Status: Clean

Analysis

Category FILE
Package dll
Started 2025-12-09 07:53:34
Completed 2025-12-09 07:53:57
Duration 23 seconds
Options vnc_port=5900
MalScore 1.0

Log(s)

2025-12-06 18:05:29,589 [root] INFO: Date set to: 20251208T23:53:33, timeout set to: 180
2025-12-06 18:05:29,589 [root] DEBUG: Starting analyzer from: C:\tmpodgh_435
2025-12-06 18:05:29,589 [root] DEBUG: Storing results at: C:\obthVYLcwy
2025-12-06 18:05:29,605 [root] DEBUG: Pipe server name: \\.\PIPE\qUjtiY
2025-12-06 18:05:29,605 [root] DEBUG: Python path: C:\Python38
2025-12-06 18:05:29,605 [root] INFO: analysis running as a normal user
2025-12-06 18:05:29,605 [root] INFO: analysis package specified: "dll"
2025-12-06 18:05:29,605 [root] DEBUG: importing analysis package module: "modules.packages.dll"...
2025-12-06 18:05:29,605 [root] DEBUG: imported analysis package "dll"
2025-12-06 18:05:29,605 [root] DEBUG: initializing analysis package "dll"...
2025-12-06 18:05:29,605 [lib.common.common] INFO: wrapping
2025-12-06 18:05:29,605 [lib.core.compound] INFO: C:\Users\user\AppData\Local\Temp already exists, skipping creation
2025-12-06 18:05:29,605 [root] DEBUG: New location of moved file: C:\Users\user\AppData\Local\Temp\wgxman.dll
2025-12-06 18:05:29,605 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL option
2025-12-06 18:05:29,605 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL_64 option
2025-12-06 18:05:29,605 [root] INFO: Analyzer: Package modules.packages.dll does not specify a loader option
2025-12-06 18:05:29,605 [root] INFO: Analyzer: Package modules.packages.dll does not specify a loader_64 option
2025-12-06 18:05:29,620 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-12-06 18:05:29,620 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain"
2025-12-06 18:05:29,620 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-12-06 18:05:29,636 [root] DEBUG: Imported auxiliary module "modules.auxiliary.during_script"
2025-12-06 18:05:29,636 [root] DEBUG: Imported auxiliary module "modules.auxiliary.end_noisy_tasks"
2025-12-06 18:05:29,636 [root] DEBUG: Imported auxiliary module "modules.auxiliary.evtx"
2025-12-06 18:05:29,636 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-12-06 18:05:29,636 [root] DEBUG: Imported auxiliary module "modules.auxiliary.pre_script"
2025-12-06 18:05:29,636 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-12-06 18:05:29,652 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2025-12-06 18:05:29,652 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2025-12-06 18:05:29,667 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-12-06 18:05:29,667 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon"
2025-12-06 18:05:29,667 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-12-06 18:05:29,667 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage"
2025-12-06 18:05:29,667 [root] DEBUG: Initialized auxiliary module "Browser"
2025-12-06 18:05:29,667 [root] DEBUG: attempting to configure 'Browser' from data
2025-12-06 18:05:29,667 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-12-06 18:05:29,667 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-12-06 18:05:29,667 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-12-06 18:05:29,667 [root] DEBUG: Initialized auxiliary module "Curtain"
2025-12-06 18:05:29,667 [root] DEBUG: attempting to configure 'Curtain' from data
2025-12-06 18:05:29,667 [root] DEBUG: module Curtain does not support data configuration, ignoring
2025-12-06 18:05:29,667 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.curtain"...
2025-12-06 18:05:29,667 [root] DEBUG: Started auxiliary module modules.auxiliary.curtain
2025-12-06 18:05:29,667 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-12-06 18:05:29,667 [root] DEBUG: attempting to configure 'Disguise' from data
2025-12-06 18:05:29,667 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-12-06 18:05:29,667 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-12-06 18:05:29,667 [root] WARNING: Cannot execute auxiliary module modules.auxiliary.disguise: [WinError 5] Access is denied
2025-12-06 18:05:29,667 [root] DEBUG: Initialized auxiliary module "End_noisy_tasks"
2025-12-06 18:05:29,667 [root] DEBUG: attempting to configure 'End_noisy_tasks' from data
2025-12-06 18:05:29,667 [root] DEBUG: module End_noisy_tasks does not support data configuration, ignoring
2025-12-06 18:05:29,667 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.end_noisy_tasks"...
2025-12-06 18:05:29,667 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM wuauclt.exe
2025-12-06 18:05:29,667 [root] DEBUG: Started auxiliary module modules.auxiliary.end_noisy_tasks
2025-12-06 18:05:29,667 [root] DEBUG: Initialized auxiliary module "Evtx"
2025-12-06 18:05:29,667 [root] DEBUG: attempting to configure 'Evtx' from data
2025-12-06 18:05:29,667 [root] DEBUG: module Evtx does not support data configuration, ignoring
2025-12-06 18:05:29,667 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.evtx"...
2025-12-06 18:05:29,667 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Security State Change" /success:enable /failure:enable
2025-12-06 18:05:29,667 [root] DEBUG: Started auxiliary module modules.auxiliary.evtx
2025-12-06 18:05:29,667 [root] DEBUG: Initialized auxiliary module "Human"
2025-12-06 18:05:29,667 [root] DEBUG: attempting to configure 'Human' from data
2025-12-06 18:05:29,667 [root] DEBUG: module Human does not support data configuration, ignoring
2025-12-06 18:05:29,667 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-12-06 18:05:29,667 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-12-06 18:05:29,667 [root] DEBUG: Initialized auxiliary module "Pre_script"
2025-12-06 18:05:29,667 [root] DEBUG: attempting to configure 'Pre_script' from data
2025-12-06 18:05:29,667 [root] DEBUG: module Pre_script does not support data configuration, ignoring
2025-12-06 18:05:29,667 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.pre_script"...
2025-12-06 18:05:29,667 [root] DEBUG: Started auxiliary module modules.auxiliary.pre_script
2025-12-06 18:05:29,667 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-12-06 18:05:29,667 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-12-06 18:05:29,667 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-12-06 18:05:29,667 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-12-06 18:05:29,667 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-12-06 18:05:29,667 [root] DEBUG: Initialized auxiliary module "Sysmon"
2025-12-06 18:05:29,667 [root] DEBUG: attempting to configure 'Sysmon' from data
2025-12-06 18:05:29,667 [root] DEBUG: module Sysmon does not support data configuration, ignoring
2025-12-06 18:05:29,667 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.sysmon"...
2025-12-06 18:05:29,745 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable
2025-12-06 18:05:29,777 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM wusa.exe
2025-12-06 18:05:29,792 [root] WARNING: Cannot execute auxiliary module modules.auxiliary.sysmon: In order to use the Sysmon functionality, it is required to have the SMaster(64|32).exe file and sysmonconfig-export.xml file in the bin path. Note that the SMaster(64|32).exe files are just the standard Sysmon binaries renamed to avoid anti-analysis detection techniques.
2025-12-06 18:05:29,792 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-12-06 18:05:29,792 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-12-06 18:05:29,792 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-12-06 18:05:29,792 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-12-06 18:05:29,792 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 672
2025-12-06 18:05:29,792 [lib.api.process] WARNING: failed to open process 672
2025-12-06 18:05:29,792 [lib.api.process] WARNING: failed to open process 672
2025-12-06 18:05:29,792 [lib.api.process] WARNING: failed to open process 672
2025-12-06 18:05:29,792 [lib.api.process] DEBUG: Failed getting image name for pid 672
2025-12-06 18:05:29,792 [lib.api.process] WARNING: failed to open process 672
2025-12-06 18:05:29,792 [lib.api.process] DEBUG: Failed getting image name for pid 672
2025-12-06 18:05:29,792 [lib.api.process] DEBUG: Failed getting exit code for <Process 672 ???>
2025-12-06 18:05:29,792 [lib.api.process] WARNING: failed to open process 672
2025-12-06 18:05:29,792 [lib.api.process] DEBUG: Failed getting image name for pid 672
2025-12-06 18:05:29,792 [lib.api.process] WARNING: failed to open process 672
2025-12-06 18:05:29,792 [lib.api.process] DEBUG: Failed getting image name for pid 672
2025-12-06 18:05:29,792 [lib.api.process] WARNING: the <Process 672 ???> is not alive, injection aborted
2025-12-06 18:05:29,792 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable
2025-12-06 18:05:29,792 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump
2025-12-06 18:05:29,792 [root] DEBUG: Initialized auxiliary module "Usage"
2025-12-06 18:05:29,792 [root] DEBUG: attempting to configure 'Usage' from data
2025-12-06 18:05:29,792 [root] DEBUG: module Usage does not support data configuration, ignoring
2025-12-06 18:05:29,792 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.usage"...
2025-12-06 18:05:29,792 [root] DEBUG: Started auxiliary module modules.auxiliary.usage
2025-12-06 18:05:29,792 [root] DEBUG: Initialized auxiliary module "During_script"
2025-12-06 18:05:29,792 [root] DEBUG: attempting to configure 'During_script' from data
2025-12-06 18:05:29,792 [root] DEBUG: module During_script does not support data configuration, ignoring
2025-12-06 18:05:29,792 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.during_script"...
2025-12-06 18:05:29,792 [root] DEBUG: Started auxiliary module modules.auxiliary.during_script
2025-12-06 18:05:29,839 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"IPsec Driver" /success:disable /failure:disable
2025-12-06 18:05:29,839 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM WindowsUpdate.exe
2025-12-06 18:05:29,886 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other System Events" /success:disable /failure:enable
2025-12-06 18:05:29,917 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM GoogleUpdate.exe
2025-12-06 18:05:29,933 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Logon" /success:enable /failure:enable
2025-12-06 18:05:29,964 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Logoff" /success:enable /failure:enable
2025-12-06 18:05:29,980 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM MicrosoftEdgeUpdate.exe
2025-12-06 18:05:29,995 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
2025-12-06 18:05:30,042 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"IPsec Main Mode" /success:disable /failure:disable
2025-12-06 18:05:30,042 [root] INFO: Restarting WMI Service
2025-12-06 18:05:30,074 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"IPsec Quick Mode" /success:disable /failure:disable
2025-12-06 18:05:30,089 [modules.auxiliary.end_noisy_tasks] DEBUG: Command executed with exit code 1: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v DisableWindowsUpdateAccess /t REG_DWORD /d 1 /f
2025-12-06 18:05:30,089 [root] DEBUG: package modules.packages.dll does not support configure, ignoring
2025-12-06 18:05:30,089 [root] WARNING: configuration error for package modules.packages.dll: error importing data.packages.dll: No module named 'data.packages'
2025-12-06 18:05:30,089 [lib.core.compound] INFO: C:\Users\user\AppData\Local\Temp already exists, skipping creation
2025-12-06 18:05:30,089 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\System32\rundll32.exe" with arguments ""C:\Users\user\AppData\Local\Temp\wgxman.dll",#1" with pid 1936
2025-12-06 18:05:30,089 [lib.api.process] INFO: Monitor config for <Process 1936 rundll32.exe>: C:\tmpodgh_435\dll\1936.ini
2025-12-06 18:05:30,105 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpodgh_435\dll\uEkYutNh.dll, loader C:\tmpodgh_435\bin\excVWoS.exe
2025-12-06 18:05:30,105 [root] DEBUG: Loader: Injecting process 1936 (thread 1072) with C:\tmpodgh_435\dll\uEkYutNh.dll.
2025-12-06 18:05:30,105 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-12-06 18:05:30,105 [root] DEBUG: Successfully injected DLL C:\tmpodgh_435\dll\uEkYutNh.dll.
2025-12-06 18:05:30,105 [lib.api.process] INFO: Injected into 32-bit <Process 1936 rundll32.exe>
2025-12-06 18:05:30,121 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"IPsec Extended Mode" /success:disable /failure:disable
