75k8438', 'vKn7fCvmJL', 'OJP709tXqf', 'ney7aAyiZP', 'gx87vECJ1L'
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, R1oBQEOJUT5B5BLI9I.cs High entropy of concatenated method names: 'ToString', 'ttwUJ6iNy4', 'YQmUo1r1fS', 'pMDUx9tN9F', 'VvLUDBIVmR', 'fqnUt6evvl', 'G8nUCviLYL', 'S46UQbbYtb', 'ihBUsPW470', 'xDZU83ECrS'
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, yYex5M0Fb9d9vCYsJy.cs High entropy of concatenated method names: 'jPUANjhKmk', 'N0YAVqL97Z', 'EHeAO8uJRK', 'xWxAwIRwIJ', 'ebfA198WD0', 'O26A93ZG2D', 'F4FA3BGUNh', 'miiAkdJOdr', 'aUFAhBFiIr', 'BpJAIsC2E7'
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, pdGFg3XTNgk33RALG8.cs High entropy of concatenated method names: 'bM5KcxW2gM', 'Lo2KAsyNSY', 'qOFKu0wo74', 'TgGKyLdXFY', 'Pt0K6ovnjM', 'Qysu1B5EaD', 'lt6u93Zvh2', 'DQBu31hpND', 'SoaukPCjQV', 'caAuhVh7Kj'
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, YnvJjTAnNmihZSjDMM.cs High entropy of concatenated method names: 'Dispose', 'kEiHhWRBtb', 'MNQSo0j6YH', 'ANwRRCAKac', 'Fj2HINnvnp', 'uYOHzbchhu', 'ProcessDialogKey', 'iTaSB3F7gX', 'DgaSHOeEFO', 'xkgSSoKROH'
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, d2NnvnkpGYObchhuKT.cs High entropy of concatenated method names: 'mOKgM0jeFh', 'iF9gAbm9Fl', 'g8xgr6UMHO', 'uG0gudCmpR', 'xPbgKbaX5P', 'V9rgyutwaV', 'JEUg6UYdu5', 'OAYgdfqhkM', 'BIkgpSCCgi', 'NSQgFXaa1H'
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, XSaccbSuQjsahpQDZ8.cs High entropy of concatenated method names: 'rdGiA1y0t', 'kwsqDI4cw', 'Yyo5UpPIg', 'zAdfSL7P4', 'mkja6c86b', 'MeQvAvxf3', 'P1OOwf3ra2Y0tx7g2k', 'wspbugi2h03ugJuOFe', 'P44gaISDL', 'jYtY3Qphv'
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, ucl6GTCKFMgIfewJUq.cs High entropy of concatenated method names: 'zftKO7MSe6', 'msPKw4iTWD', 'UPdK1IgZKl', 'ToString', 'idqK9mdK8f', 'L36K3tHX5L', 'A1OowUv03WS4MJLyC6N', 'Qip0B8vo8ZinssaMc8p', 'BSGFe7vIYdGgr28b4ye', 'vefILuvyItsMM2QuSUD'
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, NBUNKKwdpFD2sRYih3.cs High entropy of concatenated method names: 'IWvEpHMvWe', 'dfIEFuK69y', 'ToString', 'ytMEM4Pd2r', 'bkQEAQ7jwg', 'NjXEraZuoM', 'pLUEu5PT55', 'HOHEKH1uCl', 'bmpEyl9AvV', 'xYQE6jXSNf'
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, ap2pVR8qDlIvkU6pII.cs High entropy of concatenated method names: 'IwnyeJriJ8', 'SkeymjoAaT', 'nmVyiwfYtY', 'ACHyqp9Ox6', 'utvynUI747', 'Yhjy5Aq0br', 'hJdyfhIY37', 'eVwy0fij5L', 'Aipyaq4ucP', 'bEJyvfsKUQ'
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, j60JomQwKbPv1l24XR.cs High entropy of concatenated method names: 'KWZyMM1Dj9', 'NXgyrekFIn', 'F16yKB270t', 'YtOKIouteu', 'lY0KzDMjGL', 'tODyB5dfvW', 'a7vyHxSJuZ', 'kR4yS9Ekfg', 'g3MyldQlvu', 'E5EyjrH7XX'
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, E3F7gXh0gaOeEFOTkg.cs High entropy of concatenated method names: 'OnAgX9Qgp9', 'pIrgoVV3um', 'pcHgx9uBMC', 'rsygDucbsM', 'kVVgNMV2Uc', 'w5Ogt5PPxJ', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, LMOT6UNdReeVWoPAID.cs High entropy of concatenated method names: 'Pb5Z4wLua6', 'W7OZbtuOmM', 'jY2ZNHjCqu', 'apaZV8Fc02', 'DruZomdYKj', 'bleZxAaVlV', 'dpfZD1KQEJ', 'KUCZt1NjhZ', 'FXZZCNkKLN', 'LMRZQhig0o'
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, oGYcpcvq7PRQIK6iEx.cs High entropy of concatenated method names: 'W0Eun5SKet', 'DjyufjUXwv', 'TRCrxye8QF', 'hJ0rDfY7CA', 'Y2rrtt9IKG', 'rxXrCULcxh', 'eOSrQ9kAp4', 'c7MrshZ5Ww', 'RJZr8cuda0', 'F7Er4X0UB1'
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, FIrm0jHlMQoThYVr9ZY.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'R4qYNwQuZ7', 'pIOYVMGDN3', 'OZrYOkBQR0', 'HMHYwxkkLK', 'bIBY1XYVgc', 'L4PY9OuoSG', 'WXwY3IFlXe'
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, mFhgPy2nR54giMNkmJ.cs High entropy of concatenated method names: 'ieIP0lLGdA', 'v4EPamL9qp', 'fodPXsXfV7', 'DeoPoj4tHC', 'EYPPDOfMjq', 'Y5PPtSk8rv', 'V5hPQ9sGUp', 'WWjPslRVHN', 'KZDP4cthVx', 'lojPJN8jF0'
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, VNK5t567Ta80gukmJr.cs High entropy of concatenated method names: 'EC1lcTh3do', 'OaHlMIhdPu', 'FKwlAsHtqR', 'nvclrmUY5B', 'KrJluifijM', 'Df6lKIClLy', 'iyMlyhnkxk', 'gW6l64Bjh5', 'NLolddIO6i', 'cpLlpCE3gZ'
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, RO7QEkjQXdeu77xcCL.cs High entropy of concatenated method names: 'TvmHyYex5M', 'mb9H6d9vCY', 'Ah1Hp57xKi', 'fcIHF5ZGYc', 'i6iHZExUdG', 'mg3HUTNgk3', 'MT8xilRxCpyx8JKOcx', 'MAM1FvYujOFaHpyNGb', 'hvUHHZbfgC', 'BVkHlDqHGQ'
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, g5N5xqah157xKiMcI5.cs High entropy of concatenated method names: 'XwwrqUcsCE', 'KkOr5ZQOIS', 'ATBr0AUbsF', 'UOpraXXVUZ', 'oiYrZum0iC', 'i7arUKkdPx', 'xbbrEcT9jd', 'XRMrg5yUMK', 'cXur7ffgE5', 'kRmrYxRBw0'
