Cuckoo Sandbox

File 40390d043fe0131afcf00e297b2d350bd5d3d4bf6ead3efaef007aa635348fe7

Summary
Download Resubmit sample

Size	2.0MB
Type	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
MD5	`38b97cdf4b554dc1d4c18f62cd235a5d`
SHA1	`69002d8279c81d7ee5569373fdf9042c908de0ce`
SHA256	`40390d043fe0131afcf00e297b2d350bd5d3d4bf6ead3efaef007aa635348fe7`
SHA512	`ddd46f7d0cebcc28cb36575654e170493ed19b63595c0e5d32a4d4f2f455414a24e0e65b5c66dacb94a3226be1628508d9812748cd8eee88f450df54654c2032`
CRC32	`A92F8B0A`
ssdeep	`None`
Yara	suspicious_packer_section - The packer/protector section names/keywords SEH__vba - (no description)

Score

This file is very suspicious, with a score of 10 out of 10!

Please notice: The scoring system is currently still in development and should be considered an alpha feature.

Autosubmit

6667487

Feedback

Expecting different results? Send us this analysis and we will inspect it. Click here

Information on Execution

Analysis

Category	Started	Completed	Duration	Routing	Logs
FILE	July 7, 2025, 2:54 p.m.	July 7, 2025, 3 p.m.	403 seconds	internet	Show Analyzer Log Show Cuckoo Log

Analyzer Log

2025-07-07 10:05:23,030 [analyzer] DEBUG: Starting analyzer from: C:\tmp4w2pkt
2025-07-07 10:05:23,030 [analyzer] DEBUG: Pipe server name: \??\PIPE\QZtVHAcIyLzDAqtIrYtXqpmTxVB
2025-07-07 10:05:23,030 [analyzer] DEBUG: Log pipe server name: \??\PIPE\PLoobvDDWYhldFkXjIAEjTbGOFEV
2025-07-07 10:05:23,342 [analyzer] DEBUG: Started auxiliary module Curtain
2025-07-07 10:05:23,358 [analyzer] DEBUG: Started auxiliary module DbgView
2025-07-07 10:05:23,842 [analyzer] DEBUG: Started auxiliary module Disguise
2025-07-07 10:05:24,046 [analyzer] DEBUG: Loaded monitor into process with pid 508
2025-07-07 10:05:24,046 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2025-07-07 10:05:24,046 [analyzer] DEBUG: Started auxiliary module Human
2025-07-07 10:05:24,062 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2025-07-07 10:05:24,062 [analyzer] DEBUG: Started auxiliary module Reboot
2025-07-07 10:05:24,140 [analyzer] DEBUG: Started auxiliary module RecentFiles
2025-07-07 10:05:24,140 [analyzer] DEBUG: Started auxiliary module Screenshots
2025-07-07 10:05:24,140 [analyzer] DEBUG: Started auxiliary module Sysmon
2025-07-07 10:05:24,140 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2025-07-07 10:05:24,312 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\40390d043fe0131afcf00e297b2d350bd5d3d4bf6ead3efaef007aa635348fe7.exe' with arguments '' and pid 2360
2025-07-07 10:05:24,530 [analyzer] DEBUG: Loaded monitor into process with pid 2360
2025-07-07 10:05:24,625 [analyzer] INFO: io=NULL
2025-07-07 10:05:24,625 [analyzer] DEBUG: Error resolving function vbscript!COleScript_Compile through our custom callback.
2025-07-07 10:05:24,625 [analyzer] INFO: io=NULL
2025-07-07 10:05:24,640 [analyzer] DEBUG: Error resolving function vbscript!COleScript_Compile through our custom callback.
2025-07-07 10:05:24,858 [analyzer] INFO: Added new file to list with pid 2360 and path C:\Users\Administrator\AppData\Local\Temp\lkdsu.txt
2025-07-07 10:05:25,171 [analyzer] INFO: Injected into process with pid 1716 and name u'cmd.exe'
2025-07-07 10:05:25,375 [lib.api.process] ERROR: Failed to dump memory of 32-bit process with pid 1716.
2025-07-07 10:05:25,592 [analyzer] DEBUG: Loaded monitor into process with pid 1716
2025-07-07 10:05:25,703 [analyzer] INFO: Injected into process with pid 408 and name u'reg.exe'
2025-07-07 10:05:25,875 [analyzer] DEBUG: Loaded monitor into process with pid 408
2025-07-07 10:05:25,967 [analyzer] INFO: Added new file to list with pid 2360 and path C:\Users\Administrator\AppData\Roaming\Directory\Windowsdef.txt
2025-07-07 10:05:26,312 [analyzer] INFO: Process with pid 1716 has terminated
2025-07-07 10:05:26,765 [analyzer] INFO: Injected into process with pid 1916 and name u'Windowsdef.exe'
2025-07-07 10:05:26,858 [lib.api.process] ERROR: Failed to dump memory of 32-bit process with pid 1916.
2025-07-07 10:05:27,030 [analyzer] DEBUG: Loaded monitor into process with pid 1916
2025-07-07 10:05:27,108 [analyzer] INFO: io=NULL
2025-07-07 10:05:27,108 [analyzer] DEBUG: Error resolving function vbscript!COleScript_Compile through our custom callback.
2025-07-07 10:05:27,108 [analyzer] INFO: io=NULL
2025-07-07 10:05:27,108 [analyzer] DEBUG: Error resolving function vbscript!COleScript_Compile through our custom callback.
2025-07-07 13:58:30,263 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2025-07-07 13:58:30,686 [analyzer] INFO: Terminating remaining processes before shutdown.
2025-07-07 13:58:30,686 [lib.api.process] INFO: Successfully terminated process with pid 1916.
2025-07-07 13:58:30,686 [analyzer] INFO: Analysis completed.

Cuckoo Log

2025-07-07 14:54:15,868 [cuckoo.core.scheduler] DEBUG: Task #6660507: no machine available yet
2025-07-07 14:54:16,897 [cuckoo.core.scheduler] DEBUG: Task #6660507: no machine available yet
2025-07-07 14:54:18,080 [cuckoo.core.scheduler] DEBUG: Task #6660507: no machine available yet
2025-07-07 14:54:19,208 [cuckoo.core.scheduler] DEBUG: Task #6660507: no machine available yet
2025-07-07 14:54:20,321 [cuckoo.core.scheduler] DEBUG: Task #6660507: no machine available yet
2025-07-07 14:54:21,459 [cuckoo.core.scheduler] DEBUG: Task #6660507: no machine available yet
2025-07-07 14:54:22,795 [cuckoo.core.scheduler] DEBUG: Task #6660507: no machine available yet
2025-07-07 14:54:23,965 [cuckoo.core.scheduler] DEBUG: Task #6660507: no machine available yet
2025-07-07 14:54:25,081 [cuckoo.core.scheduler] DEBUG: Task #6660507: no machine available yet
2025-07-07 14:54:26,357 [cuckoo.core.scheduler] DEBUG: Task #6660507: no machine available yet
2025-07-07 14:54:27,383 [cuckoo.core.scheduler] DEBUG: Task #6660507: no machine available yet
2025-07-07 14:54:28,407 [cuckoo.core.scheduler] DEBUG: Task #6660507: no machine available yet
2025-07-07 14:54:29,436 [cuckoo.core.scheduler] DEBUG: Task #6660507: no machine available yet
2025-07-07 14:54:30,461 [cuckoo.core.scheduler] DEBUG: Task #6660507: no machine available yet
2025-07-07 14:54:31,488 [cuckoo.core.scheduler] DEBUG: Task #6660507: no machine available yet
2025-07-07 14:54:32,511 [cuckoo.core.scheduler] DEBUG: Task #6660507: no machine available yet
2025-07-07 14:54:33,534 [cuckoo.core.scheduler] DEBUG: Task #6660507: no machine available yet
2025-07-07 14:54:34,554 [cuckoo.core.scheduler] DEBUG: Task #6660507: no machine available yet
2025-07-07 14:54:35,579 [cuckoo.core.scheduler] DEBUG: Task #6660507: no machine available yet
2025-07-07 14:54:36,613 [cuckoo.core.scheduler] DEBUG: Task #6660507: no machine available yet
2025-07-07 14:54:37,637 [cuckoo.core.scheduler] DEBUG: Task #6660507: no machine available yet
2025-07-07 14:54:38,664 [cuckoo.core.scheduler] DEBUG: Task #6660507: no machine available yet
2025-07-07 14:54:39,689 [cuckoo.core.scheduler] DEBUG: Task #6660507: no machine available yet
2025-07-07 14:54:40,717 [cuckoo.core.scheduler] DEBUG: Task #6660507: no machine available yet
2025-07-07 14:54:41,740 [cuckoo.core.scheduler] DEBUG: Task #6660507: no machine available yet
2025-07-07 14:54:42,761 [cuckoo.core.scheduler] DEBUG: Task #6660507: no machine available yet
2025-07-07 14:54:43,787 [cuckoo.core.scheduler] DEBUG: Task #6660507: no machine available yet
2025-07-07 14:54:44,818 [cuckoo.core.scheduler] DEBUG: Task #6660507: no machine available yet
2025-07-07 14:54:46,043 [cuckoo.core.scheduler] DEBUG: Task #6660507: no machine available yet
2025-07-07 14:54:47,214 [cuckoo.core.scheduler] DEBUG: Task #6660507: no machine available yet
2025-07-07 14:54:48,248 [cuckoo.core.scheduler] DEBUG: Task #6660507: no machine available yet
2025-07-07 14:54:49,462 [cuckoo.core.scheduler] DEBUG: Task #6660507: no machine available yet
2025-07-07 14:54:50,557 [cuckoo.core.scheduler] DEBUG: Task #6660507: no machine available yet
2025-07-07 14:54:51,618 [cuckoo.core.scheduler] DEBUG: Task #6660507: no machine available yet
2025-07-07 14:54:52,794 [cuckoo.core.scheduler] DEBUG: Task #6660507: no machine available yet
2025-07-07 14:54:53,871 [cuckoo.core.scheduler] DEBUG: Task #6660507: no machine available yet
2025-07-07 14:54:54,912 [cuckoo.core.scheduler] DEBUG: Task #6660507: no machine available yet
2025-07-07 14:54:55,946 [cuckoo.core.scheduler] DEBUG: Task #6660507: no machine available yet
2025-07-07 14:54:57,009 [cuckoo.core.scheduler] DEBUG: Task #6660507: no machine available yet
2025-07-07 14:54:58,196 [cuckoo.core.scheduler] DEBUG: Task #6660507: no machine available yet
2025-07-07 14:54:59,270 [cuckoo.core.scheduler] DEBUG: Task #6660507: no machine available yet
2025-07-07 14:55:00,343 [cuckoo.core.scheduler] DEBUG: Task #6660507: no machine available yet
2025-07-07 14:55:01,420 [cuckoo.core.scheduler] DEBUG: Task #6660507: no machine available yet
2025-07-07 14:55:02,687 [cuckoo.core.scheduler] DEBUG: Task #6660507: no machine available yet
2025-07-07 14:55:03,799 [cuckoo.core.scheduler] DEBUG: Task #6660507: no machine available yet
2025-07-07 14:55:04,841 [cuckoo.core.scheduler] INFO: Task #6660507: acquired machine win7x6423 (label=win7x6423)
2025-07-07 14:55:04,851 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.223 for task #6660507
2025-07-07 14:55:05,432 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 2190439 (interface=vboxnet0, host=192.168.168.223)
2025-07-07 14:55:07,331 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x6423
2025-07-07 14:55:08,258 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x6423 to vmcloak
2025-07-07 14:57:52,176 [cuckoo.core.guest] INFO: Starting analysis #6660507 on guest (id=win7x6423, ip=192.168.168.223)
2025-07-07 14:57:53,182 [cuckoo.core.guest] DEBUG: win7x6423: not ready yet
2025-07-07 14:57:58,224 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x6423, ip=192.168.168.223)
2025-07-07 14:57:58,322 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x6423, ip=192.168.168.223, monitor=latest, size=6660546)
2025-07-07 14:58:00,082 [cuckoo.core.resultserver] DEBUG: Task #6660507: live log analysis.log initialized.
2025-07-07 14:58:00,938 [cuckoo.core.resultserver] DEBUG: Task #6660507 is sending a BSON stream
2025-07-07 14:58:01,400 [cuckoo.core.resultserver] DEBUG: Task #6660507 is sending a BSON stream
2025-07-07 14:58:01,875 [cuckoo.core.resultserver] DEBUG: Task #6660507: File upload for 'files/c91b07a98f7d795d_lkdsu.txt'
2025-07-07 14:58:01,883 [cuckoo.core.resultserver] DEBUG: Task #6660507 uploaded file length: 160
2025-07-07 14:58:02,226 [cuckoo.core.resultserver] DEBUG: Task #6660507: File upload for 'shots/0001.jpg'
2025-07-07 14:58:02,250 [cuckoo.core.resultserver] DEBUG: Task #6660507 uploaded file length: 133464
2025-07-07 14:58:02,463 [cuckoo.core.resultserver] DEBUG: Task #6660507 is sending a BSON stream
2025-07-07 14:58:02,750 [cuckoo.core.resultserver] DEBUG: Task #6660507 is sending a BSON stream
2025-07-07 14:58:02,945 [cuckoo.core.resultserver] DEBUG: Task #6660507: File upload for 'files/be6b1d2c2d620cef_Windowsdef.txt'
2025-07-07 14:58:03,005 [cuckoo.core.resultserver] DEBUG: Task #6660507 uploaded file length: 2075010
2025-07-07 14:58:03,903 [cuckoo.core.resultserver] DEBUG: Task #6660507 is sending a BSON stream
2025-07-07 14:58:14,853 [cuckoo.core.guest] DEBUG: win7x6423: analysis #6660507 still processing
2025-07-07 14:58:30,372 [cuckoo.core.guest] DEBUG: win7x6423: analysis #6660507 still processing
2025-07-07 14:58:30,463 [cuckoo.core.resultserver] DEBUG: Task #6660507: File upload for 'curtain/1751889510.45.curtain.log'
2025-07-07 14:58:30,475 [cuckoo.core.resultserver] DEBUG: Task #6660507 uploaded file length: 36
2025-07-07 14:58:30,658 [cuckoo.core.resultserver] DEBUG: Task #6660507: File upload for 'sysmon/1751889510.65.sysmon.xml'
2025-07-07 14:58:30,684 [cuckoo.core.resultserver] DEBUG: Task #6660507 uploaded file length: 2168774
2025-07-07 14:58:31,018 [cuckoo.core.resultserver] DEBUG: Task #6660507 had connection reset for <Context for LOG>
2025-07-07 14:58:33,392 [cuckoo.core.guest] INFO: win7x6423: analysis completed successfully
2025-07-07 14:58:33,409 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2025-07-07 14:58:33,440 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2025-07-07 14:58:34,982 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x6423 to path /srv/cuckoo/cwd/storage/analyses/6660507/memory.dmp
2025-07-07 14:58:34,983 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x6423
2025-07-07 15:00:48,510 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.223 for task #6660507
2025-07-07 15:00:49,158 [cuckoo.core.scheduler] DEBUG: Released database task #6660507
2025-07-07 15:00:49,206 [cuckoo.core.scheduler] INFO: Task #6660507: analysis procedure completed

Signatures

Yara rules detected for file (2 events)

description	The packer/protector section names/keywords				rule	suspicious_packer_section
description	(no description)				rule	SEH__vba

Command line console output was observed (4 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 7, 2025, 11:05 a.m.	buffer: C:\Users\Administrator\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW July 7, 2025, 11:05 a.m.	buffer: REG console_handle: 0x00000007	1	1
WriteConsoleW July 7, 2025, 11:05 a.m.	buffer: ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDef" /t REG_SZ /d "C:\Users\Administrator\AppData\Roaming\Directory\Windowsdef.exe" /f console_handle: 0x00000007	1	1
WriteConsoleW July 7, 2025, 11:05 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.imports

One or more processes crashed (3 events)

Time & API	Arguments	Status
__exception__ July 7, 2025, 11:05 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xc41f exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 50207 exception.address: 0x7507c41f registers.esp: 1637184 registers.edi: 7671920 registers.eax: 1637184 registers.ebp: 1637264 registers.edx: 0 registers.ebx: 7671920 registers.esi: 7671920 registers.ecx: 2	1
__exception__ July 7, 2025, 11:05 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf ProcCallEngine+0x4ce7 __vbaUdtVar-0x1bcd msvbvm60+0x101d44 @ 0x72a41d44 ProcCallEngine+0x2ad __vbaUdtVar-0x6607 msvbvm60+0xfd30a @ 0x72a3d30a EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 40390d043fe0131afcf00e297b2d350bd5d3d4bf6ead3efaef007aa635348fe7+0x10e2 @ 0x4010e2 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x77599f72 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x77599f45 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xc41f exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 50207 exception.address: 0x7507c41f registers.esp: 1637224 registers.edi: 7671800 registers.eax: 1637224 registers.ebp: 1637304 registers.edx: 0 registers.ebx: 4226744 registers.esi: 1637380 registers.ecx: 2	1
__exception__ July 7, 2025, 11:05 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf ProcCallEngine+0x4ce7 __vbaUdtVar-0x1bcd msvbvm60+0x101d44 @ 0x72a41d44 EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048 BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981 ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600 40390d043fe0131afcf00e297b2d350bd5d3d4bf6ead3efaef007aa635348fe7+0x10e2 @ 0x4010e2 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x77599f72 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x77599f45 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xc41f exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 50207 exception.address: 0x7507c41f registers.esp: 1637420 registers.edi: 7671800 registers.eax: 1637420 registers.ebp: 1637500 registers.edx: 0 registers.ebx: 4228892 registers.esi: 1637588 registers.ecx: 2	1

Time & API

Arguments

Status

Return

Repeated

__exception__

July 7, 2025, 11:05 a.m.

stacktrace:

EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf
rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xc41f
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008f
exception.offset: 50207
exception.address: 0x7507c41f
registers.esp: 1637184
registers.edi: 7671920
registers.eax: 1637184
registers.ebp: 1637264
registers.edx: 0
registers.ebx: 7671920
registers.esi: 7671920
registers.ecx: 2

__exception__

July 7, 2025, 11:05 a.m.

stacktrace:

EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf
ProcCallEngine+0x4ce7 __vbaUdtVar-0x1bcd msvbvm60+0x101d44 @ 0x72a41d44
ProcCallEngine+0x2ad __vbaUdtVar-0x6607 msvbvm60+0xfd30a @ 0x72a3d30a
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
40390d043fe0131afcf00e297b2d350bd5d3d4bf6ead3efaef007aa635348fe7+0x10e2 @ 0x4010e2
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x77599f72
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x77599f45

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xc41f
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008f
exception.offset: 50207
exception.address: 0x7507c41f
registers.esp: 1637224
registers.edi: 7671800
registers.eax: 1637224
registers.ebp: 1637304
registers.edx: 0
registers.ebx: 4226744
registers.esi: 1637380
registers.ecx: 2

__exception__

July 7, 2025, 11:05 a.m.

stacktrace:

EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf
ProcCallEngine+0x4ce7 __vbaUdtVar-0x1bcd msvbvm60+0x101d44 @ 0x72a41d44
EbLoadRunTime+0x1166 DllFunctionCall-0xb5 msvbvm60+0xa048 @ 0x7294a048
BASIC_CLASS_QueryInterface+0xeca EbLoadRunTime-0x13a4 msvbvm60+0x7b3e @ 0x72947b3e
ThunRTMain+0x3dd EbCreateContext-0x2e36 msvbvm60+0x3981 @ 0x72943981
ThunRTMain+0x156 EbCreateContext-0x30bd msvbvm60+0x36fa @ 0x729436fa
ThunRTMain+0x5c EbCreateContext-0x31b7 msvbvm60+0x3600 @ 0x72943600
40390d043fe0131afcf00e297b2d350bd5d3d4bf6ead3efaef007aa635348fe7+0x10e2 @ 0x4010e2
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa5 ntdll+0x39f72 @ 0x77599f72
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xd2 ntdll+0x39f45 @ 0x77599f45

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xc41f
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc000008f
exception.offset: 50207
exception.address: 0x7507c41f
registers.esp: 1637420
registers.edi: 7671800
registers.eax: 1637420
registers.ebp: 1637500
registers.edx: 0
registers.ebx: 4228892
registers.esi: 1637588
registers.ecx: 2

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Drops an executable to the user AppData folder (1 event)

file	C:\Users\Administrator\AppData\Roaming\Directory\Windowsdef.txt

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW July 7, 2025, 11:05 a.m.	show_type: 0 filepath_r: C:\Users\ADMINI~1\AppData\Local\Temp\lkdsu.bat parameters: filepath: C:\Users\Administrator\AppData\Local\Temp\lkdsu.bat	1	1	0
ShellExecuteExW July 7, 2025, 11:05 a.m.	show_type: 0 filepath_r: C:\Users\Administrator\AppData\Roaming\Directory\Windowsdef.exe parameters: filepath: C:\Users\Administrator\AppData\Roaming\Directory\Windowsdef.exe	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 7, 2025, 11:05 a.m.	process_identifier: 2360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 24576 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x003f0000 process_handle: 0xffffffff	1	0	0

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDef" /t REG_SZ /d "C:\Users\Administrator\AppData\Roaming\Directory\Windowsdef.exe" /f

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: eca37c0894a976db1188f6a05c0a8b9e368c54cb

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory July 7, 2025, 11:05 a.m.	process_identifier: 2236 region_size: 376832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000d8	1	0	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDef

reg_value

C:\Users\Administrator\AppData\Roaming\Directory\Windowsdef.exe

Manipulates memory of a non-child process indicative of process injection (3 events)

Process injection

Process 1916 manipulating memory of non-child process 2236

Time & API	Arguments	Status	Return	Repeated
NtUnmapViewOfSection July 7, 2025, 11:05 a.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 2236 process_handle: 0x000000d8	1	0	0
NtAllocateVirtualMemory July 7, 2025, 11:05 a.m.	process_identifier: 2236 region_size: 376832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000d8	1	0	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Process injection

Process 1916 called NtSetContextThread to modify thread in remote process 2236

Time & API	Arguments	Status	Return	Repeated
NtSetContextThread July 7, 2025, 11:05 a.m.	registers.eip: 2002190772 registers.esp: 1638384 registers.edi: 0 registers.eax: 4564944 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000d4 process_identifier: 2236	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Process injection	Process 2360 resumed a thread in remote process 1716
Process injection	Process 2360 resumed a thread in remote process 1916

Time & API	Arguments	Status	Return	Repeated
NtResumeThread July 7, 2025, 11:05 a.m.	thread_handle: 0x000001c8 suspend_count: 1 process_identifier: 1716	1	0	0
NtResumeThread July 7, 2025, 11:05 a.m.	thread_handle: 0x000002bc suspend_count: 1 process_identifier: 1916	1	0	0

Executed a process and injected code into it, probably while unpacking (11 events)

Time & API	Arguments	Status	Return
NtResumeThread July 7, 2025, 11:05 a.m.	thread_handle: 0x000001f8 suspend_count: 1 process_identifier: 2360	1	0
CreateProcessInternalW July 7, 2025, 11:05 a.m.	thread_identifier: 1332 thread_handle: 0x000001c8 process_identifier: 1716 current_directory: C:\Users\Administrator\AppData\Local\Temp filepath: track: 1 command_line: "C:\Users\ADMINI~1\AppData\Local\Temp\lkdsu.bat" filepath_r: stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000238	1	1
NtResumeThread July 7, 2025, 11:05 a.m.	thread_handle: 0x000001c8 suspend_count: 1 process_identifier: 1716	1	0
CreateProcessInternalW July 7, 2025, 11:05 a.m.	thread_identifier: 2740 thread_handle: 0x000002bc process_identifier: 1916 current_directory: C:\Users\Administrator\AppData\Local\Temp filepath: C:\Users\Administrator\AppData\Roaming\Directory\Windowsdef.exe track: 1 command_line: "C:\Users\Administrator\AppData\Roaming\Directory\Windowsdef.exe" filepath_r: C:\Users\Administrator\AppData\Roaming\Directory\Windowsdef.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002b8	1	1
NtResumeThread July 7, 2025, 11:05 a.m.	thread_handle: 0x000002bc suspend_count: 1 process_identifier: 1916	1	0
CreateProcessInternalW July 7, 2025, 11:05 a.m.	thread_identifier: 1576 thread_handle: 0x00000088 process_identifier: 408 current_directory: C:\Users\Administrator\AppData\Local\Temp filepath: C:\Windows\System32\reg.exe track: 1 command_line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDef" /t REG_SZ /d "C:\Users\Administrator\AppData\Roaming\Directory\Windowsdef.exe" /f filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
CreateProcessInternalW July 7, 2025, 11:05 a.m.	thread_identifier: 2396 thread_handle: 0x000000d4 process_identifier: 2236 current_directory: filepath: track: 1 command_line: C:\Users\Administrator\AppData\Roaming\Directory\Windowsdef.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000000d8	1	1
NtUnmapViewOfSection July 7, 2025, 11:05 a.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 2236 process_handle: 0x000000d8	1	0
NtAllocateVirtualMemory July 7, 2025, 11:05 a.m.	process_identifier: 2236 region_size: 376832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000000d8	1	0
NtGetContextThread July 7, 2025, 11:05 a.m.	thread_handle: 0x000000d4	1	0
NtSetContextThread July 7, 2025, 11:05 a.m.	registers.eip: 2002190772 registers.esp: 1638384 registers.edi: 0 registers.eax: 4564944 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000000d4 process_identifier: 2236	1	0

File has been identified by 13 AntiVirus engine on IRMA as malicious (13 events)

G Data Antivirus (Windows)	Virus: Trojan.GenericKDZ.95426 (Engine A)
Avast Core Security (Linux)	Win32:Kryptik-ANO [Trj]
C4S ClamAV (Linux)	Win.Packed.Manbat-6793302-0
Trellix (Linux)	PWS-FCJD
WithSecure (Linux)	Trojan.TR/Dropper.Gen
eScan Antivirus (Linux)	Trojan.GenericKDZ.95426(DB)
ESET Security (Windows)	a variant of Win32/Injector.EYU trojan
Sophos Anti-Virus (Linux)	Mal/Darkeye-C
DrWeb Antivirus (Linux)	Trojan.PWS.Stealer.379
ClamAV (Linux)	Win.Packed.Manbat-6793302-0
Bitdefender Antivirus (Linux)	Trojan.GenericKDZ.95426
Kaspersky Standard (Windows)	Trojan.Win32.VBKrypt.cgnr
Emsisoft Commandline Scanner (Windows)	Trojan.GenericKDZ.95426 (B)

File has been identified by 59 AntiVirus engines on VirusTotal as malicious (50 out of 59 events)

Bkav	W32.AIDetectMalware
tehtris	Generic.Malware
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Generic.tt
ALYac	Trojan.GenericKDZ.95426
Cylance	Unsafe
Sangfor	Suspicious.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Trojan.GenericKDZ.95426
K7GW	NetWorm ( 700000151 )
K7AntiVirus	NetWorm ( 700000151 )
Arcabit	Trojan.Generic.D174C2
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Injector.EYU
APEX	Malicious
Avast	Win32:Kryptik-ANO [Trj]
ClamAV	Win.Packed.Manbat-6793302-0
Kaspersky	Trojan.Win32.VBKrypt.cgnr
NANO-Antivirus	Trojan.Win32.Stealer.eaiffn
SUPERAntiSpyware	Trojan.Agent/Gen-VBKrypt
MicroWorld-eScan	Trojan.GenericKDZ.95426
Rising	Trojan.Injector!1.AB1E (CLASSIC)
Emsisoft	Trojan.GenericKDZ.95426 (B)
F-Secure	Trojan.TR/Dropper.Gen
DrWeb	Trojan.PWS.Stealer.379
VIPRE	Trojan.GenericKDZ.95426
McAfeeD	Real Protect-LS!38B97CDF4B55
Trapmine	malicious.high.ml.score
CTX	exe.trojan.generickdz
Sophos	Mal/Darkeye-C
SentinelOne	Static AI - Malicious PE
Jiangmin	Trojan.VBKrypt.pmn
Webroot	W32.Trojan.Gen
Google	Detected
Avira	TR/Dropper.Gen
Antiy-AVL	Virus/Win32.Expiro.imp
Kingsoft	malware.kb.b.995
Gridinsoft	Trojan.Win32.Downloader.dd!n
Xcitium	Packed.Win32.MUPX.Gen@24tbus
Microsoft	Trojan:Win32/EyeStye!pz
ZoneAlarm	Mal/Darkeye-C
GData	Trojan.GenericKDZ.95426
Varist	W32/Trojan.VJQL-6829
AhnLab-V3	Trojan/Win32.Agent.R74955
Acronis	suspicious
VBA32	SScope.Trojan.VBRA.6299
DeepInstinct	MALICIOUS
Malwarebytes	Generic.Malware.AI.DDS
Ikarus	Trojan.Win32.VB

Screenshots

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action	VT	Location
No hosts contacted.

Browser recommendation

File 40390d043fe0131afcf00e297b2d350bd5d3d4bf6ead3efaef007aa635348fe7

Summary Download Resubmit sample

Score

Autosubmit

Feedback

Information on Execution

Analyzer Log

Cuckoo Log

Signatures

Feedback

Summary
Download Resubmit sample