Analysis Report sample2.bin

Overview

General Information

Sample Name: sample2.bin (renamed file extension from bin to exe)
Analysis ID: 339443
MD5: b0f2d519ccae5bf1435264e0979770ce
SHA1: 212da7b3ed9c89d83941f6bb0dba889fa24f8f6a
SHA256: a4fdc26d6b70eaf0a62cca36286412901f48881eae616d38b96d8ae0cb0f29c7

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Installs a global keyboard hook
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name differs from the original file name found in the version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • sample2.exe (PID: 7104 cmdline: 'C:\Users\user\Desktop\sample2.exe' MD5: B0F2D519CCAE5BF1435264E0979770CE)
    • sample2.exe (PID: 5652 cmdline: {path} MD5: B0F2D519CCAE5BF1435264E0979770CE)
      • netsh.exe (PID: 2208 cmdline: 'netsh' wlan show profile MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 4612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • nwama.exe (PID: 6508 cmdline: 'C:\Users\user\AppData\Local\Temp\nwama\nwama.exe' MD5: B0F2D519CCAE5BF1435264E0979770CE)
    • nwama.exe (PID: 7068 cmdline: {path} MD5: B0F2D519CCAE5BF1435264E0979770CE)
      • netsh.exe (PID: 5780 cmdline: 'netsh' wlan show profile MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • nwama.exe (PID: 5848 cmdline: 'C:\Users\user\AppData\Local\Temp\nwama\nwama.exe' MD5: B0F2D519CCAE5BF1435264E0979770CE)
    • nwama.exe (PID: 6592 cmdline: {path} MD5: B0F2D519CCAE5BF1435264E0979770CE)
      • netsh.exe (PID: 5480 cmdline: 'netsh' wlan show profile MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 5484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "GILTzioSjfs2NDI", "URL: ": "http://eu0j0ejPMgs9.com", "To: ": "", "ByHost: ": "us2.smtp.mailhostbox.com:587", "Password: ": "6QRSH5w5UD", "From: ": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000012.00000002.991842162.0000000002D70000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.661861944.0000000003D5A000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000012.00000002.991287271.0000000002C14000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000B.00000002.996705258.0000000003454000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000001.00000002.987520387.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(5 of 19 entries shown)

Unpacked PEs

Source | Rule | Description | Author
1.2.sample2.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
18.2.nwama.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
11.2.nwama.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

System Summary:

Sigma detected: Capture Wi-Fi password
Source: Process started; Author: Joe Security; Data: Command: 'netsh' wlan show profile, CommandLine: 'netsh' wlan show profile, CommandLine|base64offset|contains: V, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: {path}, ParentImage: C:\Users\user\Desktop\sample2.exe, ParentProcessId: 5652, ProcessCommandLine: 'netsh' wlan show profile, ProcessId: 2208