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, HKROHvIde0F9Vhk3N4.cs High entropy of concatenated method names: 'Xjn7HC1NkA', 'LYY7lsOMkp', 'EgC7jBSJhG', 'jBK7MxDgO7', 'ufM7A7MgtH', 'TnV7usUria', 'ST17KjII7V', 'uhvg3VvjSj', 'TM5gkAq6Q5', 'ctLghaR2fT'
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, qwJAvL92EgDZ8B25LL.cs High entropy of concatenated method names: 'aV4EkEn7lR', 'iXFEIyhkZp', 'Na9gBUYTvc', 'BeLgHLbgSx', 'wbFEJ0ywfe', 'KKKEbFdZwJ', 'vqcE2GpN5d', 'rnmENAyKe0', 'dOGEVPtEJ6', 'SjdEO7VelM'

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\Bill Of Lading.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: Bill Of Lading.exe PID: 7096, type: MEMORYSTR
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\Bill Of Lading.exe Memory allocated: E10000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Memory allocated: 2920000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Memory allocated: 2750000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Memory allocated: 8D20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Memory allocated: 77C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Memory allocated: 9D20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Memory allocated: AD20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Memory allocated: B5D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Memory allocated: C5D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Memory allocated: 16B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Memory allocated: 32F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Memory allocated: 52F0000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Bill Of Lading.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6073 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2143 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Bill Of Lading.exe TID: 6216 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3128 Thread sleep time: -5534023222112862s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5216 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: Bill Of Lading.exe, 00000004.00000002.2929525597.0000000001718000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllZ
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Bill Of Lading.exe Code function: 4_2_016BC168 LdrInitializeThunk,LdrInitializeThunk, 4_2_016BC168
Enables debug privileges
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
.NET source code references suspicious native API functions
Source: 0.2.Bill Of Lading.exe.4218b98.1.raw.unpack, UltraSpeed.cs Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.Bill Of Lading.exe.4218b98.1.raw.unpack, FFDecryptor.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 0.2.Bill Of Lading.exe.4218b98.1.raw.unpack, FFDecryptor.cs Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bill Of Lading.exe"
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bill Of Lading.exe" Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Bill Of Lading.exe Memory written: C:\Users\user\Desktop\Bill Of Lading.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bill Of Lading.exe" Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Process created: C:\Users\user\Desktop\Bill Of Lading.exe "C:\Users\user\Desktop\Bill Of Lading.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Users\user\Desktop\Bill Of Lading.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Users\user\Desktop\Bill Of Lading.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected MassLogger RAT
Source: Yara match File source: 0.2.Bill Of Lading.exe.422f9b8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Bill Of Lading.exe.4218b98.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Bill Of Lading.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Bill Of Lading.exe.422f9b8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Bill Of Lading.exe.4218b98.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2928507944.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1731055909.00000000041B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Bill Of Lading.exe PID: 7096, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Bill Of Lading.exe PID: 2516, type: MEMORYSTR
Yara detected Telegram RAT
