Edit tour

Windows Analysis Report
Bill Of Lading.exe

Overview

General Information

Sample name:	Bill Of Lading.exe
Analysis ID:	1544350
MD5:	e6d942c53b473fb6f9b53a24a59d083b
SHA1:	284b60dfc554bfb5aa78717d510a4b1a702b4598
SHA256:	862a367b1e130dc47d08a2d4ce26bec8d85196f00c1a3f6c0df4fc5f099139cd
Tags:	exeMassLoggeruser-Maciej8910871
Infos:

Detection

MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected MassLogger RAT

Yara detected Telegram RAT

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Contains functionality to log keystrokes (.Net Source)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Bill Of Lading.exe (PID: 7096 cmdline: "C:\Users\user\Desktop\Bill Of Lading.exe" MD5: E6D942C53B473FB6F9B53A24A59D083B)

powershell.exe (PID: 2108 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bill Of Lading.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Bill Of Lading.exe (PID: 2516 cmdline: "C:\Users\user\Desktop\Bill Of Lading.exe" MD5: E6D942C53B473FB6F9B53A24A59D083B)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "kingnovasend@zqamcx.com", "Password": "Anambraeast", "Server": "zqamcx.com", "To": "kingnovaresult@zqamcx.com", "Port": 587}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.2928507944.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000004.00000002.2928507944.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2928507944.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000004.00000002.2928507944.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xefa7:$a1: get_encryptedPassword 0xf2cf:$a2: get_encryptedUsername 0xed42:$a3: get_timePasswordChanged 0xee63:$a4: get_passwordField 0xefbd:$a5: set_encryptedPassword 0x10919:$a7: get_logins 0x105ca:$a8: GetOutlookPasswords 0x103bc:$a9: StartKeylogger 0x10869:$a10: KeyLoggerEventArgs 0x10419:$a11: KeyLoggerEventArgsEventHandler
00000004.00000002.2930568379.0000000003413000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1731055909.00000000041B7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.1731055909.00000000041B7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1731055909.00000000041B7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1731055909.00000000041B7000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x70d3f:$a1: get_encryptedPassword 0x87b5f:$a1: get_encryptedPassword 0x9e77f:$a1: get_encryptedPassword 0x71067:$a2: get_encryptedUsername 0x87e87:$a2: get_encryptedUsername 0x9eaa7:$a2: get_encryptedUsername 0x70ada:$a3: get_timePasswordChanged 0x878fa:$a3: get_timePasswordChanged 0x9e51a:$a3: get_timePasswordChanged 0x70bfb:$a4: get_passwordField 0x87a1b:$a4: get_passwordField 0x9e63b:$a4: get_passwordField 0x70d55:$a5: set_encryptedPassword 0x87b75:$a5: set_encryptedPassword 0x9e795:$a5: set_encryptedPassword 0x726b1:$a7: get_logins 0x894d1:$a7: get_logins 0xa00f1:$a7: get_logins 0x72362:$a8: GetOutlookPasswords 0x89182:$a8: GetOutlookPasswords 0x9fda2:$a8: GetOutlookPasswords
Process Memory Space: Bill Of Lading.exe PID: 7096	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: Bill Of Lading.exe PID: 7096	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Bill Of Lading.exe PID: 7096	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Bill Of Lading.exe PID: 7096	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Bill Of Lading.exe PID: 7096	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x602f1:$a1: get_encryptedPassword 0x6060a:$a2: get_encryptedUsername 0x600a0:$a3: get_timePasswordChanged 0x601c1:$a4: get_passwordField 0x60307:$a5: set_encryptedPassword 0x61c0a:$a7: get_logins 0x618bb:$a8: GetOutlookPasswords 0x616ad:$a9: StartKeylogger 0x61b5a:$a10: KeyLoggerEventArgs 0x6170a:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: Bill Of Lading.exe PID: 2516	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: Bill Of Lading.exe PID: 2516	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Bill Of Lading.exe PID: 2516	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Bill Of Lading.exe PID: 2516	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x41826:$a1: get_encryptedPassword 0x41b3f:$a2: get_encryptedUsername 0x415d5:$a3: get_timePasswordChanged 0x416f6:$a4: get_passwordField 0x4183c:$a5: set_encryptedPassword 0x4313f:$a7: get_logins 0x42df0:$a8: GetOutlookPasswords 0x42be2:$a9: StartKeylogger 0x4308f:$a10: KeyLoggerEventArgs 0x42c3f:$a11: KeyLoggerEventArgsEventHandler
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Bill Of Lading.exe.422f9b8.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.Bill Of Lading.exe.422f9b8.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Bill Of Lading.exe.422f9b8.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Bill Of Lading.exe.422f9b8.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3a7:$a1: get_encryptedPassword 0xd6cf:$a2: get_encryptedUsername 0xd142:$a3: get_timePasswordChanged 0xd263:$a4: get_passwordField 0xd3bd:$a5: set_encryptedPassword 0xed19:$a7: get_logins 0xe9ca:$a8: GetOutlookPasswords 0xe7bc:$a9: StartKeylogger 0xec69:$a10: KeyLoggerEventArgs 0xe819:$a11: KeyLoggerEventArgsEventHandler
0.2.Bill Of Lading.exe.422f9b8.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1234b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11849:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b57:$a4: \Orbitum\User Data\Default\Login Data 0x1294f:$a5: \Kometa\User Data\Default\Login Data
0.2.Bill Of Lading.exe.4218b98.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.Bill Of Lading.exe.4218b98.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Bill Of Lading.exe.4218b98.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Bill Of Lading.exe.4218b98.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3a7:$a1: get_encryptedPassword 0xd6cf:$a2: get_encryptedUsername 0xd142:$a3: get_timePasswordChanged 0xd263:$a4: get_passwordField 0xd3bd:$a5: set_encryptedPassword 0xed19:$a7: get_logins 0xe9ca:$a8: GetOutlookPasswords 0xe7bc:$a9: StartKeylogger 0xec69:$a10: KeyLoggerEventArgs 0xe819:$a11: KeyLoggerEventArgsEventHandler
0.2.Bill Of Lading.exe.4218b98.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1234b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11849:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b57:$a4: \Orbitum\User Data\Default\Login Data 0x1294f:$a5: \Kometa\User Data\Default\Login Data
4.2.Bill Of Lading.exe.400000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
4.2.Bill Of Lading.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.Bill Of Lading.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
4.2.Bill Of Lading.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler
4.2.Bill Of Lading.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1414b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13649:$a3: \Google\Chrome\User Data\Default\Login Data 0x13957:$a4: \Orbitum\User Data\Default\Login Data 0x1474f:$a5: \Kometa\User Data\Default\Login Data
0.2.Bill Of Lading.exe.422f9b8.0.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.Bill Of Lading.exe.422f9b8.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Bill Of Lading.exe.422f9b8.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Bill Of Lading.exe.422f9b8.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0x25dc7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0x260ef:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0x25b62:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0x25c83:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x25ddd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x27739:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x273ea:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x271dc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x27689:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler 0x27239:$a11: KeyLoggerEventArgsEventHandler
0.2.Bill Of Lading.exe.4218b98.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.Bill Of Lading.exe.4218b98.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Bill Of Lading.exe.4218b98.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Bill Of Lading.exe.4218b98.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0x25fc7:$a1: get_encryptedPassword 0x3cbe7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0x262ef:$a2: get_encryptedUsername 0x3cf0f:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0x25d62:$a3: get_timePasswordChanged 0x3c982:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0x25e83:$a4: get_passwordField 0x3caa3:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x25fdd:$a5: set_encryptedPassword 0x3cbfd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x27939:$a7: get_logins 0x3e559:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x275ea:$a8: GetOutlookPasswords 0x3e20a:$a8: GetOutlookPasswords
Click to see the 18 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bill Of Lading.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bill Of Lading.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Bill Of Lading.exe", ParentImage: C:\Users\user\Desktop\Bill Of Lading.exe, ParentProcessId: 7096, ParentProcessName: Bill Of Lading.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bill Of Lading.exe", ProcessId: 2108, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bill Of Lading.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bill Of Lading.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Bill Of Lading.exe", ParentImage: C:\Users\user\Desktop\Bill Of Lading.exe, ParentProcessId: 7096, ParentProcessName: Bill Of Lading.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bill Of Lading.exe", ProcessId: 2108, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-29T10:11:05.807600+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49735	132.226.247.73	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 4.2.Bill Of Lading.exe.400000.0.unpack

Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "kingnovasend@zqamcx.com", "Password": "Anambraeast", "Server": "zqamcx.com", "To": "kingnovaresult@zqamcx.com", "Port": 587}

Multi AV Scanner detection for submitted file

Source: Bill Of Lading.exe

ReversingLabs: Detection: 39%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Bill Of Lading.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Bill Of Lading.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49737 version: TLS 1.0

Source: Bill Of Lading.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4x nop then jmp 016B5782h	4_2_016B5367
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4x nop then jmp 016B51B9h	4_2_016B4F08
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4x nop then jmp 016B5782h	4_2_016B56AF
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4x nop then jmp 032DF028h	4_2_032DED80
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4x nop then jmp 032D1935h	4_2_032D15F8
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4x nop then jmp 032DADC8h	4_2_032DAB20
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4x nop then jmp 032D3648h	4_2_032D33A0
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4x nop then jmp 032DB678h	4_2_032DB3D0
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4x nop then jmp 032DD4E0h	4_2_032DD238
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4x nop then jmp 032DA518h	4_2_032DA270
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4x nop then jmp 032DFD30h	4_2_032DFA88
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4x nop then jmp 032D2D98h	4_2_032D2AF0
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4x nop then jmp 032DEBD0h	4_2_032DE928
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4x nop then jmp 032D1449h	4_2_032D11A0
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4x nop then jmp 032DCC30h	4_2_032DC988
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4x nop then jmp 032DF480h	4_2_032DF1D8
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4x nop then jmp 032DBAD0h	4_2_032DB828
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4x nop then jmp 032DE320h	4_2_032DE078
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4x nop then jmp 032D02E9h	4_2_032D0040
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4x nop then jmp 032D4350h	4_2_032D40A8
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4x nop then jmp 032D0B99h	4_2_032D08F0
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4x nop then jmp 032DC380h	4_2_032DC0D8
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4x nop then jmp 032DB220h	4_2_032DAF78
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4x nop then jmp 032D31F0h	4_2_032D2F48
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4x nop then jmp 032D3AA0h	4_2_032D37F8
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4x nop then jmp 032DF8D8h	4_2_032DF630
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4x nop then jmp 032DA0C0h	4_2_032D9E18
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4x nop then jmp 032DD93Ah	4_2_032DD690
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4x nop then jmp 032DA970h	4_2_032DA6C8
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4x nop then jmp 032DC7D8h	4_2_032DC530
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4x nop then jmp 032D0FF1h	4_2_032D0D48
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4x nop then jmp 032DD088h	4_2_032DCDE0
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4x nop then jmp 032DDEC8h	4_2_032DDC20
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4x nop then jmp 032D3EF8h	4_2_032D3C50
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4x nop then jmp 032DBF28h	4_2_032DBC80
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4x nop then jmp 032D0741h	4_2_032D0498
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4x nop then jmp 032DE778h	4_2_032DE4D0

Source: global traffic

HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49735 -> 132.226.247.73:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49737 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.72 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: Bill Of Lading.exe, 00000004.00000002.2930568379.000000000336E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: Bill Of Lading.exe, 00000004.00000002.2930568379.000000000336E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: Bill Of Lading.exe, 00000004.00000002.2930568379.000000000336E000.00000004.00000800.00020000.00000000.sdmp, Bill Of Lading.exe, 00000004.00000002.2930568379.0000000003362000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Bill Of Lading.exe, 00000004.00000002.2930568379.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Bill Of Lading.exe, 00000004.00000002.2930568379.000000000336E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: Bill Of Lading.exe, 00000000.00000002.1731055909.00000000041B7000.00000004.00000800.00020000.00000000.sdmp, Bill Of Lading.exe, 00000004.00000002.2928507944.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: Bill Of Lading.exe, 00000004.00000002.2930568379.000000000336E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: Bill Of Lading.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Bill Of Lading.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: Bill Of Lading.exe, 00000004.00000002.2932716235.0000000006968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: Bill Of Lading.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: Bill Of Lading.exe, 00000004.00000002.2930568379.000000000338B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: Bill Of Lading.exe, 00000004.00000002.2930568379.000000000338B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: Bill Of Lading.exe, 00000000.00000002.1730779079.0000000002959000.00000004.00000800.00020000.00000000.sdmp, Bill Of Lading.exe, 00000004.00000002.2930568379.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Bill Of Lading.exe, 00000000.00000002.1731055909.00000000041B7000.00000004.00000800.00020000.00000000.sdmp, Bill Of Lading.exe, 00000004.00000002.2928507944.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: Bill Of Lading.exe, 00000004.00000002.2930568379.000000000336E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Bill Of Lading.exe, 00000000.00000002.1731055909.00000000041B7000.00000004.00000800.00020000.00000000.sdmp, Bill Of Lading.exe, 00000004.00000002.2930568379.000000000336E000.00000004.00000800.00020000.00000000.sdmp, Bill Of Lading.exe, 00000004.00000002.2928507944.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Bill Of Lading.exe, 00000004.00000002.2930568379.000000000336E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.72d
Source: Bill Of Lading.exe, 00000004.00000002.2930568379.000000000336E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.72l
Source: Bill Of Lading.exe	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.Bill Of Lading.exe.4218b98.1.raw.unpack, UltraSpeed.cs	.Net Code: VKCodeToUnicode
Source: 0.2.Bill Of Lading.exe.422f9b8.0.raw.unpack, UltraSpeed.cs	.Net Code: VKCodeToUnicode

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Bill Of Lading.exe.422f9b8.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Bill Of Lading.exe.422f9b8.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Bill Of Lading.exe.4218b98.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Bill Of Lading.exe.4218b98.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.Bill Of Lading.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.Bill Of Lading.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Bill Of Lading.exe.422f9b8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Bill Of Lading.exe.4218b98.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000004.00000002.2928507944.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1731055909.00000000041B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Bill Of Lading.exe PID: 7096, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Bill Of Lading.exe PID: 2516, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Bill Of Lading.exe

Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 0_2_07373B8C NtQueryInformationProcess,		0_2_07373B8C
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 0_2_07378BB8 NtQueryInformationProcess,		0_2_07378BB8

Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 0_2_00E1D3C4	0_2_00E1D3C4
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 0_2_072AE100	0_2_072AE100
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 0_2_072AE7D8	0_2_072AE7D8
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 0_2_0737E430	0_2_0737E430
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 0_2_07375F00	0_2_07375F00
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 0_2_07374C30	0_2_07374C30
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 0_2_0737A778	0_2_0737A778
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 0_2_0737A788	0_2_0737A788
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 0_2_0737E41F	0_2_0737E41F
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 0_2_073784D8	0_2_073784D8
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 0_2_07378018	0_2_07378018
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 0_2_07375EF2	0_2_07375EF2
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 0_2_07378D88	0_2_07378D88
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 0_2_07374C21	0_2_07374C21
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 0_2_07377BD0	0_2_07377BD0
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 0_2_0737AA10	0_2_0737AA10
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 0_2_0737A9FF	0_2_0737A9FF
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 0_2_07AB73E8	0_2_07AB73E8
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 0_2_07AB31B1	0_2_07AB31B1
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 0_2_07AB31C0	0_2_07AB31C0
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 0_2_07AB1138	0_2_07AB1138
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 0_2_07AB0D00	0_2_07AB0D00
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 0_2_07AB1570	0_2_07AB1570
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 0_2_07AB2810	0_2_07AB2810
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_016BC168	4_2_016BC168
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_016B19B8	4_2_016B19B8
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_016BCAB0	4_2_016BCAB0
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_016B2DD1	4_2_016B2DD1
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_016B4F08	4_2_016B4F08
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_016B7E68	4_2_016B7E68
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_016BB9E0	4_2_016BB9E0
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_016BB9D0	4_2_016BB9D0
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_016BCA82	4_2_016BCA82
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_016B7E67	4_2_016B7E67
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_016B4EF8	4_2_016B4EF8
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032D6998	4_2_032D6998
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032D7770	4_2_032D7770
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032D4500	4_2_032D4500
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032DED80	4_2_032DED80
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032D15F8	4_2_032D15F8
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032D1C58	4_2_032D1C58
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032DAB20	4_2_032DAB20
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032DAB10	4_2_032DAB10
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032D1B4A	4_2_032D1B4A
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032D33A0	4_2_032D33A0
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032D3393	4_2_032D3393
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032DB3C1	4_2_032DB3C1
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032DB3D0	4_2_032DB3D0
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032DD238	4_2_032DD238
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032DA261	4_2_032DA261
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032DFA78	4_2_032DFA78
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032DA270	4_2_032DA270
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032DFA88	4_2_032DFA88
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032D2AE0	4_2_032D2AE0
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032D2AF0	4_2_032D2AF0
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032DE928	4_2_032DE928
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032DE91F	4_2_032DE91F
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032DC97B	4_2_032DC97B
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032D11A0	4_2_032D11A0
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032D118F	4_2_032D118F
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032DC988	4_2_032DC988
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032DF1C8	4_2_032DF1C8
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032DF1D8	4_2_032DF1D8
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032DB828	4_2_032DB828
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032D0006	4_2_032D0006
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032DB818	4_2_032DB818
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032DE068	4_2_032DE068
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032DE078	4_2_032DE078
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032D0040	4_2_032D0040
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032D40A8	4_2_032D40A8
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032D4098	4_2_032D4098
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032D08F0	4_2_032D08F0
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032DC0CB	4_2_032DC0CB
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032D08DF	4_2_032D08DF
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032DC0D8	4_2_032DC0D8
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032D2F38	4_2_032D2F38
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032DAF68	4_2_032DAF68
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032DAF78	4_2_032DAF78
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032D2F48	4_2_032D2F48
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032D37E8	4_2_032D37E8
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032D37F8	4_2_032D37F8
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032DF620	4_2_032DF620
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032DF630	4_2_032DF630
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032D9E18	4_2_032D9E18
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032DA6B9	4_2_032DA6B9
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032DD683	4_2_032DD683
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032DD690	4_2_032DD690
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032DA6C8	4_2_032DA6C8
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032DC520	4_2_032DC520
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032D0D3C	4_2_032D0D3C
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032DC530	4_2_032DC530
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032DED70	4_2_032DED70
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032D0D48	4_2_032D0D48
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032D15EB	4_2_032D15EB
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032DCDE0	4_2_032DCDE0
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032DCDD0	4_2_032DCDD0
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032DDC20	4_2_032DDC20
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032DDC13	4_2_032DDC13
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032DBC71	4_2_032DBC71
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032D3C43	4_2_032D3C43
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032D3C50	4_2_032D3C50
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032D048C	4_2_032D048C
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032DBC80	4_2_032DBC80
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032D0498	4_2_032D0498
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032D9C90	4_2_032D9C90
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032DE4C3	4_2_032DE4C3
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 4_2_032DE4D0	4_2_032DE4D0