2025-12-06 18:05:30,136 [modules.auxiliary.end_noisy_tasks] DEBUG: Command executed with exit code 1: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
2025-12-06 18:05:30,152 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable
2025-12-06 18:05:30,167 [modules.auxiliary.end_noisy_tasks] DEBUG: Command executed with exit code 1: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v EnableICMPRedirect /t REG_DWORD /d 0 /f
2025-12-06 18:05:30,183 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
2025-12-06 18:05:30,199 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Special Logon" /success:enable /failure:enable
2025-12-06 18:05:30,230 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"File System" /success:enable /failure:enable
2025-12-06 18:05:30,261 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Registry" /success:enable /failure:enable
2025-12-06 18:05:30,292 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Kernel Object" /success:enable /failure:enable
2025-12-06 18:05:30,308 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"SAM" /success:disable /failure:disable
2025-12-06 18:05:30,339 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
2025-12-06 18:05:30,371 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Handle Manipulation" /success:disable /failure:disable
2025-12-06 18:05:30,402 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Application Generated" /success:enable /failure:enable
2025-12-06 18:05:30,417 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"File Share" /success:enable /failure:enable
2025-12-06 18:05:30,449 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
2025-12-06 18:05:30,480 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable
2025-12-06 18:05:30,511 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Object Access Events" /success:disable /failure:disable
2025-12-06 18:05:30,527 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Sensitive Privilege Use" /success:disable /failure:disable
2025-12-06 18:05:30,558 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Non Sensitive Privilege Use" /success:disable /failure:disable
2025-12-06 18:05:30,589 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Privilege Use Events" /success:disable /failure:disable
2025-12-06 18:05:30,621 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"RPC Events" /success:enable /failure:enable
2025-12-06 18:05:30,636 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
2025-12-06 18:05:30,668 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable
2025-12-06 18:05:30,699 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:disable /failure:disable
2025-12-06 18:05:30,714 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Filtering Platform Policy Change" /success:disable /failure:disable
2025-12-06 18:05:30,746 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Policy Change Events" /success:disable /failure:enable
2025-12-06 18:05:30,777 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
2025-12-06 18:05:30,808 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable
2025-12-06 18:05:30,824 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
2025-12-06 18:05:30,855 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Distribution Group Management" /success:enable /failure:enable
2025-12-06 18:05:30,886 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Application Group Management" /success:enable /failure:enable
2025-12-06 18:05:30,917 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Account Management Events" /success:enable /failure:enable
2025-12-06 18:05:30,933 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable
2025-12-06 18:05:30,964 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
2025-12-06 18:05:30,995 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Directory Service Replication" /success:disable /failure:enable
2025-12-06 18:05:31,011 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Detailed Directory Service Replication" /success:disable /failure:disable
2025-12-06 18:05:31,042 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
2025-12-06 18:05:31,073 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable
2025-12-06 18:05:31,105 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Account Logon Events" /success:enable /failure:enable
2025-12-06 18:05:31,120 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
2025-12-06 18:05:31,151 [modules.auxiliary.evtx] DEBUG: Wiping Application
2025-12-06 18:05:31,183 [modules.auxiliary.evtx] DEBUG: Wiping HardwareEvents
2025-12-06 18:05:31,198 [modules.auxiliary.evtx] DEBUG: Wiping Internet Explorer
2025-12-06 18:05:31,230 [modules.auxiliary.evtx] DEBUG: Wiping Key Management Service
2025-12-06 18:05:31,261 [modules.auxiliary.evtx] DEBUG: Wiping OAlerts
2025-12-06 18:05:31,277 [modules.auxiliary.evtx] DEBUG: Wiping Security
2025-12-06 18:05:31,308 [modules.auxiliary.evtx] DEBUG: Wiping Setup
2025-12-06 18:05:31,339 [modules.auxiliary.evtx] DEBUG: Wiping System
2025-12-06 18:05:31,355 [modules.auxiliary.evtx] DEBUG: Wiping Windows PowerShell
2025-12-06 18:05:31,386 [modules.auxiliary.evtx] DEBUG: Wiping Microsoft-Windows-Sysmon/Operational
2025-12-06 18:05:32,120 [lib.api.process] INFO: Successfully resumed <Process 1936 rundll32.exe>
2025-12-06 18:05:32,152 [root] DEBUG: 1936: Python path set to 'C:\Python38'.
2025-12-06 18:05:32,152 [root] INFO: Disabling sleep skipping.
2025-12-06 18:05:32,152 [root] DEBUG: 1936: Dropped file limit defaulting to 100.
2025-12-06 18:05:32,167 [root] DEBUG: 1936: YaraInit: Compiled 41 rule files
2025-12-06 18:05:32,167 [root] DEBUG: 1936: YaraInit: Compiled rules saved to file C:\tmpodgh_435\data\yara\capemon.yac
2025-12-06 18:05:32,167 [root] DEBUG: 1936: YaraScan: Scanning 0x00750000, size 0x136e8
2025-12-06 18:05:32,167 [root] DEBUG: Error 5 (0x5) - AmsiDumper: Is CAPE agent running elevated? Initialisation failed: Access is denied.
2025-12-06 18:05:32,167 [root] DEBUG: 1936: Monitor initialised: 32-bit capemon loaded in process 1936 at 0x73a20000, thread 1072, image base 0x750000, stack from 0x474000-0x480000
2025-12-06 18:05:32,167 [root] DEBUG: 1936: Commandline: "C:\Windows\System32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\wgxman.dll",#1
