Source: Invoices AMM Consol 020-04860612.exe |
ReversingLabs: Detection: 28% |
Source: Submited Sample |
Integrated Neural Analysis Model: Matched 100.0% probability |
Source: Invoices AMM Consol 020-04860612.exe |
Joe Sandbox ML: detected |
Source: Invoices AMM Consol 020-04860612.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: unknown |
TCP traffic detected without corresponding DNS query: 204.79.197.203 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 204.79.197.203 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 104.98.116.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 104.98.116.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 104.98.116.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 204.79.197.203 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 20.50.201.200 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 204.79.197.203 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 20.50.201.200 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 20.50.201.200 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 20.50.201.200 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 104.98.116.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 104.98.116.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 104.98.116.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 20.50.201.200 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 204.79.197.203 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 20.50.201.200 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 104.98.116.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 104.98.116.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 104.98.116.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 104.98.116.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 104.98.116.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 104.98.116.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 104.98.116.138 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 20.50.201.200 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: global traffic |
DNS traffic detected: DNS query: time.windows.com |
Source: unknown |
Network traffic detected: HTTP traffic on port 49674 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49675 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49699 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49699 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49672 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49706 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49677 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49671 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49706 |
Source: initial sample |
Static PE information: Filename: Invoices AMM Consol 020-04860612.exe |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Code function: 0_2_00007FFAACCC0D40 |
0_2_00007FFAACCC0D40 |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Code function: 0_2_00007FFAACCC4165 |
0_2_00007FFAACCC4165 |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Code function: 0_2_00007FFAACCC0E10 |
0_2_00007FFAACCC0E10 |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Code function: 0_2_00007FFAACCC1092 |
0_2_00007FFAACCC1092 |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Code function: 0_2_00007FFAACCCF817 |
0_2_00007FFAACCCF817 |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Code function: 0_2_00007FFAACCC155D |
0_2_00007FFAACCC155D |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Code function: 0_2_00007FFAACCC15C0 |
0_2_00007FFAACCC15C0 |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Code function: 0_2_00007FFAACCD1768 |
0_2_00007FFAACCD1768 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe |
Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6900 -s 12 |
Source: Invoices AMM Consol 020-04860612.exe, 00000000.00000002.1283822264.000000001CD80000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenameAxiom.dll@ vs Invoices AMM Consol 020-04860612.exe |
Source: Invoices AMM Consol 020-04860612.exe, 00000000.00000002.1284671059.000000001F7F0000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenameTyrone.dll8 vs Invoices AMM Consol 020-04860612.exe |
Source: Invoices AMM Consol 020-04860612.exe, 00000000.00000002.1284033123.000000001CEE0000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenameReactionDiffusion.dll0 vs Invoices AMM Consol 020-04860612.exe |
Source: Invoices AMM Consol 020-04860612.exe, 00000000.00000002.1277354858.0000000004151000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameReactionDiffusion.dll0 vs Invoices AMM Consol 020-04860612.exe |
Source: Invoices AMM Consol 020-04860612.exe, 00000000.00000002.1280518394.0000000014161000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameAxiom.dll@ vs Invoices AMM Consol 020-04860612.exe |
Source: Invoices AMM Consol 020-04860612.exe |
Binary or memory string: OriginalFilenameOsLR.exe> vs Invoices AMM Consol 020-04860612.exe |
Source: Invoices AMM Consol 020-04860612.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: classification engine |
Classification label: mal72.evad.winEXE@4/1@1/0 |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Invoices AMM Consol 020-04860612.exe.log |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Mutant created: NULL |
Source: C:\Windows\System32\WerFault.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6900 |
Source: C:\Windows\System32\WerFault.exe |
File created: C:\ProgramData\Microsoft\Windows\WER\Temp\3fa91a2c-e4bc-420a-ba53-5c6dab05a691 |
Jump to behavior |
Source: Invoices AMM Consol 020-04860612.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: Invoices AMM Consol 020-04860612.exe |
Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 47.53% |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
Source: Invoices AMM Consol 020-04860612.exe |
ReversingLabs: Detection: 28% |
Source: unknown |
Process created: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe "C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe" |
|
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe |
|
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe |
Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6900 -s 12 |
|
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Section loaded: mscoree.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Section loaded: version.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Section loaded: vcruntime140_clr0400.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Section loaded: ucrtbase_clr0400.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Section loaded: ucrtbase_clr0400.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Section loaded: uxtheme.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Section loaded: windows.storage.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Section loaded: wldp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Section loaded: profapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Section loaded: rsaenh.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Section loaded: dwrite.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Section loaded: amsi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Section loaded: userenv.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Section loaded: windowscodecs.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll |
Jump to behavior |
Source: Invoices AMM Consol 020-04860612.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR |
Source: Invoices AMM Consol 020-04860612.exe |
Static file information: File size 1056256 > 1048576 |
Source: Invoices AMM Consol 020-04860612.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: Invoices AMM Consol 020-04860612.exe, --.cs |
.Net Code: _0002 System.Reflection.Assembly.Load(byte[]) |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Code function: 0_2_00007FFAACCD24C7 push ecx; ret |
0_2_00007FFAACCD250C |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Code function: 0_2_00007FFAACCCF218 push E9605589h; ret |
0_2_00007FFAACCCF21E |
Source: Invoices AMM Consol 020-04860612.exe |
Static PE information: section name: .text entropy: 7.9818509186390365 |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Memory allocated: 1630000 memory reserve | memory write watch |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Memory allocated: 1C150000 memory reserve | memory write watch |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Thread delayed: delay time: 922337203685477 |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe TID: 6416 |
Thread sleep time: -922337203685477s >= -30000s |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Thread delayed: delay time: 922337203685477 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe |
Process queried: DebugPort |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe |
Process queried: DebugPort |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Memory allocated: page read and write | page guard |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Thread register set: target process: 6900 |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe base: BC77CAE010 |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Queries volume information: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe VolumeInformation |
Jump to behavior |
Source: C:\Users\user\Desktop\Invoices AMM Consol 020-04860612.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Jump to behavior |