Source: Bill Of Lading.exe

Static PE information: invalid certificate

Source: Bill Of Lading.exe, 00000000.00000002.1730779079.0000000002959000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs Bill Of Lading.exe
Source: Bill Of Lading.exe, 00000000.00000002.1734533089.000000000B570000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Bill Of Lading.exe
Source: Bill Of Lading.exe, 00000000.00000000.1676963877.0000000000562000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamejGmN.exe4 vs Bill Of Lading.exe
Source: Bill Of Lading.exe, 00000000.00000002.1731055909.00000000041B7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs Bill Of Lading.exe
Source: Bill Of Lading.exe, 00000000.00000002.1731055909.00000000041B7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Bill Of Lading.exe
Source: Bill Of Lading.exe, 00000000.00000002.1733884571.00000000075F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShe vs Bill Of Lading.exe
Source: Bill Of Lading.exe, 00000000.00000002.1729141781.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Bill Of Lading.exe
Source: Bill Of Lading.exe, 00000004.00000002.2928664508.00000000012F7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Bill Of Lading.exe
Source: Bill Of Lading.exe, 00000004.00000002.2928507944.000000000041A000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs Bill Of Lading.exe
Source: Bill Of Lading.exe	Binary or memory string: OriginalFilenamejGmN.exe4 vs Bill Of Lading.exe

Source: Bill Of Lading.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.Bill Of Lading.exe.422f9b8.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Bill Of Lading.exe.422f9b8.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Bill Of Lading.exe.4218b98.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Bill Of Lading.exe.4218b98.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.Bill Of Lading.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.Bill Of Lading.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Bill Of Lading.exe.422f9b8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Bill Of Lading.exe.4218b98.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.2928507944.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1731055909.00000000041B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Bill Of Lading.exe PID: 7096, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Bill Of Lading.exe PID: 2516, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: Bill Of Lading.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Bill Of Lading.exe.4218b98.1.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Bill Of Lading.exe.4218b98.1.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Bill Of Lading.exe.422f9b8.0.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Bill Of Lading.exe.422f9b8.0.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, VNK5t567Ta80gukmJr.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, VNK5t567Ta80gukmJr.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, VNK5t567Ta80gukmJr.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, VNK5t567Ta80gukmJr.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, VNK5t567Ta80gukmJr.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, VNK5t567Ta80gukmJr.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, yYex5M0Fb9d9vCYsJy.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, yYex5M0Fb9d9vCYsJy.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/6@2/2

Source: C:\Users\user\Desktop\Bill Of Lading.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Bill Of Lading.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\Bill Of Lading.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Mutant created: \Sessions\1\BaseNamedObjects\sLOqATlyg
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1508:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lefng4a4.n3e.ps1

Jump to behavior

Source: Bill Of Lading.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Bill Of Lading.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\Bill Of Lading.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Bill Of Lading.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Bill Of Lading.exe, 00000004.00000002.2930568379.00000000033EC000.00000004.00000800.00020000.00000000.sdmp, Bill Of Lading.exe, 00000004.00000002.2930568379.00000000033DE000.00000004.00000800.00020000.00000000.sdmp, Bill Of Lading.exe, 00000004.00000002.2930568379.00000000033CE000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Bill Of Lading.exe

ReversingLabs: Detection: 39%

Source: unknown	Process created: C:\Users\user\Desktop\Bill Of Lading.exe "C:\Users\user\Desktop\Bill Of Lading.exe"
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bill Of Lading.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process created: C:\Users\user\Desktop\Bill Of Lading.exe "C:\Users\user\Desktop\Bill Of Lading.exe"
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bill Of Lading.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process created: C:\Users\user\Desktop\Bill Of Lading.exe "C:\Users\user\Desktop\Bill Of Lading.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\Bill Of Lading.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Bill Of Lading.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Bill Of Lading.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Bill Of Lading.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Bill Of Lading.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.Bill Of Lading.exe.53a0000.3.raw.unpack, Uo.cs	.Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, VNK5t567Ta80gukmJr.cs	.Net Code: t9XjiCC8h5 System.Reflection.Assembly.Load(byte[])
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, VNK5t567Ta80gukmJr.cs	.Net Code: t9XjiCC8h5 System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 0_2_072AA656 push FFFFFF8Bh; iretd		0_2_072AA65A
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Code function: 0_2_072A5430 push eax; ret		0_2_072A5471

Source: Bill Of Lading.exe

Static PE information: section name: .text entropy: 7.597028428709984

Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, WsdF1GHByCfG39n34hG.cs	High entropy of concatenated method names: 'XTs7ejQMdT', 'FEl7mXO3NH', 'Mro7is3dOB', 'AbT7qGhn8E', 'TrX7niYG7s', 'jyk75k8438', 'vKn7fCvmJL', 'OJP709tXqf', 'ney7aAyiZP', 'gx87vECJ1L'
Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, R1oBQEOJUT5B5BLI9I.cs	High entropy of concatenated method names: 'ToString', 'ttwUJ6iNy4', 'YQmUo1r1fS', 'pMDUx9tN9F', 'VvLUDBIVmR', 'fqnUt6evvl', 'G8nUCviLYL', 'S46UQbbYtb', 'ihBUsPW470', 'xDZU83ECrS'
Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, yYex5M0Fb9d9vCYsJy.cs	High entropy of concatenated method names: 'jPUANjhKmk', 'N0YAVqL97Z', 'EHeAO8uJRK', 'xWxAwIRwIJ', 'ebfA198WD0', 'O26A93ZG2D', 'F4FA3BGUNh', 'miiAkdJOdr', 'aUFAhBFiIr', 'BpJAIsC2E7'
Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, pdGFg3XTNgk33RALG8.cs	High entropy of concatenated method names: 'bM5KcxW2gM', 'Lo2KAsyNSY', 'qOFKu0wo74', 'TgGKyLdXFY', 'Pt0K6ovnjM', 'Qysu1B5EaD', 'lt6u93Zvh2', 'DQBu31hpND', 'SoaukPCjQV', 'caAuhVh7Kj'
Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, YnvJjTAnNmihZSjDMM.cs	High entropy of concatenated method names: 'Dispose', 'kEiHhWRBtb', 'MNQSo0j6YH', 'ANwRRCAKac', 'Fj2HINnvnp', 'uYOHzbchhu', 'ProcessDialogKey', 'iTaSB3F7gX', 'DgaSHOeEFO', 'xkgSSoKROH'
Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, d2NnvnkpGYObchhuKT.cs	High entropy of concatenated method names: 'mOKgM0jeFh', 'iF9gAbm9Fl', 'g8xgr6UMHO', 'uG0gudCmpR', 'xPbgKbaX5P', 'V9rgyutwaV', 'JEUg6UYdu5', 'OAYgdfqhkM', 'BIkgpSCCgi', 'NSQgFXaa1H'
Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, XSaccbSuQjsahpQDZ8.cs	High entropy of concatenated method names: 'rdGiA1y0t', 'kwsqDI4cw', 'Yyo5UpPIg', 'zAdfSL7P4', 'mkja6c86b', 'MeQvAvxf3', 'P1OOwf3ra2Y0tx7g2k', 'wspbugi2h03ugJuOFe', 'P44gaISDL', 'jYtY3Qphv'
Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, ucl6GTCKFMgIfewJUq.cs	High entropy of concatenated method names: 'zftKO7MSe6', 'msPKw4iTWD', 'UPdK1IgZKl', 'ToString', 'idqK9mdK8f', 'L36K3tHX5L', 'A1OowUv03WS4MJLyC6N', 'Qip0B8vo8ZinssaMc8p', 'BSGFe7vIYdGgr28b4ye', 'vefILuvyItsMM2QuSUD'
Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, NBUNKKwdpFD2sRYih3.cs	High entropy of concatenated method names: 'IWvEpHMvWe', 'dfIEFuK69y', 'ToString', 'ytMEM4Pd2r', 'bkQEAQ7jwg', 'NjXEraZuoM', 'pLUEu5PT55', 'HOHEKH1uCl', 'bmpEyl9AvV', 'xYQE6jXSNf'
Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, ap2pVR8qDlIvkU6pII.cs	High entropy of concatenated method names: 'IwnyeJriJ8', 'SkeymjoAaT', 'nmVyiwfYtY', 'ACHyqp9Ox6', 'utvynUI747', 'Yhjy5Aq0br', 'hJdyfhIY37', 'eVwy0fij5L', 'Aipyaq4ucP', 'bEJyvfsKUQ'
Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, j60JomQwKbPv1l24XR.cs	High entropy of concatenated method names: 'KWZyMM1Dj9', 'NXgyrekFIn', 'F16yKB270t', 'YtOKIouteu', 'lY0KzDMjGL', 'tODyB5dfvW', 'a7vyHxSJuZ', 'kR4yS9Ekfg', 'g3MyldQlvu', 'E5EyjrH7XX'
Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, E3F7gXh0gaOeEFOTkg.cs	High entropy of concatenated method names: 'OnAgX9Qgp9', 'pIrgoVV3um', 'pcHgx9uBMC', 'rsygDucbsM', 'kVVgNMV2Uc', 'w5Ogt5PPxJ', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, LMOT6UNdReeVWoPAID.cs	High entropy of concatenated method names: 'Pb5Z4wLua6', 'W7OZbtuOmM', 'jY2ZNHjCqu', 'apaZV8Fc02', 'DruZomdYKj', 'bleZxAaVlV', 'dpfZD1KQEJ', 'KUCZt1NjhZ', 'FXZZCNkKLN', 'LMRZQhig0o'
Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, oGYcpcvq7PRQIK6iEx.cs	High entropy of concatenated method names: 'W0Eun5SKet', 'DjyufjUXwv', 'TRCrxye8QF', 'hJ0rDfY7CA', 'Y2rrtt9IKG', 'rxXrCULcxh', 'eOSrQ9kAp4', 'c7MrshZ5Ww', 'RJZr8cuda0', 'F7Er4X0UB1'
Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, FIrm0jHlMQoThYVr9ZY.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'R4qYNwQuZ7', 'pIOYVMGDN3', 'OZrYOkBQR0', 'HMHYwxkkLK', 'bIBY1XYVgc', 'L4PY9OuoSG', 'WXwY3IFlXe'
Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, mFhgPy2nR54giMNkmJ.cs	High entropy of concatenated method names: 'ieIP0lLGdA', 'v4EPamL9qp', 'fodPXsXfV7', 'DeoPoj4tHC', 'EYPPDOfMjq', 'Y5PPtSk8rv', 'V5hPQ9sGUp', 'WWjPslRVHN', 'KZDP4cthVx', 'lojPJN8jF0'
Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, VNK5t567Ta80gukmJr.cs	High entropy of concatenated method names: 'EC1lcTh3do', 'OaHlMIhdPu', 'FKwlAsHtqR', 'nvclrmUY5B', 'KrJluifijM', 'Df6lKIClLy', 'iyMlyhnkxk', 'gW6l64Bjh5', 'NLolddIO6i', 'cpLlpCE3gZ'
Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, RO7QEkjQXdeu77xcCL.cs	High entropy of concatenated method names: 'TvmHyYex5M', 'mb9H6d9vCY', 'Ah1Hp57xKi', 'fcIHF5ZGYc', 'i6iHZExUdG', 'mg3HUTNgk3', 'MT8xilRxCpyx8JKOcx', 'MAM1FvYujOFaHpyNGb', 'hvUHHZbfgC', 'BVkHlDqHGQ'
Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, g5N5xqah157xKiMcI5.cs	High entropy of concatenated method names: 'XwwrqUcsCE', 'KkOr5ZQOIS', 'ATBr0AUbsF', 'UOpraXXVUZ', 'oiYrZum0iC', 'i7arUKkdPx', 'xbbrEcT9jd', 'XRMrg5yUMK', 'cXur7ffgE5', 'kRmrYxRBw0'
Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, HKROHvIde0F9Vhk3N4.cs	High entropy of concatenated method names: 'Xjn7HC1NkA', 'LYY7lsOMkp', 'EgC7jBSJhG', 'jBK7MxDgO7', 'ufM7A7MgtH', 'TnV7usUria', 'ST17KjII7V', 'uhvg3VvjSj', 'TM5gkAq6Q5', 'ctLghaR2fT'
Source: 0.2.Bill Of Lading.exe.432b1b0.2.raw.unpack, qwJAvL92EgDZ8B25LL.cs	High entropy of concatenated method names: 'aV4EkEn7lR', 'iXFEIyhkZp', 'Na9gBUYTvc', 'BeLgHLbgSx', 'wbFEJ0ywfe', 'KKKEbFdZwJ', 'vqcE2GpN5d', 'rnmENAyKe0', 'dOGEVPtEJ6', 'SjdEO7VelM'
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, WsdF1GHByCfG39n34hG.cs	High entropy of concatenated method names: 'XTs7ejQMdT', 'FEl7mXO3NH', 'Mro7is3dOB', 'AbT7qGhn8E', 'TrX7niYG7s', 'jyk75k8438', 'vKn7fCvmJL', 'OJP709tXqf', 'ney7aAyiZP', 'gx87vECJ1L'
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, R1oBQEOJUT5B5BLI9I.cs	High entropy of concatenated method names: 'ToString', 'ttwUJ6iNy4', 'YQmUo1r1fS', 'pMDUx9tN9F', 'VvLUDBIVmR', 'fqnUt6evvl', 'G8nUCviLYL', 'S46UQbbYtb', 'ihBUsPW470', 'xDZU83ECrS'
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, yYex5M0Fb9d9vCYsJy.cs	High entropy of concatenated method names: 'jPUANjhKmk', 'N0YAVqL97Z', 'EHeAO8uJRK', 'xWxAwIRwIJ', 'ebfA198WD0', 'O26A93ZG2D', 'F4FA3BGUNh', 'miiAkdJOdr', 'aUFAhBFiIr', 'BpJAIsC2E7'
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, pdGFg3XTNgk33RALG8.cs	High entropy of concatenated method names: 'bM5KcxW2gM', 'Lo2KAsyNSY', 'qOFKu0wo74', 'TgGKyLdXFY', 'Pt0K6ovnjM', 'Qysu1B5EaD', 'lt6u93Zvh2', 'DQBu31hpND', 'SoaukPCjQV', 'caAuhVh7Kj'
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, YnvJjTAnNmihZSjDMM.cs	High entropy of concatenated method names: 'Dispose', 'kEiHhWRBtb', 'MNQSo0j6YH', 'ANwRRCAKac', 'Fj2HINnvnp', 'uYOHzbchhu', 'ProcessDialogKey', 'iTaSB3F7gX', 'DgaSHOeEFO', 'xkgSSoKROH'
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, d2NnvnkpGYObchhuKT.cs	High entropy of concatenated method names: 'mOKgM0jeFh', 'iF9gAbm9Fl', 'g8xgr6UMHO', 'uG0gudCmpR', 'xPbgKbaX5P', 'V9rgyutwaV', 'JEUg6UYdu5', 'OAYgdfqhkM', 'BIkgpSCCgi', 'NSQgFXaa1H'
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, XSaccbSuQjsahpQDZ8.cs	High entropy of concatenated method names: 'rdGiA1y0t', 'kwsqDI4cw', 'Yyo5UpPIg', 'zAdfSL7P4', 'mkja6c86b', 'MeQvAvxf3', 'P1OOwf3ra2Y0tx7g2k', 'wspbugi2h03ugJuOFe', 'P44gaISDL', 'jYtY3Qphv'
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, ucl6GTCKFMgIfewJUq.cs	High entropy of concatenated method names: 'zftKO7MSe6', 'msPKw4iTWD', 'UPdK1IgZKl', 'ToString', 'idqK9mdK8f', 'L36K3tHX5L', 'A1OowUv03WS4MJLyC6N', 'Qip0B8vo8ZinssaMc8p', 'BSGFe7vIYdGgr28b4ye', 'vefILuvyItsMM2QuSUD'
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, NBUNKKwdpFD2sRYih3.cs	High entropy of concatenated method names: 'IWvEpHMvWe', 'dfIEFuK69y', 'ToString', 'ytMEM4Pd2r', 'bkQEAQ7jwg', 'NjXEraZuoM', 'pLUEu5PT55', 'HOHEKH1uCl', 'bmpEyl9AvV', 'xYQE6jXSNf'
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, ap2pVR8qDlIvkU6pII.cs	High entropy of concatenated method names: 'IwnyeJriJ8', 'SkeymjoAaT', 'nmVyiwfYtY', 'ACHyqp9Ox6', 'utvynUI747', 'Yhjy5Aq0br', 'hJdyfhIY37', 'eVwy0fij5L', 'Aipyaq4ucP', 'bEJyvfsKUQ'
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, j60JomQwKbPv1l24XR.cs	High entropy of concatenated method names: 'KWZyMM1Dj9', 'NXgyrekFIn', 'F16yKB270t', 'YtOKIouteu', 'lY0KzDMjGL', 'tODyB5dfvW', 'a7vyHxSJuZ', 'kR4yS9Ekfg', 'g3MyldQlvu', 'E5EyjrH7XX'
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, E3F7gXh0gaOeEFOTkg.cs	High entropy of concatenated method names: 'OnAgX9Qgp9', 'pIrgoVV3um', 'pcHgx9uBMC', 'rsygDucbsM', 'kVVgNMV2Uc', 'w5Ogt5PPxJ', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, LMOT6UNdReeVWoPAID.cs	High entropy of concatenated method names: 'Pb5Z4wLua6', 'W7OZbtuOmM', 'jY2ZNHjCqu', 'apaZV8Fc02', 'DruZomdYKj', 'bleZxAaVlV', 'dpfZD1KQEJ', 'KUCZt1NjhZ', 'FXZZCNkKLN', 'LMRZQhig0o'
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, oGYcpcvq7PRQIK6iEx.cs	High entropy of concatenated method names: 'W0Eun5SKet', 'DjyufjUXwv', 'TRCrxye8QF', 'hJ0rDfY7CA', 'Y2rrtt9IKG', 'rxXrCULcxh', 'eOSrQ9kAp4', 'c7MrshZ5Ww', 'RJZr8cuda0', 'F7Er4X0UB1'
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, FIrm0jHlMQoThYVr9ZY.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'R4qYNwQuZ7', 'pIOYVMGDN3', 'OZrYOkBQR0', 'HMHYwxkkLK', 'bIBY1XYVgc', 'L4PY9OuoSG', 'WXwY3IFlXe'
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, mFhgPy2nR54giMNkmJ.cs	High entropy of concatenated method names: 'ieIP0lLGdA', 'v4EPamL9qp', 'fodPXsXfV7', 'DeoPoj4tHC', 'EYPPDOfMjq', 'Y5PPtSk8rv', 'V5hPQ9sGUp', 'WWjPslRVHN', 'KZDP4cthVx', 'lojPJN8jF0'
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, VNK5t567Ta80gukmJr.cs	High entropy of concatenated method names: 'EC1lcTh3do', 'OaHlMIhdPu', 'FKwlAsHtqR', 'nvclrmUY5B', 'KrJluifijM', 'Df6lKIClLy', 'iyMlyhnkxk', 'gW6l64Bjh5', 'NLolddIO6i', 'cpLlpCE3gZ'
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, RO7QEkjQXdeu77xcCL.cs	High entropy of concatenated method names: 'TvmHyYex5M', 'mb9H6d9vCY', 'Ah1Hp57xKi', 'fcIHF5ZGYc', 'i6iHZExUdG', 'mg3HUTNgk3', 'MT8xilRxCpyx8JKOcx', 'MAM1FvYujOFaHpyNGb', 'hvUHHZbfgC', 'BVkHlDqHGQ'
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, g5N5xqah157xKiMcI5.cs	High entropy of concatenated method names: 'XwwrqUcsCE', 'KkOr5ZQOIS', 'ATBr0AUbsF', 'UOpraXXVUZ', 'oiYrZum0iC', 'i7arUKkdPx', 'xbbrEcT9jd', 'XRMrg5yUMK', 'cXur7ffgE5', 'kRmrYxRBw0'
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, HKROHvIde0F9Vhk3N4.cs	High entropy of concatenated method names: 'Xjn7HC1NkA', 'LYY7lsOMkp', 'EgC7jBSJhG', 'jBK7MxDgO7', 'ufM7A7MgtH', 'TnV7usUria', 'ST17KjII7V', 'uhvg3VvjSj', 'TM5gkAq6Q5', 'ctLghaR2fT'
Source: 0.2.Bill Of Lading.exe.b570000.4.raw.unpack, qwJAvL92EgDZ8B25LL.cs	High entropy of concatenated method names: 'aV4EkEn7lR', 'iXFEIyhkZp', 'Na9gBUYTvc', 'BeLgHLbgSx', 'wbFEJ0ywfe', 'KKKEbFdZwJ', 'vqcE2GpN5d', 'rnmENAyKe0', 'dOGEVPtEJ6', 'SjdEO7VelM'