2025-12-06 18:05:32,167 [root] DEBUG: 1936: GetAddressByYara: ModuleBase 0x775E0000 FunctionName LdrpCallInitRoutine
2025-12-06 18:05:32,183 [root] DEBUG: 1936: hook_api: LdrpCallInitRoutine export address 0x77652A30 obtained via GetFunctionAddress
2025-12-06 18:05:32,183 [root] DEBUG: 1936: hook_api: Warning - CreateProcessA export address 0x76F64110 differs from GetProcAddress -> 0x73CF22A0 (AcLayers.DLL::0x222a0)
2025-12-06 18:05:32,183 [root] DEBUG: 1936: hook_api: Warning - CreateProcessW export address 0x76F488E0 differs from GetProcAddress -> 0x73CF24E0 (AcLayers.DLL::0x224e0)
2025-12-06 18:05:32,183 [root] DEBUG: 1936: hook_api: Warning - WinExec export address 0x76F8E1C0 differs from GetProcAddress -> 0x73CF27A0 (AcLayers.DLL::0x227a0)
2025-12-06 18:05:32,183 [root] DEBUG: 1936: hook_api: Warning - CreateRemoteThreadEx export address 0x76FC866C differs from GetProcAddress -> 0x774C7630 (KERNELBASE.dll::0x137630)
2025-12-06 18:05:32,183 [root] DEBUG: 1936: hook_api: Warning - CoCreateInstance export address 0x7595569D differs from GetProcAddress -> 0x75E595D0 (combase.dll::0xd95d0)
2025-12-06 18:05:32,183 [root] DEBUG: 1936: hook_api: Warning - CoCreateInstanceEx export address 0x759556DC differs from GetProcAddress -> 0x75E3C540 (combase.dll::0xbc540)
2025-12-06 18:05:32,183 [root] DEBUG: 1936: hook_api: Warning - CoGetClassObject export address 0x75955C6C differs from GetProcAddress -> 0x75E251A0 (combase.dll::0xa51a0)
2025-12-06 18:05:32,183 [root] DEBUG: 1936: hook_api: Warning - UpdateProcThreadAttribute export address 0x76FCFFD2 differs from GetProcAddress -> 0x774947B0 (KERNELBASE.dll::0x1047b0)
2025-12-06 18:05:32,183 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2025-12-06 18:05:32,183 [root] DEBUG: 1936: set_hooks: Unable to hook GetCommandLineA
2025-12-06 18:05:32,183 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2025-12-06 18:05:32,183 [root] DEBUG: 1936: set_hooks: Unable to hook GetCommandLineW
2025-12-06 18:05:32,183 [root] DEBUG: 1936: hook_api: Warning - CLSIDFromProgID export address 0x75954ED6 differs from GetProcAddress -> 0x75DF16A0 (combase.dll::0x716a0)
2025-12-06 18:05:32,183 [root] DEBUG: 1936: hook_api: Warning - CLSIDFromProgIDEx export address 0x75954F13 differs from GetProcAddress -> 0x75DF0500 (combase.dll::0x70500)
2025-12-06 18:05:32,183 [root] DEBUG: 1936: Hooked 611 out of 613 functions
2025-12-06 18:05:32,183 [root] DEBUG: 1936: Syscall hook installed, syscall logging level 1
2025-12-06 18:05:32,183 [root] DEBUG: 1936: WoW64fix: Windows version 10.0 not supported.
2025-12-06 18:05:32,198 [root] INFO: Loaded monitor into process with pid 1936
2025-12-06 18:05:32,198 [root] DEBUG: 1936: caller_dispatch: Added region at 0x00750000 to tracked regions list (ntdll::memcpy returns to 0x00755F1A, thread 1072).
2025-12-06 18:05:32,198 [root] DEBUG: 1936: YaraScan: Scanning 0x00750000, size 0x136e8
2025-12-06 18:05:32,198 [root] DEBUG: 1936: ProcessImageBase: Main module image at 0x00750000 unmodified (entropy change 0.000000e+00)
2025-12-06 18:05:32,198 [root] DEBUG: 1936: InstrumentationCallback: Added region at 0x76F30000 to tracked regions list (thread 1072).
2025-12-06 18:05:32,198 [root] DEBUG: 1936: DLL loaded at 0x75440000: C:\Windows\SYSTEM32\iphlpapi (0x33000 bytes).
2025-12-06 18:05:32,198 [root] DEBUG: 1936: Target DLL loaded at 0x06FE0000: C:\Users\user\AppData\Local\Temp\wgxman (0x1a000 bytes).
2025-12-06 18:05:32,198 [root] DEBUG: 1936: YaraScan: Scanning 0x06FE0000, size 0x18d8c
2025-12-06 18:05:32,198 [root] DEBUG: 1936: caller_dispatch: Added region at 0x06FE0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x06FED58D, thread 1072).
2025-12-06 18:05:32,198 [root] DEBUG: 1936: caller_dispatch: Scanning calling region at 0x06FE0000...
2025-12-06 18:05:32,198 [root] DEBUG: 1936: DLL loaded at 0x750B0000: C:\Windows\system32\uxtheme (0x74000 bytes).
2025-12-06 18:05:32,214 [root] DEBUG: 1936: DLL loaded at 0x76E50000: C:\Windows\System32\MSCTF (0xd4000 bytes).
2025-12-06 18:05:32,214 [root] DEBUG: 1936: InstrumentationCallback: Added region at 0x77390000 to tracked regions list (thread 1072).
2025-12-06 18:05:32,214 [root] DEBUG: 1936: Target DLL unloading from 0x06FE0000: Skipping dump as code is identical on disk.
2025-12-06 18:05:32,214 [root] INFO: Process with pid 1936 has terminated
2025-12-06 18:05:38,214 [root] INFO: Process list is empty, terminating analysis
2025-12-06 18:05:39,230 [root] INFO: Created shutdown mutex
2025-12-06 18:05:40,245 [root] INFO: Shutting down package
2025-12-06 18:05:40,245 [root] INFO: Stopping auxiliary modules
2025-12-06 18:05:40,245 [root] INFO: Stopping auxiliary module: Browser
2025-12-06 18:05:40,245 [root] INFO: Stopping auxiliary module: Curtain
2025-12-06 18:05:40,245 [modules.auxiliary.curtain] ERROR: Curtain - Error collecting PowerShell events - [Errno 13] Permission denied: 'C:\\curtain.log'
2025-12-06 18:05:40,245 [modules.auxiliary.curtain] ERROR: Curtain log file not found!
2025-12-06 18:05:40,245 [root] INFO: Stopping auxiliary module: End_noisy_tasks
2025-12-06 18:05:40,245 [root] INFO: Stopping auxiliary module: Evtx
2025-12-06 18:05:40,245 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Application.evtx to zip dump
2025-12-06 18:05:40,245 [root] WARNING: Cannot terminate auxiliary module Evtx: [Errno 13] Permission denied: 'C:/windows/Sysnative/winevt/Logs\\Application.evtx'
2025-12-06 18:05:40,245 [root] INFO: Stopping auxiliary module: Human
2025-12-06 18:05:43,808 [root] INFO: Stopping auxiliary module: Pre_script
2025-12-06 18:05:43,808 [root] INFO: Stopping auxiliary module: Screenshots
2025-12-06 18:05:44,824 [root] INFO: Stopping auxiliary module: Usage
2025-12-06 18:05:45,917 [root] INFO: Stopping auxiliary module: During_script
2025-12-06 18:05:45,917 [root] INFO: Finishing auxiliary modules
2025-12-06 18:05:45,917 [root] INFO: Shutting down pipe server and dumping dropped files
2025-12-06 18:05:45,917 [root] WARNING: Folder at path "C:\obthVYLcwy\debugger" does not exist, skipping
2025-12-06 18:05:45,917 [root] WARNING: Folder at path "C:\obthVYLcwy\tlsdump" does not exist, skipping
2025-12-06 18:05:45,917 [root] INFO: Analysis completed
Machine

Name win10-64bit-tiny-1
Label win10-64bit-tiny-1
Manager KVM
Started On 2025-12-09 07:53:34
Shutdown On 2025-12-09 07:53:57

File Details

File Name wgxman.dll
File Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
File Size 91016 bytes
MD5 b4f12a7be68d71f9645b789ccdc20561
SHA1 ef3e558ecb313a74eeafca3f99b7d4e038e11516
SHA256 1c0cf69bce6fb6ec59be3044d35d3a130acddbbf9288d7bc58b7bb87c0a4fb97
SHA3-384 3900e01baf3ba26d92b2c665c1ead668d7f0c7d75d385acfb4617a662decd14a358564be94d11e5b5414d26f9311ebae
CRC32 037CFE4C
TLSH T1D3938D52F7C1C0B2D8538A3D5176C7324B7ABA402B79C4E737981DCD9E227E1A63A316
Ssdeep 1536:RxOHyRtyd+624O2sSd/894mPOfzc4ILUHe936593VQtZe4d86NIJmoA:RxdR4d+v4Dz1IXV65V2tHdjem
3A4d4
.Class 3 Public Primary Certification Authority0
VeriSign, Inc.1
g_fDhcpReleaseParameters is NULL!
Sunday
LoadLibraryExW
GetCPInfo
Nothing in working Queue!
YYt SVW
VS_VERSION_INFO
v#Whx
t$$VSS
=,>4>G>N>e>
; ;(;0;<;`;h;v;
Association Complete!
;NAC.
YYt:V
- CRT not initialized
GetLocaleInfoA
282X2t2x2
Stop Thread Event Received!
Sleep
- Attempt to initialize the CRT more than once.
WgxSetGlobalFilter
u6SSj
WgxGetDirectMode
QueryPerformanceCounter
040716000000Z
Z0X03
D$4QRP
90705
ServicesActive
\\.\WGX
TlsFree
RSSj$
WgxSetMulticastMode
727C7
URPQQhH
T$ Rj
6$6:6O6U6^6e6
WgxGetAdapterNameA
4a4i4
;t$,v-
Saturday
InstallWgx
071124235959Z0
L$T;H
7"8*8/848L8Z8_8e8
@PVSS
"VeriSign Time Stamping Services CA
EncodePointer
G8j@h
WgxGetPromiscuousMode
y>]r}
- not enough space for stdio initialization
9] SS
EnterCriticalSection
="=A=H=d=
NdisFOidRequest
5"5'5-5
GetFileType
0WWWWW
GetStdHandle
TSA2048-1-530
R6028
%d.%d.%d.%d
WgxReceiveThread Stops!
CreateSemaphoreW
\Device\
WgxGetGlobalFilter
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
Y]_^[
"http://crl.verisign.com/tss-ca.crl0
T$ RP
WgxSetLocalTrafficMode
R6018
GetCurrentProcess
DhcpRegisterParamChange
6+696H6
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
R6025
- pure virtual function call
%VeriSign Class 3 Code Signing 2004 CA0
!"#$%&'()*+,-
_^][YY
_^][Y
<&<,<8<><M<S<g<u<|<
StopWgxService
Release/Renew Semaphore Received!
070908054025Z0
D$ UP
WgxSetOidDot11
V0[0m0
8380:8:M:X:
Media Connect!
SUWh?
Failed to set events, error=%d
tD9(u@
VeriSign, Inc.1402
((((( H
4/5_5q5
SetFilePointer
*0(0&
CreateFileA
WgxRenewIpAddressByBroadcase
TlsSetValue
?(?H?h?
H
;!;(<:<E<J<P<U<Z<d<l<s<y<
dddd, MMMM dd, yyyy
PPPPP
GetStringTypeW
WGX.SYS
WWWWV
CloseHandle
kernel32.dll
WgxDetectAdapter returns WGX_FAILED!
Failed to call DeviceIoControl to read packet!
\\.\Ip
Program:
1,181C1n1
;i<t<
D$,9h
700WP
WriteConsoleA
0*0/050r0z0
;0;D;
OpenServiceW
> >%>C>J>S>[>a>v>
WriteFile
< tK<
StartWgxService
=m>A?R?s?
7/8H8O8W8\8`8d8
GetWgxServiceStatus
CorExitProcess
:;:m:t:x:|:
ShowWindow
TerminateProcess
7+7F7S7t7
SetStdHandle
=3=Q=X=\=`=d=h=l=p=t=
http://crl.verisign.com/pca3.crl0
VeriSign, Inc.1+0)
(null)
<<<Obsolete>>
2_3k3~3
1a1x1
- Attempt to use MSIL code from this assembly during native code initialization
tb9} u
8J9P9c9m9
8VVVVV
IsDebuggerPresent
QQSV3
1#2O2V2b2
WgxSetBroadcastMode
2)292_2u2
%s\%s
YYt4V
2!2i2
?7!Op1
QSUVW
@.data
WgxGetDot11AssociationStatus
An application has made an attempt to load the C runtime library incorrectly.
FlsFree
QueryServiceConfigW
WgxOpenAdapter
101P1p1
WgxSendPacket
"VeriSign Time Stamping Services CA0
+VeriSign Time Stamping Services Signer - G20
Failed to resolve DhcpDeRegisterParamChange
8[8`8k8p8
Rj8j
SNAC.LOG
8>9D9H9L9P9
https://www.verisign.com/rpa01
t?9\$
WgxOpenAdapterEx
- unable to open console device
j8j ^V
UUUUU
:0806
Symantec Corporation
GetCommandLineA
647<7H7P7d7o7t7
FlsGetValue
- floating point support not loaded
xppwpp
WgxGetDot11BSSID
HeapDestroy
LCMapStringA
DeleteCriticalSection
Failed to call WaitforMultipleObjects!
797L7
11.0.780.980
WgxGetMulticastMode
- unexpected heap error
`h`hhh
TSA1-20
3+313w3}3
WgxReceiveThread Starts!
wIVSP
<program name unknown>
r:\cm\\verisign\0
- not enough space for _onexit/atexit table
,0*0(
CompanyName
WgxGetAdapterNameW
CCGGf
GetProcessHeap
:6:e:k:
GetEnvironmentStrings
YYu-9D$
CreateFileW
WgxGetDot11SSID
Copyright
NdisFSendNetBufferLists
Media Disconnect!
D$ Pj
GetFileAttributesW
140715235959Z0
9#9/9>9D9V9f9r9
9(9L9X9\9`9d9h9p9t9@:D:H:L:P:T:X:\:`:d:p:x:
@.reloc
SetUnhandledExceptionFilter
0SSSSS
>:?@?F?u?
2N374V4`4
c:\bld_area\SESAgent70\snac_build\bin.ira\WGXMAN.pdb
Microsoft Visual C++ Runtime Library
WgxCloseAdapter
7!7p7
< =*=Z>
- not enough space for arguments
QSWVj
R6002
August
xpxxxx
GetOEMCP
UninstallWgx
R6017
<*<2<Q<X<q<
g_fDhcpAcquireParameters is NULL!
50565<5B5H5N5U5\5c5j5q5x5
VW|[;
2.373C3~3
uL9=XX
7A7d7
QueryServiceStatus
GGBBf;
StartServiceW
1$2B2J2O2T2l2z2
.text
:7:Y:~:
R6032
RtlUnwind
D$DVh
5,525A5G5T5{5
h(((( H
?!?3?P?b?t?
8%858;8B8O8V8\8d8j8v8{8
3P4}4
==d6|h
http://ocsp.verisign.com0
:-;5;H;O;`;z;
=;>u>
120614235959Z0\1
WideCharToMultiByte
ReleaseMutex
HeapSize
CreateServiceW
\drivers\nwifi.sys
HeapReAlloc
GetSystemTimeAsFileTime
WgxDestroyLocalFilter
4(5=5
ExitThread
GetVersionExA
DHCP parameter changes!
Translation
SetEvent
576c7k7p7u7
WGXMan
<,<=<C<T<
8M8|8
Thawte Timestamping CA0
u-9D$
MM/dd/yy
Failed to Set Filter, error=%d
R6009
6 6)626D6M6Y6b6i6s6y6
VirtualAlloc
- unable to initialize heap
PWPWh$
72888[8
ProductName
;0;<;`;
131203235959Z0S1
>C>y?
( 8PX
4%4+40474Q4\4b4k4q4x4~4
FlushFileBuffers
Global\Teefer2Installing
- not enough space for locale information
R6031
http://ocsp.verisign.com0?
CreateThread
FreeEnvironmentStringsW
GetAdaptersInfo
?w?~?
t#SSUP
DeviceIoControl
InternalName
<R<`<
CreateEventW
<Yv8V
FA;O8u
7K:V:l:
November
GetEnvironmentStringsW
April
WgxGetDot11AssociationParameters
?#?)?>?D?I?R?Z?`?r?z?
Symantec Corporation1>0<
5'6n6|6
KERNEL32.DLL
FreeEnvironmentStringsA
!This program cannot be run in DOS mode.
WgxReleaseIpAddress
Failed to resolve DhcpAcquireParametersByBroadcast!
849<9A9F9\9j9o9u9
InterlockedDecrement
runtime error
SSSSS
SUVWh
Failed to resolve DhcpRegisterParamChange
WgxCreateLocalFilter
`.rdata
DecodePointer
0>0K0U0c0l0v0
FileDescription
ResumeThread
2Terms of use at https://www.verisign.com/rpa (c)041.0,
OutputDebugStringW
9^:d:r:x:}:

PE Information

Image Base 0x06fe0000
Entry Point 0x000054bc
Reported Checksum 0x0001fb96
Actual Checksum 0x00022e3d
Minimum OS Version 4.0
PDB Path c:\bld_area\SESAgent70\snac_build\bin.ira\WGXMAN.pdb
Compile Time 2007-09-08 13:33:15
Import Hash 3bb52be2e0e2298920dfffb9176df3e9
Exported DLL Name WGXMAN.DLL

Version Infos

CompanyName Symantec Corporation
FileDescription Symantec Network Access Control Protocal Driver Manager
FileVersion 11.0.780.980
InternalName WGXMan
LegalCopyright Copyright © 2007 Symantec Corporation. All rights reserved. Use of this product is subject to license terms.
OriginalFilename WGXMan.dll
ProductName Symantec Network Access Control
ProductVersion 11.0.780.980
Translation 0x0409 0x04e4

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x0000e85a 0x0000ea00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.59
.rdata 0x0000ee00 0x00010000 0x00003153 0x00003200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.30
.data 0x00012000 0x00014000 0x00002fc4 0x00001200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.17
.rsrc 0x00013200 0x00017000 0x00000470 0x00000600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 2.65
.reloc 0x00013800 0x00018000 0x000014c4 0x00001600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 4.98

Overlay

Offset 0x00014e00
Size 0x00001588

Name Offset Size Language Sub-language Entropy File type
RT_VERSION 0x00017060 0x0000040c LANG_ENGLISH SUBLANG_ENGLISH_US 3.47 None

Imports

Name Address
CreateFileW 0x6ff002c
ReleaseSemaphore 0x6ff0030
OpenMutexW 0x6ff0034
FreeLibrary 0x6ff0038
GetProcAddress 0x6ff003c
LoadLibraryExW 0x6ff0040
InterlockedIncrement 0x6ff0044
EnterCriticalSection 0x6ff0048
InterlockedDecrement 0x6ff004c
ResumeThread 0x6ff0050
CreateEventW 0x6ff0054
WaitForSingleObject 0x6ff0058
WaitForMultipleObjects 0x6ff005c
SetEvent 0x6ff0060
OutputDebugStringW 0x6ff0064
DeleteCriticalSection 0x6ff0068
InitializeCriticalSection 0x6ff006c
GetCurrentThreadId 0x6ff0070
LeaveCriticalSection 0x6ff0074
CloseHandle 0x6ff0078
ReleaseMutex 0x6ff007c
LoadLibraryW 0x6ff0080
GetLastError 0x6ff0084
CopyFileW 0x6ff0088
Sleep 0x6ff008c
GetSystemDirectoryW 0x6ff0090
DeleteFileW 0x6ff0094
CreateSemaphoreW 0x6ff0098
DeviceIoControl 0x6ff009c
HeapFree 0x6ff00a0
HeapAlloc 0x6ff00a4
GetFileAttributesW 0x6ff00a8
ExitThread 0x6ff00ac
CreateThread 0x6ff00b0
GetCommandLineA 0x6ff00b4
GetVersionExA 0x6ff00b8
GetProcessHeap 0x6ff00bc
HeapDestroy 0x6ff00c0
HeapCreate 0x6ff00c4
VirtualFree 0x6ff00c8
VirtualAlloc 0x6ff00cc
HeapReAlloc 0x6ff00d0
TerminateProcess 0x6ff00d4
GetCurrentProcess 0x6ff00d8
UnhandledExceptionFilter 0x6ff00dc
SetUnhandledExceptionFilter 0x6ff00e0
IsDebuggerPresent 0x6ff00e4
GetModuleHandleA 0x6ff00e8
ExitProcess 0x6ff00ec
WriteFile 0x6ff00f0
GetStdHandle 0x6ff00f4
GetModuleFileNameA 0x6ff00f8
GetCPInfo 0x6ff00fc
GetACP 0x6ff0100
GetOEMCP 0x6ff0104
IsValidCodePage 0x6ff0108
TlsGetValue 0x6ff010c
TlsAlloc 0x6ff0110
TlsSetValue 0x6ff0114
TlsFree 0x6ff0118
SetLastError 0x6ff011c
SetHandleCount 0x6ff0120
GetFileType 0x6ff0124
GetStartupInfoA 0x6ff0128
FreeEnvironmentStringsA 0x6ff012c
GetEnvironmentStrings 0x6ff0130
FreeEnvironmentStringsW 0x6ff0134
WideCharToMultiByte 0x6ff0138
GetEnvironmentStringsW 0x6ff013c
QueryPerformanceCounter 0x6ff0140
GetTickCount 0x6ff0144
GetCurrentProcessId 0x6ff0148
GetSystemTimeAsFileTime 0x6ff014c
RtlUnwind 0x6ff0150
LoadLibraryA 0x6ff0154
MultiByteToWideChar 0x6ff0158
SetFilePointer 0x6ff015c
GetConsoleCP 0x6ff0160
GetConsoleMode 0x6ff0164
LCMapStringA 0x6ff0168
LCMapStringW 0x6ff016c
GetStringTypeA 0x6ff0170
GetStringTypeW 0x6ff0174
GetLocaleInfoA 0x6ff0178
HeapSize 0x6ff017c
ReadFile 0x6ff0180
SetStdHandle 0x6ff0184
WriteConsoleA 0x6ff0188
GetConsoleOutputCP 0x6ff018c
WriteConsoleW 0x6ff0190
CreateFileA 0x6ff0194
FlushFileBuffers 0x6ff0198
Name Address
QueryServiceStatus 0x6ff0000
StartServiceW 0x6ff0004
OpenServiceW 0x6ff0008
OpenSCManagerW 0x6ff000c
DeleteService 0x6ff0010
CloseServiceHandle 0x6ff0014
QueryServiceConfigW 0x6ff0018
CreateServiceW 0x6ff001c
ControlService 0x6ff0020
ChangeServiceConfigW 0x6ff0024
Name Address
GetAdaptersInfo 0x6ff01a0

Exports

Name Address Ordinal
GetWgxServiceStatus 0x6fe1e10 1
InstallWgx 0x6fe1800 2
IsWgxInstalled 0x6fe1ab0 3
StartWgxService 0x6fe1c20 4
StopWgxService 0x6fe1d10 5
UninstallWgx 0x6fe19c0 6
WgxCleanup 0x6fe2450 7
WgxCloseAdapter 0x6fe2c10 8
WgxCreateLocalFilter 0x6fe1000 9
WgxDestroyLocalFilter 0x6fe1030 10
WgxEnableCopySendPacket 0x6fe4500 11
WgxGetAdapterNameA 0x6fe3f70 12
WgxGetAdapterNameW 0x6fe3ff0 13
WgxGetBroadcastMode 0x6fe3690 14
WgxGetDirectMode 0x6fe3650 15
WgxGetDot11AssociationParameters 0x6fe4070 16
WgxGetDot11AssociationStatus 0x6fe4110 17
WgxGetDot11BSSID 0x6fe41b0 18
WgxGetDot11SSID 0x6fe4240 19
WgxGetGlobalFilter 0x6fe34c0 20
WgxGetLocalTrafficMode 0x6fe3610 21
WgxGetMulticastMode 0x6fe36d0 22
WgxGetPromiscuousMode 0x6fe35d0 23
WgxInitialize 0x6fe21d0 24
WgxLocalFilterSetEthernetProtocol 0x6fe1050 25
WgxLocalFilterSetIpProtocol 0x6fe10b0 26
WgxLocalFilterSetIpRange 0x6fe1380 27
WgxLocalFilterSetPortRange 0x6fe1630 28
WgxOpenAdapter 0x6fe2550 29
WgxOpenAdapterEx 0x6fe2580 30
WgxQueryOid 0x6fe3910 31
WgxQueryOidDot11 0x6fe3a40 32
WgxReleaseIpAddress 0x6fe3c50 33
WgxRenewIpAddress 0x6fe3c60 34
WgxRenewIpAddressByBroadcase 0x6fe3c70 35
WgxSendPacket 0x6fe3c80 36
WgxSetBroadcastMode 0x6fe36c0 37
WgxSetDirectMode 0x6fe3680 38
WgxSetGlobalFilter 0x6fe33e0 39
WgxSetLocalFilter 0x6fe1760 40
WgxSetLocalTrafficMode 0x6fe3640 41
WgxSetMulticastMode 0x6fe3700 42
WgxSetOid 0x6fe3710 43
WgxSetOidDot11 0x6fe3820 44
WgxSetPromiscuousMode 0x6fe3600 45
WgxTestOnly 0x6fe3d20 46

Command and Control
  • T1071 - Application Layer Protocol
    • static_pe_pdbpath
    • static_pe_anomaly

Processing ( 0.41 seconds )

  • 0.393 CAPE
  • 0.007 Heatmap
  • 0.003 AnalysisInfo
  • 0.003 BehaviorAnalysis

Signatures ( 0.02 seconds )

  • 0.003 ransomware_files
  • 0.002 antianalysis_detectfile
  • 0.002 antiav_detectreg
  • 0.002 ransomware_extensions
  • 0.001 antiav_detectfile
  • 0.001 antivm_vbox_files
  • 0.001 infostealer_bitcoin
  • 0.001 infostealer_ftp
  • 0.001 infostealer_im
  • 0.001 poullight_files
  • 0.001 territorial_disputes_sigs
  • 0.001 ursnif_behavior

Reporting ( 0.04 seconds )

  • 0.041 ReportHTML
  • 0.001 MITRE_TTPS

Signatures

The PE file contains a PDB path
pdbpath: c:\bld_area\SESAgent70\snac_build\bin.ira\WGXMAN.pdb
Checks for presence of debugger via IsDebuggerPresent
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections
anomaly: Actual checksum does not match that reported in PE header

Screenshots

No playback available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

C:\Users\user\AppData\Local\Temp\wgxman.dll.manifest
C:\Users\user\AppData\Local\Temp\wgxman.dll
C:\Users\user\AppData\Local\Temp\wgxman.dll.123.Manifest
C:\Users\user\AppData\Local\Temp\wgxman.dll.124.Manifest
C:\Users\user\AppData\Local\Temp\wgxman.dll.2.Manifest
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\System32\msctf.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_CURRENT_USER
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
Local\SM0:1936:168:WilStaging_02
No results
Sorry! No behavior.
Sorry! No tracee.
Sorry! No strace.

No hosts contacted.

No TCP connections recorded.

No UDP connections recorded.

No domains contacted.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.