Cuckoo Sandbox

File b5da11d0aa9140b04361cd3cafb227860eb1aa8e68957a226755a613f2ba8ece

Summary
Download Resubmit sample

Size	369.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`ff98d8445dc53442d2b53eb7a2c26a95`
SHA1	`7d5a88813eba18187107136e8c44a15fc904cd2b`
SHA256	`b5da11d0aa9140b04361cd3cafb227860eb1aa8e68957a226755a613f2ba8ece`
SHA512	`c247942e0d152dbe9214b6b29013d6ee1f6b3ba93830fab80380bcc83ad61448f7dcaefe0baa89ea88570b84bdbbcdafce59b1ef00d8b4a0ca8b3b150a6b48c7`
CRC32	`17832DE6`
ssdeep	`None`
Yara	keylogger - Run a keylogger win_registry - Affect system registries win_files_operation - Affect private profile

Score

This file is very suspicious, with a score of 10 out of 10!

Please notice: The scoring system is currently still in development and should be considered an alpha feature.

Autosubmit

6641927

Feedback

Expecting different results? Send us this analysis and we will inspect it. Click here

Information on Execution

Analysis

Category	Started	Completed	Duration	Routing	Logs
FILE	June 28, 2025, 3:56 p.m.	June 28, 2025, 4:04 p.m.	519 seconds	internet	Show Analyzer Log Show Cuckoo Log

Analyzer Log

2025-06-22 14:05:52,015 [analyzer] DEBUG: Starting analyzer from: C:\tmpmdfut4
2025-06-22 14:05:52,015 [analyzer] DEBUG: Pipe server name: \??\PIPE\ngAXIoYDlJVfputgUrbQjm
2025-06-22 14:05:52,015 [analyzer] DEBUG: Log pipe server name: \??\PIPE\RQhZxcHglTqhGMMsqGPDbS
2025-06-22 14:05:52,280 [analyzer] DEBUG: Started auxiliary module Curtain
2025-06-22 14:05:52,280 [analyzer] DEBUG: Started auxiliary module DbgView
2025-06-22 14:05:52,750 [analyzer] DEBUG: Started auxiliary module Disguise
2025-06-22 14:05:52,953 [analyzer] DEBUG: Loaded monitor into process with pid 504
2025-06-22 14:05:52,953 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2025-06-22 14:05:52,953 [analyzer] DEBUG: Started auxiliary module Human
2025-06-22 14:05:52,953 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2025-06-22 14:05:52,953 [analyzer] DEBUG: Started auxiliary module Reboot
2025-06-22 14:05:53,046 [analyzer] DEBUG: Started auxiliary module RecentFiles
2025-06-22 14:05:53,046 [analyzer] DEBUG: Started auxiliary module Screenshots
2025-06-22 14:05:53,046 [analyzer] DEBUG: Started auxiliary module Sysmon
2025-06-22 14:05:53,046 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2025-06-22 14:05:53,233 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\b5da11d0aa9140b04361cd3cafb227860eb1aa8e68957a226755a613f2ba8ece.exe' with arguments '' and pid 2136
2025-06-22 14:05:53,405 [analyzer] DEBUG: Loaded monitor into process with pid 2136
2025-06-22 14:05:53,500 [analyzer] INFO: Injected into process with pid 2964 and name ''
2025-06-22 14:05:53,578 [lib.api.process] ERROR: Failed to dump memory of 32-bit process with pid 2964.
2025-06-22 14:05:53,750 [analyzer] DEBUG: Loaded monitor into process with pid 2964
2025-06-22 14:05:53,780 [analyzer] INFO: Added new file to list with pid 2964 and path C:\ProgramData\jv6xGfsXuxdZez\ve9SRtwcMOBC71qj.exe
2025-06-22 14:05:54,233 [analyzer] INFO: Process with pid 2136 has terminated
2025-06-22 14:05:54,983 [analyzer] INFO: Added new file to list with pid 2964 and path C:\ProgramData\jv6xGfsXuxdZez\RCXBA3D.tmp
2025-06-22 14:05:55,125 [analyzer] INFO: Injected into process with pid 2376 and name u've9SRtwcMOBC71qj.exe'
2025-06-22 14:05:55,233 [analyzer] INFO: Process with pid 2964 has terminated
2025-06-22 14:05:55,280 [analyzer] DEBUG: Loaded monitor into process with pid 2376
2025-06-22 14:06:22,233 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2025-06-22 14:06:22,655 [analyzer] INFO: Terminating remaining processes before shutdown.
2025-06-22 14:06:22,655 [lib.api.process] INFO: Successfully terminated process with pid 2376.
2025-06-22 14:06:22,671 [analyzer] INFO: Analysis completed.

Cuckoo Log

2025-06-28 15:56:20,351 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:56:21,401 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:56:22,451 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:56:23,588 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:56:24,637 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:56:25,675 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:56:26,707 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:56:27,739 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:56:28,762 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:56:29,795 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:56:30,832 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:56:31,878 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:56:32,920 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:56:33,962 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:56:35,005 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:56:36,043 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:56:37,078 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:56:38,111 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:56:39,151 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:56:40,194 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:56:41,244 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:56:42,275 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:56:43,319 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:56:44,479 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:56:45,516 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:56:46,562 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:56:47,603 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:56:48,660 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:56:49,717 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:56:50,764 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:56:51,889 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:56:52,949 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:56:54,169 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:56:55,230 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:56:56,312 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:56:57,399 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:56:58,621 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:56:59,697 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:00,851 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:01,980 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:03,243 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:04,275 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:05,313 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:06,357 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:07,531 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:08,577 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:09,611 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:10,662 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:11,709 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:12,749 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:13,802 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:14,918 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:16,094 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:17,146 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:18,183 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:19,230 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:20,274 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:21,323 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:22,379 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:23,422 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:24,463 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:25,507 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:26,536 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:27,593 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:28,632 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:29,690 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:30,818 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:31,856 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:32,883 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:33,933 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:34,980 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:36,033 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:37,074 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:38,128 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:39,175 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:40,212 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:41,249 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:42,298 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:43,347 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:44,383 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:45,428 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:46,476 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:47,559 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:48,642 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:49,704 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:50,760 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:51,821 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:52,881 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:53,948 [cuckoo.core.scheduler] DEBUG: Task #6607164: no machine available yet
2025-06-28 15:57:55,016 [cuckoo.core.scheduler] INFO: Task #6607164: acquired machine win7x644 (label=win7x644)
2025-06-28 15:57:55,018 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.204 for task #6607164
2025-06-28 15:57:55,269 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 2663751 (interface=vboxnet0, host=192.168.168.204)
2025-06-28 15:57:55,745 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x644
2025-06-28 15:57:56,528 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x644 to vmcloak
2025-06-28 16:01:11,236 [cuckoo.core.guest] INFO: Starting analysis #6607164 on guest (id=win7x644, ip=192.168.168.204)
2025-06-28 16:01:12,246 [cuckoo.core.guest] DEBUG: win7x644: not ready yet
2025-06-28 16:01:17,272 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x644, ip=192.168.168.204)
2025-06-28 16:01:17,363 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x644, ip=192.168.168.204, monitor=latest, size=6660546)
2025-06-28 16:01:18,557 [cuckoo.core.resultserver] DEBUG: Task #6607164: live log analysis.log initialized.
2025-06-28 16:01:19,449 [cuckoo.core.resultserver] DEBUG: Task #6607164 is sending a BSON stream
2025-06-28 16:01:19,884 [cuckoo.core.resultserver] DEBUG: Task #6607164 is sending a BSON stream
2025-06-28 16:01:20,228 [cuckoo.core.resultserver] DEBUG: Task #6607164 is sending a BSON stream
2025-06-28 16:01:20,740 [cuckoo.core.resultserver] DEBUG: Task #6607164: File upload for 'shots/0001.jpg'
2025-06-28 16:01:20,753 [cuckoo.core.resultserver] DEBUG: Task #6607164 uploaded file length: 133493
2025-06-28 16:01:21,771 [cuckoo.core.resultserver] DEBUG: Task #6607164 is sending a BSON stream
2025-06-28 16:01:33,398 [cuckoo.core.guest] DEBUG: win7x644: analysis #6607164 still processing
2025-06-28 16:01:48,535 [cuckoo.core.guest] DEBUG: win7x644: analysis #6607164 still processing
2025-06-28 16:01:48,989 [cuckoo.core.resultserver] DEBUG: Task #6607164: File upload for 'curtain/1750593982.42.curtain.log'
2025-06-28 16:01:48,992 [cuckoo.core.resultserver] DEBUG: Task #6607164 uploaded file length: 36
2025-06-28 16:01:49,188 [cuckoo.core.resultserver] DEBUG: Task #6607164: File upload for 'sysmon/1750593982.62.sysmon.xml'
2025-06-28 16:01:49,217 [cuckoo.core.resultserver] DEBUG: Task #6607164 uploaded file length: 1970286
2025-06-28 16:01:49,225 [cuckoo.core.resultserver] DEBUG: Task #6607164: File upload for 'files/fa065aba84ce07da_ve9srtwcmobc71qj.exe'
2025-06-28 16:01:49,231 [cuckoo.core.resultserver] DEBUG: Task #6607164 uploaded file length: 378368
2025-06-28 16:01:49,412 [cuckoo.core.resultserver] DEBUG: Task #6607164 had connection reset for <Context for LOG>
2025-06-28 16:01:51,547 [cuckoo.core.guest] INFO: win7x644: analysis completed successfully
2025-06-28 16:01:51,559 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2025-06-28 16:01:51,581 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2025-06-28 16:01:52,367 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x644 to path /srv/cuckoo/cwd/storage/analyses/6607164/memory.dmp
2025-06-28 16:01:52,368 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x644
2025-06-28 16:04:59,130 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.204 for task #6607164
2025-06-28 16:04:59,737 [cuckoo.core.scheduler] DEBUG: Released database task #6607164
2025-06-28 16:04:59,756 [cuckoo.core.scheduler] INFO: Task #6607164: analysis procedure completed

Signatures

Yara rules detected for file (3 events)

description	Run a keylogger	rule	keylogger
description	Affect system registries	rule	win_registry
description	Affect private profile	rule	win_files_operation

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA June 22, 2025, 3:05 p.m.	computer_name: BJXYGUPHWS	1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.itext

The executable uses a known packer (1 event)

packer

BobSoft Mini Delphi -> BoB / BobSoft

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ June 22, 2025, 3:05 p.m.	stacktrace: b5da11d0aa9140b04361cd3cafb227860eb1aa8e68957a226755a613f2ba8ece+0xf165 @ 0x40f165 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133aa @ 0x758933aa RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x77cd9f72 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x77cd9f45 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.esp: 1638224 registers.edi: 0 registers.eax: 0 registers.ebp: 1638252 registers.edx: 4250784 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 4251580	1	0	0
__exception__ June 22, 2025, 3:05 p.m.	stacktrace: ve9srtwcmobc71qj+0xf165 @ 0x40f165 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133aa @ 0x758933aa RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x77cd9f72 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x77cd9f45 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.esp: 1638224 registers.edi: 0 registers.eax: 0 registers.ebp: 1638252 registers.edx: 4250784 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 4251580	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

June 22, 2025, 3:05 p.m.

stacktrace:

b5da11d0aa9140b04361cd3cafb227860eb1aa8e68957a226755a613f2ba8ece+0xf165 @ 0x40f165
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133aa @ 0x758933aa
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x77cd9f72
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x77cd9f45

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x0
registers.esp: 1638224
registers.edi: 0
registers.eax: 0
registers.ebp: 1638252
registers.edx: 4250784
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 4251580

__exception__

June 22, 2025, 3:05 p.m.

stacktrace:

ve9srtwcmobc71qj+0xf165 @ 0x40f165
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133aa @ 0x758933aa
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x77cd9f72
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x77cd9f45

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Creates executable files on the filesystem (1 event)

file	C:\ProgramData\jv6xGfsXuxdZez\ve9SRtwcMOBC71qj.exe

Drops a binary and executes it (1 event)

file	C:\ProgramData\jv6xGfsXuxdZez\ve9SRtwcMOBC71qj.exe

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00036400', u'virtual_address': u'0x00031000', u'entropy': 7.961231303501862, u'name': u'.rsrc', u'virtual_size': u'0x000363f4'}

entropy

7.9612313035

description

A section with a high entropy has been found

entropy

0.588873812754

description

Overall entropy of this PE file is high

One or more of the buffers contains an embedded PE file (2 events)

buffer	Buffer with sha1: 32e00ebd5a3abf8d43e74476509828ca26861658
buffer	Buffer with sha1: 248337a19d204ec3187f83e83df2896aa80b2528

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory June 22, 2025, 3:05 p.m.	process_identifier: 2964 region_size: 385024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000a0	1	0	0
NtAllocateVirtualMemory June 22, 2025, 3:05 p.m.	process_identifier: 1452 region_size: 385024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000a0	1	0	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Baf85GPaYMrBHv9

reg_value

C:\ProgramData\jv6xGfsXuxdZez\ve9SRtwcMOBC71qj.exe

Manipulates memory of a non-child process indicative of process injection (3 events)

Process injection

Process 2376 manipulating memory of non-child process 1452

Time & API	Arguments	Status	Return	Repeated
NtUnmapViewOfSection June 22, 2025, 3:05 p.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 1452 process_handle: 0x000000a0	1	0	0
NtAllocateVirtualMemory June 22, 2025, 3:05 p.m.	process_identifier: 1452 region_size: 385024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000a0	1	0	0

Potential code injection by writing to the memory of another process (3 events)

Process injection

Process 2376 injected into non-child 1452

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory June 22, 2025, 3:05 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2964 process_handle: 0x000000a0	1	1	0
WriteProcessMemory June 22, 2025, 3:05 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1452 process_handle: 0x000000a0	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)

Process injection	Process 2136 called NtSetContextThread to modify thread in remote process 2964
Process injection	Process 2376 called NtSetContextThread to modify thread in remote process 1452

Time & API	Arguments	Status	Return	Repeated
NtSetContextThread June 22, 2025, 3:05 p.m.	registers.eip: 2009792948 registers.esp: 1638384 registers.edi: 0 registers.eax: 4486612 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000009c process_identifier: 2964	1	0	0
NtSetContextThread June 22, 2025, 3:05 p.m.	registers.eip: 2009792948 registers.esp: 1638384 registers.edi: 0 registers.eax: 4486612 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000009c process_identifier: 1452	1	0	0

A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. (1 event)

Time & API	Arguments	Status	Return	Repeated
CryptHashData June 22, 2025, 3:05 p.m.	buffer: BJXYGUPHWS hash_handle: 0x008cfb38 flags: 0	1	1	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Process injection

Process 2136 resumed a thread in remote process 2964

Time & API	Arguments	Status	Return	Repeated
NtResumeThread June 22, 2025, 3:05 p.m.	thread_handle: 0x0000009c suspend_count: 1 process_identifier: 2964	1	0	0

Executed a process and injected code into it, probably while unpacking (16 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW June 22, 2025, 3:05 p.m.	thread_identifier: 2056 thread_handle: 0x0000009c process_identifier: 2964 current_directory: filepath: C:\Users\Administrator\AppData\Local\Temp\b5da11d0aa9140b04361cd3cafb227860eb1aa8e68957a226755a613f2ba8ece.exe track: 1 command_line: "C:\Users\Administrator\AppData\Local\Temp\b5da11d0aa9140b04361cd3cafb227860eb1aa8e68957a226755a613f2ba8ece.exe" filepath_r: C:\Users\Administrator\AppData\Local\Temp\b5da11d0aa9140b04361cd3cafb227860eb1aa8e68957a226755a613f2ba8ece.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000000a0	1	1
NtGetContextThread June 22, 2025, 3:05 p.m.	thread_handle: 0x0000009c	1	0
NtUnmapViewOfSection June 22, 2025, 3:05 p.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 2964 process_handle: 0x000000a0	1	0
NtAllocateVirtualMemory June 22, 2025, 3:05 p.m.	process_identifier: 2964 region_size: 385024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000a0	1	0
WriteProcessMemory June 22, 2025, 3:05 p.m.	buffer: base_address: 0x00400000 process_identifier: 2964 process_handle: 0x000000a0	1	1
WriteProcessMemory June 22, 2025, 3:05 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2964 process_handle: 0x000000a0	1	1
NtSetContextThread June 22, 2025, 3:05 p.m.	registers.eip: 2009792948 registers.esp: 1638384 registers.edi: 0 registers.eax: 4486612 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000009c process_identifier: 2964	1	0
NtResumeThread June 22, 2025, 3:05 p.m.	thread_handle: 0x0000009c suspend_count: 1 process_identifier: 2964	1	0
CreateProcessInternalW June 22, 2025, 3:05 p.m.	thread_identifier: 584 thread_handle: 0x000000d0 process_identifier: 2376 current_directory: filepath: C:\ProgramData\jv6xGfsXuxdZez\ve9SRtwcMOBC71qj.exe track: 1 command_line: filepath_r: C:\ProgramData\jv6xGfsXuxdZez\ve9SRtwcMOBC71qj.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x000000cc	1	1
CreateProcessInternalW June 22, 2025, 3:05 p.m.	thread_identifier: 2764 thread_handle: 0x0000009c process_identifier: 1452 current_directory: filepath: C:\ProgramData\jv6xGfsXuxdZez\ve9SRtwcMOBC71qj.exe track: 1 command_line: "C:\ProgramData\jv6xGfsXuxdZez\ve9SRtwcMOBC71qj.exe" filepath_r: C:\ProgramData\jv6xGfsXuxdZez\ve9SRtwcMOBC71qj.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000000a0	1	1
NtGetContextThread June 22, 2025, 3:05 p.m.	thread_handle: 0x0000009c	1	0
NtUnmapViewOfSection June 22, 2025, 3:05 p.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 1452 process_handle: 0x000000a0	1	0
NtAllocateVirtualMemory June 22, 2025, 3:05 p.m.	process_identifier: 1452 region_size: 385024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000a0	1	0
WriteProcessMemory June 22, 2025, 3:05 p.m.	buffer: base_address: 0x00400000 process_identifier: 1452 process_handle: 0x000000a0	1	1
WriteProcessMemory June 22, 2025, 3:05 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1452 process_handle: 0x000000a0	1	1
NtSetContextThread June 22, 2025, 3:05 p.m.	registers.eip: 2009792948 registers.esp: 1638384 registers.edi: 0 registers.eax: 4486612 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000009c process_identifier: 1452	1	0

File has been identified by 14 AntiVirus engine on IRMA as malicious (14 events)

G Data Antivirus (Windows)	Virus: Trojan.GenericKD.48705378 (Engine A)
Avast Core Security (Linux)	Win32:Delf-SES [Trj]
C4S ClamAV (Linux)	Win.Malware.Delf-9890071-0
Trend Micro SProtect (Linux)	TROJ_NEOJIT.SMX
Trellix (Linux)	GenDownloader.ne trojan
WithSecure (Linux)	Trojan.TR/Dropper.Gen8
eScan Antivirus (Linux)	Trojan.GenericKD.48705378(DB)
ESET Security (Windows)	Win32/Delf.OEN trojan
Sophos Anti-Virus (Linux)	Mal/Generic-S
DrWeb Antivirus (Linux)	Trojan.DownLoader5.60700
ClamAV (Linux)	Win.Malware.Delf-9890071-0
Bitdefender Antivirus (Linux)	Trojan.GenericKD.48705378
Kaspersky Standard (Windows)	HEUR:Trojan.Win32.Agent.gen
Emsisoft Commandline Scanner (Windows)	Trojan.GenericKD.48705378 (B)

File has been identified by 61 AntiVirus engines on VirusTotal as malicious (50 out of 61 events)

Bkav	W32.AIDetectMalware
Cynet	Malicious (score: 100)
CAT-QuickHeal	VirTool.DelfInject
Skyhigh	BehavesLike.Win32.GenDownloader.fh
Cylance	Unsafe
VIPRE	Trojan.GenericKD.48705378
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (D)
BitDefender	Trojan.GenericKD.48705378
K7GW	Trojan ( 00592b501 )
K7AntiVirus	Trojan ( 00592b501 )
Arcabit	Trojan.Generic.D2E72F62
Baidu	Win32.Trojan.Delf.k
VirIT	Win32.DelfGen.DGZ
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	Win32/Delf.OEN
APEX	Malicious
Avast	Win32:Delf-SES [Trj]
ClamAV	Win.Malware.Delf-9890071-0
Kaspersky	HEUR:Trojan.Win32.Agent.gen
NANO-Antivirus	Trojan.Win32.Buzus.rggjy
SUPERAntiSpyware	Trojan.Agent/Gen-Delf
MicroWorld-eScan	Trojan.GenericKD.48705378
Rising	Malware.XPACK!1.6555 (CLASSIC)
Emsisoft	Trojan.GenericKD.48705378 (B)
F-Secure	Trojan.TR/Dropper.Gen8
DrWeb	Trojan.DownLoader5.60700
Zillya	Trojan.Buzus.Win32.98958
TrendMicro	TROJ_NEOJIT.SMX
McAfeeD	ti!B5DA11D0AA91
Trapmine	malicious.high.ml.score
CTX	exe.trojan.generic
Sophos	ML/PE-A
SentinelOne	Static AI - Malicious PE
Jiangmin	TrojanDropper.Injector.ufb
Webroot	W32.Trojan.Gen
Google	Detected
Avira	TR/Dropper.Gen8
Antiy-AVL	Trojan/Win32.Buzus
Kingsoft	malware.kb.a.1000
Gridinsoft	Ransom.Win32.Zbot.oa!s1
Xcitium	TrojWare.Win32.Buzus.krej@4t92vr
Microsoft	Trojan:Win32/Dorv.A!rfn
ZoneAlarm	Troj/DwnLdr-JYR
GData	Trojan.GenericKD.48705378
Varist	W32/Delf.DF.gen!Eldorado
AhnLab-V3	Dropper/Win32.Injector.R22749
VBA32	BScope.Trojan-Dropper.Injector
TACHYON	Trojan/W32.DP-Agent.378368.K

Screenshots

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action	VT	Location
No hosts contacted.

Browser recommendation

File b5da11d0aa9140b04361cd3cafb227860eb1aa8e68957a226755a613f2ba8ece

Summary Download Resubmit sample

Score

Autosubmit

Feedback

Information on Execution

Analyzer Log

Cuckoo Log

Signatures

Feedback

Summary
Download Resubmit sample