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Bill Of Lading.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Bill Of Lading.exe PID: 7096, type: MEMORYSTR

Source: C:\Users\user\Desktop\Bill Of Lading.exe	Memory allocated: E10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Memory allocated: 2920000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Memory allocated: 2750000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Memory allocated: 8D20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Memory allocated: 77C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Memory allocated: 9D20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Memory allocated: AD20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Memory allocated: B5D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Memory allocated: C5D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Memory allocated: 16B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Memory allocated: 32F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Memory allocated: 52F0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Bill Of Lading.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6073			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2143			Jump to behavior

Source: C:\Users\user\Desktop\Bill Of Lading.exe TID: 6216	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3128	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5216	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Bill Of Lading.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Bill Of Lading.exe, 00000004.00000002.2929525597.0000000001718000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllZ

Source: C:\Users\user\Desktop\Bill Of Lading.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Bill Of Lading.exe

Code function: 4_2_016BC168 LdrInitializeThunk,LdrInitializeThunk,

4_2_016BC168

Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Bill Of Lading.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.Bill Of Lading.exe.4218b98.1.raw.unpack, UltraSpeed.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.Bill Of Lading.exe.4218b98.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 0.2.Bill Of Lading.exe.4218b98.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bill Of Lading.exe"
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bill Of Lading.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Bill Of Lading.exe

Memory written: C:\Users\user\Desktop\Bill Of Lading.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bill Of Lading.exe"			Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Process created: C:\Users\user\Desktop\Bill Of Lading.exe "C:\Users\user\Desktop\Bill Of Lading.exe"			Jump to behavior

Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Users\user\Desktop\Bill Of Lading.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Users\user\Desktop\Bill Of Lading.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Bill Of Lading.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.Bill Of Lading.exe.422f9b8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bill Of Lading.exe.4218b98.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Bill Of Lading.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bill Of Lading.exe.422f9b8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bill Of Lading.exe.4218b98.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2928507944.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1731055909.00000000041B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Bill Of Lading.exe PID: 7096, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Bill Of Lading.exe PID: 2516, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.Bill Of Lading.exe.422f9b8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bill Of Lading.exe.4218b98.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Bill Of Lading.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bill Of Lading.exe.422f9b8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bill Of Lading.exe.4218b98.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2928507944.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1731055909.00000000041B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Bill Of Lading.exe PID: 7096, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Bill Of Lading.exe PID: 2516, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Bill Of Lading.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\Bill Of Lading.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Bill Of Lading.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Yara match	File source: 0.2.Bill Of Lading.exe.422f9b8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bill Of Lading.exe.4218b98.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Bill Of Lading.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bill Of Lading.exe.422f9b8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bill Of Lading.exe.4218b98.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2928507944.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2930568379.0000000003413000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1731055909.00000000041B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Bill Of Lading.exe PID: 7096, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Bill Of Lading.exe PID: 2516, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.Bill Of Lading.exe.422f9b8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bill Of Lading.exe.4218b98.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Bill Of Lading.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bill Of Lading.exe.422f9b8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bill Of Lading.exe.4218b98.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2928507944.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1731055909.00000000041B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Bill Of Lading.exe PID: 7096, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Bill Of Lading.exe PID: 2516, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.Bill Of Lading.exe.422f9b8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bill Of Lading.exe.4218b98.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Bill Of Lading.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bill Of Lading.exe.422f9b8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bill Of Lading.exe.4218b98.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2928507944.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1731055909.00000000041B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Bill Of Lading.exe PID: 7096, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Bill Of Lading.exe PID: 2516, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	111 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Disable or Modify Tools	1 Input Capture	1 Security Software Discovery	Remote Desktop Protocol	1 Input Capture	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	11 Archive Collected Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	1 Data from Local System	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	13 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Bill Of Lading.exe	39%	ReversingLabs	ByteCode-MSIL.Backdoor.njRAT
Bill Of Lading.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.fontbureau.com	0%	URL Reputation	safe
http://www.fontbureau.com/designersG	0%	URL Reputation	safe
http://www.fontbureau.com/designers/?	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.fontbureau.com/designers?	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
http://www.fontbureau.com/designers	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.fontbureau.com/designers/cabarga.htmlN	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://crl.m	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.com/designers/frere-user.html	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://reallyfreegeoip.org	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://www.fontbureau.com/designers8	0%	URL Reputation	safe
http://www.fonts.com	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://checkip.dyndns.com	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	188.114.97.3	true	true	unknown
checkip.dyndns.com	132.226.247.73	true	false	unknown
checkip.dyndns.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/173.254.250.72	false		unknown
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.fontbureau.com	Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersG	Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/173.254.250.72d	Bill Of Lading.exe, 00000004.00000002.2930568379.000000000336E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://reallyfreegeoip.orgd	Bill Of Lading.exe, 00000004.00000002.2930568379.000000000338B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.tiro.com	Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org	Bill Of Lading.exe, 00000004.00000002.2930568379.000000000336E000.00000004.00000800.00020000.00000000.sdmp, Bill Of Lading.exe, 00000004.00000002.2930568379.0000000003362000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/173.254.250.72l	Bill Of Lading.exe, 00000004.00000002.2930568379.000000000336E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.fontbureau.com/designers	Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.goodfont.co.kr	Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	Bill Of Lading.exe	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.m	Bill Of Lading.exe, 00000004.00000002.2932716235.0000000006968000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.comd	Bill Of Lading.exe, 00000004.00000002.2930568379.000000000336E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://checkip.dyndns.org/q	Bill Of Lading.exe, 00000000.00000002.1731055909.00000000041B7000.00000004.00000800.00020000.00000000.sdmp, Bill Of Lading.exe, 00000004.00000002.2928507944.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://reallyfreegeoip.org	Bill Of Lading.exe, 00000004.00000002.2930568379.000000000338B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.orgd	Bill Of Lading.exe, 00000004.00000002.2930568379.000000000336E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.galapagosdesign.com/DPlease	Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org	Bill Of Lading.exe, 00000004.00000002.2930568379.000000000336E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.kr	Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.com	Bill Of Lading.exe, 00000004.00000002.2930568379.000000000336E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/d	Bill Of Lading.exe, 00000004.00000002.2930568379.000000000336E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Bill Of Lading.exe, 00000000.00000002.1730779079.0000000002959000.00000004.00000800.00020000.00000000.sdmp, Bill Of Lading.exe, 00000004.00000002.2930568379.00000000032F1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	Bill Of Lading.exe, 00000000.00000002.1732705433.0000000006A92000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot-/sendDocument?chat_id=	Bill Of Lading.exe, 00000000.00000002.1731055909.00000000041B7000.00000004.00000800.00020000.00000000.sdmp, Bill Of Lading.exe, 00000004.00000002.2928507944.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org/xml/	Bill Of Lading.exe, 00000000.00000002.1731055909.00000000041B7000.00000004.00000800.00020000.00000000.sdmp, Bill Of Lading.exe, 00000004.00000002.2930568379.000000000336E000.00000004.00000800.00020000.00000000.sdmp, Bill Of Lading.exe, 00000004.00000002.2928507944.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.97.3	reallyfreegeoip.org	European Union		13335	CLOUDFLARENETUS	true
132.226.247.73	checkip.dyndns.com	United States		16989	UTMEMUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1544350
Start date and time:	2024-10-29 10:10:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Bill Of Lading.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/6@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 84 Number of non-executed functions: 48
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: Bill Of Lading.exe

Simulations

Behavior and APIs

Time	Type	Description
05:10:59	API Interceptor	3x Sleep call for process: Bill Of Lading.exe modified
05:11:02	API Interceptor	10x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	rPO_28102400.exe	Get hash	malicious	Lokibot	Browse	ghcopz.shop/ClarkB/PWS/fre.php
	PbfYaIvR5B.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	windowsxp.top/ExternaltoPhppollcpuupdateTrafficpublic.php
	SR3JZpolPo.exe	Get hash	malicious	JohnWalkerTexasLoader	Browse	xilloolli.com/api.php?status=1&wallets=0&av=1
	5Z1WFRMTOXRH6X21Z8NU8.exe	Get hash	malicious	Unknown	Browse	artvisions-autoinsider.com/8bkjdSdfjCe/index.php
	PO 4800040256.exe	Get hash	malicious	FormBook	Browse	www.cc101.pro/4hfb/
	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/cDXpxO66/download
	Instruction_1928.pdf.lnk.download.lnk	Get hash	malicious	LummaC	Browse	tech-tribune.shop/pLQvfD4d5/index.php
	WBCDZ4Z3M2667YBDZ5K4.bin.exe	Get hash	malicious	Unknown	Browse	tech-tribune.shop/pLQvfD4d5/index.php
	yGktPvplJn.exe	Get hash	malicious	Pushdo	Browse	www.rs-ag.com/
	https://is.gd/6NgVrQ	Get hash	malicious	HTMLPhisher	Browse	aa.opencompanies.co.uk/vEXJm/
132.226.247.73	Proforma-Invoice#018879TT0100..doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	dekont_001.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Fa24c148.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	z1RECONFIRMPAYMENTINVOICE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	na.doc	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	n#U00ba 7064-2024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	SOLICITUD URGENTE RFQ-05567.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PILNE ZAPYTANIE RFQ-05567-2024.10.25.vbs	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	Proforma-Invoice#018879TT0100..doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	dekont_001.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	z74fBF2ObiS1g87mbS.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	come.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	INVOICE.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	z19UrgentOrder.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	Fa24c148.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	#U304a#U898b#U7a4d#U308a#U4f9d#U983c.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	RFQ_List.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
checkip.dyndns.com	Proforma-Invoice#018879TT0100..doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	dekont_001.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	z74fBF2ObiS1g87mbS.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	come.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.8.169
	INVOICE.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	132.226.8.169
	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	z19UrgentOrder.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	Fa24c148.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	RFQ_List.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	z1RECONFIRMPAYMENTINVOICE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Bill_Of _Lading.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	ST007 SWIFT CONFIRMATION.xls	Get hash	malicious	Unknown	Browse	188.114.97.3
	Proforma-Invoice#018879TT0100..doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	swift-copy31072024PDF.html	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	ST007 SWIFT CONFIRMATION.xls	Get hash	malicious	Unknown	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	ST007 SWIFT CONFIRMATION.xls	Get hash	malicious	Unknown	Browse	188.114.96.3
	Transferencia.doc	Get hash	malicious	Quasar	Browse	188.114.96.3
	https://clairecarpenter.com/wp-includes/css/pbcmc.php?7112797967704b536932307466507a4373757943784b5463314a54533470796b784f7a456e567130725553383750315338317430677031416341#Email#	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://inspireelectricale.za.com/u78dq	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
UTMEMUS	Proforma-Invoice#018879TT0100..doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	dekont_001.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	come.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.8.169
	INVOICE.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	132.226.8.169
	Fa24c148.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	z1RECONFIRMPAYMENTINVOICE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	AWB#21138700102.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	na.doc	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	na.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	dekont_001.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	https://docs.google.com/drawings/d/1O7L6jnunpKYYRy1ZXX5DN4ENeZ4pxxWF8BG0mcDdFi0/preview?pli=1ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVenbNRU0UorX7OKjJa9aCYWGEkzuOVKWWWAgOafkEScU8ZjRsxVe	Get hash	malicious	HTMLPhisher	Browse	188.114.97.3
	z74fBF2ObiS1g87mbS.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	https://docs.google.com/drawings/d/1JRNFh_1Cbzym_iLfw5aw8-eo7G0EKRf1L0-MpuWvb2k/preview?pli=1MiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqGttUWGqloBvri51h9LRErd3HWCRoBdFauRsSvK8yaHFbMiAYvqG	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://docs.google.com/drawings/d/14Q1EGmG0TWb0poSuSYwhNHZWOm-kG4Jlnk5Hg076lVI/preview?pli=132E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWlXEloAdV6HX14O32E7OVeVm3Yu5P8NzksOSE1huGfymTeBDpSWl	Get hash	malicious	Mamba2FA	Browse	188.114.97.3
	come.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	INVOICE.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	z19UrgentOrder.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	Fa24c148.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3

Process:	C:\Users\user\Desktop\Bill Of Lading.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1172
Entropy (8bit):	5.357042452875322
Encrypted:	false
SSDEEP:	24:3CytZWSKco4KmZjKbm51s4RPT6moUebIKo+mZ9t7J0gt/NKIl9r+q:yyjWSU4xymI4RfoUeW+mZ9tK8ND3
MD5:	827C68C8F65D2B0800E6791B34AB6D2E
SHA1:	151BC96F9C26C53E02D2E0DA64995A462D0C3B4E
SHA-256:	6B22A727792EC2ACE1BC27BF00BECBBD842902F2FD0FC813CF45A21A986377D5
SHA-512:	67E9E89C531B2CDF47FCBBA3F036EA66427631A8EBF287A26DD35AFB114AF6E2D945304CBF72B94358245FEED658F9BA6E19B29879AE6488D8DC7A143DCC146D
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e.................................^..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ikhewcja.44a.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lefng4a4.n3e.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s3sovwsg.x3n.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wdss2j2m.moh.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.5905964859994235
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Bill Of Lading.exe
File size:	582'152 bytes
MD5:	e6d942c53b473fb6f9b53a24a59d083b
SHA1:	284b60dfc554bfb5aa78717d510a4b1a702b4598
SHA256:	862a367b1e130dc47d08a2d4ce26bec8d85196f00c1a3f6c0df4fc5f099139cd
SHA512:	14370b89e3067f9d63696a357b94277ba0b03ab66314d4284759c2054945cee1f5c5b27560032d8708169abd9b7ccca46fbc6584db65e1dfaef7d56f78ff745c
SSDEEP:	12288:zpLrqzmjwXGrt2vBe7D0jzxZ6nvIQVg3JyyaazF9z02kR:z4zMwXGri3xgnAQq3J9zot
TLSH:	D2C4CFE03F36731ADE696934D619DDBA92B11A787004BAF269DC3B4335CC211AE1CF46
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...{g g..............0.............Z.... ........@.. ....................................@................................

File Icon


Icon Hash:	4d162aaa22324d30

Static PE Info

General

Entrypoint:	0x48b35a
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6720677B [Tue Oct 29 04:41:31 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 00:00:00 08/11/2021 23:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8b308	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8c000	0xc20	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x8ac00	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x89360	0x89400	7133280c875f7824f20421509594d2ba	False	0.8516656705373407	data	7.597028428709984	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8c000	0xc20	0x1000	c24774c6162b8c2fc41852af318605ac	False	0.385009765625	data	5.074407163623199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8e000	0xc	0x400	b4796ad904216ecec9f465b93a434052	False	0.025390625	data	0.05585530805374581	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x8c0c8	0x823	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.5583293326932309
RT_GROUP_ICON	0x8c8fc	0x14	data	1.05
RT_VERSION	0x8c920	0x2fc	data	0.4424083769633508

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-29T10:11:05.807600+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49735	132.226.247.73	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 29, 2024 10:11:03.598928928 CET	49735	80	192.168.2.4	132.226.247.73
Oct 29, 2024 10:11:04.588888884 CET	49735	80	192.168.2.4	132.226.247.73
Oct 29, 2024 10:11:04.623547077 CET	80	49735	132.226.247.73	192.168.2.4
Oct 29, 2024 10:11:04.623568058 CET	80	49735	132.226.247.73	192.168.2.4
Oct 29, 2024 10:11:04.623699903 CET	49735	80	192.168.2.4	132.226.247.73
Oct 29, 2024 10:11:04.624429941 CET	49735	80	192.168.2.4	132.226.247.73
Oct 29, 2024 10:11:04.629726887 CET	80	49735	132.226.247.73	192.168.2.4
Oct 29, 2024 10:11:05.497720957 CET	80	49735	132.226.247.73	192.168.2.4
Oct 29, 2024 10:11:05.502793074 CET	49735	80	192.168.2.4	132.226.247.73
Oct 29, 2024 10:11:05.508090019 CET	80	49735	132.226.247.73	192.168.2.4
Oct 29, 2024 10:11:05.766321898 CET	80	49735	132.226.247.73	192.168.2.4
Oct 29, 2024 10:11:05.778021097 CET	49737	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:11:05.778121948 CET	443	49737	188.114.97.3	192.168.2.4
Oct 29, 2024 10:11:05.778285980 CET	49737	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:11:05.797127008 CET	49737	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:11:05.797162056 CET	443	49737	188.114.97.3	192.168.2.4
Oct 29, 2024 10:11:05.807600021 CET	49735	80	192.168.2.4	132.226.247.73
Oct 29, 2024 10:11:06.405116081 CET	443	49737	188.114.97.3	192.168.2.4
Oct 29, 2024 10:11:06.405277014 CET	49737	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:11:06.410511971 CET	49737	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:11:06.410545111 CET	443	49737	188.114.97.3	192.168.2.4
Oct 29, 2024 10:11:06.411039114 CET	443	49737	188.114.97.3	192.168.2.4
Oct 29, 2024 10:11:06.461036921 CET	49737	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:11:06.503345966 CET	443	49737	188.114.97.3	192.168.2.4
Oct 29, 2024 10:11:06.595527887 CET	443	49737	188.114.97.3	192.168.2.4
Oct 29, 2024 10:11:06.595606089 CET	443	49737	188.114.97.3	192.168.2.4
Oct 29, 2024 10:11:06.595655918 CET	49737	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:11:06.602061033 CET	49737	443	192.168.2.4	188.114.97.3
Oct 29, 2024 10:12:10.906883001 CET	80	49735	132.226.247.73	192.168.2.4
Oct 29, 2024 10:12:10.906980038 CET	49735	80	192.168.2.4	132.226.247.73
Oct 29, 2024 10:12:45.776834011 CET	49735	80	192.168.2.4	132.226.247.73
Oct 29, 2024 10:12:45.782962084 CET	80	49735	132.226.247.73	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 29, 2024 10:11:03.537297010 CET	51475	53	192.168.2.4	1.1.1.1
Oct 29, 2024 10:11:03.545453072 CET	53	51475	1.1.1.1	192.168.2.4
Oct 29, 2024 10:11:05.769470930 CET	62478	53	192.168.2.4	1.1.1.1
Oct 29, 2024 10:11:05.777307034 CET	53	62478	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 29, 2024 10:11:03.537297010 CET	192.168.2.4	1.1.1.1	0x4035	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:11:05.769470930 CET	192.168.2.4	1.1.1.1	0x586f	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 29, 2024 10:11:03.545453072 CET	1.1.1.1	192.168.2.4	0x4035	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 29, 2024 10:11:03.545453072 CET	1.1.1.1	192.168.2.4	0x4035	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:11:03.545453072 CET	1.1.1.1	192.168.2.4	0x4035	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:11:03.545453072 CET	1.1.1.1	192.168.2.4	0x4035	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:11:03.545453072 CET	1.1.1.1	192.168.2.4	0x4035	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:11:03.545453072 CET	1.1.1.1	192.168.2.4	0x4035	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:11:05.777307034 CET	1.1.1.1	192.168.2.4	0x586f	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 29, 2024 10:11:05.777307034 CET	1.1.1.1	192.168.2.4	0x586f	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49735	132.226.247.73	80	2516	C:\Users\user\Desktop\Bill Of Lading.exe

Timestamp	Bytes transferred	Direction	Data
Oct 29, 2024 10:11:04.624429941 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 29, 2024 10:11:05.497720957 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:11:05 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 480e692a7bfcf90d4c312b371dc16c47 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>
Oct 29, 2024 10:11:05.502793074 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 29, 2024 10:11:05.766321898 CET	323	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:11:05 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 11edbd332b69cb2396ae631520a9dfa7 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.72</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49737	188.114.97.3	443	2516	C:\Users\user\Desktop\Bill Of Lading.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-29 09:11:06 UTC	87	OUT	GET /xml/173.254.250.72 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-29 09:11:06 UTC	887	IN	HTTP/1.1 200 OK Date: Tue, 29 Oct 2024 09:11:06 GMT Content-Type: text/xml Content-Length: 359 Connection: close apigw-requestid: AZ6gpggEPHcESXQ= Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 576 Last-Modified: Tue, 29 Oct 2024 09:01:30 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zqEza5ECcq4zh3UMvFoTwnxnXmIBzIQK9AYVUM%2Fbnln9XrZ%2F%2BVE5almMUWKSF3V13%2Bymdc5cuFO%2FKnMblGClS0bJOyl5zTpVDRcC8RJ1qgaPji0qPKefdY01mL47fEUXYNHIG0kQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8da20949cbbae81f-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1174&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2851&recv_bytes=701&delivery_rate=2405315&cwnd=251&unsent_bytes=0&cid=ed398e5f8f3c2c2f&ts=207&x=0"
2024-10-29 09:11:06 UTC	359	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 32 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e Data Ascii: <Response><IP>173.254.250.72</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</TimeZone>

Target ID:	0
Start time:	05:10:58
Start date:	29/10/2024
Path:	C:\Users\user\Desktop\Bill Of Lading.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Bill Of Lading.exe"
Imagebase:	0x560000
File size:	582'152 bytes
MD5 hash:	E6D942C53B473FB6F9B53A24A59D083B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1731055909.00000000041B7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1731055909.00000000041B7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1731055909.00000000041B7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1731055909.00000000041B7000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:11:01
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bill Of Lading.exe"
Imagebase:	0x720000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:11:01
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:11:01
Start date:	29/10/2024
Path:	C:\Users\user\Desktop\Bill Of Lading.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Bill Of Lading.exe"
Imagebase:	0xeb0000
File size:	582'152 bytes
MD5 hash:	E6D942C53B473FB6F9B53A24A59D083B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000004.00000002.2928507944.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2928507944.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.2928507944.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.2928507944.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2930568379.0000000003413000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	12.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.8%
Total number of Nodes:	333
Total number of Limit Nodes:	18

Executed Functions

Function 072AE100 Relevance: 6.9, Strings: 5, Instructions: 627
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 072AEE3C
Hbq, xrefs: 072AEF4D
Hbq, xrefs: 072AEDA9
Hbq, xrefs: 072AEEC3
Hbq, xrefs: 072AF00B

Memory Dump Source

Source File: 00000000.00000002.1733598354.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID: Hbq$Hbq$Hbq$Hbq$Hbq
API String ID: 0-1677660839
Opcode ID: 2cc17111531de54501763e24d4e082e4849a22280c9973bfff7d8c17d15321e9
Instruction ID: d369c4081e51c38c731752169e8ed95298b47b1a8f616bc36c796ff0926b3993
Opcode Fuzzy Hash: 2cc17111531de54501763e24d4e082e4849a22280c9973bfff7d8c17d15321e9
Instruction Fuzzy Hash: EA32AE70E10218DFDB54DFB9C8917AEBBB2FF84300F1585A9D00AAB395DA349D46CB91

Function 07378BB8 Relevance: 1.6, APIs: 1, Instructions: 95nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 07378C87

Memory Dump Source

Source File: 00000000.00000002.1733665803.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7370000_Bill Of Lading.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 236d9ab10e3f4bfad58f659d47a8addb81be37b51827ab34974ac3ed38d8904f
Instruction ID: 7a502227f8ee497a5400573c48637e074c9ebbc21219931d5eb508675ef053fa
Opcode Fuzzy Hash: 236d9ab10e3f4bfad58f659d47a8addb81be37b51827ab34974ac3ed38d8904f
Instruction Fuzzy Hash: 263138B5905349DFCB10CFA9E984ADEFFB4FB09310F10815AE959A7350C334AA55CBA1

Function 07373B8C Relevance: 1.6, APIs: 1, Instructions: 58nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 07378C87

Memory Dump Source

Source File: 00000000.00000002.1733665803.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7370000_Bill Of Lading.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 07e73ddbc6cdc6e01f77dbe0bcfc647d3e4582e01f4ff5df82673bf7f6d23e8b
Instruction ID: 2719ad2acaf046e8edf59b176f5e1d0695262fa8dee8f35bae3e91aaff8cc9c9
Opcode Fuzzy Hash: 07e73ddbc6cdc6e01f77dbe0bcfc647d3e4582e01f4ff5df82673bf7f6d23e8b
Instruction Fuzzy Hash: 70210FB5901349DFCB10CF9AD988ADEFBF4FB48310F10842AEA58A7210C374A944CFA4

Function 07375F00 Relevance: .5, Instructions: 506COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733665803.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7370000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e47deacf25a9ec32266681bc06a7d881816e21f7521f733840f438dcfd24176c
Instruction ID: 7c4dff320213f18164bae15f99cd1872cac0fb2a88f7e2b0055a045fa1567ed3
Opcode Fuzzy Hash: e47deacf25a9ec32266681bc06a7d881816e21f7521f733840f438dcfd24176c
Instruction Fuzzy Hash: D9428EB4E01219CFEB64CF69D994B9DBBB6FB48300F5081A9E809A7355D734AE81CF50

Function 07374C30 Relevance: .5, Instructions: 482COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733665803.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7370000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 147c4ab75639feac1d6d8b216e231cdd549ba87e81d3297a900d2e92dcbcbed5
Instruction ID: 91770448f680bf64a997250cf57052b4f9cd69293fd4cc2115ea73868c70b757
Opcode Fuzzy Hash: 147c4ab75639feac1d6d8b216e231cdd549ba87e81d3297a900d2e92dcbcbed5
Instruction Fuzzy Hash: 9A32E3B0901259CFEB64DF69C580A8EFBF2BF48315F55D195E408AB212DB30E981CFA4

Function 072AE7D8 Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733598354.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c1cd2b34fb6365440ee8bcb18705ace7da5342ccf429958e31c9b1681b02294
Instruction ID: 76c58b1b8f5ec736f2fa5d9f13940cd600d5753fc4cb8c54654bd5b2a048b84b
Opcode Fuzzy Hash: 4c1cd2b34fb6365440ee8bcb18705ace7da5342ccf429958e31c9b1681b02294
Instruction Fuzzy Hash: C4C16AB0E10219EFCB14CF69C88179EBBB2BF89300F15C5AAD409AB255DB30D986CF51

Function 07375EF2 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733665803.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7370000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdf35fcc46c9aedb25b9a00aea5fe11606fc645ebd880963b251f9fbd000448c
Instruction ID: 85f4a47e0e7678ae7d35b92500f9a93589822f6415a5c530f6b93aad3988c54f
Opcode Fuzzy Hash: cdf35fcc46c9aedb25b9a00aea5fe11606fc645ebd880963b251f9fbd000448c
Instruction Fuzzy Hash: 7961A3B4E01218CFEB18CF6AD994B9DBBB6FF88300F14C1AAD809A7255D735A941CF50

Function 07374C21 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733665803.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7370000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2215445b88ca55d7d29fc8c72f6f6dc7fd97331115e765fe9ac4c8f3ea01cba6
Instruction ID: 0324bfb4a0ec8b31cc4577e81141195aec71ea4f58b6629ef51908fd06b8c522
Opcode Fuzzy Hash: 2215445b88ca55d7d29fc8c72f6f6dc7fd97331115e765fe9ac4c8f3ea01cba6
Instruction Fuzzy Hash: C341D9B1E006198FEB58CF6AC89179EBBB2FF89300F10C1AAD55CA7255EB341A458F51

Function 0737E41F Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733665803.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7370000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e0ba62eef996d29e3c6bb5118d603ef260973b7f48e5217f500ed1dcc2a1832
Instruction ID: adf067fb93b857ff46ac33d4a7fe7916745832b93a43488a047691cb828ac9dc
Opcode Fuzzy Hash: 5e0ba62eef996d29e3c6bb5118d603ef260973b7f48e5217f500ed1dcc2a1832
Instruction Fuzzy Hash: 913145B0D086588BEB18CFA7D9443EEBFFAAFCA300F04D1AAD40D66255D7780545CB51

Function 0737E430 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733665803.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7370000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0de1639b21cd6ef470d5ed7b818ea442c02f2be826931f670791a2390733fae
Instruction ID: c6f18eb31148dced088b1f3885b0b7a035217a75159ddb7901ced07b0beea45a
Opcode Fuzzy Hash: f0de1639b21cd6ef470d5ed7b818ea442c02f2be826931f670791a2390733fae
Instruction Fuzzy Hash: 8521B4B0D186188BEB18CFABD9453EEBFBAAFC9300F14D16AD40D66254DB780945CF90

Function 00E1D3F8 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00E1D486
GetCurrentThread.KERNEL32 ref: 00E1D4C3
GetCurrentProcess.KERNEL32 ref: 00E1D500
GetCurrentThreadId.KERNEL32 ref: 00E1D559

Memory Dump Source

Source File: 00000000.00000002.1730377363.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_Bill Of Lading.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 06af346f3fbc1cc671faa58a84d17032d407797fd1ad0b904e28b36439331a3c
Instruction ID: d8b3d2b190f797542edcd5667dffd97ae7a7c43b6adc3d0ec0a46f33f0a7dc3e
Opcode Fuzzy Hash: 06af346f3fbc1cc671faa58a84d17032d407797fd1ad0b904e28b36439331a3c
Instruction Fuzzy Hash: 755159B0904249DFDB14DFAAD9487DEBBF1EF88304F208059E059B7361D774A984CB65

Function 00E1D408 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00E1D486
GetCurrentThread.KERNEL32 ref: 00E1D4C3
GetCurrentProcess.KERNEL32 ref: 00E1D500
GetCurrentThreadId.KERNEL32 ref: 00E1D559

Memory Dump Source

Source File: 00000000.00000002.1730377363.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_Bill Of Lading.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 3725ace2b8f9a95e5ffabed2efcf101e4b165c88c9ed877bbf89a4961578ab1a
Instruction ID: 17088e48c6c7b11a7ed45bf5c523650c20cfaf20558905e8b7644a3b1b8ecd87
Opcode Fuzzy Hash: 3725ace2b8f9a95e5ffabed2efcf101e4b165c88c9ed877bbf89a4961578ab1a
Instruction Fuzzy Hash: 595158B0900209DFDB04DFAAD548BEEBBF1EF88314F208459E019B7361D774A984CB65

Function 07AB3934 Relevance: 1.7, APIs: 1, Instructions: 249
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 07AB3B76

Memory Dump Source

Source File: 00000000.00000002.1734276306.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_Bill Of Lading.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 4fc7d47e3c2a999b764b93610ef845f862ba1f12c34baaf3a8b654ff6ff339d4
Instruction ID: 166ef5b580ce425ebebaf1135120fca4443f0bc8b225ceb59d5766fed8a0d1a2
Opcode Fuzzy Hash: 4fc7d47e3c2a999b764b93610ef845f862ba1f12c34baaf3a8b654ff6ff339d4
Instruction Fuzzy Hash: B3A18CB1D0021ADFDF20CFA9C841BEDBBB6EF45310F1481A9E818A7251DB759985CF91

