Edit tour

Windows Analysis Report
WggZw957eT.exe

Overview

General Information

Sample name:	WggZw957eT.exe renamed because original name is a hash value
Original sample name:	dac0dcb27faee13abe4f3a6ca8b8d157.exe
Analysis ID:	1434735
MD5:	dac0dcb27faee13abe4f3a6ca8b8d157
SHA1:	7a1681cec1309115e3ec2116664b0eae3cb81ef4
SHA256:	56f9b99e3802e1d339c450401d3e42374c4fd3cbcbdb35df136fe1e013aed9c9
Tags:	32Amadeyexetrojan
Infos:

Detection

Amadey

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Amadey

Yara detected Amadeys stealer DLL

Yara detected UAC Bypass using CMSTP

C2 URLs / IPs found in malware configuration

Found direct / indirect Syscall (likely to bypass EDR)

Found hidden mapped module (file has been removed from disk)

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Sample uses string decryption to hide its real strings

Uses netsh to modify the Windows network and firewall settings

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

One or more processes crash

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Queries keyboard layouts

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

WggZw957eT.exe (PID: 1196 cmdline: "C:\Users\user\Desktop\WggZw957eT.exe" MD5: DAC0DCB27FAEE13ABE4F3A6CA8B8D157)

netsh.exe (PID: 5488 cmdline: C:\Windows\SysWOW64\netsh.exe MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 1916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

explorer.exe (PID: 4260 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

WerFault.exe (PID: 2328 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 488 MD5: C31336C1EFC2CCB44B4326EA793040F2)

XoWatcher.exe (PID: 4412 cmdline: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe MD5: DAC0DCB27FAEE13ABE4F3A6CA8B8D157)

netsh.exe (PID: 2332 cmdline: C:\Windows\SysWOW64\netsh.exe MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 3284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

explorer.exe (PID: 4268 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

XoWatcher.exe (PID: 7064 cmdline: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe MD5: DAC0DCB27FAEE13ABE4F3A6CA8B8D157)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/ https://bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Malware Configuration

Threatname: Amadey

{"C2 url": "bestfitnessgymintheworld.com/8BvxwQdec3/index.php", "Version": "4.19"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
WggZw957eT.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Local\Temp\dqatklnkhkik	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
C:\Users\user\AppData\Local\Temp\ahsqcnrtkaiwv	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Memory Dumps

Source	Rule	Description	Author
0000000B.00000002.1817979458.0000000000171000.00000020.00000001.01000000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000000C.00000002.1805311134.0000000002E81000.00000020.00000001.01000000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000000B.00000002.1818871104.0000000004EFC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000006.00000002.1806775372.00000000051E5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000000.1415289609.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000006.00000002.1807110229.0000000005770000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000002.00000002.1710839057.0000000006250000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000002.1460790930.0000000005AF1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000002.00000002.1710460337.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.1456718573.0000000004B41000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Process Memory Space: WggZw957eT.exe PID: 1196	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: netsh.exe PID: 5488	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: netsh.exe PID: 2332	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: explorer.exe PID: 4260	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: explorer.exe PID: 4268	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.netsh.exe.5ca8378.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
2.2.netsh.exe.5ca8378.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dc8d:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1df19:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd18:$s1: CoGetObject 0x1dfa4:$s1: CoGetObject 0x1dc71:$s2: Elevation:Administrator!new: 0x1defd:$s2: Elevation:Administrator!new:
6.2.netsh.exe.522ff78.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
6.2.netsh.exe.522ff78.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d08d:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d319:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d118:$s1: CoGetObject 0x1d3a4:$s1: CoGetObject 0x1d071:$s2: Elevation:Administrator!new: 0x1d2fd:$s2: Elevation:Administrator!new:
2.2.netsh.exe.5ca8f78.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
2.2.netsh.exe.5ca8f78.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d08d:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d319:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d118:$s1: CoGetObject 0x1d3a4:$s1: CoGetObject 0x1d071:$s2: Elevation:Administrator!new: 0x1d2fd:$s2: Elevation:Administrator!new:
11.2.explorer.exe.4f46f78.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
11.2.explorer.exe.4f46f78.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d08d:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d319:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d118:$s1: CoGetObject 0x1d3a4:$s1: CoGetObject 0x1d071:$s2: Elevation:Administrator!new: 0x1d2fd:$s2: Elevation:Administrator!new:
2.2.netsh.exe.5c64a8a.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
2.2.netsh.exe.5c64a8a.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x6157b:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x61807:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x61606:$s1: CoGetObject 0x61892:$s1: CoGetObject 0x6155f:$s2: Elevation:Administrator!new: 0x617eb:$s2: Elevation:Administrator!new:
2.2.netsh.exe.62500c8.7.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.2.WggZw957eT.exe.5b3ca0e.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.WggZw957eT.exe.5b3ca0e.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d08d:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d319:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d118:$s1: CoGetObject 0x1d3a4:$s1: CoGetObject 0x1d071:$s2: Elevation:Administrator!new: 0x1d2fd:$s2: Elevation:Administrator!new:
2.2.netsh.exe.62500c8.7.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
6.2.netsh.exe.57700c8.7.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
12.2.explorer.exe.4fe5378.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
12.2.explorer.exe.4fe5378.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dc8d:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1df19:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd18:$s1: CoGetObject 0x1dfa4:$s1: CoGetObject 0x1dc71:$s2: Elevation:Administrator!new: 0x1defd:$s2: Elevation:Administrator!new:
6.2.netsh.exe.57700c8.7.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
11.2.explorer.exe.4f46378.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
11.2.explorer.exe.4f46378.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dc8d:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1df19:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd18:$s1: CoGetObject 0x1dfa4:$s1: CoGetObject 0x1dc71:$s2: Elevation:Administrator!new: 0x1defd:$s2: Elevation:Administrator!new:
12.2.explorer.exe.4fe5f78.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
12.2.explorer.exe.4fe5f78.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d08d:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d319:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d118:$s1: CoGetObject 0x1d3a4:$s1: CoGetObject 0x1d071:$s2: Elevation:Administrator!new: 0x1d2fd:$s2: Elevation:Administrator!new:
11.2.explorer.exe.4f02a8a.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
6.2.netsh.exe.522f378.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
11.2.explorer.exe.4f02a8a.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x6157b:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x61807:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x61606:$s1: CoGetObject 0x61892:$s1: CoGetObject 0x6155f:$s2: Elevation:Administrator!new: 0x617eb:$s2: Elevation:Administrator!new:
6.2.netsh.exe.522f378.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dc8d:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1df19:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd18:$s1: CoGetObject 0x1dfa4:$s1: CoGetObject 0x1dc71:$s2: Elevation:Administrator!new: 0x1defd:$s2: Elevation:Administrator!new:
0.2.WggZw957eT.exe.5b3be0e.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.WggZw957eT.exe.5b3be0e.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dc8d:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1df19:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd18:$s1: CoGetObject 0x1dfa4:$s1: CoGetObject 0x1dc71:$s2: Elevation:Administrator!new: 0x1defd:$s2: Elevation:Administrator!new:
0.2.WggZw957eT.exe.5af8520.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.WggZw957eT.exe.5af8520.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x6157b:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x61807:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x61606:$s1: CoGetObject 0x61892:$s1: CoGetObject 0x6155f:$s2: Elevation:Administrator!new: 0x617eb:$s2: Elevation:Administrator!new:
12.2.explorer.exe.4fa1a8a.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
12.2.explorer.exe.4fa1a8a.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x6157b:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x61807:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x61606:$s1: CoGetObject 0x61892:$s1: CoGetObject 0x6155f:$s2: Elevation:Administrator!new: 0x617eb:$s2: Elevation:Administrator!new:
6.2.netsh.exe.51eba8a.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
6.2.netsh.exe.51eba8a.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x6157b:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x61807:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x61606:$s1: CoGetObject 0x61892:$s1: CoGetObject 0x6155f:$s2: Elevation:Administrator!new: 0x617eb:$s2: Elevation:Administrator!new:
0.0.WggZw957eT.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Click to see the 30 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\ahsqcnrtkaiwv	Avira: detection malicious, Label: HEUR/AGEN.1319380
Source: C:\Users\user\AppData\Local\Temp\dqatklnkhkik	Avira: detection malicious, Label: HEUR/AGEN.1319380

Found malware configuration

Source: 6.2.netsh.exe.57700c8.7.raw.unpack

Malware Configuration Extractor: Amadey {"C2 url": "bestfitnessgymintheworld.com/8BvxwQdec3/index.php", "Version": "4.19"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Virustotal: Detection: 59%			Perma Link

Multi AV Scanner detection for submitted file

Source: WggZw957eT.exe	ReversingLabs: Detection: 50%
Source: WggZw957eT.exe	Virustotal: Detection: 59%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\ahsqcnrtkaiwv	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\dqatklnkhkik	Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: bestfitnessgymintheworld.com
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: /8BvxwQdec3/index.php
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: S-%lu-
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: 2043a89613
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: Dctooux.exe
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: Startup
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: cmd /C RMDIR /s/q
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: rundll32
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: Programs
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: %USERPROFILE%
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: cred.dll\|clip.dll\|
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: http://
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: https://
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: /Plugins/
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: &unit=
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: shell32.dll
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: kernel32.dll
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: GetNativeSystemInfo
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: ProgramData\
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: AVAST Software
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: Kaspersky Lab
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: Panda Security
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: Doctor Web
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: 360TotalSecurity
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: Bitdefender
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: Norton
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: Sophos
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: Comodo
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: WinDefender
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: 0123456789
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: ------
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: ?scr=1
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: ComputerName
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: -unicode-
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: VideoID
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: DefaultSettings.XResolution
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: DefaultSettings.YResolution
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: ProductName
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: CurrentBuild
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: rundll32.exe
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: "taskkill /f /im "
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: " && timeout 1 && del
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: && Exit"
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: " && ren
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: Powershell.exe
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: -executionpolicy remotesigned -File "
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: shutdown -s -t 0
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: random
Source: 6.2.netsh.exe.57700c8.7.raw.unpack	String decryptor: hC{p`-6

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 2.2.netsh.exe.5ca8378.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.netsh.exe.522ff78.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.netsh.exe.5ca8f78.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.explorer.exe.4f46f78.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.netsh.exe.5c64a8a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WggZw957eT.exe.5b3ca0e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.explorer.exe.4fe5378.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.explorer.exe.4f46378.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.explorer.exe.4fe5f78.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.explorer.exe.4f02a8a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.netsh.exe.522f378.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WggZw957eT.exe.5b3be0e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.WggZw957eT.exe.5af8520.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.explorer.exe.4fa1a8a.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.netsh.exe.51eba8a.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1818871104.0000000004EFC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1806775372.00000000051E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1460790930.0000000005AF1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1710460337.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: WggZw957eT.exe PID: 1196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: netsh.exe PID: 5488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: netsh.exe PID: 2332, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 4260, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 4268, type: MEMORYSTR

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\WggZw957eT.exe

Unpacked PE file: 0.2.WggZw957eT.exe.400000.0.unpack

Source: WggZw957eT.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source:	Binary string: wntdll.pdbUGP source: WggZw957eT.exe, 00000000.00000002.1462755083.0000000006320000.00000004.00000800.00020000.00000000.sdmp, WggZw957eT.exe, 00000000.00000002.1459562690.0000000005646000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710317534.00000000058BA000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710611158.0000000005D40000.00000004.00001000.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806882908.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806602191.0000000004E36000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1818670198.0000000004B52000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1819011508.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1806409348.0000000005070000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1805919560.0000000004BF7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: WggZw957eT.exe, 00000000.00000002.1462755083.0000000006320000.00000004.00000800.00020000.00000000.sdmp, WggZw957eT.exe, 00000000.00000002.1459562690.0000000005646000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710317534.00000000058BA000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710611158.0000000005D40000.00000004.00001000.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806882908.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806602191.0000000004E36000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1818670198.0000000004B52000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1819011508.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1806409348.0000000005070000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1805919560.0000000004BF7000.00000004.00000020.00020000.00000000.sdmp

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: bestfitnessgymintheworld.com/8BvxwQdec3/index.php

Source: WggZw957eT.exe, 00000000.00000002.1460790930.0000000005AF1000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710460337.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806775372.00000000051E5000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1818871104.0000000004EFC000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: WggZw957eT.exe, 00000000.00000002.1460790930.0000000005AF1000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710460337.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806775372.00000000051E5000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1818871104.0000000004EFC000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: WggZw957eT.exe, 00000000.00000002.1460790930.0000000005AF1000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710460337.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806775372.00000000051E5000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1818871104.0000000004EFC000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: WggZw957eT.exe, 00000000.00000002.1460790930.0000000005AF1000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710460337.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806775372.00000000051E5000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1818871104.0000000004EFC000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: WggZw957eT.exe, XoWatcher.exe.2.dr	String found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
Source: WggZw957eT.exe, XoWatcher.exe.2.dr	String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0Q
Source: WggZw957eT.exe, 00000000.00000002.1460790930.0000000005AF1000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710460337.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806775372.00000000051E5000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1818871104.0000000004EFC000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: WggZw957eT.exe, 00000000.00000002.1460790930.0000000005AF1000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710460337.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806775372.00000000051E5000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1818871104.0000000004EFC000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: WggZw957eT.exe, 00000000.00000002.1460790930.0000000005AF1000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710460337.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806775372.00000000051E5000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1818871104.0000000004EFC000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: WggZw957eT.exe, 00000000.00000002.1460790930.0000000005AF1000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710460337.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806775372.00000000051E5000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1818871104.0000000004EFC000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: WggZw957eT.exe, 00000000.00000002.1460790930.0000000005AF1000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710460337.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806775372.00000000051E5000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1818871104.0000000004EFC000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: WggZw957eT.exe, 00000000.00000002.1460790930.0000000005AF1000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710460337.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806775372.00000000051E5000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1818871104.0000000004EFC000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: WggZw957eT.exe, 00000000.00000002.1460790930.0000000005AF1000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710460337.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806775372.00000000051E5000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1818871104.0000000004EFC000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: WggZw957eT.exe, 00000000.00000002.1460790930.0000000005AF1000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710460337.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806775372.00000000051E5000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1818871104.0000000004EFC000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: WggZw957eT.exe, 00000000.00000002.1460790930.0000000005AF1000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710460337.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806775372.00000000051E5000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1818871104.0000000004EFC000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: WggZw957eT.exe, 00000000.00000002.1460790930.0000000005AF1000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710460337.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806775372.00000000051E5000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1818871104.0000000004EFC000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: WggZw957eT.exe, XoWatcher.exe.2.dr	String found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
Source: WggZw957eT.exe, XoWatcher.exe.2.dr	String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0
Source: WggZw957eT.exe, XoWatcher.exe.2.dr	String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: WggZw957eT.exe, 00000000.00000002.1460790930.0000000005AF1000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710460337.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806775372.00000000051E5000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1818871104.0000000004EFC000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: WggZw957eT.exe, 00000000.00000002.1460790930.0000000005AF1000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710460337.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806775372.00000000051E5000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1818871104.0000000004EFC000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: WggZw957eT.exe, 00000000.00000002.1460790930.0000000005AF1000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710460337.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806775372.00000000051E5000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1818871104.0000000004EFC000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: WggZw957eT.exe, 00000000.00000002.1460790930.0000000005AF1000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710460337.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806775372.00000000051E5000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1818871104.0000000004EFC000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: WggZw957eT.exe, XoWatcher.exe.2.dr	String found in binary or memory: http://ocsps.ssl.com0
Source: WggZw957eT.exe, XoWatcher.exe.2.dr	String found in binary or memory: http://ocsps.ssl.com0?
Source: WggZw957eT.exe, 00000000.00000002.1460790930.0000000005AF1000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710460337.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806775372.00000000051E5000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1818871104.0000000004EFC000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: WggZw957eT.exe, 00000000.00000002.1460790930.0000000005AF1000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710460337.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806775372.00000000051E5000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1818871104.0000000004EFC000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: netsh.exe, 00000002.00000002.1709871097.00000000037C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: WggZw957eT.exe, XoWatcher.exe.2.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: WggZw957eT.exe, 00000000.00000002.1460790930.0000000005AF1000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710460337.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806775372.00000000051E5000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1818871104.0000000004EFC000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: WggZw957eT.exe, 00000000.00000002.1460790930.0000000005AF1000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710460337.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806775372.00000000051E5000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1818871104.0000000004EFC000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: WggZw957eT.exe, 00000000.00000002.1460790930.0000000005AF1000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710460337.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806775372.00000000051E5000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1818871104.0000000004EFC000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: Amcache.hve.15.dr	String found in binary or memory: http://upx.sf.net
Source: XoWatcher.exe.2.dr	String found in binary or memory: http://www.aignes.com
Source: WggZw957eT.exe, XoWatcher.exe.2.dr	String found in binary or memory: http://www.aignes.com/helpd/bugreport.htmU
Source: WggZw957eT.exe, XoWatcher.exe.2.dr	String found in binary or memory: http://www.aignes.comU
Source: WggZw957eT.exe, XoWatcher.exe.2.dr	String found in binary or memory: http://www.aignes.comopen
Source: WggZw957eT.exe, 00000000.00000002.1460790930.0000000005AF1000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710460337.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806775372.00000000051E5000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1818871104.0000000004EFC000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: WggZw957eT.exe, 00000000.00000002.1460790930.00000000058F1000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710460337.0000000005C15000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806775372.000000000519C000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, explorer.exe, 0000000B.00000002.1818871104.0000000004EB3000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1806222806.0000000004F52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: WggZw957eT.exe, XoWatcher.exe.2.dr	String found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
Source: WggZw957eT.exe, 00000000.00000002.1460790930.0000000005AF1000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710460337.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806775372.00000000051E5000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1818871104.0000000004EFC000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: WggZw957eT.exe, 00000000.00000002.1460790930.0000000005AF1000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710460337.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806775372.00000000051E5000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1818871104.0000000004EFC000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: WggZw957eT.exe, 00000000.00000002.1460790930.0000000005AF1000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710460337.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806775372.00000000051E5000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1818871104.0000000004EFC000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0
Source: WggZw957eT.exe, 00000000.00000002.1460790930.0000000005AF1000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710460337.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806775372.00000000051E5000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1818871104.0000000004EFC000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0/
Source: WggZw957eT.exe, 00000000.00000002.1460790930.0000000005AF1000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710460337.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806775372.00000000051E5000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1818871104.0000000004EFC000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: WggZw957eT.exe, 00000000.00000002.1460790930.0000000005AF1000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710460337.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806775372.00000000051E5000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1818871104.0000000004EFC000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: WggZw957eT.exe, 00000000.00000002.1460790930.0000000005AF1000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710460337.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806775372.00000000051E5000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1818871104.0000000004EFC000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: WggZw957eT.exe, XoWatcher.exe.2.dr	String found in binary or memory: https://www.ssl.com/repository0

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.netsh.exe.5ca8378.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.netsh.exe.522ff78.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.netsh.exe.5ca8f78.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 11.2.explorer.exe.4f46f78.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.netsh.exe.5c64a8a.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.WggZw957eT.exe.5b3ca0e.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.explorer.exe.4fe5378.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 11.2.explorer.exe.4f46378.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.explorer.exe.4fe5f78.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 11.2.explorer.exe.4f02a8a.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.netsh.exe.522f378.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.WggZw957eT.exe.5b3be0e.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.WggZw957eT.exe.5af8520.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.explorer.exe.4fa1a8a.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.netsh.exe.51eba8a.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen

Source: C:\Windows\SysWOW64\netsh.exe

File created: C:\Windows\Tasks\SecurityComv4.job

Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04ED20A2	11_2_04ED20A2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04ED1C92	11_2_04ED1C92
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04EBC982	11_2_04EBC982
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04EE8923	11_2_04EE8923
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04EDF62A	11_2_04EDF62A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04ED5BB2	11_2_04ED5BB2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04EBF792	11_2_04EBF792
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04ED3B42	11_2_04ED3B42
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04ED79B2	11_2_04ED79B2

Source: C:\Windows\SysWOW64\explorer.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 488

Source: WggZw957eT.exe

Static PE information: invalid certificate

Source: WggZw957eT.exe, 00000000.00000002.1455401698.0000000002ACB000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamecomctl32.DLL.MUIj% vs WggZw957eT.exe
Source: WggZw957eT.exe, 00000000.00000002.1459562690.0000000005769000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs WggZw957eT.exe
Source: WggZw957eT.exe, 00000000.00000002.1460790930.0000000005AF1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamezip.exe( vs WggZw957eT.exe
Source: WggZw957eT.exe, 00000000.00000002.1462755083.000000000644D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs WggZw957eT.exe

Source: WggZw957eT.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: 2.2.netsh.exe.5ca8378.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.netsh.exe.522ff78.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.netsh.exe.5ca8f78.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 11.2.explorer.exe.4f46f78.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.netsh.exe.5c64a8a.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.WggZw957eT.exe.5b3ca0e.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.explorer.exe.4fe5378.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 11.2.explorer.exe.4f46378.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.explorer.exe.4fe5f78.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 11.2.explorer.exe.4f02a8a.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.netsh.exe.522f378.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.WggZw957eT.exe.5b3be0e.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.WggZw957eT.exe.5af8520.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.explorer.exe.4fa1a8a.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.netsh.exe.51eba8a.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@14/14@0/0

Source: C:\Windows\SysWOW64\netsh.exe

File created: C:\Users\user\AppData\Roaming\Wmx_Launch_x64

Jump to behavior

Source: C:\Users\user\Desktop\WggZw957eT.exe	Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$4ac
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4260
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1916:120:WilError_03
Source: C:\Users\user\Desktop\WggZw957eT.exe	Mutant created: \Sessions\1\BaseNamedObjects\HookTThread$4ac
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$1b98
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$113c
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Mutant created: \Sessions\1\BaseNamedObjects\HookTThread$113c
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Mutant created: \Sessions\1\BaseNamedObjects\amstart-portable-start-menuC
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3284:120:WilError_03

Source: C:\Users\user\Desktop\WggZw957eT.exe

File created: C:\Users\user\AppData\Local\Temp\WggZw957eT.madExcept

Jump to behavior

Source: Yara match	File source: WggZw957eT.exe, type: SAMPLE
Source: Yara match	File source: 0.0.WggZw957eT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1415289609.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1456718573.0000000004B41000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe, type: DROPPED

Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior

Source: C:\Users\user\Desktop\WggZw957eT.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\WggZw957eT.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\Desktop\WggZw957eT.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: WggZw957eT.exe	ReversingLabs: Detection: 50%
Source: WggZw957eT.exe	Virustotal: Detection: 59%

Source: explorer.exe	String found in binary or memory: wild-stop-dirs
Source: explorer.exe	String found in binary or memory: more-help
Source: WggZw957eT.exe	String found in binary or memory: 250-STARTTLS
Source: WggZw957eT.exe	String found in binary or memory: <html><head><META http-equiv=Content-Type content="text/html; charset=utf-8"></head><body><!--StartFragment-->
Source: WggZw957eT.exe	String found in binary or memory: n<html><head><META http-equiv=Content-Type content="text/html; charset=utf-8"></head><body><!--StartFragment-->
Source: WggZw957eT.exe	String found in binary or memory: XAt least one installed file seems to be corrupted, please reinstall Portable-Start-Menu!
Source: WggZw957eT.exe	String found in binary or memory: amstart-portable-start-menu

Source: C:\Users\user\Desktop\WggZw957eT.exe

File read: C:\Users\user\Desktop\WggZw957eT.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\WggZw957eT.exe "C:\Users\user\Desktop\WggZw957eT.exe"
Source: C:\Users\user\Desktop\WggZw957eT.exe	Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 488
Source: C:\Users\user\Desktop\WggZw957eT.exe	Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior

Source: C:\Users\user\Desktop\WggZw957eT.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WggZw957eT.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\WggZw957eT.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\WggZw957eT.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\WggZw957eT.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\WggZw957eT.exe	Section loaded: faultrep.dll	Jump to behavior
Source: C:\Users\user\Desktop\WggZw957eT.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WggZw957eT.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\WggZw957eT.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\WggZw957eT.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\WggZw957eT.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\WggZw957eT.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\WggZw957eT.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\WggZw957eT.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\WggZw957eT.exe	Section loaded: olepro32.dll	Jump to behavior
Source: C:\Users\user\Desktop\WggZw957eT.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\WggZw957eT.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WggZw957eT.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\WggZw957eT.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\Desktop\WggZw957eT.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\WggZw957eT.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\WggZw957eT.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\WggZw957eT.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WggZw957eT.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Section loaded: faultrep.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Section loaded: olepro32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Section loaded: faultrep.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Section loaded: olepro32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: shdocvw.dll	Jump to behavior

Source: C:\Users\user\Desktop\WggZw957eT.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: WggZw957eT.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: WggZw957eT.exe

Static file information: File size 5892944 > 1048576

Source: WggZw957eT.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x35ae00
Source: WggZw957eT.exe	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x22f200

Source: WggZw957eT.exe

Static PE information: More than 200 imports for user32.dll

Source:	Binary string: wntdll.pdbUGP source: WggZw957eT.exe, 00000000.00000002.1462755083.0000000006320000.00000004.00000800.00020000.00000000.sdmp, WggZw957eT.exe, 00000000.00000002.1459562690.0000000005646000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710317534.00000000058BA000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710611158.0000000005D40000.00000004.00001000.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806882908.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806602191.0000000004E36000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1818670198.0000000004B52000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1819011508.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1806409348.0000000005070000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1805919560.0000000004BF7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: WggZw957eT.exe, 00000000.00000002.1462755083.0000000006320000.00000004.00000800.00020000.00000000.sdmp, WggZw957eT.exe, 00000000.00000002.1459562690.0000000005646000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710317534.00000000058BA000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710611158.0000000005D40000.00000004.00001000.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806882908.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806602191.0000000004E36000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1818670198.0000000004B52000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1819011508.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1806409348.0000000005070000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1805919560.0000000004BF7000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\WggZw957eT.exe

Unpacked PE file: 0.2.WggZw957eT.exe.400000.0.unpack

Source: WggZw957eT.exe	Static PE information: section name: .didata
Source: XoWatcher.exe.2.dr	Static PE information: section name: .didata
Source: ahsqcnrtkaiwv.2.dr	Static PE information: section name: brua
Source: dqatklnkhkik.6.dr	Static PE information: section name: brua

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 11_2_04EDACB2 push eax; ret

11_2_04EDACE0

Source: C:\Windows\SysWOW64\netsh.exe	File created: C:\Users\user\AppData\Local\Temp\dqatklnkhkik	Jump to dropped file
Source: C:\Windows\SysWOW64\netsh.exe	File created: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\netsh.exe	File created: C:\Users\user\AppData\Local\Temp\ahsqcnrtkaiwv	Jump to dropped file

Source: C:\Windows\SysWOW64\netsh.exe	File created: C:\Users\user\AppData\Local\Temp\ahsqcnrtkaiwv			Jump to dropped file
Source: C:\Windows\SysWOW64\netsh.exe	File created: C:\Users\user\AppData\Local\Temp\dqatklnkhkik			Jump to dropped file

Source: C:\Windows\SysWOW64\netsh.exe

File created: C:\Windows\Tasks\SecurityComv4.job

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Windows\SysWOW64\netsh.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\AHSQCNRTKAIWV
Source: C:\Windows\SysWOW64\netsh.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\DQATKLNKHKIK

Source: C:\Users\user\Desktop\WggZw957eT.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WggZw957eT.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WggZw957eT.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\netsh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dqatklnkhkik			Jump to dropped file
Source: C:\Windows\SysWOW64\netsh.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ahsqcnrtkaiwv			Jump to dropped file

Source: C:\Users\user\Desktop\WggZw957eT.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809	Jump to behavior
Source: C:\Users\user\Desktop\WggZw957eT.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809	Jump to behavior

Source: Amcache.hve.15.dr	Binary or memory string: VMware
Source: Amcache.hve.15.dr	Binary or memory string: VMware Virtual USB Mouse
Source: explorer.exe, 0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0
Source: Amcache.hve.15.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.15.dr	Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.15.dr	Binary or memory string: VMware, Inc.
Source: explorer.exe, 0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1!0
Source: Amcache.hve.15.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.15.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.15.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.15.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: explorer.exe, 0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0/
Source: Amcache.hve.15.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: explorer.exe, 0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1
Source: explorer.exe, 0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.0
Source: netsh.exe, 00000006.00000002.1805766913.000000000085A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllj
Source: Amcache.hve.15.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.15.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.15.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: netsh.exe, 00000002.00000002.1709871097.000000000378A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.15.dr	Binary or memory string: vmci.sys
Source: explorer.exe, 0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noreply@vmware.com0
Source: Amcache.hve.15.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.15.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.15.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.15.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.15.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.15.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.15.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.15.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.15.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.15.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.15.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.15.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.15.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.15.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.15.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\WggZw957eT.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 11_2_04EB5692 mov eax, dword ptr fs:[00000030h]

11_2_04EB5692

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\WggZw957eT.exe	NtProtectVirtualMemory: Direct from: 0x6CF8D096	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	NtProtectVirtualMemory: Direct from: 0x6CF930E5	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	NtSetInformationThread: Direct from: 0x6DCECF	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	NtQuerySystemInformation: Direct from: 0x558855	Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\SysWOW64\netsh.exe	Memory written: PID: 4260 base: 2BF0000 value: 00	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Memory written: PID: 4260 base: 2D4C2D8 value: 00	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Memory written: PID: 4260 base: 2D4D1E8 value: 00	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Memory written: PID: 4260 base: 8179C0 value: 55	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Memory written: PID: 4260 base: 2D4D008 value: 00	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Memory written: PID: 4260 base: 170000 value: 00	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Memory written: PID: 4268 base: 2BF0000 value: 00	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Memory written: PID: 4268 base: 2D292D8 value: 00	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Memory written: PID: 4268 base: 2D2A1E8 value: 00	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Memory written: PID: 4268 base: 8179C0 value: 55	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Memory written: PID: 4268 base: 2D2A008 value: 00	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Memory written: PID: 4268 base: 2E80000 value: 00	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\WggZw957eT.exe	Section loaded: NULL target: C:\Windows\SysWOW64\netsh.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: NULL target: C:\Windows\SysWOW64\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Section loaded: NULL target: C:\Windows\SysWOW64\netsh.exe protection: read write	Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\netsh.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 8179C0	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 2D4D008	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 170000	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 8179C0	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 2D2A008	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 2E80000	Jump to behavior

Source: C:\Users\user\Desktop\WggZw957eT.exe	Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior

Source: WggZw957eT.exe, XoWatcher.exe.2.dr

Binary or memory string: Shell_TrayWndSV

Source: C:\Users\user\Desktop\WggZw957eT.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\9e2366f7 VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\a391ff10 VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Uses netsh to modify the Windows network and firewall settings

Source: C:\Users\user\Desktop\WggZw957eT.exe

Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe

Source: Amcache.hve.15.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.15.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.15.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.15.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.15.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Amadey

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 2.2.netsh.exe.62500c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.netsh.exe.62500c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.netsh.exe.57700c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.netsh.exe.57700c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1817979458.0000000000171000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1805311134.0000000002E81000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1807110229.0000000005770000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1710839057.0000000006250000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\dqatklnkhkik, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\ahsqcnrtkaiwv, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	312 Process Injection	21 Masquerading	OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	11 DLL Side-Loading	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Abuse Elevation Control Mechanism	1 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	11 DLL Side-Loading	312 Process Injection	NTDS	21 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Abuse Elevation Control Mechanism	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
WggZw957eT.exe	50%	ReversingLabs	Win32.Trojan.Amadey
WggZw957eT.exe	59%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\ahsqcnrtkaiwv	100%	Avira	HEUR/AGEN.1319380
C:\Users\user\AppData\Local\Temp\dqatklnkhkik	100%	Avira	HEUR/AGEN.1319380
C:\Users\user\AppData\Local\Temp\ahsqcnrtkaiwv	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\dqatklnkhkik	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	50%	ReversingLabs	Win32.Trojan.Amadey
C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe	59%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://ocsps.ssl.com0?	0%	URL Reputation	safe
http://ocsps.ssl.com0	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
http://www.aignes.comopen	0%	Avira URL Cloud	safe
http://www.aignes.comU	0%	Avira URL Cloud	safe
bestfitnessgymintheworld.com/8BvxwQdec3/index.php	0%	Avira URL Cloud	safe
bestfitnessgymintheworld.com/8BvxwQdec3/index.php	2%	Virustotal		Browse

Name	Malicious	Antivirus Detection	Reputation
bestfitnessgymintheworld.com/8BvxwQdec3/index.php	true	2%, Virustotal, Browse Avira URL Cloud: safe	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crls.ssl.com/ssl.com-rsa-RootCA.crl0	WggZw957eT.exe, XoWatcher.exe.2.dr	false		high
http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0Q	WggZw957eT.exe, XoWatcher.exe.2.dr	false		high
http://www.vmware.com/0	WggZw957eT.exe, 00000000.00000002.1460790930.0000000005AF1000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710460337.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806775372.00000000051E5000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1818871104.0000000004EFC000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0	WggZw957eT.exe, XoWatcher.exe.2.dr	false		high
http://www.symauth.com/rpa00	WggZw957eT.exe, 00000000.00000002.1460790930.0000000005AF1000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710460337.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806775372.00000000051E5000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1818871104.0000000004EFC000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ssl.com/repository0	WggZw957eT.exe, XoWatcher.exe.2.dr	false		high
http://ocsps.ssl.com0?	WggZw957eT.exe, XoWatcher.exe.2.dr	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	WggZw957eT.exe, XoWatcher.exe.2.dr	false		high
http://www.info-zip.org/	WggZw957eT.exe, 00000000.00000002.1460790930.00000000058F1000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710460337.0000000005C15000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806775372.000000000519C000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, explorer.exe, 0000000B.00000002.1818871104.0000000004EB3000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1806222806.0000000004F52000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0	WggZw957eT.exe, XoWatcher.exe.2.dr	false		high
http://www.aignes.com	XoWatcher.exe.2.dr	false		high
http://www.aignes.comU	WggZw957eT.exe, XoWatcher.exe.2.dr	false	Avira URL Cloud: safe	unknown
http://www.vmware.com/0/	WggZw957eT.exe, 00000000.00000002.1460790930.0000000005AF1000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710460337.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806775372.00000000051E5000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1818871104.0000000004EFC000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q	WggZw957eT.exe, XoWatcher.exe.2.dr	false		high
http://ocsps.ssl.com0	WggZw957eT.exe, XoWatcher.exe.2.dr	false	URL Reputation: safe	unknown
http://upx.sf.net	Amcache.hve.15.dr	false		high
http://www.aignes.comopen	WggZw957eT.exe, XoWatcher.exe.2.dr	false	Avira URL Cloud: safe	unknown
http://schemas.micro	netsh.exe, 00000002.00000002.1709871097.00000000037C1000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.symauth.com/cps0(	WggZw957eT.exe, 00000000.00000002.1460790930.0000000005AF1000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000002.1710460337.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, netsh.exe, 00000006.00000002.1806775372.00000000051E5000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.1818871104.0000000004EFC000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0	WggZw957eT.exe, XoWatcher.exe.2.dr	false		high
http://www.aignes.com/helpd/bugreport.htmU	WggZw957eT.exe, XoWatcher.exe.2.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1434735
Start date and time:	2024-05-01 17:20:15 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	WggZw957eT.exe renamed because original name is a hash value
Original Sample Name:	dac0dcb27faee13abe4f3a6ca8b8d157.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@14/14@0/0
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.172
Excluded domains from analysis (whitelisted): onedsblobprdeus07.eastus.cloudapp.azure.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, ocsps.ssl.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target explorer.exe, PID 4260 because there are no executed function
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
17:21:18	API Interceptor	1x Sleep call for process: WggZw957eT.exe modified
17:21:24	Task Scheduler	Run new task: SecurityComv4 path: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe
17:21:24	Task Scheduler	Run new task: XoWatcher path: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe
17:21:27	API Interceptor	1x Sleep call for process: XoWatcher.exe modified
17:21:45	API Interceptor	2x Sleep call for process: netsh.exe modified
17:21:55	API Interceptor	1x Sleep call for process: WerFault.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_WggZw957eT.exe_9ec955d78fe120ba231ab2a1329d2214fda0_b48c7581_bcd51baf-620c-4809-97ee-7e6859d938bb\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.766148134202183
Encrypted:	false
SSDEEP:	96:gyF263cgIKWVQasN7ToI7Jf9QXIDcQvc6QcEVcw3cE/H+HbHgoC5AJcf3h88WSAm:733szVXT0BU/AjtczuiF1Z24IO8wn
MD5:	882F99960B45DEDB2200DDA83A01DFC9
SHA1:	E36E69AE9F9E7D84D0534CA4C35CB1186E59E063
SHA-256:	B362144C4180EBDD7D259E50C8DC213F43896D1BBF8CB5AA5AB7F5AE28A076C3
SHA-512:	46C9A346E4BE6992C30EAA9C9D0C16A72DFE342BF8CA579B2BE59EFAF86BD52C53083DD2B4700D3EB97A58F08DFB8D1F975DF47F61A650934285AA5463C3C8EB
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.9.0.5.0.5.0.5.5.0.2.7.4.7.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.9.0.5.0.5.0.7.5.6.5.2.5.5.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.c.d.5.1.b.a.f.-.6.2.0.c.-.4.8.0.9.-.9.7.e.e.-.7.e.6.8.5.9.d.9.3.8.b.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.2.e.3.b.6.0.5.-.6.5.a.e.-.4.6.4.b.-.b.4.e.3.-.f.d.f.d.6.0.b.b.2.a.9.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.W.g.g.Z.w.9.5.7.e.T...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.0.a.4.-.0.0.0.1.-.0.0.1.4.-.5.8.5.2.-.f.6.4.2.d.b.9.b.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.e.8.4.1.4.7.e.2.e.6.2.c.a.9.5.6.e.7.4.0.7.0.e.f.6.c.e.f.d.6.1.6.1.9.1.e.1.d.1.!.e.x.p.l.o.r.e.r...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER95E5.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed May 1 15:21:45 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	40630
Entropy (8bit):	1.9760683969360584
Encrypted:	false
SSDEEP:	192:9C9V6dpCmOkJWbeS8KwZdGwCumISTh0blZEzIVlDR3eY:83Skx3beSGZ0uZpblZfZe
MD5:	2655AAFE84F6B7748D2484BD3BA983A5
SHA1:	F446EDFEF75109C35656EAC40496474D0E67D2DB
SHA-256:	A77EE48627DC9AA20422726BC7C7977B373A8BABEC67F89E9A81B683C1D7FA9B
SHA-512:	70456B03039DD06244737FE956E04B4E73A9F2B03AB30C01A3F61A189892B4A1223433060709140C2DA5C7B869F2521B7B9E7E5DD0B55BB430BB8EBA774960A8
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........^2f....................................$...6$..........T.......8...........T...........`...V...........p...........\...............................................................................eJ..............GenuineIntel............T............^2f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER96E0.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8308
Entropy (8bit):	3.697665362965642
Encrypted:	false
SSDEEP:	192:R6l7wVeJ606IQ/U6Yrd65gmfRwpr+89bXBsf9dm:R6lXJZ6IQ/U6YR65gmfRyX6f2
MD5:	B0CA57571B6507C793611F7DDC4B5CFD
SHA1:	73B402CA1661F88D6F230D3B216031CC4F429C30
SHA-256:	CCBB981EC381852BD8B159AE87B63648445ADEC8FCC044CCFFFF455C8A677026
SHA-512:	BDE53C543A1EA3171DE77CBA3F3EE0E0DF43CAF459CC7857DC55B8E48FE84873B2515569AF0E8B30BA6528F0C4CEF032C9445A2C086DD312B3DC4B25C9573BF9
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.2.6.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9C7E.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4624
Entropy (8bit):	4.4873774026558575
Encrypted:	false
SSDEEP:	48:cvIwWl8zsNJg77aI9dKWpW8VYoYm8M4JyOcwF2R1+q8qiPt1QIfTxd:uIjfnI7fr7VYJy14vQIfTxd
MD5:	26332DA3091CBDA888EB500ED427C656
SHA1:	EB5A28CE0B19FA7BB70A19528056D3A9CFD660B9
SHA-256:	7EFAF17DCFE5D06ADBB4BD0899526CEF12E6B8BB23985884425B5AD0D2959611
SHA-512:	B181525D3748ECBF15F43ADEF69C63998CCC100DBEAF3050CA6E6F4EBA6F462BC3729547656644EA412BC38A7CC4C60F17BF86C2EBAD7A7E4D9AA8A9B9B24774
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="304224" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Temp\9e2366f7

Download File

Process:	C:\Users\user\Desktop\WggZw957eT.exe
File Type:	PNG image data, 2560 x 1156, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1249235
Entropy (8bit):	7.993630189338612
Encrypted:	true
SSDEEP:	24576:Of6zM/abfvmcrQKtByhszgdsmGlGFTpsEz27LnCm9igI9Y6Bb8pMC:OSo/cLEyAyGFtjz23vkE6Bb8pMC
MD5:	755BAE117A86434AAA986817ABF99F51
SHA1:	2638BF47FDB2C6063DBDC67852A8528FFA8546FF
SHA-256:	9025BE77F191F169BCE0F58327D5A44887F684017C5CB81BE1BA58E0A18FF6C3
SHA-512:	2E229105891BB6360B9D440473E60F991B1B443EF843A2BCF6C4989CB244A839EB62D43818C736FABEC6B91038D2884ECB3D80AAB40E714FEEE5CCBE48AE8DCE
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR.............'(.... .IDATx..;.$..z...~...}...[....;.."`...\aH.....U..1...u5.$.tw....8..'".......7..c:.2.............+A........:.m........h.a.._7.....R.[.s..i..u......G..!..B...G8.3.h...0..G...G..........,......r).......x)rw)%.,K.....\JkM....g..<.....])..R.e.m.Bp..K1.....]..+....u..8.\|].d.....A..X...........=.^ `..d....;.nH..\|k..3..}......'Ts.....D....C..h.{......$.}w.np..h.n1..U9\F..<[...J..\..............~.w.a3.p...a.m..\.2..1.Y>c....R.3pL..X.gc.c.f..;..s.Mf..(..._..o#.;...RJ)\|......,..._p].....".........b.I..t.4u5\F.A.9.........~%......{............$h...N...@S...>..A...B..o..w..".a..8[7.A...q....\|$....H..Zh:..W.H..%..O..G..W..e...\|...b....B....N.......?.Zq..^...\'.....~.16......o..xI.%.....cx^`.\|..#3'..\|.%.I..%.%.M.`......./.d.O".RI\..$..$_)<$....b8H...s....;...Lk]m;G`... .......b.....B......Q...8....=..,.l....]B..,..(_J......RH.....o..a....X>..EA.d....T....Jr...v.cD....B........6.{8.x0.o..Bx.....>0.

C:\Users\user\AppData\Local\Temp\9fd507bc

Download File

Process:	C:\Users\user\Desktop\WggZw957eT.exe
File Type:	data
Category:	dropped
Size (bytes):	1159304
Entropy (8bit):	7.623328667046815
Encrypted:	false
SSDEEP:	24576:t9gkqJElh0mlUaSutVF3+ZS0zH++S0KHthAP35dkh9nBH3Pmfej53tnrXrvfvwvo:t9g00mlUaLF3+xNS0KHthAP35dkh9nBx
MD5:	78A948A0217C1EB1AB0EAA726A236DEC
SHA1:	731DBE07050D63E8A437E7F111E29F4602ED3D88
SHA-256:	A7B11EB183110C3C7B2D1305ACB9A3A623E71A229D5CB3DE9126F0B3C5EF52EE
SHA-512:	E2A7161508E6A7663B78AE4AB3F5DB44931CC962601DBD43B46DE3967C5A0E02838DB51AED2D7813B36321A428EB17F9B673C855E245CAADCB8DF975451658F2
Malicious:	false
Reputation:	low
Preview:	n@x.n@x.l@x.m@x.l@x..@x.mAx.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@y.H.(.).,.H.5..2...&..:)...7..>4...`5..5$../...-..>4...5..m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x../1..4...)..(8x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x../;..!..$.......m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.H.1.).*.1..../...4V.(.$..!.../..m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x..rV.CuH._wx.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.

C:\Users\user\AppData\Local\Temp\a391ff10

Download File

Process:	C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe
File Type:	PNG image data, 2560 x 1156, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	1249235
Entropy (8bit):	7.993630189338612
Encrypted:	true
SSDEEP:	24576:Of6zM/abfvmcrQKtByhszgdsmGlGFTpsEz27LnCm9igI9Y6Bb8pMC:OSo/cLEyAyGFtjz23vkE6Bb8pMC
MD5:	755BAE117A86434AAA986817ABF99F51
SHA1:	2638BF47FDB2C6063DBDC67852A8528FFA8546FF
SHA-256:	9025BE77F191F169BCE0F58327D5A44887F684017C5CB81BE1BA58E0A18FF6C3
SHA-512:	2E229105891BB6360B9D440473E60F991B1B443EF843A2BCF6C4989CB244A839EB62D43818C736FABEC6B91038D2884ECB3D80AAB40E714FEEE5CCBE48AE8DCE
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR.............'(.... .IDATx..;.$..z...~...}...[....;.."`...\aH.....U..1...u5.$.tw....8..'".......7..c:.2.............+A........:.m........h.a.._7.....R.[.s..i..u......G..!..B...G8.3.h...0..G...G..........,......r).......x)rw)%.,K.....\JkM....g..<.....])..R.e.m.Bp..K1.....]..+....u..8.\|].d.....A..X...........=.^ `..d....;.nH..\|k..3..}......'Ts.....D....C..h.{......$.}w.np..h.n1..U9\F..<[...J..\..............~.w.a3.p...a.m..\.2..1.Y>c....R.3pL..X.gc.c.f..;..s.Mf..(..._..o#.;...RJ)\|......,..._p].....".........b.I..t.4u5\F.A.9.........~%......{............$h...N...@S...>..A...B..o..w..".a..8[7.A...q....\|$....H..Zh:..W.H..%..O..G..W..e...\|...b....B....N.......?.Zq..^...\'.....~.16......o..xI.%.....cx^`.\|..#3'..\|.%.I..%.%.M.`......./.d.O".RI\..$..$_)<$....b8H...s....;...Lk]m;G`... .......b.....B......Q...8....=..,.l....]B..,..(_J......RH.....o..a....X>..EA.d....T....Jr...v.cD....B........6.{8.x0.o..Bx.....>0.

C:\Users\user\AppData\Local\Temp\a5236b63

Download File

Process:	C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe
File Type:	data
Category:	dropped
Size (bytes):	1159304
Entropy (8bit):	7.6233853468204025
Encrypted:	false
SSDEEP:	24576:r9gkqJElh0mlUaSutVF3+ZS0zH++S0KHthAP35dkh9nBH3Pmfej53tnrXrvfvwvo:r9g00mlUaLF3+xNS0KHthAP35dkh9nBx
MD5:	F0106164D91DF1368F1A53B65A605346
SHA1:	E38E18BFA10EB6D2A6D4CD0986984469FE24F158
SHA-256:	A425337FF434BD06ECD82BE67E70225A0328D8C7A9A2AE1B990D903B09B898A6
SHA-512:	EB8ABE4EF61CD9AA3CD838A501486BCDCC85DE824E3325E6E2604F7C5BC2D5E0EF6CA3FFC8BF5E26D71D2B5D04B9E65A22F53A6F6E6D51622D7D61748E42473D
Malicious:	false
Preview:	n@x.n@x.l@x.m@x.l@x..@x.mAx.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@y.H.(.).,.H.5..2...&..:)...7..>4...`5..5$../...-..>4...5..m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x../1..4...)..(8x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x../;..!..$.......m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.H.1.).*.1..../...4V.(.$..!.../..m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x..rV.CuH._wx.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.m@x.

C:\Users\user\AppData\Local\Temp\ahsqcnrtkaiwv

Download File

Process:	C:\Windows\SysWOW64\netsh.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	431104
Entropy (8bit):	6.503865655674102
Encrypted:	false
SSDEEP:	12288:6pvhuwxAzkpbwoiqiNBN6uZeV8rUUr4x64J:qvhuwxIkR5iV+UrYjJ
MD5:	152CCF0EB9465F81AC69227AE6E75760
SHA1:	FF55CCA8FB8D169FC677526E5202B5F46EF0452A
SHA-256:	7911F48B06A12DE2AFD44800CE5A7600C20173D026217A397634F8F934A58117
SHA-512:	9C74A33B651D4F952451FAC0749B30FC301CF72DB1793CA9294015DE2109F22803B5DEC237DB667EF209EBD92373BC10D8F0558E27B2D0A66AB0A3EEFE13B21B
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: C:\Users\user\AppData\Local\Temp\ahsqcnrtkaiwv, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d.Y@...@...@....m..Q....m.......h..R....h..W....h..5....m..U....m..S...@........k..A....k1.A....k..A...Rich@...........PE..L...~.._..........................................@.......................................@.................................\|........p...........................K..@...8...........................x...@............................................text...:........................... ..`.rdata..^...........................@..@.data....E... ...2..................@....rsrc........p.......:..............@..@.reloc...K.......L...<..............@..Bbrua................................@...........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\dqatklnkhkik

Download File

Process:	C:\Windows\SysWOW64\netsh.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	431104
Entropy (8bit):	6.503865655674102
Encrypted:	false
SSDEEP:	12288:6pvhuwxAzkpbwoiqiNBN6uZeV8rUUr4x64J:qvhuwxIkR5iV+UrYjJ
MD5:	152CCF0EB9465F81AC69227AE6E75760
SHA1:	FF55CCA8FB8D169FC677526E5202B5F46EF0452A
SHA-256:	7911F48B06A12DE2AFD44800CE5A7600C20173D026217A397634F8F934A58117
SHA-512:	9C74A33B651D4F952451FAC0749B30FC301CF72DB1793CA9294015DE2109F22803B5DEC237DB667EF209EBD92373BC10D8F0558E27B2D0A66AB0A3EEFE13B21B
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: C:\Users\user\AppData\Local\Temp\dqatklnkhkik, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d.Y@...@...@....m..Q....m.......h..R....h..W....h..5....m..U....m..S...@........k..A....k1.A....k..A...Rich@...........PE..L...~.._..........................................@.......................................@.................................\|........p...........................K..@...8...........................x...@............................................text...:........................... ..`.rdata..^...........................@..@.data....E... ...2..................@....rsrc........p.......:..............@..@.reloc...K.......L...<..............@..Bbrua................................@...........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe

Download File

Process:	C:\Windows\SysWOW64\netsh.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5892944
Entropy (8bit):	6.730518069782429
Encrypted:	false
SSDEEP:	98304:/33qkhD+sqpQK/VD01f9Lrhn8uLm9YKuSo/c3B3cEumMv/1I:/nqxsVK/VD01f9Lrhn8unKlMT/
MD5:	DAC0DCB27FAEE13ABE4F3A6CA8B8D157
SHA1:	7A1681CEC1309115E3EC2116664B0EAE3CB81EF4
SHA-256:	56F9B99E3802E1D339C450401D3E42374C4FD3CBCBDB35DF136FE1E013AED9C9
SHA-512:	38ACB906F86BC9E27D39D957DDF2BFE5D6C09EEF69CEA3EC9ADD345C23833739039686677AFC2040B1225282563145C07A3AC911EA4F02FC68D5884D0EEC50C6
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 50% Antivirus: Virustotal, Detection: 59%, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......e..................5...#.......5.......5...@...........................Z......Z....... ..@...................`7.v.....7..N....7..."...........Y.P.....................................7.....................h.7.$....P7......................text...x.5.......5................. ..`.itext...'....5..(....5............. ..`.data.........5.......5.............@....bss.....k....6..........................idata...N....7..P...z6.............@....didata......P7.......6.............@....edata..v....`7.......6.............@..@.tls.........p7..........................rdata........7.......6.............@..@.rsrc....."...7..."...6.............@..@..............D......JC.............@..@........................................................

C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\netsh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\Tasks\SecurityComv4.job

Download File

Process:	C:\Windows\SysWOW64\netsh.exe
File Type:	data
Category:	dropped
Size (bytes):	298
Entropy (8bit):	3.5452829651649216
Encrypted:	false
SSDEEP:	6:cfbJWjFl+8ffL1UEZglJPZIJE3wyjhtkHs+Zgty0lPOV/11:cfMjFl+mfBMJ27oyZgtVe
MD5:	75179B0091DB0D74B7DDA9C7AB211BF9
SHA1:	AE868E20709864523D57D4DF3B450FEB21CAC3B9
SHA-256:	929A3F5485EF8000E1538885ED475CC88FF95AC851F404DEA81D173D4498EFE0
SHA-512:	08669EEFEF77874EDD896B1C8A4986A84670FDC3DF1D2C8FAB00FFF5373FBECF2FE52AA0BC4E2DA00D1E36DD075A95286C65BAEBE39ECE9C8871D5B064451C44
Malicious:	false
Preview:	........R.VG.r...U.sF.......<... ................ ....................=.C.:.\.U.s.e.r.s.\.h.u.b.e.r.t.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.W.m.x._.L.a.u.n.c.h._.x.6.4.\.X.o.W.a.t.c.h.e.r...e.x.e.........H.U.B.E.R.T.-.P.C.\.h.u.b.e.r.t...................0.........>.....................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.372863300263154
Encrypted:	false
SSDEEP:	6144:vFVfpi6ceLP/9skLmb0ayWWSPtaJG8nAge35OlMMhA2AX4WABlguN4iL:9V1QyWWI/glMM6kF7aq
MD5:	64BB6335EEA78B10545EC5AF13A7295F
SHA1:	DAB8FD0F980D916E09FDB435F2E3962203B63A23
SHA-256:	B91059BF7A072276672930CA6BED1698799E2E1E8FDD9323809999A37027A4C0
SHA-512:	193642877DEE01E1CB20A79CCF6DAA81A4EA20DEA040687A99BD4BA6C52A5F270254072DBB2557C405CA30E892CA0B80AAA3FBA3D1C3E433179985BC931516FF
Malicious:	false
Preview:	regfC...C....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.#.G..................................................................................................................................................................................................................................................................................................................................................s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.730518069782429
TrID:	Win32 Executable (generic) a (10002005/4) 97.91% Inno Setup installer (109748/4) 1.07% InstallShield setup (43055/19) 0.42% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Windows Screen Saver (13104/52) 0.13%
File name:	WggZw957eT.exe
File size:	5'892'944 bytes
MD5:	dac0dcb27faee13abe4f3a6ca8b8d157
SHA1:	7a1681cec1309115e3ec2116664b0eae3cb81ef4
SHA256:	56f9b99e3802e1d339c450401d3e42374c4fd3cbcbdb35df136fe1e013aed9c9
SHA512:	38acb906f86bc9e27d39d957ddf2bfe5d6c09eef69cea3ec9add345c23833739039686677afc2040b1225282563145c07a3ac911ea4f02fc68d5884d0eec50c6
SSDEEP:	98304:/33qkhD+sqpQK/VD01f9Lrhn8uLm9YKuSo/c3B3cEumMv/1I:/nqxsVK/VD01f9Lrhn8unKlMT/
TLSH:	B5568D12B245A93BD1162B328917C5B49C3AFE21E9264CC32BF03F1C7F35691792E667
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	e88c9eb296968669

Static PE Info

General

Entrypoint:	0x75e6f0
Entrypoint Section:	.itext
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x65C0E1EF [Mon Feb 5 13:26:07 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	7ab36286de2e12e81944274c2aad6a7c

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=SSL.com Code Signing Intermediate CA RSA R1, O=SSL Corp, L=Houston, S=Texas, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	03/03/2023 17:43:13 01/03/2026 17:43:13
Subject Chain	CN=Aignesberger Software GmbH, O=Aignesberger Software GmbH, L=Attnang-Puchheim, C=AT
Version:	3
Thumbprint MD5:	DB076A4FAF5E95ADE2AA69B2646EBFF2
Thumbprint SHA-1:	10619A88B6DC62762C70D317D3AB0EE011727DBF
Thumbprint SHA-256:	0970B0D025C9574DDB78DC38E543D7C40E145D2C5B2481BE96C36BBC1E900FDC
Serial:	16A8EF9F82D7221837C9715BB46D3DBB

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
push ebx
mov eax, 007527E0h
call 00007F107D1E0554h
mov ebx, dword ptr [00768CECh]
mov eax, dword ptr [00768C68h]
mov dword ptr [eax], 00000001h
mov eax, dword ptr [ebx]
call 00007F107D3CA168h
mov eax, dword ptr [ebx]
mov edx, 0075E780h
call 00007F107D3C9B0Ch
mov eax, dword ptr [ebx]
mov dl, 01h
call 00007F107D3CBD7Bh
mov ecx, dword ptr [00768B48h]
mov eax, dword ptr [ebx]
mov edx, dword ptr [0074DA94h]
call 00007F107D3CA158h
mov ecx, dword ptr [00768F0Ch]
mov eax, dword ptr [ebx]
mov edx, dword ptr [0073CBACh]
call 00007F107D3CA145h
mov ecx, dword ptr [007687E8h]
mov eax, dword ptr [ebx]
mov edx, dword ptr [00749AE4h]
call 00007F107D3CA132h
mov eax, dword ptr [ebx]
call 00007F107D3CA28Fh
pop ebx
call 00007F107D1DBC99h
mov al, 04h
add al, byte ptr [eax]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x376000	0x76	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x370000	0x4ecc	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x379000	0x22f110	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x59cc00	0x1f50	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x378000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x370e68	0xc24	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x375000	0xa1a	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x35ac78	0x35ae00	009485a8b8b4366f21c129b992b4b2c8	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x35c000	0x27a8	0x2800	1f3ae4e2d7545ff2d56557e0c7ade746	False	0.52587890625	data	6.216819012512035	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x35f000	0xa000	0xa000	7428203a4f1ba0207c319d60a4d7e5c6	False	0.4734619140625	data	5.527777298849636	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x369000	0x6bf8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x370000	0x4ecc	0x5000	500205d153d35e148cd45bea1c2b24bb	False	0.3005859375	data	5.179449007972189	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0x375000	0xa1a	0xc00	b4f49ddc02d7081b55f5b4d30774fc7d	False	0.3102213541666667	data	3.7219335698206435	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x376000	0x76	0x200	97904a5d8cc236a335d1567b1ef70c31	False	0.201171875	data	1.411803466347487	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x377000	0x6b0	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x378000	0x18	0x200	f17838568a29864e0c615602d2d5e358	False	0.0546875	data	0.2147325177871819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x379000	0x22f110	0x22f200	3b537f4c06a36624dba2156a7a497e6b	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
CJM	0x37cc30	0x130fd3	PNG image data, 2560 x 1156, 8-bit/color RGB, non-interlaced	English	United States	0.9937868118286133
MAD	0x4adc04	0x14	data			1.3
MAD	0x4adc18	0x30450	data			1.0003591081977827
RT_CURSOR	0x4de068	0x134	data	Spanish	Argentina	0.4935064935064935
RT_CURSOR	0x4de19c	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0x4de2d0	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0x4de404	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0x4de538	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0x4de66c	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0x4de7a0	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_CURSOR	0x4de8d4	0x2ec	Targa image data 64 x 65536 x 1 +32 "\004"	German	Germany	0.19385026737967914
RT_CURSOR	0x4debc0	0x2ec	Targa image data 64 x 65536 x 1 +32 "\004"	German	Germany	0.18716577540106952
RT_CURSOR	0x4deeac	0x2ec	Targa image data 64 x 65536 x 1 +32 "\004"	German	Germany	0.2179144385026738
RT_CURSOR	0x4df198	0x2ec	Targa image data 64 x 65536 x 1 +32 "\004"	German	Germany	0.21122994652406418
RT_CURSOR	0x4df484	0x134	AmigaOS bitmap font "(", fc_YSize 4294967064, 3584 elements, 2nd "\377\270w\377\377\370\177\377\377\370\177\377\377\370\177\377\377\370\177\377\377\370\177\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	German	Germany	0.32792207792207795
RT_CURSOR	0x4df5b8	0x134	Targa image data 64 x 65536 x 1 +32 "\001"			0.3538961038961039
RT_CURSOR	0x4df6ec	0x134	data			0.42207792207792205
RT_CURSOR	0x4df820	0x134	data	Spanish	Argentina	0.39285714285714285
RT_CURSOR	0x4df954	0x134	data	English	United States	0.42207792207792205
RT_CURSOR	0x4dfa88	0x134	data	English	United States	0.36688311688311687
RT_CURSOR	0x4dfbbc	0x134	data	English	United States	0.38961038961038963
RT_CURSOR	0x4dfcf0	0x134	data	English	United States	0.5032467532467533
RT_CURSOR	0x4dfe24	0x134	data	English	United States	0.512987012987013
RT_CURSOR	0x4dff58	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	German	Germany	0.5292207792207793
RT_CURSOR	0x4e008c	0x2ec	Targa image data 64 x 65536 x 1 +32 "\004"	German	Germany	0.18983957219251338
RT_CURSOR	0x4e0378	0x2ec	Targa image data 64 x 65536 x 1 +32 "\004"	German	Germany	0.19117647058823528
RT_CURSOR	0x4e0664	0x2ec	Targa image data 64 x 65536 x 1 +32 "\004"	German	Germany	0.19786096256684493
RT_CURSOR	0x4e0950	0x2ec	Targa image data 64 x 65536 x 1 +32 "\004"	German	Germany	0.18983957219251338
RT_CURSOR	0x4e0c3c	0x2ec	Targa image data 64 x 65536 x 1 +32 "\004"	German	Germany	0.19518716577540107
RT_CURSOR	0x4e0f28	0x2ec	Targa image data 64 x 65536 x 1 +32 "\004"	German	Germany	0.19518716577540107
RT_CURSOR	0x4e1214	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_BITMAP	0x4e1348	0xe8	Device independent bitmap graphic, 8 x 8 x 24, image size 192	English	United States	0.4353448275862069
RT_BITMAP	0x4e1430	0xe8	Device independent bitmap graphic, 8 x 8 x 24, image size 192	English	United States	0.22413793103448276
RT_BITMAP	0x4e1518	0x6e8	Device independent bitmap graphic, 36 x 12 x 32, image size 1728	English	United States	0.10294117647058823
RT_BITMAP	0x4e1c00	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x4e1dd0	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380	English	United States	0.46487603305785125
RT_BITMAP	0x4e1fb4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.43103448275862066
RT_BITMAP	0x4e2184	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39870689655172414
RT_BITMAP	0x4e2354	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.4245689655172414
RT_BITMAP	0x4e2524	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5021551724137931
RT_BITMAP	0x4e26f4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5064655172413793
RT_BITMAP	0x4e28c4	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x4e2a94	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.5344827586206896
RT_BITMAP	0x4e2c64	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	English	United States	0.39655172413793105
RT_BITMAP	0x4e2e34	0x5cc	Device independent bitmap graphic, 19 x 19 x 32, image size 1444, resolution 3779 x 3779 px/m			0.4865229110512129
RT_BITMAP	0x4e3400	0x5cc	Device independent bitmap graphic, 19 x 19 x 32, image size 1444, resolution 3779 x 3779 px/m			0.601078167115903
RT_BITMAP	0x4e39cc	0x5cc	Device independent bitmap graphic, 19 x 19 x 32, image size 1444, resolution 2834 x 2834 px/m			0.5579514824797843
RT_BITMAP	0x4e3f98	0x5cc	Device independent bitmap graphic, 19 x 19 x 32, image size 1444, resolution 3779 x 3779 px/m			0.477088948787062
RT_BITMAP	0x4e4564	0x5cc	Device independent bitmap graphic, 19 x 19 x 32, image size 1444, resolution 3779 x 3779 px/m			0.5990566037735849
RT_BITMAP	0x4e4b30	0x5cc	Device independent bitmap graphic, 19 x 19 x 32, image size 1444, resolution 2834 x 2834 px/m			0.5559299191374663
RT_BITMAP	0x4e50fc	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.5208333333333334
RT_BITMAP	0x4e51bc	0x50	Device independent bitmap graphic, 8 x 8 x 1, image size 32	English	United States	0.55
RT_BITMAP	0x4e520c	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.42857142857142855
RT_BITMAP	0x4e52ec	0x16c	Device independent bitmap graphic, 9 x 9 x 32, image size 324	English	United States	0.37637362637362637
RT_BITMAP	0x4e5458	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.4955357142857143
RT_BITMAP	0x4e5538	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.38392857142857145
RT_BITMAP	0x4e5618	0x16c	Device independent bitmap graphic, 9 x 9 x 32, image size 324	English	United States	0.3956043956043956
RT_BITMAP	0x4e5784	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.4947916666666667
RT_BITMAP	0x4e5844	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.484375
RT_BITMAP	0x4e5904	0xd0	Device independent bitmap graphic, 8 x 7 x 24, image size 168	English	United States	0.22115384615384615
RT_BITMAP	0x4e59d4	0xd0	Device independent bitmap graphic, 8 x 7 x 24, image size 168	English	United States	0.23076923076923078
RT_BITMAP	0x4e5aa4	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.42410714285714285
RT_BITMAP	0x4e5b84	0x1028	Device independent bitmap graphic, 32 x 32 x 32, image size 4096			0.41392649903288203
RT_BITMAP	0x4e6bac	0x428	Device independent bitmap graphic, 16 x 16 x 32, image size 1024			0.2161654135338346
RT_BITMAP	0x4e6fd4	0x428	Device independent bitmap graphic, 16 x 16 x 32, image size 1024			0.6635338345864662
RT_BITMAP	0x4e73fc	0x428	Device independent bitmap graphic, 16 x 16 x 32, image size 1024			0.5958646616541353
RT_BITMAP	0x4e7824	0x1028	Device independent bitmap graphic, 32 x 32 x 32, image size 4096			0.5548839458413927
RT_BITMAP	0x4e884c	0x428	Device independent bitmap graphic, 16 x 16 x 32, image size 1024			0.5582706766917294
RT_BITMAP	0x4e8c74	0x428	Device independent bitmap graphic, 16 x 16 x 32, image size 1024			0.6015037593984962
RT_BITMAP	0x4e909c	0x428	Device independent bitmap graphic, 16 x 16 x 32, image size 1024			0.5469924812030075
RT_BITMAP	0x4e94c4	0x428	Device independent bitmap graphic, 16 x 16 x 32, image size 1024			0.7180451127819549
RT_BITMAP	0x4e98ec	0x1028	Device independent bitmap graphic, 32 x 32 x 32, image size 4096			0.3034332688588008
RT_BITMAP	0x4ea914	0x428	Device independent bitmap graphic, 16 x 16 x 32, image size 1024			0.5272556390977443
RT_BITMAP	0x4ead3c	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.5104166666666666
RT_BITMAP	0x4eadfc	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.5
RT_BITMAP	0x4eaedc	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128	English	United States	0.4870689655172414
RT_BITMAP	0x4eafc4	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	English	United States	0.4895833333333333
RT_BITMAP	0x4eb084	0x4b8	Device independent bitmap graphic, 12 x 12 x 8, image size 144, resolution 2866 x 2866 px/m	English	United States	0.35596026490066224
RT_BITMAP	0x4eb53c	0x4b8	Device independent bitmap graphic, 12 x 12 x 8, image size 144, resolution 2866 x 2866 px/m	English	United States	0.3518211920529801
RT_BITMAP	0x4eb9f4	0x4b8	Device independent bitmap graphic, 12 x 12 x 8, image size 144, resolution 2866 x 2866 px/m	English	United States	0.34271523178807944
RT_BITMAP	0x4ebeac	0x4b8	Device independent bitmap graphic, 12 x 12 x 8, image size 144, resolution 2882 x 2882 px/m	English	United States	0.3609271523178808
RT_BITMAP	0x4ec364	0x4b8	Device independent bitmap graphic, 12 x 12 x 8, image size 144, resolution 2866 x 2866 px/m	English	United States	0.36423841059602646
RT_BITMAP	0x4ec81c	0x628	Device independent bitmap graphic, 32 x 16 x 8, image size 512, resolution 2913 x 2913 px/m	English	United States	0.32741116751269034
RT_BITMAP	0x4ece44	0x628	Device independent bitmap graphic, 32 x 16 x 8, image size 512, resolution 2913 x 2913 px/m	English	United States	0.33756345177664976
RT_BITMAP	0x4ed46c	0x628	Device independent bitmap graphic, 32 x 16 x 8, image size 512, resolution 2898 x 2898 px/m	English	United States	0.30774111675126903
RT_BITMAP	0x4eda94	0x628	Device independent bitmap graphic, 32 x 16 x 8, image size 512, resolution 2913 x 2913 px/m	English	United States	0.39403553299492383
RT_BITMAP	0x4ee0bc	0x628	Device independent bitmap graphic, 32 x 16 x 8, image size 512, resolution 2882 x 2882 px/m	English	United States	0.4346446700507614
RT_BITMAP	0x4ee6e4	0x628	Device independent bitmap graphic, 32 x 16 x 8, image size 512, resolution 2913 x 2913 px/m	English	United States	0.32741116751269034
RT_BITMAP	0x4eed0c	0x628	Device independent bitmap graphic, 32 x 16 x 8, image size 512, resolution 2913 x 2913 px/m	English	United States	0.3483502538071066
RT_BITMAP	0x4ef334	0x628	Device independent bitmap graphic, 32 x 16 x 8, image size 512, resolution 2898 x 2898 px/m	English	United States	0.30710659898477155
RT_BITMAP	0x4ef95c	0x628	Device independent bitmap graphic, 32 x 16 x 8, image size 512, resolution 2913 x 2913 px/m	English	United States	0.33121827411167515
RT_BITMAP	0x4eff84	0x628	Device independent bitmap graphic, 32 x 16 x 8, image size 512, resolution 2898 x 2898 px/m	English	United States	0.30710659898477155
RT_BITMAP	0x4f05ac	0x524	Device independent bitmap graphic, 11 x 21 x 8, image size 252, resolution 2835 x 2835 px/m	English	United States	0.06838905775075987
RT_BITMAP	0x4f0ad0	0x524	Device independent bitmap graphic, 11 x 21 x 8, image size 252, resolution 2835 x 2835 px/m	English	United States	0.06382978723404255
RT_BITMAP	0x4f0ff4	0x524	Device independent bitmap graphic, 11 x 21 x 8, image size 252, resolution 2850 x 2850 px/m	English	United States	0.07066869300911854
RT_BITMAP	0x4f1518	0x524	Device independent bitmap graphic, 11 x 21 x 8, image size 252, resolution 2850 x 2850 px/m	English	United States	0.05623100303951368
RT_BITMAP	0x4f1a3c	0x108	Device independent bitmap graphic, 10 x 20 x 4, image size 160, resolution 2850 x 2850 px/m	English	United States	0.3068181818181818
RT_BITMAP	0x4f1b44	0x108	Device independent bitmap graphic, 10 x 20 x 4, image size 160, resolution 2850 x 2850 px/m	English	United States	0.2878787878787879
RT_BITMAP	0x4f1c4c	0x108	Device independent bitmap graphic, 10 x 20 x 4, image size 160, resolution 2866 x 2866 px/m	English	United States	0.3068181818181818
RT_BITMAP	0x4f1d54	0x108	Device independent bitmap graphic, 10 x 20 x 4, image size 160, resolution 2851 x 2851 px/m, 16 important colors	English	United States	0.2727272727272727
RT_BITMAP	0x4f1e5c	0x5a8	Device independent bitmap graphic, 21 x 16 x 8, image size 384, resolution 2835 x 2835 px/m	English	United States	0.0738950276243094
RT_BITMAP	0x4f2404	0x5a8	Device independent bitmap graphic, 21 x 16 x 8, image size 384, resolution 2835 x 2835 px/m	English	United States	0.06560773480662983
RT_BITMAP	0x4f29ac	0x5a8	Device independent bitmap graphic, 21 x 16 x 8, image size 384, resolution 2850 x 2850 px/m	English	United States	0.07527624309392265
RT_BITMAP	0x4f2f54	0x5a8	Device independent bitmap graphic, 21 x 16 x 8, image size 384, resolution 2835 x 2835 px/m	English	United States	0.05386740331491713
RT_BITMAP	0x4f34fc	0x524	Device independent bitmap graphic, 11 x 21 x 8, image size 252, resolution 2850 x 2850 px/m	English	United States	0.07750759878419453
RT_BITMAP	0x4f3a20	0x524	Device independent bitmap graphic, 11 x 21 x 8, image size 252, resolution 2850 x 2850 px/m	English	United States	0.07066869300911854
RT_BITMAP	0x4f3f44	0x524	Device independent bitmap graphic, 11 x 21 x 8, image size 252, resolution 2850 x 2850 px/m	English	United States	0.07674772036474165
RT_BITMAP	0x4f4468	0x524	Device independent bitmap graphic, 11 x 21 x 8, image size 252, resolution 2866 x 2866 px/m	English	United States	0.06838905775075987
RT_BITMAP	0x4f498c	0x530	Device independent bitmap graphic, 21 x 11 x 8, image size 264, resolution 2835 x 2835 px/m	English	United States	0.07003012048192771
RT_BITMAP	0x4f4ebc	0x530	Device independent bitmap graphic, 21 x 11 x 8, image size 264, resolution 2835 x 2835 px/m	English	United States	0.06475903614457831
RT_BITMAP	0x4f53ec	0x530	Device independent bitmap graphic, 21 x 11 x 8, image size 264, resolution 2850 x 2850 px/m	English	United States	0.07153614457831325
RT_BITMAP	0x4f591c	0x530	Device independent bitmap graphic, 21 x 11 x 8, image size 264, resolution 2850 x 2850 px/m	English	United States	0.0572289156626506
RT_BITMAP	0x4f5e4c	0xe0	Device independent bitmap graphic, 20 x 10 x 4, image size 120, resolution 2835 x 2835 px/m	English	United States	0.35267857142857145
RT_BITMAP	0x4f5f2c	0xe0	Device independent bitmap graphic, 20 x 10 x 4, image size 120, resolution 2835 x 2835 px/m	English	United States	0.33482142857142855
RT_BITMAP	0x4f600c	0xe0	Device independent bitmap graphic, 20 x 10 x 4, image size 120, resolution 2850 x 2850 px/m	English	United States	0.35714285714285715
RT_BITMAP	0x4f60ec	0xe0	Device independent bitmap graphic, 20 x 10 x 4, image size 120, resolution 2851 x 2851 px/m, 16 important colors	English	United States	0.32142857142857145
RT_BITMAP	0x4f61cc	0x578	Device independent bitmap graphic, 16 x 21 x 8, image size 336, resolution 2882 x 2882 px/m	English	United States	0.07857142857142857
RT_BITMAP	0x4f6744	0x578	Device independent bitmap graphic, 16 x 21 x 8, image size 336, resolution 2866 x 2866 px/m	English	United States	0.06714285714285714
RT_BITMAP	0x4f6cbc	0x578	Device independent bitmap graphic, 16 x 21 x 8, image size 336, resolution 2882 x 2882 px/m	English	United States	0.07857142857142857
RT_BITMAP	0x4f7234	0x578	Device independent bitmap graphic, 16 x 21 x 8, image size 336, resolution 2850 x 2850 px/m	English	United States	0.055
RT_BITMAP	0x4f77ac	0x530	Device independent bitmap graphic, 21 x 11 x 8, image size 264, resolution 2835 x 2835 px/m	English	United States	0.08057228915662651
RT_BITMAP	0x4f7cdc	0x530	Device independent bitmap graphic, 21 x 11 x 8, image size 264, resolution 2835 x 2835 px/m	English	United States	0.07605421686746988
RT_BITMAP	0x4f820c	0x530	Device independent bitmap graphic, 21 x 11 x 8, image size 264, resolution 2850 x 2850 px/m	English	United States	0.08207831325301204
RT_BITMAP	0x4f873c	0x530	Device independent bitmap graphic, 21 x 11 x 8, image size 264, resolution 2835 x 2835 px/m	English	United States	0.07228915662650602
RT_BITMAP	0x4f8c6c	0x524	Device independent bitmap graphic, 11 x 21 x 8, image size 252, resolution 2835 x 2835 px/m	English	United States	0.07446808510638298
RT_BITMAP	0x4f9190	0x524	Device independent bitmap graphic, 11 x 21 x 8, image size 252, resolution 2835 x 2835 px/m	English	United States	0.07066869300911854
RT_BITMAP	0x4f96b4	0x524	Device independent bitmap graphic, 11 x 21 x 8, image size 252, resolution 2850 x 2850 px/m	English	United States	0.07598784194528875
RT_BITMAP	0x4f9bd8	0x524	Device independent bitmap graphic, 11 x 21 x 8, image size 252, resolution 2835 x 2835 px/m	English	United States	0.07066869300911854
RT_BITMAP	0x4fa0fc	0x54	Device independent bitmap graphic, 5 x 9 x 1, image size 36	English	United States	0.5714285714285714
RT_BITMAP	0x4fa150	0xdc	Device independent bitmap graphic, 19 x 3 x 24, image size 180	English	United States	0.2681818181818182
RT_BITMAP	0x4fa22c	0xdc	Device independent bitmap graphic, 19 x 3 x 24, image size 180	English	United States	0.2681818181818182
RT_BITMAP	0x4fa308	0xdc	Device independent bitmap graphic, 19 x 3 x 24, image size 180	English	United States	0.2681818181818182
RT_BITMAP	0x4fa3e4	0x4b8	Device independent bitmap graphic, 12 x 12 x 8, image size 144			0.44039735099337746
RT_BITMAP	0x4fa89c	0x4b8	Device independent bitmap graphic, 12 x 12 x 8, image size 144			0.429635761589404
RT_BITMAP	0x4fad54	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	English	United States	0.3794642857142857
RT_BITMAP	0x4fae34	0x1cc	Device independent bitmap graphic, 3 x 35 x 24, image size 420	English	United States	0.11956521739130435
RT_BITMAP	0x4fb000	0x268	Device independent bitmap graphic, 32 x 32 x 4, image size 512			0.22077922077922077
RT_BITMAP	0x4fb268	0x268	Device independent bitmap graphic, 32 x 32 x 4, image size 512			0.17857142857142858
RT_BITMAP	0x4fb4d0	0x268	Device independent bitmap graphic, 32 x 32 x 4, image size 512			0.1737012987012987
RT_BITMAP	0x4fb738	0x268	Device independent bitmap graphic, 64 x 16 x 4, image size 512			0.21266233766233766
RT_BITMAP	0x4fb9a0	0xd28	Device independent bitmap graphic, 144 x 16 x 8, image size 2304			0.23693586698337293
RT_BITMAP	0x4fc6c8	0x124	Device independent bitmap graphic, 9 x 9 x 24, image size 252, resolution 2834 x 2834 px/m			0.5924657534246576
RT_BITMAP	0x4fc7ec	0x124	Device independent bitmap graphic, 9 x 9 x 24, image size 252, resolution 2834 x 2834 px/m			0.5993150684931506
RT_ICON	0x4fc910	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	English	United States	0.46604046242774566
RT_ICON	0x4fce78	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	English	United States	0.3276173285198556
RT_ICON	0x4fd720	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688	English	United States	0.21321961620469082
RT_DIALOG	0x4fe5c8	0x52	data			0.7682926829268293
RT_DIALOG	0x4fe61c	0x52	data			0.7560975609756098
RT_STRING	0x4fe670	0x108	data			0.5075757575757576
RT_STRING	0x4fe778	0x3c4	data			0.40560165975103735
RT_STRING	0x4feb3c	0x1d8	data			0.3877118644067797
RT_STRING	0x4fed14	0x170	data			0.48097826086956524
RT_STRING	0x4fee84	0x118	data			0.5571428571428572
RT_STRING	0x4fef9c	0x100	data			0.5625
RT_STRING	0x4ff09c	0x3a0	data			0.35344827586206895
RT_STRING	0x4ff43c	0x458	data			0.31115107913669066
RT_STRING	0x4ff894	0x618	data			0.36538461538461536
RT_STRING	0x4ffeac	0x314	data			0.41116751269035534
RT_STRING	0x5001c0	0x364	data			0.4274193548387097
RT_STRING	0x500524	0x1dc	data			0.5357142857142857
RT_STRING	0x500700	0xcc	data			0.6666666666666666
RT_STRING	0x5007cc	0x114	data			0.6086956521739131
RT_STRING	0x5008e0	0x2c4	data			0.4689265536723164
RT_STRING	0x500ba4	0x400	data			0.3642578125
RT_STRING	0x500fa4	0x3e8	data			0.392
RT_STRING	0x50138c	0x340	data			0.33052884615384615
RT_STRING	0x5016cc	0x424	data			0.41509433962264153
RT_STRING	0x501af0	0x430	data			0.3666044776119403
RT_STRING	0x501f20	0x374	data			0.3733031674208145
RT_STRING	0x502294	0x408	data			0.374031007751938
RT_STRING	0x50269c	0x21c	data			0.4
RT_STRING	0x5028b8	0xbc	data			0.6542553191489362
RT_STRING	0x502974	0x100	data			0.62890625
RT_STRING	0x502a74	0x338	data			0.4223300970873786
RT_STRING	0x502dac	0x410	data			0.33942307692307694
RT_STRING	0x5031bc	0x310	data			0.37755102040816324
RT_STRING	0x5034cc	0x334	data			0.33414634146341465
RT_RCDATA	0x503800	0x10	data			1.5
RT_RCDATA	0x503810	0xebc	data			0.5540827147401909
RT_RCDATA	0x5046cc	0x2	data	English	United States	5.0
RT_RCDATA	0x5046d0	0x6d9	Delphi compiled form 'TAMProgress'			0.4592127780946948
RT_RCDATA	0x504dac	0x81c	Delphi compiled form 'TdlgApplication'			0.46001926782273606
RT_RCDATA	0x5055c8	0x249	Delphi compiled form 'TdlgFolder'			0.6188034188034188
RT_RCDATA	0x505814	0x2c72	Delphi compiled form 'TdlgSettings'			0.2491650553700123
RT_RCDATA	0x508488	0x1403	Delphi compiled form 'TdlgStatus'			0.15674409525668553
RT_RCDATA	0x50988c	0x725a3	Delphi compiled form 'TfrmMain'			0.048293398407726944
RT_RCDATA	0x57be30	0x10d3	Delphi compiled form 'TfrmQuickStart'			0.3522173206408173
RT_RCDATA	0x57cf04	0xb94	Delphi compiled form 'TMadExcept'			0.47941970310391363
RT_RCDATA	0x57da98	0x34b	Delphi compiled form 'TMEContactForm'			0.4389086595492289
RT_RCDATA	0x57dde4	0x227	Delphi compiled form 'TMEDetailsForm'			0.5444646098003629
RT_RCDATA	0x57e00c	0x3e6	Delphi compiled form 'TMEMyMailForm'			0.531062124248497
RT_RCDATA	0x57e3f4	0x286	Delphi compiled form 'TMEScrShotForm'			0.5371517027863777
RT_RCDATA	0x57e67c	0x27ebf	Delphi compiled form 'TMyTaskDialog'			0.06775970988080895
RT_RCDATA	0x5a653c	0x12df	Delphi compiled form 'TRzFrmCustomizeToolbar'			0.26971641482094805
RT_GROUP_CURSOR	0x5a781c	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.25
RT_GROUP_CURSOR	0x5a7830	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.25
RT_GROUP_CURSOR	0x5a7844	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x5a7858	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x5a786c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x5a7880	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x5a7894	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x5a78a8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x5a78bc	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x5a78d0	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x5a78e4	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x5a78f8	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x5a790c	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x5a7920	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x5a7934	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x5a7948	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x5a795c	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x5a7970	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x5a7984	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x5a7998	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x5a79ac	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.25
RT_GROUP_CURSOR	0x5a79c0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x5a79d4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x5a79e8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x5a79fc	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x5a7a10	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x5a7a24	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x5a7a38	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x5a7a4c	0x30	data	English	United States	0.875
RT_VERSION	0x5a7a7c	0x2c8	data	English	United States	0.46629213483146065
RT_MANIFEST	0x5a7d44	0x3cc	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.45987654320987653

