Play interactive tour

Edit tour

Windows Analysis Report KYC INQUIRY 14-01.exe

Overview

General Information

Sample Name:	KYC INQUIRY 14-01.exe
Analysis ID:	553301
MD5:	16d01fd64df59776d3454734512ded3c
SHA1:	dcfe9d148b76768ae3dea9875255c0873d58d1b0
SHA256:	77743ead6e13c024db3534a837c669ee3c4fbaac2320bbf937fbe5e58de4a3b3
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

Tries to steal Mail credentials (via file / registry access)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains very large array initializations

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Antivirus or Machine Learning detection for unpacked file

Drops certificate files (DER)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Yara detected Credential Stealer

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Detected TCP or UDP traffic on non-standard ports

Uses SMTP (mail sending)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

KYC INQUIRY 14-01.exe (PID: 6504 cmdline: "C:\Users\user\Desktop\KYC INQUIRY 14-01.exe" MD5: 16D01FD64DF59776D3454734512DED3C)

KYC INQUIRY 14-01.exe (PID: 5984 cmdline: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe MD5: 16D01FD64DF59776D3454734512DED3C)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "syed@amtartec.com", "Password": "Ra@454504", "Host": "mail.amtartec.com"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.688722039.000000000264A000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000004.00000002.928613280.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.928613280.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000004.00000000.685488835.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000000.685488835.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.688470946.0000000002601000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000004.00000000.684540552.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000000.684540552.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000004.00000000.685016391.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000000.685016391.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000004.00000000.685872653.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000000.685872653.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000004.00000002.930221885.00000000029C1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.930221885.00000000029C1000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.689364084.0000000003609000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.689364084.0000000003609000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
Process Memory Space: KYC INQUIRY 14-01.exe PID: 6504	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: KYC INQUIRY 14-01.exe PID: 6504	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: KYC INQUIRY 14-01.exe PID: 5984	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: KYC INQUIRY 14-01.exe PID: 5984	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author
4.0.KYC INQUIRY 14-01.exe.400000.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.0.KYC INQUIRY 14-01.exe.400000.4.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.KYC INQUIRY 14-01.exe.369a178.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.KYC INQUIRY 14-01.exe.369a178.6.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.0.KYC INQUIRY 14-01.exe.400000.10.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.0.KYC INQUIRY 14-01.exe.400000.10.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.0.KYC INQUIRY 14-01.exe.400000.12.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.0.KYC INQUIRY 14-01.exe.400000.12.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.KYC INQUIRY 14-01.exe.3663f58.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.KYC INQUIRY 14-01.exe.3663f58.4.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.0.KYC INQUIRY 14-01.exe.400000.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.0.KYC INQUIRY 14-01.exe.400000.6.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.KYC INQUIRY 14-01.exe.2637820.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
4.2.KYC INQUIRY 14-01.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.KYC INQUIRY 14-01.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.0.KYC INQUIRY 14-01.exe.400000.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.0.KYC INQUIRY 14-01.exe.400000.8.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.KYC INQUIRY 14-01.exe.26766b4.3.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.KYC INQUIRY 14-01.exe.262f814.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.KYC INQUIRY 14-01.exe.3663f58.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.KYC INQUIRY 14-01.exe.3663f58.4.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.KYC INQUIRY 14-01.exe.369a178.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.KYC INQUIRY 14-01.exe.369a178.6.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
Click to see the 18 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0.2.KYC INQUIRY 14-01.exe.369a178.6.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "syed@amtartec.com", "Password": "Ra@454504", "Host": "mail.amtartec.com"}

Multi AV Scanner detection for submitted file

Show sources

Source: KYC INQUIRY 14-01.exe

Virustotal: Detection: 31%

Perma Link

Machine Learning detection for sample

Show sources

Source: KYC INQUIRY 14-01.exe

Joe Sandbox ML: detected

Source: 4.0.KYC INQUIRY 14-01.exe.400000.4.unpack	Avira: Label: TR/Spy.Gen8
Source: 4.2.KYC INQUIRY 14-01.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 4.0.KYC INQUIRY 14-01.exe.400000.10.unpack	Avira: Label: TR/Spy.Gen8
Source: 4.0.KYC INQUIRY 14-01.exe.400000.6.unpack	Avira: Label: TR/Spy.Gen8
Source: 4.0.KYC INQUIRY 14-01.exe.400000.12.unpack	Avira: Label: TR/Spy.Gen8
Source: 4.0.KYC INQUIRY 14-01.exe.400000.8.unpack	Avira: Label: TR/Spy.Gen8

Source: KYC INQUIRY 14-01.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: KYC INQUIRY 14-01.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: EventIgnoreAttribu.pdb source: KYC INQUIRY 14-01.exe

Source: Joe Sandbox View

ASN Name: UK2NET-ASGB UK2NET-ASGB

Source: global traffic

TCP traffic: 192.168.2.4:49845 -> 185.9.51.36:587

Source: global traffic

TCP traffic: 192.168.2.4:49845 -> 185.9.51.36:587

Source: KYC INQUIRY 14-01.exe, 00000004.00000002.930221885.00000000029C1000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: KYC INQUIRY 14-01.exe, 00000004.00000002.930221885.00000000029C1000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: KYC INQUIRY 14-01.exe, 00000004.00000002.930634828.0000000002D2B000.00000004.00000001.sdmp	String found in binary or memory: http://amtartec.com
Source: KYC INQUIRY 14-01.exe, 00000004.00000002.930702649.0000000002D4F000.00000004.00000001.sdmp	String found in binary or memory: http://bWuGMpUiLLMQeS0B9HKc.net
Source: KYC INQUIRY 14-01.exe, 00000004.00000002.930656310.0000000002D37000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000004.00000002.930634828.0000000002D2B000.00000004.00000001.sdmp	String found in binary or memory: http://cps.letsencrypt.org0
Source: 77EC63BDA74BD0D0E0426DC8F80085060.4.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: KYC INQUIRY 14-01.exe, 00000004.00000002.932595997.0000000005E36000.00000004.00000010.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?b4599107e9ad4
Source: KYC INQUIRY 14-01.exe, 00000004.00000002.930221885.00000000029C1000.00000004.00000001.sdmp	String found in binary or memory: http://ecvgsx.com
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: KYC INQUIRY 14-01.exe, 00000004.00000002.930634828.0000000002D2B000.00000004.00000001.sdmp	String found in binary or memory: http://mail.amtartec.com
Source: KYC INQUIRY 14-01.exe, 00000004.00000002.930656310.0000000002D37000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000004.00000002.930634828.0000000002D2B000.00000004.00000001.sdmp	String found in binary or memory: http://r3.i.lencr.org/0
Source: KYC INQUIRY 14-01.exe, 00000004.00000002.930656310.0000000002D37000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000004.00000002.930634828.0000000002D2B000.00000004.00000001.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: KYC INQUIRY 14-01.exe, 00000000.00000003.667848338.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667872959.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.668680200.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.668803095.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669633894.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669148799.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669074106.0000000005695000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.671164950.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669885794.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669377652.000000000569B000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.670254704.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667989126.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669281617.000000000569B000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669520183.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669723395.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669440181.000000000569B000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.671861127.000000000569B000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.671765144.000000000569B000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667940784.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.670988903.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669259523.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669919147.000000000569B000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.668886513.0000000005694000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: KYC INQUIRY 14-01.exe, 00000000.00000003.667989126.0000000005696000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: KYC INQUIRY 14-01.exe, 00000000.00000003.669401508.000000000569B000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.668680200.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.668803095.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669633894.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669148799.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669074106.0000000005695000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669377652.000000000569B000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667989126.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669281617.000000000569B000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669520183.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669723395.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669440181.000000000569B000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669259523.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.668886513.0000000005694000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.como.
Source: KYC INQUIRY 14-01.exe, 00000000.00000003.668680200.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.668803095.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667989126.0000000005696000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comue
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000002.688371314.0000000000D57000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: KYC INQUIRY 14-01.exe, 00000000.00000003.671622125.00000000056CD000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: KYC INQUIRY 14-01.exe, 00000000.00000003.672827687.00000000056CD000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmll
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.688371314.0000000000D57000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.comgreta
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.688371314.0000000000D57000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.comuewaX
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: KYC INQUIRY 14-01.exe, 00000000.00000003.667848338.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667872959.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667709031.0000000005694000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667682755.0000000005694000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667769667.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667813528.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: KYC INQUIRY 14-01.exe, 00000000.00000003.667848338.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667872959.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667709031.0000000005694000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667682755.0000000005694000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667769667.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667813528.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667989126.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667940784.0000000005696000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cni
Source: KYC INQUIRY 14-01.exe, 00000000.00000003.674939945.00000000056C7000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: KYC INQUIRY 14-01.exe, 00000000.00000003.674939945.00000000056C7000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/)
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667940784.0000000005696000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: KYC INQUIRY 14-01.exe, 00000000.00000003.667989126.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667940784.0000000005696000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cno.
Source: KYC INQUIRY 14-01.exe, 00000000.00000003.667989126.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667940784.0000000005696000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cnt-p
Source: KYC INQUIRY 14-01.exe, 00000000.00000003.667989126.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667940784.0000000005696000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cnue
Source: KYC INQUIRY 14-01.exe, 00000004.00000002.930634828.0000000002D2B000.00000004.00000001.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: 2D85F72862B55C4EADD9E66E06947F3D.4.dr	String found in binary or memory: http://x1.i.lencr.org/
Source: KYC INQUIRY 14-01.exe, 00000004.00000002.930634828.0000000002D2B000.00000004.00000001.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: KYC INQUIRY 14-01.exe, 00000004.00000002.932567505.0000000005E01000.00000004.00000010.sdmp	String found in binary or memory: http://x1.i.lencr.org/j
Source: KYC INQUIRY 14-01.exe, 00000004.00000002.930221885.00000000029C1000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%$
Source: KYC INQUIRY 14-01.exe, 00000004.00000002.930221885.00000000029C1000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.689364084.0000000003609000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000004.00000002.928613280.0000000000402000.00000040.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000004.00000000.684540552.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: KYC INQUIRY 14-01.exe, 00000004.00000002.930221885.00000000029C1000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: unknown

