Archive Purchase Order.gz @ mail.eml

Size 976.6KB
Type RAR archive data, v5
MD5 ea853b8df79215efa2b45d5f78fb75b0
SHA1 f04599e074da7959fb7fdf1266aa7e6bab9d1ec7
SHA256 2bcac45d5034f621a91255351bf86e02b8626ed63e709b1f3842c45a37849fee
SHA512 9fe4d4ff0b318916a8cb8872b880a83a42491ee99794f5bfb5081906cd2da6d791375ab99ff4ad7d67b38cfbd2028314a638c98224249f9c8aaf34e8ecb2ed15
CRC32 A5434F85
ssdeep None
Yara None matched

Score

This archive is very suspicious, with a score of 10 out of 10!

Please note: the scoring system is still in development and should be considered an alpha feature.



Information on Execution

Analysis
Category | Started | Completed | Duration | Routing
ARCHIVE | June 21, 2025, 12:33 p.m. | June 21, 2025, 12:40 p.m. | 439 seconds | internet

Analyzer Log

2025-06-20 15:41:06,030 [analyzer] DEBUG: Starting analyzer from: C:\tmpht3fil
2025-06-20 15:41:06,030 [analyzer] DEBUG: Pipe server name: \??\PIPE\rCWEWVTLHcerCtNut
2025-06-20 15:41:06,030 [analyzer] DEBUG: Log pipe server name: \??\PIPE\pMtzQmdyMdkSMapIRN
2025-06-20 15:41:06,296 [analyzer] DEBUG: Started auxiliary module Curtain
2025-06-20 15:41:06,296 [analyzer] DEBUG: Started auxiliary module DbgView
2025-06-20 15:41:06,812 [analyzer] DEBUG: Started auxiliary module Disguise
2025-06-20 15:41:07,015 [analyzer] DEBUG: Loaded monitor into process with pid 504
2025-06-20 15:41:07,015 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2025-06-20 15:41:07,015 [analyzer] DEBUG: Started auxiliary module Human
2025-06-20 15:41:07,015 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2025-06-20 15:41:07,030 [analyzer] DEBUG: Started auxiliary module Reboot
2025-06-20 15:41:07,171 [analyzer] DEBUG: Started auxiliary module RecentFiles
2025-06-20 15:41:07,171 [analyzer] DEBUG: Started auxiliary module Screenshots
2025-06-20 15:41:07,171 [analyzer] DEBUG: Started auxiliary module Sysmon
2025-06-20 15:41:07,171 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2025-06-20 15:41:07,187 [modules.packages.rar] INFO: None
2025-06-20 15:41:07,342 [modules.packages.rar] DEBUG: Missing file option, auto executing: Purchase Order.exe
2025-06-20 15:41:07,483 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\Purchase Order.exe' with arguments '' and pid 624
2025-06-20 15:41:07,655 [analyzer] DEBUG: Loaded monitor into process with pid 624
2025-06-20 15:41:09,905 [analyzer] INFO: Injected into process with pid 2948 and name u'powershell.exe'
2025-06-20 15:41:36,483 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2025-06-20 15:41:36,717 [lib.api.process] ERROR: Failed to dump memory of 32-bit process with pid 624.
2025-06-20 15:41:36,796 [lib.api.process] ERROR: Failed to dump memory of 32-bit process with pid 2948.
2025-06-20 15:41:37,280 [analyzer] INFO: Terminating remaining processes before shutdown.
2025-06-20 15:41:37,280 [lib.api.process] INFO: Successfully terminated process with pid 624.
2025-06-20 15:41:37,296 [lib.api.process] INFO: Successfully terminated process with pid 2948.
2025-06-20 15:41:37,296 [analyzer] INFO: Analysis completed.

Cuckoo Log

2025-06-21 12:33:32,895 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:33:33,913 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:33:34,935 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:33:35,962 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:33:36,982 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:33:38,004 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:33:39,027 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:33:40,048 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:33:41,358 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:33:42,415 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:33:43,499 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:33:44,567 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:33:45,639 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:33:46,829 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:33:48,030 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:33:49,144 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:33:50,206 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:33:51,247 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:33:52,652 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:33:53,736 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:33:54,821 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:33:55,900 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:33:56,975 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:33:58,073 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:33:59,434 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:34:00,522 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:34:01,947 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:34:03,070 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:34:04,176 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:34:05,278 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:34:06,382 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:34:07,465 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:34:08,517 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:34:09,577 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:34:10,635 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:34:11,692 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:34:12,745 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:34:13,803 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:34:15,190 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:34:16,245 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:34:17,311 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:34:18,565 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:34:19,641 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:34:20,737 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:34:21,814 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:34:22,888 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:34:24,140 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:34:25,268 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:34:26,313 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:34:27,586 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:34:28,682 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:34:29,799 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:34:30,938 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:34:32,010 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:34:33,037 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:34:34,442 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:34:35,839 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:34:37,586 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:34:39,154 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:34:40,199 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:34:41,249 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:34:42,299 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:34:43,346 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:34:45,000 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:34:46,049 [cuckoo.core.scheduler] DEBUG: Task #6570735: no machine available yet
2025-06-21 12:34:47,220 [cuckoo.core.scheduler] INFO: Task #6570735: acquired machine win7x6411 (label=win7x6411)
2025-06-21 12:34:47,234 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.211 for task #6570735
2025-06-21 12:34:47,863 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 281937 (interface=vboxnet0, host=192.168.168.211)
2025-06-21 12:34:47,941 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x6411
2025-06-21 12:34:55,756 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x6411 to vmcloak
2025-06-21 12:36:48,555 [cuckoo.core.guest] INFO: Starting analysis #6570735 on guest (id=win7x6411, ip=192.168.168.211)
2025-06-21 12:36:49,669 [cuckoo.core.guest] DEBUG: win7x6411: not ready yet
2025-06-21 12:36:54,713 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x6411, ip=192.168.168.211)
2025-06-21 12:36:54,824 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x6411, ip=192.168.168.211, monitor=latest, size=6660546)
2025-06-21 12:36:56,472 [cuckoo.core.resultserver] DEBUG: Task #6570735: live log analysis.log initialized.
2025-06-21 12:36:57,585 [cuckoo.core.resultserver] DEBUG: Task #6570735 is sending a BSON stream
2025-06-21 12:36:58,065 [cuckoo.core.resultserver] DEBUG: Task #6570735 is sending a BSON stream
2025-06-21 12:36:58,782 [cuckoo.core.resultserver] DEBUG: Task #6570735: File upload for 'shots/0001.jpg'
2025-06-21 12:36:58,802 [cuckoo.core.resultserver] DEBUG: Task #6570735 uploaded file length: 133462
2025-06-21 12:37:00,495 [cuckoo.core.resultserver] DEBUG: Task #6570735 is sending a BSON stream
2025-06-21 12:37:11,085 [cuckoo.core.guest] DEBUG: win7x6411: analysis #6570735 still processing
2025-06-21 12:37:26,309 [cuckoo.core.guest] DEBUG: win7x6411: analysis #6570735 still processing
2025-06-21 12:37:27,516 [cuckoo.core.resultserver] DEBUG: Task #6570735: File upload for 'curtain/1750426897.03.curtain.log'
2025-06-21 12:37:27,523 [cuckoo.core.resultserver] DEBUG: Task #6570735 uploaded file length: 553672
2025-06-21 12:37:27,739 [cuckoo.core.resultserver] DEBUG: Task #6570735: File upload for 'sysmon/1750426897.25.sysmon.xml'
2025-06-21 12:37:27,764 [cuckoo.core.resultserver] DEBUG: Task #6570735 uploaded file length: 1314316
2025-06-21 12:37:27,816 [cuckoo.core.resultserver] DEBUG: Task #6570735 had connection reset for <Context for LOG>
2025-06-21 12:37:29,324 [cuckoo.core.guest] INFO: win7x6411: analysis completed successfully
2025-06-21 12:37:29,344 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2025-06-21 12:37:29,378 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2025-06-21 12:37:30,676 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x6411 to path /srv/cuckoo/cwd/storage/analyses/6570735/memory.dmp
2025-06-21 12:37:30,677 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x6411
2025-06-21 12:40:41,166 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.211 for task #6570735
2025-06-21 12:40:42,190 [cuckoo.core.scheduler] DEBUG: Released database task #6570735
2025-06-21 12:40:42,232 [cuckoo.core.scheduler] INFO: Task #6570735: analysis procedure completed

Signatures

Allocates read-write-execute memory (usually to unpack itself) (36 events)
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72e52000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72e52000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72e52000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 624
region_size: 2097152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009d0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 624
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b90000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 624
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00443000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 624
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00980000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 624
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00475000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 624
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0047b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 624
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00477000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 624
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00466000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 624
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00981000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 624
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0046a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 624
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00467000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 624
region_size: 1900544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04cf0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 624
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e80000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 624
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0044d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000
process_handle: 0xffffffff
3221225496 0

NtAllocateVirtualMemory

process_identifier: 624
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00982000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 624
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00983000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 624
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00984000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 624
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00985000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 624
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0435f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 624
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04350000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 624
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00986000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 624
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00987000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 624
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00988000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 624
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00989000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 624
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04351000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 624
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0098a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 624
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0098b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 624
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0098c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 624
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0098d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 624
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0098e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 624
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0098f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 624
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04352000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
Checks if process is being debugged by a debugger (2 events)
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Uses Windows APIs to generate a cryptographic key (6 events)
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004f1e68
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004f1e68
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004f1e68
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004f25a8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004f25a8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004f25a8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Creates a suspicious process (2 events)
cmdline powershell Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\OPTIMIZATIONDBE\svchost.exe" -Force
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\OPTIMIZATIONDBE\svchost.exe" -Force
A process created a hidden window (2 events)
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: powershell
parameters: Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\OPTIMIZATIONDBE\svchost.exe" -Force
filepath: powershell
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: powershell
parameters: Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\OPTIMIZATIONDBE\svchost.exe" -Force
filepath: powershell
1 1 0
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
Detects Avast Antivirus through the presence of a library (2 events)
Time & API Arguments Status Return Repeated

LdrGetDllHandle

module_name: snxhk.dll
module_address: 0x00000000
stack_pivoted: 0
3221225781 0

LdrGetDllHandle

module_name: snxhk.dll
module_address: 0x00000000
stack_pivoted: 0
3221225781 0
File has been identified by 8 AntiVirus engines on IRMA as malicious (8 events)
G Data Antivirus (Windows) Virus: Trojan.GenericKD.47848432 (Engine A)
Avast Core Security (Linux) Win32:Malware-gen
WithSecure (Linux) Heuristic.HEUR/AGEN.1307175
eScan Antivirus (Linux) Trojan.GenericKD.47848432(DB)
ESET Security (Windows) a variant of MSIL/Kryptik.ADYC trojan
Sophos Anti-Virus (Linux) Mal/DrodRar-AIC
DrWeb Antivirus (Linux) Trojan.Inject4.23959
Emsisoft Commandline Scanner (Windows) Trojan.GenericKD.47848432 (B)
File has been identified by 37 AntiVirus engines on VirusTotal as malicious (37 events)
Lionic Trojan.MSIL.Agensla.i!c
CAT-QuickHeal Trojan.IGENERIC
McAfee Artemis!EA853B8DF792
ALYac Spyware.AgentTesla
Malwarebytes Spyware.AgentTesla
Sangfor Infostealer.MSIL.Agensla.gen
K7AntiVirus Trojan ( 00564f471 )
K7GW Trojan ( 00564f471 )
Arcabit Trojan.Generic.D2DA1BF0
Cyren W32/Agensla.KFXO-6301
ESET-NOD32 a variant of MSIL/Kryptik.ADYC
Avast Win32:Malware-gen
Cynet Malicious (score: 99)
Kaspersky HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender Trojan.GenericKD.47848432
MicroWorld-eScan Trojan.GenericKD.47848432
Rising Malware.Obfus/MSIL@AI.90 (RDM.MSIL:EoavVC2L6RJ7cPuHO3QUhA)
Emsisoft Trojan.GenericKD.47848432 (B)
Comodo Malware@#2qvqmd85ch2pu
DrWeb Trojan.Inject4.23959
TrendMicro TROJ_FRS.0NA103AA22
McAfee-GW-Edition Artemis!Trojan
FireEye Trojan.GenericKD.47848432
Sophos Mal/DrodRar-AIC
Ikarus Trojan.Inject
Avira TR/AD.GenSteal.yqnyk
MAX malware (ai score=82)
Antiy-AVL Trojan/Generic.ASMalwS.3501855
Microsoft Trojan:MSIL/AgentTesla.DYB!MTB
GData Trojan.GenericKD.47848432
AhnLab-V3 Trojan/Win.Generic.C4902410
VBA32 TScope.Trojan.MSIL
Yandex Trojan.Igent.bXgN11.10
SentinelOne Static AI - Suspicious Archive
MaxSecure Trojan.Malware.74499699.susgen
Fortinet W32/Malicious_Behavior.SBX
AVG Win32:Malware-gen
Screenshots
Name | Response | Post-Analysis Lookup
No hosts contacted.
IP Address | Status | Action | VT | Location
No hosts contacted.