
Analysis Report IMG-160920.exe

Overview

General Information

Sample Name: IMG-160920.exe
Analysis ID: 286322
MD5: 81441eeda354ba7c3cfa514fdfc78805
SHA1: e81da88d92f8f8971f6d5c5470e37c34952a5e4e
SHA256: cbf17be11ce84c79b4d9dfe27a46fd7f3482acd6ae4bb191f5bb3ab92bb82b5b
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • IMG-160920.exe (PID: 4764 cmdline: 'C:\Users\user\Desktop\IMG-160920.exe' MD5: 81441EEDA354BA7C3CFA514FDFC78805)
    • schtasks.exe (PID: 5752 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xDXJEysGAlDqc' /XML 'C:\Users\user\AppData\Local\Temp\tmp7DC.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • IMG-160920.exe (PID: 6468 cmdline: {path} MD5: 81441EEDA354BA7C3CFA514FDFC78805)
  • newApp.exe (PID: 4844 cmdline: 'C:\Users\user\AppData\Roaming\newApp\newApp.exe' MD5: 81441EEDA354BA7C3CFA514FDFC78805)
    • schtasks.exe (PID: 2124 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xDXJEysGAlDqc' /XML 'C:\Users\user\AppData\Local\Temp\tmp7183.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • newApp.exe (PID: 7112 cmdline: {path} MD5: 81441EEDA354BA7C3CFA514FDFC78805)
  • newApp.exe (PID: 4704 cmdline: 'C:\Users\user\AppData\Roaming\newApp\newApp.exe' MD5: 81441EEDA354BA7C3CFA514FDFC78805)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "j4F3JVhrWLP", "URL: ": "https://DkHXam25ZkvKonHdh.org", "To: ": "adele.tay@bayard--presse.com", "ByHost: ": "us2.smtp.mailhostbox.com:587", "Password: ": "oULEh", "From: ": "adele.tay@bayard--presse.com"}

Yara Overview

Memory Dumps

Source                                                               Rule                           Description                       Author
00000000.00000002.404152758.000000000454E000.00000004.00000001.sdmp  JoeSecurity_AgentTesla_1       Yara detected AgentTesla          Joe Security
00000014.00000002.655923866.00000000032A2000.00000004.00000001.sdmp  JoeSecurity_AgentTesla_1       Yara detected AgentTesla          Joe Security
00000014.00000002.655923866.00000000032A2000.00000004.00000001.sdmp  JoeSecurity_CredentialStealer  Yara detected Credential Stealer  Joe Security
00000011.00000002.469857342.00000000042BD000.00000004.00000001.sdmp  JoeSecurity_AgentTesla_1       Yara detected AgentTesla          Joe Security
00000014.00000002.651313108.0000000000402000.00000040.00000001.sdmp  JoeSecurity_AgentTesla_1       Yara detected AgentTesla          Joe Security
(11 entries in the full report; the first five are shown. The Strings column is empty for every row.)

Unpacked PEs

Source                              Rule                      Description               Author
20.2.newApp.exe.400000.0.unpack     JoeSecurity_AgentTesla_1  Yara detected AgentTesla  Joe Security
6.2.IMG-160920.exe.400000.0.unpack  JoeSecurity_AgentTesla_1  Yara detected AgentTesla  Joe Security

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started
Author: Joe Security
Data:
  Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xDXJEysGAlDqc' /XML 'C:\Users\user\AppData\Local\Temp\tmp7DC.tmp'
  CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xDXJEysGAlDqc' /XML 'C:\Users\user\AppData\Local\Temp\tmp7DC.tmp'
  CommandLine|base64offset|contains: *j
  Image: C:\Windows\SysWOW64\schtasks.exe
  NewProcessName: C:\Windows\SysWOW64\schtasks.exe
  OriginalFileName: C:\Windows\SysWOW64\schtasks.exe
  ParentCommandLine: 'C:\Users\user\Desktop\IMG-160920.exe'
  ParentImage: C:\Users\user\Desktop\IMG-160920.exe
  ParentProcessId: 4764
  ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xDXJEysGAlDqc' /XML 'C:\Users\user\AppData\Local\Temp\tmp7DC.tmp'
  ProcessId: 5752

Note that the command line names System32\schtasks.exe while the recorded Image is SysWOW64\schtasks.exe: the sample is a 32-bit process and is subject to WOW64 file-system redirection, so a rule that keys on the Image path must accept both directories.
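The Sigma hit above and the self-spawn in the Startup tree (IMG-160920.exe launching a second IMG-160920.exe with the '{path}' command line, which the sandbox reports as creation in suspended mode followed by PE injection) can both be written as process-creation detections. The Python below is an added example, not part of the Joe Sandbox report or of the Sigma rule: it runs the two checks over Sysmon-style events constructed from the Startup tree plus one benign control event. The explorer.exe parent of PID 4764 and the admin "backup" event are assumptions made for the demonstration.

```python
"""Process-creation detections for two behaviours in this report.
Added example; SAMPLE_EVENTS are constructed from the report's Startup tree."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str          # resolved image path, as Sysmon EID 1 / Security EID 4688 record it
    cmdline: str        # command line as the parent supplied it
    parent_image: str


# Locations a standard user can write to. A binary running from one of these that
# spawns a copy of itself is far more suspicious than the same pattern under C:\Windows.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")
# /XML <path>, with or without single or double quotes around the path.
XML_ARG_RE = re.compile(r"/xml\s+['\"]?([^'\"]+)", re.IGNORECASE)


def is_schtasks_temp_xml(ev: ProcEvent) -> bool:
    """Sigma 'Scheduled temp file as task from temp location': schtasks /Create whose
    task definition is imported from the user's Local\\Temp directory."""
    if not ev.image.lower().endswith("\\schtasks.exe"):
        return False
    if "/create" not in ev.cmdline.lower():
        return False
    m = XML_ARG_RE.search(ev.cmdline)
    return bool(m) and "\\appdata\\local\\temp\\" in m.group(1).lower()


def is_self_spawn_from_user_path(ev: ProcEvent) -> bool:
    """Parent and child share one image that lives in a user-writable location.
    Process-creation logs do not carry CREATE_SUSPENDED, so this is a proxy for the
    hollowing pattern the sandbox observed rather than a direct check for it."""
    img = ev.image.lower()
    return img == ev.parent_image.lower() and any(p in img for p in USER_WRITABLE)


def detect(events) -> list:
    """Return (pid, rule_name) pairs in event order."""
    hits = []
    for ev in events:
        if is_schtasks_temp_xml(ev):
            hits.append((ev.pid, "schtasks_temp_xml"))
        if is_self_spawn_from_user_path(ev):
            hits.append((ev.pid, "self_spawn_user_path"))
    return hits


SAMPLE_EVENTS = [
    # PIDs, images and command lines from the report; the explorer.exe parent is assumed.
    ProcEvent(4764, 1234, r"C:\Users\user\Desktop\IMG-160920.exe",
              r"'C:\Users\user\Desktop\IMG-160920.exe'", r"C:\Windows\explorer.exe"),
    ProcEvent(5752, 4764, r"C:\Windows\SysWOW64\schtasks.exe",
              r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xDXJEysGAlDqc' "
              r"/XML 'C:\Users\user\AppData\Local\Temp\tmp7DC.tmp'",
              r"C:\Users\user\Desktop\IMG-160920.exe"),
    ProcEvent(6468, 4764, r"C:\Users\user\Desktop\IMG-160920.exe", "{path}",
              r"C:\Users\user\Desktop\IMG-160920.exe"),
    # Constructed benign control: an administrator importing a task definition from Documents.
    ProcEvent(9001, 9000, r"C:\Windows\System32\schtasks.exe",
              r"schtasks.exe /Create /TN Backup /XML C:\Users\admin\Documents\backup.xml",
              r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"PID {pid}: {rule}")
```

Both checks match on the child event alone, so they work on flat telemetry without reconstructing the tree; the WOW64 redirection noted above is why the schtasks test uses endswith on the file name rather than the full System32 path.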

                Signature Overview

                AV Detection:

Found malware configuration
Source: newApp.exe.7112.20.memstr  Malware Configuration Extractor: Agenttesla {"Username: ": "j4F3JVhrWLP", "URL: ": "https://DkHXam25ZkvKonHdh.org", "To: ": "adele.tay@bayard--presse.com", "ByHost: ": "us2.smtp.mailhostbox.com:587", "Password: ": "oULEh", "From: ": "adele.tay@bayard--presse.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\newApp\newApp.exe  Virustotal: Detection: 20%
Source: C:\Users\user\AppData\Roaming\newApp\newApp.exe  ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Roaming\xDXJEysGAlDqc.exe  Virustotal: Detection: 20%
Source: C:\Users\user\AppData\Roaming\xDXJEysGAlDqc.exe  ReversingLabs: Detection: 50%
Multi AV Scanner detection for submitted file
Source: IMG-160920.exe  Virustotal: Detection: 20%
Source: IMG-160920.exe  ReversingLabs: Detection: 50%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\newApp\newApp.exe  Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\xDXJEysGAlDqc.exe  Joe Sandbox ML: detected
Machine Learning detection for sample
Source: IMG-160920.exe  Joe Sandbox ML: detected
Source: 20.2.newApp.exe.400000.0.unpack  Avira: Label: TR/Spy.Gen8
Source: 6.2.IMG-160920.exe.400000.0.unpack  Avira: Label: TR/Spy.Gen8

Networking:

Source: global traffic  TCP traffic: 192.168.2.3:49742 -> 208.91.198.143:587
Source: Joe Sandbox View  IP Address: 208.91.198.143
Source: unknown  DNS traffic detected: queries for: us2.smtp.mailhostbox.com
Source: IMG-160920.exe, 00000000.00000002.404152758.000000000454E000.00000004.00000001.sdmp, IMG-160920.exe, 00000006.00000002.651424033.0000000000402000.00000040.00000001.sdmp, newApp.exe, 00000011.00000002.469857342.00000000042BD000.00000004.00000001.sdmp, newApp.exe, 00000014.00000002.651313108.0000000000402000.00000040.00000001.sdmp  String found in binary or memory: http://127.0.0.1:
Source: IMG-160920.exe, 00000006.00000002.659345277.0000000002DDF000.00000004.00000001.sdmp, newApp.exe, 00000014.00000002.656601741.0000000003402000.00000004.00000001.sdmp  String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: newApp.exe, 00000014.00000002.662857969.0000000006A30000.00000004.00000001.sdmp  String found in binary or memory: http://crt.usertrumGX
Source: IMG-160920.exe, 00000006.00000002.659345277.0000000002DDF000.00000004.00000001.sdmp, newApp.exe, 00000014.00000002.656601741.0000000003402000.00000004.00000001.sdmp  String found in binary or memory: http://ocsp.sectigo.com0A
Source: IMG-160920.exe, 00000000.00000002.400282505.00000000034F1000.00000004.00000001.sdmp, newApp.exe, 00000011.00000002.466382072.00000000037A1000.00000004.00000001.sdmp  String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: IMG-160920.exe, 00000000.00000002.400282505.00000000034F1000.00000004.00000001.sdmp, newApp.exe, 00000011.00000002.463263452.0000000003261000.00000004.00000001.sdmp, newApp.exe, 00000015.00000002.472626292.0000000002B21000.00000004.00000001.sdmp  String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: IMG-160920.exe, 00000006.00000002.659276244.0000000002DD2000.00000004.00000001.sdmp, newApp.exe, 00000014.00000002.656601741.0000000003402000.00000004.00000001.sdmp  String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: newApp.exe, 00000014.00000002.656694636.000000000342B000.00000004.00000001.sdmp  String found in binary or memory: https://DkHXam25ZkvKonHdh.org
Source: IMG-160920.exe, 00000006.00000003.422891709.0000000000CD4000.00000004.00000001.sdmp  String found in binary or memory: https://DkHXam25ZkvKonHdh.org853321935-2125563209-4053062332-1002_Classes
Source: IMG-160920.exe, 00000000.00000002.404152758.000000000454E000.00000004.00000001.sdmp, IMG-160920.exe, 00000006.00000002.651424033.0000000000402000.00000040.00000001.sdmp, newApp.exe, 00000011.00000002.469857342.00000000042BD000.00000004.00000001.sdmp, newApp.exe, 00000014.00000002.651313108.0000000000402000.00000040.00000001.sdmp  String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: IMG-160920.exe, 00000006.00000002.659345277.0000000002DDF000.00000004.00000001.sdmp, newApp.exe, 00000014.00000002.656601741.0000000003402000.00000004.00000001.sdmp  String found in binary or memory: https://sectigo.com/CPS0
Source: IMG-160920.exe, 00000000.00000002.404152758.000000000454E000.00000004.00000001.sdmp, IMG-160920.exe, 00000006.00000002.651424033.0000000000402000.00000040.00000001.sdmp, newApp.exe, 00000011.00000002.469857342.00000000042BD000.00000004.00000001.sdmp, newApp.exe, 00000014.00000002.651313108.0000000000402000.00000040.00000001.sdmp  String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: IMG-160920.exe, 00000000.00000002.404152758.000000000454E000.00000004.00000001.sdmp, IMG-160920.exe, 00000006.00000002.651424033.0000000000402000.00000040.00000001.sdmp, newApp.exe, 00000011.00000002.469857342.00000000042BD000.00000004.00000001.sdmp, newApp.exe, 00000014.00000002.651313108.0000000000402000.00000040.00000001.sdmp  String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/U

The only exfiltration traffic observed is the SMTP submission to us2.smtp.mailhostbox.com (208.91.198.143:587), which matches the ByHost value in the extracted configuration. The Telegram API template (bot%telegramapi%) and the Tor Browser download URL are strings in the unpacked stealer body and the Sectigo URLs come from certificate data; none of them were contacted in this run, so treat them as capability indicators rather than observed C2.

                System Summary:

Source: C:\Users\user\Desktop\IMG-160920.exe  Code functions: 0_2_01A190F0, 0_2_01A1FD08, 0_2_01A19FB8,
  6_2_00F4A220, 6_2_00F4A568, 6_2_00F4F970, 6_2_00F4CDF8, 6_2_00F4AE38, 6_2_00F41260, 6_2_00F4F960, 6_2_00F43FB7, 6_2_00F45F03,
  6_2_0537D420, 6_2_05376FF0, 6_2_05374860, 6_2_053768C4, 6_2_05374BC0, 6_2_05377AC0, 6_2_0537D410, 6_2_053787B2, 6_2_0537C31D, 6_2_0537C2A9, 6_2_0537BEF8, 6_2_053779D0, 6_2_05374848, 6_2_05374BB0,
  6_2_062DEC20, 6_2_062D34E0, 6_2_062D5CF0, 6_2_062D8958, 6_2_062D6E68, 6_2_062D6E58, 6_2_062D96E1, 6_2_062D6710, 6_2_062DEC13, 6_2_062D9C68, 6_2_062D9C78, 6_2_062D5CE3, 6_2_062DA560, 6_2_062D5D71, 6_2_062DA570, 6_2_062DCD58, 6_2_062D5228, 6_2_062D5238, 6_2_062D3ABD, 6_2_062DC298, 6_2_062DB339, 6_2_062DB376, 6_2_062D4BE0, 6_2_062DC846, 6_2_062D5906, 6_2_062D0956, 6_2_062D61A8, 6_2_062D619B, 6_2_062DB1E8, 6_2_062DB1E1
Source: C:\Users\user\AppData\Roaming\newApp\newApp.exe  Code functions: 17_2_031190F0, 17_2_03119FB8, 17_2_0311FD08, 17_2_052F4B78, 17_2_052F2BF8, 17_2_052F5A50, 17_2_052F22C8, 17_2_052F4409, 17_2_052F1C50, 17_2_052F2EBA, 17_2_052F2EC8, 17_2_052F0006, 17_2_052F0040, 17_2_052F28C8, 17_2_052F28D8, 17_2_052F2BE9, 17_2_052F1BE2, 17_2_052F2270, 17_2_052F5A40,
  20_2_0316A220, 20_2_0316A568, 20_2_031624D4, 20_2_0316AE38, 20_2_0316CDF8, 20_2_03161250, 20_2_03165F02, 20_2_06846B48, 20_2_0684F8B0, 20_2_06840040, 20_2_068459D0, 20_2_068431D0, 20_2_06848500, 20_2_0684E900, 20_2_06845E88, 20_2_0684AEB8, 20_2_0684AEC8, 20_2_0684CA3B, 20_2_0684A243, 20_2_0684A250, 20_2_06845A51, 20_2_06845E7B, 20_2_068437AD, 20_2_06844F0B, 20_2_06844F18, 20_2_06846B3F, 20_2_0684BF78, 20_2_0684F8A0, 20_2_068448D0, 20_2_0684E8F0, 20_2_0684B019, 20_2_0684B056, 20_2_06842474, 20_2_068401C6, 20_2_068459CB, 20_2_068455E6, 20_2_0684C526, 20_2_06849948, 20_2_06849958
(Function identifiers are <process index>_<analysis phase>_<address>; the 0_2_/6_2_ entries belong to the two IMG-160920.exe processes, the 17_2_/20_2_ entries to the two newApp.exe processes, matching the memory dump prefixes in the Yara table.)
Source: IMG-160920.exe, 00000000.00000002.404152758.000000000454E000.00000004.00000001.sdmp  Binary or memory string: OriginalFilenameB2B.exe4 vs IMG-160920.exe
Source: IMG-160920.exe, 00000000.00000002.404152758.000000000454E000.00000004.00000001.sdmp  Binary or memory string: OriginalFilenameJLHKUhhrlsSlAqxAlbvVOnpHcphBBJwyqvtQl.exe4 vs IMG-160920.exe
Source: IMG-160920.exe, 00000000.00000002.406128923.000000000487F000.00000004.00000001.sdmp  Binary or memory string: OriginalFilenamevjn.exe: vs IMG-160920.exe
Source: IMG-160920.exe, 00000000.00000002.400282505.00000000034F1000.00000004.00000001.sdmp  Binary or memory string: OriginalFilenameWinRar.dll. vs IMG-160920.exe
Source: IMG-160920.exe, 00000000.00000002.409433596.000000000C7F0000.00000002.00000001.sdmp  Binary or memory string: System.OriginalFileName vs IMG-160920.exe
Source: IMG-160920.exe, 00000000.00000002.409694108.000000000C8F0000.00000002.00000001.sdmp  Binary or memory string: originalfilename vs IMG-160920.exe
Source: IMG-160920.exe, 00000000.00000002.409694108.000000000C8F0000.00000002.00000001.sdmp  Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs IMG-160920.exe
Source: IMG-160920.exe, 00000006.00000002.653267709.00000000007A4000.00000002.00020000.sdmp  Binary or memory string: OriginalFilenamevjn.exe: vs IMG-160920.exe
Source: IMG-160920.exe, 00000006.00000002.654544869.0000000000C70000.00000002.00000001.sdmp  Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs IMG-160920.exe
Source: IMG-160920.exe, 00000006.00000002.664488045.00000000062E0000.00000002.00000001.sdmp  Binary or memory string: OriginalFilenamewshom.ocx.mui vs IMG-160920.exe
Source: IMG-160920.exe, 00000006.00000002.664538199.00000000062F0000.00000002.00000001.sdmp  Binary or memory string: OriginalFilenamemscorrc.dllT vs IMG-160920.exe
Source: IMG-160920.exe, 00000006.00000002.662643577.00000000050B0000.00000002.00000001.sdmp  Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs IMG-160920.exe
Source: IMG-160920.exe, 00000006.00000002.653423228.0000000000B37000.00000004.00000001.sdmp  Binary or memory string: OriginalFilenameUNKNOWN_FILET vs IMG-160920.exe
Source: IMG-160920.exe, 00000006.00000002.651424033.0000000000402000.00000040.00000001.sdmp  Binary or memory string: OriginalFilenameJLHKUhhrlsSlAqxAlbvVOnpHcphBBJwyqvtQl.exe4 vs IMG-160920.exe
Source: IMG-160920.exe, 00000006.00000002.664293960.00000000062C0000.00000002.00000001.sdmp  Binary or memory string: OriginalFilenamewshom.ocx vs IMG-160920.exe
Source: IMG-160920.exe  Binary or memory string: OriginalFilenamevjn.exe: vs IMG-160920.exe
Not all of these OriginalFilename mismatches carry the same weight. The MUI, OCX, TLB and mscorrc.dll names sit in mapped image regions and are version resources of system modules loaded into the process; they are noise. The sample's own version resource names it vjn.exe (the static hit on the last line), and the B2B.exe, JLHKUhhrlsSlAqxAlbvVOnpHcphBBJwyqvtQl.exe and WinRar.dll names are found in the process heap and in the unpacked image at 0x400000, i.e. they belong to the embedded payload stages and are the useful pivots.
Source: IMG-160920.exe  Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: xDXJEysGAlDqc.exe.0.dr  Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: newApp.exe.6.dr  Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
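The three "Static PE information" lines above, and the IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR entry at the end of this report, are plain header facts that can be re-checked without the sandbox. The Python below is an added example, not the report's tooling: a minimal PE32 header walker written with only the standard struct module, applied to an in-memory image constructed here to mirror those findings (a .text section with EXECUTE|CNT_CODE|READ and a populated CLR directory), plus the writable-and-executable section check that packers and self-modifying loaders usually trip. parse_pe also accepts the bytes of a real file; the layout, sizes and addresses inside build_minimal_pe are constructed values with no relation to the sample.

```python
"""Static PE header check for the report's 'Static PE information' findings.
Added example; the image parsed here is constructed in memory (headers only)."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Flag names in the order the report prints them.
SECTION_FLAGS = {
    IMAGE_SCN_MEM_EXECUTE: "IMAGE_SCN_MEM_EXECUTE",
    IMAGE_SCN_CNT_CODE: "IMAGE_SCN_CNT_CODE",
    IMAGE_SCN_MEM_READ: "IMAGE_SCN_MEM_READ",
    IMAGE_SCN_MEM_WRITE: "IMAGE_SCN_MEM_WRITE",
}
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # CLR runtime header; populated only in .NET images


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> optional header -> data directories -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dir_off = opt_off + (96 if magic == 0x10B else 112)        # PE32 vs PE32+
    ndirs = struct.unpack_from("<I", data, dir_off - 4)[0]      # NumberOfRvaAndSizes
    dirs = [struct.unpack_from("<II", data, dir_off + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsections):
        off = opt_off + opt_size + 40 * i
        name = struct.unpack_from("<8s", data, off)[0].rstrip(b"\0").decode("ascii", "replace")
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name, "characteristics": chars,
                         "flags": [n for bit, n in SECTION_FLAGS.items() if chars & bit]})
    clr = dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] if len(dirs) > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR else (0, 0)
    return {"is_dotnet": clr != (0, 0), "clr_dir": clr, "sections": sections}


def describe(pe: dict) -> list:
    """Lines in the same shape as the report's 'Static PE information' entries."""
    lines = [f"Section: {s['name']} " + ", ".join(s["flags"]) for s in pe["sections"]]
    if pe["is_dotnet"]:
        lines.append("data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR")
    return lines


def writable_code_sections(pe: dict) -> list:
    """Sections that are both executable and writable: a common packer / self-modifying-code tell."""
    wx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    return [s["name"] for s in pe["sections"] if s["characteristics"] & wx == wx]


def build_minimal_pe(text_chars: int, clr_dir=(0x2008, 0x48)) -> bytes:
    """Constructed PE32 image with .text and .rsrc sections; headers only, no real code."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                     # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)
    opt_fmt = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "H" * 2 + "I" * 6   # 96-byte PE32 optional header
    opt = struct.pack(opt_fmt,
                      0x10B, 48, 0, 0x400, 0x200, 0, 0x2000, 0x2000, 0x4000,
                      0x400000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0,
                      0, 0x6000, 0x200, 0, 2, 0x8540,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] = clr_dir
    dir_bytes = b"".join(struct.pack("<II", *d) for d in dirs)

    def sec(name, va, chars):
        return struct.pack("<8sIIIIIIHHI", name, 0x400, va, 0x400, 0x200, 0, 0, 0, 0, chars)

    headers = dos + coff + opt + dir_bytes + sec(b".text", 0x2000, text_chars) + sec(b".rsrc", 0x4000, 0x40000040)
    return headers.ljust(0x200, b"\0") + b"\0" * 0x800


if __name__ == "__main__":
    sample_like = parse_pe(build_minimal_pe(IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ))
    for line in describe(sample_like):
        print(line)
    packed_like = parse_pe(build_minimal_pe(0xE0000020))
    print("W+X sections:", writable_code_sections(packed_like))
```

A read-only, executable .text as reported here is what a normally compiled .NET assembly looks like; the sandbox's "potential unpacker" and dynamic-invocation findings come from the IL, not from the section table, which is why the static lines alone would not have flagged this file.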
Source: classification engine  Classification label: mal100.troj.spyw.evad.winEXE@13/7@2/2
Source: C:\Users\user\Desktop\IMG-160920.exe  File created: C:\Users\user\AppData\Roaming\xDXJEysGAlDqc.exe
Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4660:120:WilError_01
Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7100:120:WilError_01
Source: C:\Users\user\Desktop\IMG-160920.exe  File created: C:\Users\user\AppData\Local\Temp\tmp7DC.tmp
Source: IMG-160920.exe  Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\IMG-160920.exe  Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\newApp\newApp.exe  Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\IMG-160920.exe  WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\IMG-160920.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\newApp\newApp.exe  WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\newApp\newApp.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\IMG-160920.exe  File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\IMG-160920.exe  Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\IMG-160920.exe  File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\newApp\newApp.exe  File read: C:\Windows\System32\drivers\etc\hosts
Source: IMG-160920.exe  Virustotal: Detection: 20%
Source: IMG-160920.exe  ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\IMG-160920.exe  File read: C:\Users\user\Desktop\IMG-160920.exe:Zone.Identifier
Source: unknown  Process created: C:\Users\user\Desktop\IMG-160920.exe 'C:\Users\user\Desktop\IMG-160920.exe'
Source: unknown  Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xDXJEysGAlDqc' /XML 'C:\Users\user\AppData\Local\Temp\tmp7DC.tmp'
Source: unknown  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown  Process created: C:\Users\user\Desktop\IMG-160920.exe {path}
Source: unknown  Process created: C:\Users\user\AppData\Roaming\newApp\newApp.exe 'C:\Users\user\AppData\Roaming\newApp\newApp.exe'
Source: unknown  Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xDXJEysGAlDqc' /XML 'C:\Users\user\AppData\Local\Temp\tmp7183.tmp'
Source: unknown  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown  Process created: C:\Users\user\AppData\Roaming\newApp\newApp.exe {path}
Source: unknown  Process created: C:\Users\user\AppData\Roaming\newApp\newApp.exe 'C:\Users\user\AppData\Roaming\newApp\newApp.exe'
Source: C:\Users\user\Desktop\IMG-160920.exe  Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xDXJEysGAlDqc' /XML 'C:\Users\user\AppData\Local\Temp\tmp7DC.tmp'
Source: C:\Users\user\Desktop\IMG-160920.exe  Process created: C:\Users\user\Desktop\IMG-160920.exe {path}
Source: C:\Users\user\AppData\Roaming\newApp\newApp.exe  Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xDXJEysGAlDqc' /XML 'C:\Users\user\AppData\Local\Temp\tmp7183.tmp'
Source: C:\Users\user\AppData\Roaming\newApp\newApp.exe  Process created: C:\Users\user\AppData\Roaming\newApp\newApp.exe {path}
Source: C:\Users\user\Desktop\IMG-160920.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\IMG-160920.exe  File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\IMG-160920.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
The 9375CFF0413111d3B88A00104B2A6676 subkey is where Outlook keeps its per-account settings (server names, user names and the DPAPI-protected passwords); opening it is the registry side of the "Tries to steal Mail credentials" finding and is a useful hunting key for any non-Office process.
Source: IMG-160920.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
The populated COM descriptor (CLR runtime header) directory is what identifies the file as a .NET assembly, consistent with the .NET decompiler findings and the mscorlib native image loaded by both processes.
                Source: IMG-160920.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                Source: IMG-160920.exeStatic file information: File size 1248768 > 1048576
                Source: IMG-160920.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x130400
                Source: IMG-160920.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains method to dynamically call methods (often used by packers)
Source: IMG-160920.exe, T?Z?x?wGx?UJ/?zsP?VLGo.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, kH?Sk?V??R }, null, null)
Source: xDXJEysGAlDqc.exe.0.dr, T?Z?x?wGx?UJ/?zsP?VLGo.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, kH?Sk?V??R }, null, null)
Source: 0.0.IMG-160920.exe.fc0000.0.unpack, T?Z?x?wGx?UJ/?zsP?VLGo.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, kH?Sk?V??R }, null, null)
Source: 0.2.IMG-160920.exe.fc0000.0.unpack, T?Z?x?wGx?UJ/?zsP?VLGo.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, kH?Sk?V??R }, null, null)
Source: newApp.exe.6.dr, T?Z?x?wGx?UJ/?zsP?VLGo.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, kH?Sk?V??R }, null, null)
Source: 6.2.IMG-160920.exe.670000.1.unpack, T?Z?x?wGx?UJ/?zsP?VLGo.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, kH?Sk?V??R }, null, null)
Source: 6.0.IMG-160920.exe.670000.0.unpack, T?Z?x?wGx?UJ/?zsP?VLGo.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, kH?Sk?V??R }, null, null)
Source: 17.2.newApp.exe.e70000.0.unpack, T?Z?x?wGx?UJ/?zsP?VLGo.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, kH?Sk?V??R }, null, null)
Source: 17.0.newApp.exe.e70000.0.unpack, T?Z?x?wGx?UJ/?zsP?VLGo.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, kH?Sk?V??R }, null, null)
Source: 20.0.newApp.exe.dc0000.0.unpack, T?Z?x?wGx?UJ/?zsP?VLGo.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, kH?Sk?V??R }, null, null)

.NET source code contains potential unpacker
Source: IMG-160920.exe, T?Z?x?wGx?UJ/?zsP?VLGo.cs | .Net Code: Mu??U?I?Mu?Z? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: xDXJEysGAlDqc.exe.0.dr, T?Z?x?wGx?UJ/?zsP?VLGo.cs | .Net Code: Mu??U?I?Mu?Z? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.IMG-160920.exe.fc0000.0.unpack, T?Z?x?wGx?UJ/?zsP?VLGo.cs | .Net Code: Mu??U?I?Mu?Z? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.IMG-160920.exe.fc0000.0.unpack, T?Z?x?wGx?UJ/?zsP?VLGo.cs | .Net Code: Mu??U?I?Mu?Z? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: newApp.exe.6.dr, T?Z?x?wGx?UJ/?zsP?VLGo.cs | .Net Code: Mu??U?I?Mu?Z? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.IMG-160920.exe.670000.1.unpack, T?Z?x?wGx?UJ/?zsP?VLGo.cs | .Net Code: Mu??U?I?Mu?Z? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.IMG-160920.exe.670000.0.unpack, T?Z?x?wGx?UJ/?zsP?VLGo.cs | .Net Code: Mu??U?I?Mu?Z? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 17.2.newApp.exe.e70000.0.unpack, T?Z?x?wGx?UJ/?zsP?VLGo.cs | .Net Code: Mu??U?I?Mu?Z? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 17.0.newApp.exe.e70000.0.unpack, T?Z?x?wGx?UJ/?zsP?VLGo.cs | .Net Code: Mu??U?I?Mu?Z? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 20.0.newApp.exe.dc0000.0.unpack, T?Z?x?wGx?UJ/?zsP?VLGo.cs | .Net Code: Mu??U?I?Mu?Z? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\IMG-160920.exe | Code function: 6_2_00F4DA89 push ebx; ret 6_2_00F4DA8A
Source: C:\Users\user\Desktop\IMG-160920.exe | Code function: 6_2_062D33F0 push eax; ret 6_2_062D33FD
Source: C:\Users\user\AppData\Roaming\newApp\newApp.exe | Code function: 17_2_052F41A0 push edx; iretd 17_2_052F41A1
Source: C:\Users\user\AppData\Roaming\newApp\newApp.exe | Code function: 20_2_0316BE10 push 0000005Eh; ret 20_2_0316BE0E
Source: C:\Users\user\AppData\Roaming\newApp\newApp.exe | Code function: 20_2_0684D408 push D80683CCh; retf 20_2_0684D40D
Source: initial sample | Static PE information: section name: .text entropy: 7.89767331857
Source: initial sample | Static PE information: section name: .text entropy: 7.89767331857
Source: initial sample | Static PE information: section name: .text entropy: 7.89767331857
Source: C:\Users\user\Desktop\IMG-160920.exe | File created: C:\Users\user\AppData\Roaming\xDXJEysGAlDqc.exe
Source: C:\Users\user\Desktop\IMG-160920.exe | File created: C:\Users\user\AppData\Roaming\newApp\newApp.exe
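The static indicators in this section (a .NET COM descriptor, a .text section larger than 0x100000 with entropy 7.8977, and Assembly::Load(System.Byte[]) reached through LateBinding.LateCall in the decompiled code) are the usual shape of a .NET crypter that carries its real payload encrypted inside one oversized section. The Python below is an added illustration of the per-section entropy and size checks behind those static rules; it is not part of the Joe Sandbox report and not the sample's own code. It walks the PE section table directly rather than relying on a PE library, and the image it analyses is constructed inline (a minimal, non-runnable PE32 header whose .text section is a seeded pseudo-random stream standing in for an encrypted payload). The 7.2 bits/byte entropy threshold is an assumption, not a value taken from the report.

```python
import math
import random
import struct

# Triage thresholds. The report flags .text entropy 7.8977 and raw/virtual size above
# 0x100000; the 7.2 bits/byte entropy cut-off is an assumption, not a Joe Sandbox value.
PACKED_ENTROPY_THRESHOLD = 7.2
LARGE_SECTION_BYTES = 0x100000


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniformly random)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Minimal PE section-table walk: MZ -> e_lfanew -> PE signature -> COFF -> sections."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]     # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]      # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    table = coff + 20 + opt_size                               # first IMAGE_SECTION_HEADER (40 bytes each)
    sections = []
    for i in range(n_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, rsize, rptr = struct.unpack_from("<IIII", pe, off + 8)
        data = pe[rptr:rptr + rsize]
        sections.append({"name": name, "virtual_size": vsize, "raw_size": rsize,
                         "entropy": shannon_entropy(data)})
    return sections


def triage(sections: list) -> list:
    """Return the static findings a sandbox would raise on these sections."""
    findings = []
    for s in sections:
        if s["entropy"] >= PACKED_ENTROPY_THRESHOLD:
            findings.append(f"{s['name']}: entropy {s['entropy']:.4f} >= {PACKED_ENTROPY_THRESHOLD} "
                            "(encrypted or compressed payload likely)")
        if s["raw_size"] > LARGE_SECTION_BYTES or s["virtual_size"] > LARGE_SECTION_BYTES:
            findings.append(f"{s['name']}: section larger than {LARGE_SECTION_BYTES:#x} "
                            f"(raw {s['raw_size']:#x}, virtual {s['virtual_size']:#x})")
    return findings


def build_sample_pe(text_payload: bytes, rdata_payload: bytes) -> bytes:
    """Constructed, non-runnable PE32 image with a .text and an .rdata section (demo input only)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew: PE header right after the DOS header
    opt_size = 0xE0                                       # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x102)  # i386, 2 sections, EXE
    headers_len = 64 + 4 + 20 + opt_size + 40 * 2
    headers, payloads = b"", b""
    for name, payload in ((b".text", text_payload), (b".rdata", rdata_payload)):
        raw_ptr = headers_len + len(payloads)
        headers += struct.pack("<8sIIII", name, len(payload), 0x1000, len(payload), raw_ptr)
        headers += bytes(40 - 24)                         # remaining section-header fields zeroed
        payloads += payload
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + headers + payloads


# Constructed inputs: a seeded PRNG stream stands in for an encrypted payload and
# repeated ASCII stands in for ordinary low-entropy data.
ENCRYPTED_LIKE = random.Random(0x160920).randbytes(0x20000)
PLAIN_LIKE = b"This program cannot be run in DOS mode.\r\n" * 2000
SAMPLE_PE = build_sample_pe(ENCRYPTED_LIKE, PLAIN_LIKE)


def demo() -> list:
    """Triage the constructed image; only the .text entropy finding fires."""
    return triage(parse_sections(SAMPLE_PE))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

On a real sample, replace `SAMPLE_PE` with the file bytes of IMG-160920.exe; the entropy finding alone is a weak signal (signed installers and .NET assemblies with embedded resources also score high), so it is meant to be combined with the COM descriptor and the Assembly::Load(byte[]) reference before calling the file a crypter.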

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\xDXJEysGAlDqc' /XML 'C:\Users\user\AppData\Local\Temp\tmp7DC.tmp'
Source: C:\Users\user\Desktop\IMG-160920.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run newApp
Source: C:\Users\user\Desktop\IMG-160920.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run newApp
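The persistence chain above is what the Sigma rule "Scheduled temp file as task from temp location" is built to catch: schtasks.exe importing a task definition from a .tmp file under AppData\Local\Temp, an HKCU Run value pointing at a copy in AppData\Roaming, and the sample re-launching its own image (the `{path}` children in the process tree) as the target for injection. The Python below is an added example of that detection logic and is not part of the Joe Sandbox report. The events it runs over are constructed to mirror the report's process tree (Sysmon-style fields with double-quoted command lines, plus one benign control event); the field names and the self-spawn heuristic are assumptions of this example, not of any particular EDR.

```python
import re

# Constructed telemetry modelled on the report's process tree (Sysmon-style fields,
# double-quoted command lines). These are illustrative events, not real log data.
EVENTS = [
    {"type": "process", "parent": r"C:\Users\user\Desktop\IMG-160920.exe",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xDXJEysGAlDqc" '
                r'/XML "C:\Users\user\AppData\Local\Temp\tmp7DC.tmp"'},
    # the report's '{path}' child: the sample launching a second copy of its own image
    {"type": "process", "parent": r"C:\Users\user\Desktop\IMG-160920.exe",
     "image": r"C:\Users\user\Desktop\IMG-160920.exe",
     "cmdline": r'"C:\Users\user\Desktop\IMG-160920.exe"'},
    {"type": "registry", "image": r"C:\Users\user\Desktop\IMG-160920.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "newApp",
     "data": r"C:\Users\user\AppData\Roaming\newApp\newApp.exe"},
    # benign control: a task imported from a location that is neither temp nor user-writable
    {"type": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /TN "Maint\Backup" /XML "C:\ProgramData\Backup\task.xml"'},
]

TEMP_DIR_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.I)
XML_ARG_RE = re.compile(r'/xml\s+"?([^"\s]+)', re.I)
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\(?:AppData|Desktop|Downloads)\\", re.I)


def rule_schtasks_xml_from_temp(ev: dict):
    """schtasks /Create whose /XML argument lives in a temp directory (the Sigma rule's idea)."""
    if ev["type"] != "process" or not ev["image"].lower().endswith("\\schtasks.exe"):
        return None
    cmd = ev["cmdline"]
    if "/create" not in cmd.lower():
        return None
    m = XML_ARG_RE.search(cmd)
    if m and TEMP_DIR_RE.search(m.group(1)):
        return f"schtasks /Create imports task XML from temp: {m.group(1)} (parent {ev['parent']})"
    return None


def rule_run_key_from_user_path(ev: dict):
    """HKCU/HKLM Run value whose data points into a user-writable directory."""
    if ev["type"] != "registry" or not ev["key"].lower().endswith("\\currentversion\\run"):
        return None
    if USER_WRITABLE_RE.search(ev["data"]):
        return f"Run value '{ev['value']}' -> {ev['data']} written by {ev['image']}"
    return None


def rule_self_spawn(ev: dict):
    """A binary in a user-writable path starting a second copy of itself: the pattern behind
    the report's suspended '{path}' children. Hollowing/RunPE heuristic; assumption: rare for
    legitimate software, so worth surfacing alongside the other two rules."""
    if (ev["type"] == "process" and ev["parent"].lower() == ev["image"].lower()
            and USER_WRITABLE_RE.search(ev["image"])):
        return f"self-spawn of {ev['image']} (possible process-hollowing target)"
    return None


RULES = (rule_schtasks_xml_from_temp, rule_run_key_from_user_path, rule_self_spawn)


def detect(events: list) -> list:
    """Run every rule over every event and return (rule name, message) pairs in event order."""
    hits = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((rule.__name__, msg))
    return hits


if __name__ == "__main__":
    for name, msg in detect(EVENTS):
        print(f"[{name}] {msg}")
```

Run against the constructed events, the three malicious events each trigger exactly one rule and the ProgramData control does not. In a real pipeline the three hits share a parent process, so correlating them by process GUID within a short window gives a far stronger alert than any single rule: the temp-XML task alone is occasionally seen from installers, but together with a Run value into AppData\Roaming and a self-spawn it is the AgentTesla dropper pattern described in this report.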

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\IMG-160920.exe | File opened: C:\Users\user\AppData\Roaming\newApp\newApp.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\IMG-160920.exe | Process information set: NOOPENFILEERRORBOX (91 identical entries in the original report, collapsed to one)
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion:

                Yara detected AntiVM_3
                Source: Yara match File source: Process Memory Space: newApp.exe PID: 4844, type: MEMORY
                Source: Yara match File source: Process Memory Space: IMG-160920.exe PID: 4764, type: MEMORY
                Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                Source: C:\Users\user\Desktop\IMG-160920.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                Source: C:\Users\user\Desktop\IMG-160920.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                Source: IMG-160920.exe, 00000000.00000002.400282505.00000000034F1000.00000004.00000001.sdmp, newApp.exe, 00000011.00000002.468696827.0000000003AA4000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
                Source: IMG-160920.exe, 00000000.00000002.400282505.00000000034F1000.00000004.00000001.sdmp, newApp.exe, 00000011.00000002.468696827.0000000003AA4000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: C:\Users\user\Desktop\IMG-160920.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\newApp\newApp.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\IMG-160920.exe Window / User API: threadDelayed 427
                Source: C:\Users\user\Desktop\IMG-160920.exe TID: 2280 Thread sleep time: -33000s >= -30000s
                Source: C:\Users\user\Desktop\IMG-160920.exe TID: 4856 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\IMG-160920.exe TID: 4988 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\IMG-160920.exe TI