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: sample2.exe; Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe; Avira: detection malicious, Label: TR/Kryptik.bkfmg
Found malware configuration
Source: sample2.exe.5652.1.memstr; Malware Configuration Extractor: Agenttesla {"Username: ": "GILTzioSjfs2NDI", "URL: ": "http://eu0j0ejPMgs9.com", "To: ": "", "ByHost: ": "us2.smtp.mailhostbox.com:587", "Password: ": "6QRSH5w5UD", "From: ": ""}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe; Metadefender: Detection: 25%
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe; ReversingLabs: Detection: 80%
Multi AV Scanner detection for submitted file
Source: sample2.exe; Metadefender: Detection: 25%
Source: sample2.exe; ReversingLabs: Detection: 80%
Source: 1.2.sample2.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: 18.2.nwama.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: 11.2.nwama.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: C:\Users\user\Desktop\sample2.exe; Code function: 1_2_05FF13C2 CryptUnprotectData
Source: C:\Users\user\Desktop\sample2.exe; Code function: 1_2_05FF1387 CryptUnprotectData
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe; Code function: 11_2_05C11066 CryptUnprotectData
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe; Code function: 11_2_05C1102B CryptUnprotectData
Source: sample2.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\sample2.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: sample2.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Vendetta\source\repos\Defender Protect\Defender Protect\obj\Debug\Defender Protect.pdb source: sample2.exe, 00000000.00000002.665736666.0000000006290000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.720529552.0000000002F86000.00000004.00000001.sdmp, nwama.exe, 0000000F.00000002.736332738.00000000031A6000.00000004.00000001.sdmp
Source: Binary string: mscorrc.pdb source: sample2.exe, 00000000.00000002.667266340.0000000006CA0000.00000002.00000001.sdmp, sample2.exe, 00000001.00000002.999576706.0000000006670000.00000002.00000001.sdmp, nwama.exe, 0000000A.00000002.725183141.00000000069F0000.00000002.00000001.sdmp, nwama.exe, 0000000B.00000002.1000299165.0000000006510000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.740831894.0000000006B60000.00000002.00000001.sdmp, nwama.exe, 00000012.00000002.998659429.0000000005F50000.00000002.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: http://eu0j0ejPMgs9.com
Source: global traffic; TCP traffic: 192.168.2.4:49760 -> 208.91.198.143:587
Source: Joe Sandbox View; IP Address: 208.91.198.143
Source: unknown; DNS traffic detected: queries for: us2.smtp.mailhostbox.com
Source: nwama.exe, 00000012.00000002.991463168.0000000002CAE000.00000004.00000001.sdmp, nwama.exe, 00000012.00000002.992391711.0000000002DDC000.00000004.00000001.sdmp; String found in binary or memory: http://eu0j0ejPMgs9.com
Source: sample2.exe, 00000001.00000003.724871830.00000000013B4000.00000004.00000001.sdmp; String found in binary or memory: http://eu0j0ejPMgs9.com3853321935-2125563209-4053062332-1002_Classes

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\sample2.exe; Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\sample2.exe
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe; Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\nwama\nwama.exe
Source: sample2.exe, 00000000.00000002.658005987.0000000000DCA000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\sample2.exe; Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe; Window created: window name: CLIPBRDWNDCLASS

System Summary:

.NET source code contains very large strings
Source: sample2.exe, ClassCore.cs; Long String: Length: 86015
Source: 0.2.sample2.exe.590000.0.unpack, ClassCore.cs; Long String: Length: 86015
Source: 0.0.sample2.exe.590000.0.unpack, ClassCore.cs; Long String: Length: 86015
Source: nwama.exe.1.dr, ClassCore.cs; Long String: Length: 86015
Source: 1.0.sample2.exe.ee0000.0.unpack, ClassCore.cs; Long String: Length: 86015
Source: 1.2.sample2.exe.ee0000.1.unpack, ClassCore.cs; Long String: Length: 86015
Source: 10.0.nwama.exe.7c0000.0.unpack, ClassCore.cs; Long String: Length: 86015
Source: 10.2.nwama.exe.7c0000.0.unpack, ClassCore.cs; Long String: Length: 86015
Source: 11.2.nwama.exe.ae0000.1.unpack, ClassCore.cs; Long String: Length: 86015
Source: 11.0.nwama.exe.ae0000.0.unpack, ClassCore.cs; Long String: Length: 86015
Source: 15.2.nwama.exe.8d0000.0.unpack, ClassCore.cs; Long String: Length: 86015
Source: 15.0.nwama.exe.8d0000.0.unpack, ClassCore.cs; Long String: Length: 86015
Source: 18.2.nwama.exe.520000.1.unpack, ClassCore.cs; Long String: Length: 86015
Source: 18.0.nwama.exe.520000.0.unpack, ClassCore.cs; Long String: Length: 86015
Source: C:\Users\user\Desktop\sample2.exe; Code function: 0_2_06D109DA NtQuerySystemInformation
Source: C:\Users\user\Desktop\sample2.exe; Code function: 0_2_06D1086A NtQueryInformationProcess
Source: C:\Users\user\Desktop\sample2.exe; Code function: 0_2_06D10848 NtQueryInformationProcess
Source: C:\Users\user\Desktop\sample2.exe; Code function: 0_2_06D1099F NtQuerySystemInformation
Source: C:\Users\user\Desktop\sample2.exe; Code function: 1_2_0163B362 NtQuerySystemInformation
Source: C:\Users\user\Desktop\sample2.exe; Code function: 1_2_0163B331 NtQuerySystemInformation
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe; Code function: 10_2_06A609DA NtQuerySystemInformation
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe; Code function: 10_2_06A6086A NtQueryInformationProcess
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe; Code function: 10_2_06A6099F NtQuerySystemInformation
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe; Code function: 10_2_06A60848 NtQueryInformationProcess
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_065450801_2_06545080
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_065449481_2_06544948
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06541E431_2_06541E43
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06542E071_2_06542E07
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_0654863A1_2_0654863A
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_0654222D1_2_0654222D
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_065422D51_2_065422D5
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06542EFA1_2_06542EFA
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06541EEB1_2_06541EEB
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06541E971_2_06541E97
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_065472801_2_06547280
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_065422811_2_06542281
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_065432811_2_06543281
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06542EA31_2_06542EA3
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06548AAC1_2_06548AAC
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06548AA91_2_06548AA9
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06542B4F1_2_06542B4F
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_065473781_2_06547378
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_0654236E1_2_0654236E
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_065427101_2_06542710
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06545F101_2_06545F10
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_0654331D1_2_0654331D
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06541FD81_2_06541FD8
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_065423C21_2_065423C2
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06542BFD1_2_06542BFD
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06542FED1_2_06542FED
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06542F961_2_06542F96
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06541F841_2_06541F84
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06542BA61_2_06542BA6
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06542C541_2_06542C54
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_065430441_2_06543044
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06545C431_2_06545C43
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_0654E8481_2_0654E848
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_065450701_2_06545070
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_065424161_2_06542416
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_065480171_2_06548017
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_0654202C1_2_0654202C
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_065420D41_2_065420D4
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_065464D81_2_065464D8
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_065430F21_2_065430F2
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06541CF31_2_06541CF3
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_065428EF1_2_065428EF
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06541C9F1_2_06541C9F
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_0654309B1_2_0654309B
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_065420801_2_06542080
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_065424AF1_2_065424AF
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_065407171_2_06540717
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06542CAB1_2_06542CAB
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06542D591_2_06542D59
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06541D471_2_06541D47
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_065431491_2_06543149
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06542D021_2_06542D02
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_065451021_2_06545102
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_0654393A1_2_0654393A
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_065421281_2_06542128
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_065479F81_2_065479F8
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_065431E51_2_065431E5
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_065479E71_2_065479E7
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06541DEF1_2_06541DEF
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06541D9B1_2_06541D9B
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_0654258F1_2_0654258F
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_065421881_2_06542188
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06542DB01_2_06542DB0
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_00EE3EF31_2_00EE3EF3
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 10_2_007C237910_2_007C2379
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 10_2_0501092810_2_05010928
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 10_2_05012D8810_2_05012D88
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 10_2_050145C010_2_050145C0
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 10_2_050125E810_2_050125E8
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 10_2_05019A1710_2_05019A17
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 10_2_0501AE1810_2_0501AE18
