Summary

35b131914173b444_7d57ad13e21.exe

File 35b131914173b444_7d57ad13e21.exe

Summary
Download Resubmit sample Download yara

Size 5.7MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 bb81be5d3a2b24993f0c1841e0fdfe91
SHA1 d96dee48d4b9321861547a07d132991320b5f945
SHA256 35b131914173b444d7917d2d78a6cf2c6cfee00d99636e61b18370bd738e1f7d
SHA512
52099ea9150b0f8b566a2536074ceb923e3630a4341e25baaa52f8509ff265feeb6a5b21393d5140e216f7f814ff8572f8cb5e091a0bcb47fae767e6d9f47802
CRC32 E4D93DD1
ssdeep None
Yara
  • screenshot - Take screenshot
  • keylogger - Run a keylogger
  • win_registry - Affect system registries
  • win_files_operation - Affect private profile
  • win_hook - Affect hook table

Score

This file is very suspicious, with a score of 10 out of 10!

Please notice: The scoring system is currently still in development and should be considered an alpha feature.

Autosubmit

Parent_Task_ID:6570723

Feedback

Expecting different results? Send us this analysis and we will inspect it. Click here

Information on Execution

Analysis
Category Started Completed Duration Routing Logs
FILE June 25, 2025, 12:50 p.m. June 25, 2025, 1 p.m. 612 seconds internet Show Analyzer Log
Show Cuckoo Log

Analyzer Log

2025-06-21 12:41:38,015 [analyzer] DEBUG: Starting analyzer from: C:\tmpqqrt4a
2025-06-21 12:41:38,015 [analyzer] DEBUG: Pipe server name: \??\PIPE\UntddpXAmEJecdMeLgrvHwovJEf
2025-06-21 12:41:38,015 [analyzer] DEBUG: Log pipe server name: \??\PIPE\cMKMUfxULURzxcOSsLulMGUH
2025-06-21 12:41:38,015 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2025-06-21 12:41:38,030 [analyzer] INFO: Automatically selected analysis package "exe"
2025-06-21 12:41:38,312 [analyzer] DEBUG: Started auxiliary module Curtain
2025-06-21 12:41:38,312 [analyzer] DEBUG: Started auxiliary module DbgView
2025-06-21 12:41:38,921 [analyzer] DEBUG: Started auxiliary module Disguise
2025-06-21 12:41:39,155 [analyzer] DEBUG: Loaded monitor into process with pid 504
2025-06-21 12:41:39,155 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2025-06-21 12:41:39,155 [analyzer] DEBUG: Started auxiliary module Human
2025-06-21 12:41:39,155 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2025-06-21 12:41:39,155 [analyzer] DEBUG: Started auxiliary module Reboot
2025-06-21 12:41:39,203 [analyzer] DEBUG: Started auxiliary module RecentFiles
2025-06-21 12:41:39,203 [analyzer] DEBUG: Started auxiliary module Screenshots
2025-06-21 12:41:39,217 [analyzer] DEBUG: Started auxiliary module Sysmon
2025-06-21 12:41:39,217 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2025-06-21 12:41:39,467 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\35b131914173b444_7d57ad13e21.exe' with arguments '' and pid 1892
2025-06-21 12:41:39,625 [analyzer] DEBUG: Loaded monitor into process with pid 1892
2025-06-21 12:42:00,233 [analyzer] INFO: Added new file to list with pid 1892 and path C:\Users\Administrator\AppData\Roaming\7D57AD13E21.exe
2025-06-21 12:42:00,546 [analyzer] INFO: Injected into process with pid 2844 and name u'reg.exe'
2025-06-21 12:42:00,780 [analyzer] DEBUG: Loaded monitor into process with pid 2844
2025-06-21 12:42:00,780 [analyzer] INFO: Injected into process with pid 1064 and name u'7D57AD13E21.exe'
2025-06-21 12:42:01,000 [analyzer] DEBUG: Loaded monitor into process with pid 1064
2025-06-21 12:42:01,390 [analyzer] INFO: Added new file to list with pid 1892 and path C:\Users\Administrator\AppData\Roaming\Scegli_nome_allegato.exe
2025-06-21 12:42:01,467 [analyzer] INFO: Process with pid 2844 has terminated
2025-06-21 12:42:02,467 [analyzer] INFO: Process with pid 1892 has terminated
2025-06-21 12:44:58,467 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2025-06-21 12:44:59,733 [analyzer] INFO: Terminating remaining processes before shutdown.
2025-06-21 12:44:59,733 [lib.api.process] INFO: Successfully terminated process with pid 1064.
2025-06-21 12:44:59,905 [analyzer] INFO: Analysis completed.

Cuckoo Log

2025-06-25 12:50:05,777 [cuckoo.core.scheduler] DEBUG: Task #6588615: no machine available yet
2025-06-25 12:50:06,822 [cuckoo.core.scheduler] DEBUG: Task #6588615: no machine available yet
2025-06-25 12:50:07,855 [cuckoo.core.scheduler] DEBUG: Task #6588615: no machine available yet
2025-06-25 12:50:08,874 [cuckoo.core.scheduler] DEBUG: Task #6588615: no machine available yet
2025-06-25 12:50:09,904 [cuckoo.core.scheduler] DEBUG: Task #6588615: no machine available yet
2025-06-25 12:50:10,933 [cuckoo.core.scheduler] DEBUG: Task #6588615: no machine available yet
2025-06-25 12:50:11,955 [cuckoo.core.scheduler] DEBUG: Task #6588615: no machine available yet
2025-06-25 12:50:12,990 [cuckoo.core.scheduler] DEBUG: Task #6588615: no machine available yet
2025-06-25 12:50:14,043 [cuckoo.core.scheduler] DEBUG: Task #6588615: no machine available yet
2025-06-25 12:50:15,071 [cuckoo.core.scheduler] DEBUG: Task #6588615: no machine available yet
2025-06-25 12:50:16,205 [cuckoo.core.scheduler] DEBUG: Task #6588615: no machine available yet
2025-06-25 12:50:17,226 [cuckoo.core.scheduler] DEBUG: Task #6588615: no machine available yet
2025-06-25 12:50:18,253 [cuckoo.core.scheduler] DEBUG: Task #6588615: no machine available yet
2025-06-25 12:50:19,274 [cuckoo.core.scheduler] DEBUG: Task #6588615: no machine available yet
2025-06-25 12:50:20,295 [cuckoo.core.scheduler] DEBUG: Task #6588615: no machine available yet
2025-06-25 12:50:21,321 [cuckoo.core.scheduler] DEBUG: Task #6588615: no machine available yet
2025-06-25 12:50:22,348 [cuckoo.core.scheduler] DEBUG: Task #6588615: no machine available yet
2025-06-25 12:50:23,376 [cuckoo.core.scheduler] DEBUG: Task #6588615: no machine available yet
2025-06-25 12:50:24,400 [cuckoo.core.scheduler] DEBUG: Task #6588615: no machine available yet
2025-06-25 12:50:25,427 [cuckoo.core.scheduler] DEBUG: Task #6588615: no machine available yet
2025-06-25 12:50:26,703 [cuckoo.core.scheduler] DEBUG: Task #6588615: no machine available yet
2025-06-25 12:50:27,754 [cuckoo.core.scheduler] DEBUG: Task #6588615: no machine available yet
2025-06-25 12:50:28,796 [cuckoo.core.scheduler] DEBUG: Task #6588615: no machine available yet
2025-06-25 12:50:29,837 [cuckoo.core.scheduler] DEBUG: Task #6588615: no machine available yet
2025-06-25 12:50:30,880 [cuckoo.core.scheduler] DEBUG: Task #6588615: no machine available yet
2025-06-25 12:50:31,933 [cuckoo.core.scheduler] DEBUG: Task #6588615: no machine available yet
2025-06-25 12:50:32,974 [cuckoo.core.scheduler] DEBUG: Task #6588615: no machine available yet
2025-06-25 12:50:34,008 [cuckoo.core.scheduler] DEBUG: Task #6588615: no machine available yet
2025-06-25 12:50:35,051 [cuckoo.core.scheduler] DEBUG: Task #6588615: no machine available yet
2025-06-25 12:50:36,086 [cuckoo.core.scheduler] DEBUG: Task #6588615: no machine available yet
2025-06-25 12:50:37,259 [cuckoo.core.scheduler] DEBUG: Task #6588615: no machine available yet
2025-06-25 12:50:38,304 [cuckoo.core.scheduler] DEBUG: Task #6588615: no machine available yet
2025-06-25 12:50:39,345 [cuckoo.core.scheduler] DEBUG: Task #6588615: no machine available yet
2025-06-25 12:50:40,377 [cuckoo.core.scheduler] DEBUG: Task #6588615: no machine available yet
2025-06-25 12:50:41,410 [cuckoo.core.scheduler] DEBUG: Task #6588615: no machine available yet
2025-06-25 12:50:42,555 [cuckoo.core.scheduler] DEBUG: Task #6588615: no machine available yet
2025-06-25 12:50:43,615 [cuckoo.core.scheduler] INFO: Task #6588615: acquired machine win7x6428 (label=win7x6428)
2025-06-25 12:50:43,617 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.228 for task #6588615
2025-06-25 12:50:43,924 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 3990858 (interface=vboxnet0, host=192.168.168.228)
2025-06-25 12:50:52,795 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x6428
2025-06-25 12:50:53,342 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x6428 to vmcloak
2025-06-25 12:54:04,521 [cuckoo.core.guest] INFO: Starting analysis #6588615 on guest (id=win7x6428, ip=192.168.168.228)
2025-06-25 12:54:05,527 [cuckoo.core.guest] DEBUG: win7x6428: not ready yet
2025-06-25 12:54:10,551 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x6428, ip=192.168.168.228)
2025-06-25 12:54:10,660 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x6428, ip=192.168.168.228, monitor=latest, size=6660546)
2025-06-25 12:54:12,322 [cuckoo.core.resultserver] DEBUG: Task #6588615: live log analysis.log initialized.
2025-06-25 12:54:13,411 [cuckoo.core.resultserver] DEBUG: Task #6588615 is sending a BSON stream
2025-06-25 12:54:13,864 [cuckoo.core.resultserver] DEBUG: Task #6588615 is sending a BSON stream
2025-06-25 12:54:14,645 [cuckoo.core.resultserver] DEBUG: Task #6588615: File upload for 'shots/0001.jpg'
2025-06-25 12:54:14,657 [cuckoo.core.resultserver] DEBUG: Task #6588615 uploaded file length: 133497
2025-06-25 12:54:27,136 [cuckoo.core.guest] DEBUG: win7x6428: analysis #6588615 still processing
2025-06-25 12:54:35,021 [cuckoo.core.resultserver] DEBUG: Task #6588615 is sending a BSON stream
2025-06-25 12:54:35,257 [cuckoo.core.resultserver] DEBUG: Task #6588615 is sending a BSON stream
2025-06-25 12:54:42,276 [cuckoo.core.guest] DEBUG: win7x6428: analysis #6588615 still processing
2025-06-25 12:54:57,374 [cuckoo.core.guest] DEBUG: win7x6428: analysis #6588615 still processing
2025-06-25 12:55:12,803 [cuckoo.core.guest] DEBUG: win7x6428: analysis #6588615 still processing
2025-06-25 12:55:27,909 [cuckoo.core.guest] DEBUG: win7x6428: analysis #6588615 still processing
2025-06-25 12:55:43,450 [cuckoo.core.guest] DEBUG: win7x6428: analysis #6588615 still processing
2025-06-25 12:55:58,672 [cuckoo.core.guest] DEBUG: win7x6428: analysis #6588615 still processing
2025-06-25 12:56:13,790 [cuckoo.core.guest] DEBUG: win7x6428: analysis #6588615 still processing
2025-06-25 12:56:28,950 [cuckoo.core.guest] DEBUG: win7x6428: analysis #6588615 still processing
2025-06-25 12:56:44,047 [cuckoo.core.guest] DEBUG: win7x6428: analysis #6588615 still processing
2025-06-25 12:56:59,145 [cuckoo.core.guest] DEBUG: win7x6428: analysis #6588615 still processing
2025-06-25 12:57:14,273 [cuckoo.core.guest] DEBUG: win7x6428: analysis #6588615 still processing
2025-06-25 12:57:29,484 [cuckoo.core.guest] DEBUG: win7x6428: analysis #6588615 still processing
2025-06-25 12:57:32,990 [cuckoo.core.resultserver] DEBUG: Task #6588615: File upload for 'curtain/1750502698.66.curtain.log'
2025-06-25 12:57:32,993 [cuckoo.core.resultserver] DEBUG: Task #6588615 uploaded file length: 36
2025-06-25 12:57:33,951 [cuckoo.core.resultserver] DEBUG: Task #6588615: File upload for 'sysmon/1750502699.62.sysmon.xml'
2025-06-25 12:57:34,056 [cuckoo.core.resultserver] DEBUG: Task #6588615 uploaded file length: 13533612
2025-06-25 12:57:34,125 [cuckoo.core.resultserver] DEBUG: Task #6588615: File upload for 'files/9fea97e4b6379e4a_scegli_nome_allegato.exe'
2025-06-25 12:57:34,136 [cuckoo.core.resultserver] DEBUG: Task #6588615 uploaded file length: 1050871
2025-06-25 12:57:34,191 [cuckoo.core.resultserver] DEBUG: Task #6588615: File upload for 'files/5dd6f4535e7a2cea_7d57ad13e21.exe'
2025-06-25 12:57:34,234 [cuckoo.core.resultserver] DEBUG: Task #6588615 uploaded file length: 6014905
2025-06-25 12:57:34,247 [cuckoo.core.resultserver] DEBUG: Task #6588615 had connection reset for <Context for LOG>
2025-06-25 12:57:35,519 [cuckoo.core.guest] INFO: win7x6428: analysis completed successfully
2025-06-25 12:57:35,536 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2025-06-25 12:57:35,651 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2025-06-25 12:57:36,535 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x6428 to path /srv/cuckoo/cwd/storage/analyses/6588615/memory.dmp
2025-06-25 12:57:36,536 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x6428
2025-06-25 13:00:17,387 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.228 for task #6588615
2025-06-25 13:00:17,859 [cuckoo.core.scheduler] DEBUG: Released database task #6588615
2025-06-25 13:00:17,877 [cuckoo.core.scheduler] INFO: Task #6588615: analysis procedure completed

Signatures

Yara rules detected for file (5 events)
description Take screenshot rule screenshot
description Run a keylogger rule keylogger
description Affect system registries rule win_registry
description Affect private profile rule win_files_operation
description Affect hook table rule win_hook
Allocates read-write-execute memory (usually to unpack itself) (2 events)
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 1892
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1064
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00360000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
Command line console output was observed (1 event)
Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: The operation completed successfully.
console_handle: 0x00000007
1 1 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (7 events)
section CODE\x00U
section DATA\x00s\x1dm
section BSS\x00\xba\x7f
section .data2
section .tls\x00\x7f
section .rdata\x00\
section .reloc\x00h
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Creates executable files on the filesystem (2 events)
file C:\Users\Administrator\AppData\Roaming\Scegli_nome_allegato.exe
file C:\Users\Administrator\AppData\Roaming\7D57AD13E21.exe
Drops a binary and executes it (2 events)
file C:\Users\Administrator\AppData\Roaming\7D57AD13E21.exe
file C:\Users\Administrator\AppData\Roaming\Scegli_nome_allegato.exe
Drops an executable to the user AppData folder (2 events)
file C:\Users\Administrator\AppData\Roaming\Scegli_nome_allegato.exe
file C:\Users\Administrator\AppData\Roaming\7D57AD13E21.exe
A process created a hidden window (1 event)
Time & API Arguments Status Return Repeated

ShellExecuteExW

 show_type: 0
filepath_r: reg.exe
parameters: ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Update" /t REG_SZ /d "C:\Users\Administrator\AppData\Roaming\7D57AD13E21.exe" /f
filepath: reg.exe
1 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
section {u'size_of_data': u'0x001a3e00', u'virtual_address': u'0x0005d000', u'entropy': 7.97621457712309, u'name': u'.rsrc', u'virtual_size': u'0x001a3c78'} entropy 7.97621457712 description A section with a high entropy has been found
entropy 0.827543729983 description Overall entropy of this PE file is high
Uses Windows utilities for basic Windows functionality (2 events)
cmdline "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Update" /t REG_SZ /d "C:\Users\Administrator\AppData\Roaming\7D57AD13E21.exe" /f
cmdline reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Update" /t REG_SZ /d "C:\Users\Administrator\AppData\Roaming\7D57AD13E21.exe" /f
One or more of the buffers contains an embedded PE file (1 event)
buffer Buffer with sha1: 8927d71b5ac3d97b23dd343f8f8c6a4992ce9f8f
Allocates execute permission to another process indicative of possible code injection (1 event)
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 679936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000000ec
1 0 0
Installs itself for autorun at Windows startup (1 event)
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update reg_value C:\Users\Administrator\AppData\Roaming\7D57AD13E21.exe
Manipulates memory of a non-child process indicative of process injection (3 events)
Process injection Process 1064 manipulating memory of non-child process 2784
Time & API Arguments Status Return Repeated

NtUnmapViewOfSection

 base_address: 0x00400000
region_size: 4096
process_identifier: 2784
process_handle: 0x000000ec
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 679936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000000ec
1 0 0
Potential code injection by writing to the memory of another process (2 events)
Process injection Process 1064 injected into non-child 2784
Time & API Arguments Status Return Repeated

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2784
process_handle: 0x000000ec
1 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)
Process injection Process 1064 called NtSetContextThread to modify thread in remote process 2784
Time & API Arguments Status Return Repeated

NtSetContextThread

 registers.eip: 2011365812
registers.esp: 1638384
registers.edi: 0
registers.eax: 4741652
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000e8
process_identifier: 2784
1 0 0
Executed a process and injected code into it, probably while unpacking (10 events)
Time & API Arguments Status Return Repeated

CreateProcessInternalW

 thread_identifier: 1540
thread_handle: 0x0000022c
process_identifier: 2844
current_directory: C:\Users\Administrator\AppData\Local\Temp
filepath: C:\Windows\System32\reg.exe
track: 1
command_line: "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Update" /t REG_SZ /d "C:\Users\Administrator\AppData\Roaming\7D57AD13E21.exe" /f
filepath_r: C:\Windows\System32\reg.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000234
1 1 0

CreateProcessInternalW

 thread_identifier: 1768
thread_handle: 0x000002a4
process_identifier: 1064
current_directory: C:\Users\Administrator\AppData\Local\Temp
filepath: C:\Users\Administrator\AppData\Roaming\7D57AD13E21.exe
track: 1
command_line: "C:\Users\Administrator\AppData\Roaming\7D57AD13E21.exe"
filepath_r: C:\Users\Administrator\AppData\Roaming\7D57AD13E21.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000002a8
1 1 0

CreateProcessInternalW

 thread_identifier: 0
thread_handle: 0x00000000
process_identifier: 0
current_directory: C:\Users\Administrator\AppData\Local\Temp
filepath: C:\Users\Administrator\AppData\Roaming\Scegli_nome_allegato.exe
track: 0
command_line: "C:\Users\Administrator\AppData\Roaming\Scegli_nome_allegato.exe"
filepath_r: C:\Users\Administrator\AppData\Roaming\Scegli_nome_allegato.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000000
0 0

CreateProcessInternalW

 thread_identifier: 2080
thread_handle: 0x000000e8
process_identifier: 2784
current_directory:
filepath: C:\Users\Administrator\AppData\Roaming\7D57AD13E21.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator\AppData\Roaming\7D57AD13E21.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x000000ec
1 1 0

NtGetContextThread

 thread_handle: 0x000000e8
1 0 0

NtUnmapViewOfSection

 base_address: 0x00400000
region_size: 4096
process_identifier: 2784
process_handle: 0x000000ec
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2784
region_size: 679936
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x000000ec
1 0 0

WriteProcessMemory

 buffer:
base_address: 0x00400000
process_identifier: 2784
process_handle: 0x000000ec
1 1 0

WriteProcessMemory

 buffer: @
base_address: 0x7efde008
process_identifier: 2784
process_handle: 0x000000ec
1 1 0

NtSetContextThread

 registers.eip: 2011365812
registers.esp: 1638384
registers.edi: 0
registers.eax: 4741652
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x000000e8
process_identifier: 2784
1 0 0
File has been identified by 13 AntiVirus engine on IRMA as malicious (13 events)
G Data Antivirus (Windows) Virus: Gen:Variant.Genie.689 (Engine A)
Avast Core Security (Linux) Win32:MBRlock-DV [Trj]
C4S ClamAV (Linux) Win.Trojan.Mbrlock-9779766-0
Trellix (Linux) GenericRXIP-BJ
WithSecure (Linux) Trojan.TR/Crypt.XPACK.Gen
eScan Antivirus (Linux) Gen:Variant.Genie.689(DB)
ESET Security (Windows) a variant of Win32/Injector.ERFT trojan
Sophos Anti-Virus (Linux) Troj/Inject-JDR
DrWeb Antivirus (Linux) Trojan.DownLoader6.7779
ClamAV (Linux) Win.Trojan.Mbrlock-9779766-0
Bitdefender Antivirus (Linux) Gen:Variant.Genie.689
Kaspersky Standard (Windows) HEUR:Trojan-Ransom.Win32.Blocker.vho
Emsisoft Commandline Scanner (Windows) Gen:Variant.Genie.689 (B)
Screenshots
Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action VT Location
No hosts contacted.
Cuckoo

We're processing your submission... This could take a few seconds.