File 26061aa445837715_c4cd302acef1cc16abc10c84e86abbbab2c9133db00b20aa589d13c1af8db088.exe

Size 84.5KB
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5 120d18a69769add27031f647b521b569
SHA1 1d7cb78b43935f33d3dbbc97e8d90172c0ae7278
SHA256 26061aa44583771575bed8755660f338623bccbc6e734fcae02bfa8ebc43ed49
SHA512 73ab5753f837c72484928fd49f4a0978fc0c74f96697bf133f2857eeafdb822f354f08919dba0ffc5c4ef3b5ea1f370fe58b50bef6ddbda1e5d653a2c188effc
CRC32 20BC4492
ssdeep None
Yara
  • ThreadControl__Context - (no description)
  • win_files_operation - Affect private profile

Score

This file is very suspicious, with a score of 10 out of 10!

Please note: the scoring system is still in development and should be considered an alpha feature.


Autosubmit

Parent_Task_ID: 6879283


Information on Execution

Analysis

Category: FILE
Started: Aug. 26, 2025, 12:40 a.m.
Completed: Aug. 26, 2025, 12:49 a.m.
Duration: 527 seconds
Routing: internet
Logs: Analyzer Log, Cuckoo Log (below)

Analyzer Log

2025-08-23 18:52:57,015 [analyzer] DEBUG: Starting analyzer from: C:\tmpsftntc
2025-08-23 18:52:57,015 [analyzer] DEBUG: Pipe server name: \??\PIPE\glPsrTelrqfOcDqdvtS
2025-08-23 18:52:57,030 [analyzer] DEBUG: Log pipe server name: \??\PIPE\plMUwiTeDrDOdamOaM
2025-08-23 18:52:57,030 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2025-08-23 18:52:57,030 [analyzer] INFO: Automatically selected analysis package "exe"
2025-08-23 18:52:57,437 [analyzer] DEBUG: Started auxiliary module Curtain
2025-08-23 18:52:57,437 [analyzer] DEBUG: Started auxiliary module DbgView
2025-08-23 18:52:58,030 [analyzer] DEBUG: Started auxiliary module Disguise
2025-08-23 18:52:58,250 [analyzer] DEBUG: Loaded monitor into process with pid 508
2025-08-23 18:52:58,250 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2025-08-23 18:52:58,250 [analyzer] DEBUG: Started auxiliary module Human
2025-08-23 18:52:58,250 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2025-08-23 18:52:58,250 [analyzer] DEBUG: Started auxiliary module Reboot
2025-08-23 18:52:58,312 [analyzer] DEBUG: Started auxiliary module RecentFiles
2025-08-23 18:52:58,312 [analyzer] DEBUG: Started auxiliary module Screenshots
2025-08-23 18:52:58,312 [analyzer] DEBUG: Started auxiliary module Sysmon
2025-08-23 18:52:58,312 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2025-08-23 18:52:58,453 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\26061aa445837715_c4cd302acef1cc16abc10c84e86abbbab2c9133db00b20aa589d13c1af8db088.exe' with arguments '' and pid 1132
2025-08-23 18:52:58,640 [analyzer] DEBUG: Loaded monitor into process with pid 1132
2025-08-23 18:52:58,687 [analyzer] INFO: Injected into process with pid 1128 and name ''
2025-08-23 18:52:58,765 [lib.api.process] ERROR: Failed to dump memory of 32-bit process with pid 1128.
2025-08-23 18:52:58,875 [analyzer] INFO: Added new file to list with pid 1132 and path C:\Users\Administrator\AppData\Local\Temp\RCXE05D.tmp
2025-08-23 18:56:17,453 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2025-08-23 18:56:18,608 [analyzer] INFO: Terminating remaining processes before shutdown.
2025-08-23 18:56:18,608 [analyzer] INFO: Analysis completed.

Cuckoo Log

2025-08-26 00:40:31,838 [cuckoo.core.scheduler] DEBUG: Task #6904226: no machine available yet
2025-08-26 00:40:32,859 [cuckoo.core.scheduler] DEBUG: Task #6904226: no machine available yet
2025-08-26 00:40:33,879 [cuckoo.core.scheduler] DEBUG: Task #6904226: no machine available yet
2025-08-26 00:40:34,901 [cuckoo.core.scheduler] DEBUG: Task #6904226: no machine available yet
2025-08-26 00:40:35,929 [cuckoo.core.scheduler] DEBUG: Task #6904226: no machine available yet
2025-08-26 00:40:36,957 [cuckoo.core.scheduler] DEBUG: Task #6904226: no machine available yet
2025-08-26 00:40:37,986 [cuckoo.core.scheduler] DEBUG: Task #6904226: no machine available yet
2025-08-26 00:40:39,006 [cuckoo.core.scheduler] DEBUG: Task #6904226: no machine available yet
2025-08-26 00:40:40,029 [cuckoo.core.scheduler] DEBUG: Task #6904226: no machine available yet
2025-08-26 00:40:41,058 [cuckoo.core.scheduler] DEBUG: Task #6904226: no machine available yet
2025-08-26 00:40:42,081 [cuckoo.core.scheduler] DEBUG: Task #6904226: no machine available yet
2025-08-26 00:40:43,155 [cuckoo.core.scheduler] DEBUG: Task #6904226: no machine available yet
2025-08-26 00:40:44,454 [cuckoo.core.scheduler] DEBUG: Task #6904226: no machine available yet
2025-08-26 00:40:45,526 [cuckoo.core.scheduler] DEBUG: Task #6904226: no machine available yet
2025-08-26 00:40:46,574 [cuckoo.core.scheduler] DEBUG: Task #6904226: no machine available yet
2025-08-26 00:40:47,631 [cuckoo.core.scheduler] DEBUG: Task #6904226: no machine available yet
2025-08-26 00:40:48,679 [cuckoo.core.scheduler] DEBUG: Task #6904226: no machine available yet
2025-08-26 00:40:49,748 [cuckoo.core.scheduler] DEBUG: Task #6904226: no machine available yet
2025-08-26 00:40:51,049 [cuckoo.core.scheduler] INFO: Task #6904226: acquired machine win7x6421 (label=win7x6421)
2025-08-26 00:40:51,055 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.221 for task #6904226
2025-08-26 00:40:51,643 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 1085515 (interface=vboxnet0, host=192.168.168.221)
2025-08-26 00:40:52,047 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x6421
2025-08-26 00:40:52,918 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x6421 to vmcloak
2025-08-26 00:43:31,217 [cuckoo.core.guest] INFO: Starting analysis #6904226 on guest (id=win7x6421, ip=192.168.168.221)
2025-08-26 00:43:32,224 [cuckoo.core.guest] DEBUG: win7x6421: not ready yet
2025-08-26 00:43:37,247 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x6421, ip=192.168.168.221)
2025-08-26 00:43:37,388 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x6421, ip=192.168.168.221, monitor=latest, size=6660546)
2025-08-26 00:43:38,698 [cuckoo.core.resultserver] DEBUG: Task #6904226: live log analysis.log initialized.
2025-08-26 00:43:39,988 [cuckoo.core.resultserver] DEBUG: Task #6904226 is sending a BSON stream
2025-08-26 00:43:40,257 [cuckoo.core.resultserver] DEBUG: Task #6904226 is sending a BSON stream
2025-08-26 00:43:41,127 [cuckoo.core.resultserver] DEBUG: Task #6904226: File upload for 'shots/0001.jpg'
2025-08-26 00:43:41,145 [cuckoo.core.resultserver] DEBUG: Task #6904226 uploaded file length: 133487
2025-08-26 00:43:53,301 [cuckoo.core.guest] DEBUG: win7x6421: analysis #6904226 still processing
2025-08-26 00:44:08,390 [cuckoo.core.guest] DEBUG: win7x6421: analysis #6904226 still processing
2025-08-26 00:44:23,475 [cuckoo.core.guest] DEBUG: win7x6421: analysis #6904226 still processing
2025-08-26 00:44:38,547 [cuckoo.core.guest] DEBUG: win7x6421: analysis #6904226 still processing
2025-08-26 00:44:53,794 [cuckoo.core.guest] DEBUG: win7x6421: analysis #6904226 still processing
2025-08-26 00:45:09,197 [cuckoo.core.guest] DEBUG: win7x6421: analysis #6904226 still processing
2025-08-26 00:45:24,484 [cuckoo.core.guest] DEBUG: win7x6421: analysis #6904226 still processing
2025-08-26 00:45:39,643 [cuckoo.core.guest] DEBUG: win7x6421: analysis #6904226 still processing
2025-08-26 00:45:54,895 [cuckoo.core.guest] DEBUG: win7x6421: analysis #6904226 still processing
2025-08-26 00:46:10,226 [cuckoo.core.guest] DEBUG: win7x6421: analysis #6904226 still processing
2025-08-26 00:46:25,342 [cuckoo.core.guest] DEBUG: win7x6421: analysis #6904226 still processing
2025-08-26 00:46:40,465 [cuckoo.core.guest] DEBUG: win7x6421: analysis #6904226 still processing
2025-08-26 00:46:55,877 [cuckoo.core.guest] DEBUG: win7x6421: analysis #6904226 still processing
2025-08-26 00:46:59,322 [cuckoo.core.resultserver] DEBUG: Task #6904226: File upload for 'curtain/1755968177.62.curtain.log'
2025-08-26 00:46:59,325 [cuckoo.core.resultserver] DEBUG: Task #6904226 uploaded file length: 36
2025-08-26 00:47:00,225 [cuckoo.core.resultserver] DEBUG: Task #6904226: File upload for 'sysmon/1755968178.52.sysmon.xml'
2025-08-26 00:47:00,307 [cuckoo.core.resultserver] DEBUG: Task #6904226 uploaded file length: 13592180
2025-08-26 00:47:00,331 [cuckoo.core.resultserver] DEBUG: Task #6904226: File upload for 'files/9775ac2983e20662_26061aa445837715_c4cd302acef1cc16abc10c84e86abbbab2c9133db00b20aa589d13c1af8db088.exe'
2025-08-26 00:47:00,334 [cuckoo.core.resultserver] DEBUG: Task #6904226 uploaded file length: 86528
2025-08-26 00:47:00,335 [cuckoo.core.resultserver] DEBUG: Task #6904226 had connection reset for <Context for LOG>
2025-08-26 00:47:02,042 [cuckoo.core.guest] INFO: win7x6421: analysis completed successfully
2025-08-26 00:47:02,070 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2025-08-26 00:47:02,096 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2025-08-26 00:47:03,275 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x6421 to path /srv/cuckoo/cwd/storage/analyses/6904226/memory.dmp
2025-08-26 00:47:03,279 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x6421
2025-08-26 00:49:18,304 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.221 for task #6904226
2025-08-26 00:49:19,358 [cuckoo.core.scheduler] DEBUG: Released database task #6904226
2025-08-26 00:49:19,390 [cuckoo.core.scheduler] INFO: Task #6904226: analysis procedure completed

Signatures

Yara rules detected for file (2 events)
rule ThreadControl__Context: (no description)
rule win_files_operation: Affect private profile
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
section: name .rsrc, virtual_address 0x00014000, virtual_size 0x00006b80, size_of_data 0x00006c00, entropy 7.988872449590448 (description: A section with a high entropy has been found)
entropy 0.323353293413 (description: Overall entropy of this PE file is high)
Allocates execute permission to another process indicative of possible code injection (1 event)
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 1128
region_size: 77824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000008c
1 0 0
Manipulates memory of a non-child process indicative of process injection (3 events)
Process injection Process 1132 manipulating memory of non-child process 1128
Time & API Arguments Status Return Repeated

NtUnmapViewOfSection

base_address: 0x00400000
region_size: 4096
process_identifier: 1128
process_handle: 0x0000008c
1 0 0

NtAllocateVirtualMemory

process_identifier: 1128
region_size: 77824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000008c
1 0 0
Potential code injection by writing to the memory of another process (13 events)
Process injection Process 1132 injected into non-child 1128
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELèL^ŽÅà  8`ÐP@0Ae ˆ °’d.text`68`P`.dataP<@0À.rdataø`>@0@/4Œ p F@0@.bss€€`À.idataˆ R@0À.CRT `@0À.tls °b@0À/148Àd@@B/29BÐ f@B/41Ið†@B/55Ȉ@B/678Š@0B/80— Œ@B
base_address: 0x00400000
process_identifier: 1128
process_handle: 0x0000008c
1 1 0

WriteProcessMemory

buffer: ýÿÿÿ@F@ÿÿÿÿ
base_address: 0x00405000
process_identifier: 1128
process_handle: 0x0000008c
1 1 0

WriteProcessMemory

buffer: libgcc_s_dw2-1.dll__register_frame_info__deregister_frame_infoAPPDATA\WPDNSE\\a.exea.exeSOFTWARE\Microsoft\Windows\CurrentVersion\RunWindows Atapi x86_64 Driver <CAPSLOCK> <SHIFT> <LCTRL> <RCTRL> <INSERT> <END> <PRINT> <DEL> <BK> <LEFT> <RIGHT> <UP> <DOWN> <SPACE> <TAB> <ENTER> <ESC> 0123456789´@J@€@€@€@c@€@€@@€@€@€@ì@€@€@€@€@€@€@|@€@€@€@€@1@€@€@i@€@Í@ÿ@æ@@€@‚@€@€@P@›@€@@¨@Á@Ú@ó@ @%@>@T@j@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@•@®@Ç@à@ù@@+@D@]@v@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@@7@InformationPress OK to stop logging.keys.txt£@â@â@â@â@`@â@â@0@â@0@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@0@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@à@p@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@0@â@0@â@0@P"@Mingw runtime failure: VirtualQuery failed for %d bytes at address %p Unknown pseudo relocation protocol version %d. Unknown pseudo relocation bit size %d. .glob-1.0-mingw32.GCC: (GNU) 8.2.0GCC: (GNU) 8.2.0GCC: (MinGW.org GCC-8.2.0-5) 8.2.0GCC: (GNU) 8.2.0GCC: (GNU) 8.2.0GCC: (GNU) 8.2.0GCC: (GNU) 8.2.0GCC: (GNU) 8.2.0GCC: (GNU) 8.2.0GCC: (GNU) 8.2.0GCC: (GNU) 8.2.0GCC: (GNU) 8.2.0GCC: (GNU) 8.2.0GCC: (GNU) 8.2.0GCC: (GNU) 8.2.0GCC: (GNU) 8.2.0GCC: (GNU) 8.2.0GCC: (GNU) 8.2.0GCC: (GNU) 8.2.0GCC: (GNU) 8.2.0GCC: (GNU) 8.2.0
base_address: 0x00406000
process_identifier: 1128
process_handle: 0x0000008c
1 1 0

WriteProcessMemory

buffer: zR| ˆàŸÿÿ’C q L 8d¡ÿÿìA…B DƒT8¢ÿÿ?C@{l`¢ÿÿC €l¢ÿÿC ”x¢ÿÿ¨t¢ÿÿzR| ˆ(X¢ÿÿ¡A…B E†ƒ{ ÃAÆAÅ K HÜ¢ÿÿ.A…B jÅ zR| ˆÔ¢ÿÿWA…B SÅ zPLR|L@ ˆ$$ë¢ÿÿ_F@A…B GƒTÅà $L"¤ÿÿñ+F@A…B GƒæÅà ¬ë¤ÿÿAA…B ;Å Ì ©ÿÿxA…B rÅ ìd©ÿÿA…B NÅ  V©ÿÿA…B NÅ $ôH©ÿÿ™MF@A…B Dƒ‘Åà T¹©ÿÿA…B XÅ zPLR|L@ ˆ$$ ÒÿÿG=F@A…B DƒÅà zR| ˆ<Ü©ÿÿfA…B F‡†ƒR ÃAÆAÇAÅ B æ ÃAÆAÇAÅ G zR| ˆ$ô¬ÿÿ]ƒH  …AÅ _ÃzR| ˆ8„ÑÿÿÂD GuEutu|ux«Á AÃAÆAÅC zR| ˆp­ÿÿ1N\ 4˜­ÿÿFAƒC j AÃA XÄ­ÿÿzR| ˆ¸­ÿÿCC U H `D<è­ÿÿšA†A ƒC d  FÃAÆC t  FÃAÆC _ FÃAÆ„@®ÿÿzR| ˆ8$®ÿÿ`A†A ƒC LI PC jC C AÃAÆDXH®ÿÿ‚A†C ƒC L  CÃAÆI sN OE C  AÃAÆA < ®ÿÿ›AƒC P CÃI LI gC C CÃK ZC 0àð®ÿÿ±C c J iC _ E ^ B LC zR| ˆd¯ÿÿJA†A ƒC d<”¯ÿÿìA…A ‡C†CƒEPXDCPm AÃAÆ AÇAÅG d@CPB@CPC AÃAÆ AÇAÅA T¤°ÿÿÚj…A ‡A†AƒC@‹ AÃAÆ AÇAÅA ò AÃAÆ AÇAÅJ zR| ˆܱÿÿwC A A zR| ˆ<(²ÿÿ)A…C ‡A†CƒCP AÃAÆ AÇAÅF T\µÿÿA…A ‡C†AƒC@’ CÃAÆ AÇAÅA C CÃCÆ AÇAÅC 0´Ð¶ÿÿŽA†F ƒE ÃAÆC v ÃAÆC 4è,·ÿÿOA†C ƒC x  CÃAÆA C FÃAÆD D·ÿÿ\A‡A †CƒE @ Cà AÆAÇA CFà AÆAÇ(h\·ÿÿIA†C ƒE o  AÃAÆF <”€·ÿÿxA…B F‡†ƒ ÃAÆAÇAÅ A Ç ÃAÆAÇAÅ H ,ÔÀ¿ÿÿ×A…B F‡†ƒF ÃAÆAÇAÅ A @pÀÿÿWA‡A †AƒC O Aà AÆAÇH oAà AÆAÇzR| ˆ,tÀÿÿåA…B F‡†ƒ´ ÃAÆAÇAÅ A zR| ˆ@ÄÿÿÓA†A ƒHàPØCàH  CÃAÆG M  CÃAÆA L`¸Äÿÿ¢A†A ƒHàPØCàG  CÃAÆH M  CÃAÆA [ CÃAÆT°ÅÿÿñA…A ‡A†AƒFÀS CÃAÆ AÇAÅA O CÃAÆ AÇAÅG ÀÆÿÿOAƒCv CÃC (,ìÆÿÿBAƒC VC Q AÃA ,XÇÿÿXAƒC VC R AÃA eAÈ@Çÿÿ'CQ A 4¤TÇÿÿqA†A ƒC R  AÃAÆG N AÃAÆzR| ˆ`Êÿÿ
base_address: 0x00407000
process_identifier: 1128
process_handle: 0x0000008c
1 1 0

WriteProcessMemory

buffer:  ä𒰐P›’‘h›t’‘𛀒œ‘ œ“°‘$œ“À‘xœ$“h“v“†“˜“¤“¸“Гè“ö“””$”2”D”^”n”„”˜”ª”¼”ؔ𔕕,•>•N•X•d•t•„•”•¢•´•¾•ȕԕà•è•ô•þ•–––&–0–8–B–L–X–b–l–x–‚–Œ––– –ª–¶––Ԗè–ö– — —<—T—˜—¨—¸—ð—X˜Œ˜Ð˜™T™™Ì™ šLšˆšÀšh“v“†“˜“¤“¸“Гè“ö“””$”2”D”^”n”„”˜”ª”¼”ؔ𔕕,•>•N•X•d•t•„•”•¢•´•¾•ȕԕà•è•ô•þ•–––&–0–8–B–L–X–b–l–x–‚–Œ––– –ª–¶––Ԗè–ö– — —<—T—˜—¨—¸—ð—X˜Œ˜Ð˜™T™™Ì™ šLšˆšÀšƒRegCloseKey¯RegOpenKeyExAËRegSetValueExAqCopyFileA|CreateDirectoryAÐDeleteCriticalSectioníEnterCriticalSectionExitProcess-FindClose1FindFirstFileABFindNextFileAaFreeLibrary…GetCommandLineAÚGetEnvironmentVariableAÿGetLastErrorGetModuleFileNameAGetModuleHandleABGetProcAddress_GetStartupInfoAßInitializeCriticalSection/LeaveCriticalSection2LoadLibraryAlSetUnhandledExceptionFilterTlsGetValueµVirtualProtect·VirtualQueryQ_strdupS_stricollY__getmainargsx__mb_cur_max„__p__environ†__p__fmodeš__set_app_type×_cexit_errno@_fpresetZ_fullpath_iob¢_isctype­_onexit¶_pctypeí_setmode7abort?atexitFcallocgfreerfwriteŸmalloc¦mbstowcs«memcpyÀreallocÇsetlocaleÉsignalÖstrcoll×strcpyÝstrlenùtolowervfprintf)wcstombsCallNextHookExàGetAsyncKeyState³MessageBoxACSetWindowsHookExA_Unwind_Resume%__deregister_frame_infok__register_frame_infoá_ZNKSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE5c_strEvå_ZNSaIcEC1Evè_ZNSaIcED1Ev¢_ZNSt14basic_ofstreamIcSt11char_traitsIcEE5closeEv¦_ZNSt14basic_ofstreamIcSt11char_traitsIcEEC1ERKNSt7__cxx1112basic_stringIcS1_SaIcEEESt13_Ios_Openmode¯_ZNSt14basic_ofstreamIcSt11char_traitsIcEED1Evö _ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE6appendEPKc6 _ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEC1EPKcRKS3_9 _ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEC1ERKS4_@ _ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEC1EvT _ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEED1EvW _ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEaSEPKc\ 
_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEpLEPKcø_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKcû_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_cZ__gxx_personality_v0ADVAPI32.DLLKERNEL32.dll((msvcrt.dll<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<msvcrt.dllPPPPUSER32.dlldddlibgcc_s_dw2-1.dllxxxxxxxxxxxxxxxxlibstdc++-6.dll
base_address: 0x00409000
process_identifier: 1128
process_handle: 0x0000008c
1 1 0

WriteProcessMemory

buffer: P"@"@
base_address: 0x0040a000
process_identifier: 1128
process_handle: 0x0000008c
1 1 0

WriteProcessMemory

buffer: °@°@X@ @
base_address: 0x0040b000
process_identifier: 1128
process_handle: 0x0000008c
1 1 0

WriteProcessMemory

buffer: ˆ(@*&
base_address: 0x0040c000
process_identifier: 1128
process_handle: 0x0000008c
1 1 0

WriteProcessMemory

buffer: %% $ > &I : ; 9  : ; 9 I8  I: ; 9 II ! 4: ; 9 I?< 4: ;9 I?< !I/ 'II&> I: ; 9 (  : ; 9  : ;9 I8  : ;9 I8> I: ;9 <'4G: ;9 
base_address: 0x0040f000
process_identifier: 1128
process_handle: 0x0000008c
1 1 0

WriteProcessMemory

buffer: mIû ../../../src/gcc-8.2.0/libgcc/config/i386cygwin.Sˆ(@Ž""YK0g=YY0/>""SMû /home/keith/mingw32-gcc-8.2.0/include../../../src/gcc-8.2.0/libgcc/../include../.././gcc../../../src/gcc-8.2.0/libgcc/../gcc/config/i386../../../src/gcc-8.2.0/libgccstdio.hstdlib.hgetopt.htime.hhashtab.hinsn-constants.hi386.hi386-opts.hlibgcc2.hgbl-ctors.hlibgcc2.c
base_address: 0x00410000
process_identifier: 1128
process_handle: 0x0000008c
1 1 0

WriteProcessMemory

buffer: ÿÿÿÿ| ˆ ˆ(@*AA €fÀAÁ
base_address: 0x00411000
process_identifier: 1128
process_handle: 0x0000008c
1 1 0

WriteProcessMemory

buffer: ../../../src/gcc-8.2.0/libgcc/config/i386/cygwin.S/home/keith/src/mingw/gcc-build/gcc-8.2.0-mingw32-cross-native-sandbox/mingw32/libgccGNU AS 2.31.1
base_address: 0x00412000
process_identifier: 1128
process_handle: 0x0000008c
1 1 0
Code injection by writing an executable or DLL to the memory of another process (2 events)
Process injection Process 1132 injected into non-child 1128
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELèL^ŽÅà  8`ÐP@0Ae ˆ °’d.text`68`P`.dataP<@0À.rdataø`>@0@/4Œ p F@0@.bss€€`À.idataˆ R@0À.CRT `@0À.tls °b@0À/148Àd@@B/29BÐ f@B/41Ið†@B/55Ȉ@B/678Š@0B/80— Œ@B
base_address: 0x00400000
process_identifier: 1128
process_handle: 0x0000008c
1 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)
Process injection Process 1132 called NtSetContextThread to modify thread in remote process 1128
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 1995637172
registers.esp: 2686960
registers.edi: 0
registers.eax: 4199120
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000088
process_identifier: 1128
1 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)
Process injection Process 1132 resumed a thread in remote process 1128
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000088
suspend_count: 1
process_identifier: 1128
1 0 0
Executed a process and injected code into it, probably while unpacking (22 events)
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 1368
thread_handle: 0x00000088
process_identifier: 1128
current_directory:
filepath: C:\Users\Administrator\AppData\Local\Temp\26061aa445837715_c4cd302acef1cc16abc10c84e86abbbab2c9133db00b20aa589d13c1af8db088.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator\AppData\Local\Temp\26061aa445837715_c4cd302acef1cc16abc10c84e86abbbab2c9133db00b20aa589d13c1af8db088.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x0000008c
1 1 0

NtGetContextThread

thread_handle: 0x00000088
1 0 0

NtUnmapViewOfSection

base_address: 0x00400000
region_size: 4096
process_identifier: 1128
process_handle: 0x0000008c
1 0 0

NtAllocateVirtualMemory

process_identifier: 1128
region_size: 77824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000008c
1 0 0

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELèL^ŽÅà  8`ÐP@0Ae ˆ °’d.text`68`P`.dataP<@0À.rdataø`>@0@/4Œ p F@0@.bss€€`À.idataˆ R@0À.CRT `@0À.tls °b@0À/148Àd@@B/29BÐ f@B/41Ið†@B/55Ȉ@B/678Š@0B/80— Œ@B
base_address: 0x00400000
process_identifier: 1128
process_handle: 0x0000008c
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00401000
process_identifier: 1128
process_handle: 0x0000008c
1 1 0

WriteProcessMemory

buffer: ýÿÿÿ@F@ÿÿÿÿ
base_address: 0x00405000
process_identifier: 1128
process_handle: 0x0000008c
1 1 0

WriteProcessMemory

buffer: libgcc_s_dw2-1.dll__register_frame_info__deregister_frame_infoAPPDATA\WPDNSE\\a.exea.exeSOFTWARE\Microsoft\Windows\CurrentVersion\RunWindows Atapi x86_64 Driver <CAPSLOCK> <SHIFT> <LCTRL> <RCTRL> <INSERT> <END> <PRINT> <DEL> <BK> <LEFT> <RIGHT> <UP> <DOWN> <SPACE> <TAB> <ENTER> <ESC> 0123456789´@J@€@€@€@c@€@€@@€@€@€@ì@€@€@€@€@€@€@|@€@€@€@€@1@€@€@i@€@Í@ÿ@æ@@€@‚@€@€@P@›@€@@¨@Á@Ú@ó@ @%@>@T@j@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@•@®@Ç@à@ù@@+@D@]@v@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@€@@7@InformationPress OK to stop logging.keys.txt£@â@â@â@â@`@â@â@0@â@0@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@0@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@à@p@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@â@0@â@0@â@0@P"@Mingw runtime failure: VirtualQuery failed for %d bytes at address %p Unknown pseudo relocation protocol version %d. Unknown pseudo relocation bit size %d. .glob-1.0-mingw32.GCC: (GNU) 8.2.0GCC: (GNU) 8.2.0GCC: (MinGW.org GCC-8.2.0-5) 8.2.0GCC: (GNU) 8.2.0GCC: (GNU) 8.2.0GCC: (GNU) 8.2.0GCC: (GNU) 8.2.0GCC: (GNU) 8.2.0GCC: (GNU) 8.2.0GCC: (GNU) 8.2.0GCC: (GNU) 8.2.0GCC: (GNU) 8.2.0GCC: (GNU) 8.2.0GCC: (GNU) 8.2.0GCC: (GNU) 8.2.0GCC: (GNU) 8.2.0GCC: (GNU) 8.2.0GCC: (GNU) 8.2.0GCC: (GNU) 8.2.0GCC: (GNU) 8.2.0GCC: (GNU) 8.2.0
base_address: 0x00406000
process_identifier: 1128
process_handle: 0x0000008c
1 1 0

WriteProcessMemory

buffer: zR| ˆàŸÿÿ’C q L 8d¡ÿÿìA…B DƒT8¢ÿÿ?C@{l`¢ÿÿC €l¢ÿÿC ”x¢ÿÿ¨t¢ÿÿzR| ˆ(X¢ÿÿ¡A…B E†ƒ{ ÃAÆAÅ K HÜ¢ÿÿ.A…B jÅ zR| ˆÔ¢ÿÿWA…B SÅ zPLR|L@ ˆ$$ë¢ÿÿ_F@A…B GƒTÅà $L"¤ÿÿñ+F@A…B GƒæÅà ¬ë¤ÿÿAA…B ;Å Ì ©ÿÿxA…B rÅ ìd©ÿÿA…B NÅ  V©ÿÿA…B NÅ $ôH©ÿÿ™MF@A…B Dƒ‘Åà T¹©ÿÿA…B XÅ zPLR|L@ ˆ$$ ÒÿÿG=F@A…B DƒÅà zR| ˆ<Ü©ÿÿfA…B F‡†ƒR ÃAÆAÇAÅ B æ ÃAÆAÇAÅ G zR| ˆ$ô¬ÿÿ]ƒH  …AÅ _ÃzR| ˆ8„ÑÿÿÂD GuEutu|ux«Á AÃAÆAÅC zR| ˆp­ÿÿ1N\ 4˜­ÿÿFAƒC j AÃA XÄ­ÿÿzR| ˆ¸­ÿÿCC U H `D<è­ÿÿšA†A ƒC d  FÃAÆC t  FÃAÆC _ FÃAÆ„@®ÿÿzR| ˆ8$®ÿÿ`A†A ƒC LI PC jC C AÃAÆDXH®ÿÿ‚A†C ƒC L  CÃAÆI sN OE C  AÃAÆA < ®ÿÿ›AƒC P CÃI LI gC C CÃK ZC 0àð®ÿÿ±C c J iC _ E ^ B LC zR| ˆd¯ÿÿJA†A ƒC d<”¯ÿÿìA…A ‡C†CƒEPXDCPm AÃAÆ AÇAÅG d@CPB@CPC AÃAÆ AÇAÅA T¤°ÿÿÚj…A ‡A†AƒC@‹ AÃAÆ AÇAÅA ò AÃAÆ AÇAÅJ zR| ˆܱÿÿwC A A zR| ˆ<(²ÿÿ)A…C ‡A†CƒCP AÃAÆ AÇAÅF T\µÿÿA…A ‡C†AƒC@’ CÃAÆ AÇAÅA C CÃCÆ AÇAÅC 0´Ð¶ÿÿŽA†F ƒE ÃAÆC v ÃAÆC 4è,·ÿÿOA†C ƒC x  CÃAÆA C FÃAÆD D·ÿÿ\A‡A †CƒE @ Cà AÆAÇA CFà AÆAÇ(h\·ÿÿIA†C ƒE o  AÃAÆF <”€·ÿÿxA…B F‡†ƒ ÃAÆAÇAÅ A Ç ÃAÆAÇAÅ H ,ÔÀ¿ÿÿ×A…B F‡†ƒF ÃAÆAÇAÅ A @pÀÿÿWA‡A †AƒC O Aà AÆAÇH oAà AÆAÇzR| ˆ,tÀÿÿåA…B F‡†ƒ´ ÃAÆAÇAÅ A zR| ˆ@ÄÿÿÓA†A ƒHàPØCàH  CÃAÆG M  CÃAÆA L`¸Äÿÿ¢A†A ƒHàPØCàG  CÃAÆH M  CÃAÆA [ CÃAÆT°ÅÿÿñA…A ‡A†AƒFÀS CÃAÆ AÇAÅA O CÃAÆ AÇAÅG ÀÆÿÿOAƒCv CÃC (,ìÆÿÿBAƒC VC Q AÃA ,XÇÿÿXAƒC VC R AÃA eAÈ@Çÿÿ'CQ A 4¤TÇÿÿqA†A ƒC R  AÃAÆG N AÃAÆzR| ˆ`Êÿÿ
base_address: 0x00407000
process_identifier: 1128
process_handle: 0x0000008c
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00408000
process_identifier: 1128
process_handle: 0x0000008c
0 0

WriteProcessMemory

buffer:  ä𒰐P›’‘h›t’‘𛀒œ‘ œ“°‘$œ“À‘xœ$“h“v“†“˜“¤“¸“Гè“ö“””$”2”D”^”n”„”˜”ª”¼”ؔ𔕕,•>•N•X•d•t•„•”•¢•´•¾•ȕԕà•è•ô•þ•–––&–0–8–B–L–X–b–l–x–‚–Œ––– –ª–¶––Ԗè–ö– — —<—T—˜—¨—¸—ð—X˜Œ˜Ð˜™T™™Ì™ šLšˆšÀšh“v“†“˜“¤“¸“Гè“ö“””$”2”D”^”n”„”˜”ª”¼”ؔ𔕕,•>•N•X•d•t•„•”•¢•´•¾•ȕԕà•è•ô•þ•–––&–0–8–B–L–X–b–l–x–‚–Œ––– –ª–¶––Ԗè–ö– — —<—T—˜—¨—¸—ð—X˜Œ˜Ð˜™T™™Ì™ šLšˆšÀšƒRegCloseKey¯RegOpenKeyExAËRegSetValueExAqCopyFileA|CreateDirectoryAÐDeleteCriticalSectioníEnterCriticalSectionExitProcess-FindClose1FindFirstFileABFindNextFileAaFreeLibrary…GetCommandLineAÚGetEnvironmentVariableAÿGetLastErrorGetModuleFileNameAGetModuleHandleABGetProcAddress_GetStartupInfoAßInitializeCriticalSection/LeaveCriticalSection2LoadLibraryAlSetUnhandledExceptionFilterTlsGetValueµVirtualProtect·VirtualQueryQ_strdupS_stricollY__getmainargsx__mb_cur_max„__p__environ†__p__fmodeš__set_app_type×_cexit_errno@_fpresetZ_fullpath_iob¢_isctype­_onexit¶_pctypeí_setmode7abort?atexitFcallocgfreerfwriteŸmalloc¦mbstowcs«memcpyÀreallocÇsetlocaleÉsignalÖstrcoll×strcpyÝstrlenùtolowervfprintf)wcstombsCallNextHookExàGetAsyncKeyState³MessageBoxACSetWindowsHookExA_Unwind_Resume%__deregister_frame_infok__register_frame_infoá_ZNKSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE5c_strEvå_ZNSaIcEC1Evè_ZNSaIcED1Ev¢_ZNSt14basic_ofstreamIcSt11char_traitsIcEE5closeEv¦_ZNSt14basic_ofstreamIcSt11char_traitsIcEEC1ERKNSt7__cxx1112basic_stringIcS1_SaIcEEESt13_Ios_Openmode¯_ZNSt14basic_ofstreamIcSt11char_traitsIcEED1Evö _ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE6appendEPKc6 _ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEC1EPKcRKS3_9 _ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEC1ERKS4_@ _ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEC1EvT _ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEED1EvW _ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEaSEPKc\ 
_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEpLEPKcø_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKcû_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_cZ__gxx_personality_v0ADVAPI32.DLLKERNEL32.dll((msvcrt.dll<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<msvcrt.dllPPPPUSER32.dlldddlibgcc_s_dw2-1.dllxxxxxxxxxxxxxxxxlibstdc++-6.dll
base_address: 0x00409000
process_identifier: 1128
process_handle: 0x0000008c
1 1 0

WriteProcessMemory

buffer: P"@"@
base_address: 0x0040a000
process_identifier: 1128
process_handle: 0x0000008c
1 1 0

WriteProcessMemory

buffer: °@°@X@ @
base_address: 0x0040b000
process_identifier: 1128
process_handle: 0x0000008c
1 1 0

WriteProcessMemory

buffer: ˆ(@*&
base_address: 0x0040c000
process_identifier: 1128
process_handle: 0x0000008c
1 1 0

WriteProcessMemory

buffer:
base_address: 0x0040d000
process_identifier: 1128
process_handle: 0x0000008c
1 1 0

WriteProcessMemory

buffer: %% $ > &I : ; 9  : ; 9 I8  I: ; 9 II ! 4: ; 9 I?< 4: ;9 I?< !I/ 'II&> I: ; 9 (  : ; 9  : ;9 I8  : ;9 I8> I: ;9 <'4G: ;9 
base_address: 0x0040f000
process_identifier: 1128
process_handle: 0x0000008c
1 1 0

WriteProcessMemory

buffer: mIû ../../../src/gcc-8.2.0/libgcc/config/i386cygwin.Sˆ(@Ž""YK0g=YY0/>""SMû /home/keith/mingw32-gcc-8.2.0/include../../../src/gcc-8.2.0/libgcc/../include../.././gcc../../../src/gcc-8.2.0/libgcc/../gcc/config/i386../../../src/gcc-8.2.0/libgccstdio.hstdlib.hgetopt.htime.hhashtab.hinsn-constants.hi386.hi386-opts.hlibgcc2.hgbl-ctors.hlibgcc2.c
base_address: 0x00410000
process_identifier: 1128
process_handle: 0x0000008c
1 1 0

WriteProcessMemory

buffer: ÿÿÿÿ| ˆ ˆ(@*AA €fÀAÁ
base_address: 0x00411000
process_identifier: 1128
process_handle: 0x0000008c
1 1 0

WriteProcessMemory

buffer: ../../../src/gcc-8.2.0/libgcc/config/i386/cygwin.S/home/keith/src/mingw/gcc-build/gcc-8.2.0-mingw32-cross-native-sandbox/mingw32/libgccGNU AS 2.31.1
base_address: 0x00412000
process_identifier: 1128
process_handle: 0x0000008c
1 1 0

NtSetContextThread

registers.eip: 1995637172
registers.esp: 2686960
registers.edi: 0
registers.eax: 4199120
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000088
process_identifier: 1128
1 0 0

NtResumeThread

thread_handle: 0x00000088
suspend_count: 1
process_identifier: 1128
1 0 0

CreateProcessInternalW

thread_identifier: 2352
thread_handle: 0x0000008c
process_identifier: 2256
current_directory:
filepath:
track: 1
command_line: C:\Users\Administrator\AppData\Local\Temp\26061aa445837715_c4cd302acef1cc16abc10c84e86abbbab2c9133db00b20aa589d13c1af8db088.exe delete
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000000c8
1 1 0
File has been identified by 12 AntiVirus engines on IRMA as malicious (12 events)
G Data Antivirus (Windows) Virus: Gen:Trojan.ProcessHijack.fKW@a0CCV2h (Engine A)
Avast Core Security (Linux) Win32:Evo-gen [Trj]
C4S ClamAV (Linux) Win.Trojan.Processhijack-10056424-0
WithSecure (Linux) Trojan.TR/Hijacker.Gen
eScan Antivirus (Linux) Gen:Trojan.ProcessHijack.fKW@a0CCV2h(DB)
ESET Security (Windows) a variant of Win32/Injector.EJEN trojan
Sophos Anti-Virus (Linux) Troj/Inject-KAK
DrWeb Antivirus (Linux) Trojan.Inject5.53255
ClamAV (Linux) Win.Trojan.Processhijack-10056424-0
Bitdefender Antivirus (Linux) Gen:Trojan.ProcessHijack.fKW@a0CCV2h
Kaspersky Standard (Windows) HEUR:Trojan.Win32.Inject.gen
Emsisoft Commandline Scanner (Windows) Gen:Trojan.ProcessHijack.fKW@a0CCV2h (B)
Screenshots

(none)

Hosts (Name / Response / Post-Analysis Lookup)

No hosts contacted.

Network (IP Address / Status / Action / VT / Location)

No hosts contacted.