Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
vbc.exe

Overview

General Information

Sample Name:vbc.exe
Analysis ID:562293
MD5:345ebabc50767d04f3457fa7790a8777
SHA1:f822fa282003b1a3f9301156aa5639a6928b93fd
SHA256:2ca98a5a8b6bdd9eac1fdf5c05e42792883dea0ae402a6148bc6f04204cc6b72
Tags:exe
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Antivirus detection for URL or domain
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • vbc.exe (PID: 6908 cmdline: "C:\Users\user\Desktop\vbc.exe" MD5: 345EBABC50767D04F3457FA7790A8777)
    • vbc.exe (PID: 6736 cmdline: C:\Users\user\Desktop\vbc.exe MD5: 345EBABC50767D04F3457FA7790A8777)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "FTP Host": "ftp://primesinsured.com/", "Username": "oil1@primesinsured.com", "Password": "R0r?~C#w}a*s"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000B.00000000.328761278.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    0000000B.00000000.328761278.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
      0000000B.00000000.329971875.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        0000000B.00000000.329971875.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
          0000000B.00000000.329385221.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 19 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.2.vbc.exe.25ad8bc.1.raw.unpackJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
              0.2.vbc.exe.25ad8bc.1.raw.unpackINDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPasteDetects executables potentially checking for WinJail sandbox windowditekSHen
              • 0x8860:$v1: SbieDll.dll
              • 0x887a:$v2: USER
              • 0x8886:$v3: SANDBOX
              • 0x8898:$v4: VIRUS
              • 0x88e8:$v4: VIRUS
              • 0x88a6:$v5: MALWARE
              • 0x88b8:$v6: SCHMIDTI
              • 0x88cc:$v7: CURRENTUSER
              11.0.vbc.exe.400000.12.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                11.0.vbc.exe.400000.12.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                  11.0.vbc.exe.400000.12.unpackMALWARE_Win_AgentTeslaV3AgentTeslaV3 infostealer payloadditekSHen
                  • 0x30c4a:$s1: get_kbok
                  • 0x3157e:$s2: get_CHoo
                  • 0x321d9:$s3: set_passwordIsSet
                  • 0x30a4e:$s4: get_enableLog
                  • 0x350f3:$s8: torbrowser
                  • 0x33acf:$s10: logins
                  • 0x33447:$s11: credential
                  • 0x2fe39:$g1: get_Clipboard
                  • 0x2fe47:$g2: get_Keyboard
                  • 0x2fe54:$g3: get_Password
                  • 0x3142c:$g4: get_CtrlKeyDown
                  • 0x3143c:$g5: get_ShiftKeyDown
                  • 0x3144d:$g6: get_AltKeyDown
                  Click to see the 29 entries

                  Sigma Overview

                  No Sigma rule has matched

                  Jbx Signature Overview

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection

                  barindex
                  Found malware configuration
                  Source: 0.2.vbc.exe.35c3d80.3.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "FTP Host": "ftp://primesinsured.com/", "Username": "oil1@primesinsured.com", "Password": "R0r?~C#w}a*s"}
                  Antivirus detection for URL or domain
                  Source: ftp://primesinsured.com/oil1Avira URL Cloud: Label: malware
                  Source: http://primesinsured.comAvira URL Cloud: Label: malware
                  Machine Learning detection for sample
                  Source: vbc.exeJoe Sandbox ML: detected
                  Source: 11.2.vbc.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                  Source: 11.0.vbc.exe.400000.12.unpackAvira: Label: TR/Spy.Gen8
                  Source: 11.0.vbc.exe.400000.4.unpackAvira: Label: TR/Spy.Gen8
                  Source: 11.0.vbc.exe.400000.10.unpackAvira: Label: TR/Spy.Gen8
                  Source: 11.0.vbc.exe.400000.8.unpackAvira: Label: TR/Spy.Gen8
                  Source: 11.0.vbc.exe.400000.6.unpackAvira: Label: TR/Spy.Gen8
                  Source: vbc.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                  Source: vbc.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Source: Binary string: CallConvFastca.pdbx2 source: vbc.exe
                  Source: Binary string: CallConvFastca.pdb source: vbc.exe

                  Networking

                  barindex
                  Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
                  Source: TrafficSnort IDS: 2029927 ET TROJAN AgentTesla Exfil via FTP 192.168.2.3:49812 -> 199.188.206.78:21
                  Source: TrafficSnort IDS: 2029928 ET TROJAN AgentTesla HTML System Info Report Exfil via FTP 192.168.2.3:49813 -> 199.188.206.78:12034
                  Source: vbc.exe, 0000000B.00000002.553475685.0000000002A01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: ftp://primesinsured.com/oil1
                  Source: vbc.exe, 0000000B.00000002.553475685.0000000002A01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                  Source: vbc.exe, 0000000B.00000002.553475685.0000000002A01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://DynDns.comDynDNS
                  Source: vbc.exe, 0000000B.00000002.553475685.0000000002A01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://FujuYs.com
                  Source: vbc.exe, 00000000.00000002.333271160.0000000002561000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://blog.iandreev.com
                  Source: vbc.exe, 00000000.00000002.333271160.0000000002561000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://blog.iandreev.com/
                  Source: vbc.exe, 00000000.00000003.288085898.00000000054B6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://en.wl
                  Source: vbc.exe, 00000000.00000002.336191347.0000000006742000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com
                  Source: vbc.exe, 0000000B.00000002.552364653.0000000000C15000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://go.microsoft.c
                  Source: vbc.exe, 0000000B.00000002.553724547.0000000002B3E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://primesinsured.com
                  Source: vbc.exe, 0000000B.00000002.553724547.0000000002B3E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: vbc.exe, 00000000.00000003.295478848.00000000054B7000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.295650010.00000000054B7000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000002.336191347.0000000006742000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                  Source: vbc.exe, 00000000.00000002.336191347.0000000006742000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                  Source: vbc.exe, 00000000.00000003.320318684.00000000054B7000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.306388872.00000000054BE000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000002.336191347.0000000006742000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                  Source: vbc.exe, 00000000.00000002.336191347.0000000006742000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                  Source: vbc.exe, 00000000.00000002.336191347.0000000006742000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                  Source: vbc.exe, 00000000.00000003.305314451.00000000054BD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
                  Source: vbc.exe, 00000000.00000002.336191347.0000000006742000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                  Source: vbc.exe, 00000000.00000002.336191347.0000000006742000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                  Source: vbc.exe, 00000000.00000002.336191347.0000000006742000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                  Source: vbc.exe, 00000000.00000003.320831898.00000000054B7000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.320318684.00000000054B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers;YHB
                  Source: vbc.exe, 00000000.00000002.336191347.0000000006742000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                  Source: vbc.exe, 00000000.00000002.336191347.0000000006742000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                  Source: vbc.exe, 00000000.00000003.319218724.00000000054B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersi
                  Source: vbc.exe, 00000000.00000003.306388872.00000000054BE000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.306108860.00000000054BC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comals
                  Source: vbc.exe, 00000000.00000003.306388872.00000000054BE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comcomp
                  Source: vbc.exe, 00000000.00000003.305314451.00000000054BD000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.306388872.00000000054BE000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.306108860.00000000054BC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comd
                  Source: vbc.exe, 00000000.00000003.319218724.00000000054B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comgrita
                  Source: vbc.exe, 00000000.00000003.306388872.00000000054BE000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.306108860.00000000054BC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comicF
                  Source: vbc.exe, 00000000.00000003.305314451.00000000054BD000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.306388872.00000000054BE000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.306108860.00000000054BC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comitu
                  Source: vbc.exe, 00000000.00000003.321182512.00000000054B7000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.319218724.00000000054B7000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000002.335938157.00000000054B0000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.321670315.00000000054B7000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.320318684.00000000054B7000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.321479989.00000000054B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comm
                  Source: vbc.exe, 00000000.00000003.321182512.00000000054B7000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.320831898.00000000054B7000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.321670315.00000000054B7000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.320318684.00000000054B7000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.321479989.00000000054B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.commFQ
                  Source: vbc.exe, 00000000.00000003.320831898.00000000054B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.commi
                  Source: vbc.exe, 00000000.00000003.306108860.00000000054BC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comp
                  Source: vbc.exe, 00000000.00000002.336191347.0000000006742000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                  Source: vbc.exe, 00000000.00000003.294003102.00000000054B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.c
                  Source: vbc.exe, 00000000.00000003.294003102.00000000054B7000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.293797382.00000000054B5000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000002.336191347.0000000006742000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.293458280.00000000054B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                  Source: vbc.exe, 00000000.00000002.336191347.0000000006742000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                  Source: vbc.exe, 00000000.00000002.336191347.0000000006742000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                  Source: vbc.exe, 00000000.00000003.294003102.00000000054B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnl-n%U
                  Source: vbc.exe, 00000000.00000003.294003102.00000000054B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cns-cUUfBc
                  Source: vbc.exe, 00000000.00000002.336191347.0000000006742000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                  Source: vbc.exe, 00000000.00000002.336191347.0000000006742000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                  Source: vbc.exe, 00000000.00000002.336191347.0000000006742000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                  Source: vbc.exe, 00000000.00000003.298537749.00000000054BD000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000002.336191347.0000000006742000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.296903307.00000000054BB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.298820030.00000000054BD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                  Source: vbc.exe, 00000000.00000003.296903307.00000000054BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/es-e
                  Source: vbc.exe, 00000000.00000003.298537749.00000000054BD000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.298820030.00000000054BD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                  Source: vbc.exe, 00000000.00000003.296903307.00000000054BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/s/
                  Source: vbc.exe, 00000000.00000003.300582206.00000000054E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.monotype.
                  Source: vbc.exe, 00000000.00000003.294353802.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.292252659.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.289073327.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.296400065.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.294783206.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.294577733.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.297070022.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.296519635.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.297183571.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.288494722.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.295211744.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.296861565.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.288094358.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.290579536.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.288206661.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.288301726.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.292091403.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.288611613.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.292994787.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.290816348.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.290719007.00000000054CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                  Source: vbc.exe, 00000000.00000003.294353802.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.292252659.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.289073327.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.296400065.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.294783206.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.294577733.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.297070022.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.296519635.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.297183571.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.288494722.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.295211744.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.296861565.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.288094358.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.290579536.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.288206661.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.288301726.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.292091403.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.288611613.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.292994787.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.290816348.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.290719007.00000000054CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.come
                  Source: vbc.exe, 00000000.00000002.336191347.0000000006742000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.298484465.00000000054E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                  Source: vbc.exe, 00000000.00000002.336191347.0000000006742000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                  Source: vbc.exe, 00000000.00000002.336191347.0000000006742000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                  Source: vbc.exe, 00000000.00000002.336191347.0000000006742000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                  Source: vbc.exe, 00000000.00000002.336191347.0000000006742000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                  Source: vbc.exe, 00000000.00000002.336191347.0000000006742000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                  Source: vbc.exe, 0000000B.00000002.553640678.0000000002AB6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://vknyDOC1PaH7u.com
                  Source: vbc.exe, 0000000B.00000002.553640678.0000000002AB6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://vknyDOC1PaH7u.comD
                  Source: vbc.exe, 00000000.00000002.334205520.0000000003569000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000B.00000000.328761278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000B.00000000.328353324.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                  Source: vbc.exe, 0000000B.00000002.553475685.0000000002A01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                  Source: unknownDNS traffic detected: queries for: primesinsured.com

                  System Summary

                  barindex
                  Malicious sample detected (through community Yara rule)
                  Source: 0.2.vbc.exe.25ad8bc.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
                  Source: 11.0.vbc.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                  Source: 0.2.vbc.exe.35c3d80.3.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                  Source: 11.0.vbc.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                  Source: 11.0.vbc.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                  Source: 11.0.vbc.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                  Source: 0.2.vbc.exe.35f9da0.4.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                  Source: 11.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                  Source: 11.0.vbc.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                  Source: 0.2.vbc.exe.262cd90.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
                  Source: 0.2.vbc.exe.35c3d80.3.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                  Source: 0.2.vbc.exe.35f9da0.4.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                  Source: 0000000B.00000002.553475685.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                  Source: Process Memory Space: vbc.exe PID: 6736, type: MEMORYSTRMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                  .NET source code contains very large array initializations
                  Source: 11.2.vbc.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b1FA04608u002dF754u002d4784u002d9D27u002d53158C5E6177u007d/u003451A691Bu002d4BE7u002d43E4u002dB9BEu002d1BBD2F43E201.csLarge array initialization: .cctor: array initializer size 11947
                  Source: 11.0.vbc.exe.400000.12.unpack, u003cPrivateImplementationDetailsu003eu007b1FA04608u002dF754u002d4784u002d9D27u002d53158C5E6177u007d/u003451A691Bu002d4BE7u002d43E4u002dB9BEu002d1BBD2F43E201.csLarge array initialization: .cctor: array initializer size 11947
                  Source: 11.0.vbc.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007b1FA04608u002dF754u002d4784u002d9D27u002d53158C5E6177u007d/u003451A691Bu002d4BE7u002d43E4u002dB9BEu002d1BBD2F43E201.csLarge array initialization: .cctor: array initializer size 11947
                  Source: 11.0.vbc.exe.400000.10.unpack, u003cPrivateImplementationDetailsu003eu007b1FA04608u002dF754u002d4784u002d9D27u002d53158C5E6177u007d/u003451A691Bu002d4BE7u002d43E4u002dB9BEu002d1BBD2F43E201.csLarge array initialization: .cctor: array initializer size 11947
                  Source: vbc.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                  Source: 0.2.vbc.exe.25ad8bc.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
                  Source: 11.0.vbc.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: 0.2.vbc.exe.35c3d80.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: 11.0.vbc.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: 11.0.vbc.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: 11.0.vbc.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: 0.2.vbc.exe.35f9da0.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: 11.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: 11.0.vbc.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: 0.2.vbc.exe.262cd90.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
                  Source: 0.2.vbc.exe.35c3d80.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: 0.2.vbc.exe.35f9da0.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: 0000000B.00000002.553475685.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: Process Memory Space: vbc.exe PID: 6736, type: MEMORYSTRMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: C:\Users\user\Desktop\vbc.exeCode function: 0_2_000F82BC
                  Source: C:\Users\user\Desktop\vbc.exeCode function: 0_2_04A875FA
                  Source: C:\Users\user\Desktop\vbc.exeCode function: 0_2_04A87608
                  Source: C:\Users\user\Desktop\vbc.exeCode function: 0_2_04A8784A
                  Source: C:\Users\user\Desktop\vbc.exeCode function: 0_2_04A87858
                  Source: C:\Users\user\Desktop\vbc.exeCode function: 0_2_077A0040
                  Source: C:\Users\user\Desktop\vbc.exeCode function: 0_2_077A001B
                  Source: C:\Users\user\Desktop\vbc.exeCode function: 11_2_005982BC
                  Source: C:\Users\user\Desktop\vbc.exeCode function: 11_2_010247A0
                  Source: C:\Users\user\Desktop\vbc.exeCode function: 11_2_010246B0
                  Source: C:\Users\user\Desktop\vbc.exeCode function: 11_2_05D16508
                  Source: C:\Users\user\Desktop\vbc.exeCode function: 11_2_05D17120
                  Source: C:\Users\user\Desktop\vbc.exeCode function: 11_2_05D190D8
                  Source: C:\Users\user\Desktop\vbc.exeCode function: 11_2_05D16850
                  Source: C:\Users\user\Desktop\vbc.exeProcess Stats: CPU usage > 98%
                  Source: vbc.exe, 00000000.00000002.333499841.00000000025BC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCallConvFastca.exe4 vs vbc.exe
                  Source: vbc.exe, 00000000.00000002.333499841.00000000025BC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs vbc.exe
                  Source: vbc.exe, 00000000.00000002.333499841.00000000025BC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: i,\\StringFileInfo\\000004B0\\OriginalFilename vs vbc.exe
                  Source: vbc.exe, 00000000.00000002.333271160.0000000002561000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs vbc.exe
                  Source: vbc.exe, 00000000.00000002.333271160.0000000002561000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSafeSerializationManager.dll: vs vbc.exe
                  Source: vbc.exe, 00000000.00000002.333271160.0000000002561000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameqnrBzDfMzbzuUrHfqQEmuMLnIDuCnyDed.exe4 vs vbc.exe
                  Source: vbc.exe, 00000000.00000002.331822022.00000000001C6000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameCallConvFastca.exe4 vs vbc.exe
                  Source: vbc.exe, 00000000.00000002.333599110.0000000002618000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSafeSerializationManager.dll: vs vbc.exe
                  Source: vbc.exe, 00000000.00000002.334205520.0000000003569000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameqnrBzDfMzbzuUrHfqQEmuMLnIDuCnyDed.exe4 vs vbc.exe
                  Source: vbc.exe, 00000000.00000002.334205520.0000000003569000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUI.dllF vs vbc.exe
                  Source: vbc.exe, 00000000.00000002.337462496.0000000007650000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameUI.dllF vs vbc.exe
                  Source: vbc.exe, 0000000B.00000000.328761278.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenameqnrBzDfMzbzuUrHfqQEmuMLnIDuCnyDed.exe4 vs vbc.exe
                  Source: vbc.exe, 0000000B.00000000.328508532.0000000000666000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameCallConvFastca.exe4 vs vbc.exe
                  Source: vbc.exeBinary or memory string: OriginalFilenameCallConvFastca.exe4 vs vbc.exe
                  Source: C:\Users\user\Desktop\vbc.exeFile read: C:\Users\user\Desktop\vbc.exe:Zone.IdentifierJump to behavior
                  Source: vbc.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: unknownProcess created: C:\Users\user\Desktop\vbc.exe "C:\Users\user\Desktop\vbc.exe"
                  Source: C:\Users\user\Desktop\vbc.exeProcess created: C:\Users\user\Desktop\vbc.exe C:\Users\user\Desktop\vbc.exe
                  Source: C:\Users\user\Desktop\vbc.exeProcess created: C:\Users\user\Desktop\vbc.exe C:\Users\user\Desktop\vbc.exe
                  Source: C:\Users\user\Desktop\vbc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                  Source: C:\Users\user\Desktop\vbc.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\vbc.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vbc.exe.logJump to behavior
                  Source: classification engineClassification label: mal100.troj.evad.winEXE@3/1@1/0
                  Source: C:\Users\user\Desktop\vbc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\Desktop\vbc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: vbc.exe, Oz/uT.csCryptographic APIs: 'CreateDecryptor'
                  Source: vbc.exe, Oz/uT.csCryptographic APIs: 'CreateDecryptor'
                  Source: 0.0.vbc.exe.f0000.0.unpack, Oz/uT.csCryptographic APIs: 'CreateDecryptor'
                  Source: 0.0.vbc.exe.f0000.0.unpack, Oz/uT.csCryptographic APIs: 'CreateDecryptor'
                  Source: 0.2.vbc.exe.f0000.0.unpack, Oz/uT.csCryptographic APIs: 'CreateDecryptor'
                  Source: 0.2.vbc.exe.f0000.0.unpack, Oz/uT.csCryptographic APIs: 'CreateDecryptor'
                  Source: 11.0.vbc.exe.590000.0.unpack, Oz/uT.csCryptographic APIs: 'CreateDecryptor'
                  Source: 11.0.vbc.exe.590000.0.unpack, Oz/uT.csCryptographic APIs: 'CreateDecryptor'
                  Source: 11.2.vbc.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 11.2.vbc.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: C:\Users\user\Desktop\vbc.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: vbc.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: vbc.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Source: vbc.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: CallConvFastca.pdbx2 source: vbc.exe
                  Source: Binary string: CallConvFastca.pdb source: vbc.exe

                  Data Obfuscation

                  barindex
                  .NET source code contains potential unpacker
                  Source: vbc.exe, va/x0.cs.Net Code: eQb System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                  Source: 0.0.vbc.exe.f0000.0.unpack, va/x0.cs.Net Code: eQb System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                  Source: 0.2.vbc.exe.f0000.0.unpack, va/x0.cs.Net Code: eQb System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                  Source: 11.0.vbc.exe.590000.0.unpack, va/x0.cs.Net Code: eQb System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                  Source: 11.0.vbc.exe.590000.11.unpack, va/x0.cs.Net Code: eQb System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                  Source: 11.0.vbc.exe.590000.3.unpack, va/x0.cs.Net Code: eQb System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                  Source: 11.0.vbc.exe.590000.9.unpack, va/x0.cs.Net Code: eQb System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                  Source: 11.0.vbc.exe.590000.7.unpack, va/x0.cs.Net Code: eQb System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                  .NET source code contains method to dynamically call methods (often used by packers)
                  Source: vbc.exe, Oz/uT.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                  Source: 0.0.vbc.exe.f0000.0.unpack, Oz/uT.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                  Source: 0.2.vbc.exe.f0000.0.unpack, Oz/uT.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                  Source: 11.0.vbc.exe.590000.0.unpack, Oz/uT.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                  Source: 11.0.vbc.exe.590000.11.unpack, Oz/uT.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                  Source: 11.0.vbc.exe.590000.3.unpack, Oz/uT.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                  Source: 11.0.vbc.exe.590000.9.unpack, Oz/uT.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                  Source: 11.0.vbc.exe.590000.7.unpack, Oz/uT.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                  Source: C:\Users\user\Desktop\vbc.exeCode function: 0_2_077A3C4F pushfd ; retf
                  Source: C:\Users\user\Desktop\vbc.exeCode function: 0_2_077A3CA3 push edx; retf
                  Source: C:\Users\user\Desktop\vbc.exeCode function: 0_2_077A4486 push ebx; ret
                  Source: C:\Users\user\Desktop\vbc.exeCode function: 11_2_05D17AE8 push 8BF04589h; iretd
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\vbc.exeProcess information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  barindex
                  Yara detected AntiVM3
                  Source: Yara matchFile source: 0.2.vbc.exe.25ad8bc.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.vbc.exe.262cd90.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000002.333271160.0000000002561000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.333599110.0000000002618000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: vbc.exe PID: 6908, type: MEMORYSTR
                  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                  Source: vbc.exe, 00000000.00000002.333271160.0000000002561000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000002.333599110.0000000002618000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                  Source: vbc.exe, 00000000.00000002.333271160.0000000002561000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000002.333599110.0000000002618000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                  Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                  Source: C:\Users\user\Desktop\vbc.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                  Source: C:\Users\user\Desktop\vbc.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\vbc.exe TID: 6912Thread sleep time: -39878s >= -30000s
                  Source: C:\Users\user\Desktop\vbc.exe TID: 6956Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\vbc.exe TID: 2056Thread sleep time: -18446744073709540s >= -30000s
                  Source: C:\Users\user\Desktop\vbc.exe TID: 240Thread sleep count: 3384 > 30
                  Source: C:\Users\user\Desktop\vbc.exe TID: 240Thread sleep count: 6428 > 30
                  Source: C:\Users\user\Desktop\vbc.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\vbc.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\vbc.exeWindow / User API: threadDelayed 3384
                  Source: C:\Users\user\Desktop\vbc.exeWindow / User API: threadDelayed 6428
                  Source: C:\Users\user\Desktop\vbc.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\vbc.exeProcess information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\vbc.exeThread delayed: delay time: 39878
                  Source: C:\Users\user\Desktop\vbc.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\vbc.exeThread delayed: delay time: 922337203685477
                  Source: vbc.exe, 00000000.00000002.333599110.0000000002618000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
                  Source: vbc.exe, 00000000.00000002.333271160.0000000002561000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000002.334205520.0000000003569000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000B.00000000.328761278.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenameqnrBzDfMzbzuUrHfqQEmuMLnIDuCnyDed.exe4
                  Source: vbc.exe, 00000000.00000002.334205520.0000000003569000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000B.00000000.328761278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000B.00000000.328353324.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: qnrBzDfMzbzuUrHfqQEmuMLnIDuCnyDed.exe
                  Source: vbc.exe, 00000000.00000002.333599110.0000000002618000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: vbc.exe, 00000000.00000002.333599110.0000000002618000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                  Source: vbc.exe, 0000000B.00000002.554785822.0000000005E70000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlloo6V
                  Source: vbc.exe, 00000000.00000002.333271160.0000000002561000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000002.334205520.0000000003569000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000B.00000000.328761278.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: InternalNameqnrBzDfMzbzuUrHfqQEmuMLnIDuCnyDed.exe(
                  Source: vbc.exe, 0000000B.00000002.552944691.0000000000F30000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qnrBzDfMzbzuUrHfqQEmuMLnIDuCnyDedt
                  Source: vbc.exe, 00000000.00000002.334205520.0000000003569000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000B.00000000.328761278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000B.00000002.552944691.0000000000F30000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000B.00000002.552364653.0000000000C15000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 0000000B.00000000.328353324.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: qnrBzDfMzbzuUrHfqQEmuMLnIDuCnyDed
                  Source: vbc.exe, 00000000.00000002.333599110.0000000002618000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                  Source: C:\Users\user\Desktop\vbc.exeProcess token adjusted: Debug
                  Source: C:\Users\user\Desktop\vbc.exeMemory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  barindex
                  Injects a PE file into a foreign processes
                  Source: C:\Users\user\Desktop\vbc.exeMemory written: C:\Users\user\Desktop\vbc.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\vbc.exeProcess created: C:\Users\user\Desktop\vbc.exe C:\Users\user\Desktop\vbc.exe
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Users\user\Desktop\vbc.exe VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Users\user\Desktop\vbc.exe VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                  Source: C:\Users\user\Desktop\vbc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: C:\Users\user\Desktop\vbc.exeCode function: 11_2_05D15594 GetUserNameW,

                  Stealing of Sensitive Information

                  barindex
                  Yara detected AgentTesla
                  Source: Yara matchFile source: 11.0.vbc.exe.400000.12.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.vbc.exe.35c3d80.3.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.0.vbc.exe.400000.8.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.0.vbc.exe.400000.10.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.vbc.exe.35f9da0.4.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.vbc.exe.35c3d80.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.vbc.exe.35f9da0.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0000000B.00000000.328761278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000B.00000000.329971875.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000B.00000000.329385221.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000B.00000002.550450348.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000B.00000000.328353324.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.334205520.0000000003569000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000B.00000002.553640678.0000000002AB6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000B.00000002.553475685.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: vbc.exe PID: 6908, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: vbc.exe PID: 6736, type: MEMORYSTR
                  Source: Yara matchFile source: 0000000B.00000002.553640678.0000000002AB6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000B.00000002.553475685.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: vbc.exe PID: 6736, type: MEMORYSTR

                  Remote Access Functionality

                  barindex
                  Yara detected AgentTesla
                  Source: Yara matchFile source: 11.0.vbc.exe.400000.12.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.vbc.exe.35c3d80.3.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.0.vbc.exe.400000.8.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.0.vbc.exe.400000.10.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.vbc.exe.35f9da0.4.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 11.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.vbc.exe.35c3d80.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.vbc.exe.35f9da0.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0000000B.00000000.328761278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000B.00000000.329971875.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000B.00000000.329385221.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000B.00000002.550450348.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000B.00000000.328353324.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.334205520.0000000003569000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000B.00000002.553640678.0000000002AB6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000B.00000002.553475685.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: vbc.exe PID: 6908, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: vbc.exe PID: 6736, type: MEMORYSTR

                  Mitre Att&ck Matrix

                  Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                  Valid Accounts211
                  Windows Management Instrumentation                  		Path Interception111
                  Process Injection                  		1
                  Masquerading                  		OS Credential Dumping211
                  Security Software Discovery                  		Remote Services11
                  Archive Collected Data                  		Exfiltration Over Other Network Medium1
                  Encrypted Channel                  		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                  Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
                  Disable or Modify Tools                  		LSASS Memory1
                  Process Discovery                  		Remote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth1
                  Non-Application Layer Protocol                  		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                  Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)131
                  Virtualization/Sandbox Evasion                  		Security Account Manager131
                  Virtualization/Sandbox Evasion                  		SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration1
                  Application Layer Protocol                  		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                  Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)111
                  Process Injection                  		NTDS1
                  Application Window Discovery                  		Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
                  Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
                  Deobfuscate/Decode Files or Information                  		LSA Secrets1
                  Account Discovery                  		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                  Replication Through Removable MediaLaunchdRc.commonRc.common1
                  Obfuscated Files or Information                  		Cached Domain Credentials1
                  System Owner/User Discovery                  		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                  External Remote ServicesScheduled TaskStartup ItemsStartup Items21
                  Software Packing                  		DCSync113
                  System Information Discovery                  		Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                  windows-stand

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  SourceDetectionScannerLabelLink
                  vbc.exe100%Joe Sandbox ML

                  Dropped Files

                  No Antivirus matches

                  Unpacked PE Files

                  SourceDetectionScannerLabelLinkDownload
                  11.2.vbc.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File
                  11.0.vbc.exe.400000.12.unpack100%AviraTR/Spy.Gen8Download File
                  11.0.vbc.exe.400000.4.unpack100%AviraTR/Spy.Gen8Download File
                  11.0.vbc.exe.400000.10.unpack100%AviraTR/Spy.Gen8Download File
                  11.0.vbc.exe.400000.8.unpack100%AviraTR/Spy.Gen8Download File
                  11.0.vbc.exe.400000.6.unpack100%AviraTR/Spy.Gen8Download File

                  Domains

                  No Antivirus matches

                  URLs

                  SourceDetectionScannerLabelLink
                  http://www.founder.com.cn/cns-cUUfBc0%Avira URL Cloudsafe
                  http://127.0.0.1:HTTP/1.10%Avira URL Cloudsafe
                  http://blog.iandreev.com/0%Avira URL Cloudsafe
                  http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                  http://www.tiro.com0%URL Reputationsafe
                  http://www.founder.c0%URL Reputationsafe
                  http://www.jiyu-kobo.co.jp/s/0%Avira URL Cloudsafe
                  http://www.goodfont.co.kr0%URL Reputationsafe
                  http://www.sajatypeworks.com0%URL Reputationsafe
                  http://www.typography.netD0%URL Reputationsafe
                  https://vknyDOC1PaH7u.com0%Avira URL Cloudsafe
                  http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                  http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                  http://fontfabrik.com0%URL Reputationsafe
                  http://www.fontbureau.comgrita0%URL Reputationsafe
                  http://www.fontbureau.commFQ0%Avira URL Cloudsafe
                  http://en.wl0%Avira URL Cloudsafe
                  http://FujuYs.com0%Avira URL Cloudsafe
                  http://www.fontbureau.comicF0%Avira URL Cloudsafe
                  http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                  https://vknyDOC1PaH7u.comD0%Avira URL Cloudsafe
                  http://www.sandoll.co.kr0%URL Reputationsafe
                  http://www.urwpp.deDPlease0%URL Reputationsafe
                  http://www.fontbureau.commi0%Avira URL Cloudsafe
                  http://www.zhongyicts.com.cn0%URL Reputationsafe
                  http://www.sajatypeworks.come0%URL Reputationsafe
                  http://www.sakkal.com0%URL Reputationsafe
                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                  http://DynDns.comDynDNS0%URL Reputationsafe
                  http://www.founder.com.cn/cnl-n%U0%Avira URL Cloudsafe
                  ftp://primesinsured.com/oil1100%Avira URL Cloudmalware
                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                  http://primesinsured.com100%Avira URL Cloudmalware
                  http://blog.iandreev.com0%Avira URL Cloudsafe
                  http://www.fontbureau.comcomp0%Avira URL Cloudsafe
                  http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe
                  http://www.fontbureau.comd0%URL Reputationsafe
                  http://www.carterandcone.coml0%URL Reputationsafe
                  http://www.founder.com.cn/cn0%URL Reputationsafe
                  http://www.monotype.0%URL Reputationsafe
                  http://www.fontbureau.comm0%URL Reputationsafe
                  http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
                  http://www.fontbureau.comp0%Avira URL Cloudsafe
                  http://www.jiyu-kobo.co.jp/es-e0%URL Reputationsafe
                  http://go.microsoft.c0%URL Reputationsafe
                  http://www.fontbureau.comitu0%URL Reputationsafe
                  http://www.fontbureau.comals0%URL Reputationsafe

                  Domains and IPs

                  Contacted Domains

                  NameIPActiveMaliciousAntivirus DetectionReputation
                  primesinsured.com
                  		199.188.206.78
                  		truetrue
                    		unknown

                    URLs from Memory and Binaries

                    NameSourceMaliciousAntivirus DetectionReputation
                    http://www.founder.com.cn/cns-cUUfBcvbc.exe, 00000000.00000003.294003102.00000000054B7000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://127.0.0.1:HTTP/1.1vbc.exe, 0000000B.00000002.553475685.0000000002A01000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		low
                    http://www.fontbureau.com/designersGvbc.exe, 00000000.00000002.336191347.0000000006742000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      http://blog.iandreev.com/vbc.exe, 00000000.00000002.333271160.0000000002561000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://www.fontbureau.com/designers/?vbc.exe, 00000000.00000002.336191347.0000000006742000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        http://www.founder.com.cn/cn/bThevbc.exe, 00000000.00000002.336191347.0000000006742000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.fontbureau.com/designers?vbc.exe, 00000000.00000002.336191347.0000000006742000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://www.tiro.comvbc.exe, 00000000.00000002.336191347.0000000006742000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.fontbureau.com/designersvbc.exe, 00000000.00000002.336191347.0000000006742000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            http://www.founder.cvbc.exe, 00000000.00000003.294003102.00000000054B7000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.jiyu-kobo.co.jp/s/vbc.exe, 00000000.00000003.296903307.00000000054BB000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.goodfont.co.krvbc.exe, 00000000.00000002.336191347.0000000006742000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.sajatypeworks.comvbc.exe, 00000000.00000003.294353802.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.292252659.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.289073327.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.296400065.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.294783206.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.294577733.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.297070022.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.296519635.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.297183571.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.288494722.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.295211744.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.296861565.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.288094358.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.290579536.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.288206661.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.288301726.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.292091403.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.288611613.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.292994787.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.290816348.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.290719007.00000000054CB000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.fontbureau.com/designersivbc.exe, 00000000.00000003.319218724.00000000054B7000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://www.typography.netDvbc.exe, 00000000.00000002.336191347.0000000006742000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              https://vknyDOC1PaH7u.comvbc.exe, 0000000B.00000002.553640678.0000000002AB6000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://www.founder.com.cn/cn/cThevbc.exe, 00000000.00000002.336191347.0000000006742000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.galapagosdesign.com/staff/dennis.htmvbc.exe, 00000000.00000002.336191347.0000000006742000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://fontfabrik.comvbc.exe, 00000000.00000002.336191347.0000000006742000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.fontbureau.comgritavbc.exe, 00000000.00000003.319218724.00000000054B7000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.fontbureau.commFQvbc.exe, 00000000.00000003.321182512.00000000054B7000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.320831898.00000000054B7000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.321670315.00000000054B7000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.320318684.00000000054B7000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.321479989.00000000054B7000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://en.wlvbc.exe, 00000000.00000003.288085898.00000000054B6000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://FujuYs.comvbc.exe, 0000000B.00000002.553475685.0000000002A01000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://www.fontbureau.comicFvbc.exe, 00000000.00000003.306388872.00000000054BE000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.306108860.00000000054BC000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://www.galapagosdesign.com/DPleasevbc.exe, 00000000.00000002.336191347.0000000006742000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              https://vknyDOC1PaH7u.comDvbc.exe, 0000000B.00000002.553640678.0000000002AB6000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://www.fonts.comvbc.exe, 00000000.00000002.336191347.0000000006742000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://www.sandoll.co.krvbc.exe, 00000000.00000002.336191347.0000000006742000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.urwpp.deDPleasevbc.exe, 00000000.00000002.336191347.0000000006742000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.fontbureau.commivbc.exe, 00000000.00000003.320831898.00000000054B7000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://www.zhongyicts.com.cnvbc.exe, 00000000.00000002.336191347.0000000006742000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namevbc.exe, 0000000B.00000002.553724547.0000000002B3E000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://www.sajatypeworks.comevbc.exe, 00000000.00000003.294353802.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.292252659.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.289073327.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.296400065.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.294783206.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.294577733.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.297070022.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.296519635.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.297183571.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.288494722.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.295211744.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.296861565.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.288094358.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.290579536.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.288206661.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.288301726.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.292091403.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.288611613.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.292994787.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.290816348.00000000054CB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.290719007.00000000054CB000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.sakkal.comvbc.exe, 00000000.00000002.336191347.0000000006742000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.298484465.00000000054E4000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zipvbc.exe, 00000000.00000002.334205520.0000000003569000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000B.00000000.328761278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000B.00000000.328353324.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.apache.org/licenses/LICENSE-2.0vbc.exe, 00000000.00000003.295478848.00000000054B7000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.295650010.00000000054B7000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000002.336191347.0000000006742000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://www.fontbureau.comvbc.exe, 00000000.00000003.320318684.00000000054B7000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.306388872.00000000054BE000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000002.336191347.0000000006742000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://DynDns.comDynDNSvbc.exe, 0000000B.00000002.553475685.0000000002A01000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.founder.com.cn/cnl-n%Uvbc.exe, 00000000.00000003.294003102.00000000054B7000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      ftp://primesinsured.com/oil1vbc.exe, 0000000B.00000002.553475685.0000000002A01000.00000004.00000800.00020000.00000000.sdmptrue
                                      • Avira URL Cloud: malware
                                      		unknown
                                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%havbc.exe, 0000000B.00000002.553475685.0000000002A01000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://primesinsured.comvbc.exe, 0000000B.00000002.553724547.0000000002B3E000.00000004.00000800.00020000.00000000.sdmptrue
                                      • Avira URL Cloud: malware
                                      		unknown
                                      http://blog.iandreev.comvbc.exe, 00000000.00000002.333271160.0000000002561000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://www.fontbureau.com/designers;YHBvbc.exe, 00000000.00000003.320831898.00000000054B7000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.320318684.00000000054B7000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://www.fontbureau.comcompvbc.exe, 00000000.00000003.306388872.00000000054BE000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://www.jiyu-kobo.co.jp/jp/vbc.exe, 00000000.00000003.298537749.00000000054BD000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.298820030.00000000054BD000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.fontbureau.comdvbc.exe, 00000000.00000003.305314451.00000000054BD000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.306388872.00000000054BE000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.306108860.00000000054BC000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.carterandcone.comlvbc.exe, 00000000.00000002.336191347.0000000006742000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.fontbureau.com/designers/cabarga.htmlNvbc.exe, 00000000.00000002.336191347.0000000006742000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://www.founder.com.cn/cnvbc.exe, 00000000.00000003.294003102.00000000054B7000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.293797382.00000000054B5000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000002.336191347.0000000006742000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.293458280.00000000054B7000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.fontbureau.com/designers/frere-jones.htmlvbc.exe, 00000000.00000002.336191347.0000000006742000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            http://www.fontbureau.com/designers/cabarga.htmlvbc.exe, 00000000.00000003.305314451.00000000054BD000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              http://www.monotype.vbc.exe, 00000000.00000003.300582206.00000000054E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.fontbureau.commvbc.exe, 00000000.00000003.321182512.00000000054B7000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.319218724.00000000054B7000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000002.335938157.00000000054B0000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.321670315.00000000054B7000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.320318684.00000000054B7000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.321479989.00000000054B7000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.jiyu-kobo.co.jp/vbc.exe, 00000000.00000003.298537749.00000000054BD000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000002.336191347.0000000006742000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.296903307.00000000054BB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.298820030.00000000054BD000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.fontbureau.compvbc.exe, 00000000.00000003.306108860.00000000054BC000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              http://www.jiyu-kobo.co.jp/es-evbc.exe, 00000000.00000003.296903307.00000000054BB000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.fontbureau.com/designers8vbc.exe, 00000000.00000002.336191347.0000000006742000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                http://go.microsoft.cvbc.exe, 0000000B.00000002.552364653.0000000000C15000.00000004.00000020.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.fontbureau.comituvbc.exe, 00000000.00000003.305314451.00000000054BD000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.306388872.00000000054BE000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.306108860.00000000054BC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.fontbureau.comalsvbc.exe, 00000000.00000003.306388872.00000000054BE000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000000.00000003.306108860.00000000054BC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown

                                                World Map of Contacted IPs

                                                No contacted IP infos

                                                General Information

                                                Joe Sandbox Version:34.0.0 Boulder Opal
                                                Analysis ID:562293
                                                Start date:28.01.2022
                                                Start time:18:24:41
                                                Joe Sandbox Product:CloudBasic
                                                Overall analysis duration:0h 9m 22s
                                                Hypervisor based Inspection enabled:false
                                                Report type:light
                                                Sample file name:vbc.exe
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                Number of analysed new started processes analysed:24
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • HDC enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Detection:MAL
                                                Classification:mal100.troj.evad.winEXE@3/1@1/0
                                                EGA Information:
                                                • Successful, ratio: 100%
                                                HDC Information:
                                                • Successful, ratio: 0.5% (good quality ratio 0.4%)
                                                • Quality average: 51.5%
                                                • Quality standard deviation: 37.4%
                                                HCA Information:
                                                • Successful, ratio: 95%
                                                • Number of executed functions: 0
                                                • Number of non-executed functions: 0
                                                Cookbook Comments:
                                                • Adjust boot time
                                                • Enable AMSI
                                                • Found application associated with file extension: .exe

                                                Warnings

                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                                                • Not all processes where analyzed, report is missing behavior information
                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.

                                                Simulations

                                                Behavior and APIs

                                                TimeTypeDescription
                                                18:25:53API Interceptor601x Sleep call for process: vbc.exe modified

                                                Joe Sandbox View / Context

                                                IPs

                                                No context

                                                Domains

                                                No context

                                                ASNs

                                                No context

                                                JA3 Fingerprints

                                                No context

                                                Dropped Files

                                                No context

                                                Created / dropped Files

                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vbc.exe.log

                                                Download File
                                                Process:C:\Users\user\Desktop\vbc.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1216
                                                Entropy (8bit):5.355304211458859
                                                Encrypted:false
                                                SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                                MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                                SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                                SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                                SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                                Malicious:true
                                                Reputation:high, very likely benign file
                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                                                Static File Info

                                                General

                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Entropy (8bit):6.572883902569515
                                                TrID:
                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                File name:vbc.exe
                                                File size:860672
                                                MD5:345ebabc50767d04f3457fa7790a8777
                                                SHA1:f822fa282003b1a3f9301156aa5639a6928b93fd
                                                SHA256:2ca98a5a8b6bdd9eac1fdf5c05e42792883dea0ae402a6148bc6f04204cc6b72
                                                SHA512:8894559509ebd53a56a4649c25cb2380da6717c9171f7cb86b2df138463a4cf6979f27a81dfba6114621f169dbca17ee6e4ff44b6c4c4bafe2a74bad4e402b31
                                                SSDEEP:12288:v56/UhZo9xs63fvQAfo8y5gypOqw//wEkbpyXrf5r+2SF:v56/U/oF3RjSRQspy7fdgF
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a.............................2... ...@....@.. ....................................@................................

                                                File Icon

                                                Icon Hash:00828e8e8686b000

                                                Static PE Info

                                                General

                                                Entrypoint:0x4d329e
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                Time Stamp:0x61F3F50C [Fri Jan 28 13:52:12 2022 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:v4.0.30319
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                Entrypoint Preview

                                                Instruction
                                                jmp dword ptr [00402000h]
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al

                                                Data Directories

                                                NameVirtual AddressVirtual Size Is in Section
                                                IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                IMAGE_DIRECTORY_ENTRY_IMPORT0xd32500x4b.text
                                                IMAGE_DIRECTORY_ENTRY_RESOURCE0xd60000x5c0.rsrc
                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                IMAGE_DIRECTORY_ENTRY_BASERELOC0xd80000xc.reloc
                                                IMAGE_DIRECTORY_ENTRY_DEBUG0xd31fb0x1c.text
                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                Sections

                                                NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                .text0x20000xd12a40xd1400False0.51688041368data6.57823573107IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                .sdata0xd40000x1e80x200False0.861328125data6.64649889161IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                .rsrc0xd60000x5c00x600False0.42578125data4.09889762567IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                .reloc0xd80000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                Resources

                                                NameRVASizeTypeLanguageCountry
                                                RT_VERSION0xd60a00x334data
                                                RT_MANIFEST0xd63d40x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                Imports

                                                DLLImport
                                                mscoree.dll_CorExeMain

                                                Version Infos

                                                DescriptionData
                                                Translation0x0000 0x04b0
                                                LegalCopyrightCopyright 2016
                                                Assembly Version1.0.0.0
                                                InternalNameCallConvFastca.exe
                                                FileVersion1.0.0.0
                                                CompanyName
                                                LegalTrademarks
                                                Comments
                                                ProductNameOthelloCS
                                                ProductVersion1.0.0.0
                                                FileDescriptionOthelloCS
                                                OriginalFilenameCallConvFastca.exe

                                                Network Behavior

                                                Snort IDS Alerts

                                                TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                01/28/22-18:27:40.739079TCP2029927ET TROJAN AgentTesla Exfil via FTP4981221192.168.2.3199.188.206.78
                                                01/28/22-18:27:40.904440TCP2029928ET TROJAN AgentTesla HTML System Info Report Exfil via FTP4981312034192.168.2.3199.188.206.78

                                                Network Port Distribution

                                                UDP Packets

                                                TimestampSource PortDest PortSource IPDest IP
                                                Jan 28, 2022 18:27:39.212869883 CET5510253192.168.2.38.8.8.8
                                                Jan 28, 2022 18:27:39.232491016 CET53551028.8.8.8192.168.2.3

                                                DNS Queries

                                                TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                Jan 28, 2022 18:27:39.212869883 CET192.168.2.38.8.8.80x12a6Standard query (0)primesinsured.comA (IP address)IN (0x0001)

                                                DNS Answers

                                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                Jan 28, 2022 18:27:39.232491016 CET8.8.8.8192.168.2.30x12a6No error (0)primesinsured.com199.188.206.78A (IP address)IN (0x0001)

                                                Statistics

                                                Behavior

                                                Click to jump to process

                                                System Behavior

                                                General

                                                Target ID:0
                                                Start time:18:25:33
                                                Start date:28/01/2022
                                                Path:C:\Users\user\Desktop\vbc.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\vbc.exe"
                                                Imagebase:0xf0000
                                                File size:860672 bytes
                                                MD5 hash:345EBABC50767D04F3457FA7790A8777
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.333271160.0000000002561000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.333599110.0000000002618000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.334205520.0000000003569000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.334205520.0000000003569000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:low

                                                General

                                                Target ID:11
                                                Start time:18:25:55
                                                Start date:28/01/2022
                                                Path:C:\Users\user\Desktop\vbc.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Users\user\Desktop\vbc.exe
                                                Imagebase:0x590000
                                                File size:860672 bytes
                                                MD5 hash:345EBABC50767D04F3457FA7790A8777
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000000.328761278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000B.00000000.328761278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000000.329971875.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000B.00000000.329971875.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000000.329385221.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000B.00000000.329385221.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.550450348.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000B.00000002.550450348.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.553640678.0000000002AB6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.553640678.0000000002AB6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.553475685.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.553475685.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: MALWARE_Win_AgentTeslaV3, Description: AgentTeslaV3 infostealer payload, Source: 0000000B.00000002.553475685.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000000.328353324.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000B.00000000.328353324.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:low

                                                Disassembly

                                                No disassembly