Analysis Report Port Inquiry 34009294342.xls.exe

Overview

General Information

Sample Name: Port Inquiry 34009294342.xls.exe
Analysis ID: 289554
MD5: 80e2c73a933c0e75232da335f4311c94
SHA1: e4afe2e11a32f5a9807e90ce55c83b1dbae061e2
SHA256: 1a8573f9acba3f7d8863043223fb1d6ef4b52ad5bb4cdcb5e178e935b25b40e3
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Contains functionality to hide a thread from the debugger
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • Port Inquiry 34009294342.xls.exe (PID: 5800 cmdline: 'C:\Users\user\Desktop\Port Inquiry 34009294342.xls.exe' MD5: 80E2C73A933C0E75232DA335F4311C94)
    • timeout.exe (PID: 5672 cmdline: timeout 4 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • conhost.exe (PID: 2708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • WerFault.exe (PID: 3764 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5800 -ip 5800 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • newapp.exe (PID: 6308 cmdline: 'C:\Users\user\AppData\Roaming\newapp\newapp.exe' MD5: 80E2C73A933C0E75232DA335F4311C94)
    • timeout.exe (PID: 6932 cmdline: timeout 4 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • conhost.exe (PID: 6916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • newapp.exe (PID: 4880 cmdline: C:\Users\user\AppData\Roaming\newapp\newapp.exe MD5: 80E2C73A933C0E75232DA335F4311C94)
    • newapp.exe (PID: 2708 cmdline: C:\Users\user\AppData\Roaming\newapp\newapp.exe MD5: 80E2C73A933C0E75232DA335F4311C94)
  • newapp.exe (PID: 4856 cmdline: 'C:\Users\user\AppData\Roaming\newapp\newapp.exe' MD5: 80E2C73A933C0E75232DA335F4311C94)
    • timeout.exe (PID: 1120 cmdline: timeout 4 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • conhost.exe (PID: 5788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "oHatZ6LhZz1", "URL: ": "http://evzVOJLfNup.com", "To: ": "", "ByHost: ": "smtp.stevenlkornsteinlawfirm.com:587", "Password: ": "SXeB66op8WzoY", "From: ": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000014.00000002.619200548.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000014.00000002.621780206.00000000028A1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000014.00000002.621890479.000000000291C000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000014.00000002.621890479.000000000291C000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000003.00000002.619190494.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
20.2.newapp.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
3.2.Port Inquiry 34009294342.xls.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Suspicious Double Extension
Source: Process started, Author: Florian Roth (rule), @blu3_team (idea): Data: Command: C:\Users\user\Desktop\Port Inquiry 34009294342.xls.exe, CommandLine: C:\Users\user\Desktop\Port Inquiry 34009294342.xls.exe, CommandLine|base64offset|contains: "z, Image: C:\Users\user\Desktop\Port Inquiry 34009294342.xls.exe, NewProcessName: C:\Users\user\Desktop\Port Inquiry 34009294342.xls.exe, OriginalFileName: C:\Users\user\Desktop\Port Inquiry 34009294342.xls.exe, ParentCommandLine: 'C:\Users\user\Desktop\Port Inquiry 34009294342.xls.exe' , ParentImage: C:\Users\user\Desktop\Port Inquiry 34009294342.xls.exe, ParentProcessId: 5800, ProcessCommandLine: C:\Users\user\Desktop\Port Inquiry 34009294342.xls.exe, ProcessId: 6708

Signature Overview

AV Detection:

Found malware configuration
Source: newapp.exe.2708.20.memstr, Malware Configuration Extractor: Agenttesla {"Username: ": "oHatZ6LhZz1", "URL: ": "http://evzVOJLfNup.com", "To: ": "", "ByHost: ": "smtp.stevenlkornsteinlawfirm.com:587", "Password: ": "SXeB66op8WzoY", "From: ": ""}
Multi AV Scanner detection for submitted file
Source: Port Inquiry 34009294342.xls.exe, Virustotal: Detection: 28%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Port Inquiry 34009294342.xls.exe, Joe Sandbox ML: detected
Source: 20.2.newapp.exe.400000.0.unpack, Avira: Label: TR/Spy.Gen8
Source: 3.2.Port Inquiry 34009294342.xls.exe.400000.0.unpack, Avira: Label: TR/Spy.Gen8

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49730 -> 208.91.199.224:587
Source: Traffic, Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49740 -> 208.91.199.223:587
Source: global traffic, TCP traffic: 192.168.2.3:49730 -> 208.91.199.224:587
Source: global traffic, TCP traffic: 192.168.2.3:49740 -> 208.91.199.223:587
Source: Joe Sandbox View, IP Address: 37.120.174.218
Source: Joe Sandbox View, IP Address: 208.91.199.223
Source: Joe Sandbox View, IP Address: 208.91.199.224
Source: Joe Sandbox View, ASN Name: PUBLIC-DOMAIN-REGISTRYUS
Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown, DNS traffic detected: queries for: paste.nrecom.net
Source: unknown, Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown, Network traffic detected: HTTP traffic on port 49739 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\Port Inquiry 34009294342.xls.exe, Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Port Inquiry 34009294342.xls.exe
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe, Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\newapp\newapp.exe
Source: Port Inquiry 34009294342.xls.exe, 00000006.00000000.370530335.0000000000EBA000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\Port Inquiry 34009294342.xls.exe, Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe, Window created: window name: CLIPBRDWNDCLASS

System Summary:

Source: C:\Users\user\Desktop\Port Inquiry 34009294342.xls.exe, Code function: 0_2_0111D300 NtSetInformationThread
Source: C:\Users\user\Desktop\Port Inquiry 34009294342.xls.exe, Code function: 0_2_0111D8C1 NtSetInformationThread
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe, Code function: 11_2_00DFD8C8 NtSetInformationThread
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe, Code function: 11_2_00DFD8C1 NtSetInformationThread
Source: unknown, Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5800 -ip 5800
Source: Port Inquiry 34009294342.xls.exe, Static PE information: invalid certificate
                Source: Port Inquiry 34009294342.xls.exe, ?????????????????????.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                Source: newapp.exe.3.dr, ?????????????????????.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                Source: Port Inquiry 34009294342.xls.exe, 00000006.00000000.370520723.0000000000EB0000.00000004.00000020.sdmpBinary or memory string: inaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbcx
                Source: Port Inquiry 34009294342.xls.exe, 00000006.00000000.375049191.0000000005DE0000.00000004.00000001.sdmpBinary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@20/3@9/4
                Source: C:\Users\user\Desktop\Port Inquiry 34009294342.xls.exeFile created: C:\Users\user\AppData\Roaming\newappJump to behavior
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6916:120:WilError_01
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2708:120:WilError_01
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5788:120:WilError_01
                Source: Port Inquiry 34009294342.xls.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\Port Inquiry 34009294342.xls.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Windows\System32\conhost.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Windows\System32\conhost.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\Port Inquiry 34009294342.xls.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\Port Inquiry 34009294342.xls.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\Port Inquiry 34009294342.xls.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: C:\Users\user\Desktop\Port Inquiry 34009294342.xls.exe; File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe; File read: C:\Windows\System32\drivers\etc\hosts
                Source: Port Inquiry 34009294342.xls.exe; Virustotal: Detection: 28%
                Source: C:\Users\user\Desktop\Port Inquiry 34009294342.xls.exe; File read: C:\Users\user\Desktop\Port Inquiry 34009294342.xls.exe
                Source: unknown; Process created: C:\Users\user\Desktop\Port Inquiry 34009294342.xls.exe 'C:\Users\user\Desktop\Port Inquiry 34009294342.xls.exe'
                Source: unknown; Process created: C:\Windows\SysWOW64\timeout.exe timeout 4
                Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknown; Process created: C:\Users\user\Desktop\Port Inquiry 34009294342.xls.exe C:\Users\user\Desktop\Port Inquiry 34009294342.xls.exe
                Source: unknown; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5800 -ip 5800
                Source: unknown; Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe 'C:\Users\user\AppData\Roaming\newapp\newapp.exe'
                Source: unknown; Process created: C:\Windows\SysWOW64\timeout.exe timeout 4
                Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknown; Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe 'C:\Users\user\AppData\Roaming\newapp\newapp.exe'
                Source: unknown; Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe C:\Users\user\AppData\Roaming\newapp\newapp.exe
                Source: unknown; Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe C:\Users\user\AppData\Roaming\newapp\newapp.exe
                Source: unknown; Process created: C:\Windows\SysWOW64\timeout.exe timeout 4
                Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\Port Inquiry 34009294342.xls.exe; Process created: C:\Windows\SysWOW64\timeout.exe timeout 4
                Source: C:\Users\user\Desktop\Port Inquiry 34009294342.xls.exe; Process created: C:\Users\user\Desktop\Port Inquiry 34009294342.xls.exe C:\Users\user\Desktop\Port Inquiry 34009294342.xls.exe
                Source: C:\Windows\SysWOW64\WerFault.exe; Process created: unknown unknown
                Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe; Process created: C:\Windows\SysWOW64\timeout.exe timeout 4
                Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe; Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe C:\Users\user\AppData\Roaming\newapp\newapp.exe
                Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe; Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe C:\Users\user\AppData\Roaming\newapp\newapp.exe
                Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe; Process created: C:\Windows\SysWOW64\timeout.exe timeout 4
                Source: C:\Users\user\Desktop\Port Inquiry 34009294342.xls.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                Source: Window Recorder; Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\Port Inquiry 34009294342.xls.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Users\user\Desktop\Port Inquiry 34009294342.xls.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: Port Inquiry 34009294342.xls.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: Port Inquiry 34009294342.xls.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                Source: Binary string: inaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbcx source: Port Inquiry 34009294342.xls.exe, 00000006.00000000.370520723.0000000000EB0000.00000004.00000020.sdmp
                Source: Binary string: OPort Inquiry 34009294342.xls.PDBQ source: Port Inquiry 34009294342.xls.exe, 00000000.00000002.369979998.0000000000D88000.00000004.00000010.sdmp, Port Inquiry 34009294342.xls.exe, 00000006.00000000.370462743.0000000000D88000.00000004.00000001.sdmp
                Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdbQ source: Port Inquiry 34009294342.xls.exe, 00000006.00000000.370571746.0000000000EF0000.00000004.00000020.sdmp
                Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: Port Inquiry 34009294342.xls.exe, 00000006.00000000.370634103.0000000000F45000.00000004.00000020.sdmp
                Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: Port Inquiry 34009294342.xls.exe, 00000006.00000000.370634103.0000000000F45000.00000004.00000020.sdmp
                Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdbP source: Port Inquiry 34009294342.xls.exe, 00000006.00000000.370634103.0000000000F45000.00000004.00000020.sdmp
                Source: Binary string: mscorlib.pdb source: Port Inquiry 34009294342.xls.exe, 00000006.00000000.375049191.0000000005DE0000.00000004.00000001.sdmp
                Source: Binary string: C:\Users\user\Desktop\Port Inquiry 34009294342.xls.PDB source: Port Inquiry 34009294342.xls.exe, 00000000.00000002.369979998.0000000000D88000.00000004.00000010.sdmp, Port Inquiry 34009294342.xls.exe, 00000006.00000000.370462743.0000000000D88000.00000004.00000001.sdmp
                Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb7 source: Port Inquiry 34009294342.xls.exe, 00000006.00000000.370634103.0000000000F45000.00000004.00000020.sdmp
                Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb* source: Port Inquiry 34009294342.xls.exe, 00000006.00000000.370634103.0000000000F45000.00000004.00000020.sdmp
                Source: Binary string: *.pdb source: newapp.exe
                Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: Port Inquiry 34009294342.xls.exe, 00000006.00000000.370634103.0000000000F45000.00000004.00000020.sdmp
                Source: Binary string: \??\C:\Windows\mscorlib.pdb source: Port Inquiry 34009294342.xls.exe, 00000006.00000000.370634103.0000000000F45000.00000004.00000020.sdmp
                Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: Port Inquiry 34009294342.xls.exe, 00000006.00000000.370571746.0000000000EF0000.00000004.00000020.sdmp
                Source: Binary string: \??\C:\Users\user\Desktop\Port Inquiry 34009294342.xls.PDB)S source: Port Inquiry 34009294342.xls.exe, 00000006.00000000.370571746.0000000000EF0000.00000004.00000020.sdmp
                Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: Port Inquiry 34009294342.xls.exe, 00000006.00000000.370599497.0000000000F28000.00000004.00000020.sdmp
                Source: Binary string: jVisualBasic.pdb source: Port Inquiry 34009294342.xls.exe, 00000000.00000002.369979998.0000000000D88000.00000004.00000010.sdmp, Port Inquiry 34009294342.xls.exe, 00000006.00000000.370462743.0000000000D88000.00000004.00000001.sdmp
                Source: Binary string: .pdb8X source: Port Inquiry 34009294342.xls.exe, 00000000.00000002.369979998.0000000000D88000.00000004.00000010.sdmp, Port Inquiry 34009294342.xls.exe, 00000006.00000000.370462743.0000000000D88000.00000004.00000001.sdmp
                Source: Binary string: \??\C:\Windows\mscorlib.pdb'2 source: Port Inquiry 34009294342.xls.exe, 00000006.00000000.370634103.0000000000F45000.00000004.00000020.sdmp
                Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbl; source: Port Inquiry 34009294342.xls.exe, 00000006.00000000.370634103.0000000000F45000.00000004.00000020.sdmp
                Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: Port Inquiry 34009294342.xls.exe, 00000006.00000000.370571746.0000000000EF0000.00000004.00000020.sdmp
                Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: Port Inquiry 34009294342.xls.exe, 00000006.00000000.375049191.0000000005DE0000.00000004.00000001.sdmp
                Source: Binary string: *.pdboNo package directories reported due to opt out of ngen.1Searching directory for:=Error searching directory for:KError enumerating package directories!Error examining: source: Port Inquiry 34009294342.xls.exe
                Source: newapp.exe.3.dr; Static PE information: real checksum: 0x30fc7 should be: 0x3e0b2
                Source: Port Inquiry 34009294342.xls.exe; Static PE information: real checksum: 0x30fc7 should be: 0x3e0b2
                Source: initial sample; Static PE information: section name: .text entropy: 7.26498408592
                Source: C:\Users\user\Desktop\Port Inquiry 34009294342.xls.exe; File created: C:\Users\user\AppData\Roaming\newapp\newapp.exe
                Source: C:\Users\user\Desktop\Port Inquiry 34009294342.xls.exe; Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run newapp

                Hooking and other Techniques for Hiding and Protection:

                Hides that the sample has been downloaded from the Internet (zone.identifier)
                Source: C:\Users\user\Desktop\Port Inquiry 34009294342.xls.exe; File opened: C:\Users\user\AppData\Roaming\newapp\newapp.exe:Zone.Identifier read attributes | delete
                Uses an obfuscated file name to hide its real file extension (double extension)
                Source: Possible double extension: xls.exe; Static PE information: Port Inquiry 34009294342.xls.exe
                Source: C:\Users\user\Desktop\Port Inquiry 34009294342.xls.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX