Source: 2.2.InstallUtil.exe.150000.0.unpack |
String decryptor: xwram1.duckdns.org |
Source: 2.2.InstallUtil.exe.150000.0.unpack |
String decryptor: 58345 |
Source: 2.2.InstallUtil.exe.150000.0.unpack |
String decryptor: <123456789> |
Source: 2.2.InstallUtil.exe.150000.0.unpack |
String decryptor: <Xwormmm> |
Source: 2.2.InstallUtil.exe.150000.0.unpack |
String decryptor: PC |
Source: 2.2.InstallUtil.exe.150000.0.unpack |
String decryptor: USB.exe |
Source: |
Binary string: O.pdb source: InstallUtil.exe, 00000002.00000002.2672902175.00000000004F7000.00000004.00000010.00020000.00000000.sdmp |
Source: |
Binary string: C:\Windows\InstallUtil.pdbpdbtil.pdb source: InstallUtil.exe, 00000002.00000002.2673359642.00000000007F3000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: @zo.pdb source: InstallUtil.exe, 00000002.00000002.2672902175.00000000004F7000.00000004.00000010.00020000.00000000.sdmp |
Source: |
Binary string: C:\Windows\System.pdbpdbtem.pdb source: InstallUtil.exe, 00000002.00000002.2673359642.000000000086D000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\dll\System.pdb source: InstallUtil.exe, 00000002.00000002.2673359642.0000000000808000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: Osymbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2672902175.00000000004F7000.00000004.00000010.00020000.00000000.sdmp |
Source: |
Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: InstallUtil.exe, 00000002.00000002.2673359642.0000000000828000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2673359642.000000000086D000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Bill of Lading.exe, 00000000.00000002.1446605944.0000000003731000.00000004.00000800.00020000.00000000.sdmp, Bill of Lading.exe, 00000000.00000002.1448721171.0000000005250000.00000004.08000000.00040000.00000000.sdmp, Bill of Lading.exe, 00000000.00000002.1438152349.0000000002D2C000.00000004.00000800.00020000.00000000.sdmp, Bill of Lading.exe, 00000000.00000002.1446605944.00000000037AD000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2673359642.0000000000808000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Bill of Lading.exe, 00000000.00000002.1446605944.0000000003731000.00000004.00000800.00020000.00000000.sdmp, Bill of Lading.exe, 00000000.00000002.1448721171.0000000005250000.00000004.08000000.00040000.00000000.sdmp, Bill of Lading.exe, 00000000.00000002.1438152349.0000000002D2C000.00000004.00000800.00020000.00000000.sdmp, Bill of Lading.exe, 00000000.00000002.1446605944.00000000037AD000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000002.00000002.2673359642.0000000000828000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: InstallUtil.pdbllUtil.pdbpdbtil.pdb.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2672902175.00000000004F7000.00000004.00000010.00020000.00000000.sdmp |
Source: |
Binary string: protobuf-net.pdbSHA256}Lq source: Bill of Lading.exe, 00000000.00000002.1448275354.0000000005150000.00000004.08000000.00040000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2673359642.000000000086D000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.PDB source: InstallUtil.exe, 00000002.00000002.2673359642.000000000086D000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: protobuf-net.pdb source: Bill of Lading.exe, 00000000.00000002.1448275354.0000000005150000.00000004.08000000.00040000.00000000.sdmp |
Source: |
Binary string: ?zoC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2672902175.00000000004F7000.00000004.00000010.00020000.00000000.sdmp |
Source: |
Binary string: InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2673359642.0000000000828000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\System.pdbP% source: InstallUtil.exe, 00000002.00000002.2673359642.000000000086D000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: HPno8C:\Windows\InstallUtil.pdbWH source: InstallUtil.exe, 00000002.00000002.2672902175.00000000004F7000.00000004.00000010.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2673359642.0000000000808000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: System.pdb source: InstallUtil.exe, 00000002.00000002.2673359642.0000000000828000.00000004.00000020.00020000.00000000.sdmp |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 4x nop then jmp 051B252Dh |
0_2_051B2440 |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h |
0_2_051B1468 |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h |
0_2_051B1460 |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 4x nop then jmp 051B252Dh |
0_2_051B24F3 |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 4x nop then jmp 051B252Dh |
0_2_051B26AB |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 4x nop then jmp 051F5D61h |
0_2_051F5D00 |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 4x nop then jmp 051F5D61h |
0_2_051F5CF0 |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 4x nop then jmp 051FD400h |
0_2_051FD348 |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 4x nop then jmp 051FD400h |
0_2_051FD340 |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 4x nop then jmp 051F5D61h |
0_2_051F5ECF |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h |
0_2_052DDA10 |
Source: Bill of Lading.exe, 00000000.00000002.1438152349.0000000002731000.00000004.00000800.00020000.00000000.sdmp, Bill of Lading.exe, 00000000.00000002.1438152349.0000000002D2C000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: Bill of Lading.exe, 00000000.00000002.1448275354.0000000005150000.00000004.08000000.00040000.00000000.sdmp |
String found in binary or memory: https://github.com/mgravell/protobuf-net |
Source: Bill of Lading.exe, 00000000.00000002.1446605944.0000000003911000.00000004.00000800.00020000.00000000.sdmp, Bill of Lading.exe, 00000000.00000002.1448275354.0000000005150000.00000004.08000000.00040000.00000000.sdmp |
String found in binary or memory: https://github.com/mgravell/protobuf-netJ |
Source: Bill of Lading.exe, 00000000.00000002.1448275354.0000000005150000.00000004.08000000.00040000.00000000.sdmp |
String found in binary or memory: https://github.com/mgravell/protobuf-neti |
Source: Bill of Lading.exe, 00000000.00000002.1448275354.0000000005150000.00000004.08000000.00040000.00000000.sdmp |
String found in binary or memory: https://stackoverflow.com/q/11564914/23354; |
Source: Bill of Lading.exe, 00000000.00000002.1438152349.0000000002731000.00000004.00000800.00020000.00000000.sdmp, Bill of Lading.exe, 00000000.00000002.1448275354.0000000005150000.00000004.08000000.00040000.00000000.sdmp |
String found in binary or memory: https://stackoverflow.com/q/14436606/23354 |
Source: Bill of Lading.exe, 00000000.00000002.1448275354.0000000005150000.00000004.08000000.00040000.00000000.sdmp |
String found in binary or memory: https://stackoverflow.com/q/2152978/23354 |
Source: 0.2.Bill of Lading.exe.2dbc814.0.unpack, type: UNPACKEDPE |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 2.2.InstallUtil.exe.150000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 0.2.Bill of Lading.exe.2dbc814.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 00000002.00000002.2672720208.0000000000152000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 00000000.00000002.1438152349.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 0_2_00BD9D68 |
0_2_00BD9D68 |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 0_2_00BD62F8 |
0_2_00BD62F8 |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 0_2_00BD6308 |
0_2_00BD6308 |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 0_2_00BD58B8 |
0_2_00BD58B8 |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 0_2_00BD58A9 |
0_2_00BD58A9 |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 0_2_050D18E2 |
0_2_050D18E2 |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 0_2_050D1C17 |
0_2_050D1C17 |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 0_2_050D2AF8 |
0_2_050D2AF8 |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 0_2_050E7AF8 |
0_2_050E7AF8 |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 0_2_050E0006 |
0_2_050E0006 |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 0_2_050E0040 |
0_2_050E0040 |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 0_2_050E806F |
0_2_050E806F |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 0_2_050E6678 |
0_2_050E6678 |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 0_2_050E6688 |
0_2_050E6688 |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 0_2_050E129F |
0_2_050E129F |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 0_2_050E12B0 |
0_2_050E12B0 |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 0_2_050E7AEA |
0_2_050E7AEA |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 0_2_051B2440 |
0_2_051B2440 |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 0_2_051BA558 |
0_2_051BA558 |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 0_2_051BA549 |
0_2_051BA549 |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 0_2_051B24F3 |
0_2_051B24F3 |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 0_2_051B26AB |
0_2_051B26AB |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 0_2_051F79B0 |
0_2_051F79B0 |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 0_2_051FBA28 |
0_2_051FBA28 |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 0_2_051F7D97 |
0_2_051F7D97 |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 0_2_051F79A0 |
0_2_051F79A0 |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 0_2_051FB9D0 |
0_2_051FB9D0 |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 0_2_051FCF88 |
0_2_051FCF88 |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 0_2_051F8FD9 |
0_2_051F8FD9 |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 0_2_051F23F8 |
0_2_051F23F8 |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 0_2_051F8FE8 |
0_2_051F8FE8 |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 0_2_051FBA18 |
0_2_051FBA18 |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 0_2_052B0006 |
0_2_052B0006 |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 0_2_052B0040 |
0_2_052B0040 |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 0_2_052D0006 |
0_2_052D0006 |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 0_2_052D0040 |
0_2_052D0040 |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 0_2_052DF648 |
0_2_052DF648 |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 0_2_05550040 |
0_2_05550040 |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 0_2_05550006 |
0_2_05550006 |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Code function: 0_2_0556D220 |
0_2_0556D220 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Code function: 2_2_009D0EE0 |
2_2_009D0EE0 |
Source: Bill of Lading.exe, 00000000.00000002.1446605944.0000000003911000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Bill of Lading.exe |
Source: Bill of Lading.exe, 00000000.00000002.1446605944.0000000003731000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Bill of Lading.exe |
Source: Bill of Lading.exe, 00000000.00000002.1448721171.0000000005250000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Bill of Lading.exe |
Source: Bill of Lading.exe, 00000000.00000002.1438152349.0000000002731000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilename vs Bill of Lading.exe |
Source: Bill of Lading.exe, 00000000.00000002.1449018047.00000000055D2000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilename70filecrypt.exe8 vs Bill of Lading.exe |
Source: Bill of Lading.exe, 00000000.00000002.1438152349.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenamefiletocrypt.exe4 vs Bill of Lading.exe |
Source: Bill of Lading.exe, 00000000.00000002.1437324458.00000000006AE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameclr.dllT vs Bill of Lading.exe |
Source: Bill of Lading.exe, 00000000.00000002.1447539886.0000000004BF0000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenameQijjyabe.dll" vs Bill of Lading.exe |
Source: Bill of Lading.exe, 00000000.00000002.1438152349.0000000002D2C000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Bill of Lading.exe |
Source: Bill of Lading.exe, 00000000.00000000.1427214065.0000000000208000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilename70filecrypt.exe8 vs Bill of Lading.exe |
Source: Bill of Lading.exe, 00000000.00000002.1446605944.00000000037AD000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Bill of Lading.exe |
Source: Bill of Lading.exe, 00000000.00000002.1446605944.00000000037AD000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilename70filecrypt.exe8 vs Bill of Lading.exe |
Source: Bill of Lading.exe, 00000000.00000002.1448275354.0000000005150000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Bill of Lading.exe |
Source: Bill of Lading.exe |
Binary or memory string: OriginalFilename70filecrypt.exe8 vs Bill of Lading.exe |
Source: 0.2.Bill of Lading.exe.2dbc814.0.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 2.2.InstallUtil.exe.150000.0.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 0.2.Bill of Lading.exe.2dbc814.0.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 00000002.00000002.2672720208.0000000000152000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 00000000.00000002.1438152349.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, ITaskFolder.cs |
Task registration methods: 'RegisterTaskDefinition', 'RegisterTask' |
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, TaskFolder.cs |
Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder' |
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, Task.cs |
Task registration methods: 'RegisterChanges', 'CreateTask' |
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, TaskService.cs |
Task registration methods: 'CreateFromToken' |
Source: 0.2.Bill of Lading.exe.37ad5b0.5.raw.unpack, ITaskFolder.cs |
Task registration methods: 'RegisterTaskDefinition', 'RegisterTask' |
Source: 0.2.Bill of Lading.exe.37ad5b0.5.raw.unpack, TaskFolder.cs |
Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder' |
Source: 0.2.Bill of Lading.exe.375d590.4.raw.unpack, Task.cs |
Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections) |
Source: 0.2.Bill of Lading.exe.375d590.4.raw.unpack, User.cs |
Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type) |
Source: 0.2.Bill of Lading.exe.37ad5b0.5.raw.unpack, User.cs |
Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type) |
Source: 0.2.Bill of Lading.exe.37ad5b0.5.raw.unpack, TaskPrincipal.cs |
Security API names: System.Security.Principal.WindowsIdentity.GetCurrent() |
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, TaskPrincipal.cs |
Security API names: System.Security.Principal.WindowsIdentity.GetCurrent() |
Source: 0.2.Bill of Lading.exe.37ad5b0.5.raw.unpack, TaskFolder.cs |
Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections) |
Source: 0.2.Bill of Lading.exe.37ad5b0.5.raw.unpack, Task.cs |
Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections) |
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, Task.cs |
Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections) |
Source: 0.2.Bill of Lading.exe.375d590.4.raw.unpack, TaskFolder.cs |
Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections) |
Source: 0.2.Bill of Lading.exe.375d590.4.raw.unpack, TaskPrincipal.cs |
Security API names: System.Security.Principal.WindowsIdentity.GetCurrent() |
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, TaskSecurity.cs |
Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges() |
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, TaskSecurity.cs |
Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule) |
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, User.cs |
Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type) |
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, TaskFolder.cs |
Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections) |
