Analysis Report sample2.bin

Overview

General Information

Sample Name: sample2.bin (renamed file extension from bin to exe)
Analysis ID: 339443
MD5: b0f2d519ccae5bf1435264e0979770ce
SHA1: 212da7b3ed9c89d83941f6bb0dba889fa24f8f6a
SHA256: a4fdc26d6b70eaf0a62cca36286412901f48881eae616d38b96d8ae0cb0f29c7

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: sample2.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Avira: detection malicious, Label: TR/Kryptik.bkfmg
Found malware configuration
Source: sample2.exe.5652.1.memstr Malware Configuration Extractor: Agenttesla {"Username: ": "GILTzioSjfs2NDI", "URL: ": "http://eu0j0ejPMgs9.com", "To: ": "", "ByHost: ": "us2.smtp.mailhostbox.com:587", "Password: ": "6QRSH5w5UD", "From: ": ""}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Metadefender: Detection: 25%
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe ReversingLabs: Detection: 80%
Multi AV Scanner detection for submitted file
Source: sample2.exe Metadefender: Detection: 25%
Source: sample2.exe ReversingLabs: Detection: 80%
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.sample2.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 18.2.nwama.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 11.2.nwama.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_05FF13C2 CryptUnprotectData, 1_2_05FF13C2
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_05FF1387 CryptUnprotectData, 1_2_05FF1387
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_05C11066 CryptUnprotectData, 11_2_05C11066
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_05C1102B CryptUnprotectData, 11_2_05C1102B

Compliance:

Uses 32bit PE files
Source: sample2.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\sample2.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: sample2.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Vendetta\source\repos\Defender Protect\Defender Protect\obj\Debug\Defender Protect.pdb source: sample2.exe, 00000000.00000002.665736666.0000000006290000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.720529552.0000000002F86000.00000004.00000001.sdmp, nwama.exe, 0000000F.00000002.736332738.00000000031A6000.00000004.00000001.sdmp
Source: Binary string: mscorrc.pdb source: sample2.exe, 00000000.00000002.667266340.0000000006CA0000.00000002.00000001.sdmp, sample2.exe, 00000001.00000002.999576706.0000000006670000.00000002.00000001.sdmp, nwama.exe, 0000000A.00000002.725183141.00000000069F0000.00000002.00000001.sdmp, nwama.exe, 0000000B.00000002.1000299165.0000000006510000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.740831894.0000000006B60000.00000002.00000001.sdmp, nwama.exe, 00000012.00000002.998659429.0000000005F50000.00000002.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://eu0j0ejPMgs9.com
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49760 -> 208.91.198.143:587
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 208.91.198.143
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.4:49760 -> 208.91.198.143:587
Source: unknown DNS traffic detected: queries for: us2.smtp.mailhostbox.com
Source: nwama.exe, 00000012.00000002.991463168.0000000002CAE000.00000004.00000001.sdmp, nwama.exe, 00000012.00000002.992391711.0000000002DDC000.00000004.00000001.sdmp String found in binary or memory: http://eu0j0ejPMgs9.com
Source: sample2.exe, 00000001.00000003.724871830.00000000013B4000.00000004.00000001.sdmp String found in binary or memory: http://eu0j0ejPMgs9.com3853321935-2125563209-4053062332-1002_Classes
Source: sample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: sample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: sample2.exe, 00000000.00000003.645220057.000000000504E000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com
Source: sample2.exe, 00000000.00000003.644898716.000000000504E000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comep
Source: sample2.exe, 00000000.00000003.644898716.000000000504E000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comg
Source: sample2.exe, 00000000.00000003.644898716.000000000504E000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comhly
Source: sample2.exe, 00000000.00000003.645020096.000000000504E000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comi
Source: sample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: sample2.exe, 00000000.00000002.662931155.0000000005010000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: sample2.exe, 00000000.00000003.647869153.0000000005049000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/
Source: sample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: sample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: sample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: sample2.exe, 00000000.00000003.648321789.0000000005049000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.htmltF1
Source: sample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: sample2.exe, 00000000.00000003.648093017.0000000005049000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers;
Source: sample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: sample2.exe, 00000000.00000003.649192807.0000000005045000.00000004.00000001.sdmp, sample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: sample2.exe, 00000000.00000003.647892711.0000000005049000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersZ
Source: sample2.exe, 00000000.00000003.647942862.0000000005049000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersers
Source: sample2.exe, 00000000.00000003.649363101.0000000005014000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comF
Source: sample2.exe, 00000000.00000003.649363101.0000000005014000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comI.TTF
Source: sample2.exe, 00000000.00000003.649363101.0000000005014000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comM.TTFN
Source: sample2.exe, 00000000.00000003.649363101.0000000005014000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comalic
Source: sample2.exe, 00000000.00000002.662931155.0000000005010000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.como
Source: sample2.exe, 00000000.00000003.649363101.0000000005014000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comsivFw
Source: sample2.exe, 00000000.00000003.649363101.0000000005014000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comueS
Source: sample2.exe, 00000000.00000002.662931155.0000000005010000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comuec
Source: sample2.exe, 00000000.00000003.642777953.000000000502B000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: sample2.exe, 00000000.00000003.642811892.000000000502B000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.comicx
Source: sample2.exe, 00000000.00000003.644379621.0000000005014000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.cT
Source: sample2.exe, 00000000.00000003.644065481.0000000005014000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: sample2.exe, 00000000.00000003.644065481.0000000005014000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn)
Source: sample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: sample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: sample2.exe, 00000000.00000003.644065481.0000000005014000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnLog
Source: sample2.exe, 00000000.00000003.644029155.000000000504D000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnb
Source: sample2.exe, 00000000.00000003.644065481.0000000005014000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnc
Source: sample2.exe, 00000000.00000003.644029155.000000000504D000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cns-m
Source: sample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: sample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: sample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: sample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: sample2.exe, 00000000.00000003.644379621.0000000005014000.00000004.00000001.sdmp String found in binary or memory: http://www.m.
Source: sample2.exe, 00000000.00000003.642725281.000000000502B000.00000004.00000001.sdmp, sample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: sample2.exe, 00000000.00000003.642725281.000000000502B000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.comK
Source: sample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: sample2.exe, 00000000.00000003.643501238.0000000005019000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: sample2.exe, 00000000.00000003.643501238.0000000005019000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.krrad
Source: sample2.exe, 00000000.00000003.643501238.0000000005019000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.krt
Source: nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: sample2.exe, 00000000.00000003.642985385.000000000502B000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com.
Source: sample2.exe, 00000000.00000003.642940134.000000000502B000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.comm
Source: sample2.exe, 00000000.00000003.642985385.000000000502B000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.comn
Source: sample2.exe, 00000000.00000003.643012662.000000000502B000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.comnm.
Source: sample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: sample2.exe, 00000000.00000003.649363101.0000000005014000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.de
Source: sample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: sample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: nwama.exe, 00000012.00000002.991463168.0000000002CAE000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: nwama.exe, 00000012.00000002.991463168.0000000002CAE000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/answer/6258784

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\sample2.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\sample2.exe
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\nwama\nwama.exe
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\nwama\nwama.exe
Creates a DirectInput object (often for capturing keystrokes)
Source: sample2.exe, 00000000.00000002.658005987.0000000000DCA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\sample2.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Window created: window name: CLIPBRDWNDCLASS

System Summary:

.NET source code contains very large strings
Source: sample2.exe, ClassCore.cs Long String: Length: 86015
Source: 0.2.sample2.exe.590000.0.unpack, ClassCore.cs Long String: Length: 86015
Source: 0.0.sample2.exe.590000.0.unpack, ClassCore.cs Long String: Length: 86015
Source: nwama.exe.1.dr, ClassCore.cs Long String: Length: 86015
Source: 1.0.sample2.exe.ee0000.0.unpack, ClassCore.cs Long String: Length: 86015
Source: 1.2.sample2.exe.ee0000.1.unpack, ClassCore.cs Long String: Length: 86015
Source: 10.0.nwama.exe.7c0000.0.unpack, ClassCore.cs Long String: Length: 86015
Source: 10.2.nwama.exe.7c0000.0.unpack, ClassCore.cs Long String: Length: 86015
Source: 11.2.nwama.exe.ae0000.1.unpack, ClassCore.cs Long String: Length: 86015
Source: 11.0.nwama.exe.ae0000.0.unpack, ClassCore.cs Long String: Length: 86015
Source: 15.2.nwama.exe.8d0000.0.unpack, ClassCore.cs Long String: Length: 86015
Source: 15.0.nwama.exe.8d0000.0.unpack, ClassCore.cs Long String: Length: 86015
Source: 18.2.nwama.exe.520000.1.unpack, ClassCore.cs Long String: Length: 86015
Source: 18.0.nwama.exe.520000.0.unpack, ClassCore.cs Long String: Length: 86015
Contains functionality to call native functions
Source: C:\Users\user\Desktop\sample2.exe Code function: 0_2_06D109DA NtQuerySystemInformation, 0_2_06D109DA
Source: C:\Users\user\Desktop\sample2.exe Code function: 0_2_06D1086A NtQueryInformationProcess, 0_2_06D1086A
Source: C:\Users\user\Desktop\sample2.exe Code function: 0_2_06D10848 NtQueryInformationProcess, 0_2_06D10848
Source: C:\Users\user\Desktop\sample2.exe Code function: 0_2_06D1099F NtQuerySystemInformation, 0_2_06D1099F
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_0163B362 NtQuerySystemInformation, 1_2_0163B362
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_0163B331 NtQuerySystemInformation, 1_2_0163B331
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 10_2_06A609DA NtQuerySystemInformation, 10_2_06A609DA
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 10_2_06A6086A NtQueryInformationProcess, 10_2_06A6086A
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 10_2_06A6099F NtQuerySystemInformation, 10_2_06A6099F
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 10_2_06A60848 NtQueryInformationProcess, 10_2_06A60848
Detected potential crypto function
Source: C:\Users\user\Desktop\sample2.exe Code function: 0_2_00592379 0_2_00592379
Source: C:\Users\user\Desktop\sample2.exe Code function: 0_2_04DE2DC8 0_2_04DE2DC8
Source: C:\Users\user\Desktop\sample2.exe Code function: 0_2_04DE45C0 0_2_04DE45C0
Source: C:\Users\user\Desktop\sample2.exe Code function: 0_2_04DE25E8 0_2_04DE25E8
Source: C:\Users\user\Desktop\sample2.exe Code function: 0_2_04DE0928 0_2_04DE0928
Source: C:\Users\user\Desktop\sample2.exe Code function: 0_2_04DE36D0 0_2_04DE36D0
Source: C:\Users\user\Desktop\sample2.exe Code function: 0_2_04DEAE18 0_2_04DEAE18
Source: C:\Users\user\Desktop\sample2.exe Code function: 0_2_04DE9A17 0_2_04DE9A17
Source: C:\Users\user\Desktop\sample2.exe Code function: 0_2_04DE9C90 0_2_04DE9C90
Source: C:\Users\user\Desktop\sample2.exe Code function: 0_2_04DE44BB 0_2_04DE44BB
Source: C:\Users\user\Desktop\sample2.exe Code function: 0_2_04DE9CA0 0_2_04DE9CA0
Source: C:\Users\user\Desktop\sample2.exe Code function: 0_2_04DE5C70 0_2_04DE5C70
Source: C:\Users\user\Desktop\sample2.exe Code function: 0_2_04DE5C60 0_2_04DE5C60
Source: C:\Users\user\Desktop\sample2.exe Code function: 0_2_04DE6410 0_2_04DE6410
Source: C:\Users\user\Desktop\sample2.exe Code function: 0_2_04DE6400 0_2_04DE6400
Source: C:\Users\user\Desktop\sample2.exe Code function: 0_2_04DE6838 0_2_04DE6838
Source: C:\Users\user\Desktop\sample2.exe Code function: 0_2_04DE2555 0_2_04DE2555
Source: C:\Users\user\Desktop\sample2.exe Code function: 0_2_04DEA2F8 0_2_04DEA2F8
Source: C:\Users\user\Desktop\sample2.exe Code function: 0_2_04DE5EF8 0_2_04DE5EF8
Source: C:\Users\user\Desktop\sample2.exe Code function: 0_2_04DEA2E7 0_2_04DEA2E7
Source: C:\Users\user\Desktop\sample2.exe Code function: 0_2_04DE1AE0 0_2_04DE1AE0
Source: C:\Users\user\Desktop\sample2.exe Code function: 0_2_04DE5298 0_2_04DE5298
Source: C:\Users\user\Desktop\sample2.exe Code function: 0_2_04DE5288 0_2_04DE5288
Source: C:\Users\user\Desktop\sample2.exe Code function: 0_2_04DE6678 0_2_04DE6678
Source: C:\Users\user\Desktop\sample2.exe Code function: 0_2_04DE6669 0_2_04DE6669
Source: C:\Users\user\Desktop\sample2.exe Code function: 0_2_04DE6230 0_2_04DE6230
Source: C:\Users\user\Desktop\sample2.exe Code function: 0_2_04DE6220 0_2_04DE6220
Source: C:\Users\user\Desktop\sample2.exe Code function: 0_2_04DEDFD0 0_2_04DEDFD0
Source: C:\Users\user\Desktop\sample2.exe Code function: 0_2_04DE33EF 0_2_04DE33EF
Source: C:\Users\user\Desktop\sample2.exe Code function: 0_2_04DECF50 0_2_04DECF50
Source: C:\Users\user\Desktop\sample2.exe Code function: 0_2_00593EF3 0_2_00593EF3
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_00EE2379 1_2_00EE2379
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_0592E110 1_2_0592E110
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_0592E940 1_2_0592E940
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_05920006 1_2_05920006
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_0592F770 1_2_0592F770
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_0592E100 1_2_0592E100
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_0592E8C0 1_2_0592E8C0
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_0592E930 1_2_0592E930
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_0592ED76 1_2_0592ED76
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_0592EDE3 1_2_0592EDE3
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_0592F760 1_2_0592F760
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_0592F0AA 1_2_0592F0AA
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06548AB0 1_2_06548AB0
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06540717 1_2_06540717
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06545F18 1_2_06545F18
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_065483B8 1_2_065483B8
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06541C6F 1_2_06541C6F
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06545080 1_2_06545080
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06544948 1_2_06544948
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06541E43 1_2_06541E43
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06542E07 1_2_06542E07
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_0654863A 1_2_0654863A
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_0654222D 1_2_0654222D
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_065422D5 1_2_065422D5
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06542EFA 1_2_06542EFA
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06541EEB 1_2_06541EEB
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06541E97 1_2_06541E97
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06547280 1_2_06547280
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06542281 1_2_06542281
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06543281 1_2_06543281
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06542EA3 1_2_06542EA3
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06548AAC 1_2_06548AAC
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06548AA9 1_2_06548AA9
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06542B4F 1_2_06542B4F
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06547378 1_2_06547378
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_0654236E 1_2_0654236E
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06542710 1_2_06542710
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06545F10 1_2_06545F10
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_0654331D 1_2_0654331D
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06541FD8 1_2_06541FD8
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_065423C2 1_2_065423C2
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06542BFD 1_2_06542BFD
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06542FED 1_2_06542FED
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06542F96 1_2_06542F96
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06541F84 1_2_06541F84
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06542BA6 1_2_06542BA6
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06542C54 1_2_06542C54
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06543044 1_2_06543044
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06545C43 1_2_06545C43
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_0654E848 1_2_0654E848
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06545070 1_2_06545070
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06542416 1_2_06542416
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06548017 1_2_06548017
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_0654202C 1_2_0654202C
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_065420D4 1_2_065420D4
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_065464D8 1_2_065464D8
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_065430F2 1_2_065430F2
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06541CF3 1_2_06541CF3
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_065428EF 1_2_065428EF
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06541C9F 1_2_06541C9F
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_0654309B 1_2_0654309B
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06542080 1_2_06542080
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_065424AF 1_2_065424AF
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06540717 1_2_06540717
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06542CAB 1_2_06542CAB
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06542D59 1_2_06542D59
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06541D47 1_2_06541D47
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06543149 1_2_06543149
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06542D02 1_2_06542D02
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06545102 1_2_06545102
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_0654393A 1_2_0654393A
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06542128 1_2_06542128
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_065479F8 1_2_065479F8
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_065431E5 1_2_065431E5
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_065479E7 1_2_065479E7
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06541DEF 1_2_06541DEF
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06541D9B 1_2_06541D9B
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_0654258F 1_2_0654258F
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06542188 1_2_06542188
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06542DB0 1_2_06542DB0
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_00EE3EF3 1_2_00EE3EF3
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 10_2_007C2379 10_2_007C2379
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 10_2_05010928 10_2_05010928
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 10_2_05012D88 10_2_05012D88
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 10_2_050145C0 10_2_050145C0
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 10_2_050125E8 10_2_050125E8
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 10_2_05019A17 10_2_05019A17
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 10_2_0501AE18 10_2_0501AE18
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 10_2_050136D0 10_2_050136D0
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 10_2_05015108 10_2_05015108
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 10_2_05012555 10_2_05012555
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 10_2_05014591 10_2_05014591
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 10_2_050125A1 10_2_050125A1
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 10_2_05012DC8 10_2_05012DC8
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 10_2_05016400 10_2_05016400
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 10_2_05016410 10_2_05016410
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 10_2_05016839 10_2_05016839
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 10_2_05015C60 10_2_05015C60
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 10_2_05015C70 10_2_05015C70
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 10_2_05019C90 10_2_05019C90
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 10_2_05019CA0 10_2_05019CA0
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 10_2_050144BB 10_2_050144BB
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 10_2_050154F2 10_2_050154F2
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 10_2_0501CF50 10_2_0501CF50
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 10_2_0501DFD0 10_2_0501DFD0
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 10_2_05016220 10_2_05016220
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 10_2_05016230 10_2_05016230
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 10_2_0501666A 10_2_0501666A
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 10_2_05016678 10_2_05016678
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 10_2_05015292 10_2_05015292
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 10_2_05015298 10_2_05015298
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 10_2_05011AE0 10_2_05011AE0
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 10_2_0501A2E7 10_2_0501A2E7
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 10_2_0501A2F8 10_2_0501A2F8
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 10_2_05015EF8 10_2_05015EF8
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 10_2_007C3EF3 10_2_007C3EF3
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_00AE2379 11_2_00AE2379
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A8AB8 11_2_062A8AB8
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A0717 11_2_062A0717
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A83C0 11_2_062A83C0
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A1C6F 11_2_062A1C6F
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A5088 11_2_062A5088
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A4950 11_2_062A4950
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A222D 11_2_062A222D
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A7A00 11_2_062A7A00
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A2E07 11_2_062A2E07
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A8642 11_2_062A8642
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A1E43 11_2_062A1E43
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A2EA3 11_2_062A2EA3
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A8AB4 11_2_062A8AB4
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A7288 11_2_062A7288
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A2281 11_2_062A2281
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A3281 11_2_062A3281
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A1E97 11_2_062A1E97
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A1EEB 11_2_062A1EEB
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A2EFA 11_2_062A2EFA
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A22D5 11_2_062A22D5
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A331D 11_2_062A331D
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A2710 11_2_062A2710
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A236E 11_2_062A236E
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A2B4F 11_2_062A2B4F
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A2BA6 11_2_062A2BA6
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A7380 11_2_062A7380
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A1F84 11_2_062A1F84
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A2F96 11_2_062A2F96
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A2FED 11_2_062A2FED
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A2BFD 11_2_062A2BFD
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A23C2 11_2_062A23C2
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A1FD8 11_2_062A1FD8
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A202C 11_2_062A202C
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A801F 11_2_062A801F
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A2416 11_2_062A2416
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A5078 11_2_062A5078
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A3044 11_2_062A3044
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062AE850 11_2_062AE850
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A2C54 11_2_062A2C54
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A2CAB 11_2_062A2CAB
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A24AF 11_2_062A24AF
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A2080 11_2_062A2080
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A309B 11_2_062A309B
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A1C9F 11_2_062A1C9F
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A28EF 11_2_062A28EF
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A64E0 11_2_062A64E0
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A30F2 11_2_062A30F2
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A1CF3 11_2_062A1CF3
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A20D4 11_2_062A20D4
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A2128 11_2_062A2128
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A393A 11_2_062A393A
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A493F 11_2_062A493F
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A510A 11_2_062A510A
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A2D02 11_2_062A2D02
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A3149 11_2_062A3149
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A1D47 11_2_062A1D47
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A2D59 11_2_062A2D59
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A2DB0 11_2_062A2DB0
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A2188 11_2_062A2188
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A258F 11_2_062A258F
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A1D9B 11_2_062A1D9B
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A1DEF 11_2_062A1DEF
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A79EF 11_2_062A79EF
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A31E5 11_2_062A31E5
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_00AE3EF3 11_2_00AE3EF3
Sample file is different than original file name gathered from version info
Source: sample2.exe Binary or memory string: OriginalFilename vs sample2.exe
Source: sample2.exe, 00000000.00000002.665736666.0000000006290000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDefender Protect.dllB vs sample2.exe
Source: sample2.exe, 00000000.00000000.641747188.0000000000592000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamezEzEVogzGVZLHnuzSL.exe> vs sample2.exe
Source: sample2.exe, 00000000.00000002.661861944.0000000003D5A000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameZDSzqrTJuDfzMqxLEyQzcgIBdWeNZukRqLeO.exe4 vs sample2.exe
Source: sample2.exe, 00000000.00000002.667266340.0000000006CA0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs sample2.exe
Source: sample2.exe, 00000000.00000002.658005987.0000000000DCA000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamemscorwks.dllT vs sample2.exe
Source: sample2.exe, 00000001.00000002.987673444.000000000044C000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameZDSzqrTJuDfzMqxLEyQzcgIBdWeNZukRqLeO.exe4 vs sample2.exe
Source: sample2.exe, 00000001.00000002.987712878.0000000000EE2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamezEzEVogzGVZLHnuzSL.exe> vs sample2.exe
Source: sample2.exe, 00000001.00000002.997574179.0000000005770000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs sample2.exe
Source: sample2.exe, 00000001.00000002.999576706.0000000006670000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs sample2.exe
Source: sample2.exe, 00000001.00000002.999762206.00000000066D0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshom.ocx.mui vs sample2.exe
Source: sample2.exe, 00000001.00000002.999470130.0000000006600000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshom.ocx vs sample2.exe
Source: sample2.exe, 00000001.00000002.997991959.0000000005A30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs sample2.exe
Source: sample2.exe Binary or memory string: OriginalFilenamezEzEVogzGVZLHnuzSL.exe> vs sample2.exe
Uses 32bit PE files
Source: sample2.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: sample2.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: nwama.exe.1.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 1.2.sample2.exe.400000.0.unpack, nhx.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.sample2.exe.400000.0.unpack, nhx.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 11.2.nwama.exe.400000.0.unpack, nhx.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.nwama.exe.400000.0.unpack, nhx.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 18.2.nwama.exe.400000.0.unpack, nhx.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 18.2.nwama.exe.400000.0.unpack, nhx.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@18/10@3/2
Source: C:\Users\user\Desktop\sample2.exe Code function: 0_2_06D1051A AdjustTokenPrivileges, 0_2_06D1051A
Source: C:\Users\user\Desktop\sample2.exe Code function: 0_2_06D104E3 AdjustTokenPrivileges, 0_2_06D104E3
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_0163B1E6 AdjustTokenPrivileges, 1_2_0163B1E6
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_0163B1AF AdjustTokenPrivileges, 1_2_0163B1AF
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 10_2_06A6051A AdjustTokenPrivileges, 10_2_06A6051A
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 10_2_06A604E3 AdjustTokenPrivileges, 10_2_06A604E3
Source: C:\Users\user\Desktop\sample2.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\sample2.exe.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5484:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4612:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Mutant created: \Sessions\1\BaseNamedObjects\KXEawVjqkPnOFR
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:900:120:WilError_01
Source: C:\Users\user\Desktop\sample2.exe File created: C:\Users\user\AppData\Local\Temp\nwama
Source: sample2.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\sample2.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\sample2.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\sample2.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\sample2.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\sample2.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\sample2.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\sample2.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: sample2.exe Metadefender: Detection: 25%
Source: sample2.exe ReversingLabs: Detection: 80%
Source: C:\Users\user\Desktop\sample2.exe File read: C:\Users\user\Desktop\sample2.exe
Source: unknown Process created: C:\Users\user\Desktop\sample2.exe 'C:\Users\user\Desktop\sample2.exe'
Source: unknown Process created: C:\Users\user\Desktop\sample2.exe {path}
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe 'C:\Users\user\AppData\Local\Temp\nwama\nwama.exe'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe {path}
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe 'C:\Users\user\AppData\Local\Temp\nwama\nwama.exe'
Source: unknown Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe {path}
Source: unknown Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\sample2.exe Process created: C:\Users\user\Desktop\sample2.exe {path}
Source: C:\Users\user\Desktop\sample2.exe Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Process created: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe {path}
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Process created: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe {path}
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: C:\Users\user\Desktop\sample2.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\sample2.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Users\user\Desktop\sample2.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: sample2.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\sample2.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: sample2.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Vendetta\source\repos\Defender Protect\Defender Protect\obj\Debug\Defender Protect.pdb source: sample2.exe, 00000000.00000002.665736666.0000000006290000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.720529552.0000000002F86000.00000004.00000001.sdmp, nwama.exe, 0000000F.00000002.736332738.00000000031A6000.00000004.00000001.sdmp
Source: Binary string: mscorrc.pdb source: sample2.exe, 00000000.00000002.667266340.0000000006CA0000.00000002.00000001.sdmp, sample2.exe, 00000001.00000002.999576706.0000000006670000.00000002.00000001.sdmp, nwama.exe, 0000000A.00000002.725183141.00000000069F0000.00000002.00000001.sdmp, nwama.exe, 0000000B.00000002.1000299165.0000000006510000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.740831894.0000000006B60000.00000002.00000001.sdmp, nwama.exe, 00000012.00000002.998659429.0000000005F50000.00000002.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: sample2.exe, ClassCore.cs .Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.sample2.exe.590000.0.unpack, ClassCore.cs .Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.sample2.exe.590000.0.unpack, ClassCore.cs .Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: nwama.exe.1.dr, ClassCore.cs .Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.sample2.exe.ee0000.0.unpack, ClassCore.cs .Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.sample2.exe.ee0000.1.unpack, ClassCore.cs .Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.nwama.exe.7c0000.0.unpack, ClassCore.cs .Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.2.nwama.exe.7c0000.0.unpack, ClassCore.cs .Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.nwama.exe.ae0000.1.unpack, ClassCore.cs .Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.0.nwama.exe.ae0000.0.unpack, ClassCore.cs .Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.2.nwama.exe.8d0000.0.unpack, ClassCore.cs .Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.0.nwama.exe.8d0000.0.unpack, ClassCore.cs .Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 18.2.nwama.exe.520000.1.unpack, ClassCore.cs .Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 18.0.nwama.exe.520000.0.unpack, ClassCore.cs .Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\sample2.exe Code function: 0_2_04DE8872 push cs; retf 0_2_04DE8873
Source: C:\Users\user\Desktop\sample2.exe Code function: 0_2_04DE8B24 push esp; retf 0_2_04DE8B25
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_0654B3E0 push es; retf 1_2_0654E60C
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06543E06 push es; ret 1_2_06543E08
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06548575 pushfd ; ret 1_2_0654857E
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 10_2_05018872 push cs; retf 10_2_05018873
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 10_2_05018B24 push esp; retf 10_2_05018B25
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062AB3E8 push es; retf 11_2_062AE630
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Code function: 11_2_062A857B pushfd ; ret 11_2_062A8586
Source: initial sample Static PE information: section name: .text entropy: 7.05584068406

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\sample2.exe File created: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe
Source: C:\Users\user\Desktop\sample2.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run nwama

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\sample2.exe File opened: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe File opened: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe:Zone.Identifier read attributes | delete
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\sample2.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\sample2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match File source: Process Memory Space: sample2.exe PID: 7104, type: MEMORY
Source: Yara match File source: Process Memory Space: nwama.exe PID: 6508, type: MEMORY
Source: Yara match File source: Process Memory Space: nwama.exe PID: 5848, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\sample2.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: sample2.exe, 00000000.00000002.659352287.0000000002CA1000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.720364250.0000000002E91000.00000004.00000001.sdmp, nwama.exe, 0000000F.00000002.736059252.00000000030B1000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: sample2.exe, 00000000.00000002.659352287.0000000002CA1000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.720364250.0000000002E91000.00000004.00000001.sdmp, nwama.exe, 0000000F.00000002.736059252.00000000030B1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\sample2.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\sample2.exe TID: 7132 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\sample2.exe TID: 6492 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\sample2.exe TID: 6760 Thread sleep count: 121 > 30
Source: C:\Users\user\Desktop\sample2.exe TID: 6760 Thread sleep time: -60500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe TID: 6676 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe TID: 6344 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe TID: 6796 Thread sleep count: 97 > 30
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe TID: 6796 Thread sleep time: -48500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe TID: 960 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe TID: 1320 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe TID: 4088 Thread sleep time: -49000s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\sample2.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\sample2.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\sample2.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\sample2.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Last function: Thread delayed
Source: nwama.exe, 0000000F.00000002.736059252.00000000030B1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II,SOFTWARE\Microsoft\Windows Defender\Features
Source: sample2.exe, 00000001.00000002.997991959.0000000005A30000.00000002.00000001.sdmp, nwama.exe, 0000000B.00000002.998682152.0000000005650000.00000002.00000001.sdmp, nwama.exe, 00000012.00000002.997538946.0000000005090000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: nwama.exe, 0000000F.00000002.736059252.00000000030B1000.00000004.00000001.sdmp Binary or memory string: vmware
Source: nwama.exe, 0000000F.00000002.736059252.00000000030B1000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: nwama.exe, 0000000F.00000002.736059252.00000000030B1000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: nwama.exe, 0000000B.00000002.989383094.0000000001282000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW2
Source: nwama.exe, 0000000F.00000002.736059252.00000000030B1000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: nwama.exe, 0000000F.00000002.736059252.00000000030B1000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: sample2.exe, 00000001.00000002.997991959.0000000005A30000.00000002.00000001.sdmp, nwama.exe, 0000000B.00000002.998682152.0000000005650000.00000002.00000001.sdmp, nwama.exe, 00000012.00000002.997538946.0000000005090000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: sample2.exe, 00000001.00000002.997991959.0000000005A30000.00000002.00000001.sdmp, nwama.exe, 0000000B.00000002.998682152.0000000005650000.00000002.00000001.sdmp, nwama.exe, 00000012.00000002.997538946.0000000005090000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: nwama.exe, 0000000F.00000002.736059252.00000000030B1000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: nwama.exe, 0000000F.00000002.736059252.00000000030B1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: nwama.exe, 0000000F.00000002.736059252.00000000030B1000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: nwama.exe, 0000000B.00000002.989659236.00000000012FD000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: sample2.exe, 00000001.00000002.997991959.0000000005A30000.00000002.00000001.sdmp, nwama.exe, 0000000B.00000002.998682152.0000000005650000.00000002.00000001.sdmp, nwama.exe, 00000012.00000002.997538946.0000000005090000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\sample2.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06540717 KiUserExceptionDispatcher,LdrInitializeThunk, 1_2_06540717
Enables debug privileges
Source: C:\Users\user\Desktop\sample2.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\sample2.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\sample2.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\sample2.exe Memory written: C:\Users\user\Desktop\sample2.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Memory written: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Memory written: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\sample2.exe Process created: C:\Users\user\Desktop\sample2.exe {path}
Source: C:\Users\user\Desktop\sample2.exe Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Process created: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe {path}
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Process created: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe {path}
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: sample2.exe, 00000001.00000002.989680308.0000000001DA0000.00000002.00000001.sdmp, nwama.exe, 0000000B.00000002.989872146.00000000017E0000.00000002.00000001.sdmp, nwama.exe, 00000012.00000002.989355954.0000000001260000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: sample2.exe, 00000001.00000002.989680308.0000000001DA0000.00000002.00000001.sdmp, nwama.exe, 0000000B.00000002.989872146.00000000017E0000.00000002.00000001.sdmp, nwama.exe, 00000012.00000002.989355954.0000000001260000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: sample2.exe, 00000001.00000002.989680308.0000000001DA0000.00000002.00000001.sdmp, nwama.exe, 0000000B.00000002.989872146.00000000017E0000.00000002.00000001.sdmp, nwama.exe, 00000012.00000002.989355954.0000000001260000.00000002.00000001.sdmp Binary or memory string: Progman
Source: sample2.exe, 00000001.00000002.989680308.0000000001DA0000.00000002.00000001.sdmp, nwama.exe, 0000000B.00000002.989872146.00000000017E0000.00000002.00000001.sdmp, nwama.exe, 00000012.00000002.989355954.0000000001260000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings (note: the only netsh invocation captured in this report is 'netsh wlan show profile', which enumerates saved WLAN profiles and does not change network or firewall settings; it is the same command listed under "Tries to harvest and steal WLAN passwords" below)
Source: unknown Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 00000012.00000002.991842162.0000000002D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.661861944.0000000003D5A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.991287271.0000000002C14000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.996705258.0000000003454000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.987520387.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.721770177.0000000003F4A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.987505021.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.996293991.0000000003865000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.992160350.0000000003704000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.987543673.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.737377613.000000000416B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.993193122.00000000032F8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: sample2.exe PID: 7104, type: MEMORY
Source: Yara match File source: Process Memory Space: sample2.exe PID: 5652, type: MEMORY
Source: Yara match File source: Process Memory Space: nwama.exe PID: 6508, type: MEMORY
Source: Yara match File source: Process Memory Space: nwama.exe PID: 6592, type: MEMORY
Source: Yara match File source: Process Memory Space: nwama.exe PID: 5848, type: MEMORY
Source: Yara match File source: Process Memory Space: nwama.exe PID: 7068, type: MEMORY
Source: Yara match File source: 1.2.sample2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.nwama.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.nwama.exe.400000.0.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\sample2.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal WLAN passwords (note: 'netsh wlan show profile' without a profile name only lists the names of the saved WLAN profiles; reading a stored key in cleartext requires a follow-up per-profile query with key=clear, which was not captured in this report)
Source: unknown Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: unknown Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: unknown Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: C:\Users\user\Desktop\sample2.exe Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\sample2.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Users\user\Desktop\sample2.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: sample2.exe PID: 5652, type: MEMORY
Source: Yara match File source: Process Memory Space: nwama.exe PID: 6592, type: MEMORY
Source: Yara match File source: Process Memory Space: nwama.exe PID: 7068, type: MEMORY
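The behaviour lines above (netsh wlan show profile spawned from a binary under AppData\Local\Temp, followed by reads of the WinSCP sessions key, Chrome Login Data/Cookies, Firefox and Thunderbird profiles.ini, FileZilla recentservers.xml, the SmartFTP favourites folder, the Outlook messaging-subsystem profile key and the IncrediMail identities key) form a detectable pattern. The following Python is an added example written for this page; it is not part of the Joe Sandbox report and not code from the sample. It assumes a simplified behaviour-event schema (pid, image, op, cmdline, parent_pid, parent_image, target) rather than any specific log format, and the embedded events are constructed to mirror the report's lines, with made-up PIDs and two benign control events (Chrome reading its own Login Data, an administrator running netsh from cmd.exe in System32) that must not fire.

```python
import re
from collections import defaultdict

# Credential stores the sample touched in this report, keyed by a short tag and
# matched as case-insensitive regexes on the full path / registry key.
CRED_STORES = {
    "winscp":      r"\\Martin Prikryl\\WinSCP 2\\Sessions$",
    "chrome":      r"\\Google\\Chrome\\User Data\\[^\\]+\\(Login Data|Cookies)$",
    "firefox":     r"\\Mozilla\\Firefox\\profiles\.ini$",
    "thunderbird": r"\\Thunderbird\\profiles\.ini$",
    "filezilla":   r"\\FileZilla\\recentservers\.xml$",
    "smartftp":    r"\\SmartFTP\\Client 2\.0\\Favorites\\",
    "outlook":     r"\\Windows Messaging Subsystem\\Profiles\\Outlook\\",
    "incredimail": r"\\IncrediMail\\Identities$",
}
_STORE_RE = [(tag, re.compile(rx, re.IGNORECASE)) for tag, rx in CRED_STORES.items()]

# Binaries that legitimately read those stores; anything else touching them is suspect.
LEGIT_OWNERS = {"chrome.exe", "firefox.exe", "thunderbird.exe", "winscp.exe",
                "filezilla.exe", "smartftp.exe", "outlook.exe"}

_NETSH_WLAN = re.compile(r"\bwlan\s+show\s+profile\b", re.IGNORECASE)
_USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Desktop|Downloads)\\", re.IGNORECASE)


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def match_store(target):
    """Return the credential-store tag a path or registry key belongs to, or None."""
    for tag, rx in _STORE_RE:
        if rx.search(target):
            return tag
    return None


def analyse(events):
    """Aggregate per-process evidence of AgentTesla-style credential harvesting.

    Event schema (assumed for this example): op is "process_create" (with image,
    cmdline, parent_pid, parent_image) or "file_open"/"key_open" (with pid, image,
    target).  Returns {pid: {"image", "stores", "wlan_enum", "score"}} for every
    process with evidence; score = distinct store families + 1 if it ran the
    WLAN profile enumeration from a user-writable location.
    """
    procs = defaultdict(lambda: {"image": "", "stores": set(), "wlan_enum": False})
    for ev in events:
        if ev["op"] == "process_create":
            # netsh wlan show profile is only interesting when its parent lives in a
            # user-writable directory (Desktop, AppData\Local\Temp, ...), as here.
            if (_base(ev["image"]) == "netsh.exe"
                    and _NETSH_WLAN.search(ev["cmdline"])
                    and _USER_WRITABLE.search(ev["parent_image"])):
                p = procs[ev["parent_pid"]]
                p["image"] = ev["parent_image"]
                p["wlan_enum"] = True
        elif ev["op"] in ("file_open", "key_open"):
            tag = match_store(ev["target"])
            if tag and _base(ev["image"]) not in LEGIT_OWNERS:
                p = procs[ev["pid"]]
                p["image"] = ev["image"]
                p["stores"].add(tag)
    for p in procs.values():
        p["score"] = len(p["stores"]) + (1 if p["wlan_enum"] else 0)
    return dict(procs)


def flagged(events, threshold=3):
    """PIDs whose score reaches the threshold (three store families, or WLAN plus two)."""
    return sorted(pid for pid, p in analyse(events).items() if p["score"] >= threshold)


# Constructed events mirroring the report's behaviour lines; PIDs are made up.
SAMPLE_EVENTS = [
    {"op": "process_create", "pid": 7068, "image": r"C:\Users\user\AppData\Local\Temp\nwama\nwama.exe",
     "cmdline": "nwama.exe", "parent_pid": 5848, "parent_image": r"C:\Users\user\AppData\Local\Temp\nwama\nwama.exe"},
    {"op": "process_create", "pid": 7200, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": "'netsh' wlan show profile", "parent_pid": 7068,
     "parent_image": r"C:\Users\user\AppData\Local\Temp\nwama\nwama.exe"},
    {"op": "key_open", "pid": 7068, "image": r"C:\Users\user\AppData\Local\Temp\nwama\nwama.exe",
     "target": r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"},
    {"op": "file_open", "pid": 7068, "image": r"C:\Users\user\AppData\Local\Temp\nwama\nwama.exe",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"op": "file_open", "pid": 7068, "image": r"C:\Users\user\AppData\Local\Temp\nwama\nwama.exe",
     "target": r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"},
    # Benign control: Chrome reading its own Login Data must not count.
    {"op": "file_open", "pid": 4100, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    # Benign control: an administrator running netsh from cmd.exe in System32.
    {"op": "process_create", "pid": 4300, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh wlan show profile", "parent_pid": 4200,
     "parent_image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for pid, p in analyse(SAMPLE_EVENTS).items():
        print(pid, p["image"], sorted(p["stores"]), "wlan_enum" if p["wlan_enum"] else "", "score", p["score"])
    print("flagged:", flagged(SAMPLE_EVENTS))
```

Run stand-alone it reports the nwama.exe process (made-up PID 7068) with three store families plus the WLAN enumeration, and flags nothing for the two benign controls. The owner allow-list and the user-writable-parent condition are what keep this from firing on a browser reading its own profile or on an administrator's netsh; in a real deployment both lists need tuning to the environment, and the threshold trades sensitivity against noise from backup agents and password managers that legitimately open several of these stores.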

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 00000012.00000002.991842162.0000000002D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.661861944.0000000003D5A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.991287271.0000000002C14000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.996705258.0000000003454000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.987520387.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.721770177.0000000003F4A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.987505021.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.996293991.0000000003865000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.992160350.0000000003704000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.987543673.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.737377613.000000000416B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.993193122.00000000032F8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: sample2.exe PID: 7104, type: MEMORY
Source: Yara match File source: Process Memory Space: sample2.exe PID: 5652, type: MEMORY
Source: Yara match File source: Process Memory Space: nwama.exe PID: 6508, type: MEMORY
Source: Yara match File source: Process Memory Space: nwama.exe PID: 6592, type: MEMORY
Source: Yara match File source: Process Memory Space: nwama.exe PID: 5848, type: MEMORY
Source: Yara match File source: Process Memory Space: nwama.exe PID: 7068, type: MEMORY
Source: Yara match File source: 1.2.sample2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.nwama.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.nwama.exe.400000.0.unpack, type: UNPACKEDPE
Behavior Graph ID: 339443  Sample: sample2.bin  Startdate: 14/01/2021  Architecture: WINDOWS  Score: 100

Top-level signatures: Found malware configuration; Antivirus / Scanner detection for submitted sample; Sigma detected: Capture Wi-Fi password; 9 other signatures

Process tree (recovered from the behavior graph):

sample2.exe
    dropped: C:\Users\user\AppData\...\sample2.exe.log (ASCII)
    signatures: Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Injects a PE file into a foreign processes
    sample2.exe (child)
        network: us2.smtp.mailhostbox.com 208.91.198.143 (PUBLIC-DOMAIN-REGISTRYUS, United States), ports 49760, 49761, 49767
        dropped: C:\Users\user\AppData\Local\...\nwama.exe (PE32); C:\Users\user\...\nwama.exe:Zone.Identifier (ASCII)
        signatures: Tries to harvest and steal WLAN passwords; Hides that the sample has been downloaded from the Internet (zone.identifier); Installs a global keyboard hook
        netsh.exe
            conhost.exe
nwama.exe
    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file
    nwama.exe (child)
        network: 192.168.2.1 (private)
        netsh.exe
            conhost.exe
nwama.exe
    nwama.exe (child)
        signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
        netsh.exe
            conhost.exe

Contacted Public IPs

IP               Domain    Country         ASN     ASN Name                   Malicious
208.91.198.143   unknown   United States   394695  PUBLIC-DOMAIN-REGISTRYUS   false

Private

IP
192.168.2.1

Contacted Domains

Name IP Active
us2.smtp.mailhostbox.com 208.91.198.143 true

Contacted URLs

Name                      Malicious   Antivirus Detection     Reputation
http://eu0j0ejPMgs9.com   true        Avira URL Cloud: safe   unknown