Windows Analysis Report
Invoices AMM Consol 020-04860612.exe

Overview

General Information

Sample name: Invoices AMM Consol 020-04860612.exe
Analysis ID: 1467072
MD5: d6ab3fc2af456e87088f640d4cabb8c5
SHA1: 4543d0556b4eaa857bd77b61c7ff062531645980
SHA256: cd1d53de473b9d6a924d7942acc9f8e09fcd6bc452ed1fa4935f3ca692d9cc44
Tags: exe

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
.NET source code contains potential unpacker
AI detected suspicious sample
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

AV Detection

Source: Invoices AMM Consol 020-04860612.exe ReversingLabs: Detection: 28%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: Invoices AMM Consol 020-04860612.exe Joe Sandbox ML: detected
Source: Invoices AMM Consol 020-04860612.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: time.windows.com
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706

System Summary

Source: initial sample Static PE information: Filename: Invoices AMM Consol 020-04860612.exe
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe Code function: 0_2_00007FFAACCC0D40 0_2_00007FFAACCC0D40
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe Code function: 0_2_00007FFAACCC4165 0_2_00007FFAACCC4165
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe Code function: 0_2_00007FFAACCC0E10 0_2_00007FFAACCC0E10
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe Code function: 0_2_00007FFAACCC1092 0_2_00007FFAACCC1092
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe Code function: 0_2_00007FFAACCCF817 0_2_00007FFAACCCF817
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe Code function: 0_2_00007FFAACCC155D 0_2_00007FFAACCC155D
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe Code function: 0_2_00007FFAACCC15C0 0_2_00007FFAACCC15C0
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe Code function: 0_2_00007FFAACCD1768 0_2_00007FFAACCD1768
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6900 -s 12
Source: Invoices AMM Consol 020-04860612.exe, 00000000.00000002.1283822264.000000001CD80000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameAxiom.dll@ vs Invoices AMM Consol 020-04860612.exe
Source: Invoices AMM Consol 020-04860612.exe, 00000000.00000002.1284671059.000000001F7F0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Invoices AMM Consol 020-04860612.exe
Source: Invoices AMM Consol 020-04860612.exe, 00000000.00000002.1284033123.000000001CEE0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameReactionDiffusion.dll0 vs Invoices AMM Consol 020-04860612.exe
Source: Invoices AMM Consol 020-04860612.exe, 00000000.00000002.1277354858.0000000004151000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameReactionDiffusion.dll0 vs Invoices AMM Consol 020-04860612.exe
Source: Invoices AMM Consol 020-04860612.exe, 00000000.00000002.1280518394.0000000014161000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAxiom.dll@ vs Invoices AMM Consol 020-04860612.exe
Source: Invoices AMM Consol 020-04860612.exe Binary or memory string: OriginalFilenameOsLR.exe> vs Invoices AMM Consol 020-04860612.exe
Source: Invoices AMM Consol 020-04860612.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal72.evad.winEXE@4/1@1/0
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Invoices AMM Consol 020-04860612.exe.log
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6900
Source: C:\Windows\System32\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\3fa91a2c-e4bc-420a-ba53-5c6dab05a691
Source: Invoices AMM Consol 020-04860612.exe Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 47.53%
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe "C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe"
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Invoices AMM Consol 020-04860612.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Invoices AMM Consol 020-04860612.exe Static file information: File size 1056256 > 1048576

Data Obfuscation

Source: Invoices AMM Consol 020-04860612.exe, --.cs .Net Code: _0002 System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe Code function: 0_2_00007FFAACCD24C7 push ecx; ret 0_2_00007FFAACCD250C
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe Code function: 0_2_00007FFAACCCF218 push E9605589h; ret 0_2_00007FFAACCCF21E
Source: Invoices AMM Consol 020-04860612.exe Static PE information: section name: .text entropy: 7.9818509186390365
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe Memory allocated: 1630000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe Memory allocated: 1C150000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe TID: 6416 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe Thread register set: target process: 6900
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe base: BC77CAE010
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe Queries volume information: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe VolumeInformation
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
No contacted IP infos