Edit tour

Windows Analysis Report
macrox!.exe

Overview

General Information

Sample name:	macrox!.exe
Analysis ID:	1541136
MD5:	764187e5f44212696bd5f8ff204c2b48
SHA1:	df944305847ad3109088817d9531593593a544f5
SHA256:	d1b28fdfdf1c3b23f39dd770e04783a9403e8b7916695ea526cad311e0934aa6
Infos:

Detection

Score:	36
Range:	0 - 100
Whitelisted:	false
Confidence:	20%

Signatures

Machine Learning detection for dropped file

Sets file extension default program settings to executables

Creates Visual Basic Runtime Dlls

Creates files inside the system directory

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Modifies existing windows services

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses 32bit PE files

Classification

Process Tree

System is w10x64

macrox!.exe (PID: 7260 cmdline: "C:\Users\user\Desktop\macrox!.exe" MD5: 764187E5F44212696BD5F8FF204C2B48)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\MacroX\sys\mcxexe.dll

Joe Sandbox ML: detected

Source: macrox!.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source:	Binary string: E:\VC-Projekte\x86.binz\dskeybrd.pdb source: macrox!.exe, 00000000.00000002.2926507817.00000000025E4000.00000004.00000020.00020000.00000000.sdmp, nsa434D.tmp.0.dr, mcxkeyboardhook.dll.0.dr
Source:	Binary string: msscript.pdb source: macrox!.exe, 00000000.00000002.2926137934.0000000000409000.00000004.00000001.01000000.00000003.sdmp, macrox!.exe, 00000000.00000002.2926507817.0000000002808000.00000004.00000020.00020000.00000000.sdmp, nsa434D.tmp.0.dr
Source:	Binary string: E:\VC-Projekte\x86.binz\dskeybrd.pdb MZ source: macrox!.exe, 00000000.00000002.2926507817.00000000025E4000.00000004.00000020.00020000.00000000.sdmp, nsa434D.tmp.0.dr
Source:	Binary string: E:\VC-Projekte\x86.binz\dsmouse.pdbXp source: macrox!.exe, 00000000.00000002.2926507817.00000000025E4000.00000004.00000020.00020000.00000000.sdmp, nsa434D.tmp.0.dr
Source:	Binary string: E:\VC-Projekte\x86.binz\dsmouse.pdb source: macrox!.exe, 00000000.00000002.2926507817.00000000025E4000.00000004.00000020.00020000.00000000.sdmp, nsa434D.tmp.0.dr, mcxmousehook.dll.0.dr

Source: C:\Users\user\Desktop\macrox!.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: macrox!.exe, 00000000.00000002.2926507817.000000000222F000.00000004.00000020.00020000.00000000.sdmp, nsa434D.tmp.0.dr, MACROX.EXE.0.dr	String found in binary or memory: http://bug.macrox.dezu
Source: macrox!.exe, 00000000.00000002.2926507817.000000000222F000.00000004.00000020.00020000.00000000.sdmp, nsa434D.tmp.0.dr, MACROX.EXE.0.dr	String found in binary or memory: http://squeakmac.tripod.comU
Source: nsa434D.tmp.0.dr, MacroX.url.0.dr	String found in binary or memory: http://www.MacroX.de
Source: macrox!.exe, 00000000.00000002.2926255771.0000000000796000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.MacroX.de)
Source: macrox!.exe, 00000000.00000002.2926507817.000000000222F000.00000004.00000020.00020000.00000000.sdmp, nsa434D.tmp.0.dr, MACROX.EXE.0.dr	String found in binary or memory: http://www.macrox.de
Source: macrox!.exe, 00000000.00000002.2926507817.000000000222F000.00000004.00000020.00020000.00000000.sdmp, nsa434D.tmp.0.dr, MACROX.EXE.0.dr	String found in binary or memory: http://www.macrox.deEditClicked
Source: macrox!.exe, 00000000.00000002.2926507817.000000000222F000.00000004.00000020.00020000.00000000.sdmp, nsa434D.tmp.0.dr, MACROX.EXE.0.dr	String found in binary or memory: http://www.millsoft.de9O
Source: MACROX.EXE.0.dr	String found in binary or memory: http://www.softwareedition.de/macrox
Source: macrox!.exe, 00000000.00000002.2926507817.000000000222F000.00000004.00000020.00020000.00000000.sdmp, nsa434D.tmp.0.dr, MACROX.EXE.0.dr	String found in binary or memory: http://www.softwareedition.de/macrox/Align2p
Source: macrox!.exe, 00000000.00000002.2926507817.000000000222F000.00000004.00000020.00020000.00000000.sdmp, macrox!.exe, 00000000.00000002.2926507817.00000000023B5000.00000004.00000020.00020000.00000000.sdmp, nsa434D.tmp.0.dr, CMAX20.OCX.0.dr	String found in binary or memory: http://www.winmain.com
Source: macrox!.exe, 00000000.00000002.2926507817.00000000023B5000.00000004.00000020.00020000.00000000.sdmp, nsa434D.tmp.0.dr, CMAX20.OCX.0.dr	String found in binary or memory: http://www.winmain.com)6
Source: macrox!.exe, 00000000.00000002.2926507817.000000000222F000.00000004.00000020.00020000.00000000.sdmp, nsa434D.tmp.0.dr, CMAX20.OCX.0.dr	String found in binary or memory: http://www.winmain.comSDBValForceRemoveNoRemoveDeleteCLSIDTYPELIBSDBValForceRemoveNoRemoveDeleteCLSI

Source: C:\Users\user\Desktop\macrox!.exe

File created: C:\Windows\SysWOW64\Mswinsck.ocx

Jump to behavior

Source: C:\Users\user\Desktop\macrox!.exe	File created: C:\Windows\SysWOW64\mcxkeyboardhook.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	File created: C:\Windows\SysWOW64\mcxmousehook.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	File created: C:\Windows\SysWOW64\MSCOMCTL.OCX	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	File created: C:\Windows\SysWOW64\SSUBTMR6.DLL	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	File created: C:\Windows\SysWOW64\Mswinsck.ocx	Jump to behavior

Source: macrox!.exe, 00000000.00000002.2926507817.0000000002400000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameHookMenu.ocx, vs macrox!.exe
Source: macrox!.exe, 00000000.00000002.2926507817.0000000002400000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemacroxrecord.dll, vs macrox!.exe
Source: macrox!.exe, 00000000.00000002.2926507817.0000000002400000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemacroxsettings.dll, vs macrox!.exe
Source: macrox!.exe, 00000000.00000002.2926507817.0000000002400000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemc vs macrox!.exe
Source: macrox!.exe, 00000000.00000002.2926507817.0000000002400000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemcx3.dll, vs macrox!.exe
Source: macrox!.exe, 00000000.00000002.2926507817.0000000002400000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemcxexe.exe vs macrox!.exe
Source: macrox!.exe, 00000000.00000002.2926507817.0000000002400000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemcxKernel.dll, vs macrox!.exe
Source: macrox!.exe, 00000000.00000002.2926507817.0000000002400000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemcxLanguage.dll, vs macrox!.exe
Source: macrox!.exe, 00000000.00000002.2926507817.0000000002400000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemcxnetbar.ocx, vs macrox!.exe
Source: macrox!.exe, 00000000.00000002.2926507817.0000000002400000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemcxRun.exe vs macrox!.exe
Source: macrox!.exe, 00000000.00000002.2926507817.0000000002400000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemcxtabx.ocx, vs macrox!.exe
Source: macrox!.exe, 00000000.00000002.2926507817.0000000002400000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevbalIml6.ocx, vs macrox!.exe
Source: macrox!.exe, 00000000.00000002.2926507817.0000000002400000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemcxinternet.dll, vs macrox!.exe
Source: macrox!.exe, 00000000.00000002.2926507817.00000000025CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemcxregistry.dll, vs macrox!.exe
Source: macrox!.exe, 00000000.00000002.2926507817.00000000025CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRedirect.DLL vs macrox!.exe
Source: macrox!.exe, 00000000.00000002.2926507817.000000000222F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMacroX.exe vs macrox!.exe
Source: macrox!.exe, 00000000.00000002.2926507817.0000000002808000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsscript.dllZ vs macrox!.exe
Source: macrox!.exe, 00000000.00000002.2926507817.00000000026F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSSubTmr6.dll, vs macrox!.exe
Source: macrox!.exe, 00000000.00000002.2926507817.000000000269B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMSCOMCTL.OCX2 vs macrox!.exe
Source: macrox!.exe, 00000000.00000002.2926507817.00000000023B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCMAX20.OCX0 vs macrox!.exe
Source: macrox!.exe, 00000000.00000002.2926507817.00000000025E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemcxruntag.dll, vs macrox!.exe
Source: macrox!.exe, 00000000.00000002.2926507817.00000000025E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedskeybrd.dll vs macrox!.exe
Source: macrox!.exe, 00000000.00000002.2926507817.00000000025E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedsmouse.dllR vs macrox!.exe

Source: macrox!.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: macrox!.exe, 00000000.00000002.2926507817.0000000002400000.00000004.00000020.00020000.00000000.sdmp, nsa434D.tmp.0.dr, vbalIml6.ocx.0.dr	Binary or memory string: F*\AC:\SteveMac\VB6\Controls\ImgList6\vbalIml6.vbp
Source: macrox!.exe, 00000000.00000002.2926507817.000000000269B000.00000004.00000020.00020000.00000000.sdmp, nsa434D.tmp.0.dr, SSUBTMR6.DLL.0.dr	Binary or memory string: .*\AC:\Program Files\Microsoft Visual Studio\3RD PARTY\vbAccel\SSubTmr\SubTimer6.vbp

Source: classification engine

Classification label: sus36.winEXE@1/62@0/0

Source: C:\Users\user\Desktop\macrox!.exe

File created: C:\Program Files (x86)\MacroX

Jump to behavior

Source: C:\Users\user\Desktop\macrox!.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MacroX

Jump to behavior

Source: C:\Users\user\Desktop\macrox!.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\macrox!.exe

File created: C:\Users\user\AppData\Local\Temp\nsa434C.tmp

Jump to behavior

Source: macrox!.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\macrox!.exe

File read: C:\Users\user\AppData\Local\Temp\nsv437D.tmp\ioSpecial.ini

Jump to behavior

Source: C:\Users\user\Desktop\macrox!.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\macrox!.exe

File read: C:\Users\user\Desktop\macrox!.exe

Jump to behavior

Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: ssubtmr6.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Section loaded: cscapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\macrox!.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: MacroX.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files (x86)\MacroX\MACROX.EXE
Source: MacroX.lnk0.0.dr	LNK file: ..\..\..\Program Files (x86)\MacroX\MACROX.EXE
Source: ClickButton.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\..\Program Files (x86)\MacroX\sample\ClickButton.mcx
Source: RunTag.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\..\Program Files (x86)\MacroX\sample\runtag.mcx
Source: InstanzTest.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\..\Program Files (x86)\MacroX\sample\instanztest.mcx
Source: Registry.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\..\Program Files (x86)\MacroX\sample\Registry.mcx
Source: WatchMouse.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\..\Program Files (x86)\MacroX\sample\WatchMouse.mcx
Source: WatchMouse2.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\..\Program Files (x86)\MacroX\sample\WatchMouse2.mcx
Source: Mouse.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\..\Program Files (x86)\MacroX\sample\Mouse.mcx
Source: TimeOut.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\..\Program Files (x86)\MacroX\sample\TimeOut.mcx
Source: Loop-Text.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\..\Program Files (x86)\MacroX\sample\Loop-Text.mcx
Source: MacroX im Internet.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files (x86)\MacroX\MacroX.url
Source: Deinstallieren.lnk.0.dr	LNK file: ..\..\..\..\..\..\..\..\..\Program Files (x86)\MacroX\uninst.exe

Source: C:\Users\user\Desktop\macrox!.exe

File written: C:\Users\user\AppData\Local\Temp\nsv437D.tmp\ioSpecial.ini

Jump to behavior

Source: C:\Users\user\Desktop\macrox!.exe	Automated click: Installieren
Source: C:\Users\user\Desktop\macrox!.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\macrox!.exe

Key value created or modified: HKEY_CURRENT_USER\Control Panel\Mouse MouseHoverTime

Jump to behavior

Source: macrox!.exe

Static file information: File size 2322122 > 1048576

Source:	Binary string: E:\VC-Projekte\x86.binz\dskeybrd.pdb source: macrox!.exe, 00000000.00000002.2926507817.00000000025E4000.00000004.00000020.00020000.00000000.sdmp, nsa434D.tmp.0.dr, mcxkeyboardhook.dll.0.dr
Source:	Binary string: msscript.pdb source: macrox!.exe, 00000000.00000002.2926137934.0000000000409000.00000004.00000001.01000000.00000003.sdmp, macrox!.exe, 00000000.00000002.2926507817.0000000002808000.00000004.00000020.00020000.00000000.sdmp, nsa434D.tmp.0.dr
Source:	Binary string: E:\VC-Projekte\x86.binz\dskeybrd.pdb MZ source: macrox!.exe, 00000000.00000002.2926507817.00000000025E4000.00000004.00000020.00020000.00000000.sdmp, nsa434D.tmp.0.dr
Source:	Binary string: E:\VC-Projekte\x86.binz\dsmouse.pdbXp source: macrox!.exe, 00000000.00000002.2926507817.00000000025E4000.00000004.00000020.00020000.00000000.sdmp, nsa434D.tmp.0.dr
Source:	Binary string: E:\VC-Projekte\x86.binz\dsmouse.pdb source: macrox!.exe, 00000000.00000002.2926507817.00000000025E4000.00000004.00000020.00020000.00000000.sdmp, nsa434D.tmp.0.dr, mcxmousehook.dll.0.dr

Source: mcxkeyboardhook.dll.0.dr	Static PE information: section name: Shared
Source: mcxmousehook.dll.0.dr	Static PE information: section name: Shared
Source: CMAX20.OCX.0.dr	Static PE information: section name: Shared

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\macrox!.exe	File created: C:\Program Files (x86)\MacroX\sys\HookMenu.ocx	Jump to dropped file
Source: C:\Users\user\Desktop\macrox!.exe	File created: C:\Program Files (x86)\MacroX\sys\vbalIml6.ocx	Jump to dropped file
Source: C:\Users\user\Desktop\macrox!.exe	File created: C:\Windows\SysWOW64\SSUBTMR6.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\macrox!.exe	File created: C:\Program Files (x86)\MacroX\sys\macroxrecord.dll	Jump to dropped file
Source: C:\Users\user\Desktop\macrox!.exe	File created: C:\Windows\SysWOW64\MSCOMCTL.OCX	Jump to dropped file
Source: C:\Users\user\Desktop\macrox!.exe	File created: C:\Program Files (x86)\MacroX\sys\mcxRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\macrox!.exe	File created: C:\Windows\SysWOW64\mcxmousehook.dll	Jump to dropped file
Source: C:\Users\user\Desktop\macrox!.exe	File created: C:\Users\user\AppData\Local\Temp\nsv437D.tmp\InstallOptions.dll	Jump to dropped file
Source: C:\Users\user\Desktop\macrox!.exe	File created: C:\Program Files (x86)\MacroX\sys\mcxLanguage.dll	Jump to dropped file
Source: C:\Users\user\Desktop\macrox!.exe	File created: C:\Program Files (x86)\MacroX\sys\mcxKernel.dll	Jump to dropped file
Source: C:\Users\user\Desktop\macrox!.exe	File created: C:\Program Files (x86)\MacroX\sys\mcxtabx.ocx	Jump to dropped file
Source: C:\Users\user\Desktop\macrox!.exe	File created: C:\Program Files (x86)\MacroX\sys\CMAX20.OCX	Jump to dropped file
Source: C:\Users\user\Desktop\macrox!.exe	File created: C:\Program Files (x86)\MacroX\sys\mcxnetbar.ocx	Jump to dropped file
Source: C:\Users\user\Desktop\macrox!.exe	File created: C:\Windows\SysWOW64\mcxkeyboardhook.dll	Jump to dropped file
Source: C:\Users\user\Desktop\macrox!.exe	File created: C:\Program Files (x86)\MacroX\MACROX.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\macrox!.exe	File created: C:\Program Files (x86)\MacroX\plugins\registry\mcxregistry.dll	Jump to dropped file
Source: C:\Users\user\Desktop\macrox!.exe	File created: C:\Program Files (x86)\MacroX\plugins\internet\mcxinternet.dll	Jump to dropped file
Source: C:\Users\user\Desktop\macrox!.exe	File created: C:\Program Files (x86)\MacroX\sys\macroxsettings.dll	Jump to dropped file
Source: C:\Users\user\Desktop\macrox!.exe	File created: C:\Program Files (x86)\MacroX\sys\mcxexe.dll	Jump to dropped file
Source: C:\Users\user\Desktop\macrox!.exe	File created: C:\Windows\SysWOW64\Mswinsck.ocx	Jump to dropped file
Source: C:\Users\user\Desktop\macrox!.exe	File created: C:\Program Files (x86)\MacroX\plugins\runtag\red.dll	Jump to dropped file
Source: C:\Users\user\Desktop\macrox!.exe	File created: C:\Program Files (x86)\MacroX\uninst.exe	Jump to dropped file
Source: C:\Users\user\Desktop\macrox!.exe	File created: C:\Program Files (x86)\MacroX\plugins\runtag\mcxruntag.dll	Jump to dropped file
Source: C:\Users\user\Desktop\macrox!.exe	File created: C:\Program Files (x86)\MacroX\sys\MCX3.DLL	Jump to dropped file