DNS traffic detected: queries for: mail.amtartec.com

Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe

File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

Jump to dropped file

System Summary:

.NET source code contains very large array initializations

Show sources

Source: 4.0.KYC INQUIRY 14-01.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007b3F9652B0u002d6316u002d41B6u002d88C3u002d1801FE1BB841u007d/u00392255519u002d335Eu002d4240u002d92FDu002d43C6C020859F.cs	Large array initialization: .cctor: array initializer size 11968
Source: 4.2.KYC INQUIRY 14-01.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b3F9652B0u002d6316u002d41B6u002d88C3u002d1801FE1BB841u007d/u00392255519u002d335Eu002d4240u002d92FDu002d43C6C020859F.cs	Large array initialization: .cctor: array initializer size 11968
Source: 4.0.KYC INQUIRY 14-01.exe.400000.10.unpack, u003cPrivateImplementationDetailsu003eu007b3F9652B0u002d6316u002d41B6u002d88C3u002d1801FE1BB841u007d/u00392255519u002d335Eu002d4240u002d92FDu002d43C6C020859F.cs	Large array initialization: .cctor: array initializer size 11968
Source: 4.0.KYC INQUIRY 14-01.exe.400000.6.unpack, u003cPrivateImplementationDetailsu003eu007b3F9652B0u002d6316u002d41B6u002d88C3u002d1801FE1BB841u007d/u00392255519u002d335Eu002d4240u002d92FDu002d43C6C020859F.cs	Large array initialization: .cctor: array initializer size 11968
Source: 4.0.KYC INQUIRY 14-01.exe.400000.12.unpack, u003cPrivateImplementationDetailsu003eu007b3F9652B0u002d6316u002d41B6u002d88C3u002d1801FE1BB841u007d/u00392255519u002d335Eu002d4240u002d92FDu002d43C6C020859F.cs	Large array initialization: .cctor: array initializer size 11968

Source: KYC INQUIRY 14-01.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Code function: 0_2_00CBC9B4	0_2_00CBC9B4
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Code function: 0_2_00CBEDE8	0_2_00CBEDE8
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Code function: 0_2_00CBEDF8	0_2_00CBEDF8
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Code function: 4_2_00B620E8	4_2_00B620E8
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Code function: 4_2_00B64C78	4_2_00B64C78
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Code function: 4_2_00B69C58	4_2_00B69C58
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Code function: 4_2_00B681A0	4_2_00B681A0
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Code function: 4_2_00D72D50	4_2_00D72D50
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Code function: 4_2_00D7E2F0	4_2_00D7E2F0
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Code function: 4_2_00D71FE0	4_2_00D71FE0
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Code function: 4_2_00D7A770	4_2_00D7A770
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Code function: 4_2_00D72768	4_2_00D72768
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Code function: 4_2_00D7C308	4_2_00D7C308
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Code function: 4_2_00F28C98	4_2_00F28C98
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Code function: 4_2_00F25864	4_2_00F25864
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Code function: 4_2_00F20040	4_2_00F20040
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Code function: 4_2_00F2BE90	4_2_00F2BE90
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Code function: 4_2_00F2EE78	4_2_00F2EE78
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Code function: 4_2_00F20E58	4_2_00F20E58
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Code function: 4_2_00F28FE1	4_2_00F28FE1
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Code function: 4_2_00F20F08	4_2_00F20F08

Source: KYC INQUIRY 14-01.exe	Binary or memory string: OriginalFilename vs KYC INQUIRY 14-01.exe
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.691712863.00000000085E0000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameUI.dllF vs KYC INQUIRY 14-01.exe
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.688470946.0000000002601000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameIPVSkwuOyeoRxTWWyCCMZJnGlQffbxV.exe4 vs KYC INQUIRY 14-01.exe
Source: KYC INQUIRY 14-01.exe, 00000000.00000000.662068185.0000000000282000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameEventIgnoreAttribu.exe0 vs KYC INQUIRY 14-01.exe
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.689364084.0000000003609000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameIPVSkwuOyeoRxTWWyCCMZJnGlQffbxV.exe4 vs KYC INQUIRY 14-01.exe
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.689364084.0000000003609000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUI.dllF vs KYC INQUIRY 14-01.exe
Source: KYC INQUIRY 14-01.exe	Binary or memory string: OriginalFilename vs KYC INQUIRY 14-01.exe
Source: KYC INQUIRY 14-01.exe, 00000004.00000000.682199691.00000000006A2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameEventIgnoreAttribu.exe0 vs KYC INQUIRY 14-01.exe
Source: KYC INQUIRY 14-01.exe, 00000004.00000002.928613280.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameIPVSkwuOyeoRxTWWyCCMZJnGlQffbxV.exe4 vs KYC INQUIRY 14-01.exe
Source: KYC INQUIRY 14-01.exe, 00000004.00000002.928876181.0000000000AF8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs KYC INQUIRY 14-01.exe
Source: KYC INQUIRY 14-01.exe	Binary or memory string: OriginalFilenameEventIgnoreAttribu.exe0 vs KYC INQUIRY 14-01.exe

Source: KYC INQUIRY 14-01.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: KYC INQUIRY 14-01.exe

Virustotal: Detection: 31%

Source: KYC INQUIRY 14-01.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe "C:\Users\user\Desktop\KYC INQUIRY 14-01.exe"
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process created: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe C:\Users\user\Desktop\KYC INQUIRY 14-01.exe
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process created: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Jump to behavior

Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\KYC INQUIRY 14-01.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/5@3/1

Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: 4.0.KYC INQUIRY 14-01.exe.400000.4.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.0.KYC INQUIRY 14-01.exe.400000.4.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.KYC INQUIRY 14-01.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.KYC INQUIRY 14-01.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.0.KYC INQUIRY 14-01.exe.400000.10.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.0.KYC INQUIRY 14-01.exe.400000.10.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: KYC INQUIRY 14-01.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: KYC INQUIRY 14-01.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: KYC INQUIRY 14-01.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: EventIgnoreAttribu.pdb source: KYC INQUIRY 14-01.exe

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: KYC INQUIRY 14-01.exe, Cd/gJ.cs	.Net Code: TW System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.KYC INQUIRY 14-01.exe.280000.0.unpack, Cd/gJ.cs	.Net Code: TW System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.KYC INQUIRY 14-01.exe.280000.0.unpack, Cd/gJ.cs	.Net Code: TW System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.KYC INQUIRY 14-01.exe.6a0000.1.unpack, Cd/gJ.cs	.Net Code: TW System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.KYC INQUIRY 14-01.exe.6a0000.9.unpack, Cd/gJ.cs	.Net Code: TW System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.KYC INQUIRY 14-01.exe.6a0000.3.unpack, Cd/gJ.cs	.Net Code: TW System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

.NET source code contains method to dynamically call methods (often used by packers)

Show sources

Source: KYC INQUIRY 14-01.exe, Cd/gJ.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable694, null, null)
Source: 0.2.KYC INQUIRY 14-01.exe.280000.0.unpack, Cd/gJ.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable694, null, null)
Source: 0.0.KYC INQUIRY 14-01.exe.280000.0.unpack, Cd/gJ.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable694, null, null)
Source: 4.0.KYC INQUIRY 14-01.exe.6a0000.1.unpack, Cd/gJ.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable694, null, null)
Source: 4.0.KYC INQUIRY 14-01.exe.6a0000.9.unpack, Cd/gJ.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable694, null, null)
Source: 4.0.KYC INQUIRY 14-01.exe.6a0000.3.unpack, Cd/gJ.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable694, null, null)

Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Code function: 0_2_04C2C109 push cs; ret	0_2_04C2C14E
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Code function: 0_2_04C2E644 push cs; ret	0_2_04C2F3C6
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Code function: 0_2_04C2C2A0 push cs; ret	0_2_04C2C2AE
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Code function: 0_2_04C28D7D push ebp; iretd	0_2_04C28D80
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Code function: 4_2_00D77A37 push edi; retn 0000h	4_2_00D77A39

Source: initial sample

Static PE information: section name: .text entropy: 7.23594935691

Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 0.2.KYC INQUIRY 14-01.exe.2637820.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KYC INQUIRY 14-01.exe.26766b4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KYC INQUIRY 14-01.exe.262f814.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.688722039.000000000264A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.688470946.0000000002601000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: KYC INQUIRY 14-01.exe PID: 6504, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: KYC INQUIRY 14-01.exe, 00000000.00000002.688722039.000000000264A000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000002.688470946.0000000002601000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.688722039.000000000264A000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000002.688470946.0000000002601000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe TID: 6512	Thread sleep time: -37638s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe TID: 2264	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe TID: 6936	Thread sleep time: -12912720851596678s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe TID: 6920	Thread sleep count: 907 > 30	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe TID: 6920	Thread sleep count: 8937 > 30	Jump to behavior

Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Window / User API: threadDelayed 907			Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Window / User API: threadDelayed 8937			Jump to behavior

Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Thread delayed: delay time: 37638	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: KYC INQUIRY 14-01.exe, 00000000.00000002.688470946.0000000002601000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.688470946.0000000002601000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.688470946.0000000002601000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: KYC INQUIRY 14-01.exe, 00000004.00000003.906047500.0000000005E9F000.00000004.00000010.sdmp, KYC INQUIRY 14-01.exe, 00000004.00000002.932626951.0000000005E95000.00000004.00000010.sdmp	Binary or memory string: Hyper-V RAW
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.688470946.0000000002601000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe

Code function: 4_2_00B64C78 LdrInitializeThunk,

4_2_00B64C78

Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe

Memory written: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe

Process created: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe C:\Users\user\Desktop\KYC INQUIRY 14-01.exe

