Source: 2.2.InstallUtil.exe.150000.0.unpack | String decryptor: xwram1.duckdns.org |
Source: 2.2.InstallUtil.exe.150000.0.unpack | String decryptor: 58345 |
Source: 2.2.InstallUtil.exe.150000.0.unpack | String decryptor: <123456789> |
Source: 2.2.InstallUtil.exe.150000.0.unpack | String decryptor: <Xwormmm> |
Source: 2.2.InstallUtil.exe.150000.0.unpack | String decryptor: PC |
Source: 2.2.InstallUtil.exe.150000.0.unpack | String decryptor: USB.exe |
Source: | Binary string: O.pdb source: InstallUtil.exe, 00000002.00000002.2672902175.00000000004F7000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: C:\Windows\InstallUtil.pdbpdbtil.pdb source: InstallUtil.exe, 00000002.00000002.2673359642.00000000007F3000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: @zo.pdb source: InstallUtil.exe, 00000002.00000002.2672902175.00000000004F7000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: C:\Windows\System.pdbpdbtem.pdb source: InstallUtil.exe, 00000002.00000002.2673359642.000000000086D000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\dll\System.pdb source: InstallUtil.exe, 00000002.00000002.2673359642.0000000000808000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: Osymbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2672902175.00000000004F7000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: InstallUtil.exe, 00000002.00000002.2673359642.0000000000828000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2673359642.000000000086D000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Bill of Lading.exe, 00000000.00000002.1446605944.0000000003731000.00000004.00000800.00020000.00000000.sdmp, Bill of Lading.exe, 00000000.00000002.1448721171.0000000005250000.00000004.08000000.00040000.00000000.sdmp, Bill of Lading.exe, 00000000.00000002.1438152349.0000000002D2C000.00000004.00000800.00020000.00000000.sdmp, Bill of Lading.exe, 00000000.00000002.1446605944.00000000037AD000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2673359642.0000000000808000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Bill of Lading.exe, 00000000.00000002.1446605944.0000000003731000.00000004.00000800.00020000.00000000.sdmp, Bill of Lading.exe, 00000000.00000002.1448721171.0000000005250000.00000004.08000000.00040000.00000000.sdmp, Bill of Lading.exe, 00000000.00000002.1438152349.0000000002D2C000.00000004.00000800.00020000.00000000.sdmp, Bill of Lading.exe, 00000000.00000002.1446605944.00000000037AD000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000002.00000002.2673359642.0000000000828000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: InstallUtil.pdbllUtil.pdbpdbtil.pdb.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2672902175.00000000004F7000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: protobuf-net.pdbSHA256}Lq source: Bill of Lading.exe, 00000000.00000002.1448275354.0000000005150000.00000004.08000000.00040000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2673359642.000000000086D000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.PDB source: InstallUtil.exe, 00000002.00000002.2673359642.000000000086D000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: protobuf-net.pdb source: Bill of Lading.exe, 00000000.00000002.1448275354.0000000005150000.00000004.08000000.00040000.00000000.sdmp |
Source: | Binary string: ?zoC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2672902175.00000000004F7000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2673359642.0000000000828000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\System.pdbP% source: InstallUtil.exe, 00000002.00000002.2673359642.000000000086D000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: HPno8C:\Windows\InstallUtil.pdbWH source: InstallUtil.exe, 00000002.00000002.2672902175.00000000004F7000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2673359642.0000000000808000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: System.pdb source: InstallUtil.exe, 00000002.00000002.2673359642.0000000000828000.00000004.00000020.00020000.00000000.sdmp |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 4x nop then jmp 051B252Dh | 0_2_051B2440 |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h | 0_2_051B1468 |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h | 0_2_051B1460 |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 4x nop then jmp 051B252Dh | 0_2_051B24F3 |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 4x nop then jmp 051B252Dh | 0_2_051B26AB |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 4x nop then jmp 051F5D61h | 0_2_051F5D00 |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 4x nop then jmp 051F5D61h | 0_2_051F5CF0 |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 4x nop then jmp 051FD400h | 0_2_051FD348 |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 4x nop then jmp 051FD400h | 0_2_051FD340 |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 4x nop then jmp 051F5D61h | 0_2_051F5ECF |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h | 0_2_052DDA10 |
Source: Bill of Lading.exe, 00000000.00000002.1438152349.0000000002731000.00000004.00000800.00020000.00000000.sdmp, Bill of Lading.exe, 00000000.00000002.1438152349.0000000002D2C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: Bill of Lading.exe, 00000000.00000002.1448275354.0000000005150000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-net |
Source: Bill of Lading.exe, 00000000.00000002.1446605944.0000000003911000.00000004.00000800.00020000.00000000.sdmp, Bill of Lading.exe, 00000000.00000002.1448275354.0000000005150000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-netJ |
Source: Bill of Lading.exe, 00000000.00000002.1448275354.0000000005150000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-neti |
Source: Bill of Lading.exe, 00000000.00000002.1448275354.0000000005150000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/11564914/23354; |
Source: Bill of Lading.exe, 00000000.00000002.1438152349.0000000002731000.00000004.00000800.00020000.00000000.sdmp, Bill of Lading.exe, 00000000.00000002.1448275354.0000000005150000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/14436606/23354 |
Source: Bill of Lading.exe, 00000000.00000002.1448275354.0000000005150000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/2152978/23354 |
Source: 0.2.Bill of Lading.exe.2dbc814.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 2.2.InstallUtil.exe.150000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 0.2.Bill of Lading.exe.2dbc814.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 00000002.00000002.2672720208.0000000000152000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 00000000.00000002.1438152349.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 0_2_00BD9D68 | 0_2_00BD9D68 |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 0_2_00BD62F8 | 0_2_00BD62F8 |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 0_2_00BD6308 | 0_2_00BD6308 |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 0_2_00BD58B8 | 0_2_00BD58B8 |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 0_2_00BD58A9 | 0_2_00BD58A9 |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 0_2_050D18E2 | 0_2_050D18E2 |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 0_2_050D1C17 | 0_2_050D1C17 |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 0_2_050D2AF8 | 0_2_050D2AF8 |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 0_2_050E7AF8 | 0_2_050E7AF8 |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 0_2_050E0006 | 0_2_050E0006 |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 0_2_050E0040 | 0_2_050E0040 |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 0_2_050E806F | 0_2_050E806F |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 0_2_050E6678 | 0_2_050E6678 |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 0_2_050E6688 | 0_2_050E6688 |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 0_2_050E129F | 0_2_050E129F |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 0_2_050E12B0 | 0_2_050E12B0 |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 0_2_050E7AEA | 0_2_050E7AEA |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 0_2_051B2440 | 0_2_051B2440 |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 0_2_051BA558 | 0_2_051BA558 |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 0_2_051BA549 | 0_2_051BA549 |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 0_2_051B24F3 | 0_2_051B24F3 |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 0_2_051B26AB | 0_2_051B26AB |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 0_2_051F79B0 | 0_2_051F79B0 |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 0_2_051FBA28 | 0_2_051FBA28 |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 0_2_051F7D97 | 0_2_051F7D97 |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 0_2_051F79A0 | 0_2_051F79A0 |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 0_2_051FB9D0 | 0_2_051FB9D0 |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 0_2_051FCF88 | 0_2_051FCF88 |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 0_2_051F8FD9 | 0_2_051F8FD9 |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 0_2_051F23F8 | 0_2_051F23F8 |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 0_2_051F8FE8 | 0_2_051F8FE8 |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 0_2_051FBA18 | 0_2_051FBA18 |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 0_2_052B0006 | 0_2_052B0006 |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 0_2_052B0040 | 0_2_052B0040 |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 0_2_052D0006 | 0_2_052D0006 |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 0_2_052D0040 | 0_2_052D0040 |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 0_2_052DF648 | 0_2_052DF648 |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 0_2_05550040 | 0_2_05550040 |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 0_2_05550006 | 0_2_05550006 |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Code function: 0_2_0556D220 | 0_2_0556D220 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 2_2_009D0EE0 | 2_2_009D0EE0 |
Source: Bill of Lading.exe, 00000000.00000002.1446605944.0000000003911000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Bill of Lading.exe |
Source: Bill of Lading.exe, 00000000.00000002.1446605944.0000000003731000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Bill of Lading.exe |
Source: Bill of Lading.exe, 00000000.00000002.1448721171.0000000005250000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Bill of Lading.exe |
Source: Bill of Lading.exe, 00000000.00000002.1438152349.0000000002731000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs Bill of Lading.exe |
Source: Bill of Lading.exe, 00000000.00000002.1449018047.00000000055D2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename70filecrypt.exe8 vs Bill of Lading.exe |
Source: Bill of Lading.exe, 00000000.00000002.1438152349.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamefiletocrypt.exe4 vs Bill of Lading.exe |
Source: Bill of Lading.exe, 00000000.00000002.1437324458.00000000006AE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Bill of Lading.exe |
Source: Bill of Lading.exe, 00000000.00000002.1447539886.0000000004BF0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameQijjyabe.dll" vs Bill of Lading.exe |
Source: Bill of Lading.exe, 00000000.00000002.1438152349.0000000002D2C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Bill of Lading.exe |
Source: Bill of Lading.exe, 00000000.00000000.1427214065.0000000000208000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename70filecrypt.exe8 vs Bill of Lading.exe |
Source: Bill of Lading.exe, 00000000.00000002.1446605944.00000000037AD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Bill of Lading.exe |
Source: Bill of Lading.exe, 00000000.00000002.1446605944.00000000037AD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename70filecrypt.exe8 vs Bill of Lading.exe |
Source: Bill of Lading.exe, 00000000.00000002.1448275354.0000000005150000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Bill of Lading.exe |
Source: Bill of Lading.exe | Binary or memory string: OriginalFilename70filecrypt.exe8 vs Bill of Lading.exe |
Source: 0.2.Bill of Lading.exe.2dbc814.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 2.2.InstallUtil.exe.150000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 0.2.Bill of Lading.exe.2dbc814.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 00000002.00000002.2672720208.0000000000152000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 00000000.00000002.1438152349.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, ITaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask' |
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, TaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder' |
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, Task.cs | Task registration methods: 'RegisterChanges', 'CreateTask' |
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, TaskService.cs | Task registration methods: 'CreateFromToken' |
Source: 0.2.Bill of Lading.exe.37ad5b0.5.raw.unpack, ITaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask' |
Source: 0.2.Bill of Lading.exe.37ad5b0.5.raw.unpack, TaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder' |
Source: 0.2.Bill of Lading.exe.375d590.4.raw.unpack, Task.cs | Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections) |
Source: 0.2.Bill of Lading.exe.375d590.4.raw.unpack, User.cs | Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type) |
Source: 0.2.Bill of Lading.exe.37ad5b0.5.raw.unpack, User.cs | Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type) |
Source: 0.2.Bill of Lading.exe.37ad5b0.5.raw.unpack, TaskPrincipal.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent() |
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, TaskPrincipal.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent() |
Source: 0.2.Bill of Lading.exe.37ad5b0.5.raw.unpack, TaskFolder.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections) |
Source: 0.2.Bill of Lading.exe.37ad5b0.5.raw.unpack, Task.cs | Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections) |
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, Task.cs | Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections) |
Source: 0.2.Bill of Lading.exe.375d590.4.raw.unpack, TaskFolder.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections) |
Source: 0.2.Bill of Lading.exe.375d590.4.raw.unpack, TaskPrincipal.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent() |
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, TaskSecurity.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges() |
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, TaskSecurity.cs | Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule) |
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, User.cs | Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type) |
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, TaskFolder.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections) |
Source: 0.2.Bill of Lading.exe.375d590.4.raw.unpack, TaskSecurity.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges() |
Source: 0.2.Bill of Lading.exe.375d590.4.raw.unpack, TaskSecurity.cs | Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule) |
Source: 0.2.Bill of Lading.exe.37ad5b0.5.raw.unpack, TaskSecurity.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges() |
Source: 0.2.Bill of Lading.exe.37ad5b0.5.raw.unpack, TaskSecurity.cs | Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule) |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Section loaded: mscoree.dll |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Section loaded: version.dll |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Section loaded: vcruntime140_clr0400.dll |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Section loaded: ucrtbase_clr0400.dll |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Section loaded: cryptsp.dll |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Section loaded: rsaenh.dll |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Section loaded: cryptbase.dll |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Section loaded: amsi.dll |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Section loaded: userenv.dll |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Section loaded: msasn1.dll |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Section loaded: gpapi.dll |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Section loaded: ntmarta.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mscoree.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: kernel.appcore.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: version.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: vcruntime140_clr0400.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ucrtbase_clr0400.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: uxtheme.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wtsapi32.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: winsta.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptsp.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rsaenh.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptbase.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: sspicli.dll |
Source: Bill of Lading.exe, Pobwultsfy.cs | .Net Code: Atghiyyrxmt System.AppDomain.Load(byte[]) |
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod |
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod |
Source: 0.2.Bill of Lading.exe.5250000.9.raw.unpack, XmlSerializationHelper.cs | .Net Code: ReadObjectProperties |
Source: 0.2.Bill of Lading.exe.37ad5b0.5.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod |
Source: 0.2.Bill of Lading.exe.37ad5b0.5.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod |
Source: 0.2.Bill of Lading.exe.37ad5b0.5.raw.unpack, XmlSerializationHelper.cs | .Net Code: ReadObjectProperties |
Source: 0.2.Bill of Lading.exe.375d590.4.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod |
Source: 0.2.Bill of Lading.exe.375d590.4.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod |
Source: 0.2.Bill of Lading.exe.375d590.4.raw.unpack, XmlSerializationHelper.cs | .Net Code: ReadObjectProperties |
Source: 0.2.Bill of Lading.exe.4bf0000.6.raw.unpack, JUTfQANoJH8bQj3LXjk.cs | High entropy of concatenated method names: 'Ls5NPVJpxq', 'tAx4HJDc91PxEjiFKyw', 'J7NqPAD0gUZWL2dejci', 'ofollVDj9AYnZIOTl6y', 'fhAaFCDXuQfTche8IAx', 'A3D0nEDuIBIdvNTZWu4', 'AyoaSADhyZm8WdtqTuV' |
Source: 0.2.Bill of Lading.exe.4bf0000.6.raw.unpack, P5YM9AGvh3to0BuV5X9.cs | High entropy of concatenated method names: 'RtlInitUnicodeString', 'LdrLoadDll', 'RtlZeroMemory', 'NtQueryInformationProcess', 'OP2G1GjBoN', 'NtProtectVirtualMemory', 'NNjdnuSPQWnbU8taRc7', 'E8r9e6SZhLbYv6WW1qA', 'VsQjBsSoVleDmwpI4is', 'hXlawlSBdu4LXtYKVoD' |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Memory allocated: B90000 memory reserve | memory write watch |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Memory allocated: 2730000 memory reserve | memory write watch |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Memory allocated: 2530000 memory reserve | memory write watch |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: 9D0000 memory reserve | memory write watch |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: 23C0000 memory reserve | memory write watch |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: 43C0000 memory reserve | memory write watch |
Source: Yara match | File source: 0.2.Bill of Lading.exe.2dbc814.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.2.InstallUtil.exe.150000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.Bill of Lading.exe.2dbc814.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000002.00000002.2672720208.0000000000152000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.1438152349.0000000002DA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: Bill of Lading.exe PID: 2080, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 1036, type: MEMORYSTR |
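The rows above are raw sandbox signature output: one row per observed event, in the layout `Source: <process or dump> | <signature>: <detail> |`, with the error-mode rows repeated once per call and an interactive "Jump to behavior" link appended to every behaviour row. The script below is an added example for triaging output in that layout; it is not part of the report and not vendor tooling. It parses rows into (source, key, value) records, drops the link residue, tallies exact repeats so the SetErrorMode noise collapses to a count, extracts the base address from "Memory allocated" rows, and maps the printed error-mode names to the numeric SetErrorMode flag values defined by the Win32 API. The row layout and field names are assumed from the lines on this page; the sample rows are copied from them.

```python
import re
from collections import Counter, defaultdict

# SetErrorMode() flag values from the Win32 API, keyed by the short names the
# sandbox prints (the SEM_ prefix is dropped in the report rows).
SEM_FLAGS = {
    "FAILCRITICALERRORS": 0x0001,
    "NOGPFAULTERRORBOX": 0x0002,
    "NOALIGNMENTFAULTEXCEPT": 0x0004,
    "NOOPENFILEERRORBOX": 0x8000,
}

# Row layout assumed from this page: "Source: <src> | <key>: <value> | ... |"
ROW_RE = re.compile(r"^Source:\s*(?P<source>.*?)\s*\|\s*(?P<rest>.*)$")
ALLOC_RE = re.compile(r"^(?P<base>[0-9A-Fa-f]+)\s+memory reserve")

# Constructed sample: rows copied from the signature listing above, including
# one exact repeat and the trailing "Jump to behavior" link residue.
SAMPLE_ROWS = r"""
Source: C:\Users\user\Desktop\Bill of Lading.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\Bill of Lading.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: 9D0000 memory reserve | memory write watch | Jump to behavior |
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 1036, type: MEMORYSTR |
"""


def parse_row(line):
    """Split one report row into source, key and value; None if not a row."""
    line = line.strip().rstrip("|").strip()
    m = ROW_RE.match(line)
    if not m:
        return None
    fields = [f.strip() for f in m.group("rest").split(" | ")]
    # Drop the interactive-page link appended to behaviour rows.
    fields = [f for f in fields if f and f != "Jump to behavior"]
    if not fields:
        return None
    key, sep, first = fields[0].partition(": ")
    if not sep:
        return None
    # Values such as "FAILCRITICALERRORS | NOGPFAULTERRORBOX" contain the
    # column separator themselves, so rejoin the remaining fields.
    value = " | ".join([first] + fields[1:])
    return {"source": m.group("source"), "key": key, "value": value}


def error_mode_value(value):
    """Combine the printed flag names into the numeric SetErrorMode argument."""
    mode = 0
    for name in value.split(" | "):
        name = name.strip()
        if name not in SEM_FLAGS:
            raise ValueError(f"unknown error-mode flag: {name}")
        mode |= SEM_FLAGS[name]
    return mode


def alloc_base(value):
    """Base address (int) from a 'Memory allocated' value, or None."""
    m = ALLOC_RE.match(value)
    return int(m.group("base"), 16) if m else None


def summarize(text):
    """Parse all rows; return records, repeat counts and per-process details."""
    records = [r for r in (parse_row(l) for l in text.splitlines()) if r]
    repeats = Counter((r["source"], r["key"], r["value"]) for r in records)
    per_process = defaultdict(lambda: defaultdict(set))
    for r in records:
        if r["source"] != "Yara match":
            per_process[r["source"]][r["key"]].add(r["value"])
    return records, repeats, per_process


if __name__ == "__main__":
    records, repeats, per_process = summarize(SAMPLE_ROWS)
    for (src, key, val), n in repeats.items():
        print(f"{n:>3}x  {src} | {key}: {val}")
    for src, keys in per_process.items():
        for val in keys.get("Process information set", ()):
            print(f"{src}: SetErrorMode(0x{error_mode_value(val):04X})")
        for val in keys.get("Memory allocated", ()):
            print(f"{src}: reserve at 0x{alloc_base(val):X}")
```

Feed it the full behaviour section of a report and the repeat counter shows at a glance how many times each process called SetErrorMode, while the per-process table keeps the distinct flag combinations and reserve addresses that matter for correlating the memory dumps named in the Yara rows.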