Source: 0.2.Bill of Lading.exe.375d590.4.raw.unpack, TaskSecurity.cs |
Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges() |
Source: 0.2.Bill of Lading.exe.375d590.4.raw.unpack, TaskSecurity.cs |
Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule) |
Source: 0.2.Bill of Lading.exe.37ad5b0.5.raw.unpack, TaskSecurity.cs |
Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges() |
Source: 0.2.Bill of Lading.exe.37ad5b0.5.raw.unpack, TaskSecurity.cs |
Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule) |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Section loaded: mscoree.dll |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Section loaded: version.dll |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Section loaded: vcruntime140_clr0400.dll |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Section loaded: ucrtbase_clr0400.dll |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Section loaded: cryptsp.dll |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Section loaded: rsaenh.dll |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Section loaded: cryptbase.dll |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Section loaded: amsi.dll |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Section loaded: userenv.dll |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Section loaded: msasn1.dll |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Section loaded: gpapi.dll |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Section loaded: ntmarta.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Section loaded: mscoree.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Section loaded: version.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Section loaded: vcruntime140_clr0400.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Section loaded: ucrtbase_clr0400.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Section loaded: uxtheme.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Section loaded: wtsapi32.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Section loaded: winsta.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Section loaded: cryptsp.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Section loaded: rsaenh.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Section loaded: cryptbase.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Section loaded: sspicli.dll |
Source: Bill of Lading.exe, Pobwultsfy.cs |
.Net Code: Atghiyyrxmt System.AppDomain.Load(byte[]) |
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, ReflectionHelper.cs |
.Net Code: InvokeMethod |
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, ReflectionHelper.cs |
.Net Code: InvokeMethod |
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, XmlSerializationHelper.cs |
.Net Code: ReadObjectProperties |
Source: 0.2.Bill of Lading.exe.37ad5b0.5.raw.unpack, ReflectionHelper.cs |
.Net Code: InvokeMethod |
Source: 0.2.Bill of Lading.exe.37ad5b0.5.raw.unpack, ReflectionHelper.cs |
.Net Code: InvokeMethod |
Source: 0.2.Bill of Lading.exe.37ad5b0.5.raw.unpack, XmlSerializationHelper.cs |
.Net Code: ReadObjectProperties |
Source: 0.2.Bill of Lading.exe.375d590.4.raw.unpack, ReflectionHelper.cs |
.Net Code: InvokeMethod |
Source: 0.2.Bill of Lading.exe.375d590.4.raw.unpack, ReflectionHelper.cs |
.Net Code: InvokeMethod |
Source: 0.2.Bill of Lading.exe.375d590.4.raw.unpack, XmlSerializationHelper.cs |
.Net Code: ReadObjectProperties |
Source: 0.2.Bill of Lading.exe.4bf0000.6.raw.unpack, JUTfQANoJH8bQj3LXjk.cs |
High entropy of concatenated method names: 'Ls5NPVJpxq', 'tAx4HJDc91PxEjiFKyw', 'J7NqPAD0gUZWL2dejci', 'ofollVDj9AYnZIOTl6y', 'fhAaFCDXuQfTche8IAx', 'A3D0nEDuIBIdvNTZWu4', 'AyoaSADhyZm8WdtqTuV' |
Source: 0.2.Bill of Lading.exe.4bf0000.6.raw.unpack, P5YM9AGvh3to0BuV5X9.cs |
High entropy of concatenated method names: 'RtlInitUnicodeString', 'LdrLoadDll', 'RtlZeroMemory', 'NtQueryInformationProcess', 'OP2G1GjBoN', 'NtProtectVirtualMemory', 'NNjdnuSPQWnbU8taRc7', 'E8r9e6SZhLbYv6WW1qA', 'VsQjBsSoVleDmwpI4is', 'hXlawlSBdu4LXtYKVoD' |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Memory allocated: B90000 memory reserve | memory write watch |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Memory allocated: 2730000 memory reserve | memory write watch |
Source: C:\Users\user\Desktop\Bill of Lading.exe |
Memory allocated: 2530000 memory reserve | memory write watch |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Memory allocated: 9D0000 memory reserve | memory write watch |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Memory allocated: 23C0000 memory reserve | memory write watch |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Memory allocated: 43C0000 memory reserve | memory write watch |
Source: Yara match |
File source: 0.2.Bill of Lading.exe.2dbc814.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.InstallUtil.exe.150000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.Bill of Lading.exe.2dbc814.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000002.00000002.2672720208.0000000000152000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.1438152349.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: Bill of Lading.exe PID: 2080, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: InstallUtil.exe PID: 1036, type: MEMORYSTR |