
Windows Analysis Report KYC INQUIRY 14-01.exe

Overview

General Information

Sample Name: KYC INQUIRY 14-01.exe
Analysis ID: 553301
MD5: 16d01fd64df59776d3454734512ded3c
SHA1: dcfe9d148b76768ae3dea9875255c0873d58d1b0
SHA256: 77743ead6e13c024db3534a837c669ee3c4fbaac2320bbf937fbe5e58de4a3b3
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Drops certificate files (DER)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • KYC INQUIRY 14-01.exe (PID: 6504 cmdline: "C:\Users\user\Desktop\KYC INQUIRY 14-01.exe" MD5: 16D01FD64DF59776D3454734512DED3C)
    • KYC INQUIRY 14-01.exe (PID: 5984 cmdline: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe MD5: 16D01FD64DF59776D3454734512DED3C)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "syed@amtartec.com", "Password": "Ra@454504", "Host": "mail.amtartec.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.688722039.000000000264A000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000004.00000002.928613280.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000002.928613280.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000004.00000000.685488835.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000000.685488835.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security

Unpacked PEs

Source | Rule | Description | Author
4.0.KYC INQUIRY 14-01.exe.400000.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
4.0.KYC INQUIRY 14-01.exe.400000.4.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.KYC INQUIRY 14-01.exe.369a178.6.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.KYC INQUIRY 14-01.exe.369a178.6.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
4.0.KYC INQUIRY 14-01.exe.400000.10.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.KYC INQUIRY 14-01.exe.369a178.6.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "syed@amtartec.com", "Password": "Ra@454504", "Host": "mail.amtartec.com"}
Multi AV Scanner detection for submitted file
Source: KYC INQUIRY 14-01.exe | Virustotal: Detection: 31%
Machine Learning detection for sample
Source: KYC INQUIRY 14-01.exe | Joe Sandbox ML: detected
Source: 4.0.KYC INQUIRY 14-01.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 4.2.KYC INQUIRY 14-01.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 4.0.KYC INQUIRY 14-01.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 4.0.KYC INQUIRY 14-01.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 4.0.KYC INQUIRY 14-01.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 4.0.KYC INQUIRY 14-01.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: KYC INQUIRY 14-01.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: KYC INQUIRY 14-01.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: EventIgnoreAttribu.pdb | source: KYC INQUIRY 14-01.exe
Source: Joe Sandbox View | ASN Name: UK2NET-ASGB
Source: global traffic | TCP traffic: 192.168.2.4:49845 -> 185.9.51.36:587
Source: unknown | DNS traffic detected: queries for: mail.amtartec.com
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

System Summary:

.NET source code contains very large array initializations
Source: 4.0.KYC INQUIRY 14-01.exe.400000.4.unpack, <PrivateImplementationDetails>{3F9652B0-6316-41B6-88C3-1801FE1BB841}/92255519-335E-4240-92FD-43C6C020859F.cs | Large array initialization: .cctor: array initializer size 11968
Source: 4.2.KYC INQUIRY 14-01.exe.400000.0.unpack, <PrivateImplementationDetails>{3F9652B0-6316-41B6-88C3-1801FE1BB841}/92255519-335E-4240-92FD-43C6C020859F.cs | Large array initialization: .cctor: array initializer size 11968
Source: 4.0.KYC INQUIRY 14-01.exe.400000.10.unpack, <PrivateImplementationDetails>{3F9652B0-6316-41B6-88C3-1801FE1BB841}/92255519-335E-4240-92FD-43C6C020859F.cs | Large array initialization: .cctor: array initializer size 11968
Source: 4.0.KYC INQUIRY 14-01.exe.400000.6.unpack, <PrivateImplementationDetails>{3F9652B0-6316-41B6-88C3-1801FE1BB841}/92255519-335E-4240-92FD-43C6C020859F.cs | Large array initialization: .cctor: array initializer size 11968
Source: 4.0.KYC INQUIRY 14-01.exe.400000.12.unpack, <PrivateImplementationDetails>{3F9652B0-6316-41B6-88C3-1801FE1BB841}/92255519-335E-4240-92FD-43C6C020859F.cs | Large array initialization: .cctor: array initializer size 11968
Source: KYC INQUIRY 14-01.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                      Source: KYC INQUIRY 14-01.exeBinary or memory string: OriginalFilename vs KYC INQUIRY 14-01.exe
                      Source: KYC INQUIRY 14-01.exe, 00000000.00000002.691712863.00000000085E0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameUI.dllF vs KYC INQUIRY 14-01.exe
                      Source: KYC INQUIRY 14-01.exe, 00000000.00000002.688470946.0000000002601000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameIPVSkwuOyeoRxTWWyCCMZJnGlQffbxV.exe4 vs KYC INQUIRY 14-01.exe
                      Source: KYC INQUIRY 14-01.exe, 00000000.00000000.662068185.0000000000282000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameEventIgnoreAttribu.exe0 vs KYC INQUIRY 14-01.exe
                      Source: KYC INQUIRY 14-01.exe, 00000000.00000002.689364084.0000000003609000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameIPVSkwuOyeoRxTWWyCCMZJnGlQffbxV.exe4 vs KYC INQUIRY 14-01.exe
                      Source: KYC INQUIRY 14-01.exe, 00000000.00000002.689364084.0000000003609000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUI.dllF vs KYC INQUIRY 14-01.exe
                      Source: KYC INQUIRY 14-01.exeBinary or memory string: OriginalFilename vs KYC INQUIRY 14-01.exe
                      Source: KYC INQUIRY 14-01.exe, 00000004.00000000.682199691.00000000006A2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameEventIgnoreAttribu.exe0 vs KYC INQUIRY 14-01.exe
                      Source: KYC INQUIRY 14-01.exe, 00000004.00000002.928613280.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameIPVSkwuOyeoRxTWWyCCMZJnGlQffbxV.exe4 vs KYC INQUIRY 14-01.exe
                      Source: KYC INQUIRY 14-01.exe, 00000004.00000002.928876181.0000000000AF8000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs KYC INQUIRY 14-01.exe
                      Source: KYC INQUIRY 14-01.exeBinary or memory string: OriginalFilenameEventIgnoreAttribu.exe0 vs KYC INQUIRY 14-01.exe
                      Source: KYC INQUIRY 14-01.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: KYC INQUIRY 14-01.exeVirustotal: Detection: 31%
                      Source: KYC INQUIRY 14-01.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe "C:\Users\user\Desktop\KYC INQUIRY 14-01.exe"
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeProcess created: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe C:\Users\user\Desktop\KYC INQUIRY 14-01.exe
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeProcess created: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe C:\Users\user\Desktop\KYC INQUIRY 14-01.exeJump to behavior
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32Jump to behavior
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\KYC INQUIRY 14-01.exe.logJump to behavior
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/5@3/1
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: 4.0.KYC INQUIRY 14-01.exe.400000.4.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.KYC INQUIRY 14-01.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.0.KYC INQUIRY 14-01.exe.400000.10.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: KYC INQUIRY 14-01.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: KYC INQUIRY 14-01.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: KYC INQUIRY 14-01.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: EventIgnoreAttribu.pdb source: KYC INQUIRY 14-01.exe

                      Data Obfuscation:

.NET source code contains potential unpacker
Source: KYC INQUIRY 14-01.exe, Cd/gJ.cs | .Net Code: TW System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.KYC INQUIRY 14-01.exe.280000.0.unpack, Cd/gJ.cs | .Net Code: TW System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.KYC INQUIRY 14-01.exe.280000.0.unpack, Cd/gJ.cs | .Net Code: TW System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.KYC INQUIRY 14-01.exe.6a0000.1.unpack, Cd/gJ.cs | .Net Code: TW System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.KYC INQUIRY 14-01.exe.6a0000.9.unpack, Cd/gJ.cs | .Net Code: TW System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.KYC INQUIRY 14-01.exe.6a0000.3.unpack, Cd/gJ.cs | .Net Code: TW System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
.NET source code contains method to dynamically call methods (often used by packers)
Source: KYC INQUIRY 14-01.exe, Cd/gJ.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable694, null, null)
Source: 0.2.KYC INQUIRY 14-01.exe.280000.0.unpack, Cd/gJ.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable694, null, null)
Source: 0.0.KYC INQUIRY 14-01.exe.280000.0.unpack, Cd/gJ.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable694, null, null)
Source: 4.0.KYC INQUIRY 14-01.exe.6a0000.1.unpack, Cd/gJ.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable694, null, null)
Source: 4.0.KYC INQUIRY 14-01.exe.6a0000.9.unpack, Cd/gJ.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable694, null, null)
Source: 4.0.KYC INQUIRY 14-01.exe.6a0000.3.unpack, Cd/gJ.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable694, null, null)
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Code function: 0_2_04C2C109 push cs; ret 0_2_04C2C14E
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Code function: 0_2_04C2E644 push cs; ret 0_2_04C2F3C6
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Code function: 0_2_04C2C2A0 push cs; ret 0_2_04C2C2AE
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Code function: 0_2_04C28D7D push ebp; iretd 0_2_04C28D80
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Code function: 4_2_00D77A37 push edi; retn 0000h 4_2_00D77A39
Source: initial sample | Static PE information: section name: .text entropy: 7.23594935691
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 0.2.KYC INQUIRY 14-01.exe.2637820.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.KYC INQUIRY 14-01.exe.26766b4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.KYC INQUIRY 14-01.exe.262f814.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.688722039.000000000264A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.688470946.0000000002601000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: KYC INQUIRY 14-01.exe PID: 6504, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.688722039.000000000264A000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000002.688470946.0000000002601000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.688722039.000000000264A000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000002.688470946.0000000002601000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe TID: 6512 | Thread sleep time: -37638s >= -30000s
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe TID: 2264 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe TID: 6936 | Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe TID: 6920 | Thread sleep count: 907 > 30
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe TID: 6920 | Thread sleep count: 8937 > 30
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Window / User API: threadDelayed 907
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Window / User API: threadDelayed 8937
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Thread delayed: delay time: 37638
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Thread delayed: delay time: 922337203685477
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.688470946.0000000002601000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.688470946.0000000002601000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.688470946.0000000002601000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: KYC INQUIRY 14-01.exe, 00000004.00000003.906047500.0000000005E9F000.00000004.00000010.sdmp, KYC INQUIRY 14-01.exe, 00000004.00000002.932626951.0000000005E95000.00000004.00000010.sdmp | Binary or memory string: Hyper-V RAW
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.688470946.0000000002601000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Code function: 4_2_00B64C78 LdrInitializeThunk,4_2_00B64C78
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Memory written: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Process created: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe C:\Users\user\Desktop\KYC INQUIRY 14-01.exe
Source: KYC INQUIRY 14-01.exe, 00000004.00000002.930019635.0000000001410000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: KYC INQUIRY 14-01.exe, 00000004.00000002.930019635.0000000001410000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: KYC INQUIRY 14-01.exe, 00000004.00000002.930019635.0000000001410000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: KYC INQUIRY 14-01.exe, 00000004.00000002.930019635.0000000001410000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                      Source: