

Windows Analysis Report vbc.exe_

Overview

General Information

Sample Name:vbc.exe_ (renamed file extension from exe_ to exe)
Analysis ID:502670
MD5:a665b705b9381b33aaa9e307fe340af7
SHA1:a6fba4f009921b1de9d524047bcb7fa0e571a116
SHA256:dc07322ef1652695b5e85bfd5d6da8c5b6c311d26ff13eb18a390cd4b7232203

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • vbc.exe (PID: 7088 cmdline: 'C:\Users\user\Desktop\vbc.exe' MD5: A665B705B9381B33AAA9E307FE340AF7)
    • vbc.exe (PID: 6404 cmdline: C:\Users\user\Desktop\vbc.exe MD5: A665B705B9381B33AAA9E307FE340AF7)
  • BnevyAj.exe (PID: 4624 cmdline: 'C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe' MD5: A665B705B9381B33AAA9E307FE340AF7)
    • BnevyAj.exe (PID: 6176 cmdline: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe MD5: A665B705B9381B33AAA9E307FE340AF7)
  • BnevyAj.exe (PID: 3144 cmdline: 'C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe' MD5: A665B705B9381B33AAA9E307FE340AF7)
    • BnevyAj.exe (PID: 5840 cmdline: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe MD5: A665B705B9381B33AAA9E307FE340AF7)
    • BnevyAj.exe (PID: 4640 cmdline: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe MD5: A665B705B9381B33AAA9E307FE340AF7)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "info@croatiahunt.com", "Password": "VilaVrgade852", "Host": "mail.croatiahunt.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000012.00000002.928744367.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000012.00000002.928744367.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0000000E.00000002.928744553.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000E.00000002.928744553.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000010.00000002.786078448.0000000002481000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
(5 of 28 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.vbc.exe.3a55230.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.vbc.exe.3a55230.4.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
4.2.vbc.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
4.2.vbc.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
11.2.BnevyAj.exe.37d5230.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(5 of 28 entries shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 16.2.BnevyAj.exe.3725230.3.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "info@croatiahunt.com", "Password": "VilaVrgade852", "Host": "mail.croatiahunt.com"}
Multi AV Scanner detection for submitted file
Source: vbc.exe | Virustotal: Detection: 30%
Source: vbc.exe | Metadefender: Detection: 22%
Source: vbc.exe | ReversingLabs: Detection: 33%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe | Metadefender: Detection: 22%
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe | ReversingLabs: Detection: 44%
Source: 14.2.BnevyAj.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 18.2.BnevyAj.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 4.2.vbc.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: vbc.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: vbc.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Joe Sandbox View | ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: global traffic | TCP traffic: 192.168.2.4:49884 -> 116.202.174.203:587
Source: vbc.exe, 00000004.00000002.931931603.0000000002F41000.00000004.00000001.sdmp, BnevyAj.exe, 0000000E.00000002.931844597.00000000029A1000.00000004.00000001.sdmp, BnevyAj.exe, 00000012.00000002.931305015.0000000002991000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: BnevyAj.exe, 00000012.00000002.931305015.0000000002991000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: BnevyAj.exe, 00000012.00000002.931305015.0000000002991000.00000004.00000001.sdmp | String found in binary or memory: http://MpOtQG.com
Source: vbc.exe, 00000004.00000003.909588018.00000000067A8000.00000004.00000001.sdmp | String found in binary or memory: http://crl.c
Source: vbc.exe, 00000004.00000003.909588018.00000000067A8000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: vbc.exe, 00000004.00000003.909645922.00000000067D7000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: vbc.exe, 00000004.00000003.909588018.00000000067A8000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: vbc.exe, 00000004.00000003.909588018.00000000067A8000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: vbc.exe, 00000004.00000002.933794203.00000000032B0000.00000004.00000001.sdmp | String found in binary or memory: http://croatiahunt.com
Source: vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: vbc.exe, 00000004.00000002.933794203.00000000032B0000.00000004.00000001.sdmp | String found in binary or memory: http://mail.croatiahunt.com
Source: vbc.exe, 00000004.00000003.909588018.00000000067A8000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: vbc.exe, 00000004.00000002.933635766.0000000003263000.00000004.00000001.sdmp | String found in binary or memory: http://ryfE27WOGC.c
Source: vbc.exe, 00000004.00000002.933635766.0000000003263000.00000004.00000001.sdmp | String found in binary or memory: http://ryfE27WOGC.com
Source: vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: vbc.exe, 00000000.00000003.668894572.000000000580D000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlr
Source: vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: vbc.exe, 00000000.00000002.681665906.00000000027B1000.00000004.00000001.sdmp, BnevyAj.exe, 0000000B.00000002.765416031.0000000002531000.00000004.00000001.sdmp, BnevyAj.exe, 00000010.00000002.786078448.0000000002481000.00000004.00000001.sdmp | String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: vbc.exe, 00000000.00000003.680066703.00000000057D0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.coma
Source: vbc.exe, 00000000.00000003.680066703.00000000057D0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comldTF
Source: vbc.exe, 00000000.00000003.664625275.00000000057EB000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: vbc.exe, 00000000.00000003.666659224.00000000057D6000.00000004.00000001.sdmp, vbc.exe, 00000000.00000003.666236612.00000000057D7000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: vbc.exe, 00000000.00000003.666529673.00000000057D6000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: vbc.exe, 00000000.00000003.666467941.00000000057D8000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/l
Source: vbc.exe, 00000000.00000003.666236612.00000000057D7000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnp
Source: vbc.exe, 00000000.00000003.666028561.00000000057DD000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnt
Source: vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmp, vbc.exe, 00000000.00000003.664039768.00000000057D3000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: vbc.exe, 00000000.00000003.664039768.00000000057D3000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com.
Source: vbc.exe, 00000000.00000003.664039768.00000000057D3000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comUz
Source: vbc.exe, 00000000.00000003.664039768.00000000057D3000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comgz
Source: vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: vbc.exe, 00000004.00000002.931931603.0000000002F41000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%$
Source: BnevyAj.exe, 00000012.00000002.931305015.0000000002991000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: vbc.exe, 00000004.00000003.909588018.00000000067A8000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: vbc.exe, 00000000.00000002.682512073.00000000037B9000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.928707796.0000000000402000.00000040.00000001.sdmp, BnevyAj.exe, 0000000B.00000002.766014828.0000000003539000.00000004.00000001.sdmp, BnevyAj.exe, 0000000E.00000002.928744553.0000000000402000.00000040.00000001.sdmp, BnevyAj.exe, 00000010.00000002.786781735.0000000003489000.00000004.00000001.sdmp, BnevyAj.exe, 00000012.00000002.928744367.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: vbc.exe, 00000004.00000002.931931603.0000000002F41000.00000004.00000001.sdmp, BnevyAj.exe, 0000000E.00000002.931844597.00000000029A1000.00000004.00000001.sdmp, BnevyAj.exe, 00000012.00000002.931305015.0000000002991000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | DNS traffic detected: queries for: mail.croatiahunt.com

System Summary:

.NET source code contains very large array initializations
Source: 4.2.vbc.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bC8123CFFu002d1084u002d4755u002dA068u002d115455E50C0Au007d/u00351EA55F5u002dCE7Fu002d4200u002dB2DEu002d07232B8B50DB.cs | Large array initialization: .cctor: array initializer size 11948
Source: 14.2.BnevyAj.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bC8123CFFu002d1084u002d4755u002dA068u002d115455E50C0Au007d/u00351EA55F5u002dCE7Fu002d4200u002dB2DEu002d07232B8B50DB.cs | Large array initialization: .cctor: array initializer size 11948
Source: 18.2.BnevyAj.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bC8123CFFu002d1084u002d4755u002dA068u002d115455E50C0Au007d/u00351EA55F5u002dCE7Fu002d4200u002dB2DEu002d07232B8B50DB.cs | Large array initialization: .cctor: array initializer size 11948
Source: vbc.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\vbc.exe | Code function: 0_2_00ADD064
Source: C:\Users\user\Desktop\vbc.exe | Code function: 0_2_00ADF298
Source: C:\Users\user\Desktop\vbc.exe | Code function: 0_2_00ADF296
Source: C:\Users\user\Desktop\vbc.exe | Code function: 4_2_014BBA18
Source: C:\Users\user\Desktop\vbc.exe | Code function: 4_2_014B69A0
Source: C:\Users\user\Desktop\vbc.exe | Code function: 4_2_02F046A0
Source: C:\Users\user\Desktop\vbc.exe | Code function: 4_2_02F04630
Source: C:\Users\user\Desktop\vbc.exe | Code function: 4_2_05947540
Source: C:\Users\user\Desktop\vbc.exe | Code function: 4_2_05942548
Source: C:\Users\user\Desktop\vbc.exe | Code function: 4_2_059494F8
Source: C:\Users\user\Desktop\vbc.exe | Code function: 4_2_05946C70
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe | Code function: 11_2_00C1D064
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe | Code function: 11_2_00C1F296
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe | Code function: 11_2_00C1F298
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe | Code function: 11_2_06CDCAF8
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe | Code function: 11_2_06CD6D90
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe | Code function: 11_2_06CD6DA0
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe | Code function: 14_2_027546A0
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe | Code function: 14_2_0275463B
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe | Code function: 14_2_02754693
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe | Code function: 14_2_0275DA00
Source: vbc.exe, 00000000.00000002.680415873.00000000003B4000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIsolatedStorageFi.exe6 vs vbc.exe
Source: vbc.exe, 00000000.00000002.682512073.00000000037B9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUI.dll< vs vbc.exe
Source: vbc.exe, 00000000.00000002.682512073.00000000037B9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameGDufUjPAGIrcCocQttaA.exe4 vs vbc.exe
Source: vbc.exe, 00000000.00000002.681665906.00000000027B1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs vbc.exe
Source: vbc.exe, 00000000.00000002.681665906.00000000027B1000.00000004.00000001.sdmp | Binary or memory string: m,\\StringFileInfo\\000004B0\\OriginalFilename vs vbc.exe
Source: vbc.exe, 00000004.00000000.679006892.0000000000BE4000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIsolatedStorageFi.exe6 vs vbc.exe
Source: vbc.exe, 00000004.00000002.928707796.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameGDufUjPAGIrcCocQttaA.exe4 vs vbc.exe
Source: vbc.exe, 00000004.00000002.929243029.0000000000F88000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs vbc.exe
Source: vbc.exe | Binary or memory string: OriginalFilenameIsolatedStorageFi.exe6 vs vbc.exe
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe DC07322EF1652695B5E85BFD5D6DA8C5B6C311D26FF13EB18A390CD4B7232203
Source: vbc.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: BnevyAj.exe.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vbc.exe | Virustotal: Detection: 30%
Source: vbc.exe | Metadefender: Detection: 22%
Source: vbc.exe | ReversingLabs: Detection: 33%
Source: C:\Users\user\Desktop\vbc.exe | File read: C:\Users\user\Desktop\vbc.exe
Source: vbc.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\vbc.exe 'C:\Users\user\Desktop\vbc.exe'
Source: C:\Users\user\Desktop\vbc.exe | Process created: C:\Users\user\Desktop\vbc.exe C:\Users\user\Desktop\vbc.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe 'C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe'
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe | Process created: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe 'C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe'
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe | Process created: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe | Process created: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe
Source: C:\Users\user\Desktop\vbc.exe | Process created: C:\Users\user\Desktop\vbc.exe C:\Users\user\Desktop\vbc.exe
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe | Process created: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe | Process created: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe | Process created: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe
Source: C:\Users\user\Desktop\vbc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\vbc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\vbc.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\vbc.exe | File created: C:\Users\user\AppData\Local\Gottschalks
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@11/4@2/1
Source: C:\Users\user\Desktop\vbc.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: 4.2.vbc.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 14.2.BnevyAj.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 18.2.BnevyAj.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\vbc.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\vbc.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: vbc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: vbc.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                      Data Obfuscation:

                      barindex
                      .NET source code contains potential unpackerShow sources
                      Source: vbc.exe, MapEditor1/CreateMapDialog.cs.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.vbc.exe.340000.0.unpack, MapEditor1/CreateMapDialog.cs .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.vbc.exe.340000.0.unpack, MapEditor1/CreateMapDialog.cs .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: BnevyAj.exe.4.dr, MapEditor1/CreateMapDialog.cs .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.2.vbc.exe.b70000.1.unpack, MapEditor1/CreateMapDialog.cs .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.vbc.exe.b70000.0.unpack, MapEditor1/CreateMapDialog.cs .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 11.2.BnevyAj.exe.230000.0.unpack, MapEditor1/CreateMapDialog.cs .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 11.0.BnevyAj.exe.230000.0.unpack, MapEditor1/CreateMapDialog.cs .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 14.2.BnevyAj.exe.470000.1.unpack, MapEditor1/CreateMapDialog.cs .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 14.0.BnevyAj.exe.470000.0.unpack, MapEditor1/CreateMapDialog.cs .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 16.0.BnevyAj.exe.40000.0.unpack, MapEditor1/CreateMapDialog.cs .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 16.2.BnevyAj.exe.40000.0.unpack, MapEditor1/CreateMapDialog.cs .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 17.0.BnevyAj.exe.30000.0.unpack, MapEditor1/CreateMapDialog.cs .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 17.2.BnevyAj.exe.30000.0.unpack, MapEditor1/CreateMapDialog.cs .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 18.2.BnevyAj.exe.5e0000.1.unpack, MapEditor1/CreateMapDialog.cs .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: C:\Users\user\Desktop\vbc.exe Code function: 0_2_06E63665 push FFFFFF8Bh; iretd 0_2_06E63667
Source: C:\Users\user\Desktop\vbc.exe Code function: 0_2_06E6366E push cs; retf 0_2_06E6366F
Source: C:\Users\user\Desktop\vbc.exe Code function: 0_2_06E60FD2 push eax; ret 0_2_06E60FD9
Source: C:\Users\user\Desktop\vbc.exe Code function: 0_2_06E60FDA pushad; ret 0_2_06E60FD1
Source: C:\Users\user\Desktop\vbc.exe Code function: 0_2_06E60F9C pushad; ret 0_2_06E60FD1
Source: C:\Users\user\Desktop\vbc.exe Code function: 4_2_02F0DD38 push FFFFFF8Bh; iretd 4_2_02F0DD3B
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe Code function: 11_2_00C12018 push ebx; retf 11_2_00C1207A
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe Code function: 11_2_06F63665 push FFFFFF8Bh; iretd 11_2_06F63667
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe Code function: 11_2_06F6366E push cs; retf 11_2_06F6366F
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe Code function: 11_2_06F60FDB push eax; ret 11_2_06F60FD9
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe Code function: 11_2_06F60F9C push eax; ret 11_2_06F60FD9
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe Code function: 11_2_06F60F45 push es; retf 11_2_06F60F48
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe Code function: 11_2_06F634BE pushad; retf 11_2_06F634BF
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe Code function: 11_2_06F6346C pushad; retf 11_2_06F6346D
Source: initial sample Static PE information: section name: .text entropy: 7.80231606159
Source: C:\Users\user\Desktop\vbc.exe File created: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe
Source: C:\Users\user\Desktop\vbc.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run BnevyAj

                      Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\vbc.exe File opened: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\vbc.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 0.2.vbc.exe.2801570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.BnevyAj.exe.24d1524.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.BnevyAj.exe.2581524.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.786078448.0000000002481000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.765416031.0000000002531000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.681665906.00000000027B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 7088, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BnevyAj.exe PID: 4624, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BnevyAj.exe PID: 3144, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: vbc.exe, 00000000.00000002.681665906.00000000027B1000.00000004.00000001.sdmp, BnevyAj.exe, 0000000B.00000002.765416031.0000000002531000.00000004.00000001.sdmp, BnevyAj.exe, 00000010.00000002.786078448.0000000002481000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: vbc.exe, 00000000.00000002.681665906.00000000027B1000.00000004.00000001.sdmp, BnevyAj.exe, 0000000B.00000002.765416031.0000000002531000.00000004.00000001.sdmp, BnevyAj.exe, 00000010.00000002.786078448.0000000002481000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\vbc.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\vbc.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\vbc.exe TID: 7092 Thread sleep time: -46038s >= -30000s
Source: C:\Users\user\Desktop\vbc.exe TID: 6964 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\vbc.exe TID: 4936 Thread sleep time: -18446744073709540s >= -30000s
Source: C:\Users\user\Desktop\vbc.exe TID: 5704 Thread sleep count: 721 > 30
Source: C:\Users\user\Desktop\vbc.exe TID: 5704 Thread sleep count: 9117 > 30
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe TID: 4552 Thread sleep time: -42962s >= -30000s
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe TID: 6128 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe TID: 3000 Thread sleep count: 31 > 30
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe TID: 3000 Thread sleep time: -28592453314249787s >= -30000s
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe TID: 3176 Thread sleep count: 4359 > 30
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe TID: 3176 Thread sleep count: 5458 > 30
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe TID: 4812 Thread sleep time: -31879s >= -30000s
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe TID: 5708 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe TID: 6784 Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe TID: 5192 Thread sleep count: 8542 > 30
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe TID: 5192 Thread sleep count: 1290 > 30
Source: C:\Users\user\Desktop\vbc.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\vbc.exe Window / User API: threadDelayed 721
Source: C:\Users\user\Desktop\vbc.exe Window / User API: threadDelayed 9117
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe Window / User API: threadDelayed 4359
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe Window / User API: threadDelayed 5458
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe Window / User API: threadDelayed 8542
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe Window / User API: threadDelayed 1290
Source: C:\Users\user\Desktop\vbc.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\vbc.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\vbc.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\vbc.exe Thread delayed: delay time: 46038
Source: C:\Users\user\Desktop\vbc.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe Thread delayed: delay time: 42962
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe Thread delayed: delay time: 31879
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe Thread delayed: delay time: 922337203685477
Source: BnevyAj.exe, 00000010.00000002.786078448.0000000002481000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: BnevyAj.exe, 00000010.00000002.786078448.0000000002481000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: BnevyAj.exe, 00000010.00000002.786078448.0000000002481000.00000004.00000001.sdmp Binary or memory string: vmware
Source: BnevyAj.exe, 00000010.00000002.786078448.0000000002481000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\vbc.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\vbc.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe Memory written: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\vbc.exe Process created: C:\Users\user\Desktop\vbc.exe C:\Users\user\Desktop\vbc.exe
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe Process created: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe
Source: vbc.exe, 00000004.00000002.931330746.00000000018A0000.00000002.00020000.sdmp, BnevyAj.exe, 0000000E.00000002.930350035.0000000001150000.00000002.00020000.sdmp, BnevyAj.exe, 00000012.00000002.930566306.0000000001300000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: vbc.exe, 00000004.00000002.931330746.00000000018A0000.00000002.00020000.sdmp, BnevyAj.exe, 0000000E.00000002.930350035.0000000001150000.00000002.00020000.sdmp, BnevyAj.exe, 00000012.00000002.930566306.0000000001300000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000004.00000002.931330746.00000000018A0000.00000002.00020000.sdmp, BnevyAj.exe, 0000000E.00000002.930350035.0000000001150000.00000002.00020000.sdmp, BnevyAj.exe, 00000012.00000002.930566306.0000000001300000.00000002.00020000.sdmp Binary or memory string: Progman
Source: vbc.exe, 00000004.00000002.931330746.00000000018A0000.00000002.00020000.sdmp, BnevyAj.exe, 0000000E.00000002.930350035.0000000001150000.00000002.00020000.sdmp, BnevyAj.exe, 00000012.00000002.930566306.0000000001300000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Users\user\Desktop\vbc.exe VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Users\user\Desktop\vbc.exe VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe | Queries volume information: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe | Queries volume information: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe | Queries volume information: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe | Queries volume information: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\vbc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 0.2.vbc.exe.3a55230.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.BnevyAj.exe.37d5230.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.BnevyAj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.BnevyAj.exe.3725230.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.BnevyAj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.BnevyAj.exe.3725230.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vbc.exe.3a55230.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.BnevyAj.exe.362bd80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vbc.exe.3904960.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.BnevyAj.exe.37d5230.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.BnevyAj.exe.36dbd80.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vbc.exe.395bd80.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.BnevyAj.exe.3684960.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.BnevyAj.exe.35d4960.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000012.00000002.928744367.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.928744553.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.766014828.0000000003539000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.928707796.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.786781735.0000000003489000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.682512073.00000000037B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.931305015.0000000002991000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.931844597.00000000029A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.931931603.0000000002F41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 7088, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 6404, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: BnevyAj.exe PID: 4624, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: BnevyAj.exe PID: 6176, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: BnevyAj.exe PID: 3144, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: BnevyAj.exe PID: 4640, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\vbc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\vbc.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\vbc.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match | File source: 00000012.00000002.931305015.0000000002991000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.931844597.00000000029A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.931931603.0000000002F41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 6404, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: BnevyAj.exe PID: 6176, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: BnevyAj.exe PID: 4640, type: MEMORYSTR

                      Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 0.2.vbc.exe.3a55230.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.BnevyAj.exe.37d5230.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.BnevyAj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.BnevyAj.exe.3725230.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.BnevyAj.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.BnevyAj.exe.3725230.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vbc.exe.3a55230.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.BnevyAj.exe.362bd80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vbc.exe.3904960.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.BnevyAj.exe.37d5230.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.BnevyAj.exe.36dbd80.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vbc.exe.395bd80.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.BnevyAj.exe.3684960.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.BnevyAj.exe.35d4960.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000012.00000002.928744367.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.928744553.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.766014828.0000000003539000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.928707796.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.786781735.0000000003489000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.682512073.00000000037B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.931305015.0000000002991000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.931844597.00000000029A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.931931603.0000000002F41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 7088, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 6404, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: BnevyAj.exe PID: 4624, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: BnevyAj.exe PID: 6176, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: BnevyAj.exe PID: 3144, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: BnevyAj.exe PID: 4640, type: MEMORYSTR

                      Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | Registry Run Keys / Startup Folder 1 | Process Injection 112 | Disable or Modify Tools 1 | OS Credential Dumping 2 | System Information Discovery 114 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Registry Run Keys / Startup Folder 1 | Deobfuscate/Decode Files or Information 1 | Credentials in Registry 1 | Query Registry 1 | Remote Desktop Protocol | Data from Local System 2 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 2 | Security Account Manager | Security Software Discovery 311 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing 13 | NTDS | Process Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 11 | SIM Card Swap | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading 1 | LSA Secrets | Virtualization/Sandbox Evasion 131 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion 131 | Cached Domain Credentials | Application Window Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection 112 | DCSync | Remote System Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Hidden Files and Directories 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue

                      Behavior Graph

Behavior Graph ID: 502670 | Sample: vbc.exe_ | Start date: 14/10/2021 | Architecture: WINDOWS | Score: 100

Signatures attached to the sample node: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected AgentTesla; 4 other signatures

Process tree recovered from the graph:

• vbc.exe (started by the sample)
  • Dropped: C:\Users\user\AppData\Local\...\vbc.exe.log, ASCII
  • Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
  • vbc.exe (child process)
    • DNS/IP: croatiahunt.com 116.202.174.203, ports 49884, 587, HETZNER-ASDE Germany; mail.croatiahunt.com
    • Dropped: C:\Users\user\AppData\Roaming\...\BnevyAj.exe, PE32; C:\Users\user\...\BnevyAj.exe:Zone.Identifier, ASCII
    • Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; 2 other signatures
• BnevyAj.exe (started by the sample)
  • Signatures: Multi AV Scanner detection for dropped file; Injects a PE file into a foreign processes
  • BnevyAj.exe (child process)
• BnevyAj.exe (started by the sample)
  • BnevyAj.exe (child process)
  • BnevyAj.exe (child process)

                      Screenshots

Screenshot thumbnails (images not reproduced in this text rendering)

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
vbc.exe | 30% | Virustotal | -
vbc.exe | 23% | Metadefender | -
vbc.exe | 33% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

                      Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe | 23% | Metadefender | -
C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe | 44% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

                      Unpacked PE Files

Source | Detection | Scanner | Label
14.2.BnevyAj.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
18.2.BnevyAj.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
4.2.vbc.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

Source | Detection | Scanner | Label
windowsupdate.s.llnwi.net | 0% | Virustotal | -
croatiahunt.com | 0% | Virustotal | -

                      URLs

Source | Detection | Scanner | Label
http://www.sajatypeworks.com. | 0% | Avira URL Cloud | safe
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://ryfE27WOGC.c | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.collada.org/2005/11/COLLADASchema9Done | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cnp | 0% | URL Reputation | safe
http://MpOtQG.com | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cnt | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/l | 0% | Avira URL Cloud | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sajatypeworks.comgz | 0% | Avira URL Cloud | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://mail.croatiahunt.com | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://www.fontbureau.coma | 0% | URL Reputation | safe
https://api.ipify.org%$ | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://crl.c | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.comUz | 0% | Avira URL Cloud | safe
http://croatiahunt.com | 0% | Avira URL Cloud | safe
http://www.fontbureau.comldTF | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.ascendercorp.com/typedesigners.htmlr | 0% | Avira URL Cloud | safe
http://ryfE27WOGC.com | 0% | Avira URL Cloud | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
windowsupdate.s.llnwi.net | 178.79.242.0 | true | false | - | unknown
croatiahunt.com | 116.202.174.203 | true | true | - | unknown
mail.croatiahunt.com | unknown | unknown | true | - | unknown

                        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.sajatypeworks.com. | vbc.exe, 00000000.00000003.664039768.00000000057D3000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://127.0.0.1:HTTP/1.1 | vbc.exe, 00000004.00000002.931931603.0000000002F41000.00000004.00000001.sdmp, BnevyAj.exe, 0000000E.00000002.931844597.00000000029A1000.00000004.00000001.sdmp, BnevyAj.exe, 00000012.00000002.931305015.0000000002991000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designersG | vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmp | false | - | high
http://ryfE27WOGC.c | vbc.exe, 00000004.00000002.933635766.0000000003263000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/? | vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/bThe | vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmp | false | - | high
http://www.tiro.com | vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmp | false | - | high
http://www.goodfont.co.kr | vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.collada.org/2005/11/COLLADASchema9Done | vbc.exe, 00000000.00000002.681665906.00000000027B1000.00000004.00000001.sdmp, BnevyAj.exe, 0000000B.00000002.765416031.0000000002531000.00000004.00000001.sdmp, BnevyAj.exe, 00000010.00000002.786078448.0000000002481000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmp, vbc.exe, 00000000.00000003.664039768.00000000057D3000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cnp | vbc.exe, 00000000.00000003.666236612.00000000057D7000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://MpOtQG.com | BnevyAj.exe, 00000012.00000002.931305015.0000000002991000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cnt | vbc.exe, 00000000.00000003.666028561.00000000057DD000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/l | vbc.exe, 00000000.00000003.666467941.00000000057D8000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ipify.org%GETMozilla/5.0 | BnevyAj.exe, 00000012.00000002.931305015.0000000002991000.00000004.00000001.sdmp | false | URL Reputation: safe | low
http://www.fonts.com | vbc.exe, 00000000.00000003.664625275.00000000057EB000.00000004.00000001.sdmp | false | - | high
http://www.sandoll.co.kr | vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.comgz | vbc.exe, 00000000.00000003.664039768.00000000057D3000.00000004.00000001.sdmp | false
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.sakkal.comvbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zipvbc.exe, 00000000.00000002.682512073.00000000037B9000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.928707796.0000000000402000.00000040.00000001.sdmp, BnevyAj.exe, 0000000B.00000002.766014828.0000000003539000.00000004.00000001.sdmp, BnevyAj.exe, 0000000E.00000002.928744553.0000000000402000.00000040.00000001.sdmp, BnevyAj.exe, 00000010.00000002.786781735.0000000003489000.00000004.00000001.sdmp, BnevyAj.exe, 00000012.00000002.928744367.0000000000402000.00000040.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://mail.croatiahunt.comvbc.exe, 00000004.00000002.933794203.00000000032B0000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.apache.org/licenses/LICENSE-2.0vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpfalse
                                    high
                                    http://www.fontbureau.comvbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpfalse
                                      high
                                      http://DynDns.comDynDNSBnevyAj.exe, 00000012.00000002.931305015.0000000002991000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      https://sectigo.com/CPS0vbc.exe, 00000004.00000003.909588018.00000000067A8000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%havbc.exe, 00000004.00000002.931931603.0000000002F41000.00000004.00000001.sdmp, BnevyAj.exe, 0000000E.00000002.931844597.00000000029A1000.00000004.00000001.sdmp, BnevyAj.exe, 00000012.00000002.931305015.0000000002991000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.fontbureau.comavbc.exe, 00000000.00000003.680066703.00000000057D0000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      https://api.ipify.org%$vbc.exe, 00000004.00000002.931931603.0000000002F41000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      low
                                      http://www.carterandcone.comlvbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.founder.com.cn/cn/vbc.exe, 00000000.00000003.666529673.00000000057D6000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.fontbureau.com/designers/cabarga.htmlNvbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpfalse
                                        high
                                        http://www.founder.com.cn/cnvbc.exe, 00000000.00000003.666659224.00000000057D6000.00000004.00000001.sdmp, vbc.exe, 00000000.00000003.666236612.00000000057D7000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.fontbureau.com/designers/frere-user.htmlvbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpfalse
                                          high
                                          http://crl.cvbc.exe, 00000004.00000003.909588018.00000000067A8000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.sajatypeworks.comUzvbc.exe, 00000000.00000003.664039768.00000000057D3000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://croatiahunt.comvbc.exe, 00000004.00000002.933794203.00000000032B0000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.fontbureau.comldTFvbc.exe, 00000000.00000003.680066703.00000000057D0000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.jiyu-kobo.co.jp/vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.ascendercorp.com/typedesigners.htmlrvbc.exe, 00000000.00000003.668894572.000000000580D000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.fontbureau.com/designers8vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpfalse
                                            high
                                            http://ryfE27WOGC.comvbc.exe, 00000004.00000002.933635766.0000000003263000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown

                                            Contacted IPs


                                            Public

IP               Domain           Country  ASN    ASN Name      Malicious
116.202.174.203  croatiahunt.com  Germany  24940  HETZNER-ASDE  true

                                            General Information

                                            Joe Sandbox Version:33.0.0 White Diamond
                                            Analysis ID:502670
                                            Start date:14.10.2021
                                            Start time:08:44:15
                                            Joe Sandbox Product:CloudBasic
                                            Overall analysis duration:0h 12m 8s
                                            Hypervisor based Inspection enabled:false
                                            Report type:full
                                            Sample file name:vbc.exe_ (renamed file extension from exe_ to exe)
                                            Cookbook file name:default.jbs
                                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                            Number of analysed new started processes analysed:25
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:0
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • HDC enabled
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Analysis stop reason:Timeout
                                            Detection:MAL
                                            Classification:mal100.troj.spyw.evad.winEXE@11/4@2/1
                                            EGA Information:
                                            • Successful, ratio: 100%
                                            HDC Information:
                                            • Successful, ratio: 0.1% (good quality ratio 0%)
                                            • Quality average: 17.8%
                                            • Quality standard deviation: 26.1%
                                            HCA Information:
                                            • Successful, ratio: 99%
                                            • Number of executed functions: 58
                                            • Number of non-executed functions: 3
                                            Cookbook Comments:
                                            • Adjust boot time
                                            • Enable AMSI
                                            Warnings:
                                            • Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                            • Excluded IPs from analysis (whitelisted): 20.82.210.154, 20.199.120.182, 23.203.141.148, 20.199.120.151, 20.82.209.183, 8.247.248.249, 8.247.248.223, 8.247.244.221, 2.20.178.33, 2.20.178.24, 20.54.110.249, 52.251.79.25, 40.112.88.60, 20.199.120.85
                                            • Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, consumer-displaycatalogrp-aks2aks-useast.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, client.wns.windows.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, displaycatalog-rp-useast.md.mp.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                            • Report creation exceeded maximum time and may have missing disassembly code information.
                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                            • Report size getting too big, too many NtQueryValueKey calls found.

                                            Simulations

                                            Behavior and APIs

Time      Type             Description
08:45:17  API Interceptor  731x Sleep call for process: vbc.exe modified
08:45:46  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run BnevyAj C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe
08:45:54  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run BnevyAj C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe
08:45:56  API Interceptor  891x Sleep call for process: BnevyAj.exe modified

                                            Joe Sandbox View / Context

                                            IPs

Match: 116.202.174.203
• Associated sample: SecuriteInfo.com.BackDoor.SpyBotNET.25.23695.exe, Detection: malicious
• Associated sample: DHL consignment number_600595460.xlsx, Detection: malicious
• Associated sample: Po____211110.exe, Detection: malicious

                                                  Domains

Match: windowsupdate.s.llnwi.net
• Associated sample: REMITTANCE-54324.exe, Detection: malicious, Context: 178.79.242.128
• Associated sample: Farbestfoods.AP Summary.2752.html, Detection: malicious, Context: 178.79.242.128
• Associated sample: iAuPyHuUkk.exe, Detection: malicious, Context: 178.79.242.0
• Associated sample: ORDER CONFIRMATION.exe, Detection: malicious, Context: 178.79.242.128
• Associated sample: HqiJ8HpbxU.exe, Detection: malicious, Context: 178.79.242.0
• Associated sample: PEKv5PX7Wq.exe, Detection: malicious, Context: 178.79.242.0
• Associated sample: R6QyqCNJgljVTjY.exe, Detection: malicious, Context: 178.79.242.0
• Associated sample: SsbgfSoVLC.exe, Detection: malicious, Context: 178.79.242.0
• Associated sample: pvHBhNUyIm.exe, Detection: malicious, Context: 178.79.242.0
• Associated sample: Request For New Qoute - Ist Order.exe, Detection: malicious, Context: 178.79.242.0
• Associated sample: 569vj51Zrs.exe, Detection: malicious, Context: 178.79.242.0
• Associated sample: correction HAWB.exe, Detection: malicious, Context: 178.79.242.0
• Associated sample: correction HAWB.exe, Detection: malicious, Context: 178.79.242.0
• Associated sample: Statement of Account.exe, Detection: malicious, Context: 178.79.242.128
• Associated sample: Statement of Account.exe, Detection: malicious, Context: 178.79.242.128
• Associated sample: jh6KzwrXQp.exe, Detection: malicious, Context: 178.79.242.0
• Associated sample: heX1kOkwqy.exe, Detection: malicious, Context: 178.79.242.0
• Associated sample: mixsix_20211013-084409.exe, Detection: malicious, Context: 178.79.242.0
• Associated sample: 2rd Quater Order Quotation.zip.xls, Detection: malicious, Context: 178.79.242.128
• Associated sample: DOC REC EIPT.html, Detection: malicious, Context: 178.79.242.128

                                                  ASN

Match: HETZNER-ASDE
• Associated sample: GR01DtRd0N.exe, Detection: malicious, Context: 88.99.75.82
• Associated sample: Payment_Swift,png.exe, Detection: malicious, Context: 78.46.56.160
• Associated sample: PO 211011-021A.exe, Detection: malicious, Context: 136.243.159.53
• Associated sample: S27f5MP8Ue, Detection: malicious, Context: 5.75.211.8
• Associated sample: 75lT7DuXrs.exe, Detection: malicious, Context: 168.119.93.163
• Associated sample: #Ud83d#Udcde-youse.guia-644-46204-282109.htm, Detection: malicious, Context: 95.217.53.76
• Associated sample: 6Vk012xoyn, Detection: malicious, Context: 144.79.90.35
• Associated sample: tmDSSwkOAM, Detection: malicious, Context: 94.130.40.209
• Associated sample: 8r3HRghvXX, Detection: malicious, Context: 95.217.66.142
• Associated sample: ARK Survival legit hack by Spyro.exe, Detection: malicious, Context: 135.181.170.169
• Associated sample: M12s7KNFDg.exe, Detection: malicious, Context: 138.201.79.103
• Associated sample: NBA 2K21 Cheat by Spyro.exe, Detection: malicious, Context: 135.181.170.169
• Associated sample: Gsdqz.dll, Detection: malicious, Context: 116.203.98.109
• Associated sample: 4tOOUNDwaW.exe, Detection: malicious, Context: 188.34.163.98
• Associated sample: 7ofFMoirr5.exe, Detection: malicious, Context: 188.34.163.98
• Associated sample: HUTWMrDhov.dll, Detection: malicious, Context: 116.203.98.109
• Associated sample: SecuriteInfo.com.W32.AIDetect.malware1.10225.exe, Detection: malicious, Context: 188.34.163.98
• Associated sample: 0q3K4qJqQT.exe, Detection: malicious, Context: 88.99.75.82
• Associated sample: SecuriteInfo.com.BackDoor.SpyBotNET.25.23695.exe, Detection: malicious, Context: 116.202.174.203
• Associated sample: FTdhc25gn8.exe, Detection: malicious, Context: 88.99.75.82

                                                  JA3 Fingerprints

                                                  No context

                                                  Dropped Files

Match: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe
• Associated sample: SecuriteInfo.com.BackDoor.SpyBotNET.25.23695.exe, Detection: malicious
• Associated sample: DHL consignment number_600595460.xlsx, Detection: malicious

                                                      Created / dropped Files

                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BnevyAj.exe.log
                                                      Process:C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):1308
                                                      Entropy (8bit):5.348115897127242
                                                      Encrypted:false
                                                      SSDEEP:24:MLUE4KJXE4qpE4Ks2E1qE4qpAE4Kzr7RKDE4KhK3VZ9pKhPKIE4oKFKHKorE4x88:MIHKtH2HKXE1qHmAHKzvRYHKhQnoPtH2
                                                      MD5:832D6A22CE7798D72609B9C21B4AF152
                                                      SHA1:B086DE927BFEE6039F5555CE53C397D1E59B4CA4
                                                      SHA-256:9E5EE72EF293C66406AF155572BF3B0CF9DA09CC1F60ED6524AAFD65553CE551
                                                      SHA-512:A1A70F76B98C2478830AE737B4F12507D859365F046C5A415E1EBE3D87FFD2B64663A31E1E5142F7C3A7FE9A6A9CB8C143C2E16E94C3DD6041D1CCABEDDD2C21
                                                      Malicious:false
                                                      Reputation:moderate, very likely benign file
                                                      Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows
                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vbc.exe.log
                                                      Process:C:\Users\user\Desktop\vbc.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):1308
                                                      Entropy (8bit):5.348115897127242
                                                      Encrypted:false
                                                      SSDEEP:24:MLUE4KJXE4qpE4Ks2E1qE4qpAE4Kzr7RKDE4KhK3VZ9pKhPKIE4oKFKHKorE4x88:MIHKtH2HKXE1qHmAHKzvRYHKhQnoPtH2
                                                      MD5:832D6A22CE7798D72609B9C21B4AF152
                                                      SHA1:B086DE927BFEE6039F5555CE53C397D1E59B4CA4
                                                      SHA-256:9E5EE72EF293C66406AF155572BF3B0CF9DA09CC1F60ED6524AAFD65553CE551
                                                      SHA-512:A1A70F76B98C2478830AE737B4F12507D859365F046C5A415E1EBE3D87FFD2B64663A31E1E5142F7C3A7FE9A6A9CB8C143C2E16E94C3DD6041D1CCABEDDD2C21
                                                      Malicious:true
                                                      Reputation:moderate, very likely benign file
                                                      Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows
                                                      C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe
                                                      Process:C:\Users\user\Desktop\vbc.exe
                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):564736
                                                      Entropy (8bit):7.0819561487133305
                                                      Encrypted:false
                                                      SSDEEP:6144:0MkhBXuLbabNr+o6RxQbACvuj8qLhT7uu5ziEjPY2hL1Vkebv0duOjwYB:vSBXuLbalbMebAr9LNu3KY8L1u+0j1
                                                      MD5:A665B705B9381B33AAA9E307FE340AF7
                                                      SHA1:A6FBA4F009921B1DE9D524047BCB7FA0E571A116
                                                      SHA-256:DC07322EF1652695B5E85BFD5D6DA8C5B6C311D26FF13EB18A390CD4B7232203
                                                      SHA-512:B7E7FF96DCE12935C71B6E6B6FC74652CD08725D8DE29A91E35B0D4F8F351D14F371E2D48A3AB5FE733003764AF09B6BE6DC6D943112B596FA2B09A7638BBAEE
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: Metadefender, Detection: 23%, Browse
                                                      • Antivirus: ReversingLabs, Detection: 44%
                                                      Joe Sandbox View:
                                                      • Filename: SecuriteInfo.com.BackDoor.SpyBotNET.25.23695.exe, Detection: malicious, Browse
                                                      • Filename: DHL consignment number_600595460.xlsx, Detection: malicious, Browse
                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...S.fa..............0..(...t......RF... ...`....@.. ....................................@..................................F..O....`..(q........................................................................... ............... ..H............text...X&... ...(.................. ..`.rsrc...(q...`...r...*..............@..@.reloc..............................@..B................4F......H.......Lb...O......Y...`................................................0..V.........}......*.*s....}......}......}.....(.......(......{....r...po......{....r...po.....*...0.............(....&.{.........,....8....sA...%.{.....|....(....Z.{.....|....(....Z . &.s....} ...%.}......{ ...(.........(....o........+c...+C.....X.].......,+..(.......{....Z...{....Z.{.....{....o ........X.....|....(..........-....X.....|....(..........-......,...o!.....sB........|....(.....|....(....s"
                                                      C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe:Zone.Identifier
                                                      Process:C:\Users\user\Desktop\vbc.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:modified
                                                      Size (bytes):26
                                                      Entropy (8bit):3.95006375643621
                                                      Encrypted:false
                                                      SSDEEP:3:ggPYV:rPYV
                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                      Malicious:true
                                                      Preview: [ZoneTransfer]....ZoneId=0

                                                      Static File Info

                                                      General

                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Entropy (8bit):7.0819561487133305
                                                      TrID:
                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                      • DOS Executable Generic (2002/1) 0.01%
                                                      File name:vbc.exe
                                                      File size:564736
                                                      MD5:a665b705b9381b33aaa9e307fe340af7
                                                      SHA1:a6fba4f009921b1de9d524047bcb7fa0e571a116
                                                      SHA256:dc07322ef1652695b5e85bfd5d6da8c5b6c311d26ff13eb18a390cd4b7232203
                                                      SHA512:b7e7ff96dce12935c71b6e6b6fc74652cd08725d8de29a91e35b0d4f8f351d14f371e2d48a3ab5fe733003764af09b6be6dc6d943112b596fa2b09a7638bbaee
                                                      SSDEEP:6144:0MkhBXuLbabNr+o6RxQbACvuj8qLhT7uu5ziEjPY2hL1Vkebv0duOjwYB:vSBXuLbalbMebAr9LNu3KY8L1u+0j1

                                                      File Icon

                                                      Icon Hash:0c529252d9cce41b

                                                      Static PE Info

                                                      General

                                                      Entrypoint:0x464652
                                                      Entrypoint Section:.text
                                                      Digitally signed:false
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                      Time Stamp:0x61668753 [Wed Oct 13 07:14:27 2021 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:v4.0.30319
                                                      OS Version Major:4
                                                      OS Version Minor:0
                                                      File Version Major:4
                                                      File Version Minor:0
                                                      Subsystem Version Major:4
                                                      Subsystem Version Minor:0
                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                      Entrypoint Preview

                                                      Instruction
                                                      jmp dword ptr [00402000h]

                                                      Data Directories

                                                       Name                                  Virtual Address  Virtual Size  Is in Section
                                                       IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                       IMAGE_DIRECTORY_ENTRY_IMPORT          0x64600          0x4f          .text
                                                       IMAGE_DIRECTORY_ENTRY_RESOURCE        0x66000          0x27128       .rsrc
                                                       IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                       IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                       IMAGE_DIRECTORY_ENTRY_BASERELOC       0x8e000          0xc           .reloc
                                                       IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                       IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                       IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                       IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                       IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                       IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                       IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                       IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                       IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                       IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                      Sections

                                                       Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                                                       .text   0x2000           0x62658       0x62800   False     0.889331178617   data       7.80231606159   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                       .rsrc   0x66000          0x27128       0x27200   False     0.141298921725   data       3.94408724321   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                       .reloc  0x8e000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                      Resources

                                                       Name           RVA      Size     Type                                                                                                                          Language  Country
                                                       RT_ICON        0x66220  0xe8ac   data
                                                       RT_ICON        0x74acc  0x10a8   dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
                                                       RT_ICON        0x75b74  0x25a8   dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
                                                       RT_ICON        0x7811c  0x4228   dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0
                                                       RT_ICON        0x7c344  0x10828  dBase III DBT, version number 0, next free block index 40
                                                       RT_GROUP_ICON  0x8cb6c  0x14     data
                                                       RT_GROUP_ICON  0x8cb80  0x4c     data
                                                       RT_VERSION     0x8cbcc  0x370    data
                                                       RT_MANIFEST    0x8cf3c  0x1ea    XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                      Imports

                                                       DLL          Import
                                                       mscoree.dll  _CorExeMain

                                                      Version Infos

                                                       Description       Data
                                                       Translation       0x0000 0x04b0
                                                       LegalCopyright    Copyright Gottschalks 2011
                                                       Assembly Version  1.0.0.0
                                                       InternalName      IsolatedStorageFi.exe
                                                       FileVersion       1.0.0.0
                                                       CompanyName       Gottschalks
                                                       LegalTrademarks
                                                       Comments
                                                       ProductName       MapEditor1
                                                       ProductVersion    1.0.0.0
                                                       FileDescription   MapEditor1
                                                       OriginalFilename  IsolatedStorageFi.exe

                                                      Network Behavior

                                                      Network Port Distribution

                                                      TCP Packets

                                                       Timestamp                             Source Port  Dest Port  Source IP        Dest IP
                                                       Oct 14, 2021 08:47:05.213349104 CEST  49884        587        192.168.2.4      116.202.174.203
                                                       Oct 14, 2021 08:47:05.235928059 CEST  587          49884      116.202.174.203  192.168.2.4
                                                       Oct 14, 2021 08:47:05.236557007 CEST  49884        587        192.168.2.4      116.202.174.203
                                                       Oct 14, 2021 08:47:05.534688950 CEST  587          49884      116.202.174.203  192.168.2.4
                                                       Oct 14, 2021 08:47:05.536415100 CEST  49884        587        192.168.2.4      116.202.174.203
                                                       Oct 14, 2021 08:47:05.557899952 CEST  587          49884      116.202.174.203  192.168.2.4
                                                       Oct 14, 2021 08:47:05.558201075 CEST  49884        587        192.168.2.4      116.202.174.203
                                                       Oct 14, 2021 08:47:05.581259966 CEST  587          49884      116.202.174.203  192.168.2.4
                                                       Oct 14, 2021 08:47:05.623823881 CEST  49884        587        192.168.2.4      116.202.174.203
                                                       Oct 14, 2021 08:47:05.685749054 CEST  49884        587        192.168.2.4      116.202.174.203
                                                       Oct 14, 2021 08:47:05.714250088 CEST  587          49884      116.202.174.203  192.168.2.4
                                                       Oct 14, 2021 08:47:05.714277029 CEST  587          49884      116.202.174.203  192.168.2.4
                                                       Oct 14, 2021 08:47:05.714293003 CEST  587          49884      116.202.174.203  192.168.2.4
                                                       Oct 14, 2021 08:47:05.714304924 CEST  587          49884      116.202.174.203  192.168.2.4
                                                       Oct 14, 2021 08:47:05.714365959 CEST  49884        587        192.168.2.4      116.202.174.203
                                                       Oct 14, 2021 08:47:05.714437008 CEST  49884        587        192.168.2.4      116.202.174.203
                                                       Oct 14, 2021 08:47:05.716888905 CEST  587          49884      116.202.174.203  192.168.2.4
                                                       Oct 14, 2021 08:47:05.753770113 CEST  49884        587        192.168.2.4      116.202.174.203
                                                       Oct 14, 2021 08:47:05.775552988 CEST  587          49884      116.202.174.203  192.168.2.4
                                                       Oct 14, 2021 08:47:05.826987982 CEST  49884        587        192.168.2.4      116.202.174.203
                                                       Oct 14, 2021 08:47:06.164921045 CEST  49884        587        192.168.2.4      116.202.174.203
                                                       Oct 14, 2021 08:47:06.186460972 CEST  587          49884      116.202.174.203  192.168.2.4
                                                       Oct 14, 2021 08:47:06.188076973 CEST  49884        587        192.168.2.4      116.202.174.203
                                                       Oct 14, 2021 08:47:06.211909056 CEST  587          49884      116.202.174.203  192.168.2.4
                                                       Oct 14, 2021 08:47:06.213227987 CEST  49884        587        192.168.2.4      116.202.174.203
                                                       Oct 14, 2021 08:47:06.243670940 CEST  587          49884      116.202.174.203  192.168.2.4
                                                       Oct 14, 2021 08:47:06.244704962 CEST  49884        587        192.168.2.4      116.202.174.203
                                                       Oct 14, 2021 08:47:06.266201973 CEST  587          49884      116.202.174.203  192.168.2.4
                                                       Oct 14, 2021 08:47:06.266877890 CEST  49884        587        192.168.2.4      116.202.174.203
                                                       Oct 14, 2021 08:47:06.299679041 CEST  587          49884      116.202.174.203  192.168.2.4
                                                       Oct 14, 2021 08:47:06.300473928 CEST  49884        587        192.168.2.4      116.202.174.203
                                                       Oct 14, 2021 08:47:06.321907997 CEST  587          49884      116.202.174.203  192.168.2.4
                                                       Oct 14, 2021 08:47:06.324021101 CEST  49884        587        192.168.2.4      116.202.174.203
                                                       Oct 14, 2021 08:47:06.324489117 CEST  49884        587        192.168.2.4      116.202.174.203
                                                       Oct 14, 2021 08:47:06.326102972 CEST  49884        587        192.168.2.4      116.202.174.203
                                                       Oct 14, 2021 08:47:06.326271057 CEST  49884        587        192.168.2.4      116.202.174.203
                                                       Oct 14, 2021 08:47:06.345870972 CEST  587          49884      116.202.174.203  192.168.2.4
                                                       Oct 14, 2021 08:47:06.345899105 CEST  587          49884      116.202.174.203  192.168.2.4
                                                       Oct 14, 2021 08:47:06.347266912 CEST  587          49884      116.202.174.203  192.168.2.4
                                                       Oct 14, 2021 08:47:06.347373962 CEST  587          49884      116.202.174.203  192.168.2.4
                                                       Oct 14, 2021 08:47:06.348305941 CEST  587          49884      116.202.174.203  192.168.2.4
                                                       Oct 14, 2021 08:47:06.390258074 CEST  49884        587        192.168.2.4      116.202.174.203

                                                      UDP Packets

                                                       Timestamp                             Source Port  Dest Port  Source IP    Dest IP
                                                       Oct 14, 2021 08:47:04.976264000 CEST  62420        53         192.168.2.4  8.8.8.8
                                                       Oct 14, 2021 08:47:05.003859997 CEST  53           62420      8.8.8.8      192.168.2.4
                                                       Oct 14, 2021 08:47:05.035196066 CEST  60579        53         192.168.2.4  8.8.8.8
                                                       Oct 14, 2021 08:47:05.062493086 CEST  53           60579      8.8.8.8      192.168.2.4

                                                      DNS Queries

                                                       Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                  Type            Class
                                                       Oct 14, 2021 08:47:04.976264000 CEST  192.168.2.4  8.8.8.8  0x6a38    Standard query (0)  mail.croatiahunt.com  A (IP address)  IN (0x0001)
                                                       Oct 14, 2021 08:47:05.035196066 CEST  192.168.2.4  8.8.8.8  0xc729    Standard query (0)  mail.croatiahunt.com  A (IP address)  IN (0x0001)

                                                      DNS Answers

                                                       Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name                       CName            Address          Type                    Class
                                                       Oct 14, 2021 08:45:57.393074989 CEST  8.8.8.8    192.168.2.4  0x91c9    No error (0)  windowsupdate.s.llnwi.net                   178.79.242.0     A (IP address)          IN (0x0001)
                                                       Oct 14, 2021 08:47:05.003859997 CEST  8.8.8.8    192.168.2.4  0x6a38    No error (0)  mail.croatiahunt.com       croatiahunt.com                   CNAME (Canonical name)  IN (0x0001)
                                                       Oct 14, 2021 08:47:05.003859997 CEST  8.8.8.8    192.168.2.4  0x6a38    No error (0)  croatiahunt.com                             116.202.174.203  A (IP address)          IN (0x0001)
                                                       Oct 14, 2021 08:47:05.062493086 CEST  8.8.8.8    192.168.2.4  0xc729    No error (0)  mail.croatiahunt.com       croatiahunt.com                   CNAME (Canonical name)  IN (0x0001)
                                                       Oct 14, 2021 08:47:05.062493086 CEST  8.8.8.8    192.168.2.4  0xc729    No error (0)  croatiahunt.com                             116.202.174.203  A (IP address)          IN (0x0001)

                                                      SMTP Packets

                                                       Timestamp                             Source Port  Dest Port  Source IP        Dest IP          Commands
                                                       Oct 14, 2021 08:47:05.534688950 CEST  587          49884      116.202.174.203  192.168.2.4      220-srv1.kuhada.com ESMTP Exim 4.94.2 #2 Thu, 14 Oct 2021 08:47:05 +0200
                                                                                                                                                       220-We do not authorize the use of this system to transport unsolicited,
                                                                                                                                                       220 and/or bulk e-mail.
                                                       Oct 14, 2021 08:47:05.536415100 CEST  49884        587        192.168.2.4      116.202.174.203  EHLO 980108
                                                       Oct 14, 2021 08:47:05.557899952 CEST  587          49884      116.202.174.203  192.168.2.4      250-srv1.kuhada.com Hello 980108 [102.129.143.33]
                                                                                                                                                       250-SIZE 52428800
                                                                                                                                                       250-8BITMIME
                                                                                                                                                       250-PIPELINING
                                                                                                                                                       250-PIPE_CONNECT
                                                                                                                                                       250-AUTH PLAIN LOGIN
                                                                                                                                                       250-STARTTLS
                                                                                                                                                       250 HELP
                                                       Oct 14, 2021 08:47:05.558201075 CEST  49884        587        192.168.2.4      116.202.174.203  STARTTLS
                                                       Oct 14, 2021 08:47:05.581259966 CEST  587          49884      116.202.174.203  192.168.2.4      220 TLS go ahead


                                                      System Behavior

                                                      General

                                                      Start time:08:45:09
                                                      Start date:14/10/2021
                                                      Path:C:\Users\user\Desktop\vbc.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:'C:\Users\user\Desktop\vbc.exe'
                                                      Imagebase:0x340000
                                                      File size:564736 bytes
                                                      MD5 hash:A665B705B9381B33AAA9E307FE340AF7
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Yara matches:
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.682512073.00000000037B9000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.682512073.00000000037B9000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.681665906.00000000027B1000.00000004.00000001.sdmp, Author: Joe Security
                                                      Reputation:low

                                                      General

                                                      Start time:08:45:18
                                                      Start date:14/10/2021
                                                      Path:C:\Users\user\Desktop\vbc.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Users\user\Desktop\vbc.exe
                                                      Imagebase:0xb70000
                                                      File size:564736 bytes
                                                      MD5 hash:A665B705B9381B33AAA9E307FE340AF7
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Yara matches:
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.928707796.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.928707796.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.931931603.0000000002F41000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.931931603.0000000002F41000.00000004.00000001.sdmp, Author: Joe Security
                                                      Reputation:low

                                                      General

                                                      Start time:08:45:54
                                                      Start date:14/10/2021
                                                      Path:C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:'C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe'
                                                      Imagebase:0x230000
                                                      File size:564736 bytes
                                                      MD5 hash:A665B705B9381B33AAA9E307FE340AF7
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Yara matches:
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.766014828.0000000003539000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000B.00000002.766014828.0000000003539000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000B.00000002.765416031.0000000002531000.00000004.00000001.sdmp, Author: Joe Security
                                                      Antivirus matches:
                                                      • Detection: 23%, Metadefender, Browse
                                                      • Detection: 44%, ReversingLabs
                                                      Reputation:low

                                                      General

                                                      Start time:08:45:56
                                                      Start date:14/10/2021
                                                      Path:C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe
                                                      Imagebase:0x470000
                                                      File size:564736 bytes
                                                      MD5 hash:A665B705B9381B33AAA9E307FE340AF7
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Yara matches:
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.928744553.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000E.00000002.928744553.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.931844597.00000000029A1000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.931844597.00000000029A1000.00000004.00000001.sdmp, Author: Joe Security
                                                      Reputation:low

                                                      General

                                                      Start time:08:46:02
                                                      Start date:14/10/2021
                                                      Path:C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:'C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe'
                                                      Imagebase:0x40000
                                                      File size:564736 bytes
                                                      MD5 hash:A665B705B9381B33AAA9E307FE340AF7
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Yara matches:
                                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000010.00000002.786078448.0000000002481000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.786781735.0000000003489000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000010.00000002.786781735.0000000003489000.00000004.00000001.sdmp, Author: Joe Security
                                                      Reputation:low

                                                      General

                                                      Start time:08:46:06
                                                      Start date:14/10/2021
                                                      Path:C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe
                                                      Imagebase:0x30000
                                                      File size:564736 bytes
                                                      MD5 hash:A665B705B9381B33AAA9E307FE340AF7
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:low

                                                      General

                                                      Start time:08:46:06
                                                      Start date:14/10/2021
                                                      Path:C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe
                                                      Imagebase:0x5e0000
                                                      File size:564736 bytes
                                                      MD5 hash:A665B705B9381B33AAA9E307FE340AF7
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Yara matches:
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.928744367.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000012.00000002.928744367.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.931305015.0000000002991000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.931305015.0000000002991000.00000004.00000001.sdmp, Author: Joe Security
                                                      Reputation:low
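The process blocks above give, for each process the sandbox followed, the on-disk hash and the Yara rules that fired on its memory dumps. The script below is an added example, not part of this report and not Joe Sandbox code: it parses a constructed excerpt of these blocks (values copied from the page) and extracts the two facts a responder wants first, namely that the copy under AppData\Roaming\BnevyAj carries the same MD5 as the submitted sample (self-copy persistence), and that the AgentTesla match at 0x402000 sits in a dump whose protection field is 0x40 (PAGE_EXECUTE_READWRITE, i.e. code written at runtime) while the remaining matches are in 0x04 (PAGE_READWRITE) heap. Reading the dotted dump name as process index / base address / protection in fields 0, 3 and 4 is an assumption; field 3 is supported by the Memory Dump Source entries on this page, where it equals the listed offset. The field names and helper functions are mine.

```python
"""Triage helper for the per-process "General" blocks of this report.

Added example: not part of the report and not Joe Sandbox code. REPORT is a
constructed excerpt assembled from values shown on this page.
"""
import re
from collections import defaultdict

# Page-protection constants from winnt.h.
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READWRITE = 0x40

# Constructed excerpt: the submitted sample and one instance of its dropped copy.
REPORT = r"""
General

Commandline:C:\Users\user\Desktop\vbc.exe
Imagebase:0xb70000
MD5 hash:A665B705B9381B33AAA9E307FE340AF7
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.928707796.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.931931603.0000000002F41000.00000004.00000001.sdmp, Author: Joe Security

General

Start time:08:45:54
Start date:14/10/2021
Path:C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe
Commandline:'C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe'
MD5 hash:A665B705B9381B33AAA9E307FE340AF7
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.766014828.0000000003539000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000B.00000002.765416031.0000000002531000.00000004.00000001.sdmp, Author: Joe Security
"""

YARA_RE = re.compile(r"Rule:\s*(?P<rule>[^,]+),.*?Source:\s*(?P<source>\S+?\.sdmp)")


def parse_source(source):
    """Split a dotted .sdmp name into the fields this script uses.

    Assumption: field 0 is the sandbox process index, field 3 the dump's base
    address and field 4 its page protection, all hexadecimal (field 3 matches
    the "Offset" shown under Memory Dump Source on the page).
    """
    parts = source.split(".")
    return {"process_index": int(parts[0], 16),
            "base": int(parts[3], 16),
            "protection": int(parts[4], 16)}


def parse_processes(text):
    """Return one dict per "General" block: path, MD5 and parsed Yara hits."""
    procs = []
    for chunk in re.split(r"^General\s*$", text, flags=re.M):
        fields, hits = {}, []
        for line in chunk.splitlines():
            line = line.strip()
            m = YARA_RE.search(line)
            if m:
                hit = {"rule": m.group("rule").strip()}
                hit.update(parse_source(m.group("source")))
                hits.append(hit)
            elif ":" in line:                      # "Key:Value" rows
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        if "MD5 hash" in fields:
            # The sample's own block carries no Path row, so fall back to the command line.
            path = fields.get("Path") or fields["Commandline"].strip("'")
            procs.append({"path": path, "md5": fields["MD5 hash"].upper(), "yara": hits})
    return procs


def self_copies(procs):
    """Paths that carry the first process's MD5 but live elsewhere: the persistence copy."""
    first = procs[0]
    return sorted({p["path"] for p in procs
                   if p["md5"] == first["md5"] and p["path"].lower() != first["path"].lower()})


def executable_hits(procs):
    """Yara hits inside PAGE_EXECUTE_READWRITE dumps: code unpacked or written at runtime."""
    return [(p["path"], h["rule"], h["base"])
            for p in procs for h in p["yara"] if h["protection"] & PAGE_EXECUTE_READWRITE]


def families(procs):
    """Map each path to the family names of its rules (vendor prefix and rule number stripped)."""
    out = defaultdict(set)
    for p in procs:
        for h in p["yara"]:
            out[p["path"]].add(re.sub(r"^JoeSecurity_|_\d+$", "", h["rule"]))
    return dict(out)


if __name__ == "__main__":
    procs = parse_processes(REPORT)
    print("persistence copies:", self_copies(procs))
    print("hits in RWX memory:", executable_hits(procs))
    for path, fams in families(procs).items():
        print(path, "->", sorted(fams))
```

On a full report the same parser runs over every process block; the RWX filter is what separates the in-memory unpacked payload, where the AgentTesla signature actually lives, from the PAGE_READWRITE heap dumps whose strings also trip the rule, and the family map shows that the sandbox-detection rule (AntiVM_3) fires only in the dropped copy's instances.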

                                                      Disassembly

                                                      Code Analysis


                                                        Execution Graph

                                                        Execution Coverage:9.2%
                                                        Dynamic/Decrypted Code Coverage:100%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:99
                                                        Total number of Limit Nodes:7

                                                        Graph

                                                        execution_graph: node and edge listing condensed; entry nodes ad52b8, ada1d8, adc5d0 and 6e60930; Windows APIs reached from the graph: LoadLibraryExW, GetModuleHandleW, PostMessageW, DuplicateHandle

                                                        Executed Functions

                                                        Control-flow Graph

                                                        control_flow_graph: function ada2d0 (basic blocks ada2d0 to ada540; calls ad9d3c, ada548/ada558, ad9d48, ad9d58, ad9d68 and ad9d78; GetModuleHandleW in block ada4f8-ada523)
                                                        APIs
                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 00ADA516
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.681086956.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_ad0000_vbc.jbxd
                                                        Similarity
                                                        • API ID: HandleModule
                                                        • String ID:
                                                        • API String ID: 4139908857-0
                                                        • Opcode ID: fd198712c0154c64baaa557c458417f9599fcc851dd5f30dd30c03a52e1547af
                                                        • Instruction ID: a0bd81351ab57119af749e6a8c17c7480419dddba67f57f74438f0237783cf56
                                                        • Opcode Fuzzy Hash: fd198712c0154c64baaa557c458417f9599fcc851dd5f30dd30c03a52e1547af
                                                        • Instruction Fuzzy Hash: 23711274A00B058FDB24DF6AD14579AB7F2BF88304F00892ED48ADBB50DB75E9458F92
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        control_flow_graph: function adaffc (basic blocks adaffc to adc8b2; DuplicateHandle in block adaffc-adc88c)
                                                        APIs
                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00ADC7BE,?,?,?,?,?), ref: 00ADC87F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.681086956.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_ad0000_vbc.jbxd
                                                        Similarity
                                                        • API ID: DuplicateHandle
                                                        • String ID:
                                                        • API String ID: 3793708945-0
                                                        • Opcode ID: 3472dd51c26c8cb25739ea29e7d62f0aab0c7d50ca3ce62b071e3bb6ad82d267
                                                        • Instruction ID: c4f03edf84b984d34009158b294a8e396a8c0eb8c44299850797e8ba762192c7
                                                        • Opcode Fuzzy Hash: 3472dd51c26c8cb25739ea29e7d62f0aab0c7d50ca3ce62b071e3bb6ad82d267
                                                        • Instruction Fuzzy Hash: B221E9B5D00209AFDB10CF99D884ADEBBF8FB48324F14846AE915B7310D374A944DFA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        control_flow_graph: function adc7f0 (basic blocks adc7f0 to adc8b2; DuplicateHandle in block adc7f0-adc88c)
                                                        APIs
                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00ADC7BE,?,?,?,?,?), ref: 00ADC87F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.681086956.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_ad0000_vbc.jbxd
                                                        Similarity
                                                        • API ID: DuplicateHandle
                                                        • String ID:
                                                        • API String ID: 3793708945-0
                                                        • Opcode ID: f33073737d60acfc90a86cefdab28fdc2c46547fbb38521793fdcc2fd3084401
                                                        • Instruction ID: 6e7c930597f335718cd5ea9a370238af6335f0b1715710688210eb94b3ddb183
                                                        • Opcode Fuzzy Hash: f33073737d60acfc90a86cefdab28fdc2c46547fbb38521793fdcc2fd3084401
                                                        • Instruction Fuzzy Hash: 702114B5D00209DFDB10CFA9D484AEEBBF5FB08320F14846AE959A3350C778A954DF64
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        control_flow_graph: function ad9da0 (basic blocks ad9da0 to ada7d5; LoadLibraryExW in block ada780-ada7af)
                                                        APIs
                                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00ADA591,00000800,00000000,00000000), ref: 00ADA7A2
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.681086956.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_ad0000_vbc.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: 2e63d5ad621104891d55ddbd2bbf68e2e19683bb137b0e80a1901512cc31d0b3
                                                        • Instruction ID: cb49a893da1569f9f4584743640bb58b3b23b442c7b3af566a808ab4f8069518
                                                        • Opcode Fuzzy Hash: 2e63d5ad621104891d55ddbd2bbf68e2e19683bb137b0e80a1901512cc31d0b3
                                                        • Instruction Fuzzy Hash: A71114B69002089FDB10CF9AD448BDEFBF8EB98324F14842AD51AB7300C375A945CFA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        control_flow_graph: function ada731 (basic blocks ada731 to ada7d5; LoadLibraryExW in block ada780-ada7af)
                                                        APIs
                                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00ADA591,00000800,00000000,00000000), ref: 00ADA7A2
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.681086956.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_ad0000_vbc.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: e008ddfab9a3a62a46ca46f46a40eb7ff625ca90824c150face67e678c35c13b
                                                        • Instruction ID: 99857792737b6a6829efdf8316c7715f899052949a8e44c8a618b394bb21927e
                                                        • Opcode Fuzzy Hash: e008ddfab9a3a62a46ca46f46a40eb7ff625ca90824c150face67e678c35c13b
                                                        • Instruction Fuzzy Hash: BB1126B6D002498FDB10CF99D444BDEFBF5AF48314F14842ED95AA7600C374A545CFA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        control_flow_graph: function ada4b0 (basic blocks ada4b0 to ada540; GetModuleHandleW in block ada4f8-ada523)
                                                        APIs
                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 00ADA516
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.681086956.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_ad0000_vbc.jbxd
                                                        Similarity
                                                        • API ID: HandleModule
                                                        • String ID:
                                                        • API String ID: 4139908857-0
                                                        • Opcode ID: e4f0043666904d6596d7a53cb043ea41ad321329e4d966d3766ad9f5af4e453c
                                                        • Instruction ID: 96280dfe06c0d24c4c712e075fa4ed05e770b2b1a0b47a700b9a657118eeba3d
                                                        • Opcode Fuzzy Hash: e4f0043666904d6596d7a53cb043ea41ad321329e4d966d3766ad9f5af4e453c
                                                        • Instruction Fuzzy Hash: 9511D2B5D006498FDB10CF9AD448BDEFBF4EB48324F14846AD46AB7600C375A545CFA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        control_flow_graph: function 6e614da (basic blocks 6e614da to 6e61567; PostMessageW in block 6e614da-6e6154a)
                                                        APIs
                                                        • PostMessageW.USER32(?,?,?,?), ref: 06E6153D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.686631313.0000000006E60000.00000040.00000001.sdmp, Offset: 06E60000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e60000_vbc.jbxd
                                                        Similarity
                                                        • API ID: MessagePost
                                                        • String ID:
                                                        • API String ID: 410705778-0
                                                        • Opcode ID: 4fcf9a05b3820db01b33a08577ce2b36d230e0a73a2d2f259957431c45f4aab6
                                                        • Instruction ID: 40ba16f9643599c06d7520a2c79a7d97d544e09f177e5bb407f35033af9853b7
                                                        • Opcode Fuzzy Hash: 4fcf9a05b3820db01b33a08577ce2b36d230e0a73a2d2f259957431c45f4aab6
                                                        • Instruction Fuzzy Hash: 9D1103B59003499FDB10DF99D889BDFFBF8EB48324F14841AE559A7600C374A584CFA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        control_flow_graph: function 6e614e0 (basic blocks 6e614e0 to 6e61567; PostMessageW in block 6e614e0-6e6154a)
                                                        APIs
                                                        • PostMessageW.USER32(?,?,?,?), ref: 06E6153D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.686631313.0000000006E60000.00000040.00000001.sdmp, Offset: 06E60000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_6e60000_vbc.jbxd
                                                        Similarity
                                                        • API ID: MessagePost
                                                        • String ID:
                                                        • API String ID: 410705778-0
                                                        • Opcode ID: 09a1e164bd44e9a8b22d3c4c8dc060baa00d551be343c39432100b7fd44aced7
                                                        • Instruction ID: a25ad14dbd6d0a7c95732abd1e91579f4a4ddc5c13a199d03b49d9bf4f25a3fb
                                                        • Opcode Fuzzy Hash: 09a1e164bd44e9a8b22d3c4c8dc060baa00d551be343c39432100b7fd44aced7
                                                        • Instruction Fuzzy Hash: A211D3B59003499FDB10DF9AD889BDEFBF8EB48324F14845AE555A7200C375A584CFA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Non-executed Functions

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.681086956.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_ad0000_vbc.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bd4d517a311f746d7c3c9b8469bf4ffe8b580c68e49ccc41fb774c2fc74896fb
                                                        • Instruction ID: 0c353e6942c3d3120d819fc5b288376584d69a6aa2433b078980ef40e8a4f53e
                                                        • Opcode Fuzzy Hash: bd4d517a311f746d7c3c9b8469bf4ffe8b580c68e49ccc41fb774c2fc74896fb
                                                        • Instruction Fuzzy Hash: D312B7F9E917468BE710CF65E8881893FE1B765328BD0CA0BD2611BAD1D7B4116ECF48
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.681086956.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_ad0000_vbc.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 99d2d4fecec87de881e8af78da902b8d9b9f01a9017149bc20c9ca0473a2afde
                                                        • Instruction ID: b536a71a99cce133c45dfe33a073fd393636b92f2974c0448a42290744c1c751
                                                        • Opcode Fuzzy Hash: 99d2d4fecec87de881e8af78da902b8d9b9f01a9017149bc20c9ca0473a2afde
                                                        • Instruction Fuzzy Hash: 87A15C36E0021A8FCF15DFA5C9449DEBBF2FF85310B15856AE906AB321EB31A955CB40
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.681086956.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_ad0000_vbc.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 92332ec51dc644e434f4f71d8b87701b2193c97098aa2c75ce533f0f8cf672a8
                                                        • Instruction ID: 525a4596a83232c2d5a04c1737cb8ecf8124b4bcee28e6ab8c767c7b10cecfcb
                                                        • Opcode Fuzzy Hash: 92332ec51dc644e434f4f71d8b87701b2193c97098aa2c75ce533f0f8cf672a8
                                                        • Instruction Fuzzy Hash: E7C109B9E917458BD710CF65E8882897FF1BB65328F91CB0BD2612B6D0D7B4106ACF48
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Execution Graph

                                                        Execution Coverage: 13.4%
                                                        Dynamic/Decrypted Code Coverage: 100%
                                                        Signature Coverage: 0%
                                                        Total number of Nodes: 153
                                                        Total number of Limit Nodes: 9

                                                        Graph


                                                        Executed Functions

                                                        Control-flow Graph

                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.930593886.00000000014B0000.00000040.00000010.sdmp, Offset: 014B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_14b0000_vbc.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: acc41420b28f3446ae0edf42c6e0224d0a6fd37432cd193e2b9065540b15d551
                                                        • Instruction ID: cac49283b40225c4a4f8124add88338683d18a1b411e63a558c4b45036aa36db
                                                        • Opcode Fuzzy Hash: acc41420b28f3446ae0edf42c6e0224d0a6fd37432cd193e2b9065540b15d551
                                                        • Instruction Fuzzy Hash: 96F13A34A002098FDB14DFA9C898BEEBBF2FF48314F15856AE405AF365DB70A945CB51
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        • GetCurrentProcess.KERNEL32 ref: 02F069A0
                                                        • GetCurrentThread.KERNEL32 ref: 02F069DD
                                                        • GetCurrentProcess.KERNEL32 ref: 02F06A1A
                                                        • GetCurrentThreadId.KERNEL32 ref: 02F06A73
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.931743381.0000000002F00000.00000040.00000001.sdmp, Offset: 02F00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_2f00000_vbc.jbxd
                                                        Similarity
                                                        • API ID: Current$ProcessThread
                                                        • String ID:
                                                        • API String ID: 2063062207-0
                                                        • Opcode ID: 1146c8d830c235d6cda585dd1081fb145142919645644c0a720538f18bb97f64
                                                        • Instruction ID: e641ba700fa0ef076d951a86debf5eacf9cbeb2a39ed8209fb9fd1041548a0e5
                                                        • Opcode Fuzzy Hash: 1146c8d830c235d6cda585dd1081fb145142919645644c0a720538f18bb97f64
                                                        • Instruction Fuzzy Hash: 3F5157B4D002499FDB14CFA9D9887EEBBF9EF48304F208469E119A7390D7746884CF65
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 02F04116
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.931743381.0000000002F00000.00000040.00000001.sdmp, Offset: 02F00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_2f00000_vbc.jbxd
                                                        Similarity
                                                        • API ID: HandleModule
                                                        • String ID:
                                                        • API String ID: 4139908857-0
                                                        • Opcode ID: 3c08bcac882111dc37484efdc1ea53550c6fc8041982b01fe8af0e4a6c362a45
                                                        • Instruction ID: 0e058b2115d7cb2cb4df2b0ecc711ae97fff79f216c3a32138cf5b1c03506782
                                                        • Opcode Fuzzy Hash: 3c08bcac882111dc37484efdc1ea53550c6fc8041982b01fe8af0e4a6c362a45
                                                        • Instruction Fuzzy Hash: 51C17D74A007058FCB18EFB9C4946AEBBF6FF88344B00896AD516DB795DF34E8458B90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02F051A2
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.931743381.0000000002F00000.00000040.00000001.sdmp, Offset: 02F00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_2f00000_vbc.jbxd
                                                        Similarity
                                                        • API ID: CreateWindow
                                                        • String ID:
                                                        • API String ID: 716092398-0
                                                        • Opcode ID: 889b50d21e809055ad9ea3b506dba4cb82088f319b24f4c28247f6f10682c325
                                                        • Instruction ID: 9630f347ecf2583d6af1db073cebf292d7a19b2008f4683f87fa0d263938b06b
                                                        • Opcode Fuzzy Hash: 889b50d21e809055ad9ea3b506dba4cb82088f319b24f4c28247f6f10682c325
                                                        • Instruction Fuzzy Hash: 4841C3B1D003089FDF14CF99D884ADEBBB5BF48354F64812AE919AB250D7B59845CF90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02F051A2
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.931743381.0000000002F00000.00000040.00000001.sdmp, Offset: 02F00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_2f00000_vbc.jbxd
                                                        Similarity
                                                        • API ID: CreateWindow
                                                        • String ID:
                                                        • API String ID: 716092398-0
                                                        • Opcode ID: f3619b62f01a06956ba47f25469c99543a40205c4f10298228224e6e3def0582
                                                        • Instruction ID: 7a622196d3b0930dd43ee945be98bdd7cda3f18b32e50dee689bfb2a3e99a27e
                                                        • Opcode Fuzzy Hash: f3619b62f01a06956ba47f25469c99543a40205c4f10298228224e6e3def0582
                                                        • Instruction Fuzzy Hash: 8251E2B1D00308DFEF14CF99D884ADEBBB5BF48354F64812AE919AB250D7B09885CF90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        • CallWindowProcW.USER32(?,?,?,?,?), ref: 02F07F09
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.931743381.0000000002F00000.00000040.00000001.sdmp, Offset: 02F00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_2f00000_vbc.jbxd
                                                        Similarity
                                                        • API ID: CallProcWindow
                                                        • String ID:
                                                        • API String ID: 2714655100-0
                                                        • Opcode ID: 9671ddb8ed4e80bc0bcf139ae2c9e4e97158046c3bd1069810f029adea3f9f76
                                                        • Instruction ID: 51f3d1965507236018a460420968e0b1e7c163027a8c01a789a9d38daf8feb42
                                                        • Opcode Fuzzy Hash: 9671ddb8ed4e80bc0bcf139ae2c9e4e97158046c3bd1069810f029adea3f9f76
                                                        • Instruction Fuzzy Hash: 0D414BB5A00205DFCB14DF99C488BAAFBF9FF88314F148499E519AB361C774A841DFA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        • RtlEncodePointer.NTDLL(00000000), ref: 02F0C212
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.931743381.0000000002F00000.00000040.00000001.sdmp, Offset: 02F00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_2f00000_vbc.jbxd
                                                        Similarity
                                                        • API ID: EncodePointer
                                                        • String ID:
                                                        • API String ID: 2118026453-0
                                                        • Opcode ID: 3bd61c37a7f8c966adb429ef479be89fcc832c80b064826726150fa44b54fc7f
                                                        • Instruction ID: 40d21b78865dcd5385161091653b3a065e57973c151c7309a714597e31e46a79
                                                        • Opcode Fuzzy Hash: 3bd61c37a7f8c966adb429ef479be89fcc832c80b064826726150fa44b54fc7f
                                                        • Instruction Fuzzy Hash: B931D4718053448FDB20DFA9E98939EBFF4EB49358F14445AE489AB2C2C7795844CFA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02F06BEF
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.931743381.0000000002F00000.00000040.00000001.sdmp, Offset: 02F00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_2f00000_vbc.jbxd
                                                        Similarity
                                                        • API ID: DuplicateHandle
                                                        • String ID:
                                                        • API String ID: 3793708945-0
                                                        • Opcode ID: 4adbb699a01e88e52f3746f01109a525c2502f2c6dd142a00400d215c5b32c02
                                                        • Instruction ID: 6944cc8ca4aff38a01624d843689adbffb40e1e71d04cc2e71be7c2b61346525
                                                        • Opcode Fuzzy Hash: 4adbb699a01e88e52f3746f01109a525c2502f2c6dd142a00400d215c5b32c02
                                                        • Instruction Fuzzy Hash: C321F3B5D00248AFDB10CFA9D984ADEFBF8FB48324F14842AE915A3350D374A954DFA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02F06BEF
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.931743381.0000000002F00000.00000040.00000001.sdmp, Offset: 02F00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_2f00000_vbc.jbxd
                                                        Similarity
                                                        • API ID: DuplicateHandle
                                                        • String ID:
                                                        • API String ID: 3793708945-0
                                                        • Opcode ID: 252434829ae2fac616d2a17412c8586b34fd375864006d33e5abfdda5eb960db
                                                        • Instruction ID: 2215ba648d955123e97906451889256614562a2314741936d4e3a4b5da885948
                                                        • Opcode Fuzzy Hash: 252434829ae2fac616d2a17412c8586b34fd375864006d33e5abfdda5eb960db
                                                        • Instruction Fuzzy Hash: 8121E2B5D00208AFDB10CFA9D984AEEBBF8FB08364F14842AE955B3350D374A954DF60
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,?,014B7D19,00000800), ref: 014B7DAA
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.930593886.00000000014B0000.00000040.00000010.sdmp, Offset: 014B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_14b0000_vbc.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: e7e58852eb380893c916559bb56203c8f868b1784f5043476ec8283fb81a5f31
                                                        • Instruction ID: a742544ef6c2abe996a2e1bb3df1b4f79d016714e0de3d32a1935325d923d223
                                                        • Opcode Fuzzy Hash: e7e58852eb380893c916559bb56203c8f868b1784f5043476ec8283fb81a5f31
                                                        • Instruction Fuzzy Hash: 9B11EAB69002099FDB10CF9AD484BEEFBF8EB88354F14842AD515B7350C375A546CFA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 307 14b7d39-14b7d80 308 14b7d88-14b7db7 LoadLibraryExW 307->308 309 14b7d82-14b7d85 307->309 310 14b7db9-14b7dbf 308->310 311 14b7dc0-14b7ddd 308->311 309->308 310->311
                                                        APIs
                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,?,014B7D19,00000800), ref: 014B7DAA
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.930593886.00000000014B0000.00000040.00000010.sdmp, Offset: 014B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_14b0000_vbc.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: cb9b1fe94f0df6d2df919636c783509ba6b119f15607ed23c90058eed09bb477
                                                        • Instruction ID: b589f6cfb72ca22e5daeb7dffc3759fdf68df840d6f2f23dbc30d1db87fd3718
                                                        • Opcode Fuzzy Hash: cb9b1fe94f0df6d2df919636c783509ba6b119f15607ed23c90058eed09bb477
                                                        • Instruction Fuzzy Hash: 442106B69002489FDB10CF99D444AEEFBF8EB88360F14842AD555A7650C375A946CFA4
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 314 2f0c198-2f0c1da 317 2f0c1e0 314->317 318 2f0c1dc-2f0c1de 314->318 319 2f0c1e5-2f0c1f0 317->319 318->319 320 2f0c251-2f0c25e 319->320 321 2f0c1f2-2f0c223 RtlEncodePointer 319->321 323 2f0c225-2f0c22b 321->323 324 2f0c22c-2f0c24c 321->324 323->324 324->320
                                                        APIs
                                                        • RtlEncodePointer.NTDLL(00000000), ref: 02F0C212
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.931743381.0000000002F00000.00000040.00000001.sdmp, Offset: 02F00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_2f00000_vbc.jbxd
                                                        Similarity
                                                        • API ID: EncodePointer
                                                        • String ID:
                                                        • API String ID: 2118026453-0
                                                        • Opcode ID: 1030383a2264b1f1ac0f2b101d2961bef27f08887255236cedd35bfb7450b3fa
                                                        • Instruction ID: a623f359d8a9bb5f02627ecb6d7dc13bbf7fedaad40a0710b26ff7385d2f380a
                                                        • Opcode Fuzzy Hash: 1030383a2264b1f1ac0f2b101d2961bef27f08887255236cedd35bfb7450b3fa
                                                        • Instruction Fuzzy Hash: DF11A9719003098FDB20CFA9D58879EBBF8FB48394F20852AD445E7681C7396944CFA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 326 2f03300-2f040f0 328 2f040f2-2f040f5 326->328 329 2f040f8-2f04123 GetModuleHandleW 326->329 328->329 330 2f04125-2f0412b 329->330 331 2f0412c-2f04140 329->331 330->331
                                                        APIs
                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 02F04116
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.931743381.0000000002F00000.00000040.00000001.sdmp, Offset: 02F00000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_2f00000_vbc.jbxd
                                                        Similarity
                                                        • API ID: HandleModule
                                                        • String ID:
                                                        • API String ID: 4139908857-0
                                                        • Opcode ID: e0f800f9c0e0714fd2965d351cd26c5311bfde74d27dbc9839caf30b8c6b621a
                                                        • Instruction ID: 0b4f2633f924d2a26fc5eae0cff9fd0a23c313841535eea79a358b62af0d119a
                                                        • Opcode Fuzzy Hash: e0f800f9c0e0714fd2965d351cd26c5311bfde74d27dbc9839caf30b8c6b621a
                                                        • Instruction Fuzzy Hash: ED1146B6D006498FDB20DF9AD484BDEFBF4EF48254F10842ADA29B7640C375A545CFA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 333 14ba8e8-14bb862 OleInitialize 335 14bb86b-14bb888 333->335 336 14bb864-14bb86a 333->336 336->335
                                                        APIs
                                                        • OleInitialize.OLE32(00000000), ref: 014BB855
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.930593886.00000000014B0000.00000040.00000010.sdmp, Offset: 014B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_14b0000_vbc.jbxd
                                                        Similarity
                                                        • API ID: Initialize
                                                        • String ID:
                                                        • API String ID: 2538663250-0
                                                        • Opcode ID: 13f2d1e474613105b98418fdc541f522f827de938635e9426aa7b4d7ac175ced
                                                        • Instruction ID: 5dcf3c00c85197e96d16e01b57052c368e8e28686268f1fc2a7594fd07aaeddf
                                                        • Opcode Fuzzy Hash: 13f2d1e474613105b98418fdc541f522f827de938635e9426aa7b4d7ac175ced
                                                        • Instruction Fuzzy Hash: 6F1115B59006489FCB20CF99D488BDEFBF8EB48324F24886AD519B7310C375A944CFA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 339 14bb7f8-14bb862 OleInitialize 340 14bb86b-14bb888 339->340 341 14bb864-14bb86a 339->341 341->340
                                                        APIs
                                                        • OleInitialize.OLE32(00000000), ref: 014BB855
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.930593886.00000000014B0000.00000040.00000010.sdmp, Offset: 014B0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_14b0000_vbc.jbxd
                                                        Similarity
                                                        • API ID: Initialize
                                                        • String ID:
                                                        • API String ID: 2538663250-0
                                                        • Opcode ID: ea3f1773e07e9d023940bc2933243ef23881477cdc9fcd902ab087adf75c94b7
                                                        • Instruction ID: 2d98c94ff4c6445b27088e4b2ce3b1be1fa3142ccb16884f7f38a2e6bc07a960
                                                        • Opcode Fuzzy Hash: ea3f1773e07e9d023940bc2933243ef23881477cdc9fcd902ab087adf75c94b7
                                                        • Instruction Fuzzy Hash: 881115B59006498FCB20CFD9E4897DEBBF4EB48324F14882AD519B7710C375A944CFA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.930655304.00000000014CD000.00000040.00000001.sdmp, Offset: 014CD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_14cd000_vbc.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 19bd3adf4a3a4907e501af39ea0e50c95182ce628b655f6ec7c93683842b9b0c
                                                        • Instruction ID: a74433483c49d915d45c5d14c4e746cf5b6418a1cb9ed858fa467ed76400b328
                                                        • Opcode Fuzzy Hash: 19bd3adf4a3a4907e501af39ea0e50c95182ce628b655f6ec7c93683842b9b0c
                                                        • Instruction Fuzzy Hash: 6C2125B9904200DFCB55CF98D8C0B16BBA5FB84B58F20C97ED84A4B356C336D847CAA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.930655304.00000000014CD000.00000040.00000001.sdmp, Offset: 014CD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_14cd000_vbc.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 029b3e22b451d304ae4d725829db579580ff9ffc933480e1a21aa19f8765a0b1
                                                        • Instruction ID: c2690bdd266d089056eddd882bdf857e8a9667c9971ac6cc789a6e4f42f4d183
                                                        • Opcode Fuzzy Hash: 029b3e22b451d304ae4d725829db579580ff9ffc933480e1a21aa19f8765a0b1
                                                        • Instruction Fuzzy Hash: 2B2183755093808FCB12CF24D594716BF71EB46214F28C5EFD8458B667C33A980ACBA2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Non-executed Functions

                                                        Execution Graph

                                                        Execution Coverage:10.4%
                                                        Dynamic/Decrypted Code Coverage:100%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:199
                                                        Total number of Limit Nodes:11

                                                        Graph

                                                        execution_graph 23799 c1c5d0 23800 c1c636 23799->23800 23804 c1c781 23800->23804 23808 c1c790 23800->23808 23801 c1c6e5 23805 c1c790 23804->23805 23811 c1affc 23805->23811 23809 c1affc DuplicateHandle 23808->23809 23810 c1c7be 23809->23810 23810->23801 23812 c1c7f8 DuplicateHandle 23811->23812 23813 c1c7be 23812->23813 23813->23801 23982 6f626c0 23983 6f626de 23982->23983 23984 6f626e8 23982->23984 23987 6f62713 23983->23987 23992 6f62728 23983->23992 23988 6f62728 23987->23988 23991 6f62755 23988->23991 23997 6f61f9c 23988->23997 23991->23984 23993 6f62736 23992->23993 23996 6f62755 23992->23996 23994 6f61f9c FindCloseChangeNotification 23993->23994 23995 6f62751 23994->23995 23995->23984 23996->23984 23998 6f628a0 FindCloseChangeNotification 23997->23998 23999 6f62751 23998->23999 23999->23984 23814 c1a1d8 23815 c1a1e7 23814->23815 23818 c1a2c0 23814->23818 23826 c1a2d0 23814->23826 23819 c1a2e3 23818->23819 23820 c1a2fb 23819->23820 23834 c1a548 23819->23834 23838 c1a558 23819->23838 23820->23815 23821 c1a2f3 23821->23820 23822 c1a4f8 GetModuleHandleW 23821->23822 23823 c1a525 23822->23823 23823->23815 23827 c1a2e3 23826->23827 23829 c1a2fb 23827->23829 23832 c1a548 LoadLibraryExW 23827->23832 23833 c1a558 LoadLibraryExW 23827->23833 23828 c1a2f3 23828->23829 23830 c1a4f8 GetModuleHandleW 23828->23830 23829->23815 23831 c1a525 23830->23831 23831->23815 23832->23828 23833->23828 23835 c1a558 23834->23835 23837 c1a591 23835->23837 23842 c19da0 23835->23842 23837->23821 23839 c1a56c 23838->23839 23840 c1a591 23839->23840 23841 c19da0 LoadLibraryExW 23839->23841 23840->23821 23841->23840 23843 c1a738 LoadLibraryExW 23842->23843 23845 c1a7b1 23843->23845 23845->23837 24000 c152b8 24001 c152d4 24000->24001 24004 c14fb0 24001->24004 24003 c15314 24005 c14fbb 24004->24005 24008 c15234 24005->24008 24007 c15999 24007->24003 24009 c1523f 24008->24009 24012 c15254 24009->24012 24011 c15a95 24011->24007 24013 c1525f 
24012->24013 24016 c15284 24013->24016 24015 c15b7a 24015->24011 24017 c1528f 24016->24017 24020 c15604 24017->24020 24019 c15c79 24019->24015 24022 c1560f 24020->24022 24021 c17e3c 24021->24019 24022->24021 24025 c1c2f8 24022->24025 24030 c1c308 24022->24030 24026 c1c2fd 24025->24026 24027 c1c34d 24026->24027 24035 c1c4a8 24026->24035 24039 c1c4b8 24026->24039 24027->24021 24031 c1c329 24030->24031 24032 c1c34d 24031->24032 24033 c1c4a8 2 API calls 24031->24033 24034 c1c4b8 2 API calls 24031->24034 24032->24021 24033->24032 24034->24032 24037 c1c4ae 24035->24037 24036 c1c4ff 24036->24027 24037->24036 24043 c1af74 24037->24043 24040 c1c4c5 24039->24040 24041 c1c4ff 24040->24041 24042 c1af74 2 API calls 24040->24042 24041->24027 24042->24041 24044 c1af7f 24043->24044 24046 c1d1f8 24044->24046 24047 c1cd94 24044->24047 24046->24046 24048 c1cd9f 24047->24048 24049 c15604 2 API calls 24048->24049 24050 c1d267 24049->24050 24054 c1efda 24050->24054 24060 c1efe8 24050->24060 24051 c1d2a0 24051->24046 24055 c1ef94 24054->24055 24055->24054 24056 c1f025 24055->24056 24057 c1f240 LoadLibraryExW GetModuleHandleW 24055->24057 24058 c1f250 LoadLibraryExW GetModuleHandleW 24055->24058 24059 c1f288 LoadLibraryExW GetModuleHandleW 24055->24059 24056->24051 24057->24056 24058->24056 24059->24056 24062 c1f065 24060->24062 24063 c1f019 24060->24063 24061 c1f025 24061->24051 24062->24051 24063->24061 24064 c1f240 LoadLibraryExW GetModuleHandleW 24063->24064 24065 c1f250 LoadLibraryExW GetModuleHandleW 24063->24065 24066 c1f288 LoadLibraryExW GetModuleHandleW 24063->24066 24064->24062 24065->24062 24066->24062 23846 6cdf020 23847 6cdf042 23846->23847 23848 6cdf654 23847->23848 23850 6cdf750 23847->23850 23851 6cdf765 23850->23851 23854 6cdf790 23851->23854 23855 6cdf7aa 23854->23855 23858 6cdfc60 23855->23858 23856 6cdf77a 23856->23847 23859 6cdfc75 23858->23859 23860 6cdfc8a 23859->23860 23872 6f60816 23859->23872 23877 6f60d8d 23859->23877 23881 6f6050d 23859->23881 23885 6f6070c 
23859->23885 23890 6f60c7c 23859->23890 23896 6f6017e 23859->23896 23899 6f60b9e 23859->23899 23904 6f60930 23859->23904 23913 6f609f3 23859->23913 23916 6f605d3 23859->23916 23919 6f60616 23859->23919 23860->23856 23873 6f60533 23872->23873 23874 6f60833 23872->23874 23922 6cdea10 23873->23922 23878 6f60bdd 23877->23878 23879 6f60c01 23878->23879 23880 6cdea10 WriteProcessMemory 23878->23880 23879->23860 23880->23879 23882 6f60517 23881->23882 23884 6cdea10 WriteProcessMemory 23882->23884 23883 6f60554 23884->23883 23886 6f6071b 23885->23886 23887 6f60268 23886->23887 23926 6f610a3 23886->23926 23930 6f610a8 23886->23930 23891 6f60c89 23890->23891 23938 6f6124f 23891->23938 23946 6f61208 23891->23946 23950 6f61218 23891->23950 23892 6f60268 23962 6cdec98 23896->23962 23900 6f60ba3 23899->23900 23902 6f60268 23900->23902 23903 6cdea10 WriteProcessMemory 23900->23903 23901 6f60c01 23901->23860 23903->23901 23905 6f6093d 23904->23905 23906 6f60cb3 23904->23906 23966 6f611c8 23905->23966 23970 6f611b8 23905->23970 23908 6f6124f 3 API calls 23906->23908 23909 6f61218 ResumeThread 23906->23909 23910 6f61208 ResumeThread 23906->23910 23907 6f60268 23908->23907 23909->23907 23910->23907 23974 6cdeb00 23913->23974 23978 6cde950 23916->23978 23921 6cdea10 WriteProcessMemory 23919->23921 23920 6f60268 23921->23920 23923 6cdea58 WriteProcessMemory 23922->23923 23925 6cdeaaf 23923->23925 23927 6f610bd 23926->23927 23934 6cde878 23927->23934 23931 6f610bd 23930->23931 23933 6cde878 SetThreadContext 23931->23933 23932 6f610d6 23932->23887 23933->23932 23935 6cde8bd SetThreadContext 23934->23935 23937 6cde905 23935->23937 23937->23887 23939 6f61256 23938->23939 23940 6f6121b 23938->23940 23945 6f613eb 23939->23945 23958 6f614e0 PostMessageW 23939->23958 23960 6f614db PostMessageW 23939->23960 23954 6cde7c8 23940->23954 23945->23892 23947 6f6121b 23946->23947 23949 6cde7c8 ResumeThread 23947->23949 23948 6f61243 23948->23892 23949->23948 23951 6f6121b 23950->23951 23953 6cde7c8 
ResumeThread 23951->23953 23952 6f61243 23952->23892 23953->23952 23955 6cde808 ResumeThread 23954->23955 23957 6cde839 23955->23957 23957->23892 23959 6f6154c 23958->23959 23959->23939 23961 6f6154c 23960->23961 23961->23939 23963 6cded21 CreateProcessA 23962->23963 23965 6cdeee3 23963->23965 23967 6f611dd 23966->23967 23969 6cde878 SetThreadContext 23967->23969 23968 6f611f6 23968->23907 23969->23968 23971 6f611c9 23970->23971 23973 6cde878 SetThreadContext 23971->23973 23972 6f611f6 23972->23907 23973->23972 23975 6cdeb4b ReadProcessMemory 23974->23975 23977 6cdeb8f 23975->23977 23979 6cde990 VirtualAllocEx 23978->23979 23981 6cde9cd 23979->23981

                                                        Executed Functions

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 575 6cdec98-6cded2d 577 6cded2f-6cded39 575->577 578 6cded66-6cded86 575->578 577->578 579 6cded3b-6cded3d 577->579 583 6cdedbf-6cdedee 578->583 584 6cded88-6cded92 578->584 581 6cded3f-6cded49 579->581 582 6cded60-6cded63 579->582 585 6cded4d-6cded5c 581->585 586 6cded4b 581->586 582->578 594 6cdee27-6cdeee1 CreateProcessA 583->594 595 6cdedf0-6cdedfa 583->595 584->583 587 6cded94-6cded96 584->587 585->585 588 6cded5e 585->588 586->585 589 6cdedb9-6cdedbc 587->589 590 6cded98-6cdeda2 587->590 588->582 589->583 592 6cdeda4 590->592 593 6cdeda6-6cdedb5 590->593 592->593 593->593 596 6cdedb7 593->596 606 6cdeeea-6cdef70 594->606 607 6cdeee3-6cdeee9 594->607 595->594 597 6cdedfc-6cdedfe 595->597 596->589 599 6cdee21-6cdee24 597->599 600 6cdee00-6cdee0a 597->600 599->594 601 6cdee0c 600->601 602 6cdee0e-6cdee1d 600->602 601->602 602->602 603 6cdee1f 602->603 603->599 617 6cdef80-6cdef84 606->617 618 6cdef72-6cdef76 606->618 607->606 619 6cdef94-6cdef98 617->619 620 6cdef86-6cdef8a 617->620 618->617 621 6cdef78 618->621 623 6cdefa8-6cdefac 619->623 624 6cdef9a-6cdef9e 619->624 620->619 622 6cdef8c 620->622 621->617 622->619 626 6cdefbe-6cdefc5 623->626 627 6cdefae-6cdefb4 623->627 624->623 625 6cdefa0 624->625 625->623 628 6cdefdc 626->628 629 6cdefc7-6cdefd6 626->629 627->626 629->628
                                                        APIs
                                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06CDEECE
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.769824745.0000000006CD0000.00000040.00000001.sdmp, Offset: 06CD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_6cd0000_BnevyAj.jbxd
                                                        Similarity
                                                        • API ID: CreateProcess
                                                        • String ID:
                                                        • API String ID: 963392458-0
                                                        • Opcode ID: 352302f1aca0ad8012db0db8944b3d03b1bb9ea0961190c7f0bc571775d4949b
                                                        • Instruction ID: 3fdfc5e95d0f3297276d37333aed08a89e281c51c993ceba21b1d00b941a07eb
                                                        • Opcode Fuzzy Hash: 352302f1aca0ad8012db0db8944b3d03b1bb9ea0961190c7f0bc571775d4949b
                                                        • Instruction Fuzzy Hash: 62913A71D00219CFDF64CFA8C8807EEBAB2FF48314F148569D919AB290DB749A85CF91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 631 c1a2d0-c1a2d8 632 c1a2e3-c1a2e5 631->632 633 c1a2de call c19d3c 631->633 634 c1a2e7 632->634 635 c1a2fb-c1a2ff 632->635 633->632 685 c1a2ed call c1a548 634->685 686 c1a2ed call c1a558 634->686 636 c1a301-c1a30b 635->636 637 c1a313-c1a354 635->637 636->637 642 c1a361-c1a36f 637->642 643 c1a356-c1a35e 637->643 638 c1a2f3-c1a2f5 638->635 640 c1a430-c1a4f0 638->640 680 c1a4f2-c1a4f5 640->680 681 c1a4f8-c1a523 GetModuleHandleW 640->681 645 c1a371-c1a376 642->645 646 c1a393-c1a395 642->646 643->642 647 c1a381 645->647 648 c1a378-c1a37f call c19d48 645->648 649 c1a398-c1a39f 646->649 652 c1a383-c1a391 647->652 648->652 653 c1a3a1-c1a3a9 649->653 654 c1a3ac-c1a3b3 649->654 652->649 653->654 656 c1a3c0-c1a3c9 call c19d58 654->656 657 c1a3b5-c1a3bd 654->657 661 c1a3d6-c1a3db 656->661 662 c1a3cb-c1a3d3 656->662 657->656 664 c1a3f9-c1a406 661->664 665 c1a3dd-c1a3e4 661->665 662->661 672 c1a429-c1a42f 664->672 673 c1a408-c1a426 664->673 665->664 666 c1a3e6-c1a3f6 call c19d68 call c19d78 665->666 666->664 673->672 680->681 682 c1a525-c1a52b 681->682 683 c1a52c-c1a540 681->683 682->683 685->638 686->638
                                                        APIs
                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 00C1A516
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.765016948.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_c10000_BnevyAj.jbxd
                                                        Similarity
                                                        • API ID: HandleModule
                                                        • String ID:
                                                        • API String ID: 4139908857-0
                                                        • Opcode ID: 1997b6bd022c175cf8c211c95610b371451bd86b1214b397be9e59a27bee038d
                                                        • Instruction ID: 738782615a6b909eea62264fd1c349ba4c1426f9d2f0b8fa4940c8ced0b5a6ae
                                                        • Opcode Fuzzy Hash: 1997b6bd022c175cf8c211c95610b371451bd86b1214b397be9e59a27bee038d
                                                        • Instruction Fuzzy Hash: 0A714570A00B058FDB24DF6AD04579AB7F1FF89304F00892EE09AD7A50D775E985DB92
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 781 6cdea10-6cdea5e 783 6cdea6e-6cdeaad WriteProcessMemory 781->783 784 6cdea60-6cdea6c 781->784 786 6cdeaaf-6cdeab5 783->786 787 6cdeab6-6cdeae6 783->787 784->783 786->787
                                                        APIs
                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06CDEAA0
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.769824745.0000000006CD0000.00000040.00000001.sdmp, Offset: 06CD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_6cd0000_BnevyAj.jbxd
                                                        Similarity
                                                        • API ID: MemoryProcessWrite
                                                        • String ID:
                                                        • API String ID: 3559483778-0
                                                        • Opcode ID: bcee7c3b069bdd14d6474389919a5e9bf6f0329d4cd96b85991e4c152fea04e2
                                                        • Instruction ID: be5be5ae5c643186e878f671eeda9aa35aa64ff27321d7cda13dcade1cd854c2
                                                        • Opcode Fuzzy Hash: bcee7c3b069bdd14d6474389919a5e9bf6f0329d4cd96b85991e4c152fea04e2
                                                        • Instruction Fuzzy Hash: FA2127B59003499FCF10CFA9C884BEEBBF5FF48314F10882AE919A7240D7789944CBA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 791 c1c7f0-c1c88c DuplicateHandle 792 c1c895-c1c8b2 791->792 793 c1c88e-c1c894 791->793 793->792
                                                        APIs
                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00C1C7BE,?,?,?,?,?), ref: 00C1C87F
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.765016948.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_c10000_BnevyAj.jbxd
                                                        Similarity
                                                        • API ID: DuplicateHandle
                                                        • String ID:
                                                        • API String ID: 3793708945-0
                                                        • Opcode ID: cb3ee43eef8ea5b229e266d76e5c2fa42323c2d88034da96aba74b99628646e3
                                                        • Instruction ID: 88627b76e6c5355fc5fbe41475e01a37a11ceae37bf26ddf224f141631fc7889
                                                        • Opcode Fuzzy Hash: cb3ee43eef8ea5b229e266d76e5c2fa42323c2d88034da96aba74b99628646e3
                                                        • Instruction Fuzzy Hash: 4B2105B59002489FDB10CFA9D884ADEFFF8EB48320F14842AE919A7350D374A944DFA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 796 c1affc-c1c88c DuplicateHandle 798 c1c895-c1c8b2 796->798 799 c1c88e-c1c894 796->799 799->798
                                                        APIs
                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00C1C7BE,?,?,?,?,?), ref: 00C1C87F
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.765016948.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_c10000_BnevyAj.jbxd
                                                        Similarity
                                                        • API ID: DuplicateHandle
                                                        • String ID:
                                                        • API String ID: 3793708945-0
                                                        • Opcode ID: 52b17b73171b730727d5a0a69daab560f09ef6dab387e2462ed96184ef923ebe
                                                        • Instruction ID: a986060befce2384086dd6a80517e87611499d5c8fa5ae4ae21a94aceab76cf3
                                                        • Opcode Fuzzy Hash: 52b17b73171b730727d5a0a69daab560f09ef6dab387e2462ed96184ef923ebe
                                                        • Instruction Fuzzy Hash: 9F2119B5D00208AFDB10CF99D884ADEBBF8FB48310F14842AE915B7350D374A944DFA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 812 6cdeb00-6cdeb8d ReadProcessMemory 815 6cdeb8f-6cdeb95 812->815 816 6cdeb96-6cdebc6 812->816 815->816
                                                        APIs
                                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06CDEB80
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.769824745.0000000006CD0000.00000040.00000001.sdmp, Offset: 06CD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_6cd0000_BnevyAj.jbxd
                                                        Similarity
                                                        • API ID: MemoryProcessRead
                                                        • String ID:
                                                        • API String ID: 1726664587-0
                                                        • Opcode ID: 2716e904da49920c6bd6d520b78360c57d7a954816929eedb2c4fbfcd97f6a85
                                                        • Instruction ID: 509b415bbacd16c8c69e0f2d5b03b1a018cf5933ef2615060739d10b7a019168
                                                        • Opcode Fuzzy Hash: 2716e904da49920c6bd6d520b78360c57d7a954816929eedb2c4fbfcd97f6a85
                                                        • Instruction Fuzzy Hash: F02116B19003499FCB10CFA9C884AEEBBF5FF48324F50882AE519A7240C7749944DBA4
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 802 6cde878-6cde8c3 804 6cde8c5-6cde8d1 802->804 805 6cde8d3-6cde903 SetThreadContext 802->805 804->805 807 6cde90c-6cde93c 805->807 808 6cde905-6cde90b 805->808 808->807
                                                        APIs
                                                        • SetThreadContext.KERNELBASE(?,00000000), ref: 06CDE8F6
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.769824745.0000000006CD0000.00000040.00000001.sdmp, Offset: 06CD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_6cd0000_BnevyAj.jbxd
                                                        Similarity
                                                        • API ID: ContextThread
                                                        • String ID:
                                                        • API String ID: 1591575202-0
                                                        • Opcode ID: 4ca179e41ec79a86bf972c2ca2f06c40555ec6fbd84ecf3ac82d830759732b21
                                                        • Instruction ID: 4f91b269fb82c322a0eb399716a795083daea67f9e1c13bb475b64c9bb3888bf
                                                        • Opcode Fuzzy Hash: 4ca179e41ec79a86bf972c2ca2f06c40555ec6fbd84ecf3ac82d830759732b21
                                                        • Instruction Fuzzy Hash: 60214971D003099FDB50CFAAC8847EFBBF9EF48224F54842AD519A7240CB789985CFA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 820 c1a731-c1a778 822 c1a780-c1a7af LoadLibraryExW 820->822 823 c1a77a-c1a77d 820->823 824 c1a7b1-c1a7b7 822->824 825 c1a7b8-c1a7d5 822->825 823->822 824->825
                                                        APIs
                                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00C1A591,00000800,00000000,00000000), ref: 00C1A7A2
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.765016948.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_c10000_BnevyAj.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: b20ed5268fd5de49658b11cd022592ce7b9a8b1e2bdb08cf553684854884d7d0
                                                        • Instruction ID: 18e8dc0c2e7fb9944fcabb075fa331348db8b23cfb77a6cc27e53f832add6ce1
                                                        • Opcode Fuzzy Hash: b20ed5268fd5de49658b11cd022592ce7b9a8b1e2bdb08cf553684854884d7d0
                                                        • Instruction Fuzzy Hash: DC1117B59002499FDB10CFAAD444BDEFBF8AF49324F14842AD515A7200C375A545CFA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 828 c19da0-c1a778 830 c1a780-c1a7af LoadLibraryExW 828->830 831 c1a77a-c1a77d 828->831 832 c1a7b1-c1a7b7 830->832 833 c1a7b8-c1a7d5 830->833 831->830 832->833
                                                        APIs
                                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00C1A591,00000800,00000000,00000000), ref: 00C1A7A2
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.765016948.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_c10000_BnevyAj.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad
                                                        • String ID:
                                                        • API String ID: 1029625771-0
                                                        • Opcode ID: 74fca1b38d4d6cef2f8cd7a7d7bd6822ba4eed793a2226f7163da8c755b61e47
                                                        • Instruction ID: de0cbcc86c94bf52136020764b76e8650babf4896000d31aa4bbfdc6794f7451
                                                        • Opcode Fuzzy Hash: 74fca1b38d4d6cef2f8cd7a7d7bd6822ba4eed793a2226f7163da8c755b61e47
                                                        • Instruction Fuzzy Hash: 1A1117B69012499FDB10CF9AD444BDEFBF4EB48324F14842AD525A7240C375AA85CFA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 836 6cde950-6cde9cb VirtualAllocEx 839 6cde9cd-6cde9d3 836->839 840 6cde9d4-6cde9f9 836->840 839->840
                                                        APIs
                                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06CDE9BE
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.769824745.0000000006CD0000.00000040.00000001.sdmp, Offset: 06CD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_6cd0000_BnevyAj.jbxd
                                                        Similarity
                                                        • API ID: AllocVirtual
                                                        • String ID:
                                                        • API String ID: 4275171209-0
                                                        • Opcode ID: 781a2c958c0eaf03f4e301c8355326c778707188a2bef3f4380e73c665eaec88
                                                        • Instruction ID: 9daa405f657a02b1bc5d7a775334694a000cf359a8d3af27f0eb8d7feb03ccd5
                                                        • Opcode Fuzzy Hash: 781a2c958c0eaf03f4e301c8355326c778707188a2bef3f4380e73c665eaec88
                                                        • Instruction Fuzzy Hash: C11149759002499FCF10DFA9D844BEFBBF9EF48324F14882AD515A7250C7759944CFA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,06F62751,?,?), ref: 06F628F8
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.770136509.0000000006F60000.00000040.00000001.sdmp, Offset: 06F60000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_6f60000_BnevyAj.jbxd
                                                        Similarity
                                                        • API ID: ChangeCloseFindNotification
                                                        • String ID:
                                                        • API String ID: 2591292051-0
                                                        • Opcode ID: 737c2abf8658991fa1242b0f0ca9cae12de910eaa545d20ba2ec1057455442b9
                                                        • Instruction ID: 9188c73d79396868818d4d27852bc95cfcb3b3236540d89d0f2c911fc7e8fc0d
                                                        • Opcode Fuzzy Hash: 737c2abf8658991fa1242b0f0ca9cae12de910eaa545d20ba2ec1057455442b9
                                                        • Instruction Fuzzy Hash: 71116AB18003498FDB10CF9AC4447DEBBF4EB48324F10842AE555B7340C338A644CFA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,06F62751,?,?), ref: 06F628F8
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.770136509.0000000006F60000.00000040.00000001.sdmp, Offset: 06F60000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_6f60000_BnevyAj.jbxd
                                                        Similarity
                                                        • API ID: ChangeCloseFindNotification
                                                        • String ID:
                                                        • API String ID: 2591292051-0
                                                        • Opcode ID: b5672db12bee7155d7f52ef848dcab6e95fa624e944e2b9be14f4d3cf7a2756b
                                                        • Instruction ID: 9b34f281fd1976e571ab4072e86cb03cb77d55b2ba2f7f8058da17ea28a339c6
                                                        • Opcode Fuzzy Hash: b5672db12bee7155d7f52ef848dcab6e95fa624e944e2b9be14f4d3cf7a2756b
                                                        • Instruction Fuzzy Hash: 62113AB58003499FCB10CFA9D845BDEBBF4EB48324F14842AD555A7640C778A584CFA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.769824745.0000000006CD0000.00000040.00000001.sdmp, Offset: 06CD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_6cd0000_BnevyAj.jbxd
                                                        Similarity
                                                        • API ID: ResumeThread
                                                        • String ID:
                                                        • API String ID: 947044025-0
                                                        • Opcode ID: 2f6ad1ea69cbfc51d57e0bee7bfab76be87633f8c3f2cea2b220ef3a2d039a07
                                                        • Instruction ID: df6f8af903c03aaa466787a97597c615adbe66810193c25849eb8aae9fc5f2cb
                                                        • Opcode Fuzzy Hash: 2f6ad1ea69cbfc51d57e0bee7bfab76be87633f8c3f2cea2b220ef3a2d039a07
                                                        • Instruction Fuzzy Hash: 84113AB1D002488BCB14DFAAD8447EFFBF9EF48224F14882AC519A7240C775A944CFA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 00C1A516
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.765016948.0000000000C10000.00000040.00000001.sdmp, Offset: 00C10000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_c10000_BnevyAj.jbxd
                                                        Similarity
                                                        • API ID: HandleModule
                                                        • String ID:
                                                        • API String ID: 4139908857-0
                                                        • Opcode ID: f940dcb2bcecc1d723ae24f94cc9df891234219b0891a08bf50da41ec6188f3b
                                                        • Instruction ID: f20071352d294bc65bef30868b31e038af45e0ec5be6edcba3d99147a3695936
                                                        • Opcode Fuzzy Hash: f940dcb2bcecc1d723ae24f94cc9df891234219b0891a08bf50da41ec6188f3b
                                                        • Instruction Fuzzy Hash: DE11D2B5D006498FDB10CF9AD444BDEFBF5EB49324F14842AD429B7600C375A585CFA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • PostMessageW.USER32(?,?,?,?), ref: 06F6153D
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.770136509.0000000006F60000.00000040.00000001.sdmp, Offset: 06F60000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_6f60000_BnevyAj.jbxd
                                                        Similarity
                                                        • API ID: MessagePost
                                                        • String ID:
                                                        • API String ID: 410705778-0
                                                        • Opcode ID: 45e2f7211612250d2d31da670dd07eec3ccbccd59de84f4e398798021393faee
                                                        • Instruction ID: 16dad09a3edde311e0bdc637a08aeef1e08227e8a04934644a31f35e90a06aba
                                                        • Opcode Fuzzy Hash: 45e2f7211612250d2d31da670dd07eec3ccbccd59de84f4e398798021393faee
                                                        • Instruction Fuzzy Hash: F011E5B58002499FDB10DF9AD885BDEFFF8EB48324F14841AE559A7600D375A984CFA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • PostMessageW.USER32(?,?,?,?), ref: 06F6153D
                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.770136509.0000000006F60000.00000040.00000001.sdmp, Offset: 06F60000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_6f60000_BnevyAj.jbxd
                                                        Similarity
                                                        • API ID: MessagePost
                                                        • String ID:
                                                        • API String ID: 410705778-0
                                                        • Opcode ID: 7a1ee5483defc64f0df442d1cdd7b800928ac73aa6ec5a3525822060ef347cd4
                                                        • Instruction ID: 2c47a38dc61bda487f4ea3e8c65abe178991647bb338f094cd5faedd0e4a9ebd
                                                        • Opcode Fuzzy Hash: 7a1ee5483defc64f0df442d1cdd7b800928ac73aa6ec5a3525822060ef347cd4
                                                        • Instruction Fuzzy Hash: 8411E5B58003499FDB10CF9AD885BDEFBF8EB48324F14841AE555A7600C375A984CFA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.764799477.0000000000A7D000.00000040.00000001.sdmp, Offset: 00A7D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_a7d000_BnevyAj.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2c7f8e3e202e0b6df46450fb73ce1a9d4e944f18c9f945088d9c2f589313adcd
                                                        • Instruction ID: 9ee4ca14d209659ab05556c6a6fad26914416534986ddec42182711f6a358e7b
                                                        • Opcode Fuzzy Hash: 2c7f8e3e202e0b6df46450fb73ce1a9d4e944f18c9f945088d9c2f589313adcd
                                                        • Instruction Fuzzy Hash: 0E21F2B5604204EFDB01DF50D9C0BA6BBB5FF84314F24CAADE84D5B242C336E846CAA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.764799477.0000000000A7D000.00000040.00000001.sdmp, Offset: 00A7D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_a7d000_BnevyAj.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 53a57a5a708141e96c67b3158c2a219f69a3eac741f76a9f9a25e25dc3e3ff98
                                                        • Instruction ID: 461f4c65aa2680df4631595b84356107c960bd3e1e58a94803b31e3aeeb36ab3
                                                        • Opcode Fuzzy Hash: 53a57a5a708141e96c67b3158c2a219f69a3eac741f76a9f9a25e25dc3e3ff98
                                                        • Instruction Fuzzy Hash: 0721CF755042449FCB14DF24D9C4B66BBB9FB84314F24C969D84E4B246C33AD847CA61
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.764799477.0000000000A7D000.00000040.00000001.sdmp, Offset: 00A7D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_a7d000_BnevyAj.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b86f2de99ec1161d51e18b5338a86f7dc671da5c7bfce76c4b26265ca7ca4586
                                                        • Instruction ID: b8ee9c853fbb94b67660369ea9e26fddd5cdcdab4c6f4369521e7cb4afdfed2e
                                                        • Opcode Fuzzy Hash: b86f2de99ec1161d51e18b5338a86f7dc671da5c7bfce76c4b26265ca7ca4586
                                                        • Instruction Fuzzy Hash: 02118B75504280DFCB11CF14E9C4B15BBB1FB84324F28C6AAD84A4B656C33AD85BCBA2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 0000000B.00000002.764799477.0000000000A7D000.00000040.00000001.sdmp, Offset: 00A7D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_11_2_a7d000_BnevyAj.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b86f2de99ec1161d51e18b5338a86f7dc671da5c7bfce76c4b26265ca7ca4586
                                                        • Instruction ID: 71823ec7bccf1e934cb4ea5e12b074595dbe1a8e61a207177c28076966b271a1
                                                        • Opcode Fuzzy Hash: b86f2de99ec1161d51e18b5338a86f7dc671da5c7bfce76c4b26265ca7ca4586
                                                        • Instruction Fuzzy Hash: B0118B75504280DFCB11CF10D9C4B55BBB1FF84324F28C6A9D8494B656C33AD84ACBA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Non-executed Functions

                                                        Execution Graph

                                                        Execution Coverage:10.2%
                                                        Dynamic/Decrypted Code Coverage:100%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:97
                                                        Total number of Limit Nodes:6

                                                        Graph

                                                        execution_graph 13866 275ba10 13867 275ba24 13866->13867 13870 275bc5a 13867->13870 13876 275be56 13870->13876 13881 275be3c 13870->13881 13886 275bd30 13870->13886 13891 275bd40 13870->13891 13877 275be69 13876->13877 13878 275be7b 13876->13878 13896 275c189 13877->13896 13901 275c138 13877->13901 13882 275bdef 13881->13882 13882->13881 13883 275be7b 13882->13883 13884 275c189 RtlEncodePointer 13882->13884 13885 275c138 RtlEncodePointer 13882->13885 13884->13883 13885->13883 13887 275bd40 13886->13887 13888 275be7b 13887->13888 13889 275c189 RtlEncodePointer 13887->13889 13890 275c138 RtlEncodePointer 13887->13890 13889->13888 13890->13888 13892 275bd84 13891->13892 13893 275be7b 13892->13893 13894 275c189 RtlEncodePointer 13892->13894 13895 275c138 RtlEncodePointer 13892->13895 13894->13893 13895->13893 13897 275c192 13896->13897 13898 275c132 13896->13898 13905 275c198 13898->13905 13899 275c166 13899->13878 13902 275c156 13901->13902 13904 275c198 RtlEncodePointer 13902->13904 13903 275c166 13903->13878 13904->13903 13906 275c1d2 13905->13906 13907 275c1fc RtlEncodePointer 13906->13907 13908 275c225 13906->13908 13907->13908 13908->13899 13952 2756940 GetCurrentProcess 13953 27569b3 13952->13953 13954 27569ba GetCurrentThread 13952->13954 13953->13954 13955 27569f7 GetCurrentProcess 13954->13955 13956 27569f0 13954->13956 13957 2756a2d 13955->13957 13956->13955 13958 2756a55 GetCurrentThreadId 13957->13958 13959 2756a86 13958->13959 13909 257d01c 13910 257d034 13909->13910 13911 257d08e 13910->13911 13916 275359c 13910->13916 13924 2757b8b 13910->13924 13932 2755238 13910->13932 13936 2755248 13910->13936 13917 27535a7 13916->13917 13918 2757bf1 13917->13918 13921 2757be1 13917->13921 13948 275779c 13918->13948 13920 2757bef 13940 2757d13 13921->13940 13944 2757d18 13921->13944 13927 2757bbd 13924->13927 13925 2757bf1 13926 275779c CallWindowProcW 13925->13926 13929 2757bef 13926->13929 13927->13925 13928 2757be1 13927->13928 13930 2757d13 CallWindowProcW 13928->13930 13931 2757d18 CallWindowProcW 13928->13931 13930->13929 13931->13929 13933 2755248 13932->13933 13934 275359c CallWindowProcW 13933->13934 13935 275528f 13934->13935 13935->13911 13937 275526e 13936->13937 13938 275359c CallWindowProcW 13937->13938 13939 275528f 13938->13939 13939->13911 13942 2757d26 13940->13942 13941 275779c CallWindowProcW 13941->13942 13942->13941 13943 2757e13 13942->13943 13943->13920 13946 2757d26 13944->13946 13945 275779c CallWindowProcW 13945->13946 13946->13945 13947 2757e13 13946->13947 13947->13920 13949 27577a7 13948->13949 13950 2757ee2 CallWindowProcW 13949->13950 13951 2757e91 13949->13951 13950->13951 13951->13920 13960 2756b68 DuplicateHandle 13961 2756bfe 13960->13961 13962 27515a8 13963 27515d7 13962->13963 13966 2751328 13963->13966 13965 27516fc 13967 2751333 13966->13967 13971 2753660 13967->13971 13975 275365b 13967->13975 13968 2751c42 13968->13965 13972 275368a 13971->13972 13973 2753731 13972->13973 13979 275500f 13972->13979 13976 275368a 13975->13976 13977 2753731 13976->13977 13978 275500f CreateWindowExW 13976->13978 13978->13977 13980 275503e 13979->13980 13981 2755049 13980->13981 13982 2755153 CreateWindowExW 13980->13982 13981->13973 13983 27551b4 13982->13983 13983->13983

                                                        Executed Functions

                                                        Control-flow Graph

                                                        APIs
                                                        • GetCurrentProcess.KERNEL32 ref: 027569A0
                                                        • GetCurrentThread.KERNEL32 ref: 027569DD
                                                        • GetCurrentProcess.KERNEL32 ref: 02756A1A
                                                        • GetCurrentThreadId.KERNEL32 ref: 02756A73
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.931274165.0000000002750000.00000040.00000001.sdmp, Offset: 02750000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2750000_BnevyAj.jbxd
                                                        Similarity
                                                        • API ID: Current$ProcessThread
                                                        • String ID:
                                                        • API String ID: 2063062207-0
                                                        • Opcode ID: b030c58f6ccf84f1d9e77637c08e8a5efd82a7b13cabb246575dd3e36ddc3508
                                                        • Instruction ID: 0456ddeadc1e34cc4aa9b9596149cd53d1356ddb9def17da9d06fc485b6f028e
                                                        • Opcode Fuzzy Hash: b030c58f6ccf84f1d9e77637c08e8a5efd82a7b13cabb246575dd3e36ddc3508
                                                        • Instruction Fuzzy Hash: 0E5188B09046888FDB10CFA9D548BDEFBF4EF48304F14846EE449A7351D7749884CB66
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • GetCurrentProcess.KERNEL32 ref: 027569A0
                                                        • GetCurrentThread.KERNEL32 ref: 027569DD
                                                        • GetCurrentProcess.KERNEL32 ref: 02756A1A
                                                        • GetCurrentThreadId.KERNEL32 ref: 02756A73
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.931274165.0000000002750000.00000040.00000001.sdmp, Offset: 02750000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2750000_BnevyAj.jbxd
                                                        Similarity
                                                        • API ID: Current$ProcessThread
                                                        • String ID:
                                                        • API String ID: 2063062207-0
                                                        • Opcode ID: f9d1fd39f043419fe10ffc9adab2d6cf9317cbfadc864a763d553b4b00992ad3
                                                        • Instruction ID: 02ada1a833c0f493ecb113e26d07bf7c516b585cc0c9b523ddeedb36ae8b98a5
                                                        • Opcode Fuzzy Hash: f9d1fd39f043419fe10ffc9adab2d6cf9317cbfadc864a763d553b4b00992ad3
                                                        • Instruction Fuzzy Hash: 715165B49006488FDB14CFA9D548BEEFBF5EF88314F208469E419A7350D774A884CF66
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.931274165.0000000002750000.00000040.00000001.sdmp, Offset: 02750000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2750000_BnevyAj.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d58e5b2d3967d6b4d7e29b6f6f43f2e5dfd187e7ac475eaf5d5b2ab135bbe1a6
                                                        • Instruction ID: cbaaaf7ec36138a6d8702509d06de293af19b3051f2e1375880e0eb93c548096
                                                        • Opcode Fuzzy Hash: d58e5b2d3967d6b4d7e29b6f6f43f2e5dfd187e7ac475eaf5d5b2ab135bbe1a6
                                                        • Instruction Fuzzy Hash: D86112B1C05248AFDF01CFA5C884ACDBFB2BF49304F65816AE908AB221D7759845CF50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 027551A2
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.931274165.0000000002750000.00000040.00000001.sdmp, Offset: 02750000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2750000_BnevyAj.jbxd
                                                        Similarity
                                                        • API ID: CreateWindow
                                                        • String ID:
                                                        • API String ID: 716092398-0
                                                        • Opcode ID: 3df414806da2be042e5a972e2b24b5b3f20a417b6d99b7ec32ec6fc9a9a2f969
                                                        • Instruction ID: 8bcbe1cacb2a3de2640082cad126d2fe4fd7dcfb4986f8b0cf363787a213c834
                                                        • Opcode Fuzzy Hash: 3df414806da2be042e5a972e2b24b5b3f20a417b6d99b7ec32ec6fc9a9a2f969
                                                        • Instruction Fuzzy Hash: 8F51CDB1D003189FDB14CF99D880ADEFFB5BF48314F64822AE819AB210D7B49885CF90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 027551A2
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.931274165.0000000002750000.00000040.00000001.sdmp, Offset: 02750000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2750000_BnevyAj.jbxd
                                                        Similarity
                                                        • API ID: CreateWindow
                                                        • String ID:
                                                        • API String ID: 716092398-0
                                                        • Opcode ID: 6f9fa5257cb85405029c6936194c905a533c563dbdb33b9bad24229c31c81100
                                                        • Instruction ID: 33cd031703a8ec2e46caa9f7937f258a9e022f27497a7acc779e2b1b776dc593
                                                        • Opcode Fuzzy Hash: 6f9fa5257cb85405029c6936194c905a533c563dbdb33b9bad24229c31c81100
                                                        • Instruction Fuzzy Hash: D441BDB1D003189FDB14CF99C884ADEFFB5BF48314F64852AE819AB210D7B4A885CF90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CallWindowProcW.USER32(?,?,?,?,?), ref: 02757F09
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.931274165.0000000002750000.00000040.00000001.sdmp, Offset: 02750000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2750000_BnevyAj.jbxd
                                                        Similarity
                                                        • API ID: CallProcWindow
                                                        • String ID:
                                                        • API String ID: 2714655100-0
                                                        • Opcode ID: 3dbce91c4ff6b2e0bb580fe6811812bd614e0a4bfecb71fa1e795567970b72bf
                                                        • Instruction ID: 23a65463297b67e136124923b13104d9e81f6256b326dc7cad180b739a7ebee6
                                                        • Opcode Fuzzy Hash: 3dbce91c4ff6b2e0bb580fe6811812bd614e0a4bfecb71fa1e795567970b72bf
                                                        • Instruction Fuzzy Hash: 674149B5A003159FDB14CF99C488BAAFBF5FF88314F248459E819AB321D374A941CFA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02756BEF
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.931274165.0000000002750000.00000040.00000001.sdmp, Offset: 02750000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2750000_BnevyAj.jbxd
                                                        Similarity
                                                        • API ID: DuplicateHandle
                                                        • String ID:
                                                        • API String ID: 3793708945-0
                                                        • Opcode ID: 20a5a6bf80a23dfdbd1ed9720ef52b137e78ecb5ef459c4519b467d71357e0ad
                                                        • Instruction ID: ec48dabbbf0119a188df1d0aebd4f6fe101235485a32a227c6b770081d54cda1
                                                        • Opcode Fuzzy Hash: 20a5a6bf80a23dfdbd1ed9720ef52b137e78ecb5ef459c4519b467d71357e0ad
                                                        • Instruction Fuzzy Hash: 072114B5900248DFDB00CFA9D584ADEFBF9FB08320F14842AE915A3210D378A945DF60
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02756BEF
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.931274165.0000000002750000.00000040.00000001.sdmp, Offset: 02750000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2750000_BnevyAj.jbxd
                                                        Similarity
                                                        • API ID: DuplicateHandle
                                                        • String ID:
                                                        • API String ID: 3793708945-0
                                                        • Opcode ID: e1a3bad67d1b615d010e1fdcaac15933f88224eed063c563aa6af0ff31c2d87a
                                                        • Instruction ID: e05750987005499532d327bc01c50d0ca81b62e0f4f6ee4a5d43500d589fecd2
                                                        • Opcode Fuzzy Hash: e1a3bad67d1b615d010e1fdcaac15933f88224eed063c563aa6af0ff31c2d87a
                                                        • Instruction Fuzzy Hash: 3521D3B5900258AFDB10CFA9D984ADEFBF8FB48324F14842AE915A3310D374A944DFA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • RtlEncodePointer.NTDLL(00000000), ref: 0275C212
                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.931274165.0000000002750000.00000040.00000001.sdmp, Offset: 02750000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_2750000_BnevyAj.jbxd
                                                        Similarity
                                                        • API ID: EncodePointer
                                                        • String ID:
                                                        • API String ID: 2118026453-0
                                                        • Opcode ID: 89643d180ac38bcc56f6a5e2e2d4159572ff1d7b6c863e19c2a1e23fc9e4df39
                                                        • Instruction ID: 95d351202a8cf01b29413b257cc65c2fa86fc52c74420cbd90825e3834ff2e7e
                                                        • Opcode Fuzzy Hash: 89643d180ac38bcc56f6a5e2e2d4159572ff1d7b6c863e19c2a1e23fc9e4df39
                                                        • Instruction Fuzzy Hash: 45119AB19003048FDB20CFA9D54879FBBF8EB48714F20852ED805A7641D779A944CFA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.930655746.000000000256D000.00000040.00000001.sdmp, Offset: 0256D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_256d000_BnevyAj.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: eb75c6094f306f9412b67fb621ce96b18a0534ccd84e080f2cf58d6b16ea15fc
                                                        • Instruction ID: 7c19f60d68a9c1c3ac03039e8387919f70017b4c8f05bd59f2de3872b938728f
                                                        • Opcode Fuzzy Hash: eb75c6094f306f9412b67fb621ce96b18a0534ccd84e080f2cf58d6b16ea15fc
                                                        • Instruction Fuzzy Hash: 2C2133B1205244DFDF11DF10D8C8B66BF75FB98328F208D69E8054B646C336D846CAA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.930767164.000000000257D000.00000040.00000001.sdmp, Offset: 0257D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_257d000_BnevyAj.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c35180d005bd48f39f7358f29fdc563717338093c65f918e94a134c4fc5cf3f3
                                                        • Instruction ID: 44dea38a53978c9cfd3dfe03d862a9ac24cda423b3ca61c6c3f0f25fca7eacf9
                                                        • Opcode Fuzzy Hash: c35180d005bd48f39f7358f29fdc563717338093c65f918e94a134c4fc5cf3f3
                                                        • Instruction Fuzzy Hash: 95212275544204DFDB10CF20E8C4B26BBB5FF84314F24C96DD80A4B246D33BD846CA61
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.930767164.000000000257D000.00000040.00000001.sdmp, Offset: 0257D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_257d000_BnevyAj.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 459252ab4d1331a13b9ef4bb74492a49d69a5d9efa2d63347bcaf61814ddccee
                                                        • Instruction ID: edbe01df5f64db5db30bf303d1cf14aba277f01a84e6cd030ab8412ae33d87ba
                                                        • Opcode Fuzzy Hash: 459252ab4d1331a13b9ef4bb74492a49d69a5d9efa2d63347bcaf61814ddccee
                                                        • Instruction Fuzzy Hash: 412150755493C08FCB12CF24D994B15BF71FF46214F28C5EAD8898B657C33A944ACB62
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 0000000E.00000002.930655746.000000000256D000.00000040.00000001.sdmp, Offset: 0256D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_14_2_256d000_BnevyAj.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a8fea46d4023bfcb84ee4c65d7b8a7c4edfa59c4fb92f6e4ed5640399c80934a
                                                        • Instruction ID: d47395163123b8cebb8299b2d3224702aa04091947741f9d08c913b3baea7319
                                                        • Opcode Fuzzy Hash: a8fea46d4023bfcb84ee4c65d7b8a7c4edfa59c4fb92f6e4ed5640399c80934a
                                                        • Instruction Fuzzy Hash: 8011E676504280CFCF12CF10D9C4B26BF72FB84324F24C6A9D8494B656C336D45ACBA2
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Non-executed Functions