Source: C:\Users\user\Desktop\macrox!.exe	File created: C:\Windows\SysWOW64\SSUBTMR6.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\macrox!.exe	File created: C:\Windows\SysWOW64\mcxkeyboardhook.dll	Jump to dropped file
Source: C:\Users\user\Desktop\macrox!.exe	File created: C:\Windows\SysWOW64\MSCOMCTL.OCX	Jump to dropped file
Source: C:\Users\user\Desktop\macrox!.exe	File created: C:\Windows\SysWOW64\Mswinsck.ocx	Jump to dropped file
Source: C:\Users\user\Desktop\macrox!.exe	File created: C:\Windows\SysWOW64\mcxmousehook.dll	Jump to dropped file

Boot Survival

Sets file extension default program settings to executables

Source: C:\Users\user\Desktop\macrox!.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MacroX Script\Shell\open\command C:\Program Files (x86)\MacroX\sys\mcxrun.exe %1

Jump to behavior

Source: C:\Users\user\Desktop\macrox!.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\VBRuntime

Jump to behavior

Source: C:\Users\user\Desktop\macrox!.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MacroX	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MacroX\Beispiele	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MacroX\MacroX.lnk	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MacroX\Beispiele\ClickButton.lnk	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MacroX\Beispiele\RunTag.lnk	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MacroX\Beispiele\InstanzTest.lnk	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MacroX\Beispiele\Registry.lnk	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MacroX\Beispiele\WatchMouse.lnk	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MacroX\Beispiele\WatchMouse2.lnk	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MacroX\Beispiele\Mouse.lnk	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MacroX\Beispiele\TimeOut.lnk	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MacroX\Beispiele\Loop-Text.lnk	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MacroX\MacroX im Internet.lnk	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MacroX\Deinstallieren.lnk	Jump to behavior

Source: C:\Users\user\Desktop\macrox!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\macrox!.exe

Window / User API: foregroundWindowGot 579

Jump to behavior

Source: C:\Users\user\Desktop\macrox!.exe	Dropped PE file which has not been started: C:\Program Files (x86)\MacroX\sys\CMAX20.OCX	Jump to dropped file
Source: C:\Users\user\Desktop\macrox!.exe	Dropped PE file which has not been started: C:\Program Files (x86)\MacroX\sys\HookMenu.ocx	Jump to dropped file
Source: C:\Users\user\Desktop\macrox!.exe	Dropped PE file which has not been started: C:\Program Files (x86)\MacroX\sys\mcxnetbar.ocx	Jump to dropped file
Source: C:\Users\user\Desktop\macrox!.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mcxkeyboardhook.dll	Jump to dropped file
Source: C:\Users\user\Desktop\macrox!.exe	Dropped PE file which has not been started: C:\Program Files (x86)\MacroX\sys\vbalIml6.ocx	Jump to dropped file
Source: C:\Users\user\Desktop\macrox!.exe	Dropped PE file which has not been started: C:\Program Files (x86)\MacroX\MACROX.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\macrox!.exe	Dropped PE file which has not been started: C:\Program Files (x86)\MacroX\sys\macroxrecord.dll	Jump to dropped file
Source: C:\Users\user\Desktop\macrox!.exe	Dropped PE file which has not been started: C:\Program Files (x86)\MacroX\plugins\registry\mcxregistry.dll	Jump to dropped file
Source: C:\Users\user\Desktop\macrox!.exe	Dropped PE file which has not been started: C:\Program Files (x86)\MacroX\plugins\internet\mcxinternet.dll	Jump to dropped file
Source: C:\Users\user\Desktop\macrox!.exe	Dropped PE file which has not been started: C:\Program Files (x86)\MacroX\sys\macroxsettings.dll	Jump to dropped file
Source: C:\Users\user\Desktop\macrox!.exe	Dropped PE file which has not been started: C:\Program Files (x86)\MacroX\sys\mcxexe.dll	Jump to dropped file
Source: C:\Users\user\Desktop\macrox!.exe	Dropped PE file which has not been started: C:\Program Files (x86)\MacroX\sys\mcxRun.exe	Jump to dropped file
Source: C:\Users\user\Desktop\macrox!.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mcxmousehook.dll	Jump to dropped file
Source: C:\Users\user\Desktop\macrox!.exe	Dropped PE file which has not been started: C:\Program Files (x86)\MacroX\sys\mcxLanguage.dll	Jump to dropped file
Source: C:\Users\user\Desktop\macrox!.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsv437D.tmp\InstallOptions.dll	Jump to dropped file
Source: C:\Users\user\Desktop\macrox!.exe	Dropped PE file which has not been started: C:\Program Files (x86)\MacroX\plugins\runtag\red.dll	Jump to dropped file
Source: C:\Users\user\Desktop\macrox!.exe	Dropped PE file which has not been started: C:\Program Files (x86)\MacroX\plugins\runtag\mcxruntag.dll	Jump to dropped file
Source: C:\Users\user\Desktop\macrox!.exe	Dropped PE file which has not been started: C:\Program Files (x86)\MacroX\uninst.exe	Jump to dropped file
Source: C:\Users\user\Desktop\macrox!.exe	Dropped PE file which has not been started: C:\Program Files (x86)\MacroX\sys\MCX3.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\macrox!.exe	Dropped PE file which has not been started: C:\Program Files (x86)\MacroX\sys\mcxKernel.dll	Jump to dropped file
Source: C:\Users\user\Desktop\macrox!.exe	Dropped PE file which has not been started: C:\Program Files (x86)\MacroX\sys\mcxtabx.ocx	Jump to dropped file

Source: C:\Users\user\Desktop\macrox!.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: macrox!.exe, 00000000.00000002.2926255771.000000000077C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: macrox!.exe, 00000000.00000003.1762167687.000000000079F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\macrox!.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\macrox!.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Windows Service	1 Windows Service	122 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Software Packing	LSASS Memory	1 Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	11 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
macrox!.exe	10%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\MacroX\sys\mcxexe.dll	100%	Joe Sandbox ML
C:\Program Files (x86)\MacroX\MACROX.EXE	0%	ReversingLabs
C:\Program Files (x86)\MacroX\plugins\internet\mcxinternet.dll	0%	ReversingLabs
C:\Program Files (x86)\MacroX\plugins\registry\mcxregistry.dll	0%	ReversingLabs
C:\Program Files (x86)\MacroX\plugins\runtag\mcxruntag.dll	0%	ReversingLabs
C:\Program Files (x86)\MacroX\plugins\runtag\red.dll	3%	ReversingLabs
C:\Program Files (x86)\MacroX\sys\CMAX20.OCX	0%	ReversingLabs
C:\Program Files (x86)\MacroX\sys\HookMenu.ocx	0%	ReversingLabs
C:\Program Files (x86)\MacroX\sys\MCX3.DLL	0%	ReversingLabs
C:\Program Files (x86)\MacroX\sys\macroxrecord.dll	0%	ReversingLabs
C:\Program Files (x86)\MacroX\sys\macroxsettings.dll	0%	ReversingLabs
C:\Program Files (x86)\MacroX\sys\mcxKernel.dll	0%	ReversingLabs
C:\Program Files (x86)\MacroX\sys\mcxLanguage.dll	0%	ReversingLabs
C:\Program Files (x86)\MacroX\sys\mcxRun.exe	0%	ReversingLabs
C:\Program Files (x86)\MacroX\sys\mcxexe.dll	8%	ReversingLabs
C:\Program Files (x86)\MacroX\sys\mcxnetbar.ocx	0%	ReversingLabs
C:\Program Files (x86)\MacroX\sys\mcxtabx.ocx	0%	ReversingLabs
C:\Program Files (x86)\MacroX\sys\vbalIml6.ocx	0%	ReversingLabs
C:\Program Files (x86)\MacroX\uninst.exe	7%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsv437D.tmp\InstallOptions.dll	0%	ReversingLabs
C:\Windows\SysWOW64\MSCOMCTL.OCX	0%	ReversingLabs
C:\Windows\SysWOW64\Mswinsck.ocx	0%	ReversingLabs
C:\Windows\SysWOW64\SSUBTMR6.DLL	0%	ReversingLabs
C:\Windows\SysWOW64\mcxkeyboardhook.dll	0%	ReversingLabs
C:\Windows\SysWOW64\mcxmousehook.dll	0%	ReversingLabs

Name	Source	Malicious	Reputation
http://www.softwareedition.de/macrox	MACROX.EXE.0.dr	false	unknown
http://www.macrox.deEditClicked	macrox!.exe, 00000000.00000002.2926507817.000000000222F000.00000004.00000020.00020000.00000000.sdmp, nsa434D.tmp.0.dr, MACROX.EXE.0.dr	false	unknown
http://www.softwareedition.de/macrox/Align2p	macrox!.exe, 00000000.00000002.2926507817.000000000222F000.00000004.00000020.00020000.00000000.sdmp, nsa434D.tmp.0.dr, MACROX.EXE.0.dr	false	unknown
http://www.macrox.de	macrox!.exe, 00000000.00000002.2926507817.000000000222F000.00000004.00000020.00020000.00000000.sdmp, nsa434D.tmp.0.dr, MACROX.EXE.0.dr	false	unknown
http://www.winmain.com	macrox!.exe, 00000000.00000002.2926507817.000000000222F000.00000004.00000020.00020000.00000000.sdmp, macrox!.exe, 00000000.00000002.2926507817.00000000023B5000.00000004.00000020.00020000.00000000.sdmp, nsa434D.tmp.0.dr, CMAX20.OCX.0.dr	false	unknown
http://bug.macrox.dezu	macrox!.exe, 00000000.00000002.2926507817.000000000222F000.00000004.00000020.00020000.00000000.sdmp, nsa434D.tmp.0.dr, MACROX.EXE.0.dr	false	unknown
http://www.MacroX.de	nsa434D.tmp.0.dr, MacroX.url.0.dr	false	unknown
http://www.millsoft.de9O	macrox!.exe, 00000000.00000002.2926507817.000000000222F000.00000004.00000020.00020000.00000000.sdmp, nsa434D.tmp.0.dr, MACROX.EXE.0.dr	false	unknown
http://squeakmac.tripod.comU	macrox!.exe, 00000000.00000002.2926507817.000000000222F000.00000004.00000020.00020000.00000000.sdmp, nsa434D.tmp.0.dr, MACROX.EXE.0.dr	false	unknown
http://www.winmain.comSDBValForceRemoveNoRemoveDeleteCLSIDTYPELIBSDBValForceRemoveNoRemoveDeleteCLSI	macrox!.exe, 00000000.00000002.2926507817.000000000222F000.00000004.00000020.00020000.00000000.sdmp, nsa434D.tmp.0.dr, CMAX20.OCX.0.dr	false	unknown
http://www.MacroX.de)	macrox!.exe, 00000000.00000002.2926255771.0000000000796000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://www.winmain.com)6	macrox!.exe, 00000000.00000002.2926507817.00000000023B5000.00000004.00000020.00020000.00000000.sdmp, nsa434D.tmp.0.dr, CMAX20.OCX.0.dr	false	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1541136
Start date and time:	2024-10-24 13:55:21 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	macrox!.exe
Detection:	SUS
Classification:	sus36.winEXE@1/62@0/0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetValueKey calls found.
VT rate limit hit for: macrox!.exe

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	76
Entropy (8bit):	4.016259994593526
Encrypted:	false
SSDEEP:	3:iJcKGhfKHiRF5duvKVSlrf:iS5hl5dydb
MD5:	8B8B6264F10734028366830C34374DD7
SHA1:	136CE5117D871DEB2E5E63294C5CEA87E7A6BD09
SHA-256:	8F98F38C53C9C22DBE3E5FBC6848E1A42C1A7343A1552565B4649E76EC3A1FA1
SHA-512:	5B45B5AC4CDDBBD77B90D3A93FBEADF83B0A4D7AF430E0D3611DAA3271B983D581757E306BFAFCC141C53CCACE78616B46EA10E747E6E3CB2E38D47E26C8C3A2
Malicious:	false
Reputation:	low
Preview:	Put here your tags you want to autocolor in MacroX, each line for every tag.

C:\Program Files (x86)\MacroX\MACROX.EXE

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	757760
Entropy (8bit):	5.976441007312572
Encrypted:	false
SSDEEP:	6144:OoqT7JPSYxVveZffFgX0Z7U800m6Kzf/+ZtaxrI/v51+cu:9GZSYHv7a768KzfDIH+cu
MD5:	D6044463F77F5CF802012D23B6008DD2
SHA1:	E8CC5CB7D5641B7D4B0B9B7AFDABD7F0CB79EA74
SHA-256:	F6AB81F9B85D501BA7E6A19F968E6BF675612A7DF8713B4CAB314208D64DF0BC
SHA-512:	6CD2AF2714E55D15495A3E2F68132C920986C69A61984E57BEF338551EA62D2EAFFCA5DA08583B82A58F459C2DF56D5E1D8FEF097D550470FD4CBD71DFA46C4C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m...)zi.)zi.)zi.-Yd.(zi.Rich)zi.................PE..L.....rA.................P...................`....@..........................0...............................................N..(.......H................................................................... ... ....................................text....@.......P.................. ..`.data........`......................@....rsrc...H........0...`..............@..@..:@............MSVBVM60.DLL............................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\MacroX\MACROX.exe.MANIFEST

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	645
Entropy (8bit):	5.081389765088227
Encrypted:	false
SSDEEP:	12:TMHdtDT5nlX7gV0qrvnNXvLa9yJwE5nGNoj+bJ7K7gVmwBvn1A:2dtD9lrgyqr/NXvLa9yJwkGNoj+bZqgK
MD5:	B7C8B1A5B4B19DE559DFD55EC252CF08
SHA1:	CD0E539739E36213F81BF0FC0E38099B9C010ACD
SHA-256:	589CB99FB5D82C783F31CB6E110E3144F4C005B65EE2C027CFB3769DA0E8C3E1
SHA-512:	034B2DB5DA85A64D0FC08A3141638A8167812A3616170C6666B9FFC32ADB8CB03D3A935E2E6B46A34ACF7EE135415A63D7EA0029F4D4193A25C4D5D52D953B02
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?> ....<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> ....<assemblyIdentity ....version="1.0.0.0" ....processorArchitecture="X86" ....name="CompanyName.ProductName.YourApp" ....type="win32" ..../> ....<description>Your application description here.</description> ....<dependency> ....<dependentAssembly> ....<assemblyIdentity ....type="win32" ....name="Microsoft.Windows.Common-Controls" ....version="6.0.0.0" ....processorArchitecture="X86" ....publicKeyToken="6595b64144ccf1df" ....language="*" ..../> ....</dependentAssembly> ....</dependency> ....</assembly> ..

C:\Program Files (x86)\MacroX\MacroX.chm

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	MS Windows HtmlHelp Data
Category:	dropped
Size (bytes):	325892
Entropy (8bit):	7.933540750094996
Encrypted:	false
SSDEEP:	6144:RfV/kqjgIjkshMTIzIilHlyeNLLzRqNzyb9q/wL4mTnNHFZBLro4Vh:pV/kqjOshmIhlH9NDbA/ubQoh
MD5:	D852DD69EFBCDDCCE399802F1CB322CF
SHA1:	D1BAB2A7F9E4F74F2E0665D8B2654D07070FA9A4
SHA-256:	FF56BAD700E7C21087AAC2EE1EA154A4861D8B65F3843D8D20E8F589D4A72368
SHA-512:	5FCD4AF82F5114167A85EB2C62C799E7043867724527E7C705B0FDC3E002B144680EDCAD93C3E591C47D3BF2992368F64A29A55E722E6710647136C693D89792
Malicious:	false
Reputation:	low
Preview:	ITSF....`.......]..........\|.{.......".....\|.{......."..`...............x.......T@.......@..............................ITSP....T...........................................j..].!......."..T...............PMGLA................/..../#BSSC...../#IDXHDR..F.../#ITBITS..../#STRINGS..c."./#SYSTEM..&."./#TOPICS...F.0./#URLSTR...Z.../#URLTBL...v.d./#WINDOWS..=.L./$FIftiMain..G..../$OBJINST.....B./$WWAssociativeLinks/..../$WWAssociativeLinks/Property....../$WWKeywordLinks/..../$WWKeywordLinks/BTree....L./$WWKeywordLinks/Data...U.j./$WWKeywordLinks/Map...?"./$WWKeywordLinks/Property...a ./Allgemein/..../Allgemein/Bestellen.htm...b.../Allgemein/Lizenzvertrag.htm...$.)"/Allgemein/Support_und_Updates.htm...M.8./default.css....H./eHelp.xml...U.../ehlpdhtm.js...c..(./Grundlagen/...#/Grundlagen/Benutzeroberfl.che.htm...g.Z./Grundlagen/Debug-Fenster.htm...".../Grundlagen/Editor.htm...6.O./Grundlagen/Erste_Schritte.htm...8.8./Grundlagen/Filetab.htm.....1./Grundlagen/Kennwort.htm...j.../Grundlagen

C:\Program Files (x86)\MacroX\MacroX.url

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<http://www.MacroX.de>), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	46
Entropy (8bit):	4.528465488430548
Encrypted:	false
SSDEEP:	3:HRAbABGQYm/0S44XKVn:HRYFVm/r44Xsn
MD5:	C4D20DA307C6C8923FC993D8674E0367
SHA1:	FCE3F4EC261580F244AD569ADAAC1925B7485AF5
SHA-256:	57E82DD06F49D05C4CBB8C59F0D9376564E4EBE262DB39E7D79727EC3D88B692
SHA-512:	0AC9D03CBA0A628A7BBF9800DCB1DF9F81EB432FE2E508F350DAC199554B091EC743E3B499D7F2640015188B34C29381D435FC137CBBE78C2FCC3E75AF5BF1E5
Malicious:	false
Reputation:	low
Preview:	[InternetShortcut]..URL=http://www.MacroX.de..

C:\Program Files (x86)\MacroX\fav\MCX3.MFV

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	379
Entropy (8bit):	4.474365000455228
Encrypted:	false
SSDEEP:	6:SFyQ5AjeqR8y0sF4FmQuRHAV2NvzRk4boVZSwQ9eSsFMDxgEFTJajSFII:2vAfR8tk4shAV2M4bGSofGNgsTvd
MD5:	E9E4A1D8046BA5D1E11124D416BE26DF
SHA1:	5D585D13A370008AC4BD507AFBAF0E1AD8E04EF4
SHA-256:	6A9F84B7ECB239ED4A3A864DF8BFA8E2170A6856E353D9CE68312D4C2743D9B4
SHA-512:	A6CD0D3AE5ECA41F278A15107CA94A2A5E695505A02548E0FA92BA053C100444AFD8ECD12501B2051952A8B05BE4AC658820827CB8EAE7B9891C068D178418D6
Malicious:	false
Reputation:	low
Preview:	Demo..# Diese Funktion f.gt "Code Snippets" oder..# so genannte Favoriten in MacroX Code rein...# So k.nnten immer wieder verwendete Funktionen..# direkt in das Makro eingef.gt werden...# Mehr .ber diese Funktion erfahren Sie in der Hilfe (Toolbox)....# ---------------------------------------....Message=Hallo Welt^MacroX^&OK^Icon2....# ---------------------------------------..

C:\Program Files (x86)\MacroX\fav\fav.ico

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 8 bits/pixel
Category:	dropped
Size (bytes):	1406
Entropy (8bit):	5.148387126051629
Encrypted:	false
SSDEEP:	24:E1hvEZvYUxFKtKxi2pwD87j2goAW58bRGHRzvgVzQLSh/vGatBe5M/yIrO6jMpua:+mryte+DP/abR4GzQCLPKIqI7/C
MD5:	FDB5B41DD45C4A938AC76954C3D3203C
SHA1:	76D3E4C550762B2E8864271AF2E832395C654C27
SHA-256:	E25FACC46BD5EBD147F7CC4B59383E92B0FE9DEE58035BB3751E159290D23F26
SHA-512:	3986453F12FC28ECB8821965F4767B2EA4C7DBE5A038B0F14382487907D8530E5FD93EB0EAD8391E0B5840C980619C6F5CFB3620BE1C573753CEF2D7C1F100C4
Malicious:	false
Reputation:	low
Preview:	..............h.......(....... ...........@...........................X...9...........................................T...l...........2...C...J......J...U...u..."...................z...Q...V...!...e.......P...'...........................9...q...........W.../...l.......T...!...........!...e.......s...T..._.......t...........G.......S...M...........#...c.......T.......Q...........>...`...........?...........,...j...n...w...2.......R.......,.......[...?...O...(...=.......K...................i.......................................................................,,,.999.EEE.RRR.___.lll.xxx..........................................................>...]...\|.................$$..HH..ll............>...]..(\|..2...<...F...U..$m..H...l............>..?]..T\|..i...~..........$...H...l............>>..]]..\|\|.................$...H...l............>*..]?..\|T...i...~.......$...H...l............>...]...\|(...2...<...F...U.$.m.H...l............>...]...\|..................$.$.H.H.l.l..........>...]..(\|..2.

C:\Program Files (x86)\MacroX\lng\DEUTSCH.LNG

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	21366
Entropy (8bit):	4.904648703434231
Encrypted:	false
SSDEEP:	384:+3YHsa7xxSiN8C8BwFFDXMeq13N7CC6it7c/xcy:+3ox7xxSiNdceFDXMeq197CFit7c/qy
MD5:	E0BB7E3F0810D97F3A3DE076BA688600
SHA1:	F7B4F63A788704F810B592FBED10EDA089EC21AF
SHA-256:	643DEE9B3794E2A1AFDBDC090010A5E3D9D7D6B8C47D75F0EC22730D1E7C9913
SHA-512:	5B10D479ED8C21D3AC998E5485992451910F01286595BB1281D73594A9AD3232F93F41DA07CF91DFFACA6153FAD8B3BE7A18E02CE9E28393B4AB1D559230A851
Malicious:	false
Reputation:	low
Preview:	// MACROX - Language File - last update: 31.07.2003..btn_apply=&Anwenden..btn_back=&Zur.ck..btn_cancel=&Abbrechen..btn_click_and_talk=Pegel testen..btn_close=&Schliessen..btn_help=&Hilfe..btn_next=&Weiter..btn_ok=&OK..btn_purchase=Lizenz erwerben..btn_range_select=&Auswahl..btn_record=&Starten..btn_replace=&Ersetzen..btn_replace_all=&Alles ersetzen..btn_search=&Suchen..btn_test=&Test..cap_about=.ber.....cap_browse=Durchsuchen..cap_calc=Berechnen..cap_clickbutton=Button anklicken..cap_curcolor=Aktuelle Farbe unter Cursor..cap_dummywindow=Fenster..cap_ereg=Lizenzieren..cap_error=Fehler..cap_fav=Favoriten bearbeiten..cap_file_open=Datei .ffnen..cap_file_save=Datei speichern..cap_fileclose=Ge.ffnete Datei schlissen..cap_filecopy=Dateien Kopieren..cap_filedelete=Dateien in den Papierkorb verschieben..cap_filedeletex=Dateien l.schen..cap_fileexist=Existenz einer Datei ermitteln..cap_filemove=Dateien verschieben..cap_fileopenread=Datei .ffnen: Lesemodus..cap_fileopenwrite=Datei .ffnen: Schrei

C:\Program Files (x86)\MacroX\lng\ENGLISH.LNG

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	13302
Entropy (8bit):	4.959701913886552
Encrypted:	false
SSDEEP:	192:rTHfFE/UZNN66k0FmeOblrmY6eKldLBtasORdQA98kt7gfdlkSly3b:XHLu6k08blKlntQbelkSo3b
MD5:	31650DB0F12FA30792EE0ECDD923373B
SHA1:	DE50BC73D2B66681B19D500EEC1352C64F2357FB
SHA-256:	36F5046F2E3D9DBC74FDCBF222E14261E325017F1DF177D4C0EDA3F0F5FA3A24
SHA-512:	4827464DAA05C83DF84C8D85EBA9B9073F53EB6309C75015F7E673498F01C6C6BA083FF1F54CC2894E4E2C9B12802DF108FB20206A0B3943788D01C3315D8173
Malicious:	false
Reputation:	low
Preview:	// MACROX - Language File - last update: 31.07.2003..btn_apply=&Apply..btn_back=< &Back..btn_cancel=&Cancel..btn_close=&Close..btn_help=&Help..btn_next=&Next >..btn_ok=&OK..btn_purchase=Purchase..btn_range_select=&Select..btn_record=&Start..btn_replace=&Replace..btn_replace_all=&Replace all..btn_search=&Search..btn_test=&Test..cap_about=About.....cap_browse=Browse..cap_calc=Calculate..cap_clickbutton=Click button..cap_curcolor=Current color under mousecursor..cap_dummywindow=Window..cap_ereg=Purchase..cap_error=Error..cap_fav=Edit favorites..cap_file_open=Open..cap_file_save=Save..cap_fileclose=Close opened file..cap_filecopy=Copy files..cap_filedelete=Move files to recyclebin..cap_filedeletex=Delete files..cap_fileexist=Fileexists..cap_filemove=Move files..cap_fileopenread=Open file for reading..cap_fileopenwrite=Open file for writing..cap_fileread=Read line..cap_filerename=Rename files..cap_filewrite=Write file..cap_findwindow=Find window..cap_getfilecontent=Read filecontent..cap_got

C:\Program Files (x86)\MacroX\plugins\internet\deutsch.lng

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	669
Entropy (8bit):	4.8821141452027685
Encrypted:	false
SSDEEP:	12:LWSDUKWhQ6z8r0vGl8mCPuoHhZQvM7YsDR6zsvSOXW1/ii:7YVQ6IbyrPuoBZf7V6D1Ki
MD5:	82F3FF92515FA6B031767C59F89D3FCF
SHA1:	75515F8EB176499535F0DD0552BE9E0751B51E36
SHA-256:	787D120F31715F3E6FC68C4278EE516CDF9CC646403E05F2E7C97365542918BD
SHA-512:	007DEFC54E9106A9BBCFF294D2DA73342914118445FB0FC3341B9F6D3E0205A2361DA4D5215640B2035862A4D72E73B6EDCED96386DDDD299B785F135441C090
Malicious:	false
Reputation:	low
Preview:	cap_ping=Ping..cap_gethostfromip=Hostname von IP..cap_getipfromhost=IP von Host..cap_wwwsendform=Formular abschicken..cap_wwwget=Datei herunterladen....lbl_url=URL..lbl_formdata=Daten..lbl_saveas=Ziel..lbl_host=Host..lbl_out_var=Variable..lbl_host_or_ip=Host oder IP..lbl_ip=IP..lbl_host=Host..lbl_isp=ISP..lbl_username=Benutzer..lbl_pass=Kennwort..lbl_server=Server......chk_showdialog=Dialog zeigen....f_internet_information=Informationen..f_wwwsendform=Formular abschicken..f_internet_www=WWW..f_wwwget=Datei herunterladen..f_rasdial=DF. Verbindung aufbauen..f_rashangup=DF. Verbindung beenden....txt_rasdial=Mit RasDial wird eine Internetverbindung (DF.) aufgebaut.

C:\Program Files (x86)\MacroX\plugins\internet\english.lng

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	511
Entropy (8bit):	4.773511783081911
Encrypted:	false
SSDEEP:	12:LUPDVH108PlDnNgTZoHbZ1/sDcMx8j56v1DA:QPxTPpGTZo7TjctE
MD5:	41CB6628D2D956EB9707644A1DFD2422
SHA1:	E6715C653AF4C1DC4E46179166AC68D91C728778
SHA-256:	EF74EB3C38079C628081BDFA016BA2667D2C464729C7F3B190A458EE30E02636
SHA-512:	C83658813C7DBC52F2957EC0D245AF6F8E5921ACD93BDBF9FF3F664517FA110B47816665327FE96B52D0A21AAF59D9E8ED8BD827820DF30789D0807B0D03BFFF
Malicious:	false
Reputation:	low
Preview:	cap_ping=Ping..cap_gethostfromip=Hostname from IP..cap_getipfromhost=IP from Host..cap_wwwsendform=Send Form..cap_wwwget=Downlaod....lbl_url=URL..lbl_formdata=Data..lbl_saveas=Target..lbl_host=Host..lbl_out_var=Var..lbl_host_or_ip=Host or IP..lbl_ip=IP..lbl_host=Host..lbl_isp=ISP..lbl_username=User..lbl_pass=Password..lbl_server=Server....chk_showdialog=Show dialog....f_internet_information=Information..f_wwwsendform=Send Form..f_internet_www=WWW..f_wwwget=Download..f_rasdial=Dial..f_rashangup=Disconnect..

C:\Program Files (x86)\MacroX\plugins\internet\help.chm

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	MS Windows HtmlHelp Data
Category:	dropped
Size (bytes):	48194
Entropy (8bit):	7.342062974767306
Encrypted:	false
SSDEEP:	768:Ib+ApwocoiKGB4ZdJTmIyx5fxdNZmSgle51aFRiJAL4wV28AIzz4agRVdUark8J3:IbPuoEB0zyLhZnW61aDAAL4wVJ5zsRRX
MD5:	BCE5F7487B1D8FFC9A18EBAAC702DDDA
SHA1:	62243915A597868061B67243159220F0C84B94F7
SHA-256:	0C04B6E6A69EFC2671B78E9DB099F7E82F7AC5F3333BF50AE56B921E32F2CAD4
SHA-512:	44990876430910481599477E89038DA911400131072191288AB72FF7BCCE72DFF45469A4EB81FE6172EE50320D33784D283277D6B92C99881F36776F12AB6872
Malicious:	false
Preview:	ITSF....`.......2:.........\|.{.......".....\|.{......."..`...............x.......T.......................B...............ITSP....T...........................................j..].!......."..T...............PMGL................./..../#BSSC....../#IDXHDR......./#ITBITS..../#STRINGS...`w./#SYSTEM..f.*./#TOPICS......./#URLSTR.....G./#URLTBL...-l./#WINDOWS...e.L./$FIftiMain...{."./$OBJINST...9.B./$WWAssociativeLinks/..../$WWAssociativeLinks/Property...5../$WWKeywordLinks/..../$WWKeywordLinks/Property...1../default.css.....S./ehlpdhtm.js...N..9./GetHostFromIp.htm...v.}./GetIpFromHost.htm...E.1./help.brs....../help.hhk...../Ping.htm...B.../RasDial.htm...:.../RasHangUp.htm...&.../RoboHHRE.lng...s.[./TimeSync.htm....../Willkommen.htm...b.D./wwwGet.htm..L.../wwwSendForm.htm....6.::DataSpace/NameList..<(::DataSpace/Storage/MSCompressed/Content.....f,::DataSpace/Storage/MSCompressed/ControlData.j.)::DataSpace/Storage/MSCompressed/SpanInfo.b./::DataSpace/Storage/MSCompressed/Transform/List.<&_::DataS

C:\Program Files (x86)\MacroX\plugins\internet\mcxinternet.dll

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	139264
Entropy (8bit):	4.666434325670056
Encrypted:	false
SSDEEP:	1536:dzvAOzKHwBocw0oVTwDqy6UUhCFcsFRzw7iPw9IJDDyOwO:dzOwBYVTwqyZc8zVVDDyOwO
MD5:	7936E9423E2ECE28F536F89D9148D022
SHA1:	1884EDB366E83A1FC45C03B73CF3A2EDF2DB6C83
SHA-256:	BA854BA985B9AB4E6F50D5649792863CDC5978020FC7610F38E53743C4C7F9BC
SHA-512:	925CCD7E86A2D50FC3EC5A4651DBA72B7221C6E54A849AA0B27BBE77D25B1C2E1A4113BC54950D143AF7A0712638CDCD97B8B37C719B86E2963376D175EAD434
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c...'.q.'.q.'.q.#.\|.&.q..u.&.q.Rich'.q.........................PE..L.....L?...........!................................................................................................`..........(.... ...O...................p..............................................X... ....................................text............................... ..`.data...T`..........................@....rsrc....O... ...P..................@..@.reloc.......p... ..................@..B'.};............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\MacroX\plugins\registry\deutsch.lng

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	426
Entropy (8bit):	4.32424613625057
Encrypted:	false
SSDEEP:	6:gnsWAXJOTlAltvXSOFX+O+jD6XTES+r7voxRWAXJOF1AltxCOPOO+jEjES+r7vWl:gsHw+tXk6jEzgxRHwFKlBPlNjEz3XM
MD5:	58F61418985B53F9C46C864C14421392
SHA1:	837314827000B69AABC8215003E41777CBAF9A71
SHA-256:	3283D541F009093750181E3E6A8F1BE42F453AC3E88363F500EC5ED3D769C3B8
SHA-512:	EA491F7E7D42A9956D25FEA5D9DD13E6F5495C76FD30020CD0FBBD3A41A98CDFF04CDEE1458951AB900F514A7A436E72D248424782DAFD69B71B5D74EA487A48
Malicious:	false
Preview:	f_registrycreatekey=Schl.ssel erstellen..f_registryremovekey=Schl.ssel entfernen..f_registrysetvalue=Wert setzen..f_registrygetvalue=Wert lesen..f_registryremovevalue=Zeichenfolge entfernen......cap_registrycreatekey=Schl.ssel erstellen..cap_registryremovekey=Schl.ssel entfernen..cap_registrysetvalue=Wert setzen..cap_registrygetvalue=Wert lesen..cap_registryremovevalue=Zeichenfolge entfernen....str_registry=Registrierung..

C:\Program Files (x86)\MacroX\plugins\registry\english.lng

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	360
Entropy (8bit):	4.279903229452371
Encrypted:	false
SSDEEP:	6:gnsSXHUYXSOLymX+OW9mXTdEvyyZRI3UeCOo7OPyKdEvyvXbD:gsSlBemW94dyrZRIx6KdymXP
MD5:	4CF1D4B2B4631DF2EE2E82359778517B
SHA1:	9EEF94558DDF861EF0EF1FF6EC0F1C73484157FB
SHA-256:	B08713E015DCCC1F23885E81D4AE0DDE39430FA5F6744BAD567421771F8C9441
SHA-512:	9B10616453FD5241A1D53690E255476FC602464A2914834AD16247459BAC18EA3928FFE29DD0E8D5D7B41001A74015551116AD8B7484331071B88B588B70ACBC
Malicious:	false
Preview:	f_registrycreatekey=Create key..f_registryremovekey=Remove key..f_registrysetvalue=Set value..f_registrygetvalue=Read value..f_registryremovevalue=Remove value......cap_registrycreatekey=Create key..cap_registryremovekey=Remove key..cap_registrysetvalue=Set vaule..cap_registrygetvalue=Get value..cap_registryremovevalue=Remove value....str_registry=Registry..

C:\Program Files (x86)\MacroX\plugins\registry\mcxregistry.dll

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	5.283982607810594
Encrypted:	false
SSDEEP:	768:gg6b3vcA4MIV8IdDtOsLAP3vl1Mr156eyrhswesLXrWCUFNWCUk2i3/NseJ9oNWm:p6b3vcAuVhiP3vl1MB5OFioosr+I
MD5:	5BAE0B9181599400F011E157B6D50633
SHA1:	0E7276308A2048319A14E1D6E350EB03436B6703
SHA-256:	8C4FFB2619EAEF1FBF7D126CA724ADB65C61390999622CB15FBEE370C09E04AD
SHA-512:	86AAB4012BAF3EEED873E974CB1E175B5F4FFF3D34E56BAB42818ED5DF3889B24186AE6F3533A5C35F181BB29179F49D438E59AF5C30B75A6605255DD070392C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......i..-..-..-.....,..b..$..)..,....,..Rich-..........PE..L.....=...........!..... ...p......\........0......................................0................................*.......!..(....`..`...................................................................X... ....................................text............ .................. ..`.data...T+...0.......0..............@....rsrc...`....`... ...@..............@..@.reloc........... ...`..............@..BrV~;............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\MacroX\plugins\runtag\mcxruntag.dll

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	3.7525704282013805
Encrypted:	false
SSDEEP:	384:+d2D3Ju96OTGrz2jFEBwdX77D4yRWdFEAA1k:u8u9XaCjFEB8X7nPhnk
MD5:	F6C3901F62EDDC99F8CF1E675847A6CB
SHA1:	43D8005B742801DBB6597D83CB2DE98FB83CC1B6
SHA-256:	DF402E944F6748968E09414F82672DEC8A0BCB8E1DE923B7B3B698D681051641
SHA-512:	59CB4B14155FB987A5C68E51107A7C3E3B86D3F07752078EDB24D2DF4AF22BF1DDB001AAF995FCCBA4089504047414F0B3C66AA34BFDDD971A18143A16B4C19D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........f..........&......%.....$....Z'....Rich...................PE..L....&0=...........!.....@...@......X........P......................................I................................E.......?..(....`..........................4...........................................`... .......4............................text...&6.......@.................. ..`.data........P.......P..............@....rsrc........`... ...`..............@..@.reloc..*...........................@..BrV~;............MSVBVM60.DLL............................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\MacroX\plugins\runtag\red.dll

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	57344
Entropy (8bit):	5.1841144717627365
Encrypted:	false
SSDEEP:	768:RrFfJP6B46D8SUSieK9nmTaD9vvNKX6BT3quTYEogzDq2W3QA:RFxP666PU5mT+ZFKX6hNog/9A
MD5:	8E184D7021350A80C17C6E00FA1013B0
SHA1:	4F7B57CF1D18E7044F400E27C2D931C09D33A01C
SHA-256:	5E00E1DDB0914F57F0494438B4C3E29F0924826AC73D14F72561994E2F4D8F0E
SHA-512:	535A45E85342CFCA24CE43A9C23394C23ECE98EECB6EA0E2AF38D66A6B3654B3038B92D1A5617A281E37C6636AAD6E72A0C2737EFF2B2C4241B51A7A1A3A6066
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x...<..<..<....1...."..<..9..j...2..^...9..<..f.........=....?..Rich<..................PE..L......8...........!.....p...`......QD..............................................................................0...........d...............................T....................................................................................text....k.......p.................. ..`.rdata........... ..................@..@.data...............................@....rsrc............ ..................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\MacroX\sample\ClickButton.mcx

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	data
Category:	dropped
Size (bytes):	458
Entropy (8bit):	6.016413951656457
Encrypted:	false
SSDEEP:	12:jlabcDNSJH+ZGWfNWaOhYMeZdHBFXdznDdFP:jobQN+eZGha0eZ5BFdzDdJ
MD5:	1E1C8E0373F074D3D102B55182ECF77E
SHA1:	64F7D2B50B54699872746C00E9BE3C72BCD03B91
SHA-256:	88F297660854D7524797475A251A25D8B682E23EACBF5D88EC52F26995DB97A2
SHA-512:	5B29ADBAF449D1AB680DBD395567F0C4B3C288330405BEDB82ED6468A772212A564E7460DBD2BD14BF799019AE5DD8A06D64B9C13E22DEB53D3D5AC6579167A7
Malicious:	false
Preview:	MCX3.ne{jwkllj~l..4....-->#]W...w..r.Slvy...}.r.<.w.In{.ux..[m.{z.s.?l..g1}.r.<{..).v..w{.{.{r...{.._S{..{t.?l..g\^.n.;\|{.w.Irs~.3.u.X_}...<.s.Lsn..m...;\|{.gNg..-.{.ux.q.&..v.{.w.*.s..{....w.w.Fyy\|.w{z...x.w.+....}.8]..Z.u..{..3vxu.n{.ux.km.{z.s.}.7c.........IUx.\.?fl.f.}.6om.........}.'w..x.m.....km.{z.s.ucm.'w..x.m.....km.{z.s.y_k.'w..x.m.....km.{z.s.ndw.'w..x.m.....km.{z.s.{Y{.3vxu...9..t...'w..x.m.....km.{z.s.ndw.'w..x.m.....km.{z.s.y_k..

C:\Program Files (x86)\MacroX\sample\Loop-Text.mcx

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	data
Category:	dropped
Size (bytes):	207
Entropy (8bit):	6.067151432211169
Encrypted:	false
SSDEEP:	6:jOYabcDrRS5OegyexSba2pllI8svTZd8y:jlabcDrRSfg1U5plXsvTZay
MD5:	75FA70032050CEEEC52741B6954F6A80
SHA1:	77CD4FAC45782989CA8C5DC2800A19A6CE7E4061
SHA-256:	DBD1E90049F5243E4E6FB0C2DC46E5251B7C408FD4F1907C4547BFD13A37B58B
SHA-512:	4A1ED6C30FAB583700B2A2233A738BEFF4630C2437C3BCD1E2A3CCCDF3420E7809C80DDE5661FD6E10D4BE92B8436476A590D4B233861AB6CCECD4AA5D73D597
Malicious:	false
Preview:	MCX3.ne{jwkllj~l..4....-->#]W...w..r.Slvy...}.r.<.w.[a{u.}.?l..g....-.w..q.;\|{.w.Lom..k.Slu.}.8]..O.{.u.}.{..3vxu.n{.ux.hg.}w.s.z.s.[a{u.}.}.Np}....w..6om..fn}..\|...w.>}\|.Sl~q...{8.k..s..Ewz.s.N.c}.....

C:\Program Files (x86)\MacroX\sample\Mouse.mcx

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	data
Category:	dropped
Size (bytes):	1000
Entropy (8bit):	6.191767608808222
Encrypted:	false
SSDEEP:	24:jrQnJhMrREGRSX9ob8WUnBo2ggnDWwN8WnzvFc8tOcKtz+:4JyNLKErUnEgnDOWnzvFcCKtz+
MD5:	065B9851F1FBD0E1E65E1F528F070991
SHA1:	4545532067318D60E76B0ACF197C8D0FB9388E96
SHA-256:	BED7F963D98639C4D7DD94178E7BB29B5DF7C4A087536BA576A4C4969A98D621
SHA-512:	D7066627F46570246FB1289CD1F3BCB125B9161EDD7246CD2AEBB53CCE7A3F9B129FF79D4406E971FB5D982B9A3AC0DA421981CC68BBBEDBD73DF3512D0E2ED1
Malicious:	false
Preview:	MCX3.ne{jwkllj~l..3....-->#]W...w..r.Slvy..M_.o~.q.<.w.[a{u.}.+...>}n.~s.7.z.g6.u.X_}...<.s.Sll..<o..{.<.w.^Y}.q.{.w...4mv..v.....e?.w{..s~.u.y.hhg.}w.s.z.s.[a{u.}.g~?.w{..s~.u.y.hH.z.u....}.8]..O.{.u.}.{..3vxu.n{.ux..?.w{..s~.u.y..}.8mr..}..n{.ux..?.w{..s~.u.y..=^y..n{.ux..?.w{..s~.u.y.y\|.\|..}.g.Sll..}n.~r...w.+...U_..xx.)....w.3.u.<.s._L.x.y{..q..w.z..?l...w....w.....FR.s..^z.......{}..6om..{]n.~..Zaw{..s.2.~{.+.z.w.....Ewz.s.=^z...M.......{..I^o.s.m...?.w{..s~.u.y..3vxu..z...FR.s..^z....z..z.x..=^z...M.......\|..}.6om..{]n.~..Zaw{..s.2.~{....{t.....Ewz.s.3vxu...}..FR.s..^z.......z.y..=^z...M.......{..FR.s..^z....}..{x...=^z...M.......\|..}.6om..{]n.~..Zaw{..s.2.~{.1.}w.....Ewz.s.Ewz.s.}.3vxu..y...FR.s..^z....}..z.~..=^z...M.......{..3vxu..\|}..FR.s..^z....~..v...=^z...M.......\|..3vxu..\|...}.=li.\|.o..n{.ux..?.w{..s~.u.y..}.Nh.m....Bg.}w.Mj..<.n.9.r.}.w...Fcn.Zaw{..s.).....3.u.<.s.Sll..>}n.~s..}.N.[.m....3vxu...9..t...}.6om..plvy..>}.w..q.Mj..5....w.<.w.[a{u.}.-.{\|....w...

C:\Program Files (x86)\MacroX\sample\Registry.mcx

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	data
Category:	dropped
Size (bytes):	598
Entropy (8bit):	6.210509684924705
Encrypted:	false
SSDEEP:	12:jlaHDwQYJ/myE8Bt7W2IatzIKIKb7btaWRPXlXu8Zx52Gp8e02v:jojkJ/fVX6batcKIKb7b8WRzZ/2GpnZ
MD5:	BB9E74680B9CFE4C0224D2B11935F7F4
SHA1:	51E9859E67F30247306A5A3ECE8931DB0330F255
SHA-256:	0C158900DC9CFFCC696CDB883FFF88E5D24CA7BDED6426A8968118683DB4F7EC
SHA-512:	1C061799249C2965C5A30E32D6E4370D5BC8697CE33E8FE3A6DE2EA8CA694FDF7521E964CE4542C07B7CF98D25FBF25E03266F04A019A8B7748CD8181135D5F2
Malicious:	false
Preview:	MCX3.ne{jwkllj~l..4....-->#^\{..~{.r.Slvy..+..;\|{.w.Irs~.7{.<.s.Nm~~v..y.g)..;s...y..w.+...)....s.?l.y...r.w...}.8m~~v..y.Q..m..fl.P.k..}.lz.n...wzu...s.8m~~v..y.nq.uuw...1.\|..Gk..o~z.\|u.q.k..}.lz.n...wzu...s.}.=hr..z..frs~.9.r..\|.{.s~.5...x.w.Mj..?l..Q..+..<.w.9.r..\|.{.s~.w.Irs~.)....s.?l.y...r.w...P.l~q..z.W...}.8m~~v..y.bq.uuw..J..o~z.\|u..~~v..y.k..o~z.\|u.q.k..}.lz.n...wzu...s.=hr..z..xR.7v..{1.\|...Kmv.3.wz.sU.L...y.r.w.s.Irs~..{2..o~z.\|u..~~v..y.*.wz.sU..wz.sU._..x.w.Mj..?l..Q..+..<{..Irs~..)....s.?l..<.s.Nm~~v..y.&..;wz..s..w.P.l~q..z.W...}.8m~~v..y.mx~y..fl.P.k..}.lz.n...wzu...s..

C:\Program Files (x86)\MacroX\sample\TimeOut.mcx

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	data
Category:	dropped
Size (bytes):	804
Entropy (8bit):	6.419018210067882
Encrypted:	false
SSDEEP:	24:jtQkCaBCmlwkPEOO7WQZzHKRGornAnwJ8lJ5A:v3wzj7yRGcnAQ8lM
MD5:	516159DE8500A4681F95B09E94B46482
SHA1:	B2F9A30BA08FCAB9D4586D6FD97B51F99E01E8DB
SHA-256:	1481AC3ABB3748B449975BB53F0F2036F1AF728B165262CEF76F329450AB95BC
SHA-512:	F02D306493404637177C55AC1AC227D529B3C7BC5758F62F20DEA1DB6D3D7DC9161189F1D90381E033E532D7E07A2C0124E4865ACBB2BD12FD543242747E43C4
Malicious:	false
Preview:	MCX3.ne{jwkllj~l..1....-->#]W...w..r.Slvy..-..o~.q.;\|{.w.Lk\|..Z..*...k.Mnzv...w.gLnw..6.qz..&.l..;\|{..Shy.o...7{..s..u..<{.r.s.Fu\|u.g5..{t.9.r.{\|}\|..w.;s...x.<{..Juo...v..{?.}\|.s.<.w.Irs~.o..}.6k\|..Z...x.?.}\|.s.h...=hr..z..y[.r..Shy.o...).w..?l....m.v.{.7{.=...k.Mnzv...w.9.r.{\|}\|..w..^Yu...).o~.w...P.l~q..z.e_.p..{.w..ft....6k\|..Z...s..}.Ns...?.}\|.s.h.s..:d.h.vk..jZ...x.gs..\|..=hr..z..jj..8..}w.<{..Shy.o...2..{t.7{..s..u..k.Mnzv...w.9.r.{\|}\|..w..X....w.Mj..<{..4.qz...Shy.o..7{..s..u..<.s._L.y.\|u.xTk\|..Z..9.r.{\|}\|..w.)....w.Mj..6.qz..<{.r..Shr..z..2..{t.4.r.w..Z..v.w.Mj..<.n.Slvy..2..{.3.u.?l..+...5...x.w.Mj..<.s..?l..~a_.p..{.w.tP.l~q..z.W.m.ft....7....N.f....}.:d.h.vk..jZ...x.N..s.v..\|..=hr..z..v[..xt..{.{..Mj..8..}w.<{..4.qz...Shy.o...7{..s..u..k.Mnzv...w.9.r.{\|}\|..w.P.l~q..z.W.m.ft....

C:\Program Files (x86)\MacroX\sample\WatchMouse.mcx

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	data
Category:	dropped
Size (bytes):	208
Entropy (8bit):	5.878664106593142
Encrypted:	false
SSDEEP:	6:jOYabcD15JTvYgLq7BKnETE8bCuoLIOxD:jlabcD15BF+lKog8kD
MD5:	95E7E0032E9B4EC9873D2CB1699067F9
SHA1:	756DE6F84DD46AF54A6F49722133912D86F5B5FA
SHA-256:	7F8E796D4BDDDC7DFEB031C7F607225E1F6E137697EDB967961EC1CF988E0C27
SHA-512:	F027E1BEEA65FB62383B8F891D3BA5B665A5B657EE93ED993B5A82BD0DB26CA6A2A9DDC577F48694AB9C8C00D2FAC4167AE079A873EA52DA45F556499263BEA0
Malicious:	false
Preview:	MCX3.ne{jwkllj~l..4....-->#]W...w..r.Slvy.\|.).o~.q.?l..Wav..Sll..}n.~r...}.Nvw}.u.pl~q....~}.v.wZ~wz.s.I~wz.s...>k.}y.{Yu...>}n.~.w.Mj..<{..Sll..;\|{.).w.....q....{zz...{}..N.iw}.u...}.3vm.{.^z.......H}.u...

C:\Program Files (x86)\MacroX\sample\WatchMouse2.mcx

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	data
Category:	dropped
Size (bytes):	390
Entropy (8bit):	6.02181810782599
Encrypted:	false
SSDEEP:	12:jlabcD15B/v7DiCUjKu0+lKog8kLiCUjKQ0v7la:jobQHB7PhuD18hDla
MD5:	30F34A6755DF4B6AD213BD1C2AB75ACF
SHA1:	ADCDCACB67C0B2E01D70343E0D3E518BE809C8A3
SHA-256:	4BE62552AB140C5BC318F5C51AFED3FCECE7E93ACE05ED46AEAA9E89C197F1A8
SHA-512:	B7D19CE41E224CF0D8B8DF02EA9DF4FAAA44A0ACC212F97BE3B6B99079DF79FFC45F44D43A530C71E586CF4AB26402415381F8C6B9CA02B9765F07D4BF091CBC
Malicious:	false
Preview:	MCX3.ne{jwkllj~l..4....-->#]W...w..r.Slvy.\|.).o~.q.?l..Wav..Sll..}n.~r...}.eDux.u.\|.u.z..he..{8~z..u.\|{.G..{8~z..u.\|z..}.Nvw}.u.pl~q....~}.v.wZ~wz.s.I~wz.s...>k.}y.{Yu...>}n.~.w.Mj..<{..Sll..;\|{.).w.....q....{zz...{}..N.iw}.u...}.3vm.{.^z.......H}.u.}.e7.p.u.\|.u.z..he..{8~z..u.\|{.G..{8~z..u.\|z..}.=hr..z..\|Ux..Pa\|.u.z...{Dux.u.\|.u.z..*.wz.sU.ip..Pa\|.u.z...{7.p.u.\|.u.z..G.l~q..z.W...

C:\Program Files (x86)\MacroX\sample\instanztest.mcx

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	data
Category:	dropped
Size (bytes):	319
Entropy (8bit):	5.268578461493899
Encrypted:	false
SSDEEP:	6:jOYauWG9EZbmJZHJmAiyrsmaGJ+bmvfPmQCeFQUGbmD:jlaM9ElIfiyI4siPZCeFzOE
MD5:	49C7F67F7B67E63A0D6BB5819225CA12
SHA1:	3F6E00CFB9F184F61F986C3DF1EE1034421D078B
SHA-256:	5EC835878FA59ABE0127119FD1496AE32F6FEAD60E42CA22EF07CEE0B3EE4472
SHA-512:	1E4114035D101FE653B6E582B34264B6CB7D2BF23089F4401AE02A49DEA0A3DDD598DC4A22F5B5A759F81DB91146B8E84DA13F9DF90493996EE845235CD58B19
Malicious:	false
Preview:	MCX3.ne{jwkllj~l..4....-->Rm~~v..y.bq.uuw..T{{.u{{..l~q..z.}.lz.n...wzu...s.A...<{{.h.tj....8m~~v..y.Q..m..fl.pl~q..z.}.lz.n...wzu...s.8m~~v..y.nq.uuw...Su{{..l~q..z.}.lz.n...wzu...s.gv..............Wav.Slvy..s...........}.}.gv....................................8m~~v..y.mx~y..uuw..T{{..l~q..z.}.lz.n...wzu...s...

C:\Program Files (x86)\MacroX\sample\runtag.mcx

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	data
Category:	dropped
Size (bytes):	84
Entropy (8bit):	5.494389780335657
Encrypted:	false
SSDEEP:	3:ICL9HukWfgbRCmsf/vtJTcu:jOwbRCnzTcu
MD5:	E2F06492F924B2B9F42EF50F7B6B256B
SHA1:	A00DC4B85C27145DAF03AEC43E41A5FA22CCE9F4
SHA-256:	E15F3237B29C8A801F90E048A473ED1DDA61374EED3959CBFCA4B3BD24A272A2
SHA-512:	951715D2DBFCEE311843995C6FCF22F04609E7CCB767C4071D8D6EE95231DBA38774DFF399848CA05DC193F302E73F6F86D7F0D894839FA985424CA9E0BF458F
Malicious:	false
Preview:	MCX3.ne{jwkllj~l..3....--><j]..Zv....&{w.O..}.N.]]....}.=hr..z...6..G.l~q..z.W.....

C:\Program Files (x86)\MacroX\sys\CMAX20.OCX

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	528384
Entropy (8bit):	6.059121997133104
Encrypted:	false
SSDEEP:	12288:8zQGyv/e83X6GDsVCOA2p7GR0TyYs7yPtatv:8gTaFdQLylatv
MD5:	030C8F3D24D436D210EC4C3A8B9CC844
SHA1:	B80985F3D27B130A1561FEFA569E2489A4B8202C
SHA-256:	101BBB0FFFA86F85CBB91BBA848481E7B86F6794B94BEE82E5BE936079F74787
SHA-512:	3555CA8AE4EE7258BAB489AD6A3CBC9D97DFAC753A003E80728AB57EED81C77DDF4E3E89A3AF66645F0DF77EE10F020110066BD51F19E4011D353BBC8D1C3433
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\|2H.8S&.8S&.8S&.O(./S&..L,.ZS&..L-.7S&.8S&..S&.nL5."S&.ZL5.)S&.8S'..R&..L0..S&.U .9S&..L".9S&.Rich8S&.................PE..L...h..<...........!.....p..........c...............................................................................p................`...X.......................9......................................................,............................text....i.......p.................. ..`.rdata...b.......p..................@..@.data...h_.......`..................@...Shared.......P.......P..............@....rsrc....X...`...`...`..............@..@.reloc...H.......P..................@..B........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\MacroX\sys\HookMenu.ocx

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	221184
Entropy (8bit):	5.805094959424265
Encrypted:	false
SSDEEP:	3072:n/GzeDi2oJ/BwSgHyOA6asBw3c2YSI9VPmbST6VdLv+KXQQDhJfep:nOrODHyP61Bw3YSI99mbSydLv+KXfh
MD5:	50A399E0876928CD4B24B10036978E83
SHA1:	2119166A7040DEC2D1F468068F5F60F4C56CEDA9
SHA-256:	B0B67EC07E73B41A80E5B23DF201B852AE514E85F6E5D7688AECEE90808D8F02
SHA-512:	472F0B76AD58E23A38A624F6D6E66E5689B063A0065F62EAED350C9C171E9DEDB179F43980143CCCFFDA73B6E8B825B8D4DDD26787838C72AFFEB1548B34317E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}q.....................>.......?......R<......Rich............PE..L...W..?...........!.................3.............".........................p......^...............................p...........(............................0..P;..........................................X... ....................................text............................... ..`.data...X...........................@....rsrc............ ..................@..@.reloc...?...0...@... ..............@..B'.};............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\MacroX\sys\MCX3.DLL

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	5.244061505452059
Encrypted:	false
SSDEEP:	3072:LmRrCzpVdkeydMHxD1DvIVAPBARVGQfps+mzZpRGmKeyFatZGyaGmpy2EvrI:Lr95ymDIcAjGQRcpbgFanG5HE
MD5:	1EFA163CE1EE10A40E435C04C0531134
SHA1:	D6FDE4CAEFA51796FCCF305F358FBA2BD7611A92
SHA-256:	039E74C4E02D98B5401E5EB88F48F29F4F696CF60021680D6334285EC00538AB
SHA-512:	42AC9CE90538EB19FA43779B9165F6E593454D9640A6F8354F2C78D0E9DF389848B3D69815E9C21E6D9D1A6A5DB4F8B05CC7CC9AC8D5778E47D2019BB6D5E190
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c...'.q.'.q.'.q.#.\|.&.q..u.&.q.Rich'.q.........................PE..L......A...........!.................................................................C..............................@...........(........8.......................4..........................................X... .......p............................text............................... ..`.data....{..........................@....rsrc....8.......@..................@..@.reloc..h5.......@...@..............@..B2..=............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\MacroX\sys\macroxrecord.dll

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	61440
Entropy (8bit):	4.400480362954566
Encrypted:	false
SSDEEP:	768:x9FKe0cj8dJAY0QGT3ouYjsOV23hER10ZlVB3CC:bAZaY0HT3BOV23GOV
MD5:	27994EB0D74801DF36668A4992AA0BB1
SHA1:	3B62A38A784E4DAE7BF345E075F2D416EFEEEE1C
SHA-256:	E4302C6F4231402388C3F7F3865F646E20FE086358B24262D1BF6DB6F9F86B4F
SHA-512:	83E79E321F1247341259355682072BFC58CE769197285476E1B979A6D8B506E40634AD1ECFA1A1D9AB0494F7E815E06D33303AAE9AA2A94D12BC8D03F1BFF1E9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c...'.q.'.q.'.q.#.\|.&.q..u.&.q.Rich'.q.........................PE..L...u.2?...........!.........@.......................................................Q..........................................(.......0...................................................................X... .......h............................text...y........................... ..`.data...T...........................@....rsrc...0...........................@..@.reloc..J...........................@..B'.};............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\MacroX\sys\macroxsettings.dll

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	4.601390583488003
Encrypted:	false
SSDEEP:	1536:PeQSfTKkIZJVrsOSSpn+q/h97EYx/5H5I4thz5MN6:PVSfTByVrsOLpn+q/dx/5ZI4thzeN6
MD5:	3049F5EE34911613B4075372AB482E6C
SHA1:	46F27320C9780733DF6294BB6BB2EE52E8C20AEA
SHA-256:	471EC1DE844529E9A620D38F2CCF95AA5B09A4CF111315200F9B9EF3C81D2DFF
SHA-512:	DBBCE2A5666D59C0259D8288A61456B2AE731F24383A1A10135F79963A62403F0F97D04435F464ED64BAFB243D364547D6C7F7887B2C6752643D86B47A3E2FBB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c...'.q.'.q.'.q.#.\|.&.q..u.&.q.Rich'.q.........................PE..L.....?...........!.........P...............................................@..............................................D...(.... .......................0..............................................X... .......l............................text...+........................... ..`.data....+..........................@....rsrc........ ......................@..@.reloc..H....0......................@..B'.};............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\MacroX\sys\mcxKernel.dll

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	794624
Entropy (8bit):	5.053829162275759
Encrypted:	false
SSDEEP:	6144:r8Utsp4x7gbusMx8UfXMMFhg6KYSlkV7xPjrbEH6UY:QU6MhuixfIaU
MD5:	9E17BB69C7BB8A2A033B8901AC325CCF
SHA1:	FCC8126FE7999F7DF95F563F5B0CEDFAC42B3768
SHA-256:	28202BD1A265C3DEA44FC68D70FE1B15EFB9C40927DE961573CF87F20F1ADB12
SHA-512:	7A44A876D58AED9A4761090A1D7D4C27ABC8A9A7035EE2BE34F1BDE653ABB2A711B15956CF793DAA120427B04F5F6A97EF6B66663291F014A6AC10AA8AB7F926
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c...'.q.'.q.'.q.#.\|.&.q..u.&.q.Rich'.q.........................PE..L...6!O?...........!.....p..........h................................................................................s.......q..(...............................@m..........................................X... ....................................text....d.......p.................. ..`.data....i..........................@....rsrc............ ..................@..@.reloc..6r..........................@..B'.};............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\MacroX\sys\mcxLanguage.dll

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	2.7541848570327154
Encrypted:	false
SSDEEP:	192:xZYDisYa7EglLZURs6qVKvrbA9dWPwipT3pQK:xZXsFJNdVKcWPwipT3y
MD5:	6FF0FDE353868071E7BCAD29EFF88761
SHA1:	2044E0121405A3FBC69C7A1B71AA5FC256D31C89
SHA-256:	A766F53FFC3374E9BD57A1B13A9689411076E8BF0E74F597F65EB7254C935BC1
SHA-512:	64A69E578993240D61501DC4025CB6995ECB43EC8FCDEAFAE7423AA44DEA9F2AD4E9412F6A94580BA9609A561A9B8559B99498A1C19C4E0D8E2EFB0D21D5DE03
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c...'.q.'.q.'.q.#.\|.&.q..u.&.q.Rich'.q.........................PE..L...._.?...........!..... ...0...............0...............................`......................................@'......T&..(....@.......................P..............................................X... .......@............................text............ .................. ..`.data........0......................@....rsrc........@.......0..............@..@.reloc.......P.......@..............@..B'.};............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\MacroX\sys\mcxRun.exe

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	2.099326247408744
Encrypted:	false
SSDEEP:	192:Ue4ZmrzROQiVtjSZcxOBttlflPTFX98rWQAV+:UJZNQiVtNOBTF+WQAV
MD5:	B806D328D8579EDD8FA5FB6C39115F9F
SHA1:	5B96B432803AB37C84CB9B0D26028E368014F86E
SHA-256:	97D31710917427DA90DCB1430C756C675823545F6843F488F7803A733F554068
SHA-512:	F257E1725743875FC90466F47A1A2283A89C994DEEB707BDA30F120340F10C0F8147270FFC92F41D70D88B4B21151D31170DB6F747CF08C6FCD04101E1B8ECF8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m...)zi.)zi.)zi.-Yd.(zi.Rich)zi.................PE..L......?.................P...@...............`....@.........................................................................dR..(....p...'.................................................................. ... .......l............................text....C.......P.................. ..`.data........`......................@....rsrc....'...p...0...`..............@..@'.};............MSVBVM60.DLL............................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\MacroX\sys\mcxexe.dll

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	16896
Entropy (8bit):	3.920632997583856
Encrypted:	false
SSDEEP:	96:7y1CKU7HfvmGtbbXxU1uXZC/EgEe7zhJVOmv0447kDYeZlaLVO6S+SPS0SDSCSxT:YCKEP5SmZSREe7zPdVTr8LVOHqWtXK+
MD5:	741C9384091A4A5731B8C372D84AEFDE
SHA1:	5E0866CD015ED92392A50B7ECB604A2C13792CE2
SHA-256:	8CAEAB4331E1D721477B53DC201605243C96829D6B5DD2BCBACB1AEFE19A722A
SHA-512:	3CB6E7332858DA6C4DF6790C9277458E978F06A4820A99710836051920DF42C7A4A74DAE5D397D128024A88F295132BF309A8E9AE809FFF528ED701DEBC53583
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m...)zi.)zi.)zi.-Yd.(zi.Rich)zi.................PE..L...`.3?................. ...0...... .............@......................................................................................(..........................................................................................................UPX0....................................UPX1..... ..........................@....rsrc....0.......*..................@..............................................................................................................................................................................................................................................................................................................................................................................................................................................................1.24.UPX!....

C:\Program Files (x86)\MacroX\sys\mcxnetbar.ocx

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	4.950373824937962
Encrypted:	false
SSDEEP:	1536:m0XJTgz+rwS2jrC40X6IQ5dBmhzmghTKODdeX7OLrKV/t5:m0XJTuIw3C40X7Q5dBmhzmghTKODdeX7
MD5:	E3D447877709D5E275F0CCDFD01365B3
SHA1:	E78DA4925954972D390CCD9906B4F3BD50EC9E17
SHA-256:	385B3DF94E5E499DEC04EE54D698D8F45CE099B10DE71EF3447A5D6B09090C83
SHA-512:	8B97448955B83F52F8689EC6FB4E191F50696F43E05A3FFDC31D34ABA93BFC15FFBA727368B1AD9DF6FCAE9F7EA22ED5F784B68CFF718AA05C26D67717F18D3C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c...'.q.'.q.'.q.#.\|.&.q..u.&.q.Rich'.q.........................PE..L....4.>...........!......................... ......................................$...............................0.......$...(....@...9......................t...........................................X... .......T............................text............................... ..`.data........ ......................@....rsrc....9...@...@... ..............@..@.reloc........... ...`..............@..B'.};............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\MacroX\sys\mcxtabx.ocx

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	4.898615668997072
Encrypted:	false
SSDEEP:	768:b+NgHDRqGs2isZExP3H8ci9ySGghDSGlI/cBo0iN2JnsaWRznFaWRIdaNOwHawsM:egHuoc9gz00mwdaNOwDRb7OuElvZ
MD5:	29AABE28EB0E4FE85C084FDB4DC1788F
SHA1:	403973BEF86F0C5F7C598888ED8DAF340976AC7E
SHA-256:	D9095A4449A6B6602A4B15A98D3B6DBB5E0A0C6EF5B8AFD0DDC2D18DE5691813
SHA-512:	D52A93BCD8E0B5EBBEEF4B535F9CF2F6FE0C9619E8C70B854A5BC0972295502FA97C619AE2C506761F7EE87264CDEC925D3D083BE154EC9FFF967060F8EB5ACC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c...'.q.'.q.'.q.#.\|.&.q..u.&.q.Rich'.q.........................PE..L...E..?...........!......................... .....M................................%...............................0.......$...(....@..@9...................... ...........................................X... .......T............................text............................... ..`.data........ ......................@....rsrc...@9...@...@... ..............@..@.reloc..n........ ...`..............@..B'.};............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\MacroX\sys\vbalIml6.ocx

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	5.00402451968922
Encrypted:	false
SSDEEP:	1536:RDIRGgf2MFF5yCUSGMlbV62JE3bJuGevOliOMFvk7l:5LWhGSGVlOOlX
MD5:	C2CE8DA8E394DDFE113DF3DB357F02A7
SHA1:	F066482EA6DEA3A56B84FCC9D72443C89A09ACE0
SHA-256:	4272D8256AF3F93DAB07C66CFEBC809210A851C7981237A94DBAD6117ED4EFBA
SHA-512:	0E87F47A23E7683618C9FA783143924EFCBF74F0CE5391E37CEFFE7EB0F1D20D0860CCCD46B882516DB3FE195109F47A300E8AAA1981BD4254C178788592F9A2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=...y.q.y.q.y.q..\|.x.q...u.x.q.Richy.q.........................PE..L....3.>...........!................P........ .....F...........................................................................(....P...,..................................................................X... ....................................text............................... ..`.data.... ... ......................@....rsrc....,...P...0... ..............@..@.reloc........... ...P..............@..B'.};............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\MacroX\uninst.exe

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	60115
Entropy (8bit):	6.5809763153398855
Encrypted:	false
SSDEEP:	1536:wh03grsyj5Rk0gtUABJNTPCr5gg+SsN7bekyMjn:agyjKBJNTPCr5b+vnzyw
MD5:	D16697A8878EC034CDECFD958131D869
SHA1:	474811915B061118F51D94E9661147FD27E64819
SHA-256:	5F850198AA580B6D2E042B0D072B72AD8F45084E963168740D067A57943CE890
SHA-512:	65C9AE17A5773653C01ED7476C4D4340805361BF7545D7A9BF5AE7D72B86AAEB27B440ABFE223E710F39531897D41C58153A9882243C5C9F8B001DB11900D894
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 7%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................Q...r....................6.....Rich..........PE..L.....%@.................^..........H@.......p....@..........................0..............................................0s...........p...........................................................................p...............................text....\.......^.................. ..`.rdata.......p.......b..............@..@.data................t..............@....ndata.......@...........................rsrc....p.......h...x..............@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsa434D.tmp

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	data
Category:	dropped
Size (bytes):	6662882
Entropy (8bit):	6.2721209853721795
Encrypted:	false
SSDEEP:	196608:nmoJTIbPjaKHAtl3hahqOrTajku2FzSvRYO:nmoynaKHAf3h+qMOjk3F2vP
MD5:	C3748196D35B4970BB78B24992E5A22B
SHA1:	506ED93F684ECA0F5102654D8135C3B95C8231BD
SHA-256:	2EBD441B248DE85FC3D611B2D569C220DF06A82F6E11252B1F7AA3EB33FCC3E3
SHA-512:	65273DAADA19785C0705A0FD3E706444BC7C7CEE046967177F3D03CD5DF6A64B78BA54A139D4539ED0C2E64767D53B3CF6E0B0D9FBBD492716B8DB22B37424CC
Malicious:	false
Preview:	.G......................\................C......pG..................................................................h...R...............................................................................................................................................................................9...............................................g.......:...?...@...............................................j.......A...F...G............................................................................................................... ...........k...j.......................................................0...............!...........0.......3.......!...........0.......B.......!...........0...P...=.......!...........0...P...X..._...!...........0...b...j...n...!...........0...b...X...q...!...........0...b...=.......!...........C...........................#.......u...y...............'...~.......................#.......u...................'...~.......................#.......u...................

C:\Users\user\AppData\Local\Temp\nsv437D.tmp\InstallOptions.dll

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.846735113525697
Encrypted:	false
SSDEEP:	192:6KdqJ4Bhf1mdCMI26t510swClJOeFIsm7F1QuPs:6KdE4zAddwR0swqOeFxu
MD5:	4C7D97D0786FF08B20D0E8315B5FC3CB
SHA1:	BB6F475E867B2BF55E4CD214BD4EF68E26D70F6C
SHA-256:	75E20F4C5EB00E9E5CB610273023E9D2C36392FA3B664C264B736C7CC2D1AC84
SHA-512:	F37093FD5CDDA74D8F7376C60A05B442F884E9D370347C7C39D84ECA88F23FBEA6221DA2E57197ACD78C817A74703C49FB28B89D41C3E34817CC9301B0B6485A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........cd"W..qW..qW..qW..qj..q..Wq\..q.!;qV..q...qV..q.".qV..qRichW..q........PE..L...K..@...........!.........6.......'.......0.......................................................................6..p....1..x....p...............................................................................0...............................text............................... ..`.rdata..@....0......................@..@.data....'...@.......$..............@....rsrc........p.......*..............@..@.reloc...............,..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsv437D.tmp\ioSpecial.ini

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	Generic INItialization configuration [Field 1]
Category:	dropped
Size (bytes):	701
Entropy (8bit):	5.248908260001124
Encrypted:	false
SSDEEP:	12:lOu8VTsAgQRvAYfEz4gNhMyFEGJ44gNDdWVNDkDSBfrQnzwA0GdJM:yTdRvAYf41g0EGy1ZtDsrQkA0z
MD5:	EB5325A3D71E651E6FBE24C6A568D36F
SHA1:	CED793CFB638DD95939B58615B1E8FD825FF90AC
SHA-256:	2267AF279A4B93BB7EF64CFBEA8A88736015C7C30C4475BA7F0FD1C2370E42FA
SHA-512:	B3A430F6A0AC87D2480B5CEA0BDF2EDC364D9E0AF67510A88765E599636C70BC53F769E70258B5CB4630FC2E7B20DFAF4ECBFBE386FF46638F2FDAC4350659FF
Malicious:	false
Preview:	[Settings]..Rect=1044..NumFields=3..RTL=0..NextButtonText=..CancelEnabled=..State=0..[Field 1]..Type=bitmap..Left=0..Right=109..Top=0..Bottom=193..Flags=RESIZETOFIT..Text=C:\Users\user\AppData\Local\Temp\nsv437D.tmp\modern-wizard.bmp..[Field 2]..Type=label..Left=120..Right=315..Top=10..Text=Willkommen beim Installations-\r\nAssistenten f.r MacroX..Bottom=38..[Field 3]..Type=label..Left=120..Right=315..Top=45..Bottom=185..Text=Dieser Assistent wird Sie durch die Installation von MacroX begleiten.\r\n\r\nEs wird empfohlen vor der Installation alle anderen Programme zu schlie.en, damit bestimmte Systemdateien ohne Neustart ersetzt werden k.nnen.\r\n\r\nKlicken Sie auf Weiter, um fortzufahren...

C:\Users\user\AppData\Local\Temp\nsv437D.tmp\modern-wizard.bmp

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	PC bitmap, Windows 3.x format, 164 x 314 x 4, image size 26376, resolution 2834 x 2834 px/m, cbSize 26494, bits offset 118
Category:	dropped
Size (bytes):	26494
Entropy (8bit):	1.9568109962493656
Encrypted:	false
SSDEEP:	24:Qwika6aSaaDaVYoG6abuJsnZs5GhI11BayNXPcDrSsUWcSphsWwlEWqCl6aHAX2x:Qoi47a5G8SddzKFIcsOz3Xz
MD5:	CBE40FD2B1EC96DAEDC65DA172D90022
SHA1:	366C216220AA4329DFF6C485FD0E9B0F4F0A7944
SHA-256:	3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
SHA-512:	62990CB16E37B6B4EFF6AB03571C3A82DCAA21A1D393C3CB01D81F62287777FB0B4B27F8852B5FA71BC975FEAB5BAA486D33F2C58660210E115DE7E2BD34EA63
Malicious:	false
Preview:	BM~g......v...(.......:............g..................................................................................DDD@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDD@@@@@@..DDD....DDDDDD........................................DDDDDDDDDD....DDDDDDDDD........DD@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDD@@@@DDDDDDDDDD@@@@@@D..DD....DDDDDDD......................................DDDDDDDDDD....DDDDDDDDDD......D..D@@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDDD@@@@@DDD..D.....DDDDDD......................................DDDDDDDDD.....DDDDDDDDD......DDD..@@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDDD@@@@@@DDDD.......DDDDDD.....................................DDDDDDDDDD....DDDDDDDDDD.....DDDDD..@@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDD@@@@@@DDDDDD.......DDDDDD....................................DDDDDDDDD....DDDDDDDDDD......DDDDDD..@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MacroX\Beispiele\ClickButton.lnk

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Sat Jul 19 19:29:44 2003, mtime=Thu Oct 24 10:56:20 2024, atime=Sat Jul 19 19:29:44 2003, length=458, window=hide
Category:	dropped
Size (bytes):	1206
Entropy (8bit):	4.6118442658305625
Encrypted:	false
SSDEEP:	24:8m69IEfdOESmlR0HZnuA3ddul6PZns+sUU5LWyqyFm:8m6hfdO0lR05n13ddulgns6TyF
MD5:	FE8BF9CECB4B91FC5608E792FD6AE325
SHA1:	D8858C4DA215BE52C698AB8C7A5FA3AAF07E5B0B
SHA-256:	12CE017C2C14C69CB8F39304F8C18DE149B9CEC691DE11BC1DC31F34673FDEEF
SHA-512:	5521DCFA20D191FA7E9B9FF439D81F32C6F281DD0E71DA58C47DB7C401127ACE29101E4608E5C7166BD0B998F57DBA3671CD34D90F944D70880BD4A31A591E5F
Malicious:	false
Preview:	L..................F.... ....l.}4N...z..&...l.}4N...............................P.O. .:i.....+00.../C:\.....................1.....XY._..PROGRA~2.........O.IXY._....................V......X..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....T.1.....XY._..MacroX..>......XY._XY._..........................C...M.a.c.r.o.X.....T.1.....XY._..sample..>......XY._XY._....L.........................s.a.m.p.l.e.....l.2......... .CLICKB~1.MCX..P..........XY._..............................C.l.i.c.k.B.u.t.t.o.n...m.c.x.......c...............-.......b...........cb.......C:\Program Files (x86)\MacroX\sample\ClickButton.mcx..O.....\.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.a.c.r.o.X.\.s.a.m.p.l.e.\.C.l.i.c.k.B.u.t.t.o.n...m.c.x...C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.........*................@Z\|...K.J.........`.......X.......849224...........hT..CrF.f4... ..T..b...,.......hT..CrF.f4... ..T..b...,..............

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MacroX\Beispiele\InstanzTest.lnk

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Sun Mar 9 11:14:26 2003, mtime=Thu Oct 24 10:56:20 2024, atime=Sun Mar 9 11:14:26 2003, length=319, window=hide
Category:	dropped
Size (bytes):	1206
Entropy (8bit):	4.590302566983727
Encrypted:	false
SSDEEP:	24:8m/9IEfdOESmlPoj03cU8GA3OLfhdulC+sUU5rqyFm:8m/hfdO0lk033893OzhdulC6jyF
MD5:	85DCC12054D32D5E82B6A4D9848CCDFB
SHA1:	42F0D75C6E9BB0F97107F9FB230D5FB28ACCBDFB
SHA-256:	1E244067795598E7BD7BE9B14A449734FB310577EB8869A42CEEFB9BF9BA005D
SHA-512:	932D1F1FEF412E06C415F1652E7F7FC07F16F0A792CDA61181EB8B81F4536678DAA316FAF81481C44B03F81425D418D5677FC706DEAE92E258BA9F3357302083
Malicious:	false
Preview:	L..................F.... ....}:m5....z..&...}:m5...?............................P.O. .:i.....+00.../C:\.....................1.....XY._..PROGRA~2.........O.IXY._....................V......X..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....T.1.....XY._..MacroX..>......XY._XY._..........................C...M.a.c.r.o.X.....T.1.....XY._..sample..>......XY._XY._....L.........................s.a.m.p.l.e.....l.2.?...i..a .INSTAN~1.MCX..P......i..aXY._..............................i.n.s.t.a.n.z.t.e.s.t...m.c.x.......c...............-.......b...........cb.......C:\Program Files (x86)\MacroX\sample\instanztest.mcx..O.....\.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.a.c.r.o.X.\.s.a.m.p.l.e.\.i.n.s.t.a.n.z.t.e.s.t...m.c.x...C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.........*................@Z\|...K.J.........`.......X.......849224...........hT..CrF.f4... ..T..b...,.......hT..CrF.f4... ..T..b...,..............

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MacroX\Beispiele\Loop-Text.lnk

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Sat Oct 19 07:35:00 2002, mtime=Thu Oct 24 10:56:20 2024, atime=Sat Oct 19 07:35:00 2002, length=207, window=hide
Category:	dropped
Size (bytes):	1196
Entropy (8bit):	4.569530407477305
Encrypted:	false
SSDEEP:	24:8mOr9IEfdOESmlkt/xQApFGMdulN+sUU5DqyFm:8mOrhfdO0lk1xpFGMdulN6TyF
MD5:	3E148501A13EF4BD796FE52EEC933008
SHA1:	C9F0CA699DE76B05B4C01DDEE3EAC4D9C13FB49D
SHA-256:	6B2DDB8F07067CECC59D935B08F3D487084B60038DBA82EA578D898C83A5BA17
SHA-512:	64248C3E6E674514B6884165483B1DBA758921A80D46372DED215380B54375F0A760559C9258D6B1590F27E207E7C65E56B9FCBE2A99D36F32E4147A201192D9
Malicious:	false
Preview:	L..................F.... .....oiJw...z..&....oiJw...............................P.O. .:i.....+00.../C:\.....................1.....XY._..PROGRA~2.........O.IXY._....................V......X..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....T.1.....XY._..MacroX..>......XY._XY._..........................C...M.a.c.r.o.X.....T.1.....XY._..sample..>......XY._XY._....L.........................s.a.m.p.l.e.....h.2.....S-`D .LOOP-T~1.MCX..L......S-`DXY._..............................L.o.o.p.-.T.e.x.t...m.c.x.......a...............-.......`...........cb.......C:\Program Files (x86)\MacroX\sample\Loop-Text.mcx..M.....\.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.a.c.r.o.X.\.s.a.m.p.l.e.\.L.o.o.p.-.T.e.x.t...m.c.x...C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.........*................@Z\|...K.J.........`.......X.......849224...........hT..CrF.f4... ..T..b...,.......hT..CrF.f4... ..T..b...,..................1SPS.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MacroX\Beispiele\Mouse.lnk

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Sat Oct 19 08:30:44 2002, mtime=Thu Oct 24 10:56:20 2024, atime=Sat Oct 19 08:30:44 2002, length=1000, window=hide
Category:	dropped
Size (bytes):	1172
Entropy (8bit):	4.577742175621678
Encrypted:	false
SSDEEP:	24:8m49IEfdOESml1umvaA1kduljpy+sUU5vSyqyFm:8m4hfdO0l1umvJ1kduljpy6qSvyF
MD5:	8FCA0895AED59AF7D8AA0609BA2E446A
SHA1:	BC4886E42C843866E90671D9A42F8091C8D40739
SHA-256:	2B53598FB23D9DF205E5B83120F6A4518032B74889A39B3287B83151F1AD6674
SHA-512:	39881BE695BDB0EDC2CDDA7E63AEDB75E66C3B9EE4512D82985980DD8E698B28A45F93EE1147792F7AAB7C87E1607DE918603C1B420A096F9F97383508C113E4
Malicious:	false
Preview:	L..................F.... ....z.2Rw......&...z.2Rw...............................P.O. .:i.....+00.../C:\.....................1.....XY._..PROGRA~2.........O.IXY._....................V......X..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....T.1.....XY._..MacroX..>......XY._XY._..........................C...M.a.c.r.o.X.....T.1.....XY._..sample..>......XY._XY._....L.........................s.a.m.p.l.e.....\.2.....S-.K .Mouse.mcx.D......S-.KXY._..............................M.o.u.s.e...m.c.x.......]...............-.......\...........cb.......C:\Program Files (x86)\MacroX\sample\Mouse.mcx..I.....\.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.a.c.r.o.X.\.s.a.m.p.l.e.\.M.o.u.s.e...m.c.x...C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.........*................@Z\|...K.J.........`.......X.......849224...........hT..CrF.f4... ..T..b...,.......hT..CrF.f4... ..T..b...,..................1SPS.XF.L8C....&.m.q.........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MacroX\Beispiele\Registry.lnk

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Sun Oct 20 17:34:34 2002, mtime=Thu Oct 24 10:56:20 2024, atime=Sun Oct 20 17:34:34 2002, length=598, window=hide
Category:	dropped
Size (bytes):	1191
Entropy (8bit):	4.591592356137045
Encrypted:	false
SSDEEP:	24:8mPD9IEfdOESml9D1AoHdulBS+sUU5HqyFm:8mrhfdO0l8oHdulE6vyF
MD5:	6615123A18646569FBEC975B9DF7C5A9
SHA1:	B002F8485C1D69CD00FB2880189CA99A61AA9DB0
SHA-256:	AB23ED94AAD78715CD131D5A7FF7465AB2D392BDC0129C7DA97E7667E2B6A22D
SHA-512:	793D7CDA73AC221EB104B8165D0153A526FD00C03C6F48F4D25E2B95C8FFE67EF0240CFF24D21066526590B5EABDC673797EC76C5BA0F41AAE72C49E8CD7461C
Malicious:	false
Preview:	L..................F.... ......Vgx......&.....Vgx..V............................P.O. .:i.....+00.../C:\.....................1.....XY._..PROGRA~2.........O.IXY._....................V......X..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....T.1.....XY._..MacroX..>......XY._XY._..........................C...M.a.c.r.o.X.....T.1.....XY._..sample..>......XY._XY._....L.........................s.a.m.p.l.e.....f.2.V...T-Q. .Registry.mcx..J......T-Q.XY._..............................R.e.g.i.s.t.r.y...m.c.x.......`...............-......._...........cb.......C:\Program Files (x86)\MacroX\sample\Registry.mcx..L.....\.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.a.c.r.o.X.\.s.a.m.p.l.e.\.R.e.g.i.s.t.r.y...m.c.x...C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.........*................@Z\|...K.J.........`.......X.......849224...........hT..CrF.f4... ..T..b...,.......hT..CrF.f4... ..T..b...,..................1SPS.XF.L8

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MacroX\Beispiele\RunTag.lnk

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Thu Mar 13 15:15:58 2003, mtime=Thu Oct 24 10:56:20 2024, atime=Thu Mar 13 15:15:58 2003, length=84, window=hide
Category:	dropped
Size (bytes):	1179
Entropy (8bit):	4.586152709841578
Encrypted:	false
SSDEEP:	24:8mk/xyF9IEfdOESmlEygmA6pdulSv+sUU5Y0LqyFm:8mk/xYhfdO0lEygd6pdulSv6XyF
MD5:	272A6DFEA439D180DBB329E21C41C111
SHA1:	3002C419A34049F5F81BB15E66CE53A71F6BFD9D
SHA-256:	7623B05FAECE24DBAC3B433B62A4DE43D144C267E8ED5CDBD87367E83A8DA06D
SHA-512:	E8EAD512C5291BC402FDF04CD34F61FC78BC8F0F13FFF4E090994AEC2C16E54F2BF975B2458AACE3193022602CDD117A6FE530B5C7FB005C2B097EE4177C3677
Malicious:	false
Preview:	L..................F.... ....3..{...-?..&...3..{...T............................P.O. .:i.....+00.../C:\.....................1.....XY._..PROGRA~2.........O.IXY._....................V......X..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....T.1.....XY._..MacroX..>......XY._XY._..........................C...M.a.c.r.o.X.....T.1.....XY._..sample..>......XY._XY._....L.........................s.a.m.p.l.e.....`.2.T...m... .runtag.mcx..F......m...XY._..............................r.u.n.t.a.g...m.c.x.......^...............-.......]...........cb.......C:\Program Files (x86)\MacroX\sample\runtag.mcx..J.....\.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.a.c.r.o.X.\.s.a.m.p.l.e.\.r.u.n.t.a.g...m.c.x...C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.........*................@Z\|...K.J.........`.......X.......849224...........hT..CrF.f4... ..T..b...,.......hT..CrF.f4... ..T..b...,..................1SPS.XF.L8C....&.m.q..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MacroX\Beispiele\TimeOut.lnk

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Sat Oct 19 08:01:12 2002, mtime=Thu Oct 24 10:56:20 2024, atime=Sat Oct 19 08:01:12 2002, length=804, window=hide
Category:	dropped
Size (bytes):	1184
Entropy (8bit):	4.600820690239457
Encrypted:	false
SSDEEP:	24:8mUp/9IEfdOESmlpiATedulq+sUU5HqyFm:8mM/hfdO0lpBTedulq6fyF
MD5:	1333C5748AF14BB8B5734EC460DA0800
SHA1:	4F1B74024CA30B2C0EACA14F9B4D00577D4B6E64
SHA-256:	AA7D033FD860B42809FC8F0B5621F0CF7481C71B14BB3F90B20DEF93B07763C0
SHA-512:	50643EAD071CFF791A6BB47FB142CF7CA33137AFA78B9572E0953EF05A0E1FAF842B9A966055238FC6AEE8F58C09C2CEF5A0C8A3398A7B3F36CDB99C70F066E1
Malicious:	false
Preview:	L..................F.... .....k.Nw..-?..&....k.Nw..$............................P.O. .:i.....+00.../C:\.....................1.....XY._..PROGRA~2.........O.IXY._....................V......X..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....T.1.....XY._..MacroX..>......XY._XY._..........................C...M.a.c.r.o.X.....T.1.....XY._..sample..>......XY._XY._....L.........................s.a.m.p.l.e.....b.2.$...S-&H .TimeOut.mcx.H......S-&HXY._..............................T.i.m.e.O.u.t...m.c.x......._...............-.......^...........cb.......C:\Program Files (x86)\MacroX\sample\TimeOut.mcx..K.....\.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.a.c.r.o.X.\.s.a.m.p.l.e.\.T.i.m.e.O.u.t...m.c.x...C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.........*................@Z\|...K.J.........`.......X.......849224...........hT..CrF.f4... ..T..b...,.......hT..CrF.f4... ..T..b...,..................1SPS.XF.L8C....&.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MacroX\Beispiele\WatchMouse.lnk

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Sat Oct 19 18:04:46 2002, mtime=Thu Oct 24 10:56:20 2024, atime=Sat Oct 19 18:04:46 2002, length=208, window=hide
Category:	dropped
Size (bytes):	1201
Entropy (8bit):	4.5859513438945365
Encrypted:	false
SSDEEP:	24:8m629IEfdOESml4OxPAu8dulMy+sUU5zqyFm:8m62hfdO0l4OxYu8dulMy6DyF
MD5:	018292A1669CC56C0C7E3F09CD757881
SHA1:	25E40E485194B9DCF6065D0ECA869BE33FD706C7
SHA-256:	03C7CF1683B4073D7BD625AFF94F822E73D541837C2733BEF793167931160B91
SHA-512:	C2254055600B3E952905A5BA03F6AF0CB8530C581B69D0BAD681EB49E3157B8DEE1F9F9F76E40DA21E8D6852B76C6C4FCB725F546C4C48BD28F29E568B9892A8
Malicious:	false
Preview:	L..................F.... ......c.w..-?..&.....c.w...............................P.O. .:i.....+00.../C:\.....................1.....XY._..PROGRA~2.........O.IXY._....................V......X..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....T.1.....XY._..MacroX..>......XY._XY._..........................C...M.a.c.r.o.X.....T.1.....XY._..sample..>......XY._XY._....L.........................s.a.m.p.l.e.....j.2.....S-.. .WATCHM~1.MCX..N......S-..XY._..............................W.a.t.c.h.M.o.u.s.e...m.c.x.......b...............-.......a...........cb.......C:\Program Files (x86)\MacroX\sample\WatchMouse.mcx..N.....\.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.a.c.r.o.X.\.s.a.m.p.l.e.\.W.a.t.c.h.M.o.u.s.e...m.c.x...C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.........*................@Z\|...K.J.........`.......X.......849224...........hT..CrF.f4... ..T..b...,.......hT..CrF.f4... ..T..b...,..................1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MacroX\Beispiele\WatchMouse2.lnk

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Sat Oct 19 18:08:44 2002, mtime=Thu Oct 24 10:56:20 2024, atime=Sat Oct 19 18:08:44 2002, length=390, window=hide
Category:	dropped
Size (bytes):	1206
Entropy (8bit):	4.594712271746829
Encrypted:	false
SSDEEP:	24:8ms1R9IEfdOESml8RRQA3VdulMRm+sUU5gMLqyFm:8mERhfdO0l8RR3VdulMQ6VMOyF
MD5:	7562720C02909119485BDAE98FB60716
SHA1:	F83271A4A240792E1F6C06EFE78C215584B6BB03
SHA-256:	0D6F60C64D38EF2AE0ED6456337313FFEC28D7D31A7533836960BAD2D444EA0A
SHA-512:	3C5ED9323C440277BAF4A9BF9AE5C9D20318DE03E7326D5E90F53050D9D66DD016AD98693B2272888C95422011FFC9FC746217A119C77A738791138B7CC23D99
Malicious:	false
Preview:	L..................F.... .......w..-?..&......w...............................P.O. .:i.....+00.../C:\.....................1.....XY._..PROGRA~2.........O.IXY._....................V......X..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....T.1.....XY._..MacroX..>......XY._XY._..........................C...M.a.c.r.o.X.....T.1.....XY._..sample..>......XY._XY._....L.........................s.a.m.p.l.e.....l.2.....S-.. .WATCHM~2.MCX..P......S-..XY._..............................W.a.t.c.h.M.o.u.s.e.2...m.c.x.......c...............-.......b...........cb.......C:\Program Files (x86)\MacroX\sample\WatchMouse2.mcx..O.....\.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.a.c.r.o.X.\.s.a.m.p.l.e.\.W.a.t.c.h.M.o.u.s.e.2...m.c.x...C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.........*................@Z\|...K.J.........`.......X.......849224...........hT..CrF.f4... ..T..b...,.......hT..CrF.f4... ..T..b...,..............

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MacroX\Deinstallieren.lnk

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
Category:	dropped
Size (bytes):	798
Entropy (8bit):	3.3768143124959793
Encrypted:	false
SSDEEP:	12:8wl0fa/ledp8W5dK42bdpY8v9+r4Q/CNUvH4t2YZ/elFlSJm:8TdOmI4yd3l+DOUFqy
MD5:	35172650BD911793DD5F157A496382FB
SHA1:	65CFA7A4852387BE9D01FEF8659CC06A104E5DAD
SHA-256:	F44AEE5E209AC0A79A5F28714A0FA413C1A07B23088AF56BB5C1EB9D90C9B8A8
SHA-512:	6D775F4DA8624D5C0F7CDEEE3614D0B9EF53E96F2ADB66C5DC3593F45B85E9B0A6EB71A1C371F50139EC790D2B2BB2F30CA68494B1C211F4B8FACAB2D490C333
Malicious:	false
Preview:	L..................F........................................................]....P.O. .:i.....+00.../C:\...................z.1...........Program Files (x86).X............................................P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...".T.1...........MacroX..>............................................M.a.c.r.o.X.....`.2...........uninst.exe..F............................................u.n.i.n.s.t...e.x.e.......@.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.a.c.r.o.X.\.u.n.i.n.s.t...e.x.e...C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.........*................@Z\|...K.J.....................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.2.................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MacroX\MacroX im Internet.lnk

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Thu Oct 24 10:56:29 2024, mtime=Thu Oct 24 10:56:29 2024, atime=Thu Oct 24 10:56:29 2024, length=46, window=hide
Category:	dropped
Size (bytes):	1068
Entropy (8bit):	4.596679662986798
Encrypted:	false
SSDEEP:	24:8mXFf9IEfdOEcHBfAL6HYd8s+sUU52xoqyFm:8mxhfdO3BoLkYdX63xxyF
MD5:	D824BC1D92C968DC068813AF9490CDED
SHA1:	B79BC563F2CD6460EBA9B0067F852CB436BC15E7
SHA-256:	5AAA39602DE9BCDCC8C91FD058591A31F06D2B0E28FDD4EEC8D5A69A1CE4C4DA
SHA-512:	5665153EE8FBEA4CD1708157E674AFA79D3CB85CE4DBC1C2F9869FF2FEC78089A813C317E5719EA59BBA75367DF922AE0E76E01F7E8C1AF9F18859A3023CCA50
Malicious:	false
Preview:	L..................F.... ........&.......&.......&..........................{....P.O. .:i.....+00.../C:\.....................1.....XY._..PROGRA~2.........O.IXY._....................V......X..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....T.1.....XY._..MacroX..>......XY._XY._..........................C...M.a.c.r.o.X.....`.2.....XY._ .MacroX.url..F......XY._XY._....u:......................;.M.a.c.r.o.X...u.r.l.......W...............-.......V...........cb.......C:\Program Files (x86)\MacroX\MacroX.url..@.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.a.c.r.o.X.\.M.a.c.r.o.X...u.r.l...C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.........*................@Z\|...K.J.........`.......X.......849224...........hT..CrF.f4... ..T..b...,.......hT..CrF.f4... ..T..b...,..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.2......

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MacroX\MacroX.lnk

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Sun Oct 17 05:24:34 2004, mtime=Thu Oct 24 10:56:20 2024, atime=Sun Oct 17 05:24:34 2004, length=757760, window=hide
Category:	dropped
Size (bytes):	1068
Entropy (8bit):	4.605334422542451
Encrypted:	false
SSDEEP:	24:8mIk9IEfdOEEAMmQMaCAL6ZdcaS+sUU5rqyFm:8mnhfdODKOhLUdRS6TyF
MD5:	FD966B84EE506287E97DC0E5262A3C52
SHA1:	EAB9C7B35BF793CDA53AFD60C1B4F354A0115A97
SHA-256:	2731E32379815B421D35733FE76589F7E89B34EAB08398356BDDE7328D4D79D6
SHA-512:	6D823A79C5AFC32D9AB45EF7421CAD453BBA43FAC3AE7FED160587CA44F21EB708858DBCF3F5142C7386398A3EF6820B1F7983AC084BAACC295B4E0624D744CB
Malicious:	false
Preview:	L..................F.... ....}......r....&...}..............................{....P.O. .:i.....+00.../C:\.....................1.....XY._..PROGRA~2.........O.IXY._....................V......X..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....T.1.....XY._..MacroX..>......XY._XY._..........................C...M.a.c.r.o.X.....`.2.....Q1.3 .MACROX.EXE..F......Q1.3XY._....E.........................M.A.C.R.O.X...E.X.E.......W...............-.......V...........cb.......C:\Program Files (x86)\MacroX\MACROX.EXE..@.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.a.c.r.o.X.\.M.A.C.R.O.X...E.X.E...C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.........*................@Z\|...K.J.........`.......X.......849224...........hT..CrF.f4... ..T..b...,.......hT..CrF.f4... ..T..b...,..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.2......