Function 07AB3940 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 07AB3B76

Memory Dump Source

Source File: 00000000.00000002.1734276306.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_Bill Of Lading.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 125df09ce718bce60d4cc4d778c8d4922673ccbfb10c69fcb6ca315366343998
Instruction ID: 5360b532724234f9c1eea8604ff78d30ad80d04d756d3ed15da07539e20a324d
Opcode Fuzzy Hash: 125df09ce718bce60d4cc4d778c8d4922673ccbfb10c69fcb6ca315366343998
Instruction Fuzzy Hash: E09179B1D0021ADFDF20CFA9C841BDDBBB6EB44310F1481A9E818A7251DB759985CF92

Function 00E1AD68 Relevance: 1.7, APIs: 1, Instructions: 197COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00E1AFBE

Memory Dump Source

Source File: 00000000.00000002.1730377363.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_Bill Of Lading.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 69d9b66957ed293f6e82a4484e8820adbbdf48fa1afca118b523bad9497d8183
Instruction ID: fd3645c0559355497315c0ee9c6fc61f22a5cb24060d543d6cd487c0edd5a329
Opcode Fuzzy Hash: 69d9b66957ed293f6e82a4484e8820adbbdf48fa1afca118b523bad9497d8183
Instruction Fuzzy Hash: 29712370A01B058FD724DF2AD0507AABBF1FF88304F048929E08AE7A50DB75E885CB91

Function 00E144D4 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00E159A9

Memory Dump Source

Source File: 00000000.00000002.1730377363.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_Bill Of Lading.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e002c02e6d2613a17b82d02be4ad71c1d334ee8111c427ebb3128080a7486f7b
Instruction ID: 4883bed46a4a710c63304887db52e3ba86f66fa58f233f8304d643710c8bcf40
Opcode Fuzzy Hash: e002c02e6d2613a17b82d02be4ad71c1d334ee8111c427ebb3128080a7486f7b
Instruction Fuzzy Hash: BE41E2B1C00719CBDB24DFAAC884BDDBBB5BF88304F20806AD408BB255DB756985CF90

Function 00E158EC Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00E159A9

Memory Dump Source

Source File: 00000000.00000002.1730377363.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_Bill Of Lading.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9d59f8cb3739d48257c8090f815739cb9dfbde2514d878881d52802244c1608a
Instruction ID: 80b804e310099f9a12bb1051aa833eb23a7cf2dcd4dd18637caa9af743b1827f
Opcode Fuzzy Hash: 9d59f8cb3739d48257c8090f815739cb9dfbde2514d878881d52802244c1608a
Instruction Fuzzy Hash: 3C41F2B1C00719CBDB14CFA9C8847DDBBB5BF88304F24815AD408BB295DB75698ACF91

Function 072AF110 Relevance: 1.6, APIs: 1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733598354.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_Bill Of Lading.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: b10c0c4cc1291a32c2ceafa3465d91efd4a99f843a2165c1f573968cd0751630
Instruction ID: 649177cd98d22c4ceaa74f786d3a0abe6b36153bee9e5cf4393e373a53a133af
Opcode Fuzzy Hash: b10c0c4cc1291a32c2ceafa3465d91efd4a99f843a2165c1f573968cd0751630
Instruction Fuzzy Hash: 253189B2904359AFDB11CFA9C804AEABFF8EF09310F14805AE954A7221C3359850CFA1

Function 07AB36B1 Relevance: 1.6, APIs: 1, Instructions: 75injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 07AB3748

Memory Dump Source

Source File: 00000000.00000002.1734276306.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_Bill Of Lading.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 0a098e5ab40f7de2f865d7d55f25aed4f41e3ccb936fa1bbaf10634c381fc548
Instruction ID: 40e8f916a3e447230827a5027a0b7a643a181d789884135d980fd0ff07734cba
Opcode Fuzzy Hash: 0a098e5ab40f7de2f865d7d55f25aed4f41e3ccb936fa1bbaf10634c381fc548
Instruction Fuzzy Hash: AC2137B59002599FCB10CFAAC885BEEBBF5FF48320F10842AE918A7251D7749944CFA4

Function 072A1EE0 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 072A1F7F

Memory Dump Source

Source File: 00000000.00000002.1733598354.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_Bill Of Lading.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 9c6497d2725c1c011a6f0f7b3de2afc445e255a14abf28f870c9e98fabdd8dec
Instruction ID: d216b515d6eef9dd7cbf9c5da6bbb9cd870ce9349b63d20dd4668cfadcbc123b
Opcode Fuzzy Hash: 9c6497d2725c1c011a6f0f7b3de2afc445e255a14abf28f870c9e98fabdd8dec
Instruction Fuzzy Hash: 4E3103B5D0034AAFDB10CF9AD884A9EFBF5FB48320F14842AE918A7310D774A554CFA0

Function 07AB37A1 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 07AB3828

Memory Dump Source

Source File: 00000000.00000002.1734276306.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_Bill Of Lading.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 579f7b4de9b7c4df62c0a062f19e3bd9ba6b12cdf011d90b9c13f0d274a67b8d
Instruction ID: ac98dbef84ee1f3333b73f2b122f7a6c83917bd25b02cce13a0935ab6afc26ff
Opcode Fuzzy Hash: 579f7b4de9b7c4df62c0a062f19e3bd9ba6b12cdf011d90b9c13f0d274a67b8d
Instruction Fuzzy Hash: BE2127B18002599FDF10CFAAD881AEEFBF5FF48320F50842AE518A7251D7759944CBA5

Function 072A1EE8 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 072A1F7F

Memory Dump Source

Source File: 00000000.00000002.1733598354.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_Bill Of Lading.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 07b97f372a6521aa5dda9d624f32683a0a21aa8715b4cbb6e2e0d440bccd78a3
Instruction ID: 13b8f997ccbfb2a2fb997c3b67bf914ae3d442c58150d77c88902b7ee07305c6
Opcode Fuzzy Hash: 07b97f372a6521aa5dda9d624f32683a0a21aa8715b4cbb6e2e0d440bccd78a3
Instruction Fuzzy Hash: 2621C3B5D1034A9FDB10CF9AD884A9EFBF5FB48320F14842AE919A7210D774A554CFA4

Function 07AB36B8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 07AB3748

Memory Dump Source

Source File: 00000000.00000002.1734276306.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_Bill Of Lading.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: d59fe9b3c6fa05a9b5af517f4ca202749fc2de726f3b0b5453752edb57697ca8
Instruction ID: 0a6875c62652ba3cd17b3b10cb54eb9b13a17ca2885cd17998093e04362031d8
Opcode Fuzzy Hash: d59fe9b3c6fa05a9b5af517f4ca202749fc2de726f3b0b5453752edb57697ca8
Instruction Fuzzy Hash: 7B2146B19003599FCB10CFAAC880BDEBBF5FF48310F10842AE918A7251D7789944CFA4

Function 07AB30E0 Relevance: 1.6, APIs: 1, Instructions: 69threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07AB3166

Memory Dump Source

Source File: 00000000.00000002.1734276306.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_Bill Of Lading.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 97665adaed7005c5f166f1a25ab0ccf2ea1fe0451b2dfafe37d402730a1812d2
Instruction ID: ebb16c2ff4732ff0dac296d44be18f9fa43068ec1537023eb539771975224468
Opcode Fuzzy Hash: 97665adaed7005c5f166f1a25ab0ccf2ea1fe0451b2dfafe37d402730a1812d2
Instruction Fuzzy Hash: 7D215CB19002099FDB10DFAAC4457EEBFF8EF89324F14842AD559A7241C7789584CFA5

Function 00E1D649 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E1D6D7

Memory Dump Source

Source File: 00000000.00000002.1730377363.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_Bill Of Lading.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: dc6b97b6bae8bd63a35dfa1a9f6e0e68947211219d22433ac9c448eadd61fedb
Instruction ID: f6693738abbda20e081b2c8e96122f14295c24525adca0d755e63aa53df552d8
Opcode Fuzzy Hash: dc6b97b6bae8bd63a35dfa1a9f6e0e68947211219d22433ac9c448eadd61fedb
Instruction Fuzzy Hash: CA21E3B59002589FDB10CF9AD984ADEBBF9EB48314F14841AE958B7350D374A944CFA4

Function 07AB37A8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 07AB3828

Memory Dump Source

Source File: 00000000.00000002.1734276306.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_Bill Of Lading.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: ca86dc94e026dff7486e6f266fc8e653add68cef8d78bf48f4141d60f00e618b
Instruction ID: abba0fc1f2a4dbc4d2199fb649038c5c8d1f072f8cb33567a13cacd792c97e25
Opcode Fuzzy Hash: ca86dc94e026dff7486e6f266fc8e653add68cef8d78bf48f4141d60f00e618b
Instruction Fuzzy Hash: 8D2128B18002599FCB10DFAAC880ADEFBF5FF48310F10842AE559A7250D7789544CBA5

Function 07AB30E8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07AB3166

Memory Dump Source

Source File: 00000000.00000002.1734276306.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_Bill Of Lading.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 8eb3aba0fbb519cee1c608253eae135126d4cb1f6602079ab93717e0f8e39b76
Instruction ID: 4e36f8d42c72fa74e275e4b6e206766e70e4f383db687663a6c0e90bafa4f37a
Opcode Fuzzy Hash: 8eb3aba0fbb519cee1c608253eae135126d4cb1f6602079ab93717e0f8e39b76
Instruction Fuzzy Hash: 0D2129B1D003099FDB10DFAAC4857EEBBF8EF88324F14842AD559A7241D778A944CFA5

Function 00E1D650 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E1D6D7

Memory Dump Source

Source File: 00000000.00000002.1730377363.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_Bill Of Lading.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7b018d2577eb8eeefa3afd2be4b159032fcd5761b6083504bd14e9ea08830919
Instruction ID: 88e8ec44e693911c00037a31dc12aaca31afd1848b458d687c6f588aa9827713
Opcode Fuzzy Hash: 7b018d2577eb8eeefa3afd2be4b159032fcd5761b6083504bd14e9ea08830919
Instruction Fuzzy Hash: DD21E2B59002489FDB10CFAAD984ADEBBF8FB48320F14841AE958A7350D374A944CFA4

Function 07AB35F1 Relevance: 1.6, APIs: 1, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 07AB3666

Memory Dump Source

Source File: 00000000.00000002.1734276306.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_Bill Of Lading.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 12d429c0de19932dc0a417aed606919e99d88d507b6160bcd874f7cc9592b3f9
Instruction ID: bc21b2d3dbb4698052a98f1845ec1c3032fc5c9587957835daa4ad69710b5e35
Opcode Fuzzy Hash: 12d429c0de19932dc0a417aed606919e99d88d507b6160bcd874f7cc9592b3f9
Instruction Fuzzy Hash: 6B216AB19002489FDF20DFAAD845BEFBFF9EF48320F108819E515A7251C7759540CBA5

Function 072AE130 Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,072AF12A,?,?,?,?,?), ref: 072AF1CF

Memory Dump Source

Source File: 00000000.00000002.1733598354.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_Bill Of Lading.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: e425da8d7b22249f9d90f645c6cf1542d6e23bcb9f3d5e0d321e9b568c0bd53e
Instruction ID: 24426379eea87a1493c00fd8786e3d9494c82b6877abb8fec5cebbc701ea5346
Opcode Fuzzy Hash: e425da8d7b22249f9d90f645c6cf1542d6e23bcb9f3d5e0d321e9b568c0bd53e
Instruction Fuzzy Hash: EA116AB591034D9FDB10DF9AC944BDEBFF8EB48320F14841AE914A7210C379A950CFA4

Function 07AB3030 Relevance: 1.6, APIs: 1, Instructions: 56threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 07AB309A

Memory Dump Source

Source File: 00000000.00000002.1734276306.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_Bill Of Lading.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f33121a6b727af091ff5ad7df6669046b90101c14f9cc9609fff0a7839f17117
Instruction ID: 8e1438cb0f9ee2ef1f320630d539204e8abe7228f49492fa3bc5c42e61ff41e2
Opcode Fuzzy Hash: f33121a6b727af091ff5ad7df6669046b90101c14f9cc9609fff0a7839f17117
Instruction Fuzzy Hash: 0D115BB19002488BCB20DFAAC4457DEFFF5EF88324F10841AD559A7654CB75A544CFA5

Function 07379C10 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNEL32(00000000), ref: 07379C88

Memory Dump Source

Source File: 00000000.00000002.1733665803.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7370000_Bill Of Lading.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: c7d582d0cc4866618b5517fadab83cb3e2f67730ee8ee10d6c53a8853ab6ea5c
Instruction ID: f3ad98f81fd800099aefe28a5b83e7aa9bf0dd2c8aa72c633196d8b5ca68db9b
Opcode Fuzzy Hash: c7d582d0cc4866618b5517fadab83cb3e2f67730ee8ee10d6c53a8853ab6ea5c
Instruction Fuzzy Hash: BB1130B1C0065A9BCB10CF9AD544BDEFBF4FB48320F10822AD818A7240C338A544CFA5

Function 07373C18 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNEL32(00000000), ref: 07379C88

Memory Dump Source

Source File: 00000000.00000002.1733665803.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7370000_Bill Of Lading.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 607582a7e54da09a130d1e44ca8322683e249a769e40fde1f6c3341844c77180
Instruction ID: cb162137182525ca15ffa651f5c3a7310d7c72711d87b97279ca386baa449934
Opcode Fuzzy Hash: 607582a7e54da09a130d1e44ca8322683e249a769e40fde1f6c3341844c77180
Instruction Fuzzy Hash: 791112B1C0465A9BDB10CF9AD544B9EFBF8FB48320F14822AD918B7650D378A944CFA5

Function 07AB35F8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 07AB3666

Memory Dump Source

Source File: 00000000.00000002.1734276306.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_Bill Of Lading.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6fe7e24801aebf128b0a33e1cced830d9e22d6e64e03301a41cc5acecb0b5adf
Instruction ID: 0d52759d52e7f075b449ae4016c4ffc64ba0b4fbbb03a4819ea2902113d0f0a5
Opcode Fuzzy Hash: 6fe7e24801aebf128b0a33e1cced830d9e22d6e64e03301a41cc5acecb0b5adf
Instruction Fuzzy Hash: C51137B19002499FCB20DFAAC844BDFBFF5EF88324F108819E559A7250C775A544CFA5

Function 07AB6E68 Relevance: 1.6, APIs: 1, Instructions: 50windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07AB6ECD

Memory Dump Source

Source File: 00000000.00000002.1734276306.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_Bill Of Lading.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: fe884491bc6c4c51374ca37c9e93d92e09a71fc5d554d3d62ed9161f11fcd058
Instruction ID: 2d9337ee863f45e135b917577592e6fc512c22e8022e094abd714c254f409a90
Opcode Fuzzy Hash: fe884491bc6c4c51374ca37c9e93d92e09a71fc5d554d3d62ed9161f11fcd058
Instruction Fuzzy Hash: 2F1122B5800249DFCB20CF9AD884BDEBFF8EB48320F14881AE518A7601C375A584CFA5

Function 07AB3038 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 07AB309A

Memory Dump Source

Source File: 00000000.00000002.1734276306.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_Bill Of Lading.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c2ce338fb27401c7c54a539cd107221afb97d771cf3ca1b8005b72dc8d3e3f58
Instruction ID: 688023c50bede1ed1d4e7d3012775cf0d26d103af21f8071c515e6f389be2ec3
Opcode Fuzzy Hash: c2ce338fb27401c7c54a539cd107221afb97d771cf3ca1b8005b72dc8d3e3f58
Instruction Fuzzy Hash: 17113AB1D002498FDB20DFAAC4457DEFBF4EF88324F208819D559A7254C775A944CF95

Function 00E1AF58 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00E1AFBE

Memory Dump Source

Source File: 00000000.00000002.1730377363.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_Bill Of Lading.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 05bbc1394c24109bed8436fa32280d549efaf298a9b72136c5831d0bea0570ea
Instruction ID: 401d7c23e14007476113fba7db4bbc55cccab7fda6778e58581d59434edb3426
Opcode Fuzzy Hash: 05bbc1394c24109bed8436fa32280d549efaf298a9b72136c5831d0bea0570ea
Instruction Fuzzy Hash: D41110B5D002498FCB10CF9AC444ADEFBF4AB88328F14842AD419B7614C379A585CFA1

Function 07AB43B4 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07AB6ECD

Memory Dump Source

Source File: 00000000.00000002.1734276306.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_Bill Of Lading.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 8f655e251b254163da8044a605b93fdaef95c757d93e75301760c46947af37a6
Instruction ID: 7bd14c5e7e33a2b7707122850811cdd9564c00149bbd9772aa7d42f3aa295eed
Opcode Fuzzy Hash: 8f655e251b254163da8044a605b93fdaef95c757d93e75301760c46947af37a6
Instruction Fuzzy Hash: 1011F5B5800349DFDB20DF9AC444BEEBBF8EB48324F108459E558A7711C375A944CFA5

Function 00DBD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730072125.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dbd000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60866a5b803803df9565b4a1092e7ea784bfb5efadfed93cd0ba620af2425400
Instruction ID: 4de994efc05e8f39cc61c01685b5e1c9fe5d79fc1606be445e3e964d46ec9599
Opcode Fuzzy Hash: 60866a5b803803df9565b4a1092e7ea784bfb5efadfed93cd0ba620af2425400
Instruction Fuzzy Hash: 01213A71500204DFDB05DF14D9C0B5ABF66FB94314F24C56DD90A4B256D336E856C7B2

Function 00DBD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730072125.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dbd000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81dd33d2efb11930258d3e2e0de82b58a238b47d8f98d7a701c0c0fa437340f8
Instruction ID: a242fb09b194a8beb6d3db92f49330b5d0bf4ce4c3191227a311a38689b50e1e
Opcode Fuzzy Hash: 81dd33d2efb11930258d3e2e0de82b58a238b47d8f98d7a701c0c0fa437340f8
Instruction Fuzzy Hash: 93213471504240DFCB25DF14D9C0B6BBFA6FB98318F24C569E84A0B256D336D856CBB2