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll	MessageBoxA, CharNextW, LoadStringW
kernel32.dll	Sleep, VirtualFree, VirtualAlloc, lstrlenW, VirtualQuery, QueryPerformanceCounter, GetTickCount, GetSystemInfo, GetVersion, CompareStringW, IsDBCSLeadByteEx, IsValidLocale, SetThreadLocale, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, GetLocaleInfoW, WideCharToMultiByte, MultiByteToWideChar, GetConsoleOutputCP, GetConsoleCP, GetACP, LoadLibraryExW, GetStartupInfoW, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetCommandLineW, FreeLibrary, GetLastError, UnhandledExceptionFilter, RtlUnwind, RaiseException, ExitProcess, ExitThread, SwitchToThread, GetCurrentThreadId, CreateThread, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, FindFirstFileW, FindClose, WriteFile, SetFilePointer, SetEndOfFile, ReadFile, GetFileType, GetFileSize, CreateFileW, GetStdHandle, CloseHandle
kernel32.dll	GetProcAddress, RaiseException, LoadLibraryA, GetLastError, TlsSetValue, TlsGetValue, LocalFree, LocalAlloc, GetModuleHandleW, FreeLibrary
user32.dll	SetClassLongW, GetClassLongW, SetWindowLongW, GetWindowLongW, CreateWindowExA, CreateWindowExW, WindowFromPoint, WaitMessage, ValidateRect, UpdateWindow, UnregisterHotKey, UnregisterClassA, UnregisterClassW, UnionRect, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, ToAscii, SystemParametersInfoW, SubtractRect, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, ShowCaret, SetWindowRgn, SetWindowsHookExW, SetWindowTextA, SetWindowTextW, SetWindowPos, SetWindowPlacement, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRectEmpty, SetRect, SetPropW, SetParent, SetMenuItemInfoW, SetMenu, SetForegroundWindow, SetFocus, SetCursorPos, SetCursor, SetClipboardData, SetCaretPos, SetCapture, SetActiveWindow, SendNotifyMessageW, SendMessageTimeoutA, SendMessageA, SendMessageW, ScrollWindow, ScrollDC, ScreenToClient, RemovePropW, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageW, RegisterHotKey, RegisterClipboardFormatW, RegisterClassA, RegisterClassW, RedrawWindow, PtInRect, PostThreadMessageA, PostThreadMessageW, PostQuitMessage, PostMessageA, PostMessageW, PeekMessageA, PeekMessageW, OpenClipboard, OffsetRect, NotifyWinEvent, MsgWaitForMultipleObjectsEx, MsgWaitForMultipleObjects, MessageBoxA, MessageBoxW, MessageBeep, MapWindowPoints, MapVirtualKeyW, LockWindowUpdate, LoadStringW, LoadKeyboardLayoutW, LoadImageA, LoadImageW, LoadIconW, LoadCursorW, LoadBitmapW, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsDialogMessageW, IsClipboardFormatAvailable, IsChild, InvertRect, InvalidateRect, IntersectRect, InsertMenuItemW, InsertMenuW, InflateRect, HideCaret, GetWindowThreadProcessId, GetWindowTextA, GetWindowTextW, GetWindowRect, GetWindowPlacement, GetWindowDC, GetUpdateRect, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetScrollBarInfo, GetPropW, GetParent, GetWindow, GetMessagePos, GetMessageExtraInfo, GetMessageA, GetMessageW, GetMenuStringW, GetMenuState, GetMenuItemInfoW, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameW, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextW, GetIconInfo, GetForegroundWindow, GetFocus, GetDlgItem, GetDlgCtrlID, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardFormatNameW, GetClipboardData, GetClientRect, GetClassNameA, GetClassNameW, GetClassInfoExW, GetClassInfoW, GetCapture, GetActiveWindow, FrameRect, FindWindowExW, FindWindowA, FindWindowW, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumClipboardFormats, EnumChildWindows, EndPaint, EndMenu, EndDeferWindowPos, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextExW, DrawTextA, DrawTextW, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DrawCaption, DispatchMessageA, DispatchMessageW, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DestroyCaret, DeleteMenu, DeferWindowPos, DefWindowProcA, DefWindowProcW, DefMDIChildProcW, DefFrameProcW, CreatePopupMenu, CreateMenu, CreateIcon, CreateCaret, CountClipboardFormats, CopyImage, CloseClipboard, ClipCursor, ClientToScreen, ChildWindowFromPointEx, CheckMenuItem, CharUpperBuffW, CharUpperW, CharNextW, CharLowerBuffW, CharLowerW, CallWindowProcA, CallWindowProcW, CallNextHookEx, BringWindowToTop, BeginPaint, BeginDeferWindowPos, AttachThreadInput, CharUpperBuffA, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll	UnrealizeObject, TextOutA, TextOutW, StretchDIBits, StretchBlt, StartPage, StartDocA, StartDocW, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextJustification, SetTextColor, SetTextAlign, SetStretchBltMode, SetROP2, SetPixelV, SetPixel, SetMapMode, SetEnhMetaFileBits, SetDIBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SelectClipRgn, SelectClipPath, SaveDC, RoundRect, RestoreDC, Rectangle, RectVisible, RealizePalette, PtInRegion, Polyline, Polygon, PolyBezierTo, PolyBezier, PlayEnhMetaFile, Pie, PatBlt, OffsetWindowOrgEx, OffsetRgn, OffsetClipRgn, MoveToEx, MaskBlt, LineTo, LPtoDP, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetViewportOrgEx, GetTextMetricsW, GetTextFaceA, GetTextExtentPointW, GetTextExtentPoint32A, GetTextExtentPoint32W, GetTextColor, GetTextAlign, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectW, GetMapMode, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionW, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetCurrentPositionEx, GetCurrentObject, GetClipBox, GetBrushOrgEx, GetBkMode, GetBkColor, GetBitmapBits, GdiFlush, FrameRgn, ExtTextOutW, ExtFloodFill, ExcludeClipRect, EnumFontsW, EnumFontFamiliesExW, EndPath, EndPage, EndDoc, Ellipse, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRectRgnIndirect, CreateRectRgn, CreatePolygonRgn, CreatePenIndirect, CreatePen, CreatePatternBrush, CreatePalette, CreateHalftonePalette, CreateFontIndirectW, CreateFontA, CreateFontW, CreateDIBitmap, CreateDIBSection, CreateDCW, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileW, CombineRgn, Chord, BitBlt, BeginPath, ArcTo, Arc, AngleArc
version.dll	VerQueryValueA, VerQueryValueW, GetFileVersionInfoSizeA, GetFileVersionInfoSizeW, GetFileVersionInfoA, GetFileVersionInfoW
kernel32.dll	lstrlenW, lstrcmpiW, lstrcmpA, WriteFile, WideCharToMultiByte, WaitForSingleObject, WaitForMultipleObjectsEx, VirtualQueryEx, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, UnmapViewOfFile, TerminateThread, TerminateProcess, SystemTimeToFileTime, SwitchToThread, SuspendThread, Sleep, SizeofResource, SetUnhandledExceptionFilter, SetThreadPriority, SetThreadLocale, SetProcessWorkingSetSize, SetNamedPipeHandleState, SetLastError, SetFilePointer, SetFileAttributesA, SetFileAttributesW, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, RemoveDirectoryA, RemoveDirectoryW, ReleaseMutex, ReadProcessMemory, ReadFile, RaiseException, QueryPerformanceFrequency, QueryPerformanceCounter, QueryDosDeviceW, IsDebuggerPresent, OutputDebugStringW, OpenProcess, OpenFileMappingA, OpenFileMappingW, MulDiv, MoveFileExW, MapViewOfFile, LockResource, LocalSize, LocalFree, LocalAlloc, LoadResource, LoadLibraryExA, LoadLibraryA, LoadLibraryW, LeaveCriticalSection, IsValidLocale, IsBadReadPtr, InitializeCriticalSection, HeapFree, HeapDestroy, HeapCreate, HeapAlloc, GlobalUnlock, GlobalSize, GlobalMemoryStatus, GlobalLock, GlobalFree, GlobalFindAtomW, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomW, GetWindowsDirectoryA, GetWindowsDirectoryW, GetVolumeInformationW, GetVersionExA, GetVersionExW, GetVersion, GetTickCount, GetThreadPriority, GetThreadLocale, GetThreadContext, GetTempPathA, GetTempPathW, GetSystemTime, GetSystemDirectoryW, GetStdHandle, GetProcAddress, GetPriorityClass, GetModuleHandleA, GetModuleHandleW, GetModuleFileNameA, GetModuleFileNameW, GetLogicalDriveStringsW, GetLocaleInfoA, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileTime, GetFileSize, GetFileAttributesExW, GetFileAttributesA, GetFileAttributesW, GetExitCodeThread, GetEnvironmentVariableW, GetDriveTypeW, GetDiskFreeSpaceA, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetCurrentDirectoryA, GetCurrentDirectoryW, GetComputerNameA, GetComputerNameW, GetCommandLineA, GetCommandLineW, GetCPInfoExW, GetCPInfo, GetACP, FreeResource, InterlockedIncrement, InterlockedExchange, InterlockedDecrement, InterlockedCompareExchange, FreeLibrary, FormatMessageA, FormatMessageW, FlushInstructionCache, FindResourceA, FindResourceW, FindNextFileA, FindNextFileW, FindFirstFileA, FindFirstFileW, FindClose, FileTimeToSystemTime, FileTimeToLocalFileTime, FileTimeToDosDateTime, ExpandEnvironmentStringsA, ExpandEnvironmentStringsW, ExitThread, ExitProcess, EnumCalendarInfoW, EnterCriticalSection, DuplicateHandle, DeviceIoControl, DeleteFileA, DeleteFileW, DeleteCriticalSection, CreateThread, CreateProcessA, CreateProcessW, CreatePipe, CreateMutexA, CreateMutexW, CreateFileMappingA, CreateFileMappingW, CreateFileA, CreateFileW, CreateEventA, CreateEventW, CreateDirectoryA, CreateDirectoryW, CopyFileA, CopyFileW, CompareStringA, CompareStringW, CloseHandle, Beep
advapi32.dll	SetSecurityDescriptorDacl, RegSetValueExA, RegSetValueExW, RegQueryValueExA, RegQueryValueExW, RegQueryInfoKeyW, RegOpenKeyExA, RegOpenKeyExW, RegFlushKey, RegEnumValueW, RegEnumKeyExW, RegDeleteValueA, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExA, RegCreateKeyExW, RegCloseKey, OpenProcessToken, InitializeSecurityDescriptor, GetUserNameA, GetUserNameW, GetTokenInformation, FreeSid, AllocateAndInitializeSid
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
oleaut32.dll	GetErrorInfo, SysFreeString
ole32.dll	CreateStreamOnHGlobal, ReleaseStgMedium, OleGetClipboard, OleSetClipboard, DoDragDrop, RevokeDragDrop, RegisterDragDrop, OleUninitialize, OleInitialize, CreateDataAdviseHolder, CoTaskMemFree, CoTaskMemAlloc, StringFromCLSID, CoCreateInstance, CoDisconnectObject, CoUninitialize, CoInitializeEx, CoInitialize, IsEqualGUID
comctl32.dll	InitializeFlatSB, FlatSB_SetScrollProp, FlatSB_SetScrollPos, FlatSB_SetScrollInfo, FlatSB_GetScrollPos, FlatSB_GetScrollInfo, _TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_GetIcon, ImageList_Remove, ImageList_DrawIndirect, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
shell32.dll	SHGetFileInfoW, ShellExecuteExA, ShellExecuteA, ShellExecuteW, Shell_NotifyIconW, SHAppBarMessage, ExtractIconW, DragQueryFileW
shell32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHGetMalloc, SHGetDesktopFolder, SHBrowseForFolderW
comdlg32.dll	PrintDlgW, GetSaveFileNameA, GetSaveFileNameW, GetOpenFileNameW
wsock32.dll	WSACleanup, WSAStartup, WSAGetLastError, gethostbyname, socket, setsockopt, sendto, send, select, recvfrom, recv, ioctlsocket, inet_addr, htons, connect, closesocket, bind
kernel32.dll	RtlUnwind
shell32.dll	SHGetPathFromIDListA, SHGetSpecialFolderLocation, SHGetMalloc
user32.dll	EnumDisplayMonitors, GetMonitorInfoW, MonitorFromPoint, MonitorFromWindow
msvcrt.dll	memset, memcpy
winmm.dll	timeGetTime, sndPlaySoundW, PlaySoundW
oleacc.dll	LresultFromObject
GDI32.DLL	GetRandomRgn
ole32.dll	CoCreateInstance
user32.dll	PrivateExtractIconsW

Exports

Name	Ordinal	Address
TMethodImplementationIntercept	2	0x4c6324
madTraceProcess	1	0x49b8e4

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Spanish	Argentina
German	Germany

Target ID:	0
Start time:	17:21:15
Start date:	01/05/2024
Path:	C:\Users\user\Desktop\WggZw957eT.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\WggZw957eT.exe"
Imagebase:	0x400000
File size:	5'892'944 bytes
MD5 hash:	DAC0DCB27FAEE13ABE4F3A6CA8B8D157
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000000.1415289609.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1460790930.0000000005AF1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000002.1456718573.0000000004B41000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	17:21:18
Start date:	01/05/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\netsh.exe
Imagebase:	0x15c0000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000002.1710839057.0000000006250000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.1710460337.0000000005C5E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	17:21:18
Start date:	01/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	17:21:24
Start date:	01/05/2024
Path:	C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe
Imagebase:	0x400000
File size:	5'892'944 bytes
MD5 hash:	DAC0DCB27FAEE13ABE4F3A6CA8B8D157
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe, Author: Joe Security
Antivirus matches:	Detection: 50%, ReversingLabs Detection: 59%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	17:21:24
Start date:	01/05/2024
Path:	C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe
Imagebase:	0x400000
File size:	5'892'944 bytes
MD5 hash:	DAC0DCB27FAEE13ABE4F3A6CA8B8D157
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	17:21:27
Start date:	01/05/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\netsh.exe
Imagebase:	0x15c0000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000006.00000002.1806775372.00000000051E5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000006.00000002.1807110229.0000000005770000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	17:21:27
Start date:	01/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	17:21:38
Start date:	01/05/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0x730000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 0000000B.00000002.1817979458.0000000000171000.00000020.00000001.01000000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000B.00000002.1818871104.0000000004EFC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	17:21:44
Start date:	01/05/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0x730000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 0000000C.00000002.1805311134.0000000002E81000.00000020.00000001.01000000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000C.00000002.1806222806.0000000004F9B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	17:21:45
Start date:	01/05/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 488
Imagebase:	0x1a0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 04ED20A2 Relevance: 11.5, Strings: 8, Instructions: 1523COMMON

Download Yara Rule

Strings

4F, xrefs: 04ED32B4
4F, xrefs: 04ED219A
4F, xrefs: 04ED224F
4F, xrefs: 04ED2149
4F, xrefs: 04ED3324
4F, xrefs: 04ED327C
4F, xrefs: 04ED216A
4F, xrefs: 04ED2273

Memory Dump Source

Source File: 0000000B.00000002.1818871104.0000000004EB3000.00000004.00000800.00020000.00000000.sdmp, Offset: 04EB3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4eb3000_explorer.jbxd

Similarity

API ID:
String ID: 4F$ 4F$ 4F$ 4F$ 4F$ 4F$ 4F$ 4F
API String ID: 0-3703517576
Opcode ID: 0d87d9ce57303822d36bd737f92b79bd09f4438160395695a0c75a84f95793b6
Instruction ID: 47b37583a1d0cb997467b4aac6319fd696d52d868e4db8d2b1816835ac1f2043
Opcode Fuzzy Hash: 0d87d9ce57303822d36bd737f92b79bd09f4438160395695a0c75a84f95793b6
Instruction Fuzzy Hash: 9FB259B5B043016BE724EF24DC81A7A7691FB85308F14993EF946C7690EB79F803875A

Uniqueness

Uniqueness Score: -1.00%

Function 04ED3B42 Relevance: 7.5, Strings: 4, Instructions: 2513COMMON

Download Yara Rule

Strings

gfff, xrefs: 04ED4C76
4F, xrefs: 04ED5028
4F, xrefs: 04ED509E
4F, xrefs: 04ED4FEC

Memory Dump Source

Source File: 0000000B.00000002.1818871104.0000000004EB3000.00000004.00000800.00020000.00000000.sdmp, Offset: 04EB3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4eb3000_explorer.jbxd

Similarity

API ID:
String ID: 4F$ 4F$ 4F$gfff
API String ID: 0-2384452950
Opcode ID: d42a00bbdc4e9b207bcd9c2cb1da7f197f4ab29db88a16e9ff66627b73762fef
Instruction ID: d1d6f603d35e2a4610e009e9c2887b897fd4d2c0b1769a70bb3e8df5872d7d4c
Opcode Fuzzy Hash: d42a00bbdc4e9b207bcd9c2cb1da7f197f4ab29db88a16e9ff66627b73762fef
Instruction Fuzzy Hash: 130347B6B042016BE718EF28EC41A7A3795FB84314F14963EF919C72D0FB39E9068756

Uniqueness

Uniqueness Score: -1.00%

Function 04EBF792 Relevance: 2.1, Strings: 1, Instructions: 803COMMON

Download Yara Rule

Strings

K, xrefs: 04EBFCFA

Memory Dump Source

Source File: 0000000B.00000002.1818871104.0000000004EB3000.00000004.00000800.00020000.00000000.sdmp, Offset: 04EB3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4eb3000_explorer.jbxd

Similarity

API ID:
String ID: K
API String ID: 0-856455061
Opcode ID: 2de6c9d164f3117b86a138c62c406f856e539d8ce89ebf48cb81af45d0cde882
Instruction ID: 569763907f226e1667c6adbc98b4c18727b277366de6f4b016485c8487fbafc5
Opcode Fuzzy Hash: 2de6c9d164f3117b86a138c62c406f856e539d8ce89ebf48cb81af45d0cde882
Instruction Fuzzy Hash: 00424775B082406FE714DF28EC81BAB7B91AB85318F04953DE889CB391E735F5068B99

Uniqueness

Uniqueness Score: -1.00%

Function 04EDF62A Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1818871104.0000000004EB3000.00000004.00000800.00020000.00000000.sdmp, Offset: 04EB3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4eb3000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction ID: ec893206b1f91e89f8c9be5c8087ba1c02cc8f2c80be806873f126dccb73d964
Opcode Fuzzy Hash: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction Fuzzy Hash: 01B16975A0020ADFDB15CF04C5D0AA8BBA1FF48318F24C5AED85A5B796D731FA46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 04EBC982 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1818871104.0000000004EB3000.00000004.00000800.00020000.00000000.sdmp, Offset: 04EB3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4eb3000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4ae696130d774f626a9ea25bfd3738dea878a192abe5df4b387b2f9a66c5967
Instruction ID: e74860d0493c6564a084ac4432dec3c0a9f2777ad20b27659377cf0e2039d2aa
Opcode Fuzzy Hash: c4ae696130d774f626a9ea25bfd3738dea878a192abe5df4b387b2f9a66c5967
Instruction Fuzzy Hash: 73514C33E648364BE334CD55CC4066AA653EFCA215F5BC6B8C9987B75AD974BC0287C0

Uniqueness

Uniqueness Score: -1.00%

Function 04EE8923 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1818871104.0000000004EB3000.00000004.00000800.00020000.00000000.sdmp, Offset: 04EB3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4eb3000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1c3eeca162a3542835423607404bd722d24ab6ca9e875a0fc2cb9a8b5f5a7d0
Instruction ID: ed41b4b9d6e20f5bf8a579c3829e458e7c3cc3085c6ecbef657540f5a79def3f
Opcode Fuzzy Hash: c1c3eeca162a3542835423607404bd722d24ab6ca9e875a0fc2cb9a8b5f5a7d0
Instruction Fuzzy Hash: AD511771E00209DFDB14DFAAC8407EEBBF5FB08308F24A56AE515E7241D375AA45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 04ED5BB2 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1818871104.0000000004EB3000.00000004.00000800.00020000.00000000.sdmp, Offset: 04EB3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4eb3000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88076c0c33e180634602ca5b9fe7fb72fd0f446dc22a1babd929134cb5118fab
Instruction ID: 5b73b0b93be6bb9d2d1fffc599d309c426e8913995a96ba3c9dd44095a59bec5
Opcode Fuzzy Hash: 88076c0c33e180634602ca5b9fe7fb72fd0f446dc22a1babd929134cb5118fab
Instruction Fuzzy Hash: 27418E3160C6814FE72D8F759875677BFE29F8A30074ED6BDD1CBCB692CA64A0068248

Uniqueness

Uniqueness Score: -1.00%

Function 04ED1C92 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1818871104.0000000004EB3000.00000004.00000800.00020000.00000000.sdmp, Offset: 04EB3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4eb3000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57439122785517a4b687d152a8043d6ecce9241d7005916f0d321680f55ad4e8
Instruction ID: 5281d5cc1ea321abc02eabf5fb6d62e9ddd27fd237db8f92a5e6f0988c7f1330
Opcode Fuzzy Hash: 57439122785517a4b687d152a8043d6ecce9241d7005916f0d321680f55ad4e8
Instruction Fuzzy Hash: 4031A1717086814FE71DCF79A865677BBE2DF8A30074EC9BDD48ACB693D660A0068244

Uniqueness

Uniqueness Score: -1.00%

Function 04EB5692 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1818871104.0000000004EB3000.00000004.00000800.00020000.00000000.sdmp, Offset: 04EB3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4eb3000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3585cc5e86e4b4f2c0b231822883ac188ad7ac996d5f3a190238e1ab2981f7b1
Instruction ID: 3aed54436f5767a83b01f55326dea564c088d466d319321e9a1229c6b183aa19
Opcode Fuzzy Hash: 3585cc5e86e4b4f2c0b231822883ac188ad7ac996d5f3a190238e1ab2981f7b1
Instruction Fuzzy Hash: DCC04C7595664CEBC711CB89D541A59B7FCE709650F100195EC0893700D5356E109595

Uniqueness

Uniqueness Score: -1.00%

Function 04EBDEA2 Relevance: 7.8, Strings: 6, Instructions: 275COMMON

Download Yara Rule

Strings

heC, xrefs: 04EBE118
4F, xrefs: 04EBE086
4F, xrefs: 04EBE0F6
4F, xrefs: 04EBE12C
4F, xrefs: 04EBE05C
4F, xrefs: 04EBE0CC

Memory Dump Source

Source File: 0000000B.00000002.1818871104.0000000004EB3000.00000004.00000800.00020000.00000000.sdmp, Offset: 04EB3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4eb3000_explorer.jbxd

Similarity

API ID:
String ID: 4F$ 4F$ 4F$ 4F$ 4F$heC
API String ID: 0-772418692
Opcode ID: ae06115edcb641a05dfcf5b4a5125944856298ee2cabefe28725e30fda5c8ddd
Instruction ID: 9f3a5e167f44b54360ff8391be5742b8fc787e4f9811616116e8b2cc06f52252
Opcode Fuzzy Hash: ae06115edcb641a05dfcf5b4a5125944856298ee2cabefe28725e30fda5c8ddd
Instruction Fuzzy Hash: 52812635B041044BC714CF389C91ABB77D2EB84364B695739F9A6C73D0EA69EE09C394

Uniqueness

Uniqueness Score: -1.00%

Function 04EC61D2 Relevance: 5.1, Strings: 4, Instructions: 112COMMON

Download Yara Rule

Strings

zC, xrefs: 04EC6250
$zC, xrefs: 04EC621D
XfC, xrefs: 04EC61F0
$zC, xrefs: 04EC61E4

Memory Dump Source

Source File: 0000000B.00000002.1818871104.0000000004EB3000.00000004.00000800.00020000.00000000.sdmp, Offset: 04EB3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4eb3000_explorer.jbxd

Similarity

API ID:
String ID: zC$$zC$$zC$XfC
API String ID: 0-782662132
Opcode ID: 0a1c2ec7d78d10629ae3a2b8d9250caed627eeb30eaf1ae287aa479f68fb7010
Instruction ID: fb13bde6758915ce12c8743c10105de670a7682bf02c35556a1f2bdebb403a07
Opcode Fuzzy Hash: 0a1c2ec7d78d10629ae3a2b8d9250caed627eeb30eaf1ae287aa479f68fb7010
Instruction Fuzzy Hash: 5D31C476B1480407872C853CA91192F7AC3EBD8331B69932FF977832E0DFE89D069248

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report WggZw957eT.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Amadey

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_WggZw957eT.exe_9ec955d78fe120ba231ab2a1329d2214fda0_b48c7581_bcd51baf-620c-4809-97ee-7e6859d938bb\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER95E5.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER96E0.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9C7E.tmp.xml

C:\Users\user\AppData\Local\Temp\9e2366f7

C:\Users\user\AppData\Local\Temp\9fd507bc

C:\Users\user\AppData\Local\Temp\a391ff10

C:\Users\user\AppData\Local\Temp\a5236b63

C:\Users\user\AppData\Local\Temp\ahsqcnrtkaiwv

C:\Users\user\AppData\Local\Temp\dqatklnkhkik

C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe

C:\Users\user\AppData\Roaming\Wmx_Launch_x64\XoWatcher.exe:Zone.Identifier

C:\Windows\Tasks\SecurityComv4.job

C:\Windows\appcompat\Programs\Amcache.hve

Windows Analysis Report
WggZw957eT.exe