
Windows Analysis Report KYC INQUIRY 14-01.exe

Overview

General Information

Sample Name: KYC INQUIRY 14-01.exe
Analysis ID: 553301
MD5: 16d01fd64df59776d3454734512ded3c
SHA1: dcfe9d148b76768ae3dea9875255c0873d58d1b0
SHA256: 77743ead6e13c024db3534a837c669ee3c4fbaac2320bbf937fbe5e58de4a3b3
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Drops certificate files (DER)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • KYC INQUIRY 14-01.exe (PID: 6504 cmdline: "C:\Users\user\Desktop\KYC INQUIRY 14-01.exe" MD5: 16D01FD64DF59776D3454734512DED3C)
    • KYC INQUIRY 14-01.exe (PID: 5984 cmdline: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe MD5: 16D01FD64DF59776D3454734512DED3C)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "syed@amtartec.com", "Password": "Ra@454504", "Host": "mail.amtartec.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.688722039.000000000264A000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000004.00000002.928613280.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000002.928613280.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000004.00000000.685488835.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000000.685488835.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
(15 entries in total; first 5 shown)

Unpacked PEs

Source | Rule | Description | Author
4.0.KYC INQUIRY 14-01.exe.400000.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
4.0.KYC INQUIRY 14-01.exe.400000.4.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.KYC INQUIRY 14-01.exe.369a178.6.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.KYC INQUIRY 14-01.exe.369a178.6.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
4.0.KYC INQUIRY 14-01.exe.400000.10.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(18 entries in total; first 5 shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.KYC INQUIRY 14-01.exe.369a178.6.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "syed@amtartec.com", "Password": "Ra@454504", "Host": "mail.amtartec.com"}
Multi AV Scanner detection for submitted file
Source: KYC INQUIRY 14-01.exe; Virustotal: Detection: 31%
Machine Learning detection for sample
Source: KYC INQUIRY 14-01.exe; Joe Sandbox ML: detected
Source: 4.0.KYC INQUIRY 14-01.exe.400000.4.unpack; Avira: Label: TR/Spy.Gen8
Source: 4.2.KYC INQUIRY 14-01.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: 4.0.KYC INQUIRY 14-01.exe.400000.10.unpack; Avira: Label: TR/Spy.Gen8
Source: 4.0.KYC INQUIRY 14-01.exe.400000.6.unpack; Avira: Label: TR/Spy.Gen8
Source: 4.0.KYC INQUIRY 14-01.exe.400000.12.unpack; Avira: Label: TR/Spy.Gen8
Source: 4.0.KYC INQUIRY 14-01.exe.400000.8.unpack; Avira: Label: TR/Spy.Gen8
Source: KYC INQUIRY 14-01.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: KYC INQUIRY 14-01.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: EventIgnoreAttribu.pdb source: KYC INQUIRY 14-01.exe
Source: Joe Sandbox View; ASN Name: UK2NET-ASGB UK2NET-ASGB
Source: global traffic; TCP traffic: 192.168.2.4:49845 -> 185.9.51.36:587
Source: unknown; DNS traffic detected: queries for: mail.amtartec.com
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe; File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

System Summary:

.NET source code contains very large array initializations
Source: 4.0.KYC INQUIRY 14-01.exe.400000.4.unpack, <PrivateImplementationDetails>{3F9652B0-6316-41B6-88C3-1801FE1BB841}/92255519-335E-4240-92FD-43C6C020859F.cs; Large array initialization: .cctor: array initializer size 11968
Source: 4.2.KYC INQUIRY 14-01.exe.400000.0.unpack, <PrivateImplementationDetails>{3F9652B0-6316-41B6-88C3-1801FE1BB841}/92255519-335E-4240-92FD-43C6C020859F.cs; Large array initialization: .cctor: array initializer size 11968
Source: 4.0.KYC INQUIRY 14-01.exe.400000.10.unpack, <PrivateImplementationDetails>{3F9652B0-6316-41B6-88C3-1801FE1BB841}/92255519-335E-4240-92FD-43C6C020859F.cs; Large array initialization: .cctor: array initializer size 11968
Source: 4.0.KYC INQUIRY 14-01.exe.400000.6.unpack, <PrivateImplementationDetails>{3F9652B0-6316-41B6-88C3-1801FE1BB841}/92255519-335E-4240-92FD-43C6C020859F.cs; Large array initialization: .cctor: array initializer size 11968
Source: 4.0.KYC INQUIRY 14-01.exe.400000.12.unpack, <PrivateImplementationDetails>{3F9652B0-6316-41B6-88C3-1801FE1BB841}/92255519-335E-4240-92FD-43C6C020859F.cs; Large array initialization: .cctor: array initializer size 11968
Source: KYC INQUIRY 14-01.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: KYC INQUIRY 14-01.exe; Binary or memory string: OriginalFilename vs KYC INQUIRY 14-01.exe
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.691712863.00000000085E0000.00000004.00020000.sdmp; Binary or memory string: OriginalFilenameUI.dllF vs KYC INQUIRY 14-01.exe
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.688470946.0000000002601000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameIPVSkwuOyeoRxTWWyCCMZJnGlQffbxV.exe4 vs KYC INQUIRY 14-01.exe
Source: KYC INQUIRY 14-01.exe, 00000000.00000000.662068185.0000000000282000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameEventIgnoreAttribu.exe0 vs KYC INQUIRY 14-01.exe
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.689364084.0000000003609000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameIPVSkwuOyeoRxTWWyCCMZJnGlQffbxV.exe4 vs KYC INQUIRY 14-01.exe
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.689364084.0000000003609000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameUI.dllF vs KYC INQUIRY 14-01.exe
Source: KYC INQUIRY 14-01.exe, 00000004.00000000.682199691.00000000006A2000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameEventIgnoreAttribu.exe0 vs KYC INQUIRY 14-01.exe
Source: KYC INQUIRY 14-01.exe, 00000004.00000002.928613280.0000000000402000.00000040.00000001.sdmp; Binary or memory string: OriginalFilenameIPVSkwuOyeoRxTWWyCCMZJnGlQffbxV.exe4 vs KYC INQUIRY 14-01.exe
Source: KYC INQUIRY 14-01.exe, 00000004.00000002.928876181.0000000000AF8000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameUNKNOWN_FILET vs KYC INQUIRY 14-01.exe
Source: KYC INQUIRY 14-01.exe; Binary or memory string: OriginalFilenameEventIgnoreAttribu.exe0 vs KYC INQUIRY 14-01.exe
Source: KYC INQUIRY 14-01.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: KYC INQUIRY 14-01.exe; Virustotal: Detection: 31%
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown; Process created: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe "C:\Users\user\Desktop\KYC INQUIRY 14-01.exe"
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe; Process created: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe C:\Users\user\Desktop\KYC INQUIRY 14-01.exe
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe; File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\KYC INQUIRY 14-01.exe.log
Source: classification engine; Classification label: mal100.troj.spyw.evad.winEXE@3/5@3/1
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: 4.0.KYC INQUIRY 14-01.exe.400000.4.unpack, A/b2.cs; Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.KYC INQUIRY 14-01.exe.400000.0.unpack, A/b2.cs; Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.0.KYC INQUIRY 14-01.exe.400000.10.unpack, A/b2.cs; Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: KYC INQUIRY 14-01.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: KYC INQUIRY 14-01.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: KYC INQUIRY 14-01.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: EventIgnoreAttribu.pdb source: KYC INQUIRY 14-01.exe

Data Obfuscation:

.NET source code contains potential unpacker
Source: KYC INQUIRY 14-01.exe, Cd/gJ.cs | .Net Code: TW System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.KYC INQUIRY 14-01.exe.280000.0.unpack, Cd/gJ.cs | .Net Code: TW System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.KYC INQUIRY 14-01.exe.280000.0.unpack, Cd/gJ.cs | .Net Code: TW System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.KYC INQUIRY 14-01.exe.6a0000.1.unpack, Cd/gJ.cs | .Net Code: TW System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.KYC INQUIRY 14-01.exe.6a0000.9.unpack, Cd/gJ.cs | .Net Code: TW System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.KYC INQUIRY 14-01.exe.6a0000.3.unpack, Cd/gJ.cs | .Net Code: TW System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
.NET source code contains method to dynamically call methods (often used by packers)
Source: KYC INQUIRY 14-01.exe, Cd/gJ.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable694, null, null)
Source: 0.2.KYC INQUIRY 14-01.exe.280000.0.unpack, Cd/gJ.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable694, null, null)
Source: 0.0.KYC INQUIRY 14-01.exe.280000.0.unpack, Cd/gJ.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable694, null, null)
Source: 4.0.KYC INQUIRY 14-01.exe.6a0000.1.unpack, Cd/gJ.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable694, null, null)
Source: 4.0.KYC INQUIRY 14-01.exe.6a0000.9.unpack, Cd/gJ.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable694, null, null)
Source: 4.0.KYC INQUIRY 14-01.exe.6a0000.3.unpack, Cd/gJ.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable694, null, null)
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Code function: 0_2_04C2C109 push cs; ret
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Code function: 0_2_04C2E644 push cs; ret
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Code function: 0_2_04C2C2A0 push cs; ret
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Code function: 0_2_04C28D7D push ebp; iretd
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Code function: 4_2_00D77A37 push edi; retn 0000h
Source: initial sample | Static PE information: section name: .text entropy: 7.23594935691
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Process information set: NOOPENFILEERRORBOX (reported 94 times)

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 0.2.KYC INQUIRY 14-01.exe.2637820.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.KYC INQUIRY 14-01.exe.26766b4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.KYC INQUIRY 14-01.exe.262f814.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.688722039.000000000264A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.688470946.0000000002601000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: KYC INQUIRY 14-01.exe PID: 6504, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.688722039.000000000264A000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000002.688470946.0000000002601000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.688722039.000000000264A000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000002.688470946.0000000002601000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe TID: 6512 | Thread sleep time: -37638s >= -30000s
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe TID: 2264 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe TID: 6936 | Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe TID: 6920 | Thread sleep count: 907 > 30
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe TID: 6920 | Thread sleep count: 8937 > 30
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Thread delayed: delay time: 922337203685477 (reported 2 times)
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Window / User API: threadDelayed 907
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Window / User API: threadDelayed 8937
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Thread delayed: delay time: 37638
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Thread delayed: delay time: 922337203685477 (reported 2 times)
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.688470946.0000000002601000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.688470946.0000000002601000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.688470946.0000000002601000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: KYC INQUIRY 14-01.exe, 00000004.00000003.906047500.0000000005E9F000.00000004.00000010.sdmp, KYC INQUIRY 14-01.exe, 00000004.00000002.932626951.0000000005E95000.00000004.00000010.sdmp | Binary or memory string: Hyper-V RAW
Source: KYC INQUIRY 14-01.exe, 00000000.00000002.688470946.0000000002601000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Code function: 4_2_00B64C78 LdrInitializeThunk,
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into foreign processes
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Memory written: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Process created: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe C:\Users\user\Desktop\KYC INQUIRY 14-01.exe
Source: KYC INQUIRY 14-01.exe, 00000004.00000002.930019635.0000000001410000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: KYC INQUIRY 14-01.exe, 00000004.00000002.930019635.0000000001410000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: KYC INQUIRY 14-01.exe, 00000004.00000002.930019635.0000000001410000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: KYC INQUIRY 14-01.exe, 00000004.00000002.930019635.0000000001410000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe; Queries volume information (VolumeInformation) for the following files:
• C:\Windows\Fonts\GILBI___.TTF
• C:\Windows\Fonts\GILC____.TTF
• C:\Windows\Fonts\GLSNECB.TTF
• C:\Windows\Fonts\GIGI.TTF
• C:\Windows\Fonts\FRABK.TTF
• C:\Windows\Fonts\FRABKIT.TTF
• C:\Windows\Fonts\FORTE.TTF
• C:\Windows\Fonts\FELIXTI.TTF
• C:\Windows\Fonts\ERASMD.TTF
• C:\Windows\Fonts\ERASLGHT.TTF
• C:\Windows\Fonts\ERASDEMI.TTF
• C:\Windows\Fonts\ERASBD.TTF
• C:\Windows\Fonts\ENGR.TTF
• C:\Windows\Fonts\ELEPHNT.TTF
• C:\Windows\Fonts\ELEPHNTI.TTF
• C:\Windows\Fonts\ITCEDSCR.TTF
• C:\Windows\Fonts\CURLZ___.TTF
• C:\Windows\Fonts\COPRGTL.TTF
• C:\Windows\Fonts\COPRGTB.TTF
• C:\Windows\Fonts\CENSCBK.TTF
• C:\Windows\Fonts\SCHLBKI.TTF
• C:\Windows\Fonts\SCHLBKB.TTF
• C:\Windows\Fonts\SCHLBKBI.TTF
• C:\Windows\Fonts\CASTELAR.TTF
• C:\Windows\Fonts\CALIST.TTF
• C:\Windows\Fonts\CALISTI.TTF
• C:\Windows\Fonts\CALISTB.TTF
• C:\Windows\Fonts\CALISTBI.TTF
• C:\Windows\Fonts\BOOKOS.TTF
• C:\Windows\Fonts\BOOKOSB.TTF
• C:\Windows\Fonts\BOOKOSI.TTF
• C:\Windows\Fonts\BOOKOSBI.TTF
• C:\Windows\Fonts\BOD_R.TTF
• C:\Windows\Fonts\BOD_I.TTF
• C:\Windows\Fonts\BOD_B.TTF
• C:\Windows\Fonts\BOD_BI.TTF
• C:\Windows\Fonts\BOD_CR.TTF
• C:\Windows\Fonts\BOD_BLAR.TTF
• C:\Windows\Fonts\BOD_CI.TTF
• C:\Windows\Fonts\BOD_CB.TTF
• C:\Windows\Fonts\BOD_BLAI.TTF
• C:\Windows\Fonts\BOD_CBI.TTF
• C:\Windows\Fonts\ITCBLKAD.TTF
• C:\Windows\Fonts\ARLRDBD.TTF
• C:\Windows\Fonts\AGENCYR.TTF
• C:\Windows\Fonts\AGENCYB.TTF
• C:\Windows\Fonts\BSSYM7.TTF
• C:\Windows\Fonts\REFSAN.TTF
• C:\Windows\Fonts\REFSPCL.TTF
• C:\Windows\Fonts\MTEXTRA.TTF
• C:\Windows\Fonts\marlett.ttf
• C:\Windows\Fonts\micross.ttf
• C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll
• C:\Users\user\Desktop\KYC INQUIRY 14-01.exe
• C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
• C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
• C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
• C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll
• C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
• C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match; file source: 4.0.KYC INQUIRY 14-01.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.KYC INQUIRY 14-01.exe.369a178.6.unpack, type: UNPACKEDPE
Source: Yara match; file source: 4.0.KYC INQUIRY 14-01.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match; file source: 4.0.KYC INQUIRY 14-01.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.KYC INQUIRY 14-01.exe.3663f58.4.unpack, type: UNPACKEDPE
Source: Yara match; file source: 4.0.KYC INQUIRY 14-01.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match; file source: 4.2.KYC INQUIRY 14-01.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 4.0.KYC INQUIRY 14-01.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.KYC INQUIRY 14-01.exe.3663f58.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.KYC INQUIRY 14-01.exe.369a178.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 00000004.00000002.928613280.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000004.00000000.685488835.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000004.00000000.684540552.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000004.00000000.685016391.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000004.00000000.685872653.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000000.00000002.689364084.0000000003609000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000004.00000002.930221885.00000000029C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: Process Memory Space: KYC INQUIRY 14-01.exe PID: 6504, type: MEMORYSTR
Source: Yara match; file source: Process Memory Space: KYC INQUIRY 14-01.exe PID: 5984, type: MEMORYSTR
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe; File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe; File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\KYC INQUIRY 14-01.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match; file source: 00000004.00000002.930221885.00000000029C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: Process Memory Space: KYC INQUIRY 14-01.exe PID: 5984, type: MEMORYSTR

                      Remote Access Functionality:

Yara detected AgentTesla (the Yara match sources are the same unpacked PE files, memory dumps and process memory spaces listed under "Stealing of Sensitive Information" above)

                      Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation (211) | Path Interception | Process Injection (112) | Masquerading (1) | OS Credential Dumping (2) | Query Registry (1) | Remote Services | Email Collection (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools (1) | Credentials in Registry (1) | Security Software Discovery (211) | Remote Desktop Protocol | Archive Collected Data (11) | Exfiltration Over Bluetooth | Non-Standard Port (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion (131) | Security Account Manager | Process Discovery (2) | SMB/Windows Admin Shares | Data from Local System (2) | Automated Exfiltration | Non-Application Layer Protocol (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection (112) | NTDS | Virtualization/Sandbox Evasion (131) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (11) | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | Application Window Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information (2) | Cached Domain Credentials | Remote System Discovery (1) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing (23) | DCSync | System Information Discovery (114) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
(Numbers in parentheses are the report's signature-count markers attached to each technique cell.)

                      Behavior Graph


                      Screenshots


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
KYC INQUIRY 14-01.exe | 32% | Virustotal |
KYC INQUIRY 14-01.exe | 100% | Joe Sandbox ML |

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source | Detection | Scanner | Label
4.0.KYC INQUIRY 14-01.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
4.2.KYC INQUIRY 14-01.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
4.0.KYC INQUIRY 14-01.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8
4.0.KYC INQUIRY 14-01.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8
4.0.KYC INQUIRY 14-01.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8
4.0.KYC INQUIRY 14-01.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

Source | Detection | Scanner | Label
amtartec.com | 2% | Virustotal |
x1.i.lencr.org | 0% | Virustotal |

                      URLs


                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
amtartec.com | 185.9.51.36 | true | true | | unknown
x1.i.lencr.org | unknown | unknown | false | | unknown
mail.amtartec.com | unknown | unknown | true | | unknown

                        URLs from Memory and Binaries

                        NameSourceMaliciousAntivirus DetectionReputation
                        http://www.zhongyicts.com.cnueKYC INQUIRY 14-01.exe, 00000000.00000003.667989126.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667940784.0000000005696000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://127.0.0.1:HTTP/1.1KYC INQUIRY 14-01.exe, 00000004.00000002.930221885.00000000029C1000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        low
                        http://www.fontbureau.com/designersGKYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmpfalse
                          high
                          http://www.fontbureau.com/designers/?KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmpfalse
                            high
                            http://www.founder.com.cn/cn/bTheKYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.fontbureau.com/designers?KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmpfalse
                              high
                              http://www.zhongyicts.com.cnt-pKYC INQUIRY 14-01.exe, 00000000.00000003.667989126.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667940784.0000000005696000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.tiro.comKYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.fontbureau.com/designersKYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmpfalse
                                high
                                http://www.goodfont.co.krKYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.carterandcone.comKYC INQUIRY 14-01.exe, 00000000.00000003.667989126.0000000005696000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.fontbureau.comuewaXKYC INQUIRY 14-01.exe, 00000000.00000002.688371314.0000000000D57000.00000004.00000040.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://bWuGMpUiLLMQeS0B9HKc.netKYC INQUIRY 14-01.exe, 00000004.00000002.930702649.0000000002D4F000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://r3.i.lencr.org/0KYC INQUIRY 14-01.exe, 00000004.00000002.930656310.0000000002D37000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000004.00000002.930634828.0000000002D2B000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.sajatypeworks.comKYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.typography.netDKYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.founder.com.cn/cn/cTheKYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.galapagosdesign.com/staff/dennis.htmKYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://fontfabrik.comKYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.fontbureau.comgretaKYC INQUIRY 14-01.exe, 00000000.00000002.688371314.0000000000D57000.00000004.00000040.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.carterandcone.comueKYC INQUIRY 14-01.exe, 00000000.00000003.668680200.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.668803095.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667989126.0000000005696000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://x1.c.lencr.org/0KYC INQUIRY 14-01.exe, 00000004.00000002.930634828.0000000002D2B000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://x1.i.lencr.org/0KYC INQUIRY 14-01.exe, 00000004.00000002.930634828.0000000002D2B000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://r3.o.lencr.org0KYC INQUIRY 14-01.exe, 00000004.00000002.930656310.0000000002D37000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000004.00000002.930634828.0000000002D2B000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.galapagosdesign.com/DPleaseKYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                https://api.ipify.org%GETMozilla/5.0KYC INQUIRY 14-01.exe, 00000004.00000002.930221885.00000000029C1000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                low
                                http://www.fonts.comKYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmpfalse
                                  high
                                  http://www.sandoll.co.krKYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.urwpp.deDPleaseKYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.zhongyicts.com.cnKYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667940784.0000000005696000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
http://www.carterandcone.como.
Source:KYC INQUIRY 14-01.exe, 00000000.00000003.669401508.000000000569B000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.668680200.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.668803095.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669633894.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669148799.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669074106.0000000005695000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669377652.000000000569B000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667989126.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669281617.000000000569B000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669520183.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669723395.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669440181.000000000569B000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669259523.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.668886513.0000000005694000.00000004.00000001.sdmp
Malicious:false
Antivirus Detection:
• URL Reputation: safe
Reputation:unknown
http://www.sakkal.com
Source:KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp
Malicious:false
Antivirus Detection:
• URL Reputation: safe
Reputation:unknown
http://www.founder.com.cn/cni
Source:KYC INQUIRY 14-01.exe, 00000000.00000003.667848338.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667872959.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667709031.0000000005694000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667682755.0000000005694000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667769667.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667813528.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667989126.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667940784.0000000005696000.00000004.00000001.sdmp
Malicious:false
Antivirus Detection:
• URL Reputation: safe
Reputation:unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source:KYC INQUIRY 14-01.exe, 00000000.00000002.689364084.0000000003609000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000004.00000002.928613280.0000000000402000.00000040.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000004.00000000.684540552.0000000000402000.00000040.00000001.sdmp
Malicious:false
Antivirus Detection:
• URL Reputation: safe
Reputation:unknown
http://ecvgsx.com
Source:KYC INQUIRY 14-01.exe, 00000004.00000002.930221885.00000000029C1000.00000004.00000001.sdmp
Malicious:false
Antivirus Detection:
• Avira URL Cloud: safe
Reputation:unknown
http://www.apache.org/licenses/LICENSE-2.0
Source:KYC INQUIRY 14-01.exe, 00000000.00000003.667848338.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667872959.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.668680200.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.668803095.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669633894.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669148799.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669074106.0000000005695000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.671164950.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669885794.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669377652.000000000569B000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.670254704.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667989126.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669281617.000000000569B000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669520183.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669723395.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669440181.000000000569B000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.671861127.000000000569B000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.671765144.000000000569B000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667940784.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.670988903.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669259523.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.669919147.000000000569B000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.668886513.0000000005694000.00000004.00000001.sdmp
Malicious:false
Antivirus Detection:
Reputation:high
http://www.fontbureau.com
Source:KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000002.688371314.0000000000D57000.00000004.00000040.sdmp
Malicious:false
Antivirus Detection:
Reputation:high
http://www.galapagosdesign.com/
Source:KYC INQUIRY 14-01.exe, 00000000.00000003.674939945.00000000056C7000.00000004.00000001.sdmp
Malicious:false
Antivirus Detection:
• URL Reputation: safe
Reputation:unknown
http://x1.i.lencr.org/
Source:2D85F72862B55C4EADD9E66E06947F3D.4.dr
Malicious:false
Antivirus Detection:
• URL Reputation: safe
Reputation:unknown
http://DynDns.comDynDNS
Source:KYC INQUIRY 14-01.exe, 00000004.00000002.930221885.00000000029C1000.00000004.00000001.sdmp
Malicious:false
Antivirus Detection:
• URL Reputation: safe
Reputation:unknown
http://www.fontbureau.com/designers/cabarga.htmll
Source:KYC INQUIRY 14-01.exe, 00000000.00000003.672827687.00000000056CD000.00000004.00000001.sdmp
Malicious:false
Antivirus Detection:
Reputation:high
http://cps.letsencrypt.org0
Source:KYC INQUIRY 14-01.exe, 00000004.00000002.930656310.0000000002D37000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000004.00000002.930634828.0000000002D2B000.00000004.00000001.sdmp
Malicious:false
Antivirus Detection:
• URL Reputation: safe
Reputation:unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source:KYC INQUIRY 14-01.exe, 00000004.00000002.930221885.00000000029C1000.00000004.00000001.sdmp
Malicious:false
Antivirus Detection:
• URL Reputation: safe
Reputation:unknown
https://api.ipify.org%$
Source:KYC INQUIRY 14-01.exe, 00000004.00000002.930221885.00000000029C1000.00000004.00000001.sdmp
Malicious:false
Antivirus Detection:
• Avira URL Cloud: safe
Reputation:low
http://www.carterandcone.coml
Source:KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp
Malicious:false
Antivirus Detection:
• URL Reputation: safe
Reputation:unknown
http://www.fontbureau.com/designers/cabarga.htmlN
Source:KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp
Malicious:false
Antivirus Detection:
Reputation:high
http://www.founder.com.cn/cn
Source:KYC INQUIRY 14-01.exe, 00000000.00000003.667848338.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667872959.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667709031.0000000005694000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667682755.0000000005694000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667769667.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667813528.0000000005697000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp
Malicious:false
Antivirus Detection:
• URL Reputation: safe
Reputation:unknown
http://www.fontbureau.com/designers/frere-user.html
Source:KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp
Malicious:false
Antivirus Detection:
Reputation:high
http://amtartec.com
Source:KYC INQUIRY 14-01.exe, 00000004.00000002.930634828.0000000002D2B000.00000004.00000001.sdmp
Malicious:false
Antivirus Detection:
• Avira URL Cloud: safe
Reputation:unknown
http://www.jiyu-kobo.co.jp/
Source:KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp
Malicious:false
Antivirus Detection:
• URL Reputation: safe
Reputation:unknown
http://www.zhongyicts.com.cno.
Source:KYC INQUIRY 14-01.exe, 00000000.00000003.667989126.0000000005696000.00000004.00000001.sdmp, KYC INQUIRY 14-01.exe, 00000000.00000003.667940784.0000000005696000.00000004.00000001.sdmp
Malicious:false
Antivirus Detection:
• URL Reputation: safe
Reputation:unknown
http://www.fontbureau.com/designers8
Source:KYC INQUIRY 14-01.exe, 00000000.00000002.691104031.00000000068A2000.00000004.00000001.sdmp
Malicious:false
Antivirus Detection:
Reputation:high
http://x1.i.lencr.org/j
Source:KYC INQUIRY 14-01.exe, 00000004.00000002.932567505.0000000005E01000.00000004.00000010.sdmp
Malicious:false
Antivirus Detection:
• Avira URL Cloud: safe
Reputation:unknown
http://www.fontbureau.com/designers/
Source:KYC INQUIRY 14-01.exe, 00000000.00000003.671622125.00000000056CD000.00000004.00000001.sdmp
Malicious:false
Antivirus Detection:
Reputation:high
http://www.galapagosdesign.com/)
Source:KYC INQUIRY 14-01.exe, 00000000.00000003.674939945.00000000056C7000.00000004.00000001.sdmp
Malicious:false
Antivirus Detection:
• Avira URL Cloud: safe
Reputation:unknown
http://mail.amtartec.com
Source:KYC INQUIRY 14-01.exe, 00000004.00000002.930634828.0000000002D2B000.00000004.00000001.sdmp
Malicious:false
Antivirus Detection:
• Avira URL Cloud: safe
Reputation:unknown

