Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Windows Analysis Report vbc.exe_

Overview

General Information

Sample Name:vbc.exe_ (renamed file extension from exe_ to exe)
Analysis ID:502670
MD5:a665b705b9381b33aaa9e307fe340af7
SHA1:a6fba4f009921b1de9d524047bcb7fa0e571a116
SHA256:dc07322ef1652695b5e85bfd5d6da8c5b6c311d26ff13eb18a390cd4b7232203
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • vbc.exe (PID: 7088 cmdline: 'C:\Users\user\Desktop\vbc.exe' MD5: A665B705B9381B33AAA9E307FE340AF7)
    • vbc.exe (PID: 6404 cmdline: C:\Users\user\Desktop\vbc.exe MD5: A665B705B9381B33AAA9E307FE340AF7)
  • BnevyAj.exe (PID: 4624 cmdline: 'C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe' MD5: A665B705B9381B33AAA9E307FE340AF7)
    • BnevyAj.exe (PID: 6176 cmdline: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe MD5: A665B705B9381B33AAA9E307FE340AF7)
  • BnevyAj.exe (PID: 3144 cmdline: 'C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe' MD5: A665B705B9381B33AAA9E307FE340AF7)
    • BnevyAj.exe (PID: 5840 cmdline: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe MD5: A665B705B9381B33AAA9E307FE340AF7)
    • BnevyAj.exe (PID: 4640 cmdline: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe MD5: A665B705B9381B33AAA9E307FE340AF7)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "info@croatiahunt.com", "Password": "VilaVrgade852", "Host": "mail.croatiahunt.com"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000012.00000002.928744367.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000012.00000002.928744367.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
      0000000E.00000002.928744553.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        0000000E.00000002.928744553.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
          00000010.00000002.786078448.0000000002481000.00000004.00000001.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
            Click to see the 28 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.2.vbc.exe.3a55230.4.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              0.2.vbc.exe.3a55230.4.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                4.2.vbc.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  4.2.vbc.exe.400000.0.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                    11.2.BnevyAj.exe.37d5230.2.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                      Click to see the 28 entries

                      Sigma Overview

                      No Sigma rule has matched

                      Jbx Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Found malware configurationShow sources
                      Source: 16.2.BnevyAj.exe.3725230.3.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "info@croatiahunt.com", "Password": "VilaVrgade852", "Host": "mail.croatiahunt.com"}
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: vbc.exeVirustotal: Detection: 30%Perma Link
                      Source: vbc.exeMetadefender: Detection: 22%Perma Link
                      Source: vbc.exeReversingLabs: Detection: 33%
                      Multi AV Scanner detection for dropped fileShow sources
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeMetadefender: Detection: 22%Perma Link
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeReversingLabs: Detection: 44%
                      Source: 14.2.BnevyAj.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                      Source: 18.2.BnevyAj.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                      Source: 4.2.vbc.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                      Source: vbc.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: vbc.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Joe Sandbox ViewASN Name: HETZNER-ASDE HETZNER-ASDE
                      Source: global trafficTCP traffic: 192.168.2.4:49884 -> 116.202.174.203:587
                      Source: global trafficTCP traffic: 192.168.2.4:49884 -> 116.202.174.203:587
                      Source: vbc.exe, 00000004.00000002.931931603.0000000002F41000.00000004.00000001.sdmp, BnevyAj.exe, 0000000E.00000002.931844597.00000000029A1000.00000004.00000001.sdmp, BnevyAj.exe, 00000012.00000002.931305015.0000000002991000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                      Source: BnevyAj.exe, 00000012.00000002.931305015.0000000002991000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                      Source: BnevyAj.exe, 00000012.00000002.931305015.0000000002991000.00000004.00000001.sdmpString found in binary or memory: http://MpOtQG.com
                      Source: vbc.exe, 00000004.00000003.909588018.00000000067A8000.00000004.00000001.sdmpString found in binary or memory: http://crl.c
                      Source: vbc.exe, 00000004.00000003.909588018.00000000067A8000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                      Source: vbc.exe, 00000004.00000003.909645922.00000000067D7000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                      Source: vbc.exe, 00000004.00000003.909588018.00000000067A8000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
                      Source: vbc.exe, 00000004.00000003.909588018.00000000067A8000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
                      Source: vbc.exe, 00000004.00000002.933794203.00000000032B0000.00000004.00000001.sdmpString found in binary or memory: http://croatiahunt.com
                      Source: vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com
                      Source: vbc.exe, 00000004.00000002.933794203.00000000032B0000.00000004.00000001.sdmpString found in binary or memory: http://mail.croatiahunt.com
                      Source: vbc.exe, 00000004.00000003.909588018.00000000067A8000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                      Source: vbc.exe, 00000004.00000002.933635766.0000000003263000.00000004.00000001.sdmpString found in binary or memory: http://ryfE27WOGC.c
                      Source: vbc.exe, 00000004.00000002.933635766.0000000003263000.00000004.00000001.sdmpString found in binary or memory: http://ryfE27WOGC.com
                      Source: vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                      Source: vbc.exe, 00000000.00000003.668894572.000000000580D000.00000004.00000001.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlr
                      Source: vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
                      Source: vbc.exe, 00000000.00000002.681665906.00000000027B1000.00000004.00000001.sdmp, BnevyAj.exe, 0000000B.00000002.765416031.0000000002531000.00000004.00000001.sdmp, BnevyAj.exe, 00000010.00000002.786078448.0000000002481000.00000004.00000001.sdmpString found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
                      Source: vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
                      Source: vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                      Source: vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                      Source: vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                      Source: vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                      Source: vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                      Source: vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                      Source: vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                      Source: vbc.exe, 00000000.00000003.680066703.00000000057D0000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.coma
                      Source: vbc.exe, 00000000.00000003.680066703.00000000057D0000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comldTF
                      Source: vbc.exe, 00000000.00000003.664625275.00000000057EB000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
                      Source: vbc.exe, 00000000.00000003.666659224.00000000057D6000.00000004.00000001.sdmp, vbc.exe, 00000000.00000003.666236612.00000000057D7000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                      Source: vbc.exe, 00000000.00000003.666529673.00000000057D6000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
                      Source: vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                      Source: vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                      Source: vbc.exe, 00000000.00000003.666467941.00000000057D8000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/l
                      Source: vbc.exe, 00000000.00000003.666236612.00000000057D7000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnp
                      Source: vbc.exe, 00000000.00000003.666028561.00000000057DD000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnt
                      Source: vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                      Source: vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                      Source: vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                      Source: vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                      Source: vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmp, vbc.exe, 00000000.00000003.664039768.00000000057D3000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                      Source: vbc.exe, 00000000.00000003.664039768.00000000057D3000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com.
                      Source: vbc.exe, 00000000.00000003.664039768.00000000057D3000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comUz
                      Source: vbc.exe, 00000000.00000003.664039768.00000000057D3000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comgz
                      Source: vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                      Source: vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                      Source: vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
                      Source: vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
                      Source: vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                      Source: vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                      Source: vbc.exe, 00000004.00000002.931931603.0000000002F41000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%$
                      Source: BnevyAj.exe, 00000012.00000002.931305015.0000000002991000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%GETMozilla/5.0
                      Source: vbc.exe, 00000004.00000003.909588018.00000000067A8000.00000004.00000001.sdmpString found in binary or memory: https://sectigo.com/CPS0
                      Source: vbc.exe, 00000000.00000002.682512073.00000000037B9000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.928707796.0000000000402000.00000040.00000001.sdmp, BnevyAj.exe, 0000000B.00000002.766014828.0000000003539000.00000004.00000001.sdmp, BnevyAj.exe, 0000000E.00000002.928744553.0000000000402000.00000040.00000001.sdmp, BnevyAj.exe, 00000010.00000002.786781735.0000000003489000.00000004.00000001.sdmp, BnevyAj.exe, 00000012.00000002.928744367.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: vbc.exe, 00000004.00000002.931931603.0000000002F41000.00000004.00000001.sdmp, BnevyAj.exe, 0000000E.00000002.931844597.00000000029A1000.00000004.00000001.sdmp, BnevyAj.exe, 00000012.00000002.931305015.0000000002991000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                      Source: unknownDNS traffic detected: queries for: mail.croatiahunt.com

                      System Summary:

                      barindex
                      .NET source code contains very large array initializationsShow sources
                      Source: 4.2.vbc.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bC8123CFFu002d1084u002d4755u002dA068u002d115455E50C0Au007d/u00351EA55F5u002dCE7Fu002d4200u002dB2DEu002d07232B8B50DB.csLarge array initialization: .cctor: array initializer size 11948
                      Source: 14.2.BnevyAj.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bC8123CFFu002d1084u002d4755u002dA068u002d115455E50C0Au007d/u00351EA55F5u002dCE7Fu002d4200u002dB2DEu002d07232B8B50DB.csLarge array initialization: .cctor: array initializer size 11948
                      Source: 18.2.BnevyAj.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bC8123CFFu002d1084u002d4755u002dA068u002d115455E50C0Au007d/u00351EA55F5u002dCE7Fu002d4200u002dB2DEu002d07232B8B50DB.csLarge array initialization: .cctor: array initializer size 11948
                      Source: vbc.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: C:\Users\user\Desktop\vbc.exeCode function: 0_2_00ADD064
                      Source: C:\Users\user\Desktop\vbc.exeCode function: 0_2_00ADF298
                      Source: C:\Users\user\Desktop\vbc.exeCode function: 0_2_00ADF296
                      Source: C:\Users\user\Desktop\vbc.exeCode function: 4_2_014BBA18
                      Source: C:\Users\user\Desktop\vbc.exeCode function: 4_2_014B69A0
                      Source: C:\Users\user\Desktop\vbc.exeCode function: 4_2_02F046A0
                      Source: C:\Users\user\Desktop\vbc.exeCode function: 4_2_02F04630
                      Source: C:\Users\user\Desktop\vbc.exeCode function: 4_2_05947540
                      Source: C:\Users\user\Desktop\vbc.exeCode function: 4_2_05942548
                      Source: C:\Users\user\Desktop\vbc.exeCode function: 4_2_059494F8
                      Source: C:\Users\user\Desktop\vbc.exeCode function: 4_2_05946C70
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeCode function: 11_2_00C1D064
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeCode function: 11_2_00C1F296
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeCode function: 11_2_00C1F298
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeCode function: 11_2_06CDCAF8
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeCode function: 11_2_06CD6D90
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeCode function: 11_2_06CD6DA0
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeCode function: 14_2_027546A0
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeCode function: 14_2_0275463B
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeCode function: 14_2_02754693
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeCode function: 14_2_0275DA00
                      Source: vbc.exe, 00000000.00000002.680415873.00000000003B4000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameIsolatedStorageFi.exe6 vs vbc.exe
                      Source: vbc.exe, 00000000.00000002.682512073.00000000037B9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUI.dll< vs vbc.exe
                      Source: vbc.exe, 00000000.00000002.682512073.00000000037B9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameGDufUjPAGIrcCocQttaA.exe4 vs vbc.exe
                      Source: vbc.exe, 00000000.00000002.681665906.00000000027B1000.00000004.00000001.sdmpBinary or memory string: OriginalFilename vs vbc.exe
                      Source: vbc.exe, 00000000.00000002.681665906.00000000027B1000.00000004.00000001.sdmpBinary or memory string: m,\\StringFileInfo\\000004B0\\OriginalFilename vs vbc.exe
                      Source: vbc.exe, 00000004.00000000.679006892.0000000000BE4000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameIsolatedStorageFi.exe6 vs vbc.exe
                      Source: vbc.exe, 00000004.00000002.928707796.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameGDufUjPAGIrcCocQttaA.exe4 vs vbc.exe
                      Source: vbc.exe, 00000004.00000002.929243029.0000000000F88000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs vbc.exe
                      Source: vbc.exeBinary or memory string: OriginalFilenameIsolatedStorageFi.exe6 vs vbc.exe
                      Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe DC07322EF1652695B5E85BFD5D6DA8C5B6C311D26FF13EB18A390CD4B7232203
                      Source: vbc.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: BnevyAj.exe.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: vbc.exeVirustotal: Detection: 30%
                      Source: vbc.exeMetadefender: Detection: 22%
                      Source: vbc.exeReversingLabs: Detection: 33%
                      Source: C:\Users\user\Desktop\vbc.exeFile read: C:\Users\user\Desktop\vbc.exeJump to behavior
                      Source: vbc.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknownProcess created: C:\Users\user\Desktop\vbc.exe 'C:\Users\user\Desktop\vbc.exe'
                      Source: C:\Users\user\Desktop\vbc.exeProcess created: C:\Users\user\Desktop\vbc.exe C:\Users\user\Desktop\vbc.exe
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe 'C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe'
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess created: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe 'C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe'
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess created: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess created: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe
                      Source: C:\Users\user\Desktop\vbc.exeProcess created: C:\Users\user\Desktop\vbc.exe C:\Users\user\Desktop\vbc.exe
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess created: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess created: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess created: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe
                      Source: C:\Users\user\Desktop\vbc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                      Source: C:\Users\user\Desktop\vbc.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\vbc.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\vbc.exeFile created: C:\Users\user\AppData\Local\GottschalksJump to behavior
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@11/4@2/1
                      Source: C:\Users\user\Desktop\vbc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\vbc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: 4.2.vbc.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 4.2.vbc.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 14.2.BnevyAj.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 14.2.BnevyAj.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 18.2.BnevyAj.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 18.2.BnevyAj.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: C:\Users\user\Desktop\vbc.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\vbc.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Users\user\Desktop\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: vbc.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: vbc.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                      Data Obfuscation:

                      barindex
                      .NET source code contains potential unpackerShow sources
                      Source: vbc.exe, MapEditor1/CreateMapDialog.cs.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 0.0.vbc.exe.340000.0.unpack, MapEditor1/CreateMapDialog.cs.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 0.2.vbc.exe.340000.0.unpack, MapEditor1/CreateMapDialog.cs.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: BnevyAj.exe.4.dr, MapEditor1/CreateMapDialog.cs.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 4.2.vbc.exe.b70000.1.unpack, MapEditor1/CreateMapDialog.cs.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 4.0.vbc.exe.b70000.0.unpack, MapEditor1/CreateMapDialog.cs.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 11.2.BnevyAj.exe.230000.0.unpack, MapEditor1/CreateMapDialog.cs.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 11.0.BnevyAj.exe.230000.0.unpack, MapEditor1/CreateMapDialog.cs.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 14.2.BnevyAj.exe.470000.1.unpack, MapEditor1/CreateMapDialog.cs.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 14.0.BnevyAj.exe.470000.0.unpack, MapEditor1/CreateMapDialog.cs.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 16.0.BnevyAj.exe.40000.0.unpack, MapEditor1/CreateMapDialog.cs.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 16.2.BnevyAj.exe.40000.0.unpack, MapEditor1/CreateMapDialog.cs.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 17.0.BnevyAj.exe.30000.0.unpack, MapEditor1/CreateMapDialog.cs.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 17.2.BnevyAj.exe.30000.0.unpack, MapEditor1/CreateMapDialog.cs.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: 18.2.BnevyAj.exe.5e0000.1.unpack, MapEditor1/CreateMapDialog.cs.Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: C:\Users\user\Desktop\vbc.exeCode function: 0_2_06E63665 push FFFFFF8Bh; iretd
                      Source: C:\Users\user\Desktop\vbc.exeCode function: 0_2_06E6366E push cs; retf
                      Source: C:\Users\user\Desktop\vbc.exeCode function: 0_2_06E60FD2 push eax; ret
                      Source: C:\Users\user\Desktop\vbc.exeCode function: 0_2_06E60FDA pushad ; ret
                      Source: C:\Users\user\Desktop\vbc.exeCode function: 0_2_06E60F9C pushad ; ret
                      Source: C:\Users\user\Desktop\vbc.exeCode function: 4_2_02F0DD38 push FFFFFF8Bh; iretd
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeCode function: 11_2_00C12018 push ebx; retf
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeCode function: 11_2_06F63665 push FFFFFF8Bh; iretd
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeCode function: 11_2_06F6366E push cs; retf
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeCode function: 11_2_06F60FDB push eax; ret
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeCode function: 11_2_06F60F9C push eax; ret
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeCode function: 11_2_06F60F45 push es; retf
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeCode function: 11_2_06F634BE pushad ; retf
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeCode function: 11_2_06F6346C pushad ; retf
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.80231606159
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.80231606159
                      Source: C:\Users\user\Desktop\vbc.exeFile created: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeJump to dropped file
                      Source: C:\Users\user\Desktop\vbc.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run BnevyAjJump to behavior
                      Source: C:\Users\user\Desktop\vbc.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run BnevyAjJump to behavior

                      Hooking and other Techniques for Hiding and Protection:

                      barindex
                      Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
                      Source: C:\Users\user\Desktop\vbc.exeFile opened: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe:Zone.Identifier read attributes | delete
                      Source: C:\Users\user\Desktop\vbc.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      barindex
                      Yara detected AntiVM3Show sources
                      Source: Yara matchFile source: 0.2.vbc.exe.2801570.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.BnevyAj.exe.24d1524.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.BnevyAj.exe.2581524.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000010.00000002.786078448.0000000002481000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.765416031.0000000002531000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.681665906.00000000027B1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: vbc.exe PID: 7088, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: BnevyAj.exe PID: 4624, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: BnevyAj.exe PID: 3144, type: MEMORYSTR
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
                      Source: vbc.exe, 00000000.00000002.681665906.00000000027B1000.00000004.00000001.sdmp, BnevyAj.exe, 0000000B.00000002.765416031.0000000002531000.00000004.00000001.sdmp, BnevyAj.exe, 00000010.00000002.786078448.0000000002481000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
                      Source: vbc.exe, 00000000.00000002.681665906.00000000027B1000.00000004.00000001.sdmp, BnevyAj.exe, 0000000B.00000002.765416031.0000000002531000.00000004.00000001.sdmp, BnevyAj.exe, 00000010.00000002.786078448.0000000002481000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\vbc.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\vbc.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\vbc.exe TID: 7092Thread sleep time: -46038s >= -30000s
                      Source: C:\Users\user\Desktop\vbc.exe TID: 6964Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\vbc.exe TID: 4936Thread sleep time: -18446744073709540s >= -30000s
                      Source: C:\Users\user\Desktop\vbc.exe TID: 5704Thread sleep count: 721 > 30
                      Source: C:\Users\user\Desktop\vbc.exe TID: 5704Thread sleep count: 9117 > 30
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe TID: 4552Thread sleep time: -42962s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe TID: 6128Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe TID: 3000Thread sleep count: 31 > 30
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe TID: 3000Thread sleep time: -28592453314249787s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe TID: 3176Thread sleep count: 4359 > 30
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe TID: 3176Thread sleep count: 5458 > 30
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe TID: 4812Thread sleep time: -31879s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe TID: 5708Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe TID: 6784Thread sleep time: -16602069666338586s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe TID: 5192Thread sleep count: 8542 > 30
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe TID: 5192Thread sleep count: 1290 > 30
                      Source: C:\Users\user\Desktop\vbc.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\vbc.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\vbc.exeWindow / User API: threadDelayed 721
                      Source: C:\Users\user\Desktop\vbc.exeWindow / User API: threadDelayed 9117
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeWindow / User API: threadDelayed 4359
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeWindow / User API: threadDelayed 5458
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeWindow / User API: threadDelayed 8542
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeWindow / User API: threadDelayed 1290
                      Source: C:\Users\user\Desktop\vbc.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\vbc.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\vbc.exeProcess information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\vbc.exeThread delayed: delay time: 46038
                      Source: C:\Users\user\Desktop\vbc.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\vbc.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeThread delayed: delay time: 42962
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeThread delayed: delay time: 31879
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeThread delayed: delay time: 922337203685477
                      Source: BnevyAj.exe, 00000010.00000002.786078448.0000000002481000.00000004.00000001.sdmpBinary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
                      Source: BnevyAj.exe, 00000010.00000002.786078448.0000000002481000.00000004.00000001.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: BnevyAj.exe, 00000010.00000002.786078448.0000000002481000.00000004.00000001.sdmpBinary or memory string: vmware
                      Source: BnevyAj.exe, 00000010.00000002.786078448.0000000002481000.00000004.00000001.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                      Source: C:\Users\user\Desktop\vbc.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess token adjusted: Debug
                      Source: C:\Users\user\Desktop\vbc.exeMemory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      barindex
                      Injects a PE file into a foreign processesShow sources
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeMemory written: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\vbc.exeProcess created: C:\Users\user\Desktop\vbc.exe C:\Users\user\Desktop\vbc.exe
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess created: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess created: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeProcess created: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe
                      Source: vbc.exe, 00000004.00000002.931330746.00000000018A0000.00000002.00020000.sdmp, BnevyAj.exe, 0000000E.00000002.930350035.0000000001150000.00000002.00020000.sdmp, BnevyAj.exe, 00000012.00000002.930566306.0000000001300000.00000002.00020000.sdmpBinary or memory string: Program Manager
                      Source: vbc.exe, 00000004.00000002.931330746.00000000018A0000.00000002.00020000.sdmp, BnevyAj.exe, 0000000E.00000002.930350035.0000000001150000.00000002.00020000.sdmp, BnevyAj.exe, 00000012.00000002.930566306.0000000001300000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
                      Source: vbc.exe, 00000004.00000002.931330746.00000000018A0000.00000002.00020000.sdmp, BnevyAj.exe, 0000000E.00000002.930350035.0000000001150000.00000002.00020000.sdmp, BnevyAj.exe, 00000012.00000002.930566306.0000000001300000.00000002.00020000.sdmpBinary or memory string: Progman
                      Source: vbc.exe, 00000004.00000002.931330746.00000000018A0000.00000002.00020000.sdmp, BnevyAj.exe, 0000000E.00000002.930350035.0000000001150000.00000002.00020000.sdmp, BnevyAj.exe, 00000012.00000002.930566306.0000000001300000.00000002.00020000.sdmpBinary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Users\user\Desktop\vbc.exe VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Users\user\Desktop\vbc.exe VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeQueries volume information: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeQueries volume information: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeQueries volume information: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeQueries volume information: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\Desktop\vbc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

                      barindex
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 0.2.vbc.exe.3a55230.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.BnevyAj.exe.37d5230.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.BnevyAj.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.BnevyAj.exe.3725230.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.BnevyAj.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.BnevyAj.exe.3725230.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.vbc.exe.3a55230.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.BnevyAj.exe.362bd80.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.vbc.exe.3904960.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.BnevyAj.exe.37d5230.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.BnevyAj.exe.36dbd80.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.vbc.exe.395bd80.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.BnevyAj.exe.3684960.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.BnevyAj.exe.35d4960.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000012.00000002.928744367.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.928744553.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.766014828.0000000003539000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.928707796.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.786781735.0000000003489000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.682512073.00000000037B9000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.931305015.0000000002991000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.931844597.00000000029A1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.931931603.0000000002F41000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: vbc.exe PID: 7088, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: vbc.exe PID: 6404, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: BnevyAj.exe PID: 4624, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: BnevyAj.exe PID: 6176, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: BnevyAj.exe PID: 3144, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: BnevyAj.exe PID: 4640, type: MEMORYSTR
                      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)Show sources
                      Source: C:\Users\user\Desktop\vbc.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Tries to harvest and steal ftp login credentialsShow sources
                      Source: C:\Users\user\Desktop\vbc.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                      Source: C:\Users\user\Desktop\vbc.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                      Tries to steal Mail credentials (via file access)Show sources
                      Source: C:\Users\user\Desktop\vbc.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\vbc.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\vbc.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Source: C:\Users\user\Desktop\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Tries to harvest and steal browser information (history, passwords, etc)Show sources
                      Source: C:\Users\user\Desktop\vbc.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Users\user\Desktop\vbc.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Source: Yara matchFile source: 00000012.00000002.931305015.0000000002991000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.931844597.00000000029A1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.931931603.0000000002F41000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: vbc.exe PID: 6404, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: BnevyAj.exe PID: 6176, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: BnevyAj.exe PID: 4640, type: MEMORYSTR

                      Remote Access Functionality:

                      barindex
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 0.2.vbc.exe.3a55230.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.BnevyAj.exe.37d5230.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.BnevyAj.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.BnevyAj.exe.3725230.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.BnevyAj.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.BnevyAj.exe.3725230.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.vbc.exe.3a55230.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.BnevyAj.exe.362bd80.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.vbc.exe.3904960.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.BnevyAj.exe.37d5230.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.BnevyAj.exe.36dbd80.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.vbc.exe.395bd80.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.BnevyAj.exe.3684960.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.BnevyAj.exe.35d4960.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000012.00000002.928744367.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.928744553.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.766014828.0000000003539000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.928707796.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.786781735.0000000003489000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.682512073.00000000037B9000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.931305015.0000000002991000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.931844597.00000000029A1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.931931603.0000000002F41000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: vbc.exe PID: 7088, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: vbc.exe PID: 6404, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: BnevyAj.exe PID: 4624, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: BnevyAj.exe PID: 6176, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: BnevyAj.exe PID: 3144, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: BnevyAj.exe PID: 4640, type: MEMORYSTR

                      Mitre Att&ck Matrix

                      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                      Valid AccountsWindows Management Instrumentation211Registry Run Keys / Startup Folder1Process Injection112Disable or Modify Tools1OS Credential Dumping2System Information Discovery114Remote ServicesArchive Collected Data11Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                      Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsRegistry Run Keys / Startup Folder1Deobfuscate/Decode Files or Information1Credentials in Registry1Query Registry1Remote Desktop ProtocolData from Local System2Exfiltration Over BluetoothNon-Standard Port1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                      Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information2Security Account ManagerSecurity Software Discovery311SMB/Windows Admin SharesEmail Collection1Automated ExfiltrationNon-Application Layer Protocol1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Software Packing13NTDSProcess Discovery2Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol11SIM Card SwapCarrier Billing Fraud
                      Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptMasquerading1LSA SecretsVirtualization/Sandbox Evasion131SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                      Replication Through Removable MediaLaunchdRc.commonRc.commonVirtualization/Sandbox Evasion131Cached Domain CredentialsApplication Window Discovery1VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                      External Remote ServicesScheduled TaskStartup ItemsStartup ItemsProcess Injection112DCSyncRemote System Discovery1Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobHidden Files and Directories1Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      behaviorgraph top1 signatures2 2 Behavior Graph ID: 502670 Sample: vbc.exe_ Startdate: 14/10/2021 Architecture: WINDOWS Score: 100 43 Found malware configuration 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 Yara detected AgentTesla 2->47 49 4 other signatures 2->49 6 vbc.exe 6 2->6         started        10 BnevyAj.exe 3 2->10         started        12 BnevyAj.exe 2 2->12         started        process3 file4 25 C:\Users\user\AppData\Local\...\vbc.exe.log, ASCII 6->25 dropped 51 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->51 53 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 6->53 14 vbc.exe 2 5 6->14         started        55 Multi AV Scanner detection for dropped file 10->55 57 Injects a PE file into a foreign processes 10->57 19 BnevyAj.exe 2 10->19         started        21 BnevyAj.exe 2 12->21         started        23 BnevyAj.exe 12->23         started        signatures5 process6 dnsIp7 31 croatiahunt.com 116.202.174.203, 49884, 587 HETZNER-ASDE Germany 14->31 33 mail.croatiahunt.com 14->33 27 C:\Users\user\AppData\Roaming\...\BnevyAj.exe, PE32 14->27 dropped 29 C:\Users\user\...\BnevyAj.exe:Zone.Identifier, ASCII 14->29 dropped 35 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->35 37 Tries to steal Mail credentials (via file access) 14->37 39 Tries to harvest and steal ftp login credentials 14->39 41 2 other signatures 14->41 file8 signatures9

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.

                      windows-stand

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      SourceDetectionScannerLabelLink
                      vbc.exe30%VirustotalBrowse
                      vbc.exe23%MetadefenderBrowse
                      vbc.exe33%ReversingLabsByteCode-MSIL.Trojan.AgentTesla

                      Dropped Files

                      SourceDetectionScannerLabelLink
                      C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe23%MetadefenderBrowse
                      C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe44%ReversingLabsByteCode-MSIL.Trojan.AgentTesla

                      Unpacked PE Files

                      SourceDetectionScannerLabelLinkDownload
                      14.2.BnevyAj.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File
                      18.2.BnevyAj.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File
                      4.2.vbc.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File

                      Domains

                      SourceDetectionScannerLabelLink
                      windowsupdate.s.llnwi.net0%VirustotalBrowse
                      croatiahunt.com0%VirustotalBrowse

                      URLs

                      SourceDetectionScannerLabelLink
                      http://www.sajatypeworks.com.0%Avira URL Cloudsafe
                      http://127.0.0.1:HTTP/1.10%Avira URL Cloudsafe
                      http://ryfE27WOGC.c0%Avira URL Cloudsafe
                      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                      http://www.tiro.com0%URL Reputationsafe
                      http://www.goodfont.co.kr0%URL Reputationsafe
                      http://www.collada.org/2005/11/COLLADASchema9Done0%URL Reputationsafe
                      http://www.sajatypeworks.com0%URL Reputationsafe
                      http://www.typography.netD0%URL Reputationsafe
                      http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                      http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                      http://fontfabrik.com0%URL Reputationsafe
                      http://www.founder.com.cn/cnp0%URL Reputationsafe
                      http://MpOtQG.com0%Avira URL Cloudsafe
                      http://www.founder.com.cn/cnt0%URL Reputationsafe
                      http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                      http://www.founder.com.cn/cn/l0%Avira URL Cloudsafe
                      https://api.ipify.org%GETMozilla/5.00%URL Reputationsafe
                      http://www.sandoll.co.kr0%URL Reputationsafe
                      http://www.urwpp.deDPlease0%URL Reputationsafe
                      http://www.zhongyicts.com.cn0%URL Reputationsafe
                      http://www.sajatypeworks.comgz0%Avira URL Cloudsafe
                      http://www.sakkal.com0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                      http://mail.croatiahunt.com0%Avira URL Cloudsafe
                      http://DynDns.comDynDNS0%URL Reputationsafe
                      https://sectigo.com/CPS00%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                      http://www.fontbureau.coma0%URL Reputationsafe
                      https://api.ipify.org%$0%Avira URL Cloudsafe
                      http://www.carterandcone.coml0%URL Reputationsafe
                      http://www.founder.com.cn/cn/0%URL Reputationsafe
                      http://www.founder.com.cn/cn0%URL Reputationsafe
                      http://crl.c0%Avira URL Cloudsafe
                      http://www.sajatypeworks.comUz0%Avira URL Cloudsafe
                      http://croatiahunt.com0%Avira URL Cloudsafe
                      http://www.fontbureau.comldTF0%Avira URL Cloudsafe
                      http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
                      http://www.ascendercorp.com/typedesigners.htmlr0%Avira URL Cloudsafe
                      http://ryfE27WOGC.com0%Avira URL Cloudsafe

                      Domains and IPs

                      Contacted Domains

                      NameIPActiveMaliciousAntivirus DetectionReputation
                      windowsupdate.s.llnwi.net
                      		178.79.242.0
                      		truefalseunknown
                      croatiahunt.com
                      		116.202.174.203
                      		truetrueunknown
                      mail.croatiahunt.com
                      		unknown
                      		unknowntrue
                        		unknown

                        URLs from Memory and Binaries

                        NameSourceMaliciousAntivirus DetectionReputation
                        http://www.sajatypeworks.com.vbc.exe, 00000000.00000003.664039768.00000000057D3000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://127.0.0.1:HTTP/1.1vbc.exe, 00000004.00000002.931931603.0000000002F41000.00000004.00000001.sdmp, BnevyAj.exe, 0000000E.00000002.931844597.00000000029A1000.00000004.00000001.sdmp, BnevyAj.exe, 00000012.00000002.931305015.0000000002991000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        		low
                        http://www.fontbureau.com/designersGvbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpfalse
                          		high
                          http://ryfE27WOGC.cvbc.exe, 00000004.00000002.933635766.0000000003263000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.fontbureau.com/designers/?vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpfalse
                            		high
                            http://www.founder.com.cn/cn/bThevbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.fontbureau.com/designers?vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpfalse
                              		high
                              http://www.tiro.comvbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.fontbureau.com/designersvbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpfalse
                                		high
                                http://www.goodfont.co.krvbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.collada.org/2005/11/COLLADASchema9Donevbc.exe, 00000000.00000002.681665906.00000000027B1000.00000004.00000001.sdmp, BnevyAj.exe, 0000000B.00000002.765416031.0000000002531000.00000004.00000001.sdmp, BnevyAj.exe, 00000010.00000002.786078448.0000000002481000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.sajatypeworks.comvbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmp, vbc.exe, 00000000.00000003.664039768.00000000057D3000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.typography.netDvbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.founder.com.cn/cn/cThevbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.galapagosdesign.com/staff/dennis.htmvbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://fontfabrik.comvbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.founder.com.cn/cnpvbc.exe, 00000000.00000003.666236612.00000000057D7000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://MpOtQG.comBnevyAj.exe, 00000012.00000002.931305015.0000000002991000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://www.founder.com.cn/cntvbc.exe, 00000000.00000003.666028561.00000000057DD000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.galapagosdesign.com/DPleasevbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.founder.com.cn/cn/lvbc.exe, 00000000.00000003.666467941.00000000057D8000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://api.ipify.org%GETMozilla/5.0BnevyAj.exe, 00000012.00000002.931305015.0000000002991000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                		low
                                http://www.fonts.comvbc.exe, 00000000.00000003.664625275.00000000057EB000.00000004.00000001.sdmpfalse
                                  		high
                                  http://www.sandoll.co.krvbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.urwpp.deDPleasevbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.zhongyicts.com.cnvbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.sajatypeworks.comgzvbc.exe, 00000000.00000003.664039768.00000000057D3000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.sakkal.comvbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zipvbc.exe, 00000000.00000002.682512073.00000000037B9000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.928707796.0000000000402000.00000040.00000001.sdmp, BnevyAj.exe, 0000000B.00000002.766014828.0000000003539000.00000004.00000001.sdmp, BnevyAj.exe, 0000000E.00000002.928744553.0000000000402000.00000040.00000001.sdmp, BnevyAj.exe, 00000010.00000002.786781735.0000000003489000.00000004.00000001.sdmp, BnevyAj.exe, 00000012.00000002.928744367.0000000000402000.00000040.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://mail.croatiahunt.comvbc.exe, 00000004.00000002.933794203.00000000032B0000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.apache.org/licenses/LICENSE-2.0vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpfalse
                                    		high
                                    http://www.fontbureau.comvbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpfalse
                                      		high
                                      http://DynDns.comDynDNSBnevyAj.exe, 00000012.00000002.931305015.0000000002991000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      https://sectigo.com/CPS0vbc.exe, 00000004.00000003.909588018.00000000067A8000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%havbc.exe, 00000004.00000002.931931603.0000000002F41000.00000004.00000001.sdmp, BnevyAj.exe, 0000000E.00000002.931844597.00000000029A1000.00000004.00000001.sdmp, BnevyAj.exe, 00000012.00000002.931305015.0000000002991000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.fontbureau.comavbc.exe, 00000000.00000003.680066703.00000000057D0000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      https://api.ipify.org%$vbc.exe, 00000004.00000002.931931603.0000000002F41000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		low
                                      http://www.carterandcone.comlvbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.founder.com.cn/cn/vbc.exe, 00000000.00000003.666529673.00000000057D6000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.fontbureau.com/designers/cabarga.htmlNvbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpfalse
                                        		high
                                        http://www.founder.com.cn/cnvbc.exe, 00000000.00000003.666659224.00000000057D6000.00000004.00000001.sdmp, vbc.exe, 00000000.00000003.666236612.00000000057D7000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.fontbureau.com/designers/frere-user.htmlvbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpfalse
                                          		high
                                          http://crl.cvbc.exe, 00000004.00000003.909588018.00000000067A8000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.sajatypeworks.comUzvbc.exe, 00000000.00000003.664039768.00000000057D3000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://croatiahunt.comvbc.exe, 00000004.00000002.933794203.00000000032B0000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.fontbureau.comldTFvbc.exe, 00000000.00000003.680066703.00000000057D0000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.jiyu-kobo.co.jp/vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.ascendercorp.com/typedesigners.htmlrvbc.exe, 00000000.00000003.668894572.000000000580D000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.fontbureau.com/designers8vbc.exe, 00000000.00000002.685762484.00000000069E2000.00000004.00000001.sdmpfalse
                                            		high
                                            http://ryfE27WOGC.comvbc.exe, 00000004.00000002.933635766.0000000003263000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown

                                            Contacted IPs

                                            • No. of IPs < 25%
                                            • 25% < No. of IPs < 50%
                                            • 50% < No. of IPs < 75%
                                            • 75% < No. of IPs

                                            Public

                                            IPDomainCountryFlagASNASN NameMalicious
                                            116.202.174.203
                                            		croatiahunt.comGermany
                                            		24940HETZNER-ASDEtrue

                                            General Information

                                            Joe Sandbox Version:33.0.0 White Diamond
                                            Analysis ID:502670
                                            Start date:14.10.2021
                                            Start time:08:44:15
                                            Joe Sandbox Product:CloudBasic
                                            Overall analysis duration:0h 12m 8s
                                            Hypervisor based Inspection enabled:false
                                            Report type:light
                                            Sample file name:vbc.exe_ (renamed file extension from exe_ to exe)
                                            Cookbook file name:default.jbs
                                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                            Number of analysed new started processes analysed:25
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:0
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • HDC enabled
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Analysis stop reason:Timeout
                                            Detection:MAL
                                            Classification:mal100.troj.spyw.evad.winEXE@11/4@2/1
                                            EGA Information:
                                            • Successful, ratio: 100%
                                            HDC Information:
                                            • Successful, ratio: 0.1% (good quality ratio 0%)
                                            • Quality average: 17.8%
                                            • Quality standard deviation: 26.1%
                                            HCA Information:
                                            • Successful, ratio: 99%
                                            • Number of executed functions: 0
                                            • Number of non-executed functions: 0
                                            Cookbook Comments:
                                            • Adjust boot time
                                            • Enable AMSI
                                            Warnings:
                                            Show All
                                            • Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                            • Excluded IPs from analysis (whitelisted): 20.82.210.154, 20.199.120.182, 23.203.141.148, 20.199.120.151, 20.82.209.183, 8.247.248.249, 8.247.248.223, 8.247.244.221, 2.20.178.33, 2.20.178.24, 20.54.110.249, 52.251.79.25, 40.112.88.60, 20.199.120.85
                                            • Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, consumer-displaycatalogrp-aks2aks-useast.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, client.wns.windows.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, displaycatalog-rp-useast.md.mp.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                            • Report creation exceeded maximum time and may have missing disassembly code information.
                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                            • Report size getting too big, too many NtQueryValueKey calls found.

                                            Simulations

                                            Behavior and APIs

                                            TimeTypeDescription
                                            08:45:17API Interceptor731x Sleep call for process: vbc.exe modified
                                            08:45:46AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run BnevyAj C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe
                                            08:45:54AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run BnevyAj C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe
                                            08:45:56API Interceptor891x Sleep call for process: BnevyAj.exe modified

                                            Joe Sandbox View / Context

                                            IPs

                                            MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                            116.202.174.203SecuriteInfo.com.BackDoor.SpyBotNET.25.23695.exeGet hashmaliciousBrowse
                                              DHL consignment number_600595460.xlsxGet hashmaliciousBrowse
                                                Po____211110.exeGet hashmaliciousBrowse

                                                  Domains

                                                  MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                  windowsupdate.s.llnwi.netREMITTANCE-54324.exeGet hashmaliciousBrowse
                                                  • 178.79.242.128
                                                  Farbestfoods.AP Summary.2752.htmlGet hashmaliciousBrowse
                                                  • 178.79.242.128
                                                  iAuPyHuUkk.exeGet hashmaliciousBrowse
                                                  • 178.79.242.0
                                                  ORDER CONFIRMATION.exeGet hashmaliciousBrowse
                                                  • 178.79.242.128
                                                  HqiJ8HpbxU.exeGet hashmaliciousBrowse
                                                  • 178.79.242.0
                                                  PEKv5PX7Wq.exeGet hashmaliciousBrowse
                                                  • 178.79.242.0
                                                  R6QyqCNJgljVTjY.exeGet hashmaliciousBrowse
                                                  • 178.79.242.0
                                                  SsbgfSoVLC.exeGet hashmaliciousBrowse
                                                  • 178.79.242.0
                                                  pvHBhNUyIm.exeGet hashmaliciousBrowse
                                                  • 178.79.242.0
                                                  Request For New Qoute - Ist Order.exeGet hashmaliciousBrowse
                                                  • 178.79.242.0
                                                  569vj51Zrs.exeGet hashmaliciousBrowse
                                                  • 178.79.242.0
                                                  correction HAWB.exeGet hashmaliciousBrowse
                                                  • 178.79.242.0
                                                  correction HAWB.exeGet hashmaliciousBrowse
                                                  • 178.79.242.0
                                                  Statement of Account.exeGet hashmaliciousBrowse
                                                  • 178.79.242.128
                                                  Statement of Account.exeGet hashmaliciousBrowse
                                                  • 178.79.242.128
                                                  jh6KzwrXQp.exeGet hashmaliciousBrowse
                                                  • 178.79.242.0
                                                  heX1kOkwqy.exeGet hashmaliciousBrowse
                                                  • 178.79.242.0
                                                  mixsix_20211013-084409.exeGet hashmaliciousBrowse
                                                  • 178.79.242.0
                                                  2rd Quater Order Quotation.zip.xlsGet hashmaliciousBrowse
                                                  • 178.79.242.128
                                                  DOC REC EIPT.htmlGet hashmaliciousBrowse
                                                  • 178.79.242.128

                                                  ASN

                                                  MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                  HETZNER-ASDEGR01DtRd0N.exeGet hashmaliciousBrowse
                                                  • 88.99.75.82
                                                  Payment_Swift,png.exeGet hashmaliciousBrowse
                                                  • 78.46.56.160
                                                  PO 211011-021A.exeGet hashmaliciousBrowse
                                                  • 136.243.159.53
                                                  S27f5MP8UeGet hashmaliciousBrowse
                                                  • 5.75.211.8
                                                  75lT7DuXrs.exeGet hashmaliciousBrowse
                                                  • 168.119.93.163
                                                  #Ud83d#Udcde-youse.guia-644-46204-282109.htmGet hashmaliciousBrowse
                                                  • 95.217.53.76
                                                  6Vk012xoynGet hashmaliciousBrowse
                                                  • 144.79.90.35
                                                  tmDSSwkOAMGet hashmaliciousBrowse
                                                  • 94.130.40.209
                                                  8r3HRghvXXGet hashmaliciousBrowse
                                                  • 95.217.66.142
                                                  ARK Survival legit hack by Spyro.exeGet hashmaliciousBrowse
                                                  • 135.181.170.169
                                                  M12s7KNFDg.exeGet hashmaliciousBrowse
                                                  • 138.201.79.103
                                                  NBA 2K21 Cheat by Spyro.exeGet hashmaliciousBrowse
                                                  • 135.181.170.169
                                                  Gsdqz.dllGet hashmaliciousBrowse
                                                  • 116.203.98.109
                                                  4tOOUNDwaW.exeGet hashmaliciousBrowse
                                                  • 188.34.163.98
                                                  7ofFMoirr5.exeGet hashmaliciousBrowse
                                                  • 188.34.163.98
                                                  HUTWMrDhov.dllGet hashmaliciousBrowse
                                                  • 116.203.98.109
                                                  SecuriteInfo.com.W32.AIDetect.malware1.10225.exeGet hashmaliciousBrowse
                                                  • 188.34.163.98
                                                  0q3K4qJqQT.exeGet hashmaliciousBrowse
                                                  • 88.99.75.82
                                                  SecuriteInfo.com.BackDoor.SpyBotNET.25.23695.exeGet hashmaliciousBrowse
                                                  • 116.202.174.203
                                                  FTdhc25gn8.exeGet hashmaliciousBrowse
                                                  • 88.99.75.82

                                                  JA3 Fingerprints

                                                  No context

                                                  Dropped Files

                                                  MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                  C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exeSecuriteInfo.com.BackDoor.SpyBotNET.25.23695.exeGet hashmaliciousBrowse
                                                    DHL consignment number_600595460.xlsxGet hashmaliciousBrowse

                                                      Created / dropped Files

                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BnevyAj.exe.log
                                                      Process:C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):1308
                                                      Entropy (8bit):5.348115897127242
                                                      Encrypted:false
                                                      SSDEEP:24:MLUE4KJXE4qpE4Ks2E1qE4qpAE4Kzr7RKDE4KhK3VZ9pKhPKIE4oKFKHKorE4x88:MIHKtH2HKXE1qHmAHKzvRYHKhQnoPtH2
                                                      MD5:832D6A22CE7798D72609B9C21B4AF152
                                                      SHA1:B086DE927BFEE6039F5555CE53C397D1E59B4CA4
                                                      SHA-256:9E5EE72EF293C66406AF155572BF3B0CF9DA09CC1F60ED6524AAFD65553CE551
                                                      SHA-512:A1A70F76B98C2478830AE737B4F12507D859365F046C5A415E1EBE3D87FFD2B64663A31E1E5142F7C3A7FE9A6A9CB8C143C2E16E94C3DD6041D1CCABEDDD2C21
                                                      Malicious:false
                                                      Reputation:moderate, very likely benign file
                                                      Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows
                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vbc.exe.log
                                                      Process:C:\Users\user\Desktop\vbc.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):1308
                                                      Entropy (8bit):5.348115897127242
                                                      Encrypted:false
                                                      SSDEEP:24:MLUE4KJXE4qpE4Ks2E1qE4qpAE4Kzr7RKDE4KhK3VZ9pKhPKIE4oKFKHKorE4x88:MIHKtH2HKXE1qHmAHKzvRYHKhQnoPtH2
                                                      MD5:832D6A22CE7798D72609B9C21B4AF152
                                                      SHA1:B086DE927BFEE6039F5555CE53C397D1E59B4CA4
                                                      SHA-256:9E5EE72EF293C66406AF155572BF3B0CF9DA09CC1F60ED6524AAFD65553CE551
                                                      SHA-512:A1A70F76B98C2478830AE737B4F12507D859365F046C5A415E1EBE3D87FFD2B64663A31E1E5142F7C3A7FE9A6A9CB8C143C2E16E94C3DD6041D1CCABEDDD2C21
                                                      Malicious:true
                                                      Reputation:moderate, very likely benign file
                                                      Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows
                                                      C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe
                                                      Process:C:\Users\user\Desktop\vbc.exe
                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):564736
                                                      Entropy (8bit):7.0819561487133305
                                                      Encrypted:false
                                                      SSDEEP:6144:0MkhBXuLbabNr+o6RxQbACvuj8qLhT7uu5ziEjPY2hL1Vkebv0duOjwYB:vSBXuLbalbMebAr9LNu3KY8L1u+0j1
                                                      MD5:A665B705B9381B33AAA9E307FE340AF7
                                                      SHA1:A6FBA4F009921B1DE9D524047BCB7FA0E571A116
                                                      SHA-256:DC07322EF1652695B5E85BFD5D6DA8C5B6C311D26FF13EB18A390CD4B7232203
                                                      SHA-512:B7E7FF96DCE12935C71B6E6B6FC74652CD08725D8DE29A91E35B0D4F8F351D14F371E2D48A3AB5FE733003764AF09B6BE6DC6D943112B596FA2B09A7638BBAEE
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: Metadefender, Detection: 23%, Browse
                                                      • Antivirus: ReversingLabs, Detection: 44%
                                                      Joe Sandbox View:
                                                      • Filename: SecuriteInfo.com.BackDoor.SpyBotNET.25.23695.exe, Detection: malicious, Browse
                                                      • Filename: DHL consignment number_600595460.xlsx, Detection: malicious, Browse
                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...S.fa..............0..(...t......RF... ...`....@.. ....................................@..................................F..O....`..(q........................................................................... ............... ..H............text...X&... ...(.................. ..`.rsrc...(q...`...r...*..............@..@.reloc..............................@..B................4F......H.......Lb...O......Y...`................................................0..V.........}......*.*s....}......}......}.....(.......(......{....r...po......{....r...po.....*...0.............(....&.{.........,....8....sA...%.{.....|....(....Z.{.....|....(....Z . &.s....} ...%.}......{ ...(.........(....o........+c...+C.....X.].......,+..(.......{....Z...{....Z.{.....{....o ........X.....|....(..........-....X.....|....(..........-......,...o!.....sB........|....(.....|....(....s"
                                                      C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe:Zone.Identifier
                                                      Process:C:\Users\user\Desktop\vbc.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:modified
                                                      Size (bytes):26
                                                      Entropy (8bit):3.95006375643621
                                                      Encrypted:false
                                                      SSDEEP:3:ggPYV:rPYV
                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                      Malicious:true
                                                      Preview: [ZoneTransfer]....ZoneId=0

                                                      Static File Info

                                                      General

                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Entropy (8bit):7.0819561487133305
                                                      TrID:
                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                      • DOS Executable Generic (2002/1) 0.01%
                                                      File name:vbc.exe
                                                      File size:564736
                                                      MD5:a665b705b9381b33aaa9e307fe340af7
                                                      SHA1:a6fba4f009921b1de9d524047bcb7fa0e571a116
                                                      SHA256:dc07322ef1652695b5e85bfd5d6da8c5b6c311d26ff13eb18a390cd4b7232203
                                                      SHA512:b7e7ff96dce12935c71b6e6b6fc74652cd08725d8de29a91e35b0d4f8f351d14f371e2d48a3ab5fe733003764af09b6be6dc6d943112b596fa2b09a7638bbaee
                                                      SSDEEP:6144:0MkhBXuLbabNr+o6RxQbACvuj8qLhT7uu5ziEjPY2hL1Vkebv0duOjwYB:vSBXuLbalbMebAr9LNu3KY8L1u+0j1
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...S.fa..............0..(...t......RF... ...`....@.. ....................................@................................

                                                      File Icon

                                                      Icon Hash:0c529252d9cce41b

                                                      Static PE Info

                                                      General

                                                      Entrypoint:0x464652
                                                      Entrypoint Section:.text
                                                      Digitally signed:false
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                      Time Stamp:0x61668753 [Wed Oct 13 07:14:27 2021 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:v4.0.30319
                                                      OS Version Major:4
                                                      OS Version Minor:0
                                                      File Version Major:4
                                                      File Version Minor:0
                                                      Subsystem Version Major:4
                                                      Subsystem Version Minor:0
                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                      Entrypoint Preview

                                                      Instruction
                                                      jmp dword ptr [00402000h]
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al

                                                      Data Directories

                                                      NameVirtual AddressVirtual Size Is in Section
                                                      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_IMPORT0x646000x4f.text
                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE0x660000x27128.rsrc
                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC0x8e0000xc.reloc
                                                      IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                      Sections

                                                      NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                      .text0x20000x626580x62800False0.889331178617data7.80231606159IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                      .rsrc0x660000x271280x27200False0.141298921725data3.94408724321IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                      .reloc0x8e0000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                      Resources

                                                      NameRVASizeTypeLanguageCountry
                                                      RT_ICON0x662200xe8acdata
                                                      RT_ICON0x74acc0x10a8dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
                                                      RT_ICON0x75b740x25a8dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
                                                      RT_ICON0x7811c0x4228dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0
                                                      RT_ICON0x7c3440x10828dBase III DBT, version number 0, next free block index 40
                                                      RT_GROUP_ICON0x8cb6c0x14data
                                                      RT_GROUP_ICON0x8cb800x4cdata
                                                      RT_VERSION0x8cbcc0x370data
                                                      RT_MANIFEST0x8cf3c0x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                      Imports

                                                      DLLImport
                                                      mscoree.dll_CorExeMain

                                                      Version Infos

                                                      DescriptionData
                                                      Translation0x0000 0x04b0
                                                      LegalCopyrightCopyright Gottschalks 2011
                                                      Assembly Version1.0.0.0
                                                      InternalNameIsolatedStorageFi.exe
                                                      FileVersion1.0.0.0
                                                      CompanyNameGottschalks
                                                      LegalTrademarks
                                                      Comments
                                                      ProductNameMapEditor1
                                                      ProductVersion1.0.0.0
                                                      FileDescriptionMapEditor1
                                                      OriginalFilenameIsolatedStorageFi.exe

                                                      Network Behavior

                                                      Network Port Distribution

                                                      TCP Packets

                                                      TimestampSource PortDest PortSource IPDest IP
                                                      Oct 14, 2021 08:47:05.213349104 CEST49884587192.168.2.4116.202.174.203
                                                      Oct 14, 2021 08:47:05.235928059 CEST58749884116.202.174.203192.168.2.4
                                                      Oct 14, 2021 08:47:05.236557007 CEST49884587192.168.2.4116.202.174.203
                                                      Oct 14, 2021 08:47:05.534688950 CEST58749884116.202.174.203192.168.2.4
                                                      Oct 14, 2021 08:47:05.536415100 CEST49884587192.168.2.4116.202.174.203
                                                      Oct 14, 2021 08:47:05.557899952 CEST58749884116.202.174.203192.168.2.4
                                                      Oct 14, 2021 08:47:05.558201075 CEST49884587192.168.2.4116.202.174.203
                                                      Oct 14, 2021 08:47:05.581259966 CEST58749884116.202.174.203192.168.2.4
                                                      Oct 14, 2021 08:47:05.623823881 CEST49884587192.168.2.4116.202.174.203
                                                      Oct 14, 2021 08:47:05.685749054 CEST49884587192.168.2.4116.202.174.203
                                                      Oct 14, 2021 08:47:05.714250088 CEST58749884116.202.174.203192.168.2.4
                                                      Oct 14, 2021 08:47:05.714277029 CEST58749884116.202.174.203192.168.2.4
                                                      Oct 14, 2021 08:47:05.714293003 CEST58749884116.202.174.203192.168.2.4
                                                      Oct 14, 2021 08:47:05.714304924 CEST58749884116.202.174.203192.168.2.4
                                                      Oct 14, 2021 08:47:05.714365959 CEST49884587192.168.2.4116.202.174.203
                                                      Oct 14, 2021 08:47:05.714437008 CEST49884587192.168.2.4116.202.174.203
                                                      Oct 14, 2021 08:47:05.716888905 CEST58749884116.202.174.203192.168.2.4
                                                      Oct 14, 2021 08:47:05.753770113 CEST49884587192.168.2.4116.202.174.203
                                                      Oct 14, 2021 08:47:05.775552988 CEST58749884116.202.174.203192.168.2.4
                                                      Oct 14, 2021 08:47:05.826987982 CEST49884587192.168.2.4116.202.174.203
                                                      Oct 14, 2021 08:47:06.164921045 CEST49884587192.168.2.4116.202.174.203
                                                      Oct 14, 2021 08:47:06.186460972 CEST58749884116.202.174.203192.168.2.4
                                                      Oct 14, 2021 08:47:06.188076973 CEST49884587192.168.2.4116.202.174.203
                                                      Oct 14, 2021 08:47:06.211909056 CEST58749884116.202.174.203192.168.2.4
                                                      Oct 14, 2021 08:47:06.213227987 CEST49884587192.168.2.4116.202.174.203
                                                      Oct 14, 2021 08:47:06.243670940 CEST58749884116.202.174.203192.168.2.4
                                                      Oct 14, 2021 08:47:06.244704962 CEST49884587192.168.2.4116.202.174.203
                                                      Oct 14, 2021 08:47:06.266201973 CEST58749884116.202.174.203192.168.2.4
                                                      Oct 14, 2021 08:47:06.266877890 CEST49884587192.168.2.4116.202.174.203
                                                      Oct 14, 2021 08:47:06.299679041 CEST58749884116.202.174.203192.168.2.4
                                                      Oct 14, 2021 08:47:06.300473928 CEST49884587192.168.2.4116.202.174.203
                                                      Oct 14, 2021 08:47:06.321907997 CEST58749884116.202.174.203192.168.2.4
                                                      Oct 14, 2021 08:47:06.324021101 CEST49884587192.168.2.4116.202.174.203
                                                      Oct 14, 2021 08:47:06.324489117 CEST49884587192.168.2.4116.202.174.203
                                                      Oct 14, 2021 08:47:06.326102972 CEST49884587192.168.2.4116.202.174.203
                                                      Oct 14, 2021 08:47:06.326271057 CEST49884587192.168.2.4116.202.174.203
                                                      Oct 14, 2021 08:47:06.345870972 CEST58749884116.202.174.203192.168.2.4
                                                      Oct 14, 2021 08:47:06.345899105 CEST58749884116.202.174.203192.168.2.4
                                                      Oct 14, 2021 08:47:06.347266912 CEST58749884116.202.174.203192.168.2.4
                                                      Oct 14, 2021 08:47:06.347373962 CEST58749884116.202.174.203192.168.2.4
                                                      Oct 14, 2021 08:47:06.348305941 CEST58749884116.202.174.203192.168.2.4
                                                      Oct 14, 2021 08:47:06.390258074 CEST49884587192.168.2.4116.202.174.203

                                                      UDP Packets

                                                      TimestampSource PortDest PortSource IPDest IP
                                                      Oct 14, 2021 08:47:04.976264000 CEST6242053192.168.2.48.8.8.8
                                                      Oct 14, 2021 08:47:05.003859997 CEST53624208.8.8.8192.168.2.4
                                                      Oct 14, 2021 08:47:05.035196066 CEST6057953192.168.2.48.8.8.8
                                                      Oct 14, 2021 08:47:05.062493086 CEST53605798.8.8.8192.168.2.4

                                                      DNS Queries

                                                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                      Oct 14, 2021 08:47:04.976264000 CEST192.168.2.48.8.8.80x6a38Standard query (0)mail.croatiahunt.comA (IP address)IN (0x0001)
                                                      Oct 14, 2021 08:47:05.035196066 CEST192.168.2.48.8.8.80xc729Standard query (0)mail.croatiahunt.comA (IP address)IN (0x0001)

                                                      DNS Answers

                                                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                      Oct 14, 2021 08:45:57.393074989 CEST8.8.8.8192.168.2.40x91c9No error (0)windowsupdate.s.llnwi.net178.79.242.0A (IP address)IN (0x0001)
                                                      Oct 14, 2021 08:47:05.003859997 CEST8.8.8.8192.168.2.40x6a38No error (0)mail.croatiahunt.comcroatiahunt.comCNAME (Canonical name)IN (0x0001)
                                                      Oct 14, 2021 08:47:05.003859997 CEST8.8.8.8192.168.2.40x6a38No error (0)croatiahunt.com116.202.174.203A (IP address)IN (0x0001)
                                                      Oct 14, 2021 08:47:05.062493086 CEST8.8.8.8192.168.2.40xc729No error (0)mail.croatiahunt.comcroatiahunt.comCNAME (Canonical name)IN (0x0001)
                                                      Oct 14, 2021 08:47:05.062493086 CEST8.8.8.8192.168.2.40xc729No error (0)croatiahunt.com116.202.174.203A (IP address)IN (0x0001)

                                                      SMTP Packets

                                                      TimestampSource PortDest PortSource IPDest IPCommands
                                                      Oct 14, 2021 08:47:05.534688950 CEST58749884116.202.174.203192.168.2.4220-srv1.kuhada.com ESMTP Exim 4.94.2 #2 Thu, 14 Oct 2021 08:47:05 +0200
                                                      220-We do not authorize the use of this system to transport unsolicited,
                                                      220 and/or bulk e-mail.
                                                      Oct 14, 2021 08:47:05.536415100 CEST49884587192.168.2.4116.202.174.203EHLO 980108
                                                      Oct 14, 2021 08:47:05.557899952 CEST58749884116.202.174.203192.168.2.4250-srv1.kuhada.com Hello 980108 [102.129.143.33]
                                                      250-SIZE 52428800
                                                      250-8BITMIME
                                                      250-PIPELINING
                                                      250-PIPE_CONNECT
                                                      250-AUTH PLAIN LOGIN
                                                      250-STARTTLS
                                                      250 HELP
                                                      Oct 14, 2021 08:47:05.558201075 CEST49884587192.168.2.4116.202.174.203STARTTLS
                                                      Oct 14, 2021 08:47:05.581259966 CEST58749884116.202.174.203192.168.2.4220 TLS go ahead

                                                      Code Manipulations

                                                      Statistics

                                                      Behavior

                                                      Click to jump to process

                                                      System Behavior

                                                      Analysis Process: vbc.exe PID: 7088 Parent PID: 6032

                                                      General

                                                      Start time:08:45:09
                                                      Start date:14/10/2021
                                                      Path:C:\Users\user\Desktop\vbc.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:'C:\Users\user\Desktop\vbc.exe'
                                                      Imagebase:0x340000
                                                      File size:564736 bytes
                                                      MD5 hash:A665B705B9381B33AAA9E307FE340AF7
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Yara matches:
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.682512073.00000000037B9000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.682512073.00000000037B9000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.681665906.00000000027B1000.00000004.00000001.sdmp, Author: Joe Security
                                                      Reputation:low

                                                      Analysis Process: vbc.exe PID: 6404 Parent PID: 7088

                                                      General

                                                      Start time:08:45:18
                                                      Start date:14/10/2021
                                                      Path:C:\Users\user\Desktop\vbc.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Users\user\Desktop\vbc.exe
                                                      Imagebase:0xb70000
                                                      File size:564736 bytes
                                                      MD5 hash:A665B705B9381B33AAA9E307FE340AF7
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Yara matches:
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.928707796.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.928707796.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.931931603.0000000002F41000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.931931603.0000000002F41000.00000004.00000001.sdmp, Author: Joe Security
                                                      Reputation:low

                                                      Analysis Process: BnevyAj.exe PID: 4624 Parent PID: 3424

                                                      General

                                                      Start time:08:45:54
                                                      Start date:14/10/2021
                                                      Path:C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:'C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe'
                                                      Imagebase:0x230000
                                                      File size:564736 bytes
                                                      MD5 hash:A665B705B9381B33AAA9E307FE340AF7
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Yara matches:
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.766014828.0000000003539000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000B.00000002.766014828.0000000003539000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000B.00000002.765416031.0000000002531000.00000004.00000001.sdmp, Author: Joe Security
                                                      Antivirus matches:
                                                      • Detection: 23%, Metadefender, Browse
                                                      • Detection: 44%, ReversingLabs
                                                      Reputation:low

                                                      Analysis Process: BnevyAj.exe PID: 6176 Parent PID: 4624

                                                      General

                                                      Start time:08:45:56
                                                      Start date:14/10/2021
                                                      Path:C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe
                                                      Imagebase:0x470000
                                                      File size:564736 bytes
                                                      MD5 hash:A665B705B9381B33AAA9E307FE340AF7
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Yara matches:
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.928744553.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000E.00000002.928744553.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.931844597.00000000029A1000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.931844597.00000000029A1000.00000004.00000001.sdmp, Author: Joe Security
                                                      Reputation:low

                                                      Analysis Process: BnevyAj.exe PID: 3144 Parent PID: 3424

                                                      General

                                                      Start time:08:46:02
                                                      Start date:14/10/2021
                                                      Path:C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:'C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe'
                                                      Imagebase:0x40000
                                                      File size:564736 bytes
                                                      MD5 hash:A665B705B9381B33AAA9E307FE340AF7
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Yara matches:
                                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000010.00000002.786078448.0000000002481000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.786781735.0000000003489000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000010.00000002.786781735.0000000003489000.00000004.00000001.sdmp, Author: Joe Security
                                                      Reputation:low

                                                      Analysis Process: BnevyAj.exe PID: 5840 Parent PID: 3144

                                                      General

                                                      Start time:08:46:06
                                                      Start date:14/10/2021
                                                      Path:C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe
                                                      Imagebase:0x30000
                                                      File size:564736 bytes
                                                      MD5 hash:A665B705B9381B33AAA9E307FE340AF7
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:low

                                                      Analysis Process: BnevyAj.exe PID: 4640 Parent PID: 3144

                                                      General

                                                      Start time:08:46:06
                                                      Start date:14/10/2021
                                                      Path:C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe
                                                      Imagebase:0x5e0000
                                                      File size:564736 bytes
                                                      MD5 hash:A665B705B9381B33AAA9E307FE340AF7
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Yara matches:
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.928744367.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000012.00000002.928744367.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.931305015.0000000002991000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.931305015.0000000002991000.00000004.00000001.sdmp, Author: Joe Security
                                                      Reputation:low

                                                      Disassembly

                                                      Code Analysis

                                                      Reset < >