File 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe

Size 2.8MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 1c41e3fbe310b66b46388397ab268de2
SHA1 a257cb6f67f28c502bb7c72dbdf2a8de61fa6dd5
SHA256 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72
SHA512 e3c305183d374448857b866c4e922228ae82db416923b5f7db0e9eec4308589e95bd1df3f43183473f164b3c8956a2b2940b19ee7ca7de5a29851123d3dadb9f
CRC32 2191FD86
ssdeep None
Yara None matched

Score

This file is very suspicious, with a score of 10 out of 10!

Please note: the scoring system is still in development and should be considered an alpha feature.


Autosubmit

6829456


Information on Execution

Analysis
Category: FILE
Started: Aug. 11, 2025, 11:38 a.m.
Completed: Aug. 11, 2025, 11:40 a.m.
Duration: 67 seconds
Routing: internet

Analyzer Log

2025-08-11 10:52:04,015 [analyzer] DEBUG: Starting analyzer from: C:\tmpsftntc
2025-08-11 10:52:04,030 [analyzer] DEBUG: Pipe server name: \??\PIPE\OaHWnjprAQufEFVcrcfwBFfMssOGBMH
2025-08-11 10:52:04,030 [analyzer] DEBUG: Log pipe server name: \??\PIPE\ulqtWCWqulssMgxXhZqXmLmVAqQkWI
2025-08-11 10:52:04,483 [analyzer] DEBUG: Started auxiliary module Curtain
2025-08-11 10:52:04,500 [analyzer] DEBUG: Started auxiliary module DbgView
2025-08-11 10:52:05,030 [analyzer] DEBUG: Started auxiliary module Disguise
2025-08-11 10:52:05,233 [analyzer] DEBUG: Loaded monitor into process with pid 508
2025-08-11 10:52:05,233 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2025-08-11 10:52:05,233 [analyzer] DEBUG: Started auxiliary module Human
2025-08-11 10:52:05,233 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2025-08-11 10:52:05,233 [analyzer] DEBUG: Started auxiliary module Reboot
2025-08-11 10:52:05,312 [analyzer] DEBUG: Started auxiliary module RecentFiles
2025-08-11 10:52:05,312 [analyzer] DEBUG: Started auxiliary module Screenshots
2025-08-11 10:52:05,312 [analyzer] DEBUG: Started auxiliary module Sysmon
2025-08-11 10:52:05,328 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2025-08-11 10:52:05,483 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe' with arguments '' and pid 2104
2025-08-11 10:52:05,625 [analyzer] DEBUG: Loaded monitor into process with pid 2104
2025-08-11 10:52:06,483 [analyzer] INFO: Added new file to list with pid 2104 and path C:\Windows\Tasks\skotes.job
2025-08-11 10:52:06,578 [analyzer] INFO: Injected into process with pid 1696 and name u'explorer.exe'
2025-08-11 10:52:06,780 [analyzer] DEBUG: Loaded monitor into process with pid 1696
2025-08-11 10:52:07,265 [analyzer] INFO: Added new file to list with pid 2104 and path C:\Users\Administrator\AppData\Local\Temp\abc3bc1985\skotes.exe
2025-08-11 10:52:07,483 [analyzer] INFO: Injected into process with pid 2832 and name u'skotes.exe'
2025-08-11 10:52:07,578 [lib.api.process] ERROR: Failed to dump memory of 32-bit process with pid 2104.
2025-08-11 10:52:07,625 [analyzer] DEBUG: Loaded monitor into process with pid 2832
2025-08-11 10:52:08,483 [analyzer] INFO: Process with pid 2104 has terminated
2025-08-11 10:39:52,473 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2025-08-11 10:39:52,677 [lib.api.process] ERROR: Failed to dump memory of 64-bit process with pid 1696.
2025-08-11 10:39:52,770 [lib.api.process] ERROR: Failed to dump memory of 32-bit process with pid 2832.
2025-08-11 10:39:53,006 [analyzer] INFO: Terminating remaining processes before shutdown.
2025-08-11 10:39:53,006 [lib.api.process] INFO: Successfully terminated process with pid 1696.
2025-08-11 10:39:53,020 [lib.api.process] INFO: Successfully terminated process with pid 2832.
2025-08-11 10:39:53,084 [analyzer] INFO: Analysis completed.

Cuckoo Log

2025-08-11 11:38:59,865 [cuckoo.core.scheduler] INFO: Task #6829365: acquired machine win7x6421 (label=win7x6421)
2025-08-11 11:38:59,866 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.221 for task #6829365
2025-08-11 11:39:00,571 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 1792116 (interface=vboxnet0, host=192.168.168.221)
2025-08-11 11:39:01,433 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x6421
2025-08-11 11:39:02,612 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x6421 to vmcloak
2025-08-11 11:39:13,862 [cuckoo.core.guest] INFO: Starting analysis #6829365 on guest (id=win7x6421, ip=192.168.168.221)
2025-08-11 11:39:15,020 [cuckoo.core.guest] DEBUG: win7x6421: not ready yet
2025-08-11 11:39:20,523 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x6421, ip=192.168.168.221)
2025-08-11 11:39:20,614 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x6421, ip=192.168.168.221, monitor=latest, size=6660546)
2025-08-11 11:39:22,011 [cuckoo.core.resultserver] DEBUG: Task #6829365: live log analysis.log initialized.
2025-08-11 11:39:23,166 [cuckoo.core.resultserver] DEBUG: Task #6829365 is sending a BSON stream
2025-08-11 11:39:23,742 [cuckoo.core.resultserver] DEBUG: Task #6829365 is sending a BSON stream
2025-08-11 11:39:24,489 [cuckoo.core.resultserver] DEBUG: Task #6829365: File upload for 'shots/0001.jpg'
2025-08-11 11:39:24,531 [cuckoo.core.resultserver] DEBUG: Task #6829365 uploaded file length: 133519
2025-08-11 11:39:24,633 [cuckoo.core.resultserver] DEBUG: Task #6829365 is sending a BSON stream
2025-08-11 11:39:25,555 [cuckoo.core.resultserver] DEBUG: Task #6829365 is sending a BSON stream
2025-08-11 11:39:36,528 [cuckoo.core.guest] DEBUG: win7x6421: analysis #6829365 still processing
2025-08-11 11:39:51,849 [cuckoo.core.guest] DEBUG: win7x6421: analysis #6829365 still processing
2025-08-11 11:39:53,036 [cuckoo.core.resultserver] DEBUG: Task #6829365: File upload for 'curtain/1754901592.87.curtain.log'
2025-08-11 11:39:53,040 [cuckoo.core.resultserver] DEBUG: Task #6829365 uploaded file length: 36
2025-08-11 11:39:53,042 [cuckoo.core.resultserver] DEBUG: Task #6829365: File upload for 'sysmon/1754901593.01.sysmon.xml'
2025-08-11 11:39:53,044 [cuckoo.core.resultserver] DEBUG: Task #6829365: File upload for 'files/534e58da42d4089d_skotes.job'
2025-08-11 11:39:53,046 [cuckoo.core.resultserver] DEBUG: Task #6829365 uploaded file length: 288
2025-08-11 11:39:53,050 [cuckoo.core.resultserver] DEBUG: Task #6829365 uploaded file length: 349790
2025-08-11 11:39:53,067 [cuckoo.core.resultserver] DEBUG: Task #6829365: File upload for 'files/476c96f2c3b7810f_skotes.exe'
2025-08-11 11:39:53,096 [cuckoo.core.resultserver] DEBUG: Task #6829365 uploaded file length: 2976256
2025-08-11 11:39:53,553 [cuckoo.core.resultserver] DEBUG: Task #6829365: File upload for 'shots/0002.jpg'
2025-08-11 11:39:53,564 [cuckoo.core.resultserver] DEBUG: Task #6829365 uploaded file length: 129623
2025-08-11 11:39:53,580 [cuckoo.core.resultserver] DEBUG: Task #6829365 had connection reset for <Context for LOG>
2025-08-11 11:39:54,866 [cuckoo.core.guest] INFO: win7x6421: analysis completed successfully
2025-08-11 11:39:54,880 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2025-08-11 11:39:54,910 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2025-08-11 11:39:56,710 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x6421 to path /srv/cuckoo/cwd/storage/analyses/6829365/memory.dmp
2025-08-11 11:39:56,712 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x6421
2025-08-11 11:40:06,425 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.221 for task #6829365
2025-08-11 11:40:06,766 [cuckoo.core.scheduler] DEBUG: Released database task #6829365
2025-08-11 11:40:06,787 [cuckoo.core.scheduler] INFO: Task #6829365: analysis procedure completed

Signatures

Allocates read-write-execute memory (usually to unpack itself) (50 out of 61 events)
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2104
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76fbf000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2104
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76f30000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2104
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 188416
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00da1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2104
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2104
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2104
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005c0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2104
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2104
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2104
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a60000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2104
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00ab0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2104
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00ac0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2104
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2104
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b20000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2104
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00d70000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2104
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00d80000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2104
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00d90000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2104
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024c0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2104
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2104
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024e0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2104
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02530000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2104
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02540000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2104
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02550000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2104
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026e0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2104
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x026f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2104
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02700000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2104
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2104
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2104
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2104
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2104
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2104
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02980000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76fbf000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76f30000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 188416
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00ef1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2832
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2832
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00500000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2832
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00550000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2832
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00560000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2832
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00570000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2832
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005c0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2832
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2832
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2832
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a90000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2832
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00c60000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2832
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00c70000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2832
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00cc0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2832
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00d50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2832
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00ee0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2832
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02650000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2832
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02660000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
Checks if process is being debugged by a debugger (15 events)
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (5 events)
section \x00
section .idata
section hvpntabg
section otujhggi
section .taggant
One or more processes crashed (50 out of 240 events)
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x76f59f72
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x76f59f45

exception.instruction_r: fb 60 bd 14 b0 b3 ee e9 00 02 00 00 00 c3 e2 c8
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x6cc2f
exception.instruction: sti
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc0000096
exception.offset: 445487
exception.address: 0xe0cc2f
registers.esp: 2817500
registers.edi: 0
registers.eax: 2817516
registers.ebp: 2817516
registers.edx: 2817508
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
1 0 0

__exception__

stacktrace:

exception.instruction_r: fb 83 ec 04 89 2c 24 89 3c 24 89 0c 24 68 d7 7d
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x6da25
exception.instruction: sti
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc0000096
exception.offset: 449061
exception.address: 0xe0da25
registers.esp: 2817468
registers.edi: 0
registers.eax: 27260
registers.ebp: 4004753428
registers.edx: 14760511
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
1 0 0

__exception__

stacktrace:

exception.instruction_r: fb 68 31 ba 45 10 89 0c 24 89 2c 24 e9 00 00 00
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x6dc61
exception.instruction: sti
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc0000096
exception.offset: 449633
exception.address: 0xe0dc61
registers.esp: 2817468
registers.edi: 0
registers.eax: 27260
registers.ebp: 4004753428
registers.edx: 14736503
registers.ebx: 0
registers.esi: 605849941
registers.ecx: 0
1 0 0

__exception__

stacktrace:

exception.instruction_r: fb e9 10 00 00 00 b9 52 1d 7e ce 81 c1 e9 0f f5
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x6e6fa
exception.instruction: sti
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc0000096
exception.offset: 452346
exception.address: 0xe0e6fa
registers.esp: 2817464
registers.edi: 0
registers.eax: 14736857
registers.ebp: 4004753428
registers.edx: 1507826956
registers.ebx: 0
registers.esi: 605849941
registers.ecx: 0
1 0 0

__exception__

stacktrace:

exception.instruction_r: fb 68 20 96 d5 1d 89 04 24 51 50 89 0c 24 c7 04
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x6e688
exception.instruction: sti
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc0000096
exception.offset: 452232
exception.address: 0xe0e688
registers.esp: 2817468
registers.edi: 0
registers.eax: 14765947
registers.ebp: 4004753428
registers.edx: 1507826956
registers.ebx: 0
registers.esi: 605849941
registers.ecx: 0
1 0 0

__exception__

stacktrace:

exception.instruction_r: fb e9 fc 04 00 00 53 bb 68 be fa 7f 81 f3 9f 50
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x6df08
exception.instruction: sti
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc0000096
exception.offset: 450312
exception.address: 0xe0df08
registers.esp: 2817468
registers.edi: 238825
registers.eax: 14765947
registers.ebp: 4004753428
registers.edx: 4294941060
registers.ebx: 0
registers.esi: 605849941
registers.ecx: 0
1 0 0

__exception__

stacktrace:

exception.instruction_r: fb e9 5a fe ff ff 50 b8 65 c0 77 6e e9 2a 02 00
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x1e75ec
exception.instruction: sti
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc0000096
exception.offset: 1996268
exception.address: 0xf875ec
registers.esp: 2817464
registers.edi: 16282050
registers.eax: 26009
registers.ebp: 4004753428
registers.edx: 2130566132
registers.ebx: 42992272
registers.esi: 16265663
registers.ecx: 656
1 0 0

__exception__

stacktrace:

exception.instruction_r: fb 31 db ff 34 3b 8b 0c 24 83 ec 04 89 04 24 e9
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x1e79a3
exception.instruction: sti
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc0000096
exception.offset: 1997219
exception.address: 0xf879a3
registers.esp: 2817468
registers.edi: 16308059
registers.eax: 26009
registers.ebp: 4004753428
registers.edx: 2130566132
registers.ebx: 42992272
registers.esi: 16265663
registers.ecx: 656
1 0 0

__exception__

stacktrace:

exception.instruction_r: fb 55 89 e5 81 c5 04 00 00 00 e9 10 05 00 00 89
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x1e720e
exception.instruction: sti
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc0000096
exception.offset: 1995278
exception.address: 0xf8720e
registers.esp: 2817468
registers.edi: 16308059
registers.eax: 26009
registers.ebp: 4004753428
registers.edx: 2130566132
registers.ebx: 4294943668
registers.esi: 16265663
registers.ecx: 331753
1 0 0

__exception__

stacktrace:

exception.instruction_r: fb 68 e7 4f 3f 53 89 14 24 89 3c 24 e9 5a f7 ff
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x1ea1ff
exception.instruction: sti
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc0000096
exception.offset: 2007551
exception.address: 0xf8a1ff
registers.esp: 2817468
registers.edi: 16322417
registers.eax: 30724
registers.ebp: 4004753428
registers.edx: 95
registers.ebx: 16289504
registers.esi: 0
registers.ecx: 1758262819
1 0 0

__exception__

stacktrace:

exception.instruction_r: fb e9 ae fe ff ff 5d 55 54 5d 81 c5 04 00 00 00
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x1e99ea
exception.instruction: sti
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc0000096
exception.offset: 2005482
exception.address: 0xf899ea
registers.esp: 2817468
registers.edi: 16294721
registers.eax: 30724
registers.ebp: 4004753428
registers.edx: 95
registers.ebx: 16289504
registers.esi: 0
registers.ecx: 1259
1 0 0

__exception__

stacktrace:

exception.instruction_r: fb e9 aa f7 ff ff 33 0c 24 31 0c 24 33 0c 24 e9
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x1f0804
exception.instruction: sti
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc0000096
exception.offset: 2033668
exception.address: 0xf90804
registers.esp: 2817468
registers.edi: 16294721
registers.eax: 26168
registers.ebp: 4004753428
registers.edx: 95
registers.ebx: 16344286
registers.esi: 0
registers.ecx: 14288
1 0 0

__exception__

stacktrace:

exception.instruction_r: fb 68 bb 44 08 75 ff 34 24 e9 d3 fb ff ff 5d 2d
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x1f02f0
exception.instruction: sti
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc0000096
exception.offset: 2032368
exception.address: 0xf902f0
registers.esp: 2817468
registers.edi: 16294721
registers.eax: 202985
registers.ebp: 4004753428
registers.edx: 95
registers.ebx: 16320982
registers.esi: 0
registers.ecx: 0
1 0 0

__exception__

stacktrace:

exception.instruction_r: ed 64 8f 05 00 00 00 00 50 89 34 24 89 14 24 89
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x1f2388
exception.instruction: in eax, dx
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc0000096
exception.offset: 2040712
exception.address: 0xf92388
registers.esp: 2817460
registers.edi: 6107137
registers.eax: 1447909480
registers.ebp: 4004753428
registers.edx: 22104
registers.ebx: 1989218461
registers.esi: 16327342
registers.ecx: 20
1 0 0

__exception__

stacktrace:

exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x1f2a15
exception.address: 0xf92a15
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc000001d
exception.offset: 2042389
registers.esp: 2817460
registers.edi: 6107137
registers.eax: 1
registers.ebp: 4004753428
registers.edx: 22104
registers.ebx: 0
registers.esi: 16327342
registers.ecx: 20
1 0 0

__exception__

stacktrace:

        
      
      
      
exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 f4 3a 2d 12 01
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x1f40ec
exception.instruction: in eax, dx
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc0000096
exception.offset: 2048236
exception.address: 0xf940ec
registers.esp: 2817460
registers.edi: 6107137
registers.eax: 1447909480
registers.ebp: 4004753428
registers.edx: 22104
registers.ebx: 2256917605
registers.esi: 16327342
registers.ecx: 10
1 0 0

__exception__

stacktrace:

        
      
      
      
exception.instruction_r: fb 56 89 e6 53 bb 04 00 00 00 01 de 5b 83 ee 04
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x1fb321
exception.instruction: sti
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc0000096
exception.offset: 2077473
exception.address: 0xf9b321
registers.esp: 2817468
registers.edi: 4294940072
registers.eax: 29827
registers.ebp: 4004753428
registers.edx: 1108320
registers.ebx: 3966764
registers.esi: 10
registers.ecx: 16393043
1 0 0

__exception__

stacktrace:

        
      
      
      
exception.instruction_r: cd 01 eb 00 6a 00 51 e8 03 00 00 00 20 59 c3 59
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x1fbb1f
exception.instruction: int 1
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc0000005
exception.offset: 2079519
exception.address: 0xf9bb1f
registers.esp: 2817428
registers.edi: 0
registers.eax: 2817428
registers.ebp: 4004753428
registers.edx: 4294949885
registers.ebx: 16366589
registers.esi: 508829825
registers.ecx: 16366176
1 0 0

__exception__

stacktrace:

        
      
      
      
exception.instruction_r: fb 56 c7 04 24 fa 12 c8 67 e9 4d 02 00 00 58 01
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x2030fd
exception.instruction: sti
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc0000096
exception.offset: 2109693
exception.address: 0xfa30fd
registers.esp: 2817464
registers.edi: 4294940072
registers.eax: 31679
registers.ebp: 4004753428
registers.edx: 16394928
registers.ebx: 1896697523
registers.esi: 10
registers.ecx: 16378282
1 0 0

__exception__

stacktrace:

        
      
      
      
exception.instruction_r: fb 81 ec 04 00 00 00 89 1c 24 e9 cd fa ff ff c1
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x203341
exception.instruction: sti
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc0000096
exception.offset: 2110273
exception.address: 0xfa3341
registers.esp: 2817468
registers.edi: 4294938164
registers.eax: 31679
registers.ebp: 4004753428
registers.edx: 16426607
registers.ebx: 3775369320
registers.esi: 10
registers.ecx: 16378282
1 0 0

__exception__

stacktrace:

        
      
      
      
exception.instruction_r: fb 68 a5 d9 d5 3d 89 2c 24 50 b8 84 ba f2 52 89
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x20fee9
exception.instruction: sti
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc0000096
exception.offset: 2162409
exception.address: 0xfafee9
registers.esp: 2817460
registers.edi: 16478307
registers.eax: 31381
registers.ebp: 4004753428
registers.edx: 6
registers.ebx: 3966986
registers.esi: 1989153808
registers.ecx: 0
1 0 0

__exception__

stacktrace:

        
      
      
      
exception.instruction_r: fb 53 52 c7 04 24 00 06 e7 44 89 04 24 b8 f7 48
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x20f65f
exception.instruction: sti
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc0000096
exception.offset: 2160223
exception.address: 0xfaf65f
registers.esp: 2817460
registers.edi: 16450423
registers.eax: 0
registers.ebp: 4004753428
registers.edx: 20441424
registers.ebx: 3966986
registers.esi: 1989153808
registers.ecx: 0
1 0 0

__exception__

stacktrace:

        
      
      
      
exception.instruction_r: fb 50 51 b9 cf 68 9f 39 c1 e9 06 e9 13 00 00 00
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x211062
exception.instruction: sti
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc0000096
exception.offset: 2166882
exception.address: 0xfb1062
registers.esp: 2817460
registers.edi: 67817
registers.eax: 28133
registers.ebp: 4004753428
registers.edx: 1969353971
registers.ebx: 16453793
registers.esi: 1989153808
registers.ecx: 0
1 0 0

__exception__

stacktrace:

        
      
      
      
exception.instruction_r: fb 52 c7 04 24 30 b7 bf 31 f7 1c 24 e9 d7 06 00
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x215b8a
exception.instruction: sti
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc0000096
exception.offset: 2186122
exception.address: 0xfb5b8a
registers.esp: 2817460
registers.edi: 16499684
registers.eax: 26742
registers.ebp: 4004753428
registers.edx: 2130566132
registers.ebx: 1470091184
registers.esi: 1989153808
registers.ecx: 2009464832
1 0 0

__exception__

stacktrace:

        
      
      
      
exception.instruction_r: fb 68 46 3c af 1d ff 34 24 8b 1c 24 e9 5e fe ff
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x21675a
exception.instruction: sti
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc0000096
exception.offset: 2189146
exception.address: 0xfb675a
registers.esp: 2817460
registers.edi: 16476232
registers.eax: 0
registers.ebp: 4004753428
registers.edx: 2130566132
registers.ebx: 1470091184
registers.esi: 1989153808
registers.ecx: 84201
1 0 0

__exception__

stacktrace:

        
      
      
      
exception.instruction_r: fb 55 83 ec 04 e9 32 00 00 00 ba a4 4d 90 56 31
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x234a70
exception.instruction: sti
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc0000096
exception.offset: 2312816
exception.address: 0xfd4a70
registers.esp: 2817428
registers.edi: 59684
registers.eax: 30034
registers.ebp: 4004753428
registers.edx: 16627006
registers.ebx: 116969
registers.esi: 4294940036
registers.ecx: 2009464832
1 0 0

__exception__

stacktrace:

        
      
      
      
exception.instruction_r: fb e9 2e f8 ff ff bb 5c b4 37 3b 29 df 5b 52 89
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x235d0a
exception.instruction: sti
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc0000096
exception.offset: 2317578
exception.address: 0xfd5d0a
registers.esp: 2817424
registers.edi: 16601513
registers.eax: 31750
registers.ebp: 4004753428
registers.edx: 978587455
registers.ebx: 116969
registers.esi: 4294940036
registers.ecx: 1650048755
1 0 0

__exception__

stacktrace:

        
      
      
      
exception.instruction_r: fb 53 e9 2a fc ff ff 81 ea 58 ef 0b ea 01 d0 5a
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x235c39
exception.instruction: sti
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc0000096
exception.offset: 2317369
exception.address: 0xfd5c39
registers.esp: 2817428
registers.edi: 16633263
registers.eax: 31750
registers.ebp: 4004753428
registers.edx: 978587455
registers.ebx: 116969
registers.esi: 4294940036
registers.ecx: 1650048755
1 0 0

__exception__

stacktrace:

        
      
      
      
exception.instruction_r: fb 83 ec 04 89 3c 24 89 14 24 e9 6f 05 00 00 89
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x2355ec
exception.instruction: sti
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc0000096
exception.offset: 2315756
exception.address: 0xfd55ec
registers.esp: 2817428
registers.edi: 16604807
registers.eax: 31750
registers.ebp: 4004753428
registers.edx: 978587455
registers.ebx: 0
registers.esi: 4294940036
registers.ecx: 2346224224
1 0 0

__exception__

stacktrace:

        
      
      
      
exception.instruction_r: fb 81 e9 60 ea fe 7f 52 ba 8a b3 df 17 e9 9f 00
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x2369d2
exception.instruction: sti
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc0000096
exception.offset: 2320850
exception.address: 0xfd69d2
registers.esp: 2817424
registers.edi: 16604807
registers.eax: 25661
registers.ebp: 4004753428
registers.edx: 416693624
registers.ebx: 0
registers.esi: 4294940036
registers.ecx: 16606753
1 0 0

__exception__

stacktrace:

        
      
      
      
exception.instruction_r: fb 57 bf d3 00 ce 52 81 f7 16 56 92 7f 57 83 ec
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x236b53
exception.instruction: sti
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc0000096
exception.offset: 2321235
exception.address: 0xfd6b53
registers.esp: 2817428
registers.edi: 16604807
registers.eax: 25661
registers.ebp: 4004753428
registers.edx: 416693624
registers.ebx: 4294944080
registers.esi: 132732512
registers.ecx: 16632414
1 0 0

__exception__

stacktrace:

        
      
      
      
exception.instruction_r: fb 50 b8 d8 f5 eb 69 56 be db 30 18 37 31 f0 5e
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x2375bb
exception.instruction: sti
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc0000096
exception.offset: 2323899
exception.address: 0xfd75bb
registers.esp: 2817424
registers.edi: 16609891
registers.eax: 27924
registers.ebp: 4004753428
registers.edx: 1989333093
registers.ebx: 986001284
registers.esi: 16609227
registers.ecx: 16610237
1 0 0

__exception__

stacktrace:

        
      
      
      
exception.instruction_r: fb 57 e9 b5 00 00 00 89 e3 81 c3 04 00 00 00 81
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x237cbe
exception.instruction: sti
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc0000096
exception.offset: 2325694
exception.address: 0xfd7cbe
registers.esp: 2817428
registers.edi: 0
registers.eax: 27924
registers.ebp: 4004753428
registers.edx: 1989333093
registers.ebx: 322689
registers.esi: 16609227
registers.ecx: 16613169
1 0 0

__exception__

stacktrace:

        
      
      
      
exception.instruction_r: fb 81 ec 04 00 00 00 89 14 24 57 c7 04 24 8b 06
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x238586
exception.instruction: sti
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc0000096
exception.offset: 2327942
exception.address: 0xfd8586
registers.esp: 2817428
registers.edi: 0
registers.eax: 31054
registers.ebp: 4004753428
registers.edx: 1989333093
registers.ebx: 322689
registers.esi: 16644680
registers.ecx: 579928466
1 0 0

__exception__

stacktrace:

        
      
      
      
exception.instruction_r: fb 83 ec 04 89 1c 24 c7 04 24 58 85 5e 58 81 2c
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x238887
exception.instruction: sti
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc0000096
exception.offset: 2328711
exception.address: 0xfd8887
registers.esp: 2817428
registers.edi: 0
registers.eax: 0
registers.ebp: 4004753428
registers.edx: 1989333093
registers.ebx: 605849943
registers.esi: 16616280
registers.ecx: 579928466
1 0 0

__exception__

stacktrace:

        
      
      
      
exception.instruction_r: fb 50 89 3c 24 81 ec 04 00 00 00 89 0c 24 56 be
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x23cff9
exception.instruction: sti
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc0000096
exception.offset: 2347001
exception.address: 0xfdcff9
registers.esp: 2817428
registers.edi: 0
registers.eax: 26086
registers.ebp: 4004753428
registers.edx: 16657580
registers.ebx: 14740052
registers.esi: 16616280
registers.ecx: 1960771726
1 0 0

__exception__

stacktrace:

        
      
      
      
exception.instruction_r: fb 83 ec 04 89 34 24 c7 04 24 65 17 7f 4b e9 7b
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x23c973
exception.instruction: sti
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc0000096
exception.offset: 2345331
exception.address: 0xfdc973
registers.esp: 2817428
registers.edi: 0
registers.eax: 24811
registers.ebp: 4004753428
registers.edx: 16634740
registers.ebx: 14740052
registers.esi: 0
registers.ecx: 1960771726
1 0 0

__exception__

stacktrace:

        
      
      
      
exception.instruction_r: fb e9 5f 00 00 00 83 c4 04 c1 e8 02 40 57 89 0c
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x23fefe
exception.instruction: sti
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc0000096
exception.offset: 2359038
exception.address: 0xfdfefe
registers.esp: 2817428
registers.edi: 16672355
registers.eax: 28787
registers.ebp: 4004753428
registers.edx: 16634740
registers.ebx: 615719935
registers.esi: 30099
registers.ecx: 65154
1 0 0

__exception__

stacktrace:

        
      
      
      
exception.instruction_r: fb 55 68 95 59 36 54 89 14 24 e9 7c ff ff ff 89
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x23fcb1
exception.instruction: sti
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc0000096
exception.offset: 2358449
exception.address: 0xfdfcb1
registers.esp: 2817428
registers.edi: 16672355
registers.eax: 28787
registers.ebp: 4004753428
registers.edx: 16634740
registers.ebx: 81129
registers.esi: 4294941604
registers.ecx: 65154
1 0 0

__exception__

stacktrace:

        
      
      
      
exception.instruction_r: fb 68 bd a8 2d 25 89 14 24 68 16 23 fc 17 5a 2d
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x241fa6
exception.instruction: sti
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc0000096
exception.offset: 2367398
exception.address: 0xfe1fa6
registers.esp: 2817424
registers.edi: 3998078583
registers.eax: 16654208
registers.ebp: 4004753428
registers.edx: 16634740
registers.ebx: 16794642
registers.esi: 16646663
registers.ecx: 33287190
1 0 0

__exception__

stacktrace:

        
      
      
      
exception.instruction_r: fb e9 85 f8 ff ff 56 ff 74 24 04 5e 8f 04 24 8b
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x2429a6
exception.instruction: sti
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc0000096
exception.offset: 2369958
exception.address: 0xfe29a6
registers.esp: 2817428
registers.edi: 3998078583
registers.eax: 16683009
registers.ebp: 4004753428
registers.edx: 16634740
registers.ebx: 16794642
registers.esi: 16646663
registers.ecx: 33287190
1 0 0

__exception__

stacktrace:

        
      
      
      
exception.instruction_r: fb 51 e9 80 00 00 00 5e 83 c4 04 87 1c 24 5c fb
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x241f97
exception.instruction: sti
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc0000096
exception.offset: 2367383
exception.address: 0xfe1f97
registers.esp: 2817428
registers.edi: 157417
registers.eax: 16656857
registers.ebp: 4004753428
registers.edx: 16634740
registers.ebx: 16794642
registers.esi: 16646663
registers.ecx: 0
1 0 0

__exception__

stacktrace:

        
      
      
      
exception.instruction_r: fb 51 89 14 24 51 e9 cf fd ff ff 81 e5 d4 78 95
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x24898c
exception.instruction: sti
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc0000096
exception.offset: 2394508
exception.address: 0xfe898c
registers.esp: 2817428
registers.edi: 157417
registers.eax: 28103
registers.ebp: 4004753428
registers.edx: 2130566132
registers.ebx: 16706859
registers.esi: 16658943
registers.ecx: 2009464832
1 0 0

__exception__

stacktrace:

        
      
      
      
exception.instruction_r: fb 53 c7 04 24 a3 13 bb 7d ff 04 24 52 ba 0f 7b
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x2481eb
exception.instruction: sti
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc0000096
exception.offset: 2392555
exception.address: 0xfe81eb
registers.esp: 2817428
registers.edi: 157417
registers.eax: 4294941852
registers.ebp: 4004753428
registers.edx: 82608976
registers.ebx: 16706859
registers.esi: 16658943
registers.ecx: 2009464832
1 0 0

__exception__

stacktrace:

        
      
      
      
exception.instruction_r: fb 55 89 0c 24 b9 84 bb bf 76 e9 20 01 00 00 56
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x25bf8e
exception.instruction: sti
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc0000096
exception.offset: 2473870
exception.address: 0xffbf8e
registers.esp: 2817424
registers.edi: 16736985
registers.eax: 28118
registers.ebp: 4004753428
registers.edx: 2130566132
registers.ebx: 1960771558
registers.esi: 16758731
registers.ecx: 0
1 0 0

__exception__

stacktrace:

        
      
      
      
exception.instruction_r: fb 51 c7 04 24 00 38 fb 73 ff 04 24 c1 2c 24 06
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x25bdc1
exception.instruction: sti
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc0000096
exception.offset: 2473409
exception.address: 0xffbdc1
registers.esp: 2817428
registers.edi: 210457681
registers.eax: 28118
registers.ebp: 4004753428
registers.edx: 2130566132
registers.ebx: 0
registers.esi: 16761773
registers.ecx: 0
1 0 0

__exception__

stacktrace:

        
      
      
      
exception.instruction_r: fb 83 ec 04 89 34 24 e9 04 fc ff ff 56 be 04 00
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x266c44
exception.instruction: sti
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc0000096
exception.offset: 2518084
exception.address: 0x1006c44
registers.esp: 2817428
registers.edi: 4021522571
registers.eax: 29220
registers.ebp: 4004753428
registers.edx: 2130566132
registers.ebx: 16831722
registers.esi: 33547340
registers.ecx: 2147366796
1 0 0

__exception__

stacktrace:

        
      
      
      
exception.instruction_r: fb 57 55 bd d9 57 af 6d 83 ed 01 53 bb a6 3e 62
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x266b19
exception.instruction: sti
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc0000096
exception.offset: 2517785
exception.address: 0x1006b19
registers.esp: 2817428
registers.edi: 0
registers.eax: 29220
registers.ebp: 4004753428
registers.edx: 2130566132
registers.ebx: 16805682
registers.esi: 33547340
registers.ecx: 604292946
1 0 0

__exception__

stacktrace:

        
      
      
      
exception.instruction_r: fb 57 e9 63 04 00 00 29 ef 5d 52 ba 85 90 c5 3e
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x26a2a1
exception.instruction: sti
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc0000096
exception.offset: 2532001
exception.address: 0x100a2a1
registers.esp: 2817428
registers.edi: 0
registers.eax: 322689
registers.ebp: 4004753428
registers.edx: 16821086
registers.ebx: 16805682
registers.esi: 33547340
registers.ecx: 0
1 0 0

__exception__

stacktrace:

        
      
      
      
exception.instruction_r: fb 56 be a7 2f 3f 7f 29 f3 5e 52 51 b9 5f 1b db
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x2746f4
exception.instruction: sti
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc0000096
exception.offset: 2574068
exception.address: 0x10146f4
registers.esp: 2817424
registers.edi: 0
registers.eax: 25438
registers.ebp: 4004753428
registers.edx: 698738290
registers.ebx: 16860777
registers.esi: 4174208
registers.ecx: 4294947200
1 0 0
A process attempted to delay the analysis task. (1 event)
description skotes.exe tried to sleep 232 seconds, actually delayed analysis time by 232 seconds
Drops a binary and executes it (1 event)
file C:\Users\Administrator\AppData\Local\Temp\abc3bc1985\skotes.exe
Drops an executable to the user AppData folder (1 event)
file C:\Users\Administrator\AppData\Local\Temp\abc3bc1985\skotes.exe
A process created a hidden window (1 event)
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\ADMINI~1\AppData\Local\Temp\abc3bc1985\skotes.exe
parameters:
filepath: C:\Users\Administrator\AppData\Local\Temp\abc3bc1985\skotes.exe
1 1 0
Checks adapter addresses which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 46 (0x2E = GAA_FLAG_SKIP_ANYCAST | GAA_FLAG_SKIP_MULTICAST | GAA_FLAG_SKIP_DNS_SERVER | GAA_FLAG_SKIP_FRIENDLY_NAME; unicast addresses, i.e. the MACs and IPs of every adapter, are returned)
family: 0 (AF_UNSPEC)
1 0 0
The binary likely contains encrypted or compressed data indicative of a packer (1 event)
section: name ' \x00 ' (whitespace and a NUL byte, not a printable name), virtual_address 0x00001000, virtual_size 0x00068000, size_of_data 0x0002de00, entropy 7.98; description: A section with a high entropy has been found
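The signature above reduces to one number, but the section record carries two further packer tells: the raw data (0x2de00 bytes) is much smaller than the memory reserved for it (0x68000), and the section name is unprintable. The following Python is an added example for this report, not Cuckoo's code and not the sample's; it computes Shannon entropy and combines it with those two fields. The 7.2 threshold is an assumption of this example, and the two byte buffers are constructed here (seeded pseudo-random bytes and a repeated DOS-stub string), not taken from the sample.

```python
"""Section-entropy packer heuristic, mirroring the check behind the signature above.
Added example for this report; not Cuckoo's code."""
import math
import random
from collections import Counter

HIGH_ENTROPY = 7.2   # threshold assumed here; compressed/encrypted data sits near 8.0


def shannon_entropy(data):
    """Bits per byte: ~8.0 for random/encrypted bytes, roughly 4 to 6 for code or text."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def section_verdict(name, size_of_data, virtual_size, entropy):
    """Return the reasons a section looks packed, combining the fields the report
    prints. High entropy alone also fires on .rsrc holding compressed images, so
    the raw-vs-virtual size gap (room reserved for the unpacked image) and an
    unprintable name are weighed as well."""
    reasons = []
    if entropy >= HIGH_ENTROPY:
        reasons.append("entropy %.2f" % entropy)
    if size_of_data and virtual_size > 2 * size_of_data:
        reasons.append("virtual_size 0x%x is %.1fx size_of_data 0x%x"
                       % (virtual_size, virtual_size / size_of_data, size_of_data))
    clean = name.strip(" \x00")
    if not clean or not clean.isprintable():
        reasons.append("unprintable section name %r" % name)
    return reasons


# The section exactly as the report describes it.
REPORT_SECTION = dict(name=" \x00 ", size_of_data=0x2de00,
                      virtual_size=0x68000, entropy=7.982647852462878)

# Constructed buffers (not taken from the sample): seeded pseudo-random bytes stand
# in for an encrypted section, a repeated DOS stub string for ordinary data.
_rng = random.Random(1)
ENCRYPTED_LIKE = bytes(_rng.getrandbits(8) for _ in range(0x2de00))
PLAIN_LIKE = b"MZ\x90\x00This program cannot be run in DOS mode.\r\n" * 2048


def demo():
    """Verdict for the report's section plus entropies of the constructed buffers."""
    return {
        "report_section": section_verdict(**REPORT_SECTION),
        "encrypted_like": round(shannon_entropy(ENCRYPTED_LIKE), 3),
        "plain_like": round(shannon_entropy(PLAIN_LIKE), 3),
    }
```

For the report's section all three reasons fire; a normal .text section with matching raw and virtual sizes and entropy around 5.5 yields none.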
Expresses interest in specific running processes (1 event)
process system
Attempts to identify installed AV products by installation directory (7 events)
file C:\ProgramData\AVAST Software
file C:\ProgramData\Avira
file C:\ProgramData\Kaspersky Lab
file C:\ProgramData\Panda Security
file C:\ProgramData\Bitdefender
file C:\ProgramData\AVG
file C:\ProgramData\Doctor Web
Checks for the presence of known devices from debuggers and forensic tools (3 events)
file \??\SICE
file \??\SIWVID
file \??\NTICE
Checks for the presence of known windows from debuggers and forensic tools (50 out of 103 events)
Time & API    class_name              window_name                                            Status Return
FindWindowA   OLLYDBG                 (empty)                                                0 0
FindWindowA   GBDYLLO                 (empty)                                                0 0
FindWindowA   pediy06                 (empty)                                                0 0
FindWindowA   FilemonClass            (empty)                                                0 0
FindWindowA   FilemonClass            (empty)                                                0 0
FindWindowA   #0                      File Monitor - Sysinternals: www.sysinternals.com      0 0
FindWindowA   PROCMON_WINDOW_CLASS    (empty)                                                0 0
FindWindowA   #0                      Process Monitor - Sysinternals: www.sysinternals.com   0 0
FindWindowA   RegmonClass             (empty)                                                0 0
FindWindowA   RegmonClass             (empty)                                                0 0
FindWindowA   #0                      Registry Monitor - Sysinternals: www.sysinternals.com  0 0
FindWindowA   18467-41                (empty)                                                0 0
FindWindowA   FilemonClass            (empty)                                                0 0
FindWindowA   FilemonClass            (empty)                                                0 0
FindWindowA   #0                      File Monitor - Sysinternals: www.sysinternals.com      0 0
FindWindowA   PROCMON_WINDOW_CLASS    (empty)                                                0 0
FindWindowA   #0                      Process Monitor - Sysinternals: www.sysinternals.com   0 0
FindWindowA   OLLYDBG                 (empty)                                                0 0
FindWindowA   GBDYLLO                 (empty)                                                0 0
FindWindowA   pediy06                 (empty)                                                0 0
FindWindowA   FilemonClass            (empty)                                                0 0
FindWindowA   FilemonClass            (empty)                                                0 0
FindWindowA   #0                      File Monitor - Sysinternals: www.sysinternals.com      0 0
FindWindowA   PROCMON_WINDOW_CLASS    (empty)                                                0 0
FindWindowA   #0                      Process Monitor - Sysinternals: www.sysinternals.com   0 0
FindWindowA   RegmonClass             (empty)                                                0 0
FindWindowA   RegmonClass             (empty)                                                0 0
FindWindowA   #0                      Registry Monitor - Sysinternals: www.sysinternals.com  0 0
FindWindowA   18467-41                (empty)                                                0 0
FindWindowA   FilemonClass            (empty)                                                0 0
FindWindowA   FilemonClass            (empty)                                                0 0
FindWindowA   #0                      File Monitor - Sysinternals: www.sysinternals.com      0 0
FindWindowA   PROCMON_WINDOW_CLASS    (empty)                                                0 0
FindWindowA   #0                      Process Monitor - Sysinternals: www.sysinternals.com   0 0
FindWindowA   OLLYDBG                 (empty)                                                0 0
FindWindowA   GBDYLLO                 (empty)                                                0 0
FindWindowA   pediy06                 (empty)                                                0 0
FindWindowA   OLLYDBG                 (empty)                                                0 0
FindWindowA   GBDYLLO                 (empty)                                                0 0
FindWindowA   pediy06                 (empty)                                                0 0
FindWindowA   Regmonclass             (empty)                                                0 0
FindWindowA   Regmonclass             (empty)                                                0 0
FindWindowA   18467-41                (empty)                                                0 0
FindWindowA   Filemonclass            (empty)                                                0 0
FindWindowA   Filemonclass            (empty)                                                0 0
FindWindowA   PROCMON_WINDOW_CLASS    (empty)                                                0 0
FindWindowA   OLLYDBG                 (empty)                                                0 0
FindWindowA   GBDYLLO                 (empty)                                                0 0
FindWindowA   pediy06                 (empty)                                                0 0
FindWindowA   OLLYDBG                 (empty)                                                0 0
All 50 listed calls returned NULL (status 0, return 0): none of the probed OllyDbg, Filemon, Regmon or Process Monitor windows was open in the sandbox. The list is repeated several times because the check runs again on each unpacking pass.
Checks the version of Bios, possibly for anti-virtualization (2 events)
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Installs itself for autorun at Windows startup (1 event)
file C:\Windows\Tasks\skotes.job
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (10 events)
Note: the WpadDecision, WpadDecisionReason, WpadDecisionTime and WpadNetworkName values under Internet Settings\Wpad are written by Windows' own WinHTTP auto-proxy (WPAD) detection whenever a process triggers a proxy lookup, and none of the events below sets a PAC URL or proxy server. Taken alone they show the sample preparing an HTTP request, not tampering with proxy settings. The second key is named after the adapter MAC 0a-00-27-00-00-00, the default address of a VirtualBox host-only adapter, i.e. the sandbox's own interface.
Time & API       key_handle   regkey (under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\)   reg_type         value                                   Status Return Repeated
RegSetValueExW   0x00000334   {092F0E6C-7874-4263-8D41-969F2B667EA2}\WpadDecisionReason   4 (REG_DWORD)    1                                       1 0 0
RegSetValueExW   0x00000334   {092F0E6C-7874-4263-8D41-969F2B667EA2}\WpadDecisionTime     3 (REG_BINARY)   (binary value, shown garbled in the report)   1 0 0
RegSetValueExW   0x00000334   {092F0E6C-7874-4263-8D41-969F2B667EA2}\WpadDecision         4 (REG_DWORD)    0                                       1 0 0
RegSetValueExW   0x00000334   {092F0E6C-7874-4263-8D41-969F2B667EA2}\WpadNetworkName      1 (REG_SZ)       Network                                 1 0 0
RegSetValueExW   0x000003d4   0a-00-27-00-00-00\WpadDecisionReason                         4 (REG_DWORD)    1                                       1 0 0
RegSetValueExW   0x000003d4   0a-00-27-00-00-00\WpadDecisionTime                           3 (REG_BINARY)   (binary value, shown garbled in the report)   1 0 0
RegSetValueExW   0x000003d4   0a-00-27-00-00-00\WpadDecision                               4 (REG_DWORD)    0                                       1 0 0
RegSetValueExW   0x000003d4   0a-00-27-00-00-00\WpadDecisionReason                         4 (REG_DWORD)    1                                       1 0 0
RegSetValueExW   0x000003d4   0a-00-27-00-00-00\WpadDecisionTime                           3 (REG_BINARY)   (binary value, shown garbled in the report)   1 0 0
RegSetValueExW   0x000003d4   0a-00-27-00-00-00\WpadDecision                               4 (REG_DWORD)    0                                       1 0 0
Detects VMWare through the in instruction feature (1 event)
Time & API Arguments Status Return Repeated

__exception__

stacktrace:

        
      
      
      
exception.instruction_r: ed 64 8f 05 00 00 00 00 50 89 34 24 89 14 24 89
exception.symbol: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72+0x1f2388
exception.instruction: in eax, dx
exception.module: 476c96f2c3b7810f96b535ae053b2daf1cc1c1154e81959afa01e0fb2a9aed72.exe
exception.exception_code: 0xc0000096
exception.offset: 2040712
exception.address: 0xf92388
registers.esp: 2817460
registers.edi: 6107137
registers.eax: 1447909480
registers.ebp: 4004753428
registers.edx: 22104
registers.ebx: 1989218461
registers.esi: 16327342
registers.ecx: 20
1 0 0
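The exception records in this report (the long run of faults listed earlier and the single record under this VMware signature) print registers in decimal, which hides what the probes are doing. The Python below is an added example for this report; it is not Cuckoo's code and not the sample's. It parses records in the format Cuckoo prints and classifies them: an `in eax, dx` fault with EAX = 0x564D5868 ('VMXh') and DX = 0x5658 ('VX') is the VMware backdoor port probe, with the command number in ECX (the record above carries 0x14, GETMEMSIZE; the earlier one carries 0x0A, GETVERSION; names taken from open-vm-tools' backdoor_def.h); the bytes 0F 3F that faulted with STATUS_ILLEGAL_INSTRUCTION are the VirtualPC guest-call opcode, which only executes inside VirtualPC; `int 1` is reported as an access violation on a normal Windows host; and the many `sti` faults are privileged-instruction probes of the kind the Themida label in the AV results would predict. It also recovers the module base as exception.address minus exception.offset, which is the same 0xDA0000 for every record. The three sample records are copied from this report and reduced to the fields the decoder uses.

```python
"""Decode Cuckoo __exception__ records into anti-VM / anti-debug verdicts.
Added example for this report; it is not Cuckoo code and not the sample's."""
import re

# VMware backdoor interface (command names from open-vm-tools backdoor_def.h).
VMWARE_MAGIC = 0x564D5868                 # 'VMXh', loaded into EAX before the IN
VMWARE_PORT = 0x5658                      # 'VX', the I/O port in DX
VMWARE_CMDS = {0x0A: "GETVERSION", 0x14: "GETMEMSIZE"}   # the two commands seen here
VIRTUALPC_OPCODE = b"\x0f\x3f"            # VirtualPC guest call; #UD on real CPUs
NTSTATUS = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
    0xC0000096: "STATUS_PRIVILEGED_INSTRUCTION",
}
FIELD = re.compile(r"^(exception\.\w+|registers\.\w+):\s*(.*)$")


def parse_records(text):
    """Split the dump on '__exception__' markers and collect 'key: value' fields."""
    records = []
    for chunk in text.split("__exception__")[1:]:
        rec = {}
        for line in chunk.splitlines():
            m = FIELD.match(line.strip())
            if m:
                rec[m.group(1)] = m.group(2).strip()
        if rec:
            records.append(rec)
    return records


def num(rec, key, default="0"):
    """Cuckoo prints exception codes/addresses as 0x... and registers in decimal."""
    return int(rec.get(key, default), 0)


def classify(rec):
    code = num(rec, "exception.exception_code")
    opcode = bytes.fromhex(rec.get("exception.instruction_r", "").replace(" ", ""))
    mnemonic = rec.get("exception.instruction", "")   # missing when the disassembler gave up
    eax, ecx, edx = (num(rec, "registers." + r) for r in ("eax", "ecx", "edx"))

    if (code == 0xC0000096 and mnemonic == "in eax, dx"
            and eax == VMWARE_MAGIC and edx == VMWARE_PORT):
        # Ring-3 IN is #GP on bare metal; under VMware the hypervisor answers and
        # returns the magic in EBX. The bytes following ED in the record
        # (81 fb 68 58 4d 56 = cmp ebx, 0x564D5868) are that comparison.
        return "vmware-backdoor/" + VMWARE_CMDS.get(ecx, "cmd_0x%02x" % ecx)
    if code == 0xC000001D and opcode.startswith(VIRTUALPC_OPCODE):
        return "virtualpc-backdoor"
    if code == 0xC0000005 and opcode.startswith(b"\xcd\x01"):
        # Windows installs IDT vector 1 with DPL 0, so a software int 1 from ring 3
        # raises #GP, reported as an access violation unless a debugger swallows it.
        return "int1-trap"
    if code == 0xC0000096:
        return "privileged-instruction/" + (mnemonic or opcode[:1].hex())
    return "unclassified/" + NTSTATUS.get(code, hex(code))


def image_base(rec):
    """exception.address is the VA and exception.offset the RVA of the fault."""
    return num(rec, "exception.address") - num(rec, "exception.offset")


def triage(text):
    recs = parse_records(text)
    return [classify(r) for r in recs], {image_base(r) for r in recs}


# Three records copied from this report, reduced to the fields the decoder uses.
SAMPLE = """
__exception__
exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 f4 3a 2d 12 01
exception.instruction: in eax, dx
exception.exception_code: 0xc0000096
exception.offset: 2048236
exception.address: 0xf940ec
registers.eax: 1447909480
registers.edx: 22104
registers.ecx: 10
__exception__
exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb
exception.exception_code: 0xc000001d
exception.offset: 2042389
exception.address: 0xf92a15
registers.eax: 1
registers.edx: 22104
registers.ecx: 20
__exception__
exception.instruction_r: cd 01 eb 00 6a 00 51 e8 03 00 00 00 20 59 c3 59
exception.instruction: int 1
exception.exception_code: 0xc0000005
exception.offset: 2079519
exception.address: 0xf9bb1f
registers.eax: 2817428
registers.edx: 4294949885
registers.ecx: 16366176
"""
```

Running `triage(SAMPLE)` yields the verdicts vmware-backdoor/GETVERSION, virtualpc-backdoor and int1-trap, and a single module base of 0xDA0000; feeding it the full dump above classifies the remaining records as privileged-instruction/sti.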
File has been identified by 10 AntiVirus engines on IRMA as malicious (10 events)
G Data Antivirus (Windows) Virus: Gen:Variant.Mikey.172612 (Engine A)
Avast Core Security (Linux) Win32:MalwareX-gen [Drp]
WithSecure (Linux) Trojan.TR/Crypt.TPM.Gen
eScan Antivirus (Linux) Gen:Variant.Mikey.172612(DB)
ESET Security (Windows) a variant of Win32/Packed.Themida.HZB trojan
Sophos Anti-Virus (Linux) Mal/Amadey-D
DrWeb Antivirus (Linux) Trojan.MulDrop28.52943
Bitdefender Antivirus (Linux) Gen:Variant.Mikey.172612
Kaspersky Standard (Windows) HEUR:Trojan-Downloader.Win32.Generic
Emsisoft Commandline Scanner (Windows) Gen:Variant.Mikey.172612 (B)
File has been identified by 61 AntiVirus engines on VirusTotal as malicious (50 out of 61 events)
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Amadey.4!c
tehtris Generic.Malware
Cynet Malicious (score: 99)
CAT-QuickHeal Trojan.Ghanarava.1735400731268de2
Skyhigh BehavesLike.Win32.Themida.vh
ALYac Gen:Variant.Mikey.172612
Cylance Unsafe
VIPRE Gen:Variant.Mikey.172612
Sangfor Suspicious.Win32.Save.ins
CrowdStrike win/malicious_confidence_100% (W)
BitDefender Gen:Variant.Mikey.172612
K7GW Trojan ( 00587f0f1 )
K7AntiVirus Trojan ( 00587f0f1 )
Arcabit Trojan.Mikey.D2A244
VirIT Trojan.Win32.Genus.XLD
Symantec Trojan.Gen.MBT
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/Packed.Themida.HZB
APEX Malicious
Avast Win32:MalwareX-gen [Drp]
Kaspersky UDS:DangerousObject.Multi.Generic
Alibaba TrojanDownloader:Win32/Amadey.1c967e75
NANO-Antivirus Trojan.Win32.TPM.kubzrr
MicroWorld-eScan Gen:Variant.Mikey.172612
Rising Trojan.Agent!1.1074D (CLASSIC)
Emsisoft Gen:Variant.Mikey.172612 (B)
F-Secure Trojan.TR/Crypt.TPM.Gen
DrWeb Trojan.MulDrop28.52943
Zillya Trojan.Themida.Win32.125360
McAfeeD Real Protect-LS!1C41E3FBE310
Trapmine malicious.high.ml.score
CTX exe.trojan.amadey
Sophos Mal/Amadey-D
SentinelOne Static AI - Malicious PE
Google Detected
Avira TR/Crypt.TPM.Gen
Antiy-AVL Trojan/Win32.Amadey
Kingsoft Win32.HeurC.KVMH008.a
Gridinsoft Trojan.Heur!.030120A1
Xcitium Malware@#3brrslva9pd10
Microsoft Trojan:Win32/Amadey.BAN!MTB
ViRobot Trojan.Win.Z.Zusy.2976256.A
ZoneAlarm Mal/Amadey-D
GData Gen:Variant.Mikey.172612
Varist W32/Agent.JDU.gen!Eldorado
AhnLab-V3 Trojan/Win.Generic.R687037
VBA32 TScope.Malware-Cryptor.SB
DeepInstinct MALICIOUS
Malwarebytes Trojan.MalPack.Themida.Generic
Screenshots
Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action VT Location
No hosts contacted.