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 10_2_050136D010_2_050136D0
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 10_2_0501510810_2_05015108
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 10_2_0501255510_2_05012555
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 10_2_0501459110_2_05014591
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 10_2_050125A110_2_050125A1
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 10_2_05012DC810_2_05012DC8
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 10_2_0501640010_2_05016400
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 10_2_0501641010_2_05016410
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 10_2_0501683910_2_05016839
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 10_2_05015C6010_2_05015C60
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 10_2_05015C7010_2_05015C70
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 10_2_05019C9010_2_05019C90
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 10_2_05019CA010_2_05019CA0
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 10_2_050144BB10_2_050144BB
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 10_2_050154F210_2_050154F2
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 10_2_0501CF5010_2_0501CF50
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 10_2_0501DFD010_2_0501DFD0
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 10_2_0501622010_2_05016220
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 10_2_0501623010_2_05016230
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 10_2_0501666A10_2_0501666A
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 10_2_0501667810_2_05016678
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 10_2_0501529210_2_05015292
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 10_2_0501529810_2_05015298
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 10_2_05011AE010_2_05011AE0
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 10_2_0501A2E710_2_0501A2E7
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 10_2_0501A2F810_2_0501A2F8
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 10_2_05015EF810_2_05015EF8
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 10_2_007C3EF310_2_007C3EF3
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_00AE237911_2_00AE2379
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A8AB811_2_062A8AB8
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A071711_2_062A0717
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A83C011_2_062A83C0
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A1C6F11_2_062A1C6F
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A508811_2_062A5088
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A495011_2_062A4950
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A222D11_2_062A222D
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A7A0011_2_062A7A00
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A2E0711_2_062A2E07
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A864211_2_062A8642
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A1E4311_2_062A1E43
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A2EA311_2_062A2EA3
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A8AB411_2_062A8AB4
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A728811_2_062A7288
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A228111_2_062A2281
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A328111_2_062A3281
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A1E9711_2_062A1E97
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A1EEB11_2_062A1EEB
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A2EFA11_2_062A2EFA
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A22D511_2_062A22D5
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A331D11_2_062A331D
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A271011_2_062A2710
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A236E11_2_062A236E
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A2B4F11_2_062A2B4F
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A2BA611_2_062A2BA6
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A738011_2_062A7380
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A1F8411_2_062A1F84
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A2F9611_2_062A2F96
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A2FED11_2_062A2FED
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A2BFD11_2_062A2BFD
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A23C211_2_062A23C2
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A1FD811_2_062A1FD8
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A202C11_2_062A202C
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A801F11_2_062A801F
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A241611_2_062A2416
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A507811_2_062A5078
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A304411_2_062A3044
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062AE85011_2_062AE850
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A2C5411_2_062A2C54
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A2CAB11_2_062A2CAB
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A071711_2_062A0717
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A24AF11_2_062A24AF
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A208011_2_062A2080
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A309B11_2_062A309B
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A1C9F11_2_062A1C9F
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A28EF11_2_062A28EF
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A64E011_2_062A64E0
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A30F211_2_062A30F2
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A1CF311_2_062A1CF3
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A20D411_2_062A20D4
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A212811_2_062A2128
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A393A11_2_062A393A
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A493F11_2_062A493F
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A510A11_2_062A510A
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A2D0211_2_062A2D02
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A314911_2_062A3149
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A1D4711_2_062A1D47
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A2D5911_2_062A2D59
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A2DB011_2_062A2DB0
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A218811_2_062A2188
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A258F11_2_062A258F
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A1D9B11_2_062A1D9B
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A1DEF11_2_062A1DEF
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A79EF11_2_062A79EF
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_062A31E511_2_062A31E5
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 11_2_00AE3EF311_2_00AE3EF3
Source: sample2.exe Binary or memory string: OriginalFilename vs sample2.exe
Source: sample2.exe, 00000000.00000002.665736666.0000000006290000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDefender Protect.dllB vs sample2.exe
Source: sample2.exe, 00000000.00000000.641747188.0000000000592000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamezEzEVogzGVZLHnuzSL.exe> vs sample2.exe