Function 00DCD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730145721.0000000000DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dcd000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5a103fbd9890d7a7c69b329d167829c2741cd77380ef42974a3972c0b5ed426
Instruction ID: 4e57dc3a6bb162649ea9fdafa383daaca819a6f3aaa911119e7b3aa96c84fcce
Opcode Fuzzy Hash: d5a103fbd9890d7a7c69b329d167829c2741cd77380ef42974a3972c0b5ed426
Instruction Fuzzy Hash: 5921D071604201DFCB14DF18D984F26BBA6EB84314F24C57DE84A4B296C33AD847DA71

Function 00DCD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730145721.0000000000DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dcd000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f08f2fb76c7c20d4220d8ffc02ce156310c0e3f7a22882d709ee90fc4727cda
Instruction ID: db43dce5c88f35904a525989bf5fefd07e028d06f8124efd4467a35dce89d672
Opcode Fuzzy Hash: 6f08f2fb76c7c20d4220d8ffc02ce156310c0e3f7a22882d709ee90fc4727cda
Instruction Fuzzy Hash: 2F21D071504201EFDB05DF14D984F26FBA6FB84314F24C67DE8494B296C336D846CA75

Function 00DCD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730145721.0000000000DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dcd000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ec66e7335d5070208ff6b7c9c4bbad07dfbdcc16b79ae40e8d4bcb3dac29cf8
Instruction ID: 49da2913797068686ddf83e50e73fda1a21debab811c517c94fc4c7c269cb315
Opcode Fuzzy Hash: 1ec66e7335d5070208ff6b7c9c4bbad07dfbdcc16b79ae40e8d4bcb3dac29cf8
Instruction Fuzzy Hash: 8C2183755093808FDB02CF24D994B15BF71EB46314F28C5EED8498F6A7C33A980ACB62

Function 00DBD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730072125.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dbd000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 3e29c21f3f807216fd93b7ac971cfb3e14ef0f9148f5962a2d95dbb8483e38c5
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 10112672404240CFCB02CF00D5C4B56BF72FB94324F28C6A9DC0A0B256C33AE85ACBA2

Function 00DBD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730072125.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dbd000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: b5062e443f3b06c4ae92693be57d894a856853d01e9dd2b632acb47c4eb2bcd6
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: A311E676504280CFCB16CF14D5C4B56BFB2FB94318F28C6A9DC4A0B656C33AD85ACBA1

Function 00DCD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730145721.0000000000DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_dcd000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 9b8a7f6f47364cb2ba0180311a5d7253fceb56be511b34089c8afa79bd757f3d
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: D9118B76504280DFDB16CF14D9C4B15FBA2FB84314F28C6AED8494B696C33AD84ACB61

Non-executed Functions

Function 07AB73E8 Relevance: .4, Instructions: 394COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1734276306.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a14bc3b4f7e04ce22331b01006cce94453b941c037c4e7d1f8859660146ba872
Instruction ID: 9f51591c1e63d824f9be9735be3e2259dd266ad7f239bd6ae93109545fadcea4
Opcode Fuzzy Hash: a14bc3b4f7e04ce22331b01006cce94453b941c037c4e7d1f8859660146ba872
Instruction Fuzzy Hash: 64E1DEB0B017008FDB29EB69C550BEEB7FAAFC9700F14446AE0159B392DB35E941CB52

Function 07377BD0 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733665803.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7370000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86ddcae8090988b543d05a01b9501d2a1239c2a845b85830772b3ee6b3770939
Instruction ID: d64dad5b3c39a1b23fcb745f29fac6a8e8e0d1d2fbe552c7aa984c502e81b4c4
Opcode Fuzzy Hash: 86ddcae8090988b543d05a01b9501d2a1239c2a845b85830772b3ee6b3770939
Instruction Fuzzy Hash: C0E11BB4E045198FDB24DFA9C5809AEFBB2FF49304F248169E818AB356D734AD41CF60

Function 073784D8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733665803.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7370000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3005212156ab7d9bffee4737e10de14cbdd35513a148100a6f4ec9f79ca21d3
Instruction ID: d4bcfbae0de98c6269cef391bf5d571ff8bc2d90b2a4863d11bd2ce1019d693b
Opcode Fuzzy Hash: d3005212156ab7d9bffee4737e10de14cbdd35513a148100a6f4ec9f79ca21d3
Instruction Fuzzy Hash: 57E11CB4E005198FDB24DFA9C5849AEFBF2FF89304F248169D818AB356D734A941CF61

Function 07378018 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733665803.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7370000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0063bd84060915c465d1d71547550174b3475f8aa6f6fc9ba6b13e4c3d20d795
Instruction ID: b6cfce9cb4d13a6ba588aad973cc38a739e9da6e6688f1f7dab5326af2244fb7
Opcode Fuzzy Hash: 0063bd84060915c465d1d71547550174b3475f8aa6f6fc9ba6b13e4c3d20d795
Instruction Fuzzy Hash: 55E12BB4E105198FDB24DFA9C5849AEFBF2FF89304F248169D818AB356D734A941CF60

Function 07378D88 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733665803.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7370000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a43cadb3bf7497372d74f7c407a045bf95e6111b697c5c86dbb740a94e448519
Instruction ID: 243a4bc3b776379f3fe38d0796106e9c369efc94e13610608b466b3248a2dcf0
Opcode Fuzzy Hash: a43cadb3bf7497372d74f7c407a045bf95e6111b697c5c86dbb740a94e448519
Instruction Fuzzy Hash: BEE12CB4E105198FDB24DFA9C5809AEFBB2FF89304F248169D418AB356D734A941CF61

Function 07AB31C0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1734276306.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe586f4e5ae3a26c87ddcdf4d2284746f935db65a42fa1303873a421eb9f6d6
Instruction ID: 7006eed1bbac39028680a7e73e9faacddb01f34c5f391653ee64014e5d6edf9f
Opcode Fuzzy Hash: abe586f4e5ae3a26c87ddcdf4d2284746f935db65a42fa1303873a421eb9f6d6
Instruction Fuzzy Hash: A1E1EAB4E042198FCB24DF99C5809AEFBF6FF89304F248169D815AB356DB31A941CF61

Function 07AB1138 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1734276306.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43713f19ec978c071031cec57cbb654594a3830253cd5e8c3422b70042268816
Instruction ID: af6270e616c409c2f360ca502fea74c20b9ebdccb123b5346627c20c7426ef70
Opcode Fuzzy Hash: 43713f19ec978c071031cec57cbb654594a3830253cd5e8c3422b70042268816
Instruction Fuzzy Hash: 66E109B4E04219CFCB24DFA9C5909AEFBF6BF89304F248169D814AB356D731A941CF61

Function 07AB0D00 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1734276306.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb228fed8854f63fc1afe4d550fd595c26e0fd857b221f8bab5d6fa2212891b9
Instruction ID: 4903b68f9992cfc05f04598d20f007e128cefbed1c1c18751e25b4bc26e23049
Opcode Fuzzy Hash: cb228fed8854f63fc1afe4d550fd595c26e0fd857b221f8bab5d6fa2212891b9
Instruction Fuzzy Hash: 8CE1FAB4E002198FCB24DFA9C5809AEFBF6BF89304F24C169D815AB356D731A941CF61

Function 07AB1570 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1734276306.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49e855086f2222acbd7bfcfcf70f10b8e52663610c7c4b5e6448cef473ee9408
Instruction ID: c14747f1be684de0bc2414cbe0d9239441b42310e63e3b7399afaeaff3d61691
Opcode Fuzzy Hash: 49e855086f2222acbd7bfcfcf70f10b8e52663610c7c4b5e6448cef473ee9408
Instruction Fuzzy Hash: 2BE10CB4E002198FCB14DFA9C5909AEFBF6FF89304F248159E815AB356D731A941CF61

Function 07AB2810 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1734276306.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eec229906b618ffcf43761e03b75e8a099896d3a26f012e1e4ddd0f7f96077e
Instruction ID: d9b9f4b6d587cb14986052eef1a24465f33192de4d4fa87b7fa162b3147edbc6
Opcode Fuzzy Hash: 8eec229906b618ffcf43761e03b75e8a099896d3a26f012e1e4ddd0f7f96077e
Instruction Fuzzy Hash: DEE1ECB4E042198FCB24DFA9C580AAEFBF6FF89305F24855AD414AB356D730A941CF61

Function 00E1D3C4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730377363.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f0b5a4b94c1a4051547ec38a8602785299a8d13a64a18abb946f97d2470c317
Instruction ID: 67eed93a653465ffd2f494dcbaa6ad65190e11f355ad786ba2b27aab96aeefd5
Opcode Fuzzy Hash: 3f0b5a4b94c1a4051547ec38a8602785299a8d13a64a18abb946f97d2470c317
Instruction Fuzzy Hash: 9EA14A36E002058FCF05DFA5C8445DEB7B2FF89304B15957AE906BB266DB71E986CB80

Function 0737AA10 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733665803.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7370000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a42871a0a82d3e164010140561d34eb12f022267b87d40f960247ff1298b5cc
Instruction ID: 6c875ef18796ab81a1c839fd098a466fc2e3b1834fc29d73d09d84275516aeeb
Opcode Fuzzy Hash: 8a42871a0a82d3e164010140561d34eb12f022267b87d40f960247ff1298b5cc
Instruction Fuzzy Hash: 4C7171B4E016188FDB14DFAAD58499EFBF2FF88300F14D16AE419AB215DB349942CF50

Function 0737A788 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733665803.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7370000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d287023bb277c79c10f79aa9f38916ef08e575a7a8ec216cd745b1e2aa1c3384
Instruction ID: d64bcadea02d938394519aa3a2fb7388d7602819d7316f57d12edcd91d488435
Opcode Fuzzy Hash: d287023bb277c79c10f79aa9f38916ef08e575a7a8ec216cd745b1e2aa1c3384
Instruction Fuzzy Hash: 7B5183B1D012199FDB18DFEAD8446DEBBB6FF89300F10C029E519AB254D7345906CF50

Function 07AB31B1 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1734276306.0000000007AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ab0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b898d85f90d5ce9adcb59f8d35dc4e4608c0aabf64fa369afb566fe5bf1f80d
Instruction ID: bf1e25036e6b1d978646e75d25b9835d1824303597003ccf3d3efc468e6c9fdf
Opcode Fuzzy Hash: 5b898d85f90d5ce9adcb59f8d35dc4e4608c0aabf64fa369afb566fe5bf1f80d
Instruction Fuzzy Hash: EF512EB0E052198FCB14CFA9C5805EEFBF6EF89304F24C169D418AB216DB319A41CFA1

Function 0737A778 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733665803.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7370000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dc054e427b2336aaeca004a28ee47505de9dff28e1ff67e78e27a794e551068
Instruction ID: f5ed49e7b07f9324acb5df3f47667d8b9638040a613fb5eeec960067e6351baf
Opcode Fuzzy Hash: 3dc054e427b2336aaeca004a28ee47505de9dff28e1ff67e78e27a794e551068
Instruction Fuzzy Hash: 3151B4B5E002599FEB18CFEAD88469EFBF6EF88300F24C12AE519AB254D7345945CF50

Function 0737A9FF Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1733665803.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7370000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecba954aa09e01a2b6a7531475e91cb4a95370351ed2f163782d220e6cb71a50
Instruction ID: c218175b148d4e9eeeee3c9088af73ea7cb105e05bda3086e7ba0cb4314b1339
Opcode Fuzzy Hash: ecba954aa09e01a2b6a7531475e91cb4a95370351ed2f163782d220e6cb71a50
Instruction Fuzzy Hash: 02517FB5E006598FDB08DFAAD98469EFBF2BF88300F14C16AD419AB354DB349946CB50

Analysis Process: Bill Of Lading.exePID: 2516, Parent PID: 7096COMMON

Execution Graph

Execution Coverage:	16.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	27.1%
Total number of Nodes:	48
Total number of Limit Nodes:	3

Executed Functions

Function 032D7770 Relevance: 12.2, Strings: 9, Instructions: 914COMMON

Download Yara Rule

Strings

,bq, xrefs: 032D7C10
(o^q, xrefs: 032D7D41
(o^q, xrefs: 032D7869
(o^q, xrefs: 032D77AE
,bq, xrefs: 032D7C20
(o^q, xrefs: 032D7C7F
(o^q, xrefs: 032D7C8F
(o^q, xrefs: 032D7895
(o^q, xrefs: 032D7932

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
API String ID: 0-2735749406
Opcode ID: 4c3335b0e7ce9368b8285dab9cba3151b297545933cd10563eb548b75f0321ad
Instruction ID: 132995b0047885cb52a34833a66eeacae65af812dc9ac5dd89f22494ac8f7c10
Opcode Fuzzy Hash: 4c3335b0e7ce9368b8285dab9cba3151b297545933cd10563eb548b75f0321ad
Instruction Fuzzy Hash: 7A825C30A1064ADFCB14CF68D988AAEBBF6FF48314F198599E4059B3A5D734ED81CB50

Function 032D6998 Relevance: 9.8, Strings: 7, Instructions: 1035COMMON

Download Yara Rule

Strings

Hbq, xrefs: 032D6E22
(o^q, xrefs: 032D72A0
,bq, xrefs: 032D730A
,bq, xrefs: 032D7318
(o^q, xrefs: 032D7292
(o^q, xrefs: 032D75BD
(o^q, xrefs: 032D6F56

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$(o^q$(o^q$,bq$,bq$Hbq
API String ID: 0-1608600535
Opcode ID: f80b3817c24f330d39f1453fbb8fa8aa4ffa90c2c4635eee5f1ffc41fb526b99
Instruction ID: fb5aa43368c4490fa70fb02e3ed0f3762ffa2824acfdcfea1d828de6e6dcb5e2
Opcode Fuzzy Hash: f80b3817c24f330d39f1453fbb8fa8aa4ffa90c2c4635eee5f1ffc41fb526b99
Instruction Fuzzy Hash: 75928270A102199FCB15DF69D844AAEBBF6FF88300F198569E845DB3A5DB34DC81CB90

Function 032D1C58 Relevance: 2.7, Strings: 2, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PH^q, xrefs: 032D1EA3
PH^q, xrefs: 032D1E92

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID: PH^q$PH^q
API String ID: 0-1598597984
Opcode ID: 42970943dfafc1516b3263605e426d81ac33b74cbf82d53c0ff67b42553c5b2b
Instruction ID: 313be32c54b488ac0d4c3d242b3211e528e0235c01bc9cae31b66e4cb4c2117d
Opcode Fuzzy Hash: 42970943dfafc1516b3263605e426d81ac33b74cbf82d53c0ff67b42553c5b2b
Instruction Fuzzy Hash: E981D074E00218CFDB58DFAAD9947ADBBF2BF89300F24806AD419AB354DB746985CF50

Function 016BC168 Relevance: 2.0, APIs: 1, Instructions: 530
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2929385309.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_16b0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bcca47dd1a03c3b4a980ce13f38081b763889cb309c3edd09593b7f58c752a4
Instruction ID: 651a06ff6861d0a55cea1abefe7bd1e579e38162914395619574f918bcda8b62
Opcode Fuzzy Hash: 5bcca47dd1a03c3b4a980ce13f38081b763889cb309c3edd09593b7f58c752a4
Instruction Fuzzy Hash: 32224874E01219CFDB14DFA9D884BDDBBB2BF88300F1485A9E409AB355DB359A86CF50

Function 032D4500 Relevance: .7, Instructions: 745COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7277b311f4ea97529bb7f53d179c69e2a6f72403ba6b900adc3e01c648b7c34f
Instruction ID: 72f11c1c8e6571187d66938da1c37095b0f54014fdb94b98b28f9cf252d2b1e7
Opcode Fuzzy Hash: 7277b311f4ea97529bb7f53d179c69e2a6f72403ba6b900adc3e01c648b7c34f
Instruction Fuzzy Hash: 4B828B74E012298FDB64DF69DD98BDDBBB2BB89300F1481EA940DA7264DB315E85CF40

Function 032D15F8 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73488a9fc01ae4af41fccf0f3022915fb3775cdbec9cbebcbc533a4d0959dc09
Instruction ID: a2ef6d99a4db191847bb3e0cc981658561d31f9432422ae20afee4a7e1485651
Opcode Fuzzy Hash: 73488a9fc01ae4af41fccf0f3022915fb3775cdbec9cbebcbc533a4d0959dc09
Instruction Fuzzy Hash: 85E1CF74E01218CFEB64CFA9D984BDDBBB2BF89300F6080A9D409A7394DB755A85CF15

Function 032DED80 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9c581046eb9ae8867208bd69e2d44fd1054de792fa9bf202ba2bc831afcf72d
Instruction ID: 4003af930baa01f10e14c711f96038b70e6e29ef031114fe3f09ff53d61cf21a
Opcode Fuzzy Hash: f9c581046eb9ae8867208bd69e2d44fd1054de792fa9bf202ba2bc831afcf72d
Instruction Fuzzy Hash: 95C19F74E01218CFDB14DFA9D984B9DBBB2EF89300F6080A9D409AB364DB359E85CF55

Function 016B4F08 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929385309.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_16b0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aabfb6d92984dce0e0ef5affed0d6c4140e44735614fbb9ca2d302695110c74
Instruction ID: 5d55311f8bed9187ec5ce096f4ecdf060e1e9d1d6e4093982a3812af10b42b03
Opcode Fuzzy Hash: 4aabfb6d92984dce0e0ef5affed0d6c4140e44735614fbb9ca2d302695110c74
Instruction Fuzzy Hash: 05C19E74E01218CFDB14DFA9D998B9DBBB2FB89300F2090A9D809A7354DB359E85CF51