                                                Contacted IPs


                                                Public

IP:185.9.51.36
Domain:amtartec.com
Country:United Kingdom
ASN:13213
ASN Name:UK2NET-ASGB
Malicious:true

                                                General Information

                                                Joe Sandbox Version:34.0.0 Boulder Opal
                                                Analysis ID:553301
                                                Start date:14.01.2022
                                                Start time:16:18:15
                                                Joe Sandbox Product:CloudBasic
                                                Overall analysis duration:0h 9m 12s
                                                Hypervisor based Inspection enabled:false
                                                Report type:light
                                                Sample file name:KYC INQUIRY 14-01.exe
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:16
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • HDC enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Detection:MAL
                                                Classification:mal100.troj.spyw.evad.winEXE@3/5@3/1
                                                EGA Information:
                                                • Successful, ratio: 100%
                                                HDC Information:
                                                • Successful, ratio: 0.3% (good quality ratio 0%)
                                                • Quality average: 10%
                                                • Quality standard deviation: 22.4%
                                                HCA Information:
                                                • Successful, ratio: 100%
                                                • Number of executed functions: 0
                                                • Number of non-executed functions: 0
                                                Cookbook Comments:
                                                • Adjust boot time
                                                • Enable AMSI
                                                • Found application associated with file extension: .exe
                                                Warnings:
                                                • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                                • Excluded IPs from analysis (whitelisted): 209.197.3.8, 23.50.97.168, 173.222.108.226, 173.222.108.210
                                                • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e8652.dscx.akamaiedge.net, store-images.s-microsoft.com, wu-shim.trafficmanager.net, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, cds.d2s7q6s2.hwcdn.net, img-prod-cms-rt-microsoft-com.akamaized.net, a767.dspw65.akamai.net, arc.msn.com, crl.root-x1.letsencrypt.org.edgekey.net, download.windowsupdate.com.edgesuite.net
                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.

                                                Simulations

                                                Behavior and APIs

Time:16:19:18
Type:API Interceptor
Description:733x Sleep call for process: KYC INQUIRY 14-01.exe modified

                                                Joe Sandbox View / Context

                                                IPs

                                                No context

                                                Domains

                                                No context

                                                ASN

                                                No context

                                                JA3 Fingerprints

                                                No context

                                                Dropped Files

                                                No context

                                                Created / dropped Files

                                                C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D
                                                Process:C:\Users\user\Desktop\KYC INQUIRY 14-01.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):1391
                                                Entropy (8bit):7.705940075877404
                                                Encrypted:false
                                                SSDEEP:24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
                                                MD5:0CD2F9E0DA1773E9ED864DA5E370E74E
                                                SHA1:CABD2A79A1076A31F21D253635CB039D4329A5E8
                                                SHA-256:96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
                                                SHA-512:3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
                                                Malicious:false
                                                Reputation:moderate, very likely benign file
                                                Preview: 0..k0..S............@.YDc.c...0...*.H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0...*.H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I.....*.A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.|C.t..t.....0.[q6....00\H..;..}`...).........A.......|.;F.H*..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..|o..;.....'...}~.."......
                                                C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                                                Process:C:\Users\user\Desktop\KYC INQUIRY 14-01.exe
                                                File Type:Microsoft Cabinet archive data, 61414 bytes, 1 file
                                                Category:dropped
                                                Size (bytes):61414
                                                Entropy (8bit):7.995245868798237
                                                Encrypted:true
                                                SSDEEP:1536:EysgU6qmzixT64jYMZ8HbVPGfVDwm/xLZ9rP:wF6qmeo4eH1m9wmLvrP
                                                MD5:ACAEDA60C79C6BCAC925EEB3653F45E0
                                                SHA1:2AAAE490BCDACCC6172240FF1697753B37AC5578
                                                SHA-256:6B0CECCF0103AFD89844761417C1D23ACC41F8AEBF3B7230765209B61EEE5658
                                                SHA-512:FEAA6E7ED7DDA1583739B3E531AB5C562A222EE6ECD042690AE7DCFF966717C6E968469A7797265A11F6E899479AE0F3031E8CF5BEBE1492D5205E9C59690900
                                                Malicious:false
                                                Reputation:moderate, very likely benign file
                                                Preview: MSCF............,...................I.......;w........RSNj .authroot.stl..>.(.5..CK..8T....c_.d...A.K...+.d.H..*i.RJJ.IQIR..$t)Kd.-[..T\{..ne......<.w......A..B........c...wi......D....c.0D,L........fy....Rg...=........i,3.3..Z....~^ve<...TF.*...f.zy.,...m.@.0.0...m.3..I(..+..v#...(.2....e...L..*y..V.......~U...."<ke.....l.X:Dt..R<7.5\A7L0=..T.V...IDr..8<....r&...I-.^..b.b.".Af....E.._..r.>.`;,.Hob..S.....7'..\.R$.".g..+..64..@nP.....k3...B.`.G..@D.....L.....`^...#OpW.....!....`.....rf:.}.R.@....gR.#7....l..H.#...d.Qh..3..fCX....==#..M.l..~&....[.J9.\..Ww.....Tx.%....]..a4E...q.+...#.*a..x..O..V.t..Y1!.T..`U...-...< _@...|(.....0..3.`.LU...E0.Gu.4KN....5...?.....I.p..'..........N<.d.O..dH@c1t...[w/...T....cYK.X>.0..Z.....O>..9.3.#9X.%.b...5.YK.E.V.....`./.3.._..nN]..=..M.o.F.._..z....._...gY..!Z..?l....vp.l.:.d.Z..W.....~...N.._.k...&.....$......i.F.d.....D!e.....Y..,.E..m.;.1... $.F..O.F.o_}.uG....,.%.>,.Zx.......o....c../.;....g&.....
                                                C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D
                                                Process:C:\Users\user\Desktop\KYC INQUIRY 14-01.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):192
                                                Entropy (8bit):2.8064124905820815
                                                Encrypted:false
                                                SSDEEP:3:kkFklx7pklfllXlE/zMc+kl7vNNX8RolJuRdyo1dlUKlGXJlDdt:kKKJ1bl7VNMa8Rdy+UKcXP
                                                MD5:4A9383DDA1B555B0482BCE39D980D801
                                                SHA1:32D22C955C4FC6AE9A6A5D523CC6C0162E18C2F2
                                                SHA-256:D80EB9F34CB71554A8E79D9411BC2AAAEBF2D3C22DD042C4D7F9D70D49080067
                                                SHA-512:A64B9045FA3256F6C552F6E1481B117519BADB0C094C353078DC23A92D6B3CE54C9FE9932968DA6FE43CE405A8B2A52999D13F98E659F742A309A72107F6382B
                                                Malicious:false
                                                Reputation:low
                                                Preview: p...... .........NF.s...(....................................................... ..........~...3...............o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".5.a.6.2.8.1.5.c.-.5.6.f."...
                                                C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                                                Process:C:\Users\user\Desktop\KYC INQUIRY 14-01.exe
                                                File Type:data
                                                Category:modified
                                                Size (bytes):328
                                                Entropy (8bit):3.107354238829088
                                                Encrypted:false
                                                SSDEEP:6:kKHl7k8SN+SkQlPlEGYRMY9z+4KlDA3RUeYlUmlUR/t:Pl79kPlE99SNxAhUeYlUSA/t
                                                MD5:CD1193487E842FB09580F190E8854F43
                                                SHA1:9F7D85ED563298576947EAC5DC7C881B38C73B73
                                                SHA-256:1E6BB9B9D15DB356B93F2D11A16F4D5C1788C2C3BCAA0E2FBA122CFF34CE073A
                                                SHA-512:5DC850BD90754D755FB12447FD023EC1A492C617F7505C20721C667B1F44052C7A9AD99A773345BF5539B30D6F5FE764ECF80E590751717184CEF256E11364C9
                                                Malicious:false
                                                Reputation:low
                                                Preview: p...... ...........u...(....................................................... ........q.\].......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.7.1.e.1.5.c.5.d.c.4.d.7.1.:.0."...
                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\KYC INQUIRY 14-01.exe.log
                                                Process:C:\Users\user\Desktop\KYC INQUIRY 14-01.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1310
                                                Entropy (8bit):5.345651901398759
                                                Encrypted:false
                                                SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x847mE4P:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzQ
                                                MD5:A9EFF9253CAF99EC8665E41D736DDAED
                                                SHA1:D95BB4ABC856D774DA4602A59DE252B4BF560530
                                                SHA-256:DBC637B33F1F3CD1AB40AFED23F94C4571CA43621EBB52C5DC267DBDC52D4783
                                                SHA-512:96B67A84B750589BDB758224641065919F34BBF02BB286B9F5D566B48965A0E38FB88308B61351A6E11C46B76BFEC370FBC8B978A9F0F07A847567172D5CA5F3
                                                Malicious:true
                                                Reputation:moderate, very likely benign file
                                                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                                                Static File Info

                                                General

                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Entropy (8bit):7.226177281531698
                                                TrID:
                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                • DOS Executable Generic (2002/1) 0.01%
                                                File name:KYC INQUIRY 14-01.exe
                                                File size:590336
                                                MD5:16d01fd64df59776d3454734512ded3c
                                                SHA1:dcfe9d148b76768ae3dea9875255c0873d58d1b0
                                                SHA256:77743ead6e13c024db3534a837c669ee3c4fbaac2320bbf937fbe5e58de4a3b3
                                                SHA512:cb90d72e5244c4baf5aa9ee7aad040dbdc6b47318cb3b5dbec4a6c9d1b2290d650c4c8be77255c5017af181c446d6daa70202e89002429e5c6046643c0d0d699
                                                SSDEEP:12288:KK777777777777N7LPJ6OISxBo/+0dxGhu2jfwr7zo:KK777777777777lLB6O/p0dIhJwjo
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....g.a................................. ... ....@.. .......................`............@................................

                                                File Icon

                                                Icon Hash:00828e8e8686b000

                                                Static PE Info

                                                General

                                                Entrypoint:0x4916de
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                Time Stamp:0x61E1670E [Fri Jan 14 12:05:34 2022 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:v4.0.30319
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                Entrypoint Preview

                                                Instruction
                                                jmp dword ptr [00402000h]

                                                Data Directories

                                                 Name                                  Virtual Address  Virtual Size  Is in Section
                                                 IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                 IMAGE_DIRECTORY_ENTRY_IMPORT          0x91690          0x4b          .text
                                                 IMAGE_DIRECTORY_ENTRY_RESOURCE        0x92000          0x5f4         .rsrc
                                                 IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                 IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                 IMAGE_DIRECTORY_ENTRY_BASERELOC       0x94000          0xc           .reloc
                                                 IMAGE_DIRECTORY_ENTRY_DEBUG           0x9163d          0x1c          .text
                                                 IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                 IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                 IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                 IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                 IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                 IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                 IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                 IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                 IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                Sections

                                                 Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                                                 .text   0x2000           0x8f6e4       0x8f800   False     0.755303040614   data       7.23594935691   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                 .rsrc   0x92000          0x5f4         0x600     False     0.438802083333   data       4.189050521     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                 .reloc  0x94000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                Resources

                                                 Name         RVA      Size   Type                                                                         Language  Country
                                                 RT_VERSION   0x920a0  0x366  data
                                                 RT_MANIFEST  0x92408  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                Imports

                                                 DLL          Import
                                                 mscoree.dll  _CorExeMain

                                                Version Infos

                                                 Description       Data
                                                 Translation       0x0000 0x04b0
                                                 LegalCopyright    2022 Tradewell
                                                 Assembly Version  22.0.0.0
                                                 InternalName      EventIgnoreAttribu.exe
                                                 FileVersion       1.1.0.0
                                                 CompanyName       Tradewell ltd
                                                 LegalTrademarks
                                                 Comments          Purple Org
                                                 ProductName       Blaster
                                                 ProductVersion    1.1.0.0
                                                 FileDescription   Blaster
                                                 OriginalFilename  EventIgnoreAttribu.exe

                                                Network Behavior

                                                Network Port Distribution

                                                TCP Packets

                                                 Timestamp                            Source Port  Dest Port  Source IP    Dest IP
                                                 Jan 14, 2022 16:21:01.437788010 CET  49845        587        192.168.2.4  185.9.51.36
                                                 Jan 14, 2022 16:21:01.471756935 CET  587          49845      185.9.51.36  192.168.2.4
                                                 Jan 14, 2022 16:21:01.471884966 CET  49845        587        192.168.2.4  185.9.51.36
                                                 Jan 14, 2022 16:21:01.543900967 CET  587          49845      185.9.51.36  192.168.2.4
                                                 Jan 14, 2022 16:21:01.544349909 CET  49845        587        192.168.2.4  185.9.51.36
                                                 Jan 14, 2022 16:21:01.578347921 CET  587          49845      185.9.51.36  192.168.2.4
                                                 Jan 14, 2022 16:21:01.578954935 CET  49845        587        192.168.2.4  185.9.51.36
                                                 Jan 14, 2022 16:21:01.617613077 CET  587          49845      185.9.51.36  192.168.2.4
                                                 Jan 14, 2022 16:21:01.668987036 CET  49845        587        192.168.2.4  185.9.51.36
                                                 Jan 14, 2022 16:21:01.692372084 CET  49845        587        192.168.2.4  185.9.51.36
                                                 Jan 14, 2022 16:21:01.744628906 CET  587          49845      185.9.51.36  192.168.2.4
                                                 Jan 14, 2022 16:21:01.744682074 CET  587          49845      185.9.51.36  192.168.2.4
                                                 Jan 14, 2022 16:21:01.744714022 CET  587          49845      185.9.51.36  192.168.2.4
                                                 Jan 14, 2022 16:21:01.744823933 CET  49845        587        192.168.2.4  185.9.51.36
                                                 Jan 14, 2022 16:21:01.763871908 CET  49845        587        192.168.2.4  185.9.51.36
                                                 Jan 14, 2022 16:21:01.798615932 CET  587          49845      185.9.51.36  192.168.2.4
                                                 Jan 14, 2022 16:21:01.840856075 CET  49845        587        192.168.2.4  185.9.51.36
                                                 Jan 14, 2022 16:21:07.168373108 CET  49845        587        192.168.2.4  185.9.51.36
                                                 Jan 14, 2022 16:21:07.202347040 CET  587          49845      185.9.51.36  192.168.2.4
                                                 Jan 14, 2022 16:21:07.203335047 CET  49845        587        192.168.2.4  185.9.51.36
                                                 Jan 14, 2022 16:21:07.237579107 CET  587          49845      185.9.51.36  192.168.2.4
                                                 Jan 14, 2022 16:21:07.238215923 CET  49845        587        192.168.2.4  185.9.51.36
                                                 Jan 14, 2022 16:21:07.301060915 CET  587          49845      185.9.51.36  192.168.2.4
                                                 Jan 14, 2022 16:21:07.301949024 CET  49845        587        192.168.2.4  185.9.51.36
                                                 Jan 14, 2022 16:21:07.335903883 CET  587          49845      185.9.51.36  192.168.2.4
                                                 Jan 14, 2022 16:21:07.336252928 CET  49845        587        192.168.2.4  185.9.51.36
                                                 Jan 14, 2022 16:21:07.372306108 CET  587          49845      185.9.51.36  192.168.2.4
                                                 Jan 14, 2022 16:21:07.372832060 CET  49845        587        192.168.2.4  185.9.51.36
                                                 Jan 14, 2022 16:21:07.406718016 CET  587          49845      185.9.51.36  192.168.2.4
                                                 Jan 14, 2022 16:21:07.408494949 CET  49845        587        192.168.2.4  185.9.51.36
                                                 Jan 14, 2022 16:21:07.408813000 CET  49845        587        192.168.2.4  185.9.51.36
                                                 Jan 14, 2022 16:21:07.409708977 CET  49845        587        192.168.2.4  185.9.51.36
                                                 Jan 14, 2022 16:21:07.409912109 CET  49845        587        192.168.2.4  185.9.51.36
                                                 Jan 14, 2022 16:21:07.442313910 CET  587          49845      185.9.51.36  192.168.2.4
                                                 Jan 14, 2022 16:21:07.442532063 CET  587          49845      185.9.51.36  192.168.2.4
                                                 Jan 14, 2022 16:21:07.443483114 CET  587          49845      185.9.51.36  192.168.2.4
                                                 Jan 14, 2022 16:21:07.443550110 CET  587          49845      185.9.51.36  192.168.2.4
                                                 Jan 14, 2022 16:21:07.457731962 CET  587          49845      185.9.51.36  192.168.2.4
                                                 Jan 14, 2022 16:21:07.497565031 CET  49845        587        192.168.2.4  185.9.51.36

                                                UDP Packets

                                                 Timestamp                            Source Port  Dest Port  Source IP    Dest IP
                                                 Jan 14, 2022 16:21:00.951390028 CET  64801        53         192.168.2.4  8.8.8.8
                                                 Jan 14, 2022 16:21:01.072341919 CET  53           64801      8.8.8.8      192.168.2.4
                                                 Jan 14, 2022 16:21:01.099323034 CET  61721        53         192.168.2.4  8.8.8.8
                                                 Jan 14, 2022 16:21:01.326092005 CET  53           61721      8.8.8.8      192.168.2.4
                                                 Jan 14, 2022 16:21:03.558242083 CET  51255        53         192.168.2.4  8.8.8.8

                                                DNS Queries

                                                 Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name               Type            Class
                                                 Jan 14, 2022 16:21:00.951390028 CET  192.168.2.4  8.8.8.8  0x333c    Standard query (0)  mail.amtartec.com  A (IP address)  IN (0x0001)
                                                 Jan 14, 2022 16:21:01.099323034 CET  192.168.2.4  8.8.8.8  0xdbe6    Standard query (0)  mail.amtartec.com  A (IP address)  IN (0x0001)
                                                 Jan 14, 2022 16:21:03.558242083 CET  192.168.2.4  8.8.8.8  0xdca9    Standard query (0)  x1.i.lencr.org     A (IP address)  IN (0x0001)

                                                DNS Answers

                                                 Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name               CName                                    Address      Type                    Class
                                                 Jan 14, 2022 16:21:01.072341919 CET  8.8.8.8    192.168.2.4  0x333c    No error (0)  mail.amtartec.com  amtartec.com                                          CNAME (Canonical name)  IN (0x0001)
                                                 Jan 14, 2022 16:21:01.072341919 CET  8.8.8.8    192.168.2.4  0x333c    No error (0)  amtartec.com                                                185.9.51.36  A (IP address)          IN (0x0001)
                                                 Jan 14, 2022 16:21:01.326092005 CET  8.8.8.8    192.168.2.4  0xdbe6    No error (0)  mail.amtartec.com  amtartec.com                                          CNAME (Canonical name)  IN (0x0001)
                                                 Jan 14, 2022 16:21:01.326092005 CET  8.8.8.8    192.168.2.4  0xdbe6    No error (0)  amtartec.com                                                185.9.51.36  A (IP address)          IN (0x0001)
                                                 Jan 14, 2022 16:21:03.580791950 CET  8.8.8.8    192.168.2.4  0xdca9    No error (0)  x1.i.lencr.org     crl.root-x1.letsencrypt.org.edgekey.net               CNAME (Canonical name)  IN (0x0001)

                                                SMTP Packets

                                                 Timestamp                            Source Port  Dest Port  Source IP    Dest IP      Commands
                                                 Jan 14, 2022 16:21:01.543900967 CET  587          49845      185.9.51.36  192.168.2.4  220-summit.nocdirect.com ESMTP Exim 4.93 #2 Fri, 14 Jan 2022 15:21:00 +0000
                                                                                                                                        220-We do not authorize the use of this system to transport unsolicited,
                                                                                                                                        220 and/or bulk e-mail.
                                                 Jan 14, 2022 16:21:01.544349909 CET  49845        587        192.168.2.4  185.9.51.36  EHLO 724471
                                                 Jan 14, 2022 16:21:01.578347921 CET  587          49845      185.9.51.36  192.168.2.4  250-summit.nocdirect.com Hello 724471 [84.17.52.18]
                                                                                                                                        250-SIZE 52428800
                                                                                                                                        250-8BITMIME
                                                                                                                                        250-PIPELINING
                                                                                                                                        250-AUTH PLAIN LOGIN
                                                                                                                                        250-STARTTLS
                                                                                                                                        250 HELP
                                                 Jan 14, 2022 16:21:01.578954935 CET  49845        587        192.168.2.4  185.9.51.36  STARTTLS
                                                 Jan 14, 2022 16:21:01.617613077 CET  587          49845      185.9.51.36  192.168.2.4  220 TLS go ahead

                                                Code Manipulations

                                                Statistics

                                                Behavior

                                                System Behavior

                                                General

                                                Start time:16:19:10
                                                Start date:14/01/2022
                                                Path:C:\Users\user\Desktop\KYC INQUIRY 14-01.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\KYC INQUIRY 14-01.exe"
                                                Imagebase:0x280000
                                                File size:590336 bytes
                                                MD5 hash:16D01FD64DF59776D3454734512DED3C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.688722039.000000000264A000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.688470946.0000000002601000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.689364084.0000000003609000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.689364084.0000000003609000.00000004.00000001.sdmp, Author: Joe Security
                                                Reputation:low

                                                General

                                                Start time:16:19:19
                                                Start date:14/01/2022
                                                Path:C:\Users\user\Desktop\KYC INQUIRY 14-01.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Users\user\Desktop\KYC INQUIRY 14-01.exe
                                                Imagebase:0x6a0000
                                                File size:590336 bytes
                                                MD5 hash:16D01FD64DF59776D3454734512DED3C
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.928613280.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.928613280.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.685488835.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.685488835.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.684540552.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.684540552.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.685016391.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.685016391.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.685872653.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.685872653.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.930221885.00000000029C1000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.930221885.00000000029C1000.00000004.00000001.sdmp, Author: Joe Security
                                                Reputation:low

                                                Disassembly

                                                Code Analysis