Source: sample2.exe, 00000000.00000002.661861944.0000000003D5A000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameZDSzqrTJuDfzMqxLEyQzcgIBdWeNZukRqLeO.exe4 vs sample2.exe
Source: sample2.exe, 00000000.00000002.667266340.0000000006CA0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs sample2.exe
Source: sample2.exe, 00000000.00000002.658005987.0000000000DCA000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamemscorwks.dllT vs sample2.exe
Source: sample2.exe, 00000001.00000002.987673444.000000000044C000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameZDSzqrTJuDfzMqxLEyQzcgIBdWeNZukRqLeO.exe4 vs sample2.exe
Source: sample2.exe, 00000001.00000002.987712878.0000000000EE2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamezEzEVogzGVZLHnuzSL.exe> vs sample2.exe
Source: sample2.exe, 00000001.00000002.997574179.0000000005770000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs sample2.exe
Source: sample2.exe, 00000001.00000002.999576706.0000000006670000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs sample2.exe
Source: sample2.exe, 00000001.00000002.999762206.00000000066D0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshom.ocx.mui vs sample2.exe
Source: sample2.exe, 00000001.00000002.999470130.0000000006600000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshom.ocx vs sample2.exe
Source: sample2.exe, 00000001.00000002.997991959.0000000005A30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs sample2.exe
Source: sample2.exe Binary or memory string: OriginalFilenamezEzEVogzGVZLHnuzSL.exe> vs sample2.exe
                  Source: sample2.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                  Source: sample2.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: nwama.exe.1.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: 1.2.sample2.exe.400000.0.unpack, nhx.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 1.2.sample2.exe.400000.0.unpack, nhx.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                  Source: 11.2.nwama.exe.400000.0.unpack, nhx.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 11.2.nwama.exe.400000.0.unpack, nhx.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                  Source: 18.2.nwama.exe.400000.0.unpack, nhx.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 18.2.nwama.exe.400000.0.unpack, nhx.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                  Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@18/10@3/2
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 0_2_06D1051A AdjustTokenPrivileges,0_2_06D1051A
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 0_2_06D104E3 AdjustTokenPrivileges,0_2_06D104E3
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_0163B1E6 AdjustTokenPrivileges,1_2_0163B1E6
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_0163B1AF AdjustTokenPrivileges,1_2_0163B1AF
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 10_2_06A6051A AdjustTokenPrivileges,10_2_06A6051A
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeCode function: 10_2_06A604E3 AdjustTokenPrivileges,10_2_06A604E3
                  Source: C:\Users\user\Desktop\sample2.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\sample2.exe.logJump to behavior
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5484:120:WilError_01
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4612:120:WilError_01
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeMutant created: \Sessions\1\BaseNamedObjects\KXEawVjqkPnOFR
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:900:120:WilError_01
                  Source: C:\Users\user\Desktop\sample2.exeFile created: C:\Users\user\AppData\Local\Temp\nwamaJump to behavior
                  Source: sample2.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\sample2.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
                  Source: C:\Users\user\Desktop\sample2.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
                  Source: C:\Users\user\Desktop\sample2.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
                  Source: C:\Users\user\Desktop\sample2.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
                  Source: C:\Users\user\Desktop\sample2.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
                  Source: C:\Users\user\Desktop\sample2.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                  Source: C:\Users\user\Desktop\sample2.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\sample2.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\sample2.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\sample2.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: C:\Users\user\Desktop\sample2.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\Desktop\sample2.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: sample2.exeMetadefender: Detection: 25%
                  Source: sample2.exeReversingLabs: Detection: 80%
                  Source: C:\Users\user\Desktop\sample2.exe | File read: C:\Users\user\Desktop\sample2.exe
                  Source: unknown | Process created: C:\Users\user\Desktop\sample2.exe 'C:\Users\user\Desktop\sample2.exe'
                  Source: unknown | Process created: C:\Users\user\Desktop\sample2.exe {path}
                  Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe 'C:\Users\user\AppData\Local\Temp\nwama\nwama.exe'
                  Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe {path}
                  Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
                  Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\sample2.exe | Process created: C:\Users\user\Desktop\sample2.exe {path}
                  Source: C:\Users\user\Desktop\sample2.exe | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Process created: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe {path}
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
                  Source: C:\Users\user\Desktop\sample2.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                  Source: Window Recorder | Window detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\sample2.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
                  Source: C:\Users\user\Desktop\sample2.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: sample2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: C:\Users\user\Desktop\sample2.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
                  Source: sample2.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Source: Binary string: C:\Users\Vendetta\source\repos\Defender Protect\Defender Protect\obj\Debug\Defender Protect.pdb source: sample2.exe, 00000000.00000002.665736666.0000000006290000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.720529552.0000000002F86000.00000004.00000001.sdmp, nwama.exe, 0000000F.00000002.736332738.00000000031A6000.00000004.00000001.sdmp
                  Source: Binary string: mscorrc.pdb source: sample2.exe, 00000000.00000002.667266340.0000000006CA0000.00000002.00000001.sdmp, sample2.exe, 00000001.00000002.999576706.0000000006670000.00000002.00000001.sdmp, nwama.exe, 0000000A.00000002.725183141.00000000069F0000.00000002.00000001.sdmp, nwama.exe, 0000000B.00000002.1000299165.0000000006510000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.740831894.0000000006B60000.00000002.00000001.sdmp, nwama.exe, 00000012.00000002.998659429.0000000005F50000.00000002.00000001.sdmp

                  Data Obfuscation:

                  .NET source code contains potential unpacker
                  Source: sample2.exe, ClassCore.cs | .Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 0.2.sample2.exe.590000.0.unpack, ClassCore.cs | .Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 0.0.sample2.exe.590000.0.unpack, ClassCore.cs | .Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: nwama.exe.1.dr, ClassCore.cs | .Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 1.0.sample2.exe.ee0000.0.unpack, ClassCore.cs | .Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 1.2.sample2.exe.ee0000.1.unpack, ClassCore.cs | .Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 10.0.nwama.exe.7c0000.0.unpack, ClassCore.cs | .Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 10.2.nwama.exe.7c0000.0.unpack, ClassCore.cs | .Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 11.2.nwama.exe.ae0000.1.unpack, ClassCore.cs | .Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 11.0.nwama.exe.ae0000.0.unpack, ClassCore.cs | .Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 15.2.nwama.exe.8d0000.0.unpack, ClassCore.cs | .Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 15.0.nwama.exe.8d0000.0.unpack, ClassCore.cs | .Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 18.2.nwama.exe.520000.1.unpack, ClassCore.cs | .Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 18.0.nwama.exe.520000.0.unpack, ClassCore.cs | .Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: C:\Users\user\Desktop\sample2.exe | Code function: 0_2_04DE8872 push cs; retf 0_2_04DE8873
                  Source: C:\Users\user\Desktop\sample2.exe | Code function: 0_2_04DE8B24 push esp; retf 0_2_04DE8B25
                  Source: C:\Users\user\Desktop\sample2.exe | Code function: 1_2_0654B3E0 push es; retf 1_2_0654E60C
                  Source: C:\Users\user\Desktop\sample2.exe | Code function: 1_2_06543E06 push es; ret 1_2_06543E08
                  Source: C:\Users\user\Desktop\sample2.exe | Code function: 1_2_06548575 pushfd ; ret 1_2_0654857E
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 10_2_05018872 push cs; retf 10_2_05018873
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 10_2_05018B24 push esp; retf 10_2_05018B25
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062AB3E8 push es; retf 11_2_062AE630
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A857B pushfd ; ret 11_2_062A8586
                  Source: initial sample | Static PE information: section name: .text entropy: 7.05584068406
                  Source: C:\Users\user\Desktop\sample2.exe | File created: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe
                  Source: C:\Users\user\Desktop\sample2.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run nwama

                  Hooking and other Techniques for Hiding and Protection:

                  Hides that the sample has been downloaded from the Internet (zone.identifier)
                  Source: C:\Users\user\Desktop\sample2.exe | File opened: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe:Zone.Identifier read attributes | delete
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | File opened: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe:Zone.Identifier read attributes | delete