Source: Yara match File source: 0.2.Bill Of Lading.exe.422f9b8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Bill Of Lading.exe.4218b98.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Bill Of Lading.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Bill Of Lading.exe.422f9b8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Bill Of Lading.exe.4218b98.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2928507944.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1731055909.00000000041B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Bill Of Lading.exe PID: 7096, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Bill Of Lading.exe PID: 2516, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Bill Of Lading.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\Bill Of Lading.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 0.2.Bill Of Lading.exe.422f9b8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Bill Of Lading.exe.4218b98.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Bill Of Lading.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Bill Of Lading.exe.422f9b8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Bill Of Lading.exe.4218b98.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2928507944.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2930568379.0000000003413000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1731055909.00000000041B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Bill Of Lading.exe PID: 7096, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Bill Of Lading.exe PID: 2516, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected MassLogger RAT
Source: Yara match File source: 0.2.Bill Of Lading.exe.422f9b8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Bill Of Lading.exe.4218b98.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Bill Of Lading.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Bill Of Lading.exe.422f9b8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Bill Of Lading.exe.4218b98.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2928507944.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1731055909.00000000041B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Bill Of Lading.exe PID: 7096, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Bill Of Lading.exe PID: 2516, type: MEMORYSTR
Yara detected Telegram RAT
Source: Yara match File source: 0.2.Bill Of Lading.exe.422f9b8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Bill Of Lading.exe.4218b98.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Bill Of Lading.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Bill Of Lading.exe.422f9b8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Bill Of Lading.exe.4218b98.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2928507944.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1731055909.00000000041B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Bill Of Lading.exe PID: 7096, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Bill Of Lading.exe PID: 2516, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1544350 Sample: Bill Of Lading.exe Startdate: 29/10/2024 Architecture: WINDOWS Score: 100 22 reallyfreegeoip.org 2->22 24 checkip.dyndns.org 2->24 26 checkip.dyndns.com 2->26 32 Found malware configuration 2->32 34 Malicious sample detected (through community Yara rule) 2->34 36 Multi AV Scanner detection for submitted file 2->36 40 11 other signatures 2->40 8 Bill Of Lading.exe 4 2->8         started        signatures3 38 Tries to detect the country of the analysis system (by using the IP) 22->38 process4 file5 20 C:\Users\user\...\Bill Of Lading.exe.log, ASCII 8->20 dropped 42 Adds a directory exclusion to Windows Defender 8->42 44 Injects a PE file into a foreign processes 8->44 12 Bill Of Lading.exe 15 2 8->12         started        16 powershell.exe 23 8->16         started        signatures6 process7 dnsIp8 28 reallyfreegeoip.org 188.114.97.3, 443, 49737 CLOUDFLARENETUS European Union 12->28 30 checkip.dyndns.com 132.226.247.73, 49735, 80 UTMEMUS United States 12->30 46 Tries to steal Mail credentials (via file / registry access) 12->46 48 Tries to harvest and steal browser information (history, passwords, etc) 12->48 50 Loading BitLocker PowerShell Module 16->50 18 conhost.exe 16->18         started        signatures9 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
188.114.97.3
 reallyfreegeoip.org European Union
13335 CLOUDFLARENETUS true
132.226.247.73
 checkip.dyndns.com United States
16989 UTMEMUS false

Contacted Domains

Name IP Active
reallyfreegeoip.org 188.114.97.3 true
checkip.dyndns.com 132.226.247.73 true
checkip.dyndns.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://reallyfreegeoip.org/xml/173.254.250.72 false
    		unknown
    http://checkip.dyndns.org/ false
    • URL Reputation: safe
    		 unknown