C:\Users\user\Desktop\MacroX.lnk

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Sun Oct 17 05:24:34 2004, mtime=Thu Oct 24 10:56:22 2024, atime=Sun Oct 17 05:24:34 2004, length=757760, window=hide
Category:	dropped
Size (bytes):	1032
Entropy (8bit):	4.645271883365711
Encrypted:	false
SSDEEP:	24:8mIm9IEfdOEEAMmQMaCAL6XdcaS+sUU5rqyFm:8mBhfdODKOhLKdRS6TyF
MD5:	7247D3A02DD1E25B154E7D05397450C5
SHA1:	1CFBBC9C9C2307A7EA79FC182021C6B846A491B7
SHA-256:	483719E0FD0FBF1167A56FCE0C8729DD0E1A9C7EC1674FFCF11E474ECF226952
SHA-512:	05405D74264E4CE5AC51F5CAB8CF39E67C75DCFF33EFA8F1E591E98AAA7A053E2EA8627BBD8000BDF24CC55ACB531C70FE0D7F3F34A717BBF138BB1E986F12F9
Malicious:	false
Preview:	L..................F.... ....}......N5...&...}..............................{....P.O. .:i.....+00.../C:\.....................1.....XY._..PROGRA~2.........O.IXY._....................V......X..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....T.1.....XY._..MacroX..>......XY._XY._..........................C...M.a.c.r.o.X.....`.2.....Q1.3 .MACROX.EXE..F......Q1.3XY._....E.........................M.A.C.R.O.X...E.X.E.......W...............-.......V...........cb.......C:\Program Files (x86)\MacroX\MACROX.EXE........\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.a.c.r.o.X.\.M.A.C.R.O.X...E.X.E...C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.........*................@Z\|...K.J.........`.......X.......849224...........hT..CrF.f4... ..T..b...,.......hT..CrF.f4... ..T..b...,..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h....

C:\Windows\SysWOW64\MSCOMCTL.OCX

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	1077336
Entropy (8bit):	6.342891907210625
Encrypted:	false
SSDEEP:	24576:mnt4M/pL1wAEIqSBanK6CC33VTj+1R8xRFLqqmbD1kWIAqPA:mPL15EIqS1e6q3FmKbt4
MD5:	F7BBB7D79ADB9E3ADC13F3B3C33D3D4D
SHA1:	CACB4B31D22419E6A9DDBFFCF61AE42DA0D5FB8A
SHA-256:	18A83D7A420A17FCB6F56EB3BA5362C975D32E5DED7553C6FD407F07BDB7B006
SHA-512:	4870DDBDF283D7F7F64D3F4BF556600A78804F6A94FC2CA7EB778E85D70B6D2D017AA35CBDDF773B6A1B6D9A2813CD67FE54EDE7859050A254A3E3C05616AE0E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...r..<.....@.....#.........j.......9.......p....X'.........................P.......o...............................E...............P...Z...........V..X............................................................................................text...H........................... ..`.data....s..........................@....rsrc....\...P...`...P..............@....reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Mswinsck.ocx

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	109248
Entropy (8bit):	6.369010932511164
Encrypted:	false
SSDEEP:	3072:YXMqLvIP75rTTK/h4KtBfqXKPRPRU6/OYqF3+8/xHvd:YDETTq7xPRU3P9
MD5:	3D8FD62D17A44221E07D5C535950449B
SHA1:	6C9D2ECDD7C2D1B9660D342E2B95A82229486D27
SHA-256:	EBA048E3A9CB11671D0E3C5A0B243B304D421762361FE24FD5EA08CB66704B09
SHA-512:	501E22A0F99E18F6405356184506BC5849ADC2C1DF3BDEE71F2B4514AB0E3E36673B4AECBD615D24EBB4BE5A28570B2A6F80BD52331EDB658F7A5F5A9D686D10
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....B.9...........#................D........ .....".................................................................i......@........0...f......................p...@................................................................................text...^........................... ..`.data...P.... ......................@....rsrc...0g...0...h..................@....reloc..p...........................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\SSUBTMR6.DLL

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	4.104048161876926
Encrypted:	false
SSDEEP:	768:Xr65PC/JXxK5yO2Zw5WdSYEFrAdOnBiyFm:GPC/Jhip2Zw5wSYCEMUR
MD5:	1556C5B52A751C31B4CA6FE757704131
SHA1:	A04263B37B69A5A53EACCC6D30DDA61B2808224A
SHA-256:	48BB226B418DAE999D66731599996E042C5592D845EA11548A15CCD3A00FB5AB
SHA-512:	EA306E09834BD08EDF8A5930C096EAFF4AB6C6A8799F3910AB8EA88A0A25FDE45DE36887C13D468046E9BB2E1439E7BD34C970E3EF9F71D8E4EEB95B5FD60074
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................j.......................Rich...................PE..L....m.6...........!.....P...@......,........`....................................... ..............................pQ.......L..(....p.......................... ...........................................`... ....................................text....B.......P.................. ..`.data........`.......`..............@....rsrc........p... ...p..............@..@.reloc..............................@..B...5............MSVBVM60.DLL............................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\mcxkeyboardhook.dll

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8245
Entropy (8bit):	4.1661456805261565
Encrypted:	false
SSDEEP:	96:QKXNNAw/gnX1H97l8UPdU9AKdgFH557/nq+Rb8sAWwy:lKXnXzo9AIgFH51/q68owy
MD5:	1078CF6A37D8B417B0AFCA2413CF1772
SHA1:	0F3E0954A543AE448F7C37776A41B6EDAE32B2EC
SHA-256:	D9FF649A26732A402197F6F1C364EDA641421895783DDE7E527E4E1F0D13FA84
SHA-512:	B9B90A2B32792742A47075FF9EC535991149B685928F29A05492431C3AFCBC6E1F19A79D6216BC5C0EB45115C280E6969441E81A2B73B5ED26B6182DF0A87D59
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........J..+...+...+...4...+...4...+...+...+...4...+.......+..b-...+..Z....+..Rich.+..........................PE..L......<...........!......................... ...............................p......................................."....... ..P....P..X....................`..l...p ............................................... ..l............................text............................... ..`.rdata....... ......................@..@.data...`....0......................@...Shared..X....@......................@....rsrc...X....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\mcxmousehook.dll

Download File

Process:	C:\Users\user\Desktop\macrox!.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	3.9308349135742433
Encrypted:	false
SSDEEP:	96:yfH8vzG7Uzigdxgzl+QhW7B7BqvO3AJlESUX:MHyzG9cxgzl+wW7uD8v
MD5:	03301D0B912A9B88BE5166336340B722
SHA1:	F55E59FF93FA5567975D1BEE3815EFF9D241AD8B
SHA-256:	44A8F2E5A93A11B0AA0F99003FF3E337FC92FFC16B3BB9DB14603831E1E37E49
SHA-512:	3E9682B9081063783A26498427A0BE0C998FD191F283591C951ED203354B23CA2A5523230E3D9E476A0BE4A444C61437F9A018290EC6BEB4A5DBADEEC3FF95E1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..................................,......./.......Rich....................PE..L.....;...........!......................... ...............................p......................................."....... ..P....P.......................`..`...P ..T............................................ ..L............................text............................... ..`.rdata../.... ......................@..@.data...d....0......................@...Shared.......@......................@....rsrc........P......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.99528755612003
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	macrox!.exe
File size:	2'322'122 bytes
MD5:	764187e5f44212696bd5f8ff204c2b48
SHA1:	df944305847ad3109088817d9531593593a544f5
SHA256:	d1b28fdfdf1c3b23f39dd770e04783a9403e8b7916695ea526cad311e0934aa6
SHA512:	29eea7e1c2221985997dd89007d026b96d27d75e4f0e90422ea21efdfe5ca40afef1069a992380abe796911ded74bb32adbbb2be948693d9170b6e02ddc1e34c
SSDEEP:	49152:vCXj79orePr+IbfW7FmMIQDEiXyEAs7085g5KDD:KXP9oyPKgKAO8ELA8S5Q
TLSH:	C2B5332426815DEEC5B621F1F12FBB7643667030AC17F9B3CB684C6E473A3D2DA5A940
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................................Q...r.......................6.......Rich............PE..L.....%@.................^..........H@.....

File Icon


Icon Hash:	176d4dc1c84d291e

Static PE Info

General

Entrypoint:	0x404048
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x40251FC4 [Sat Feb 7 17:26:28 2004 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	9632e80596371cfa7f563f680f3c4498

Entrypoint Preview

Instruction
sub esp, 0Ch
push ebx
push ebp
push esi
push edi
mov dword ptr [esp+10h], 004091E8h
xor ebx, ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [0040702Ch]
push ebx
call dword ptr [00407290h]
mov esi, 0042A400h
mov edi, 00000400h
push esi
push edi
mov dword ptr [00423FA8h], eax
call dword ptr [004070D8h]
call 00007FC23CE7E052h
mov ebp, dword ptr [004070A4h]
test eax, eax
jne 00007FC23CE7E0E3h
push 000003FBh
push esi
call dword ptr [004070D4h]
push 004092A4h
push esi
call ebp
call 00007FC23CE7E02Fh
test eax, eax
je 00007FC23CE7E21Dh
mov esi, 00423720h
push esi
call dword ptr [00407080h]
push 00409298h
push esi
call 00007FC23CE80979h
push edi
call dword ptr [004070D0h]
mov esi, 00429000h
push eax
push esi
call dword ptr [004070CCh]
push 00000000h
call dword ptr [004070C4h]
cmp byte ptr [00429000h], 00000022h
mov dword ptr [00423F20h], eax
jne 00007FC23CE7E0CCh
mov byte ptr [esp+14h], 00000022h
mov esi, 00429001h
push dword ptr [esp+14h]
push esi
call 00007FC23CE80467h
push eax
call dword ptr [0040718Ch]
mov edi, eax

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7330	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2c000	0x7000	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x2a0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5cbc	0x5e00	0401c8cde53d0a8d78a0f9658cf67ea5	False	0.6541306515957447	data	6.417443119944896	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x11a2	0x1200	1696f653bda6983fdb156fdfff13a52b	False	0.4388020833333333	data	5.25093259936862	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1afac	0x400	7aec0de04458d310cc81bb79981e2e52	False	0.6279296875	data	5.098347270600269	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x24000	0x8000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2c000	0x7000	0x6800	890666e0b451108b5c753e1b033631d2	False	0.6609450120192307	data	6.141000207756746	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x2c340	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.36824324324324326
RT_ICON	0x2c468	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320, 256 important colors	English	United States	0.6755780346820809
RT_ICON	0x2c9d0	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.31451612903225806
RT_ICON	0x2ccb8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152, 256 important colors	English	United States	0.7982851985559567
RT_ICON	0x2d560	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688, 256 important colors	English	United States	0.6937633262260128
RT_ICON	0x2e408	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.8218085106382979
RT_ICON	0x2e870	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.7368667917448405
RT_ICON	0x2f918	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.7086099585062241
RT_DIALOG	0x31ec0	0x120	data	English	United States	0.5104166666666666
RT_DIALOG	0x31fe0	0x202	data	English	United States	0.4066147859922179
RT_DIALOG	0x321e8	0xf8	data	English	United States	0.6290322580645161
RT_DIALOG	0x322e0	0xa0	data	English	United States	0.6
RT_DIALOG	0x32380	0xee	data	English	United States	0.6218487394957983
RT_GROUP_ICON	0x32470	0x76	data	English	United States	0.652542372881356
RT_MANIFEST	0x324e8	0x214	XML 1.0 document, ASCII text, with very long lines (532), with no line terminators	English	United States	0.575187969924812

Imports

DLL	Import
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
KERNEL32.dll	SetErrorMode, GetExitCodeProcess, WaitForSingleObject, ExpandEnvironmentStringsA, GetEnvironmentVariableA, lstrcmpiA, FindNextFileA, DeleteFileA, FindFirstFileA, SetFileTime, GetFileAttributesA, CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, lstrcatA, SetCurrentDirectoryA, CreateDirectoryA, SetFileAttributesA, CreateFileA, GetFileSize, GetModuleFileNameA, GetTickCount, GetModuleHandleA, ExitProcess, lstrcpynA, GetCommandLineA, GetWindowsDirectoryA, GetTempPathA, GetUserDefaultLangID, GetDiskFreeSpaceA, GetVersion, GlobalUnlock, GlobalLock, GlobalAlloc, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, SetEndOfFile, UnmapViewOfFile, MapViewOfFile, CreateFileMappingA, lstrcpyA, lstrlenA, GetSystemDirectoryA, EnterCriticalSection, Sleep, LeaveCriticalSection, InitializeCriticalSection, CloseHandle, GlobalFree, LoadLibraryA, GetProcAddress, CreateThread, FreeLibrary, MultiByteToWideChar, GetCurrentProcess, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, SetFilePointer, FindClose, MulDiv, CopyFileA
USER32.dll	CharNextA, DialogBoxParamA, GetClassInfoA, CreateWindowExA, SystemParametersInfoA, RegisterClassA, EndDialog, ScreenToClient, GetWindowRect, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, LoadCursorA, SetCursor, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxA, CharPrevA, CreateDialogParamA, DestroyWindow, SetTimer, SetWindowTextA, SetForegroundWindow, ShowWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, PeekMessageA, DispatchMessageA, ExitWindowsEx, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, PostQuitMessage
GDI32.dll	GetDeviceCaps, CreateFontIndirectA, DeleteObject, CreateBrushIndirect, CreateFontA, SetBkMode, SetTextColor, SetBkColor, SelectObject
ADVAPI32.dll	RegEnumValueA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegDeleteKeyA, RegOpenKeyExA, RegDeleteValueA, RegCreateKeyA, RegCloseKey
SHELL32.dll	ShellExecuteA, SHBrowseForFolderA, SHGetPathFromIDListA, SHGetMalloc, SHGetSpecialFolderLocation, SHFileOperationA
ole32.dll	OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	07:56:13
Start date:	24/10/2024
Path:	C:\Users\user\Desktop\macrox!.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\macrox!.exe"
Imagebase:	0x400000
File size:	2'322'122 bytes
MD5 hash:	764187E5F44212696BD5F8FF204C2B48
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report macrox!.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\MacroX\COLTAGS.TXT

C:\Program Files (x86)\MacroX\MACROX.EXE

C:\Program Files (x86)\MacroX\MACROX.exe.MANIFEST

C:\Program Files (x86)\MacroX\MacroX.chm

C:\Program Files (x86)\MacroX\MacroX.url

C:\Program Files (x86)\MacroX\fav\MCX3.MFV

C:\Program Files (x86)\MacroX\fav\fav.ico

C:\Program Files (x86)\MacroX\lng\DEUTSCH.LNG

C:\Program Files (x86)\MacroX\lng\ENGLISH.LNG

C:\Program Files (x86)\MacroX\plugins\internet\deutsch.lng

C:\Program Files (x86)\MacroX\plugins\internet\english.lng

C:\Program Files (x86)\MacroX\plugins\internet\help.chm

C:\Program Files (x86)\MacroX\plugins\internet\mcxinternet.dll

C:\Program Files (x86)\MacroX\plugins\registry\deutsch.lng

C:\Program Files (x86)\MacroX\plugins\registry\english.lng

C:\Program Files (x86)\MacroX\plugins\registry\mcxregistry.dll

C:\Program Files (x86)\MacroX\plugins\runtag\mcxruntag.dll

C:\Program Files (x86)\MacroX\plugins\runtag\red.dll

C:\Program Files (x86)\MacroX\sample\ClickButton.mcx

C:\Program Files (x86)\MacroX\sample\Loop-Text.mcx

C:\Program Files (x86)\MacroX\sample\Mouse.mcx

C:\Program Files (x86)\MacroX\sample\Registry.mcx

C:\Program Files (x86)\MacroX\sample\TimeOut.mcx

C:\Program Files (x86)\MacroX\sample\WatchMouse.mcx

C:\Program Files (x86)\MacroX\sample\WatchMouse2.mcx

Windows Analysis Report
macrox!.exe