Function 016B5367 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929385309.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_16b0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e968837bc198ce3f3c7aa1a768542325e24f6d508f4d644a29f4f7766b7f0746
Instruction ID: a7f8df0a948bf4bdf5576cf67c7c7cfeadba572ca5c704ddffb6ef5121531e6f
Opcode Fuzzy Hash: e968837bc198ce3f3c7aa1a768542325e24f6d508f4d644a29f4f7766b7f0746
Instruction Fuzzy Hash: 26A10470E01208CFEB24DFA9D984BDDBBB1BF88300F209269E509A7395DB745985CF55

Function 016B56AF Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929385309.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_16b0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d90360036da83019f22031fb4115683e3c4114c2014f30b3a7f3b2fe69bad3d8
Instruction ID: c3048318a165e5d5586456a901d4d924040d5f8d77cfcb393b7c53aced71fb24
Opcode Fuzzy Hash: d90360036da83019f22031fb4115683e3c4114c2014f30b3a7f3b2fe69bad3d8
Instruction Fuzzy Hash: AB91F370E01218CFDB10DFA8D988BDCBBB1FF49301F249269E509A7291DB749985CF54

Function 032D15EB Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79a9ed5caa0ad5c1901c66ebeaa26d08aff325c4f12f1a355c170dbff95ae9ee
Instruction ID: 41038c60ef488b7ee3b1e796895560688fa777e17d4f60465407cae6351b7f37
Opcode Fuzzy Hash: 79a9ed5caa0ad5c1901c66ebeaa26d08aff325c4f12f1a355c170dbff95ae9ee
Instruction Fuzzy Hash: 7941C3B0D012098BEB58DFAAD8447DDFBF2BF89300F14D069C418AB294DB755986CF24

Function 032DED70 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cf6628dd82bd58555fa66e42c0ad94b8a5d05728ce78239c447ca9e358568bc
Instruction ID: dc50c355fcc9c117f5487ab3bbfcd87363b51e4d8948456324348ebf584ddf4c
Opcode Fuzzy Hash: 7cf6628dd82bd58555fa66e42c0ad94b8a5d05728ce78239c447ca9e358568bc
Instruction Fuzzy Hash: 9141D370E01209DBEB18CFAAD9446DEFBF2AF89300F24D12AC419BB254DB345946CF54

Function 032D8848 Relevance: 3.3, Strings: 2, Instructions: 786
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 032D936C
$^q, xrefs: 032D938F

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 180823f24952e87f8066b1777a6b92e0e994c026f2b409269af3912e38c076f7
Instruction ID: 951746d0e594f953475c48510b4b147237a45f1ace2ca1af914f54e40cc2155d
Opcode Fuzzy Hash: 180823f24952e87f8066b1777a6b92e0e994c026f2b409269af3912e38c076f7
Instruction Fuzzy Hash: 57625C34A102198FDB25DBA4C864B9EBBB7FF84300F1481ADD10AAB3A5CF359D85DB51

Function 032D65F1 Relevance: 2.7, Strings: 2, Instructions: 224
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,bq, xrefs: 032D66D6
,bq, xrefs: 032D66E0

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID: ,bq$,bq
API String ID: 0-2699258169
Opcode ID: cdd5f5c53595ae172f6b754ab7c76ef9fdcf7af78274b529a396f2410020fa70
Instruction ID: 8a90e9d7c373481a3d621f87ee532da433b0d39aa1a58f720bcf7f66f24c5a75
Opcode Fuzzy Hash: cdd5f5c53595ae172f6b754ab7c76ef9fdcf7af78274b529a396f2410020fa70
Instruction Fuzzy Hash: 3681B434B2010ACFDB14CF69D884A6AF7B6FF88204B998169D405DB3A5DB31EC85CF90

Function 032D2508 Relevance: 2.7, Strings: 2, Instructions: 212
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 032D26E2
(&^q, xrefs: 032D2623

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID: (&^q$(bq
API String ID: 0-1294341849
Opcode ID: 5532e8a45cda144d25f8e8a501848269831aa99b33abceb934627efd24096671
Instruction ID: 3728c8cbb4ba20941f27efc0b63be2354aae79549f6f9c38cb0fddb7db086aba
Opcode Fuzzy Hash: 5532e8a45cda144d25f8e8a501848269831aa99b33abceb934627efd24096671
Instruction Fuzzy Hash: 08716F31F103599BDB15DFB9D8506AEBBB2BF84700F148529D406AB384DF30AD46CB95

Function 032D6130 Relevance: 2.7, Strings: 2, Instructions: 183
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hbq, xrefs: 032D625E
Hbq, xrefs: 032D622B

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID: Hbq$Hbq
API String ID: 0-4258043069
Opcode ID: 76962a4ebb2ee3703d94e582a812d82459d711d7d0b040d2c7888389b9736fc2
Instruction ID: 3c6c9683ff23aab2f9c40810c362bfb872aed65122d41a91ec86aac3024dd7d4
Opcode Fuzzy Hash: 76962a4ebb2ee3703d94e582a812d82459d711d7d0b040d2c7888389b9736fc2
Instruction Fuzzy Hash: D851F0317142568FCB15DF64D858BAABBF6FF89300F488969E8458B381DB78D851CB90

Function 016BC76C Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 016BC8AE

Memory Dump Source

Source File: 00000004.00000002.2929385309.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_16b0000_Bill Of Lading.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9cd412c2e0b31eff8c42b9962e5c553049af4c0538915aadafea2aff62182c98
Instruction ID: 07ca23bd1f0fef4908eda158a2cfdde0f113e80263838275488cb09218898e84
Opcode Fuzzy Hash: 9cd412c2e0b31eff8c42b9962e5c553049af4c0538915aadafea2aff62182c98
Instruction Fuzzy Hash: B3117C74E011099FDB04DFA8D8C4EEDBBB5FB88314F159129E904E7246DB30AA81CB64

Function 032D5F08 Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

d8cq, xrefs: 032D5F60

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID: d8cq
API String ID: 0-3601494702
Opcode ID: c92a8dd90e78c58f1f0f69de9299198c9c885448c45731559ef91acc88f9f290
Instruction ID: 9c70ef016be9df862cb2cad09498a5970e8e78b1650cb1de31ce180c7cd71389
Opcode Fuzzy Hash: c92a8dd90e78c58f1f0f69de9299198c9c885448c45731559ef91acc88f9f290
Instruction Fuzzy Hash: E1417C303106018FC724EB39D858B2ABBE6EF85304F2985ADD5468F7A5EB65EC85CB50

Function 032D82F8 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

4'^q, xrefs: 032D8383

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 2871d2e9cafb3270b8679d2fc5f0db23f72a05e343b6ce37c2e59bf7dd3b913b
Instruction ID: 089ffc9309fcd3c72cb7693d276deb0964fe74068f88ebf3fa373c075f679cc6
Opcode Fuzzy Hash: 2871d2e9cafb3270b8679d2fc5f0db23f72a05e343b6ce37c2e59bf7dd3b913b
Instruction Fuzzy Hash: C14137746102169FCB14DF28D898AAE7BB5FF48310F1440A9F90ACB3A1DB71DC91CB90

Function 032D8640 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

4'^q, xrefs: 032D86BA

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: ab60c94544b51ea2b5e27bcf0e5d0c8011445fcb5ff841470b325f98d4a37fdf
Instruction ID: 5d9d93fb03bc796787d2020962dbea624c02202cd87762115b828f20e3de4fa7
Opcode Fuzzy Hash: ab60c94544b51ea2b5e27bcf0e5d0c8011445fcb5ff841470b325f98d4a37fdf
Instruction Fuzzy Hash: 4921B57572815A8BDB14CE25988477BBBEAEF89320F18842AE511C7244DBB5DC80CBE0

Function 032D5EF8 Relevance: 1.3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

Strings

d8cq, xrefs: 032D5F60

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID: d8cq
API String ID: 0-3601494702
Opcode ID: f368b19643a60556e79eec569a37e3fd94426056762e77829d115e877341051a
Instruction ID: ccdf7ad841669f0412230143cb3567e35ce06d22ec8876335d2aff5fea8d7af7
Opcode Fuzzy Hash: f368b19643a60556e79eec569a37e3fd94426056762e77829d115e877341051a
Instruction Fuzzy Hash: 8811A3302007024FC735DB2DC854B6EBBA6AFC2304F18896CD0568F275EBB1E8898781

Function 032D62A8 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a045e8bc70877f301a5c51a53e3066f581d56bb4a4e7990c86bcc8955db130a
Instruction ID: 15fe92fe9925d6f62424ab6e8a7aa3dd5b0c70b9dcd0e953cdba18e3dd03e483
Opcode Fuzzy Hash: 8a045e8bc70877f301a5c51a53e3066f581d56bb4a4e7990c86bcc8955db130a
Instruction Fuzzy Hash: 6871E3347102128FC719EF79D89863EB7A6BF89601B58846DD906CB395DF34DC82CB91

Function 032D84F8 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80d5f29ba0742006672c081a54b1270e05d0a4da52938f458313bd2be63c3cbf
Instruction ID: 1208b9c7cbe4eac518430ff0a4885e724fbd841a967e68ada68e83fea3ec6e4c
Opcode Fuzzy Hash: 80d5f29ba0742006672c081a54b1270e05d0a4da52938f458313bd2be63c3cbf
Instruction Fuzzy Hash: 18519131B201168FD714DF39D884A7AB7E9FF4936071984A9E406CB365EB70EC81CB90

Function 032D44F0 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db0e6ce1d2e3618d0b2a1f97da853c1f77d804b8508b7ebc930550e8c2208d71
Instruction ID: 9664e589c87eb69042d42f8d262e63d9db7bd2fad192b5629e857cd8cbe3dff3
Opcode Fuzzy Hash: db0e6ce1d2e3618d0b2a1f97da853c1f77d804b8508b7ebc930550e8c2208d71
Instruction Fuzzy Hash: 4A81AD74E012298FDB65DF29DD84BEDBBB2BB89300F1080EAD849A7254DB715E81CF44

Function 032D24F8 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a101208e969660cdefc7e879b95da29266bfc09347219772b61076be3c7415f
Instruction ID: 41c04c3723cab9c6bea7e8a2a3104458f141a5c2d7283dda2c5ae06d8d60c35a
Opcode Fuzzy Hash: 0a101208e969660cdefc7e879b95da29266bfc09347219772b61076be3c7415f
Instruction Fuzzy Hash: F3414271E1030ADBDB15DFA5C890AEEFBF5AF88700F248529E405B7254DB70AD86CB90

Function 032D5858 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cd96ea1e1c95d29f43b2fa01d855cf3113ea52692241298a13e36f39d02ec74
Instruction ID: 3b0488d8914bda6d9458234e5d6a367bb74413570c114c4af529eb928527f78b
Opcode Fuzzy Hash: 9cd96ea1e1c95d29f43b2fa01d855cf3113ea52692241298a13e36f39d02ec74
Instruction Fuzzy Hash: 2941C33061524A9FCF05DF64E848AAF3BA6FB49311F148029F9068B384CB79DDA1CB91

Function 032D8729 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7d15feb5b39a17314724ad508e403c9c67f033a746d9db3259e048fead9967
Instruction ID: 58ac383cda2442cefbaff9392d6e794bb2545a489c2397da1b9c96f7e01d66da
Opcode Fuzzy Hash: 6c7d15feb5b39a17314724ad508e403c9c67f033a746d9db3259e048fead9967
Instruction Fuzzy Hash: 312195357202168BEB24A72AE85873E669BEFC4755F188079D406CB394EF75CCC2D381

Function 0161D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929062044.000000000161D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0161D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_161d000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c784e6da7e02bf656035ca4a1a2a1fd2170936927a991321b4841d3e190eef6
Instruction ID: 52a7cf17e98cb89a1dcc30bbb94badc5fb5f1d4d40cec4ebc5c9f2c64dc02b02
Opcode Fuzzy Hash: 4c784e6da7e02bf656035ca4a1a2a1fd2170936927a991321b4841d3e190eef6
Instruction Fuzzy Hash: 64213471504200DFCB11DF58DDC8B26BBA5FB84314F28C66DD80A4B39AC33AD847CA62

Function 0161D006 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2929062044.000000000161D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0161D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_161d000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7055061061b9af2d13ba7e710bf359ce264583576f66e990ff8f38160fbd550
Instruction ID: 114fe5aa4b3850130584d49b48a0df75bcb343a417a88ab186981a2bee81e6f0
Opcode Fuzzy Hash: a7055061061b9af2d13ba7e710bf359ce264583576f66e990ff8f38160fbd550
Instruction Fuzzy Hash: 26214B715093C09FCB03CF64D994711BF71AB46214F29C5DBD8898F2A7C33A981ACB62

Function 032D26EA Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d6daef8d310f641060795940faa23b174bf4e88d9aa1a67ec8c93ad42246f24
Instruction ID: 36073b2511d0b5a63a789212795bb2a5a06e292b3dcbbfc1da03aa642852e782
Opcode Fuzzy Hash: 9d6daef8d310f641060795940faa23b174bf4e88d9aa1a67ec8c93ad42246f24
Instruction Fuzzy Hash: D81108317182945FCB06AF78981426E3FA3FFC5250B14846AE405DB396CF358D12C7A6

Function 032D2270 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 492c56ebaad160a0076afce1fb234d18623969d370dc29d5dbaa9b9974df8140
Instruction ID: fadd742ab257c10a6db30379e654af5ca48aff2f18a4775d9853f68b1acdb6a9
Opcode Fuzzy Hash: 492c56ebaad160a0076afce1fb234d18623969d370dc29d5dbaa9b9974df8140
Instruction Fuzzy Hash: 0F1167B2810349DFCB10CF99D844BDEBFF4EB48320F248419E558A7251C335A590DFA0

Function 032D1EB9 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 782f1a57d095bc02447db48c7e01dc2589b694103bead35d7f6b0731726a187c
Instruction ID: 0717f64d41a6aaa8d860277a258af451a700afad2d7ceffd2d047c113140f3a0
Opcode Fuzzy Hash: 782f1a57d095bc02447db48c7e01dc2589b694103bead35d7f6b0731726a187c
Instruction Fuzzy Hash: 49113034F101498FDB00DFF8D854B9EBBB5AB48311F00D461E908EB749EB30A9918B51

Function 032D2990 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d5374ad70a6b46eae6dfaeb776606df11a058eed72ce2681ac108794ecf1ef1
Instruction ID: 93fe691b289e0a3e9e79fa133d3a1f0d46920d147d302e4914be8e93ba2e7787
Opcode Fuzzy Hash: 5d5374ad70a6b46eae6dfaeb776606df11a058eed72ce2681ac108794ecf1ef1
Instruction Fuzzy Hash: 5D1153B6800249DFCB20CF9AD844BDEBFF4EB48320F14845AE958A7251D339A594DFA1

Function 032D60B0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cf5f520dad55f5cb1f3b0d77763e5ac863a48e1109027b978503eac00cdd8cf
Instruction ID: 745daef857b886a4b4fc1868e2e26a47d690e938b2b31f615df165ea5b30d5fb
Opcode Fuzzy Hash: 9cf5f520dad55f5cb1f3b0d77763e5ac863a48e1109027b978503eac00cdd8cf
Instruction Fuzzy Hash: FB0126327201196FCB05DE59AC00AAF7B9BEBC9650F188029F505D7380DB71DC518BA4

Function 032D60A0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1825bd297849de6da5f37dbe1b9759a5045a37a8385edb7d61d6a07197ffb59d
Instruction ID: 2c330e48ecdbf358103bbfe0de791d47bbbb8566ce43767d3fceb4925768510c
Opcode Fuzzy Hash: 1825bd297849de6da5f37dbe1b9759a5045a37a8385edb7d61d6a07197ffb59d
Instruction Fuzzy Hash: 35014473A141096FDB01DE95EC01BDF7FAAEBC8340F188029F905C3281DB76D8618BA0

Function 032D947D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25159ec7fb70c867115fb7209687a659ae5073fe0b58d3c83245e820fe6009a1
Instruction ID: e17e80b9609d4075e96cd44f430faf4fdc623ab2034933061eda0d317d88df56
Opcode Fuzzy Hash: 25159ec7fb70c867115fb7209687a659ae5073fe0b58d3c83245e820fe6009a1
Instruction Fuzzy Hash: D0D0673AB40018DFCB049F99E8548DDF7B6FB98221B148116E915E3265C631A925DB94

Function 032D68A1 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb38b4d03f06570add185975f7ce58fdc6318a41fd355466b12f5101562af224
Instruction ID: 67ef12f0de56cf075a0a66c9e7b3ad7995333bcda70b90929ad9681d8ef07182
Opcode Fuzzy Hash: fb38b4d03f06570add185975f7ce58fdc6318a41fd355466b12f5101562af224
Instruction Fuzzy Hash: 5CD05B305583084FC605F778FD5AA567B2AEB50205B944178D0060E39FDF7878568B44

Function 032D68B0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2df66a28edb455d4a581d509b1a59e63f285c5d6a06c941d743fe07c5636633
Instruction ID: 25c5fb416bb3d24332c903fe35ca9dc2137d69b943afe154694f22d24b59d78f
Opcode Fuzzy Hash: d2df66a28edb455d4a581d509b1a59e63f285c5d6a06c941d743fe07c5636633
Instruction Fuzzy Hash: 98C012301483094EC505F769FD49556772EE6902117808530D00A0A39EDF787C9A4794

Non-executed Functions

Function 032DAB20 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87cbcd604159647877a50a177096b6d25abbff61f393d4bbc04b76f8c21a6c44
Instruction ID: 89e31a44ef85978a438131d445459e553f85385b1c3d66d24f47793db5427278
Opcode Fuzzy Hash: 87cbcd604159647877a50a177096b6d25abbff61f393d4bbc04b76f8c21a6c44
Instruction Fuzzy Hash: 31C19F74E01218CFDB14DFA9D984B9DBBB2EF89300F6080A9D409AB365DB359E85CF51

Function 032DAF78 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 677f1f1534433b61fb250fe60f8d2017f1b6de602031cf0cd2857b68bc771dd1
Instruction ID: 5f542700f76a317a507c5bfa0f830104e123d26d23ae92ac3beaa5c1e8f3544e
Opcode Fuzzy Hash: 677f1f1534433b61fb250fe60f8d2017f1b6de602031cf0cd2857b68bc771dd1
Instruction Fuzzy Hash: FEC19E74E01218CFDB54DFA9D994B9DBBB2BF89300F6080A9D409AB364DB359E85CF11

Function 032D2F48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8beaaa131b0931aa7436f51cba12d54ed45a8fb83f7c830490dcebd7089bc29b
Instruction ID: 2e55821f71d9b6a141f3761543da51d6abb9921c3b25b8abb3d46af4783988fa
Opcode Fuzzy Hash: 8beaaa131b0931aa7436f51cba12d54ed45a8fb83f7c830490dcebd7089bc29b
Instruction Fuzzy Hash: 5DC1BF74E01218CFDB54DFA9D984B9DBBB2FB89300F6080A9D409AB364DB359E85CF51

Function 032D33A0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1cb10706b4a9f2d05448f98d7c724dfb9c3d7763837cb2d0f065e5336ce21a0
Instruction ID: be16e31207a933e6618a862d3f457e128eae29f57e81329e59c3cbaf49412027
Opcode Fuzzy Hash: d1cb10706b4a9f2d05448f98d7c724dfb9c3d7763837cb2d0f065e5336ce21a0
Instruction Fuzzy Hash: 58C1A174E01218CFDB54DFA9D984B9DBBB2EF89300F6080A9D409AB364DB359E85CF51

Function 032D37F8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d906ec9ba2ad6746141bca535b9980fad67518a735804ff71c5a9cbe6dd0f4ba
Instruction ID: f6432cb24ffba012f04a8e67d5febc60359135563864cf303315b4779fef4424
Opcode Fuzzy Hash: d906ec9ba2ad6746141bca535b9980fad67518a735804ff71c5a9cbe6dd0f4ba
Instruction Fuzzy Hash: 68C19F74E01218CFDB14DFA9D984B9DBBB2EF89300F6080A9D409AB365DB359E85CF11

Function 032DB3D0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f53fee21d3cf955304e375749c40efc984f659bd86e8087e3c584fc32396387
Instruction ID: 7fc8f8918bc25f5a7851a0741ba4f931db41e726bebc21f4e557be909e5a85fe
Opcode Fuzzy Hash: 6f53fee21d3cf955304e375749c40efc984f659bd86e8087e3c584fc32396387
Instruction Fuzzy Hash: 41C19F74E01218CFDB14DFA9D994B9DBBB2EF89300F6080A9D409AB364DB359E85CF51

Function 032DD238 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0c1d262e72c4c0792e88013a2beea727dcf6d1fff7a9419d1ac691730f4b712
Instruction ID: 2a88286bca967ea9e4a7a94f9e3acb596c6f2a66cbe1a6da06e72994b6b4619b
Opcode Fuzzy Hash: e0c1d262e72c4c0792e88013a2beea727dcf6d1fff7a9419d1ac691730f4b712
Instruction Fuzzy Hash: 02C1AE74E01218CFDB14DFA9D984B9DBBB2EF89300F6080A9D409AB364DB359E85CF51

Function 032DF630 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9d9fcf42fc4344ae1b8dc3f6c763c76e768e78974886936dc15a16f4e1e2a31
Instruction ID: 7ef794db5e797290e7d2895ad9286c1f0646a9a1b4d0b70060fb02c8c079880d
Opcode Fuzzy Hash: b9d9fcf42fc4344ae1b8dc3f6c763c76e768e78974886936dc15a16f4e1e2a31
Instruction Fuzzy Hash: 7EC1AF74E01218CFDB14DFA9D984B9DBBB2EF89300F6080A9D409AB364DB359E85CF15

Function 032D9E18 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cfff80eb73737f6f089827f3697842051aaf5fa3cebabbf76f43fe5276422d4
Instruction ID: 8a9a146ddc5fffde507750f07cf0f73a13a71462692e6106dd86b919e7144b5b
Opcode Fuzzy Hash: 5cfff80eb73737f6f089827f3697842051aaf5fa3cebabbf76f43fe5276422d4
Instruction Fuzzy Hash: CDC1AF74E01218CFDB14DFA9D984B9DBBB2BF89300F6080A9D409AB364DB359E85CF10

Function 032DA270 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19181693975a328cc88b4c46190b72dce7d1fc140acd5f6d1a93ef878c3f0bf8
Instruction ID: f95d9326cdd4f7c5c9f3b54b54d44e6af8fd7d8327148e706debf9a1db41e501
Opcode Fuzzy Hash: 19181693975a328cc88b4c46190b72dce7d1fc140acd5f6d1a93ef878c3f0bf8
Instruction Fuzzy Hash: A0C19F74E01218CFDB54DFA9D984B9DBBB2EB89300F6080A9D409AB364DB359E85CF51

Function 032DFA88 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eb243cdaa0e047fa21eca905afd909cf3f73855e6aaba9098b677a020406371
Instruction ID: 8871bb179f6a0703648fceb2d88f634d48c77b15d99b6e213b16be0b9a21a696
Opcode Fuzzy Hash: 9eb243cdaa0e047fa21eca905afd909cf3f73855e6aaba9098b677a020406371
Instruction Fuzzy Hash: F5C1B074E01218CFDB14DFA9D984B9DBBB2EF89300F5080A9D409AB365DB359E85CF54

Function 032DD690 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d01c9a87c41f9cab9ef61364d73dd54beb564c1bbfec60a25277202576940633
Instruction ID: 8f04ee894761ec0405a320746b1f94253a1749091ec7f7ffc50e9ce8aa7458f4
Opcode Fuzzy Hash: d01c9a87c41f9cab9ef61364d73dd54beb564c1bbfec60a25277202576940633
Instruction Fuzzy Hash: 09C19074E01218CFDB14DFA9D994B9DBBB2EF89300F5080A9D809AB364DB355E85CF51

Function 032D2AF0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54fe92b75829e5f95ce33b10334c5972e8a77d1a85cc186af646e25e7b8e04a3
Instruction ID: 9c2a0c1672f65d7e76ff648880271d8ff8f0043b8735c5866fedbf0596449e65
Opcode Fuzzy Hash: 54fe92b75829e5f95ce33b10334c5972e8a77d1a85cc186af646e25e7b8e04a3
Instruction Fuzzy Hash: 88C1A174E01218CFDB14DFA9D984B9DBBB2EF89300F6084A9D809AB364DB355E85CF51

Function 032DA6C8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe1f287698b37d9d1388390475b8fbad3f604cac795f125236636c4e2310057f
Instruction ID: 1cccf52b7c54cb8d3a6c928ffaf7fc8cd261ebbb0c4bd953518669283ae605be
Opcode Fuzzy Hash: fe1f287698b37d9d1388390475b8fbad3f604cac795f125236636c4e2310057f
Instruction Fuzzy Hash: 5BC19E74E01218CFDB14DFA9D984B9DBBB2BF89300F6081A9D409AB364DB359E85CF51

Function 032DE928 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c16561df1605ce058a743cba347528ea35577a33956465825376f56f65c66b5
Instruction ID: eb2535f1b84b39e6055a2b6f3f22c27cdd8ac4236f64f71eeb745455513337da
Opcode Fuzzy Hash: 4c16561df1605ce058a743cba347528ea35577a33956465825376f56f65c66b5
Instruction Fuzzy Hash: CAC19F74E01218CFDB14DFA9D994B9DBBB2BF89300F6080A9D409AB364DB359E85CF11

Function 032DC530 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d128045a6a4ca6aa310e702988b855716f30e8b7c324e673cb3d190588550b
Instruction ID: eecff105c318205d2d5f7311a8009e9cfb9025d402d12c2b351841af04e9d227
Opcode Fuzzy Hash: a3d128045a6a4ca6aa310e702988b855716f30e8b7c324e673cb3d190588550b
Instruction Fuzzy Hash: A7C19F74E01218CFDB14DFA9D984B9DBBB2EF89300F6080A9D409AB364DB359E85CF51

Function 032D0D48 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abef0e7caa41ee47d48710791eabe9fa58fd6e0d4adaba0b39135c5e13948fe1
Instruction ID: 691097bd5991389e7d74b40a635ef3573b48047e6c55eb5eb0669ee610be6f5d
Opcode Fuzzy Hash: abef0e7caa41ee47d48710791eabe9fa58fd6e0d4adaba0b39135c5e13948fe1
Instruction Fuzzy Hash: DFC19174E01218CFDB54DFA9D984B9DBBB2FB89300F5080A9D409AB364DB359E85CF51

Function 032D11A0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86af55db4b91e59ad0db9b4ae205976c8a905f455e4baa6439eee223b981be7e
Instruction ID: 6d4985897b38ea17a769f5ce427fa8ab4127aea78456225f1872c79f75d74dda
Opcode Fuzzy Hash: 86af55db4b91e59ad0db9b4ae205976c8a905f455e4baa6439eee223b981be7e
Instruction Fuzzy Hash: CEC19074E01218CFDB54DFA9D984B9DBBB2FB89300F5080A9D809AB364DB359E85CF11

Function 032DC988 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d0b772c8c6388b9ff055f4028f9ab541f663652446f02ab91de1d74d86b0ed8
Instruction ID: df5f9fdfc7b78e02afee8348c39fab53ee27d231d4d8aa8105620ac6be2ad600
Opcode Fuzzy Hash: 7d0b772c8c6388b9ff055f4028f9ab541f663652446f02ab91de1d74d86b0ed8
Instruction Fuzzy Hash: 91C19F74E01218CFDB54DFA9D994B9DBBB2EF89300F6080A9D409AB364DB359E85CF11

Function 032DCDE0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b08241555fb796624f457d9e0b7fe11e089899ccd81052e149cabc660c3fc3c2
Instruction ID: dc45bd11486dd5d44bcbae82430aa643e8b66c46459d0903fbb7527d6f9ea92f
Opcode Fuzzy Hash: b08241555fb796624f457d9e0b7fe11e089899ccd81052e149cabc660c3fc3c2
Instruction Fuzzy Hash: 26C19174E01218CFDB14DFA9D984B9DBBB2EF89300F5080A9D409AB364DB359E85CF51

Function 032DF1D8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08f037b1abae45f8fe0d85c40f6c5164f7bb346027ed355203b75f58802dd504
Instruction ID: 8261bbe35373e12331bc16386de0c24c25d365d2087470d65629f169b009e8ee
Opcode Fuzzy Hash: 08f037b1abae45f8fe0d85c40f6c5164f7bb346027ed355203b75f58802dd504
Instruction Fuzzy Hash: 6FC1AF74E01218CFDB14DFA9D984B9DBBB2EF89300F6080A9D409AB364DB359E85CF15

Function 032DB828 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c5b86c52ccfb5b5ad626c90c5829e3f54922049747e10245c52930de7f5af6a
Instruction ID: f604c007ce89739219d7fe63da7d01a4f37d58e9f0e74f2b28f399e68e92b541
Opcode Fuzzy Hash: 3c5b86c52ccfb5b5ad626c90c5829e3f54922049747e10245c52930de7f5af6a
Instruction Fuzzy Hash: 8DC19D74E01218CFDB14DFA9D994B9DBBB2BF89300F6080A9D409AB364DB359E85CF11

Function 032DDC20 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13ab7c97e2f6771dc86fc3343853fcbe0d60d92d580759aa1f080c9f1b61d9b4
Instruction ID: db7c25b9bf5b81bafbf8f87a8f79f3475da03005188d57529f56eead73e89d82
Opcode Fuzzy Hash: 13ab7c97e2f6771dc86fc3343853fcbe0d60d92d580759aa1f080c9f1b61d9b4
Instruction Fuzzy Hash: F2C1AF74E01218CFDB14DFA9D984B9DBBB2EF89300F6080A9D409AB365DB359E85CF51

Function 032DE078 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05dc45b0d31316cd3626bdef686c34c78332db804c2dad7daa85252b0bde6769
Instruction ID: f37338b2d671b80f80d0cca5639c6fb5a1e12ebc0cae4cb7fd0f083ae834bbe5
Opcode Fuzzy Hash: 05dc45b0d31316cd3626bdef686c34c78332db804c2dad7daa85252b0bde6769
Instruction Fuzzy Hash: A1C19E74E01218CFDB14DFA9D984B9DBBB2AF89300F6080A9D409AB365DB359E85CF51

Function 032D0040 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e63b927a4451e12bbc5f214c9d8e644a71ce5183bbebf412c16b9fc2540ea8e8
Instruction ID: e329114a929ccd4dc2999235c1a6f2737a639f891ea616f707fe2e4ff3bccf1f
Opcode Fuzzy Hash: e63b927a4451e12bbc5f214c9d8e644a71ce5183bbebf412c16b9fc2540ea8e8
Instruction Fuzzy Hash: C7C19F74E01218CFDB14DFA9D994B9DBBB2BB89300F5080A9D809AB365DB359E85CF11

Function 032D3C50 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07e334dffb42d609e2705bcab8ec1bfc10f6222effdee30e445da700b1ce88e7
Instruction ID: 53226f130b381bc69c552d4a8768168ff9c1f7fd4326d380cb37cfaccd76ada3
Opcode Fuzzy Hash: 07e334dffb42d609e2705bcab8ec1bfc10f6222effdee30e445da700b1ce88e7
Instruction Fuzzy Hash: 75C19F74E01218CFDB14DFA9D984B9DBBB2EF89300F5080A9D809AB364DB359E85CF51

Function 032D40A8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ade87458e8b85d42c58f5529b78c5d24f6f15d635f1505fcaa69367c3631543e
Instruction ID: 6337378fc3497520b4a0e95c74d3c3c05bce0c2c1f9311eeaa0980c0985d12a7
Opcode Fuzzy Hash: ade87458e8b85d42c58f5529b78c5d24f6f15d635f1505fcaa69367c3631543e
Instruction Fuzzy Hash: 4CC1AE74E01218CFDB14DFA9D984B9DBBB2BF89300F6080A9D409AB365DB359E85CF11

Function 032DBC80 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 493eda5030623a7bc097fa8491f9da1042394b0c25b9045abcdbde286e828e6b
Instruction ID: 739293f89e457733ff261bb598e8bac456572424b0dd85803657d79ad5eca5a2
Opcode Fuzzy Hash: 493eda5030623a7bc097fa8491f9da1042394b0c25b9045abcdbde286e828e6b
Instruction Fuzzy Hash: 0DC1A074E01218CFDB14DFA9D994B9DBBB2EF89300F5080A9D409AB364DB355E85CF50

Function 032D0498 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 202d6c844ad8e311b88fa16b18c12f3ee7c91bbfae9444fd903ebd3943a35e53
Instruction ID: 0cd15dcec413a8e204632eed061d8d2b45a4987fdeb89e67a1a0aa461c96c03e
Opcode Fuzzy Hash: 202d6c844ad8e311b88fa16b18c12f3ee7c91bbfae9444fd903ebd3943a35e53
Instruction Fuzzy Hash: 5FC19074E01218CFDB14DFA9D984B9DBBB2FB89300F5080A9D809AB364DB359E85CF51

Function 032D08F0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2abd23c9b3b2dd8cc7f40f73e1bb35ef82902195359e124f75f250e3a6b58fe8
Instruction ID: ba3a8b246913c1d2434b5350b09d5db7351cb203756d30863dbc5f53588adaf0
Opcode Fuzzy Hash: 2abd23c9b3b2dd8cc7f40f73e1bb35ef82902195359e124f75f250e3a6b58fe8
Instruction Fuzzy Hash: 64C19074E01218CFDB14DFA9D994B9DBBB2FB89304F6080A9D809A7364DB355E85CF11

Function 032DC0D8 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1650a2db61f49232a2dc9c4d9ca14f5ee62cce6bc5a8c54fbc045292279ceb7d
Instruction ID: 90dff078054a0c1c5a78945df06a9fcab0414b61e7e15ce3b5377f0d0adab793
Opcode Fuzzy Hash: 1650a2db61f49232a2dc9c4d9ca14f5ee62cce6bc5a8c54fbc045292279ceb7d
Instruction Fuzzy Hash: 88C19E74E01218CFDB54DFA9D984B9DBBB2EF89300F6080A9D409AB364DB359E85CF11

Function 032DE4D0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2930495061.00000000032D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_32d0000_Bill Of Lading.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26bc84d6b9d3a88e2badd7361d841559523568c8f89f662d6afd90a59e052950
Instruction ID: 8690844b2804f8206dd1c49ce1677b260fe219c5ec0137230afe83e0c1c15148
Opcode Fuzzy Hash: 26bc84d6b9d3a88e2badd7361d841559523568c8f89f662d6afd90a59e052950
Instruction Fuzzy Hash: A6C19E74E01218CFDB54DFA9D984B9DBBB2BF89300F6080A9D409AB364DB359E85CF51

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Bill Of Lading.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Bill Of Lading.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ikhewcja.44a.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lefng4a4.n3e.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s3sovwsg.x3n.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wdss2j2m.moh.psm1

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
Bill Of Lading.exe

Function 072AE100 Relevance: 6.9, Strings: 5, Instructions: 627
COMMON

Function 00E1D3F8 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Function 00E1D408 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 07AB3934 Relevance: 1.7, APIs: 1, Instructions: 249
processCOMMON

Function 07AB3940 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre