
Windows Analysis Report vbc.exe_

Overview

General Information

Sample Name: vbc.exe_ (renamed file extension from exe_ to exe)
Analysis ID: 502670
MD5: a665b705b9381b33aaa9e307fe340af7
SHA1: a6fba4f009921b1de9d524047bcb7fa0e571a116
SHA256: dc07322ef1652695b5e85bfd5d6da8c5b6c311d26ff13eb18a390cd4b7232203

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • vbc.exe (PID: 7088 cmdline: 'C:\Users\user\Desktop\vbc.exe' MD5: A665B705B9381B33AAA9E307FE340AF7)
    • vbc.exe (PID: 6404 cmdline: C:\Users\user\Desktop\vbc.exe MD5: A665B705B9381B33AAA9E307FE340AF7)
  • BnevyAj.exe (PID: 4624 cmdline: 'C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe' MD5: A665B705B9381B33AAA9E307FE340AF7)
    • BnevyAj.exe (PID: 6176 cmdline: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe MD5: A665B705B9381B33AAA9E307FE340AF7)
  • BnevyAj.exe (PID: 3144 cmdline: 'C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe' MD5: A665B705B9381B33AAA9E307FE340AF7)
    • BnevyAj.exe (PID: 5840 cmdline: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe MD5: A665B705B9381B33AAA9E307FE340AF7)
    • BnevyAj.exe (PID: 4640 cmdline: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe MD5: A665B705B9381B33AAA9E307FE340AF7)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "info@croatiahunt.com", "Password": "VilaVrgade852", "Host": "mail.croatiahunt.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000012.00000002.928744367.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000012.00000002.928744367.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0000000E.00000002.928744553.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000E.00000002.928744553.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000010.00000002.786078448.0000000002481000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
(28 entries in total; only the first five are shown)

Unpacked PEs

Source | Rule | Description | Author
0.2.vbc.exe.3a55230.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.vbc.exe.3a55230.4.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
4.2.vbc.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
4.2.vbc.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
11.2.BnevyAj.exe.37d5230.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(28 entries in total; only the first five are shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 16.2.BnevyAj.exe.3725230.3.unpack, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "info@croatiahunt.com", "Password": "VilaVrgade852", "Host": "mail.croatiahunt.com"}
Multi AV Scanner detection for submitted file
Source: vbc.exe, Virustotal: Detection: 30%
Source: vbc.exe, Metadefender: Detection: 22%
Source: vbc.exe, ReversingLabs: Detection: 33%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe, Metadefender: Detection: 22%
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe, ReversingLabs: Detection: 44%
Source: 14.2.BnevyAj.exe.400000.0.unpack, Avira: Label: TR/Spy.Gen8
Source: 18.2.BnevyAj.exe.400000.0.unpack, Avira: Label: TR/Spy.Gen8
Source: 4.2.vbc.exe.400000.0.unpack, Avira: Label: TR/Spy.Gen8
Source: vbc.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: vbc.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Joe Sandbox View, ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: global traffic, TCP traffic: 192.168.2.4:49884 -> 116.202.174.203:587
Source: unknown, DNS traffic detected: queries for: mail.croatiahunt.com

System Summary:

.NET source code contains very large array initializations
Source: 4.2.vbc.exe.400000.0.unpack, <PrivateImplementationDetails>{C8123CFF-1084-4755-A068-115455E50C0A}/51EA55F5-CE7F-4200-B2DE-07232B8B50DB.cs, Large array initialization: .cctor: array initializer size 11948
Source: 14.2.BnevyAj.exe.400000.0.unpack, <PrivateImplementationDetails>{C8123CFF-1084-4755-A068-115455E50C0A}/51EA55F5-CE7F-4200-B2DE-07232B8B50DB.cs, Large array initialization: .cctor: array initializer size 11948
Source: 18.2.BnevyAj.exe.400000.0.unpack, <PrivateImplementationDetails>{C8123CFF-1084-4755-A068-115455E50C0A}/51EA55F5-CE7F-4200-B2DE-07232B8B50DB.cs, Large array initialization: .cctor: array initializer size 11948
Source: vbc.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: vbc.exe, 00000000.00000002.680415873.00000000003B4000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameIsolatedStorageFi.exe6 vs vbc.exe
Source: vbc.exe, 00000000.00000002.682512073.00000000037B9000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameUI.dll< vs vbc.exe
Source: vbc.exe, 00000000.00000002.682512073.00000000037B9000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameGDufUjPAGIrcCocQttaA.exe4 vs vbc.exe
Source: vbc.exe, 00000000.00000002.681665906.00000000027B1000.00000004.00000001.sdmp, Binary or memory string: OriginalFilename vs vbc.exe
Source: vbc.exe, 00000000.00000002.681665906.00000000027B1000.00000004.00000001.sdmp, Binary or memory string: m,\\StringFileInfo\\000004B0\\OriginalFilename vs vbc.exe
Source: vbc.exe, 00000004.00000000.679006892.0000000000BE4000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameIsolatedStorageFi.exe6 vs vbc.exe
Source: vbc.exe, 00000004.00000002.928707796.0000000000402000.00000040.00000001.sdmp, Binary or memory string: OriginalFilenameGDufUjPAGIrcCocQttaA.exe4 vs vbc.exe
Source: vbc.exe, 00000004.00000002.929243029.0000000000F88000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameUNKNOWN_FILET vs vbc.exe
Source: vbc.exe, Binary or memory string: OriginalFilenameIsolatedStorageFi.exe6 vs vbc.exe
Source: Joe Sandbox View, Dropped File: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe DC07322EF1652695B5E85BFD5D6DA8C5B6C311D26FF13EB18A390CD4B7232203
Source: vbc.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: BnevyAj.exe.4.dr, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vbc.exe, Virustotal: Detection: 30%
Source: vbc.exe, Metadefender: Detection: 22%
Source: vbc.exe, ReversingLabs: Detection: 33%
Source: C:\Users\user\Desktop\vbc.exe, File read: C:\Users\user\Desktop\vbc.exe
Source: C:\Users\user\Desktop\vbc.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown, Process created: C:\Users\user\Desktop\vbc.exe 'C:\Users\user\Desktop\vbc.exe'
Source: C:\Users\user\Desktop\vbc.exe, Process created: C:\Users\user\Desktop\vbc.exe C:\Users\user\Desktop\vbc.exe
Source: unknown, Process created: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe 'C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe'
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe, Process created: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe
Source: unknown, Process created: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe 'C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe'
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe, Process created: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe
Source: C:\Users\user\Desktop\vbc.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\vbc.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\vbc.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\vbc.exe, File created: C:\Users\user\AppData\Local\Gottschalks
Source: classification engine, Classification label: mal100.troj.spyw.evad.winEXE@11/4@2/1
Source: C:\Users\user\Desktop\vbc.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: 4.2.vbc.exe.400000.0.unpack, A/b2.cs, Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 14.2.BnevyAj.exe.400000.0.unpack, A/b2.cs, Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 18.2.BnevyAj.exe.400000.0.unpack, A/b2.cs, Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\vbc.exe, File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder, Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\vbc.exe, File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\vbc.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: vbc.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: vbc.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: vbc.exe, MapEditor1/CreateMapDialog.cs, .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.vbc.exe.340000.0.unpack, MapEditor1/CreateMapDialog.cs, .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.vbc.exe.340000.0.unpack, MapEditor1/CreateMapDialog.cs, .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: BnevyAj.exe.4.dr, MapEditor1/CreateMapDialog.cs, .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.2.vbc.exe.b70000.1.unpack, MapEditor1/CreateMapDialog.cs, .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.vbc.exe.b70000.0.unpack, MapEditor1/CreateMapDialog.cs, .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 11.2.BnevyAj.exe.230000.0.unpack, MapEditor1/CreateMapDialog.cs, .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 11.0.BnevyAj.exe.230000.0.unpack, MapEditor1/CreateMapDialog.cs, .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 14.2.BnevyAj.exe.470000.1.unpack, MapEditor1/CreateMapDialog.cs, .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 14.0.BnevyAj.exe.470000.0.unpack, MapEditor1/CreateMapDialog.cs, .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 16.0.BnevyAj.exe.40000.0.unpack, MapEditor1/CreateMapDialog.cs, .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 16.2.BnevyAj.exe.40000.0.unpack, MapEditor1/CreateMapDialog.cs, .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 17.0.BnevyAj.exe.30000.0.unpack, MapEditor1/CreateMapDialog.cs, .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 17.2.BnevyAj.exe.30000.0.unpack, MapEditor1/CreateMapDialog.cs, .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 18.2.BnevyAj.exe.5e0000.1.unpack, MapEditor1/CreateMapDialog.cs, .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                      Source: C:\Users\user\Desktop\vbc.exe, Code function: 0_2_06E63665 push FFFFFF8Bh; iretd 0_2_06E63667
                      Source: C:\Users\user\Desktop\vbc.exe, Code function: 0_2_06E6366E push cs; retf 0_2_06E6366F
                      Source: C:\Users\user\Desktop\vbc.exe, Code function: 0_2_06E60FD2 push eax; ret 0_2_06E60FD9
                      Source: C:\Users\user\Desktop\vbc.exe, Code function: 0_2_06E60FDA pushad ; ret 0_2_06E60FD1
                      Source: C:\Users\user\Desktop\vbc.exe, Code function: 0_2_06E60F9C pushad ; ret 0_2_06E60FD1
                      Source: C:\Users\user\Desktop\vbc.exe, Code function: 4_2_02F0DD38 push FFFFFF8Bh; iretd 4_2_02F0DD3B
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe, Code function: 11_2_00C12018 push ebx; retf 11_2_00C1207A
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe, Code function: 11_2_06F63665 push FFFFFF8Bh; iretd 11_2_06F63667
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe, Code function: 11_2_06F6366E push cs; retf 11_2_06F6366F
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe, Code function: 11_2_06F60FDB push eax; ret 11_2_06F60FD9
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe, Code function: 11_2_06F60F9C push eax; ret 11_2_06F60FD9
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe, Code function: 11_2_06F60F45 push es; retf 11_2_06F60F48
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe, Code function: 11_2_06F634BE pushad ; retf 11_2_06F634BF
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe, Code function: 11_2_06F6346C pushad ; retf 11_2_06F6346D
                      Source: initial sample, Static PE information: section name: .text entropy: 7.80231606159
                      Source: C:\Users\user\Desktop\vbc.exe, File created: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe
                      Source: C:\Users\user\Desktop\vbc.exe, Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run BnevyAj

                      Hooking and other Techniques for Hiding and Protection:

                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Users\user\Desktop\vbc.exe, File opened: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe:Zone.Identifier read attributes | delete
                      Source: C:\Users\user\Desktop\vbc.exe, Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\vbc.exe, Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\BnevyAj\BnevyAj.exe, Process information set: NOOPENFILEERRORBOX