File 3943be83a242d76d8390a44ac624b78439f3aa4cdd199d963404189e09327463

Size 7.7MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 75615594c6fc723fb3a9befa374d9e36
SHA1 d1c44a8f05539c90b749c76c77b8ec3b7fc82dd3
SHA256 3943be83a242d76d8390a44ac624b78439f3aa4cdd199d963404189e09327463
SHA512 3c5475fd58847fad8099658b357e1dfc9d30f4419e9e45f6c4e4d24025d35499abf7ba3fa4edf3355e3ddd7971434db4f311613b1b2f796c2bf797beb972eb22
CRC32 472F202E
ssdeep None
Yara
  • escalate_priv - Escalade priviledges
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_files_operation - Affect private profile

Score

This file is very suspicious, with a score of 10 out of 10!

Please note: the scoring system is still in development and should be considered an alpha feature.



Information on Execution

Analysis
Category Started Completed Duration Routing
FILE April 2, 2025, 12:14 p.m. April 2, 2025, 12:21 p.m. 427 seconds internet

Analyzer Log

2025-04-01 17:25:58,015 [analyzer] DEBUG: Starting analyzer from: C:\tmpblqbwr
2025-04-01 17:25:58,030 [analyzer] DEBUG: Pipe server name: \??\PIPE\KqNePgWkoLlKtWDWdBYbQuFwJex
2025-04-01 17:25:58,030 [analyzer] DEBUG: Log pipe server name: \??\PIPE\gjdylCuqRPjfZjfhQSVtUdMt
2025-04-01 17:25:58,500 [analyzer] DEBUG: Started auxiliary module Curtain
2025-04-01 17:25:58,515 [analyzer] DEBUG: Started auxiliary module DbgView
2025-04-01 17:25:59,312 [analyzer] DEBUG: Started auxiliary module Disguise
2025-04-01 17:25:59,515 [analyzer] DEBUG: Loaded monitor into process with pid 504
2025-04-01 17:25:59,515 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2025-04-01 17:25:59,515 [analyzer] DEBUG: Started auxiliary module Human
2025-04-01 17:25:59,515 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2025-04-01 17:25:59,530 [analyzer] DEBUG: Started auxiliary module Reboot
2025-04-01 17:25:59,655 [analyzer] DEBUG: Started auxiliary module RecentFiles
2025-04-01 17:25:59,655 [analyzer] DEBUG: Started auxiliary module Screenshots
2025-04-01 17:25:59,655 [analyzer] DEBUG: Started auxiliary module Sysmon
2025-04-01 17:25:59,655 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2025-04-01 17:26:00,015 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\3943be83a242d76d8390a44ac624b78439f3aa4cdd199d963404189e09327463.exe' with arguments '' and pid 2996
2025-04-01 17:26:00,203 [analyzer] DEBUG: Loaded monitor into process with pid 2996
2025-04-01 17:26:00,312 [analyzer] INFO: Added new file to list with pid 2996 and path C:\Users\Administrator\AppData\Local\Temp\is-PU5LU.tmp\3943be83a242d76d8390a44ac624b78439f3aa4cdd199d963404189e09327463.tmp
2025-04-01 17:26:00,437 [analyzer] INFO: Injected into process with pid 3032 and name ''
2025-04-01 17:26:00,640 [analyzer] DEBUG: Loaded monitor into process with pid 3032
2025-04-01 17:26:00,842 [analyzer] INFO: Added new file to list with pid 3032 and path C:\Users\Administrator\AppData\Local\Temp\is-UFAV5.tmp\_isetup\_RegDLL.tmp
2025-04-01 17:26:00,858 [analyzer] INFO: Added new file to list with pid 3032 and path C:\Users\Administrator\AppData\Local\Temp\is-UFAV5.tmp\_isetup\_setup64.tmp
2025-04-01 17:26:00,858 [analyzer] INFO: Added new file to list with pid 3032 and path C:\Users\Administrator\AppData\Local\Temp\is-UFAV5.tmp\_isetup\_shfoldr.dll
2025-04-01 17:26:00,875 [analyzer] INFO: Added new file to list with pid 3032 and path C:\Users\Administrator\AppData\Local\Temp\is-UFAV5.tmp\_isetup\_iscrypt.dll
2025-04-01 17:26:02,421 [analyzer] INFO: Added new file to list with pid 3032 and path C:\Users\Administrator\AppData\Local\Delete Multiple Files 1.8\uninstall\is-1UAV1.tmp
2025-04-01 17:26:02,453 [analyzer] INFO: Added new file to list with pid 3032 and path C:\Users\Administrator\AppData\Local\Delete Multiple Files 1.8\is-5R7JI.tmp
2025-04-01 17:26:02,608 [analyzer] INFO: Added new file to list with pid 3032 and path C:\Users\Administrator\AppData\Local\Delete Multiple Files 1.8\is-S2E4F.tmp
2025-04-01 17:26:02,750 [analyzer] INFO: Added new file to list with pid 3032 and path C:\Users\Administrator\AppData\Local\Delete Multiple Files 1.8\is-UABCA.tmp
2025-04-01 17:26:02,765 [analyzer] INFO: Added new file to list with pid 3032 and path C:\Users\Administrator\AppData\Local\Delete Multiple Files 1.8\is-D0KJO.tmp
2025-04-01 17:26:02,842 [analyzer] INFO: Added new file to list with pid 3032 and path C:\Users\Administrator\AppData\Local\Delete Multiple Files 1.8\is-31TQ5.tmp
2025-04-01 17:26:02,905 [analyzer] INFO: Added new file to list with pid 3032 and path C:\Users\Administrator\AppData\Local\Delete Multiple Files 1.8\is-0AR0D.tmp
2025-04-01 17:26:03,015 [analyzer] INFO: Added new file to list with pid 3032 and path C:\Users\Administrator\AppData\Local\Delete Multiple Files 1.8\is-NI0V1.tmp
2025-04-01 17:26:03,078 [analyzer] INFO: Added new file to list with pid 3032 and path C:\Users\Administrator\AppData\Local\Delete Multiple Files 1.8\is-B2AKB.tmp
2025-04-01 17:26:03,092 [analyzer] INFO: Added new file to list with pid 3032 and path C:\Users\Administrator\AppData\Local\Delete Multiple Files 1.8\is-LLUC6.tmp
2025-04-01 17:26:03,483 [analyzer] INFO: Added new file to list with pid 3032 and path C:\Users\Administrator\AppData\Local\Delete Multiple Files 1.8\is-SNQ5K.tmp
2025-04-01 17:26:03,842 [analyzer] INFO: Added new file to list with pid 3032 and path C:\Users\Administrator\AppData\Local\Delete Multiple Files 1.8\is-PAAG3.tmp
2025-04-01 17:26:03,890 [analyzer] INFO: Added new file to list with pid 3032 and path C:\Users\Administrator\AppData\Local\Delete Multiple Files 1.8\is-B7USJ.tmp
2025-04-01 17:26:04,592 [analyzer] INFO: Added new file to list with pid 3032 and path C:\Users\Administrator\AppData\Local\Delete Multiple Files 1.8\uninstall\unins000.dat
2025-04-01 17:26:29,015 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2025-04-01 17:26:29,890 [analyzer] INFO: Terminating remaining processes before shutdown.
2025-04-01 17:26:29,890 [lib.api.process] INFO: Successfully terminated process with pid 2996.
2025-04-01 17:26:29,890 [lib.api.process] INFO: Successfully terminated process with pid 3032.
2025-04-01 17:26:31,967 [analyzer] INFO: Analysis completed.

Cuckoo Log

2025-04-02 12:14:03,567 [cuckoo.core.scheduler] DEBUG: Task #6207560: no machine available yet
2025-04-02 12:14:04,592 [cuckoo.core.scheduler] DEBUG: Task #6207560: no machine available yet
2025-04-02 12:14:05,649 [cuckoo.core.scheduler] DEBUG: Task #6207560: no machine available yet
2025-04-02 12:14:06,721 [cuckoo.core.scheduler] DEBUG: Task #6207560: no machine available yet
2025-04-02 12:14:07,786 [cuckoo.core.scheduler] DEBUG: Task #6207560: no machine available yet
2025-04-02 12:14:08,873 [cuckoo.core.scheduler] DEBUG: Task #6207560: no machine available yet
2025-04-02 12:14:09,994 [cuckoo.core.scheduler] INFO: Task #6207560: acquired machine win7x6418 (label=win7x6418)
2025-04-02 12:14:09,995 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.218 for task #6207560
2025-04-02 12:14:10,461 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 2152686 (interface=vboxnet0, host=192.168.168.218)
2025-04-02 12:14:15,946 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x6418
2025-04-02 12:14:16,682 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x6418 to vmcloak
2025-04-02 12:17:14,939 [cuckoo.core.guest] INFO: Starting analysis #6207560 on guest (id=win7x6418, ip=192.168.168.218)
2025-04-02 12:17:15,949 [cuckoo.core.guest] DEBUG: win7x6418: not ready yet
2025-04-02 12:17:20,987 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x6418, ip=192.168.168.218)
2025-04-02 12:17:21,188 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x6418, ip=192.168.168.218, monitor=latest, size=6660546)
2025-04-02 12:17:23,218 [cuckoo.core.resultserver] DEBUG: Task #6207560: live log analysis.log initialized.
2025-04-02 12:17:24,748 [cuckoo.core.resultserver] DEBUG: Task #6207560 is sending a BSON stream
2025-04-02 12:17:25,372 [cuckoo.core.resultserver] DEBUG: Task #6207560 is sending a BSON stream
2025-04-02 12:17:25,861 [cuckoo.core.resultserver] DEBUG: Task #6207560 is sending a BSON stream
2025-04-02 12:17:26,099 [cuckoo.core.resultserver] DEBUG: Task #6207560: File upload for 'shots/0001.jpg'
2025-04-02 12:17:26,133 [cuckoo.core.resultserver] DEBUG: Task #6207560 uploaded file length: 133441
2025-04-02 12:17:36,569 [cuckoo.core.resultserver] DEBUG: Task #6207560: File upload for 'shots/0002.jpg'
2025-04-02 12:17:36,587 [cuckoo.core.resultserver] DEBUG: Task #6207560 uploaded file length: 88980
2025-04-02 12:17:37,667 [cuckoo.core.resultserver] DEBUG: Task #6207560: File upload for 'shots/0003.jpg'
2025-04-02 12:17:37,687 [cuckoo.core.resultserver] DEBUG: Task #6207560 uploaded file length: 89593
2025-04-02 12:17:38,048 [cuckoo.core.guest] DEBUG: win7x6418: analysis #6207560 still processing
2025-04-02 12:17:38,805 [cuckoo.core.resultserver] DEBUG: Task #6207560: File upload for 'shots/0004.jpg'
2025-04-02 12:17:38,827 [cuckoo.core.resultserver] DEBUG: Task #6207560 uploaded file length: 90024
2025-04-02 12:17:39,971 [cuckoo.core.resultserver] DEBUG: Task #6207560: File upload for 'shots/0005.jpg'
2025-04-02 12:17:40,025 [cuckoo.core.resultserver] DEBUG: Task #6207560 uploaded file length: 90525
2025-04-02 12:17:41,121 [cuckoo.core.resultserver] DEBUG: Task #6207560: File upload for 'shots/0006.jpg'
2025-04-02 12:17:41,147 [cuckoo.core.resultserver] DEBUG: Task #6207560 uploaded file length: 90941
2025-04-02 12:17:53,601 [cuckoo.core.guest] DEBUG: win7x6418: analysis #6207560 still processing
2025-04-02 12:17:54,641 [cuckoo.core.resultserver] DEBUG: Task #6207560: File upload for 'curtain/1743521189.31.curtain.log'
2025-04-02 12:17:54,663 [cuckoo.core.resultserver] DEBUG: Task #6207560 uploaded file length: 36
2025-04-02 12:17:54,845 [cuckoo.core.resultserver] DEBUG: Task #6207560: File upload for 'sysmon/1743521189.53.sysmon.xml'
2025-04-02 12:17:55,367 [cuckoo.core.resultserver] DEBUG: Task #6207560 uploaded file length: 1175020
2025-04-02 12:17:55,433 [cuckoo.core.resultserver] DEBUG: Task #6207560: File upload for 'files/201c3bf7995424b5_unins000.dat'
2025-04-02 12:17:55,449 [cuckoo.core.resultserver] DEBUG: Task #6207560 uploaded file length: 6417
2025-04-02 12:17:55,457 [cuckoo.core.resultserver] DEBUG: Task #6207560: File upload for 'files/ff6507a53076a9c3_qt5printsupport.dll'
2025-04-02 12:17:55,500 [cuckoo.core.resultserver] DEBUG: Task #6207560 uploaded file length: 226304
2025-04-02 12:17:55,505 [cuckoo.core.resultserver] DEBUG: Task #6207560: File upload for 'files/ee1d7d8f396d627f_libegl.dll'
2025-04-02 12:17:55,521 [cuckoo.core.resultserver] DEBUG: Task #6207560 uploaded file length: 48128
2025-04-02 12:17:55,530 [cuckoo.core.resultserver] DEBUG: Task #6207560: File upload for 'files/b50b7ac03ec6da86__setup64.tmp'
2025-04-02 12:17:55,545 [cuckoo.core.resultserver] DEBUG: Task #6207560 uploaded file length: 5632
2025-04-02 12:17:55,556 [cuckoo.core.resultserver] DEBUG: Task #6207560: File upload for 'files/16574f51785b0e2f_sqlite3.dll'
2025-04-02 12:17:55,591 [cuckoo.core.resultserver] DEBUG: Task #6207560 uploaded file length: 645592
2025-04-02 12:17:55,598 [cuckoo.core.resultserver] DEBUG: Task #6207560: File upload for 'files/3101defd22949bb9_unins000.exe'
2025-04-02 12:17:55,646 [cuckoo.core.resultserver] DEBUG: Task #6207560 uploaded file length: 695578
2025-04-02 12:17:55,653 [cuckoo.core.resultserver] DEBUG: Task #6207560: File upload for 'files/173092c4e256958b_icuin51.dll'
2025-04-02 12:17:55,766 [cuckoo.core.resultserver] DEBUG: Task #6207560 uploaded file length: 1767424
2025-04-02 12:17:55,782 [cuckoo.core.resultserver] DEBUG: Task #6207560: File upload for 'files/4b2d0e302a9b230b_deletemultiplefiles.exe'
2025-04-02 12:17:56,349 [cuckoo.core.resultserver] DEBUG: Task #6207560 uploaded file length: 4704560
2025-04-02 12:17:56,380 [cuckoo.core.resultserver] DEBUG: Task #6207560: File upload for 'files/5dcc1e0a19792290__regdll.tmp'
2025-04-02 12:17:56,385 [cuckoo.core.resultserver] DEBUG: Task #6207560 uploaded file length: 3584
2025-04-02 12:17:56,391 [cuckoo.core.resultserver] DEBUG: Task #6207560: File upload for 'files/2357806ca24c9d31_icuuc51.dll'
2025-04-02 12:17:56,430 [cuckoo.core.resultserver] DEBUG: Task #6207560 uploaded file length: 1295872
2025-04-02 12:17:56,445 [cuckoo.core.resultserver] DEBUG: Task #6207560: File upload for 'files/06bbe605d7b0ef04_libglesv2.dll'
2025-04-02 12:17:56,471 [cuckoo.core.resultserver] DEBUG: Task #6207560 uploaded file length: 728576
2025-04-02 12:17:56,478 [cuckoo.core.resultserver] DEBUG: Task #6207560: File upload for 'files/60c06e0fa4449314_msvcr100.dll'
2025-04-02 12:17:56,521 [cuckoo.core.resultserver] DEBUG: Task #6207560 uploaded file length: 773968
2025-04-02 12:17:56,530 [cuckoo.core.resultserver] DEBUG: Task #6207560: File upload for 'files/102ff5ae82519ef1_qt5gui.dll'
2025-04-02 12:17:56,678 [cuckoo.core.resultserver] DEBUG: Task #6207560 uploaded file length: 2924032
2025-04-02 12:17:56,717 [cuckoo.core.resultserver] DEBUG: Task #6207560: File upload for 'files/d769fafa2b3232de_msvcp100.dll'
2025-04-02 12:17:56,784 [cuckoo.core.resultserver] DEBUG: Task #6207560 uploaded file length: 421200
2025-04-02 12:17:56,803 [cuckoo.core.resultserver] DEBUG: Task #6207560: File upload for 'files/2f6294f9aa09f59a__iscrypt.dll'
2025-04-02 12:17:56,811 [cuckoo.core.resultserver] DEBUG: Task #6207560 uploaded file length: 2560
2025-04-02 12:17:56,820 [cuckoo.core.resultserver] DEBUG: Task #6207560: File upload for 'files/32b0acdf551507b4_qt5concurrent.dll'
2025-04-02 12:17:56,834 [cuckoo.core.resultserver] DEBUG: Task #6207560 uploaded file length: 18432
2025-04-02 12:17:56,840 [cuckoo.core.resultserver] DEBUG: Task #6207560: File upload for 'files/9884e9d1b4f8a873__shfoldr.dll'
2025-04-02 12:17:56,856 [cuckoo.core.resultserver] DEBUG: Task #6207560 uploaded file length: 23312
2025-04-02 12:17:56,868 [cuckoo.core.resultserver] DEBUG: Task #6207560: File upload for 'files/b262e859ce82479e_qt5core.dll'
2025-04-02 12:17:57,268 [cuckoo.core.resultserver] DEBUG: Task #6207560 uploaded file length: 3853824
2025-04-02 12:17:57,348 [cuckoo.core.resultserver] DEBUG: Task #6207560: File upload for 'files/f2fcb818c0f1a3f4_3943be83a242d76d8390a44ac624b78439f3aa4cdd199d963404189e09327463.tmp'
2025-04-02 12:17:57,367 [cuckoo.core.resultserver] DEBUG: Task #6207560 uploaded file length: 685056
2025-04-02 12:17:57,374 [cuckoo.core.resultserver] DEBUG: Task #6207560 had connection reset for <Context for LOG>
2025-04-02 12:17:59,668 [cuckoo.core.guest] INFO: win7x6418: analysis completed successfully
2025-04-02 12:17:59,683 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2025-04-02 12:17:59,718 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2025-04-02 12:18:01,219 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x6418 to path /srv/cuckoo/cwd/storage/analyses/6207560/memory.dmp
2025-04-02 12:18:01,236 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x6418
2025-04-02 12:21:09,940 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.218 for task #6207560
2025-04-02 12:21:10,547 [cuckoo.core.scheduler] DEBUG: Released database task #6207560
2025-04-02 12:21:10,574 [cuckoo.core.scheduler] INFO: Task #6207560: analysis procedure completed

Signatures

Yara rules detected for file (4 events)
description Escalade priviledges rule escalate_priv
description Affect system registries rule win_registry
description Affect system token rule win_token
description Affect private profile rule win_files_operation
Allocates read-write-execute memory (usually to unpack itself) (4 events)
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 40960
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00401000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2996
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 20480
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0040f000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3032
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003e0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
Queries for the computername (1 event)
Time & API Arguments Status Return Repeated

GetComputerNameA

computer_name: YRKRCIHM
1 1 0
Checks if process is being debugged by a debugger (1 event)
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)
section CODE
section DATA
section BSS
One or more processes crashed (2 events)
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
3943be83a242d76d8390a44ac624b78439f3aa4cdd199d963404189e09327463+0x40aaa @ 0x440aaa
3943be83a242d76d8390a44ac624b78439f3aa4cdd199d963404189e09327463+0x428ef @ 0x4428ef
3943be83a242d76d8390a44ac624b78439f3aa4cdd199d963404189e09327463+0x47f98 @ 0x447f98
3943be83a242d76d8390a44ac624b78439f3aa4cdd199d963404189e09327463+0x3debd @ 0x43debd
3943be83a242d76d8390a44ac624b78439f3aa4cdd199d963404189e09327463+0x3cdf3 @ 0x43cdf3
3943be83a242d76d8390a44ac624b78439f3aa4cdd199d963404189e09327463+0x8cfec @ 0x48cfec
3943be83a242d76d8390a44ac624b78439f3aa4cdd199d963404189e09327463+0x79ab1 @ 0x479ab1
3943be83a242d76d8390a44ac624b78439f3aa4cdd199d963404189e09327463+0x90c38 @ 0x490c38
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133aa @ 0x754f33aa
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x77a39f72
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x77a39f45

exception.instruction_r: 8b 06 c7 45 fc fe ff ff ff 85 db 0f 85 97 34 00
exception.symbol: WNetCloseEnum+0x14 WNetOpenEnumW-0x11c mpr+0x2dea
exception.instruction: mov eax, dword ptr [esi]
exception.module: mpr.dll
exception.exception_code: 0xc0000005
exception.offset: 11754
exception.address: 0x748c2dea
registers.esp: 1637612
registers.edi: 5284756
registers.eax: 1637640
registers.ebp: 1637656
registers.edx: 44
registers.ebx: 0
registers.esi: 44
registers.ecx: 0
1 0 0

__exception__

stacktrace:
3943be83a242d76d8390a44ac624b78439f3aa4cdd199d963404189e09327463+0x3d9e2 @ 0x43d9e2
3943be83a242d76d8390a44ac624b78439f3aa4cdd199d963404189e09327463+0x3cdf3 @ 0x43cdf3
3943be83a242d76d8390a44ac624b78439f3aa4cdd199d963404189e09327463+0x8cfec @ 0x48cfec
3943be83a242d76d8390a44ac624b78439f3aa4cdd199d963404189e09327463+0x79ab1 @ 0x479ab1
3943be83a242d76d8390a44ac624b78439f3aa4cdd199d963404189e09327463+0x90c38 @ 0x490c38
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133aa @ 0x754f33aa
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x77a39f72
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x77a39f45

exception.instruction_r: f7 37 89 06 e9 dd 07 00 00 8b 06 33 d2 8a 17 8b
exception.symbol: 3943be83a242d76d8390a44ac624b78439f3aa4cdd199d963404189e09327463+0x3acd7
exception.instruction: div dword ptr [edi]
exception.module: 3943be83a242d76d8390a44ac624b78439f3aa4cdd199d963404189e09327463.tmp
exception.exception_code: 0xc0000094
exception.offset: 240855
exception.address: 0x43acd7
registers.esp: 1637784
registers.edi: 5279932
registers.eax: 24746210
registers.ebp: 1637864
registers.edx: 0
registers.ebx: 1
registers.esi: 5279924
registers.ecx: 5279932
1 0 0
Creates executable files on the filesystem (3 events)
file C:\Users\Administrator\AppData\Local\Temp\is-UFAV5.tmp\_isetup\_shfoldr.dll
file C:\Users\Administrator\AppData\Local\Temp\is-UFAV5.tmp\_isetup\_iscrypt.dll
file C:\Users\Administrator\AppData\Local\Delete Multiple Files 1.8\deletemultiplefiles.exe
Queries for potentially installed applications (4 events)
Time & API Arguments Status Return Repeated

RegOpenKeyExA

regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Delete Multiple Files_is1
base_handle: 0x80000001
key_handle: 0x00000000
options: 0
access: 0x00000001
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Delete Multiple Files_is1
2 0

RegOpenKeyExA

regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Delete Multiple Files_is1
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Delete Multiple Files_is1
2 0

RegOpenKeyExA

regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Delete Multiple Files_is1
base_handle: 0x80000001
key_handle: 0x00000000
options: 0
access: 0x00000008
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Delete Multiple Files_is1
2 0

RegOpenKeyExA

regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Delete Multiple Files_is1
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x00000008
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Delete Multiple Files_is1
2 0
File has been identified by 5 AntiVirus engines on IRMA as malicious (5 events)
Avast Core Security (Linux) Win32:Malware-gen
ESET Security (Windows) multiple detections
Sophos Anti-Virus (Linux) Mal/Generic-S
DrWeb Antivirus (Linux) Trojan.DownLoader48.24080
Kaspersky Standard (Windows) Trojan.Win32.Ekstak.azzbr
File has been identified by 9 AntiVirus engines on VirusTotal as malicious (9 events)
Bkav W32.AIDetectMalware
Cynet Malicious (score: 100)
Elastic malicious (high confidence)
ESET-NOD32 multiple detections
APEX Malicious
F-Secure Heuristic.HEUR/AGEN.1375587
SentinelOne Static AI - Suspicious PE
Avira HEUR/AGEN.1375587
huorong HEUR:TrojanDropper/Agent.t
DNS lookups (Name, Response, Post-Analysis Lookup): No hosts contacted.
Hosts (IP Address, Status, Action, VT, Location): No hosts contacted.