Jump to behavior

Source: KYC INQUIRY 14-01.exe, 00000004.00000002.930019635.0000000001410000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: KYC INQUIRY 14-01.exe, 00000004.00000002.930019635.0000000001410000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: KYC INQUIRY 14-01.exe, 00000004.00000002.930019635.0000000001410000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: KYC INQUIRY 14-01.exe, 00000004.00000002.930019635.0000000001410000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 4.0.KYC INQUIRY 14-01.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KYC INQUIRY 14-01.exe.369a178.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.KYC INQUIRY 14-01.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.KYC INQUIRY 14-01.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KYC INQUIRY 14-01.exe.3663f58.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.KYC INQUIRY 14-01.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.KYC INQUIRY 14-01.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.KYC INQUIRY 14-01.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KYC INQUIRY 14-01.exe.3663f58.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KYC INQUIRY 14-01.exe.369a178.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.928613280.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.685488835.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.684540552.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.685016391.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.685872653.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.689364084.0000000003609000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.930221885.00000000029C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: KYC INQUIRY 14-01.exe PID: 6504, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: KYC INQUIRY 14-01.exe PID: 5984, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Show sources

Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Source: Yara match	File source: 00000004.00000002.930221885.00000000029C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: KYC INQUIRY 14-01.exe PID: 5984, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 4.0.KYC INQUIRY 14-01.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KYC INQUIRY 14-01.exe.369a178.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.KYC INQUIRY 14-01.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.KYC INQUIRY 14-01.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KYC INQUIRY 14-01.exe.3663f58.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.KYC INQUIRY 14-01.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.KYC INQUIRY 14-01.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.KYC INQUIRY 14-01.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KYC INQUIRY 14-01.exe.3663f58.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.KYC INQUIRY 14-01.exe.369a178.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.928613280.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.685488835.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.684540552.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.685016391.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.685872653.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.689364084.0000000003609000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.930221885.00000000029C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: KYC INQUIRY 14-01.exe PID: 6504, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: KYC INQUIRY 14-01.exe PID: 5984, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Path Interception	Process Injection112	Masquerading1	OS Credential Dumping2	Query Registry1	Remote Services	Email Collection1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	Credentials in Registry1	Security Software Discovery211	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion131	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Local System2	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection112	NTDS	Virtualization/Sandbox Evasion131	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol11	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information2	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing23	DCSync	System Information Discovery114	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
KYC INQUIRY 14-01.exe	32%	Virustotal		Browse
KYC INQUIRY 14-01.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
4.0.KYC INQUIRY 14-01.exe.400000.4.unpack	100%	Avira	TR/Spy.Gen8	Download File
4.2.KYC INQUIRY 14-01.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8	Download File
4.0.KYC INQUIRY 14-01.exe.400000.10.unpack	100%	Avira	TR/Spy.Gen8	Download File
4.0.KYC INQUIRY 14-01.exe.400000.6.unpack	100%	Avira	TR/Spy.Gen8	Download File
4.0.KYC INQUIRY 14-01.exe.400000.12.unpack	100%	Avira	TR/Spy.Gen8	Download File
4.0.KYC INQUIRY 14-01.exe.400000.8.unpack	100%	Avira	TR/Spy.Gen8	Download File

Domains

Source	Detection	Scanner	Label	Link
amtartec.com	2%	Virustotal		Browse
x1.i.lencr.org	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.zhongyicts.com.cnue	0%	URL Reputation	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.zhongyicts.com.cnt-p	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.fontbureau.comuewaX	0%	Avira URL Cloud	safe
http://bWuGMpUiLLMQeS0B9HKc.net	0%	Avira URL Cloud	safe
http://r3.i.lencr.org/0	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.fontbureau.comgreta	0%	URL Reputation	safe
http://www.carterandcone.comue	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.carterandcone.como.	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.founder.com.cn/cni	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
http://ecvgsx.com	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://x1.i.lencr.org/	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://api.ipify.org%$	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://amtartec.com	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.zhongyicts.com.cno.	0%	URL Reputation	safe
http://x1.i.lencr.org/j	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/)	0%	Avira URL Cloud	safe
http://mail.amtartec.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
amtartec.com	185.9.51.36	true	true	2%, Virustotal, Browse	unknown
x1.i.lencr.org	unknown	unknown	false	0%, Virustotal, Browse	unknown
mail.amtartec.com	unknown	unknown	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.zhongyicts.com.cnue	KYC INQUIRY 14-01.exe, 00000000.00000003.667989126.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667940784.0000000005696000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:HTTP/1.1	KYC INQUIRY 14-01.exe, 00000004.00000002.930221885.00000000029C1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.com/designersG	KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp	false		high
http://www.zhongyicts.com.cnt-p	KYC INQUIRY 14-01.exe, 00000000.00000003.667989126.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667940784.0000000005696000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp	false		high
http://www.goodfont.co.kr	KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.com	KYC INQUIRY 14-01.exe, 00000000.00000003.667989126.0000000005696000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comuewaX	KYC INQUIRY 14-01.exe, 00000000.00000002.688371314.0000000000D57000.00000004.00000040.sdmp	false	Avira URL Cloud: safe	unknown
http://bWuGMpUiLLMQeS0B9HKc.net	KYC INQUIRY 14-01.exe, 00000004.00000002.930702649.0000000002D4F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://r3.i.lencr.org/0	KYC INQUIRY 14-01.exe, 00000004.00000002.930656310.0000000002D37000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000004.00000002.930634828.0000000002D2B000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comgreta	KYC INQUIRY 14-01.exe, 00000000.00000002.688371314.0000000000D57000.00000004.00000040.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comue	KYC INQUIRY 14-01.exe, 00000000.00000003.668680200.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.668803095.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667989126.0000000005696000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	KYC INQUIRY 14-01.exe, 00000004.00000002.930634828.0000000002D2B000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	KYC INQUIRY 14-01.exe, 00000004.00000002.930634828.0000000002D2B000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://r3.o.lencr.org0	KYC INQUIRY 14-01.exe, 00000004.00000002.930656310.0000000002D37000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000004.00000002.930634828.0000000002D2B000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org%GETMozilla/5.0	KYC INQUIRY 14-01.exe, 00000004.00000002.930221885.00000000029C1000.00000004.00000001.sdmp	false	URL Reputation: safe	low
http://www.fonts.com	KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kr	KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667940784.0000000005696000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.como.	KYC INQUIRY 14-01.exe, 00000000.00000003.669401508.000000000569B000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.668680200.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.668803095.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669633894.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669148799.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669074106.0000000005695000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669377652.000000000569B000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667989126.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669281617.000000000569B000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669520183.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669723395.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669440181.000000000569B000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669259523.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.668886513.0000000005694000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cni	KYC INQUIRY 14-01.exe, 00000000.00000003.667848338.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667872959.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667709031.0000000005694000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667682755.0000000005694000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667769667.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667813528.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667989126.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667940784.0000000005696000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	KYC INQUIRY 14-01.exe, 00000000.00000002.689364084.0000000003609000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000004.00000002.928613280.0000000000402000.00000040.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000004.00000000.684540552.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe	unknown
http://ecvgsx.com	KYC INQUIRY 14-01.exe, 00000004.00000002.930221885.00000000029C1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	KYC INQUIRY 14-01.exe, 00000000.00000003.667848338.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667872959.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.668680200.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.668803095.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669633894.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669148799.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669074106.0000000005695000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.671164950.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669885794.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669377652.000000000569B000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.670254704.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667989126.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669281617.000000000569B000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669520183.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669723395.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669440181.000000000569B000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.671861127.000000000569B000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.671765144.000000000569B000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667940784.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.670988903.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669259523.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669919147.000000000569B000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.668886513.0000000005694000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com	KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000002.688371314.0000000000D57000.00000004.00000040.sdmp	false		high
http://www.galapagosdesign.com/	KYC INQUIRY 14-01.exe, 00000000.00000003.674939945.00000000056C7000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/	2D85F72862B55C4EADD9E66E06947F3D.4.dr	false	URL Reputation: safe	unknown
http://DynDns.comDynDNS	KYC INQUIRY 14-01.exe, 00000004.00000002.930221885.00000000029C1000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmll	KYC INQUIRY 14-01.exe, 00000000.00000003.672827687.00000000056CD000.00000004.00000001.sdmp	false		high
http://cps.letsencrypt.org0	KYC INQUIRY 14-01.exe, 00000004.00000002.930656310.0000000002D37000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000004.00000002.930634828.0000000002D2B000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	KYC INQUIRY 14-01.exe, 00000004.00000002.930221885.00000000029C1000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org%$	KYC INQUIRY 14-01.exe, 00000004.00000002.930221885.00000000029C1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.carterandcone.coml	KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn	KYC INQUIRY 14-01.exe, 00000000.00000003.667848338.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667872959.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667709031.0000000005694000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667682755.0000000005694000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667769667.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667813528.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp	false		high
http://amtartec.com	KYC INQUIRY 14-01.exe, 00000004.00000002.930634828.0000000002D2B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cno.	KYC INQUIRY 14-01.exe, 00000000.00000003.667989126.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667940784.0000000005696000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp	false		high
http://x1.i.lencr.org/j	KYC INQUIRY 14-01.exe, 00000004.00000002.932567505.0000000005E01000.00000004.00000010.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/	KYC INQUIRY 14-01.exe, 00000000.00000003.671622125.00000000056CD000.00000004.00000001.sdmp	false		high
http://www.galapagosdesign.com/)	KYC INQUIRY 14-01.exe, 00000000.00000003.674939945.00000000056C7000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://mail.amtartec.com	KYC INQUIRY 14-01.exe, 00000004.00000002.930634828.0000000002D2B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.9.51.36	amtartec.com	United Kingdom		13213	UK2NET-ASGB	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	553301
Start date:	14.01.2022
Start time:	16:18:15
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	KYC INQUIRY 14-01.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/5@3/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 0.3% (good quality ratio 0%) Quality average: 10% Quality standard deviation: 22.4%
HCA Information:	Successful, ratio: 100% Number of executed functions: 40 Number of non-executed functions: 3
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 209.197.3.8, 23.50.97.168, 173.222.108.226, 173.222.108.210 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e8652.dscx.akamaiedge.net, store-images.s-microsoft.com, wu-shim.trafficmanager.net, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, cds.d2s7q6s2.hwcdn.net, img-prod-cms-rt-microsoft-com.akamaized.net, a767.dspw65.akamai.net, arc.msn.com, crl.root-x1.letsencrypt.org.edgekey.net, download.windowsupdate.com.edgesuite.net Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:19:18	API Interceptor	733x Sleep call for process: KYC INQUIRY 14-01.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
185.9.51.36	http://185.183.99.175/emar/index.php/campaigns/eo590jy956af4/web-version/hd2039z4ol40a	Get hash	malicious	Browse	24x7onlineservers.com/portal/modules/livehelp/locale/en/images/Offline.png

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
UK2NET-ASGB	KYC DETAILS #13-01.exe	Get hash	malicious	Browse	185.9.51.36
	H8CkqRplFS.exe	Get hash	malicious	Browse	185.9.51.36
	INQUIRY 12 7.doc	Get hash	malicious	Browse	185.9.51.36
	DHLDOC.exe	Get hash	malicious	Browse	46.23.69.44
	rQzYHz2UB9	Get hash	malicious	Browse	83.170.125.32
	TRANSF67891.exe	Get hash	malicious	Browse	37.123.118.150
	5syWAI6DU6	Get hash	malicious	Browse	77.92.65.82
	quotation New Order I5117.exe	Get hash	malicious	Browse	37.123.118.150
	Request for Quotation.exe	Get hash	malicious	Browse	37.123.118.150
	Ocxwgtrrxrnbohidoxavjksseafwerivek.exe	Get hash	malicious	Browse	37.123.118.150
	P.O 20222021.xlsx	Get hash	malicious	Browse	37.123.118.150
	owari.arm7	Get hash	malicious	Browse	77.92.90.53
	0rder_pdf.exe	Get hash	malicious	Browse	37.123.118.150
	erRVQhhJO4	Get hash	malicious	Browse	77.92.65.85
	Shipping invoice2320214010.exe	Get hash	malicious	Browse	37.123.118.150
	RvWKZZXqch	Get hash	malicious	Browse	77.92.90.58
	qdo8TC8wxP	Get hash	malicious	Browse	77.92.90.91
	7084_00_WPG_20211716.exe	Get hash	malicious	Browse	37.123.118.150
	PO 211213-0221A.exe	Get hash	malicious	Browse	37.123.118.150
	lBpxJoOTRL.exe	Get hash	malicious	Browse	37.123.118.150

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D Download File
Process:	C:\Users\user\Desktop\KYC INQUIRY 14-01.exe
File Type:	data
Category:	dropped
Size (bytes):	1391
Entropy (8bit):	7.705940075877404
Encrypted:	false
SSDEEP:	24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
MD5:	0CD2F9E0DA1773E9ED864DA5E370E74E
SHA1:	CABD2A79A1076A31F21D253635CB039D4329A5E8
SHA-256:	96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
SHA-512:	3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	0..k0..S............@.YDc.c...0....H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0....H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.\|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I......A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.\|C.t..t.....0.[q6....00\H..;..}`...).........A.......\|.;F.H..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..\|o..;.....'...}~.."......

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Users\user\Desktop\KYC INQUIRY 14-01.exe
File Type:	Microsoft Cabinet archive data, 61414 bytes, 1 file
Category:	dropped
Size (bytes):	61414
Entropy (8bit):	7.995245868798237
Encrypted:	true
SSDEEP:	1536:EysgU6qmzixT64jYMZ8HbVPGfVDwm/xLZ9rP:wF6qmeo4eH1m9wmLvrP
MD5:	ACAEDA60C79C6BCAC925EEB3653F45E0
SHA1:	2AAAE490BCDACCC6172240FF1697753B37AC5578
SHA-256:	6B0CECCF0103AFD89844761417C1D23ACC41F8AEBF3B7230765209B61EEE5658
SHA-512:	FEAA6E7ED7DDA1583739B3E531AB5C562A222EE6ECD042690AE7DCFF966717C6E968469A7797265A11F6E899479AE0F3031E8CF5BEBE1492D5205E9C59690900
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF............,...................I.......;w........RSNj .authroot.stl..>.(.5..CK..8T....c_.d...A.K...+.d.H..i.RJJ.IQIR..$t)Kd.-[..T\{..ne......<.w......A..B........c...wi......D....c.0D,L........fy....Rg...=........i,3.3..Z....~^ve<...TF....f.zy.,...m.@.0.0...m.3..I(..+..v#...(.2....e...L..y..V.......~U...."<ke.....l.X:Dt..R<7.5\A7L0=..T.V...IDr..8<....r&...I-.^..b.b.".Af....E.._..r.>.`;,.Hob..S.....7'..\.R$.".g..+..64..@nP.....k3...B.`.G..@D.....L.....`^...#OpW.....!....`.....rf:.}.R.@....gR.#7....l..H.#...d.Qh..3..fCX....==#..M.l..~&....[.J9.\..Ww.....Tx.%....]..a4E...q.+...#.a..x..O..V.t..Y1!.T..`U...-...< _@...\|(.....0..3.`.LU...E0.Gu.4KN....5...?.....I.p..'..........N<.d.O..dH@c1t...[w/...T....cYK.X>.0..Z.....O>..9.3.#9X.%.b...5.YK.E.V.....`./.3.._..nN]..=..M.o.F.._..z....._...gY..!Z..?l....vp.l.:.d.Z..W.....~...N.._.k...&.....$......i.F.d.....D!e.....Y..,.E..m.;.1... $.F..O.F.o_}.uG....,.%.>,.Zx.......o....c../.;....g&.....

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D Download File
Process:	C:\Users\user\Desktop\KYC INQUIRY 14-01.exe
File Type:	data
Category:	dropped
Size (bytes):	192
Entropy (8bit):	2.8064124905820815
Encrypted:	false
SSDEEP:	3:kkFklx7pklfllXlE/zMc+kl7vNNX8RolJuRdyo1dlUKlGXJlDdt:kKKJ1bl7VNMa8Rdy+UKcXP
MD5:	4A9383DDA1B555B0482BCE39D980D801
SHA1:	32D22C955C4FC6AE9A6A5D523CC6C0162E18C2F2
SHA-256:	D80EB9F34CB71554A8E79D9411BC2AAAEBF2D3C22DD042C4D7F9D70D49080067
SHA-512:	A64B9045FA3256F6C552F6E1481B117519BADB0C094C353078DC23A92D6B3CE54C9FE9932968DA6FE43CE405A8B2A52999D13F98E659F742A309A72107F6382B
Malicious:	false
Reputation:	low
Preview:	p...... .........NF.s...(....................................................... ..........~...3...............o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".5.a.6.2.8.1.5.c.-.5.6.f."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Users\user\Desktop\KYC INQUIRY 14-01.exe
File Type:	data
Category:	modified
Size (bytes):	328
Entropy (8bit):	3.107354238829088
Encrypted:	false
SSDEEP:	6:kKHl7k8SN+SkQlPlEGYRMY9z+4KlDA3RUeYlUmlUR/t:Pl79kPlE99SNxAhUeYlUSA/t
MD5:	CD1193487E842FB09580F190E8854F43
SHA1:	9F7D85ED563298576947EAC5DC7C881B38C73B73
SHA-256:	1E6BB9B9D15DB356B93F2D11A16F4D5C1788C2C3BCAA0E2FBA122CFF34CE073A
SHA-512:	5DC850BD90754D755FB12447FD023EC1A492C617F7505C20721C667B1F44052C7A9AD99A773345BF5539B30D6F5FE764ECF80E590751717184CEF256E11364C9
Malicious:	false
Reputation:	low
Preview:	p...... ...........u...(....................................................... ........q.\].......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.7.1.e.1.5.c.5.d.c.4.d.7.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\KYC INQUIRY 14-01.exe.log Download File
Process:	C:\Users\user\Desktop\KYC INQUIRY 14-01.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.345651901398759
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x847mE4P:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzQ
MD5:	A9EFF9253CAF99EC8665E41D736DDAED
SHA1:	D95BB4ABC856D774DA4602A59DE252B4BF560530
SHA-256:	DBC637B33F1F3CD1AB40AFED23F94C4571CA43621EBB52C5DC267DBDC52D4783
SHA-512:	96B67A84B750589BDB758224641065919F34BBF02BB286B9F5D566B48965A0E38FB88308B61351A6E11C46B76BFEC370FBC8B978A9F0F07A847567172D5CA5F3
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.226177281531698
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	KYC INQUIRY 14-01.exe
File size:	590336
MD5:	16d01fd64df59776d3454734512ded3c
SHA1:	dcfe9d148b76768ae3dea9875255c0873d58d1b0
SHA256:	77743ead6e13c024db3534a837c669ee3c4fbaac2320bbf937fbe5e58de4a3b3
SHA512:	cb90d72e5244c4baf5aa9ee7aad040dbdc6b47318cb3b5dbec4a6c9d1b2290d650c4c8be77255c5017af181c446d6daa70202e89002429e5c6046643c0d0d699
SSDEEP:	12288:KK777777777777N7LPJ6OISxBo/+0dxGhu2jfwr7zo:KK777777777777lLB6O/p0dIhJwjo
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....g.a................................. ... ....@.. .......................`............@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4916de
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61E1670E [Fri Jan 14 12:05:34 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x91690	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x92000	0x5f4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x94000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x9163d	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x8f6e4	0x8f800	False	0.755303040614	data	7.23594935691	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x92000	0x5f4	0x600	False	0.438802083333	data	4.189050521	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x94000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x920a0	0x366	data
RT_MANIFEST	0x92408	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	2022 Tradewell
Assembly Version	22.0.0.0
InternalName	EventIgnoreAttribu.exe
FileVersion	1.1.0.0
CompanyName	Tradewell ltd
LegalTrademarks
Comments	Purple Org
ProductName	Blaster
ProductVersion	1.1.0.0
FileDescription	Blaster
OriginalFilename	EventIgnoreAttribu.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2022 16:21:01.437788010 CET	49845	587	192.168.2.4	185.9.51.36
Jan 14, 2022 16:21:01.471756935 CET	587	49845	185.9.51.36	192.168.2.4
Jan 14, 2022 16:21:01.471884966 CET	49845	587	192.168.2.4	185.9.51.36
Jan 14, 2022 16:21:01.543900967 CET	587	49845	185.9.51.36	192.168.2.4
Jan 14, 2022 16:21:01.544349909 CET	49845	587	192.168.2.4	185.9.51.36
Jan 14, 2022 16:21:01.578347921 CET	587	49845	185.9.51.36	192.168.2.4
Jan 14, 2022 16:21:01.578954935 CET	49845	587	192.168.2.4	185.9.51.36
Jan 14, 2022 16:21:01.617613077 CET	587	49845	185.9.51.36	192.168.2.4
Jan 14, 2022 16:21:01.668987036 CET	49845	587	192.168.2.4	185.9.51.36
Jan 14, 2022 16:21:01.692372084 CET	49845	587	192.168.2.4	185.9.51.36
Jan 14, 2022 16:21:01.744628906 CET	587	49845	185.9.51.36	192.168.2.4
Jan 14, 2022 16:21:01.744682074 CET	587	49845	185.9.51.36	192.168.2.4
Jan 14, 2022 16:21:01.744714022 CET	587	49845	185.9.51.36	192.168.2.4
Jan 14, 2022 16:21:01.744823933 CET	49845	587	192.168.2.4	185.9.51.36
Jan 14, 2022 16:21:01.763871908 CET	49845	587	192.168.2.4	185.9.51.36
Jan 14, 2022 16:21:01.798615932 CET	587	49845	185.9.51.36	192.168.2.4
Jan 14, 2022 16:21:01.840856075 CET	49845	587	192.168.2.4	185.9.51.36
Jan 14, 2022 16:21:07.168373108 CET	49845	587	192.168.2.4	185.9.51.36
Jan 14, 2022 16:21:07.202347040 CET	587	49845	185.9.51.36	192.168.2.4
Jan 14, 2022 16:21:07.203335047 CET	49845	587	192.168.2.4	185.9.51.36
Jan 14, 2022 16:21:07.237579107 CET	587	49845	185.9.51.36	192.168.2.4
Jan 14, 2022 16:21:07.238215923 CET	49845	587	192.168.2.4	185.9.51.36
Jan 14, 2022 16:21:07.301060915 CET	587	49845	185.9.51.36	192.168.2.4
Jan 14, 2022 16:21:07.301949024 CET	49845	587	192.168.2.4	185.9.51.36
Jan 14, 2022 16:21:07.335903883 CET	587	49845	185.9.51.36	192.168.2.4
Jan 14, 2022 16:21:07.336252928 CET	49845	587	192.168.2.4	185.9.51.36
Jan 14, 2022 16:21:07.372306108 CET	587	49845	185.9.51.36	192.168.2.4
Jan 14, 2022 16:21:07.372832060 CET	49845	587	192.168.2.4	185.9.51.36
Jan 14, 2022 16:21:07.406718016 CET	587	49845	185.9.51.36	192.168.2.4
Jan 14, 2022 16:21:07.408494949 CET	49845	587	192.168.2.4	185.9.51.36
Jan 14, 2022 16:21:07.408813000 CET	49845	587	192.168.2.4	185.9.51.36
Jan 14, 2022 16:21:07.409708977 CET	49845	587	192.168.2.4	185.9.51.36
Jan 14, 2022 16:21:07.409912109 CET	49845	587	192.168.2.4	185.9.51.36
Jan 14, 2022 16:21:07.442313910 CET	587	49845	185.9.51.36	192.168.2.4
Jan 14, 2022 16:21:07.442532063 CET	587	49845	185.9.51.36	192.168.2.4
Jan 14, 2022 16:21:07.443483114 CET	587	49845	185.9.51.36	192.168.2.4
Jan 14, 2022 16:21:07.443550110 CET	587	49845	185.9.51.36	192.168.2.4
Jan 14, 2022 16:21:07.457731962 CET	587	49845	185.9.51.36	192.168.2.4
Jan 14, 2022 16:21:07.497565031 CET	49845	587	192.168.2.4	185.9.51.36

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2022 16:21:00.951390028 CET	64801	53	192.168.2.4	8.8.8.8
Jan 14, 2022 16:21:01.072341919 CET	53	64801	8.8.8.8	192.168.2.4
Jan 14, 2022 16:21:01.099323034 CET	61721	53	192.168.2.4	8.8.8.8
Jan 14, 2022 16:21:01.326092005 CET	53	61721	8.8.8.8	192.168.2.4
Jan 14, 2022 16:21:03.558242083 CET	51255	53	192.168.2.4	8.8.8.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 14, 2022 16:21:00.951390028 CET	192.168.2.4	8.8.8.8	0x333c	Standard query (0)	mail.amtartec.com	A (IP address)	IN (0x0001)
Jan 14, 2022 16:21:01.099323034 CET	192.168.2.4	8.8.8.8	0xdbe6	Standard query (0)	mail.amtartec.com	A (IP address)	IN (0x0001)
Jan 14, 2022 16:21:03.558242083 CET	192.168.2.4	8.8.8.8	0xdca9	Standard query (0)	x1.i.lencr.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 14, 2022 16:21:01.072341919 CET	8.8.8.8	192.168.2.4	0x333c	No error (0)	mail.amtartec.com	amtartec.com		CNAME (Canonical name)	IN (0x0001)
Jan 14, 2022 16:21:01.072341919 CET	8.8.8.8	192.168.2.4	0x333c	No error (0)	amtartec.com		185.9.51.36	A (IP address)	IN (0x0001)
Jan 14, 2022 16:21:01.326092005 CET	8.8.8.8	192.168.2.4	0xdbe6	No error (0)	mail.amtartec.com	amtartec.com		CNAME (Canonical name)	IN (0x0001)
Jan 14, 2022 16:21:01.326092005 CET	8.8.8.8	192.168.2.4	0xdbe6	No error (0)	amtartec.com		185.9.51.36	A (IP address)	IN (0x0001)
Jan 14, 2022 16:21:03.580791950 CET	8.8.8.8	192.168.2.4	0xdca9	No error (0)	x1.i.lencr.org	crl.root-x1.letsencrypt.org.edgekey.net		CNAME (Canonical name)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jan 14, 2022 16:21:01.543900967 CET	587	49845	185.9.51.36	192.168.2.4	220-summit.nocdirect.com ESMTP Exim 4.93 #2 Fri, 14 Jan 2022 15:21:00 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jan 14, 2022 16:21:01.544349909 CET	49845	587	192.168.2.4	185.9.51.36	EHLO 724471
Jan 14, 2022 16:21:01.578347921 CET	587	49845	185.9.51.36	192.168.2.4	250-summit.nocdirect.com Hello 724471 [84.17.52.18] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jan 14, 2022 16:21:01.578954935 CET	49845	587	192.168.2.4	185.9.51.36	STARTTLS
Jan 14, 2022 16:21:01.617613077 CET	587	49845	185.9.51.36	192.168.2.4	220 TLS go ahead

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: KYC INQUIRY 14-01.exe PID: 6504 Parent PID: 5176

General

Start time:	16:19:10
Start date:	14/01/2022
Path:	C:\Users\user\Desktop\KYC INQUIRY 14-01.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\KYC INQUIRY 14-01.exe"
Imagebase:	0x280000
File size:	590336 bytes
MD5 hash:	16D01FD64DF59776D3454734512DED3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.688722039.000000000264A000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.688470946.0000000002601000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.689364084.0000000003609000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.689364084.0000000003609000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: KYC INQUIRY 14-01.exe PID: 5984 Parent PID: 6504

General

Start time:	16:19:19
Start date:	14/01/2022
Path:	C:\Users\user\Desktop\KYC INQUIRY 14-01.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\KYC INQUIRY 14-01.exe
Imagebase:	0x6a0000
File size:	590336 bytes
MD5 hash:	16D01FD64DF59776D3454734512DED3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.928613280.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.928613280.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.685488835.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.685488835.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.684540552.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.684540552.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.685016391.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.685016391.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.685872653.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.685872653.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.930221885.00000000029C1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.930221885.00000000029C1000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: KYC INQUIRY 14-01.exe PID: 6504 Parent PID: 5176 KYC INQUIRY 14-01.exeCOMMON

Execution Graph

Execution Coverage:	10.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	219
Total number of Limit Nodes:	10

Executed Functions

Function 00CB9F10, Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00CBA156

Memory Dump Source

Source File: 00000000.00000002.688075876.0000000000CB0000.00000040.00000001.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_KYC INQUIRY 14-01.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 8e8b1d639fdb7305d52cf9ab0bb4adeef21d648412210a8641541cbf03e33c82
Instruction ID: a2b1ffe565ef5007785306fb6470418ff44c49383ab8b85daa829c630a789aff
Opcode Fuzzy Hash: 8e8b1d639fdb7305d52cf9ab0bb4adeef21d648412210a8641541cbf03e33c82
Instruction Fuzzy Hash: D3714670A00B058FDB24DF6AD44079AB7F5FF88314F00892ED59AD7A50DB35E946CB91

Uniqueness

Uniqueness Score: -1.00%

Function 04C207CE, Relevance: 1.6, APIs: 1, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04C208E2

Memory Dump Source

Source File: 00000000.00000002.690463350.0000000004C20000.00000040.00000001.sdmp, Offset: 04C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c20000_KYC INQUIRY 14-01.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 3b53886327532cc6fa10408cfb0b16972fa8b2a4fae596906aed3adeb05181b7
Instruction ID: 2de05125f436accc3a7a5fae612a989311c760496de8251577f2be02d9d617bd
Opcode Fuzzy Hash: 3b53886327532cc6fa10408cfb0b16972fa8b2a4fae596906aed3adeb05181b7
Instruction Fuzzy Hash: 5E41B2B1D10319DFDF14CF9AC984ADEBBB5BF48314F24812AE919AB210D7B4A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04C207D0, Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04C208E2

Memory Dump Source

Source File: 00000000.00000002.690463350.0000000004C20000.00000040.00000001.sdmp, Offset: 04C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c20000_KYC INQUIRY 14-01.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 6ec57ba665b1044e6be649d4783c838d84443bfce2b3c5aedfc337ec40503cc6
Instruction ID: 710308b6aa019b7fabacff97efe3930dc946d28c2a635041851a56b7ef337401
Opcode Fuzzy Hash: 6ec57ba665b1044e6be649d4783c838d84443bfce2b3c5aedfc337ec40503cc6
Instruction Fuzzy Hash: 5341B2B1D10319DFDF14CF9AC984ADEBBB5BF48314F24812AE919AB210D7B4A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00CB5574, Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00CB5631

Memory Dump Source

Source File: 00000000.00000002.688075876.0000000000CB0000.00000040.00000001.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_KYC INQUIRY 14-01.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d5cb8f9cd7bb5444353478e304d4c831d92b47cc90a23a3cd33352a440b038af
Instruction ID: 3f0a572ba864e85d2a3318258351c2a22b313b3cbc0cc35210b4ccd33788bf2d
Opcode Fuzzy Hash: d5cb8f9cd7bb5444353478e304d4c831d92b47cc90a23a3cd33352a440b038af
Instruction Fuzzy Hash: 0141E270C00619CFDB24DFA9C8857CEFBB5BF48304F608469D418AB251DB75A94ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 00CB3E30, Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00CB5631

Memory Dump Source

Source File: 00000000.00000002.688075876.0000000000CB0000.00000040.00000001.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_KYC INQUIRY 14-01.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 053dcaf923f5dbd18e71590edbf107f40442641c3b9f40cc1f2796776f7ab8e5
Instruction ID: 4299d09b79ea0808702ae832d1fe26318153876b203256f6eb769516a635701c
Opcode Fuzzy Hash: 053dcaf923f5dbd18e71590edbf107f40442641c3b9f40cc1f2796776f7ab8e5
Instruction Fuzzy Hash: 8B41F270C00619CFDB24DFA9C844BCEFBB5BF88304F608469E408AB251DB75A946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04C22D90, Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04C22E51

Memory Dump Source

Source File: 00000000.00000002.690463350.0000000004C20000.00000040.00000001.sdmp, Offset: 04C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c20000_KYC INQUIRY 14-01.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 261a6bf53574cc06846188a2bba7b607230f19ccdfd7d53bb2ad1e5d47a3fbb8
Instruction ID: e31c5a6833c7a4324764bb24633a54a41955a3ee72acafa30b6691c0e4b58dc5
Opcode Fuzzy Hash: 261a6bf53574cc06846188a2bba7b607230f19ccdfd7d53bb2ad1e5d47a3fbb8
Instruction Fuzzy Hash: B14136B4A00605CFDB50CF89C488AABFBF6FF88314F158499E519AB321D774A941CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CBC131, Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00CBC0FE,?,?,?,?,?), ref: 00CBC1BF

Memory Dump Source

Source File: 00000000.00000002.688075876.0000000000CB0000.00000040.00000001.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_KYC INQUIRY 14-01.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b76c92f34ae8a96590f0667863b701b0f39d57b28b5c526fe31e83348d006a97
Instruction ID: 8cd4896bb7387665b29c4ab8b832f9313ef4094944a9e35095d63275e259fffc
Opcode Fuzzy Hash: b76c92f34ae8a96590f0667863b701b0f39d57b28b5c526fe31e83348d006a97
Instruction Fuzzy Hash: 2B21E4B5D012089FDB10CF9AD884ADEFBF4EB48324F14841AE915B7310D774AA55CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CB9EB0, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00CBC0FE,?,?,?,?,?), ref: 00CBC1BF

Memory Dump Source

Source File: 00000000.00000002.688075876.0000000000CB0000.00000040.00000001.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_KYC INQUIRY 14-01.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 17c5cfdbf79d5118447fa73c58325d9f8e9b556bee8847f64ec339cf035f1627
Instruction ID: 64f86ab9a5e566b6e777654c6d8152cbb25fcca9c7bf4c5e3370c5ba432f2879
Opcode Fuzzy Hash: 17c5cfdbf79d5118447fa73c58325d9f8e9b556bee8847f64ec339cf035f1627
Instruction Fuzzy Hash: FE21E3B5901208AFDB10CF9AD884ADEFBF4EB48324F14841AE914B7311D774A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 087572C8, Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

GetThreadContext.KERNELBASE(?,00000000), ref: 08757346

Memory Dump Source

Source File: 00000000.00000002.691819784.0000000008750000.00000040.00000001.sdmp, Offset: 08750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8750000_KYC INQUIRY 14-01.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: bb590edd6e5a1ff302e0d4e4e008f4d841199ac1a724ab02a0206742bf0d092e
Instruction ID: e182aafbd6821ae41e89b774fbf3b17b04f7a6e23ad6f1a6066d553a4b9250c9
Opcode Fuzzy Hash: bb590edd6e5a1ff302e0d4e4e008f4d841199ac1a724ab02a0206742bf0d092e
Instruction Fuzzy Hash: 43213871D003098FDB14DFAAC8847EEBBF5EF48264F548429D919A7340DB78A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CB9B28, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00CBA1D1,00000800,00000000,00000000), ref: 00CBA3E2

Memory Dump Source

Source File: 00000000.00000002.688075876.0000000000CB0000.00000040.00000001.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_KYC INQUIRY 14-01.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3ad30fb1f174248a541d39b9cbb1c609494ad40e666393ea49029c513970418b
Instruction ID: eccf1f5ca42f250a97e861fc1d269bba16d9ecbc65bf0da8bd7fe7a445f15251
Opcode Fuzzy Hash: 3ad30fb1f174248a541d39b9cbb1c609494ad40e666393ea49029c513970418b
Instruction Fuzzy Hash: 9A1114B6D003099FDB10CF9AC844ADEFBF4EB88314F14842AE565A7210C775A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00CBA372, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00CBA1D1,00000800,00000000,00000000), ref: 00CBA3E2

Memory Dump Source

Source File: 00000000.00000002.688075876.0000000000CB0000.00000040.00000001.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_KYC INQUIRY 14-01.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9ac8282a1bafb62f2331db0cf0b76aea52c331524d6fc8741567273f54a7e447
Instruction ID: c3abd8919ed3dbab80e0a02f47ae0b44b0f358f7160e1b5c995de3d4916b3bf7
Opcode Fuzzy Hash: 9ac8282a1bafb62f2331db0cf0b76aea52c331524d6fc8741567273f54a7e447
Instruction Fuzzy Hash: E71114B6D002098FDB10CF9AC844ADEFBF4EB88310F14842AD425A7610C775A949CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 08757218, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0875727A

Memory Dump Source

Source File: 00000000.00000002.691819784.0000000008750000.00000040.00000001.sdmp, Offset: 08750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8750000_KYC INQUIRY 14-01.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f3cf79d38cfc18c0ccee27250f58e040f4c1b548f47ec4134174f31a77dfe0de
Instruction ID: 5ba9a9daccd25f74d7a9e3296a67868f5628693e83ceb45c6f464d6424f6a2c7
Opcode Fuzzy Hash: f3cf79d38cfc18c0ccee27250f58e040f4c1b548f47ec4134174f31a77dfe0de
Instruction Fuzzy Hash: A8113A71D003098BDB14DFAAC8447DFFBF9AF88224F148829D529A7350DB74A984CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 04C20A10, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 04C20A75

Memory Dump Source

Source File: 00000000.00000002.690463350.0000000004C20000.00000040.00000001.sdmp, Offset: 04C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c20000_KYC INQUIRY 14-01.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 95b62f206d5bcd8a5a5a36df8eafcc6029aa7a210e3826da2b0a3073b27dc5a3
Instruction ID: 39475839f6aafd6f57aac8879bd9571df734d750a540b7adb01f4d54b13ca536
Opcode Fuzzy Hash: 95b62f206d5bcd8a5a5a36df8eafcc6029aa7a210e3826da2b0a3073b27dc5a3
Instruction Fuzzy Hash: 2B1103B5900609DFDB10CF9AC985BDEFBF8EB48324F10851AE925A7300C374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CBA0F0, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00CBA156

Memory Dump Source

Source File: 00000000.00000002.688075876.0000000000CB0000.00000040.00000001.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_KYC INQUIRY 14-01.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0ad2cfcd669ac4784285ae9338640d1dfc9cce158ee2baad0856da02768e9ee7
Instruction ID: 06e7775583ebf8ce34cd4ae6954f1a6b88a3ec98de3079b472a16445c405ee86
Opcode Fuzzy Hash: 0ad2cfcd669ac4784285ae9338640d1dfc9cce158ee2baad0856da02768e9ee7
Instruction Fuzzy Hash: BC11FDB5C006498BDB10CF9AC844ADEFBF4AB88324F10841AD469A7210D374A945CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0875633C, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 08759EB5

Memory Dump Source

Source File: 00000000.00000002.691819784.0000000008750000.00000040.00000001.sdmp, Offset: 08750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8750000_KYC INQUIRY 14-01.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: dea217cef7b4d0e13892a2fa19a76bd72160488d06f74284afc59fe39e5da386
Instruction ID: f399105fcb8d036007259b6b412f9bd76dd539f7757ae70bb52ed164855ca4f8
Opcode Fuzzy Hash: dea217cef7b4d0e13892a2fa19a76bd72160488d06f74284afc59fe39e5da386
Instruction Fuzzy Hash: 3D11F5B5800749DFDB10DF99D844BDEBBF8EB48324F148419E914A7710D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04C20A18, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 04C20A75

Memory Dump Source

Source File: 00000000.00000002.690463350.0000000004C20000.00000040.00000001.sdmp, Offset: 04C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c20000_KYC INQUIRY 14-01.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: eed5faa6973ea5c6c9b24db4264aa73ace39fa268c4baf9c2aebf17c1c6c1766
Instruction ID: ae5137bcf55015e8f4f40143d3b2104efbfd433fd32ec336911b3a2cdb80dd3b
Opcode Fuzzy Hash: eed5faa6973ea5c6c9b24db4264aa73ace39fa268c4baf9c2aebf17c1c6c1766
Instruction Fuzzy Hash: 921100B5800209DFDB10CF9AC984BDEFBF8EB88324F10841AD914A7300C374A944CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00ACD4C4, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.687823082.0000000000ACD000.00000040.00000001.sdmp, Offset: 00ACD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_acd000_KYC INQUIRY 14-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 701d9504ced1aca7674007c41945e2fea82929335f86c5b72442cd9481b5ea12
Instruction ID: f05820c37d9f5c1ee60ca5c68175a2fd65f4321acf154af882c27b22d64149a3
Opcode Fuzzy Hash: 701d9504ced1aca7674007c41945e2fea82929335f86c5b72442cd9481b5ea12
Instruction Fuzzy Hash: 0C210372504244DFCB05DF14D9C0F27BF65FB88328F25857DE9050B246C336D856DAA2

Uniqueness

Uniqueness Score: -1.00%

Function 00ADD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.687862449.0000000000ADD000.00000040.00000001.sdmp, Offset: 00ADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_add000_KYC INQUIRY 14-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a28649e978bbfced326f511ae3c30752bfac9fd954534425e5103e5ed756990d
Instruction ID: c3e28eae864f0ee69c41f35150ce2a82b7bb7b136a4af3d506aa34d69f93c30f
Opcode Fuzzy Hash: a28649e978bbfced326f511ae3c30752bfac9fd954534425e5103e5ed756990d
Instruction Fuzzy Hash: 49210475504240DFCB14DF24D8C4B16BBA5FBC8324F24C96AD80B4B346C73AD857CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 00ADD1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.687862449.0000000000ADD000.00000040.00000001.sdmp, Offset: 00ADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_add000_KYC INQUIRY 14-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa0349a20df298f0274079208af8fb705482f73ac468a156c4f6ba0cb4d9a8b8
Instruction ID: be5a4bb3bd1a7abb3014997a9fddf2233df8e8b41cae057bcdacfad423504542
Opcode Fuzzy Hash: aa0349a20df298f0274079208af8fb705482f73ac468a156c4f6ba0cb4d9a8b8
Instruction Fuzzy Hash: DD2104B5504200EFDB05DF54D9C0B66BBA5FB88314F24CA6AE80A4B342C73AD856CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00ADD005, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.687862449.0000000000ADD000.00000040.00000001.sdmp, Offset: 00ADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_add000_KYC INQUIRY 14-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba80f55b0ff48bd438fdd307df1e2552868df17353da5be5e82324f98029996e
Instruction ID: c782dc2b5d87f92a9a8026aeba1039aaf6b90737b103709c26024631a07e8100
Opcode Fuzzy Hash: ba80f55b0ff48bd438fdd307df1e2552868df17353da5be5e82324f98029996e
Instruction Fuzzy Hash: 132150755093808FCB16CF24D994715BF71EB86314F28C6DBD84A8B697C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00ACD4BF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.687823082.0000000000ACD000.00000040.00000001.sdmp, Offset: 00ACD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_acd000_KYC INQUIRY 14-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9154f6813b35f5e849061fcfaf88a5200d9197f54dc6ddbdd48086d4df7a377
Instruction ID: b98ffed35a7135884ae5546ef3cb5c794b7abf1c9d5b57c798f1143ae1878643
Opcode Fuzzy Hash: f9154f6813b35f5e849061fcfaf88a5200d9197f54dc6ddbdd48086d4df7a377
Instruction Fuzzy Hash: 8211B176404284CFCB12CF10D9C4B16BF71FB94324F24C6ADD8450B656C336D85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00ADD1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.687862449.0000000000ADD000.00000040.00000001.sdmp, Offset: 00ADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_add000_KYC INQUIRY 14-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c1c4d15945f75f5c7145bd3be0d7b4ff171933bea9630414cfd87ddfd5d3604
Instruction ID: 944cab994834cd3d15f0567d24f25351e54f2e9ed2bc263dbfb84e6abd673770
Opcode Fuzzy Hash: 9c1c4d15945f75f5c7145bd3be0d7b4ff171933bea9630414cfd87ddfd5d3604
Instruction Fuzzy Hash: A2118B75544280DFCB12CF10D5C4B55BBB1FB84324F28C6AAD84A4B756C33AD85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00ACD745, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.687823082.0000000000ACD000.00000040.00000001.sdmp, Offset: 00ACD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_acd000_KYC INQUIRY 14-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ebc6d8e5604670587bf58186152da2c93665de08b5fd6e64810f0e8b63cfc72
Instruction ID: 94ff9f326d8d226a36e182d5dab042d3e7d07c02a242e8088cff26746790b310
Opcode Fuzzy Hash: 3ebc6d8e5604670587bf58186152da2c93665de08b5fd6e64810f0e8b63cfc72
Instruction Fuzzy Hash: 5A01F271408344AAE7109B25CC84F67BBA8EF41328F19852EE9086E286D7799844CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 00ACD744, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.687823082.0000000000ACD000.00000040.00000001.sdmp, Offset: 00ACD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_acd000_KYC INQUIRY 14-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0333573d3a78134a9cceca4a41abe34255e8c09ee06b25c04a0f0a582f11b876
Instruction ID: 55f5a985ab3c5ac9e91cba71c724d96422be6f947a64835b0a45da5aefac78e2
Opcode Fuzzy Hash: 0333573d3a78134a9cceca4a41abe34255e8c09ee06b25c04a0f0a582f11b876
Instruction Fuzzy Hash: 47F06271404244AAEB119F15CCC4B62FB98EB51734F18C46AED085B386D3799844CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00CBEDF8, Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688075876.0000000000CB0000.00000040.00000001.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_KYC INQUIRY 14-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b5be9e8bb63d76a64b4be1bc5154c14186345b9b86253f59aa8c94bb2628a6a
Instruction ID: 8b799f31e78eabc747ff1ab5d309e9941ae0a7f33c6974c25afe0893d3528fb3
Opcode Fuzzy Hash: 7b5be9e8bb63d76a64b4be1bc5154c14186345b9b86253f59aa8c94bb2628a6a
Instruction Fuzzy Hash: 6812A2B1512F668BE310CF65EC983AD3BA0B745329B91430BD2692FAF4D7B4114AEF44

Uniqueness

Uniqueness Score: -1.00%

Function 00CBC9B4, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688075876.0000000000CB0000.00000040.00000001.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_KYC INQUIRY 14-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 886822d9766585ea7056bb189ad965cec4887dfa52dd5a86479ca390eb83710e
Instruction ID: eb08105ca7b7d42563b3548536a572a30d32fecd70ac81d5de69901217cb9e76
Opcode Fuzzy Hash: 886822d9766585ea7056bb189ad965cec4887dfa52dd5a86479ca390eb83710e
Instruction Fuzzy Hash: 02A15B32E00219CFCF05DFA5C8845DEBBB2FF88700F15856AE915AB221EB75AA55DB40

Uniqueness

Uniqueness Score: -1.00%

Function 00CBEDE8, Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.688075876.0000000000CB0000.00000040.00000001.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cb0000_KYC INQUIRY 14-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e192e6b1d08e0c1451e96b5fe2ae9c1be9d16b5ba53c4f9ff85a2831af67288
Instruction ID: 6c61ffa137c57f15e8f9b6edfeb8aa5cd5e1db5be1f2daa45e4da6203425d523
Opcode Fuzzy Hash: 4e192e6b1d08e0c1451e96b5fe2ae9c1be9d16b5ba53c4f9ff85a2831af67288
Instruction Fuzzy Hash: 79C11AB1812B668BD310DF65EC983AD7BA1FB85328F51430BD2692F6E0D7B4104ADF44

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: KYC INQUIRY 14-01.exe PID: 5984 Parent PID: 6504 KYC INQUIRY 14-01.exeCOMMON

Execution Graph

Execution Coverage:	11.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	6.4%
Total number of Nodes:	78
Total number of Limit Nodes:	12

Executed Functions

Function 00B64C78, Relevance: 2.3, APIs: 1, Instructions: 817
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 00B654A0

Memory Dump Source

Source File: 00000004.00000002.928931788.0000000000B60000.00000040.00000010.sdmp, Offset: 00B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b60000_KYC INQUIRY 14-01.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8c09a0f2f2ac9a21c0009e2be8a7084a329a61b4c04b58e28ede034583532abe
Instruction ID: 47dd3106b49b01a403f03a005bfac5c90f42614b75421fb785618650c0ddfd94
Opcode Fuzzy Hash: 8c09a0f2f2ac9a21c0009e2be8a7084a329a61b4c04b58e28ede034583532abe
Instruction Fuzzy Hash: 35721731E006198FCB25EF78C8546DEB7F1AF89304F1085AAD54AAB751EF34AE85CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00B61DB0, Relevance: 1.7, APIs: 1, Instructions: 180libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B61DF1

Memory Dump Source

Source File: 00000004.00000002.928931788.0000000000B60000.00000040.00000010.sdmp, Offset: 00B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b60000_KYC INQUIRY 14-01.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e881e9a86efdd327843a8f41131d2b3ac6217e8d6499d5bf1bc9ad71ebdf4c18
Instruction ID: b91ddaa4e68ee09a160ead71df7f21c410149cb6a64a6f765bd969d0b6cac198
Opcode Fuzzy Hash: e881e9a86efdd327843a8f41131d2b3ac6217e8d6499d5bf1bc9ad71ebdf4c18
Instruction Fuzzy Hash: C6616D30A1021ADFDB14EFB8D499AAE7BF6BF84304F148869E446A7294DF799C45CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00F246C8, Relevance: 1.7, APIs: 1, Instructions: 172
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 00F24787

Memory Dump Source

Source File: 00000004.00000002.929501784.0000000000F20000.00000040.00000010.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_KYC INQUIRY 14-01.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 94684f970fce0d313a18d031f89835fe60733251d18de6c602ef77ef29281337
Instruction ID: fc9cfe2e70498c2e8ac507b6f7c4b459ab55892000a8b945d69f8583f8d647d6
Opcode Fuzzy Hash: 94684f970fce0d313a18d031f89835fe60733251d18de6c602ef77ef29281337
Instruction Fuzzy Hash: E2510231A142459FCB01EBB4C854AEE7BF5AF85304F05856AE546DB292EF39EC04CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F24728, Relevance: 1.6, APIs: 1, Instructions: 148
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 00F24787

Memory Dump Source

Source File: 00000004.00000002.929501784.0000000000F20000.00000040.00000010.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_KYC INQUIRY 14-01.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: da51ab7c1f807273d1105f382a32066cf00d45d749301dd9aedff189fb50d275
Instruction ID: 43666b05675be71d7829cf96b8681af5ff19d6ed198191c9cb34907c694e623b
Opcode Fuzzy Hash: da51ab7c1f807273d1105f382a32066cf00d45d749301dd9aedff189fb50d275
Instruction Fuzzy Hash: 1851A231A102069FCB14EBB4D845AEEB7F5FF84304F14896AE5469B395EF35E904CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F2EA98, Relevance: 1.6, APIs: 1, Instructions: 131
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.929501784.0000000000F20000.00000040.00000010.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_KYC INQUIRY 14-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b6d268ca289b91a2013b91bdbcb8622e939b52ac0cbfc95d74a86d7da4b354d
Instruction ID: 0c675dc7e6e258fb02034bfaca4e5bf8c1d03503dfb5d0af631fa892b46ff141
Opcode Fuzzy Hash: 7b6d268ca289b91a2013b91bdbcb8622e939b52ac0cbfc95d74a86d7da4b354d
Instruction Fuzzy Hash: 19414771E083558FCB00CBB9D8042DEBFF1AF89320F09856AD404AB251DB789C45CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00D7EA41, Relevance: 1.6, APIs: 1, Instructions: 119
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 00D7EB59

Memory Dump Source

Source File: 00000004.00000002.929327580.0000000000D70000.00000040.00000010.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d70000_KYC INQUIRY 14-01.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 5d3c29f9b8e28c9f09e714366e79fb9c62e0bb62f74cc37923173d3129524415
Instruction ID: 716b9e822a4ad293185493f68b19e1fbb582560414e94fa1312f19b7d3741803
Opcode Fuzzy Hash: 5d3c29f9b8e28c9f09e714366e79fb9c62e0bb62f74cc37923173d3129524415
Instruction Fuzzy Hash: ED4124B1E012599FCB11CFA9C884ADEBFF5BF49304F19806AE859AB351E7349805CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00D7E789, Relevance: 1.6, APIs: 1, Instructions: 115
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,00000000,?,00000001,?), ref: 00D7E89C

Memory Dump Source

Source File: 00000004.00000002.929327580.0000000000D70000.00000040.00000010.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d70000_KYC INQUIRY 14-01.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 1636264bfe9b6fc20746aca99eff17698040890688304c43e5a5b511a84da5e0
Instruction ID: f26ba90ff43e4e9cf2f278382ed83ea71fb0d978baa083dd10c2022b0fe466c9
Opcode Fuzzy Hash: 1636264bfe9b6fc20746aca99eff17698040890688304c43e5a5b511a84da5e0
Instruction Fuzzy Hash: 2F4167B0E053499FDB04CFA9C544A8EFFF5AF49304F29C1AAE408AB342D7759845CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B61D50, Relevance: 1.6, APIs: 1, Instructions: 111libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B61DF1

Memory Dump Source

Source File: 00000004.00000002.928931788.0000000000B60000.00000040.00000010.sdmp, Offset: 00B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_b60000_KYC INQUIRY 14-01.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7e090bf7405ca6ec94a6e4d5727fd19f10e310ad1843587d5ecdca5c9d15c304
Instruction ID: 2eecb5c0e79ef2fb3d5ddddb24e0ee96613f52c9b07a8eaf4de560e9b90f8269
Opcode Fuzzy Hash: 7e090bf7405ca6ec94a6e4d5727fd19f10e310ad1843587d5ecdca5c9d15c304
Instruction Fuzzy Hash: 8141E231A083859FDB05EB78D4546AE7BF1EF86304F1588BAD041DB2A6DB3A8C05CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00D7BF90, Relevance: 1.6, APIs: 1, Instructions: 88
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 00D7EB59

Memory Dump Source

Source File: 00000004.00000002.929327580.0000000000D70000.00000040.00000010.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d70000_KYC INQUIRY 14-01.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 620e6f06019e5140a6581af7cf612d3372f1b50aaab808ad008c97d9cfc38ef2
Instruction ID: 7bdfb4035050277e21459bf055af4ffb0acf3be8611abe18c007cd37027db35a
Opcode Fuzzy Hash: 620e6f06019e5140a6581af7cf612d3372f1b50aaab808ad008c97d9cfc38ef2
Instruction Fuzzy Hash: 6E31C0B1D00258DFCB10CF9AC484A9EBFF5BF48714F55806AE819AB310E774A905CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D7BF84, Relevance: 1.6, APIs: 1, Instructions: 83
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,00000000,?,00000001,?), ref: 00D7E89C

Memory Dump Source

Source File: 00000004.00000002.929327580.0000000000D70000.00000040.00000010.sdmp, Offset: 00D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_d70000_KYC INQUIRY 14-01.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: e2c3e68e44cb287888281ab181c3d3dc9ed25884c806a277fe6bd15baba926af
Instruction ID: 92b839d5039d4196cf52d83407267691fa6d9feee2ac95b6c4c94703a5654f99
Opcode Fuzzy Hash: e2c3e68e44cb287888281ab181c3d3dc9ed25884c806a277fe6bd15baba926af
Instruction Fuzzy Hash: 41310FB0D002499FDB14CFA9C584A8EFFF5BF48304F29C5AAE809AB341D7759845CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F2D518, Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,00F2EAEA), ref: 00F2EBD7

Memory Dump Source

Source File: 00000004.00000002.929501784.0000000000F20000.00000040.00000010.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_KYC INQUIRY 14-01.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 269d561efae2e9f3ece020c79bc3814985c07286263b2f2b84fc9d112ae16007
Instruction ID: f89bd5a159cf80e50692d18181143d8d9b59072f5536566b2d92c721093b5204
Opcode Fuzzy Hash: 269d561efae2e9f3ece020c79bc3814985c07286263b2f2b84fc9d112ae16007
Instruction Fuzzy Hash: 2B1133B1C006199BCB00CFAAD444BDEFBF4AB48324F14812AE814B7200D778A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F2EB68, Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,00F2EAEA), ref: 00F2EBD7

Memory Dump Source

Source File: 00000004.00000002.929501784.0000000000F20000.00000040.00000010.sdmp, Offset: 00F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f20000_KYC INQUIRY 14-01.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 3493dd343a90e03d245d3e12b2a9bdee890b25ada161e8c901b73de5b7c5a2d8
Instruction ID: 821b8eb93d2cfe4a31af89cb92b5f56a058738e73e797cfd27a2cdb28a13b537
Opcode Fuzzy Hash: 3493dd343a90e03d245d3e12b2a9bdee890b25ada161e8c901b73de5b7c5a2d8
Instruction Fuzzy Hash: 371126B1C046599FCB10CFAAD444BDEFBF4AF48324F15816AD414B7241D378A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FFD53C, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.929630535.0000000000FFD000.00000040.00000001.sdmp, Offset: 00FFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ffd000_KYC INQUIRY 14-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b27358e077ff98baa98bdc769e378198f66de489e43f36212c2c9e0cf72e2dbd
Instruction ID: f7b012d5feee3e13af10a356bbdf2bfde421f433a41586746343412b46a72ed0
Opcode Fuzzy Hash: b27358e077ff98baa98bdc769e378198f66de489e43f36212c2c9e0cf72e2dbd
Instruction Fuzzy Hash: ED2128B2504248DFCB05DF14D9C0B27BF66FF94328F288569EA054B256C336D856E7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0100D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.929676154.000000000100D000.00000040.00000001.sdmp, Offset: 0100D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_100d000_KYC INQUIRY 14-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45b931aa6400abdd0dbb5771882a50928b448d05d5f80e3693cdb4b022c2ccf3
Instruction ID: ba89d9e4272fb300d914452f32d98b69af3ee677cc3dba162a494983f02b1458
Opcode Fuzzy Hash: 45b931aa6400abdd0dbb5771882a50928b448d05d5f80e3693cdb4b022c2ccf3
Instruction Fuzzy Hash: 28212571504200DFEB16CF94D8C4B16BBA5FB84364F20C9A9E88D4B286C33AD857CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00FFD537, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.929630535.0000000000FFD000.00000040.00000001.sdmp, Offset: 00FFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ffd000_KYC INQUIRY 14-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9154f6813b35f5e849061fcfaf88a5200d9197f54dc6ddbdd48086d4df7a377
Instruction ID: 5240ae7a98918ac6c27750fa700dd6d066261c16fc12a3e1b60d6da3d8e30f3b
Opcode Fuzzy Hash: f9154f6813b35f5e849061fcfaf88a5200d9197f54dc6ddbdd48086d4df7a377
Instruction Fuzzy Hash: A211B176804284CFCB12CF10D5C4B26BF72FF94324F28C6A9D9094B666C336D85ADBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0100D017, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.929676154.000000000100D000.00000040.00000001.sdmp, Offset: 0100D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_100d000_KYC INQUIRY 14-01.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c1c4d15945f75f5c7145bd3be0d7b4ff171933bea9630414cfd87ddfd5d3604
Instruction ID: f08942dfb2042dce48e5d62ebddbc4eeb340c548babf787ff327c992335c71ec
Opcode Fuzzy Hash: 9c1c4d15945f75f5c7145bd3be0d7b4ff171933bea9630414cfd87ddfd5d3604
Instruction Fuzzy Hash: 91119075504280DFDB12CF94D5C4B15FFA1FB44324F24C6AAE8494B796C33AD45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report KYC INQUIRY 14-01.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

SMTP Packets

Code Manipulations

Statistics

CPU Usage

Function 00CB9F10, Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Function 04C207CE, Relevance: 1.6, APIs: 1, Instructions: 114
COMMON

Function 04C207D0, Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Function 00CB5574, Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Function 00CB3E30, Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 04C22D90, Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Function 00CBC131, Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Function 00B64C78, Relevance: 2.3, APIs: 1, Instructions: 817
libraryCOMMON

Function 00F246C8, Relevance: 1.7, APIs: 1, Instructions: 172
libraryCOMMON

Function 00F24728, Relevance: 1.6, APIs: 1, Instructions: 148
libraryCOMMON

Function 00F2EA98, Relevance: 1.6, APIs: 1, Instructions: 131
COMMON

Function 00D7EA41, Relevance: 1.6, APIs: 1, Instructions: 119
registryCOMMON

Function 00D7E789, Relevance: 1.6, APIs: 1, Instructions: 115
registryCOMMON

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre