Cuckoo Sandbox

File ca9545fd357a2c981d3d25398393f3e499f10aa8a48d5f2b93d1c44deb9edf63

Summary
Download Resubmit sample

Size	45.8KB
Type	HTML document, Unicode text, UTF-8 text, with very long lines (7259), with CRLF, LF line terminators
MD5	`8a00224aab26c0897bf9aa94d0c9a6c2`
SHA1	`c453200fe9f826520e92cd7990a00f05e7ec199c`
SHA256	`ca9545fd357a2c981d3d25398393f3e499f10aa8a48d5f2b93d1c44deb9edf63`
SHA512	`b619390194efe70104e5169cf3746fb3d453a77919c8a9275e5ab53bf49a6fe0633f50619c8154c98b86b4366abbcd89ac6ee98524ab6f67b7f36c901a8f766e`
CRC32	`B31F2402`
ssdeep	`None`
Yara	None matched

Score

This file is very suspicious, with a score of 10 out of 10!

Please notice: The scoring system is currently still in development and should be considered an alpha feature.

Feedback

Expecting different results? Send us this analysis and we will inspect it. Click here

Information on Execution

Analysis

Category	Started	Completed	Duration	Routing	Logs
FILE	July 10, 2025, 2:58 a.m.	July 10, 2025, 3:03 a.m.	327 seconds	internet	Show Analyzer Log Show Cuckoo Log

Analyzer Log

2025-07-07 23:13:11,015 [analyzer] DEBUG: Starting analyzer from: C:\tmptisd8w
2025-07-07 23:13:11,015 [analyzer] DEBUG: Pipe server name: \??\PIPE\varRjjowaopIESFczMIFpUT
2025-07-07 23:13:11,015 [analyzer] DEBUG: Log pipe server name: \??\PIPE\NjZxeTAUIAaWYDUqVYDaKTgi
2025-07-07 23:13:11,015 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2025-07-07 23:13:11,030 [analyzer] INFO: Automatically selected analysis package "ie"
2025-07-07 23:13:11,296 [analyzer] DEBUG: Started auxiliary module Curtain
2025-07-07 23:13:11,312 [analyzer] DEBUG: Started auxiliary module DbgView
2025-07-07 23:13:11,733 [analyzer] DEBUG: Started auxiliary module Disguise
2025-07-07 23:13:11,937 [analyzer] DEBUG: Loaded monitor into process with pid 508
2025-07-07 23:13:11,937 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2025-07-07 23:13:11,937 [analyzer] DEBUG: Started auxiliary module Human
2025-07-07 23:13:11,937 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2025-07-07 23:13:11,937 [analyzer] DEBUG: Started auxiliary module Reboot
2025-07-07 23:13:12,015 [analyzer] DEBUG: Started auxiliary module RecentFiles
2025-07-07 23:13:12,015 [analyzer] DEBUG: Started auxiliary module Screenshots
2025-07-07 23:13:12,015 [analyzer] DEBUG: Started auxiliary module Sysmon
2025-07-07 23:13:12,015 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2025-07-07 23:13:12,015 [modules.packages.ie] INFO: Submitted file is missing extension, adding .html
2025-07-07 23:13:12,140 [lib.api.process] INFO: Successfully executed process from path 'C:\\Program Files\\Internet Explorer\\iexplore.exe' with arguments [u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\ca9545fd357a2c981d3d25398393f3e499f10aa8a48d5f2b93d1c44deb9edf63.html'] and pid 2372
2025-07-07 23:13:12,280 [analyzer] DEBUG: Loaded monitor into process with pid 2372
2025-07-07 23:13:14,046 [analyzer] DEBUG: Following legitimate IE11 process: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2372 CREDAT:275457 /prefetch:2!
2025-07-07 23:13:14,140 [analyzer] INFO: Injected into process with pid 356 and name u'iexplore.exe'
2025-07-07 23:13:14,217 [lib.api.process] ERROR: Failed to dump memory of 32-bit process with pid 356.
2025-07-07 23:13:14,342 [analyzer] INFO: Added new file to list with pid 2372 and path C:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{30122CFF-5B77-11F0-B305-78589F4D5B44}.dat
2025-07-07 23:13:14,390 [analyzer] DEBUG: Loaded monitor into process with pid 356
2025-07-07 23:13:14,405 [analyzer] INFO: Added new file to list with pid 2372 and path C:\Users\Administrator\AppData\Local\Temp\~DF3D1B0F0F762372EF.TMP
2025-07-07 23:13:14,592 [analyzer] DEBUG: Error resolving function mshtml!CDocument_write through our custom callback.
2025-07-07 23:13:14,592 [analyzer] DEBUG: Error resolving function mshtml!CElement_put_innerHTML through our custom callback.
2025-07-07 23:13:14,592 [analyzer] DEBUG: Error resolving function mshtml!CHyperlink_SetUrlComponent through our custom callback.
2025-07-07 23:13:14,592 [analyzer] DEBUG: Error resolving function mshtml!CIFrameElement_CreateElement through our custom callback.
2025-07-07 23:13:14,592 [analyzer] DEBUG: Error resolving function mshtml!CImgElement_put_src through our custom callback.
2025-07-07 23:13:14,592 [analyzer] DEBUG: Error resolving function mshtml!CScriptElement_put_src through our custom callback.
2025-07-07 23:13:14,592 [analyzer] DEBUG: Error resolving function mshtml!CWindow_AddTimeoutCode through our custom callback.
2025-07-07 23:13:14,592 [analyzer] DEBUG: Error resolving function mshtml!CDocument_write through our custom callback.
2025-07-07 23:13:14,592 [analyzer] DEBUG: Error resolving function mshtml!CElement_put_innerHTML through our custom callback.
2025-07-07 23:13:14,608 [analyzer] DEBUG: Error resolving function mshtml!CHyperlink_SetUrlComponent through our custom callback.
2025-07-07 23:13:14,608 [analyzer] DEBUG: Error resolving function mshtml!CIFrameElement_CreateElement through our custom callback.
2025-07-07 23:13:14,608 [analyzer] DEBUG: Error resolving function mshtml!CImgElement_put_src through our custom callback.
2025-07-07 23:13:14,608 [analyzer] DEBUG: Error resolving function mshtml!CScriptElement_put_src through our custom callback.
2025-07-07 23:13:14,608 [analyzer] DEBUG: Error resolving function mshtml!CWindow_AddTimeoutCode through our custom callback.
2025-07-07 23:13:14,953 [analyzer] INFO: Added new file to list with pid 2372 and path C:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{30122D01-5B77-11F0-B305-78589F4D5B44}.dat
2025-07-07 23:13:14,983 [analyzer] INFO: Added new file to list with pid 2372 and path C:\Users\Administrator\AppData\Local\Temp\~DF15450CD59AB6BDD4.TMP
2025-07-07 23:13:15,030 [analyzer] DEBUG: Error resolving function mshtml!CDocument_write through our custom callback.
2025-07-07 23:13:15,030 [analyzer] DEBUG: Error resolving function mshtml!CElement_put_innerHTML through our custom callback.
2025-07-07 23:13:15,030 [analyzer] DEBUG: Error resolving function mshtml!CHyperlink_SetUrlComponent through our custom callback.
2025-07-07 23:13:15,030 [analyzer] DEBUG: Error resolving function mshtml!CIFrameElement_CreateElement through our custom callback.
2025-07-07 23:13:15,030 [analyzer] DEBUG: Error resolving function mshtml!CImgElement_put_src through our custom callback.
2025-07-07 23:13:15,030 [analyzer] DEBUG: Error resolving function mshtml!CScriptElement_put_src through our custom callback.
2025-07-07 23:13:15,046 [analyzer] DEBUG: Error resolving function mshtml!CWindow_AddTimeoutCode through our custom callback.
2025-07-07 23:13:20,530 [analyzer] INFO: Added new file to list with pid 356 and path C:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4A9377E7E528F7E56B69A81C500ABC24
2025-07-07 23:13:20,530 [analyzer] INFO: Added new file to list with pid 356 and path C:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\14232B434CF29D4C4FB335A86D7FFFE3
2025-07-07 23:13:20,546 [analyzer] INFO: Added new file to list with pid 356 and path C:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4A9377E7E528F7E56B69A81C500ABC24
2025-07-07 23:13:20,546 [analyzer] INFO: Added new file to list with pid 356 and path C:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\14232B434CF29D4C4FB335A86D7FFFE3
2025-07-07 23:13:20,562 [analyzer] INFO: Added new file to list with pid 356 and path C:\Users\Administrator\AppData\Local\Temp\CabE8BC.tmp
2025-07-07 23:13:20,562 [analyzer] INFO: Added new file to list with pid 356 and path C:\Users\Administrator\AppData\Local\Temp\CabE8BE.tmp
2025-07-07 23:13:20,578 [analyzer] INFO: Added new file to list with pid 356 and path C:\Users\Administrator\AppData\Local\Temp\TarE8CE.tmp
2025-07-07 23:13:20,578 [analyzer] INFO: Added new file to list with pid 356 and path C:\Users\Administrator\AppData\Local\Temp\TarE8BD.tmp
2025-07-07 23:13:20,592 [analyzer] INFO: Added new file to list with pid 356 and path C:\Users\Administrator\AppData\Local\Temp\CabE8E0.tmp
2025-07-07 23:13:20,592 [analyzer] INFO: Added new file to list with pid 356 and path C:\Users\Administrator\AppData\Local\Temp\CabE8DF.tmp
2025-07-07 23:13:20,592 [analyzer] INFO: Added new file to list with pid 356 and path C:\Users\Administrator\AppData\Local\Temp\TarE8E2.tmp
2025-07-07 23:13:20,592 [analyzer] INFO: Added new file to list with pid 356 and path C:\Users\Administrator\AppData\Local\Temp\TarE8E1.tmp
2025-07-07 23:13:20,717 [analyzer] INFO: Added new file to list with pid 356 and path C:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
2025-07-07 23:13:20,717 [analyzer] INFO: Added new file to list with pid 356 and path C:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
2025-07-07 23:13:20,733 [analyzer] INFO: Added new file to list with pid 356 and path C:\Users\Administrator\AppData\Local\Temp\CabE97F.tmp
2025-07-07 23:13:20,733 [analyzer] INFO: Added new file to list with pid 356 and path C:\Users\Administrator\AppData\Local\Temp\TarE980.tmp
2025-07-07 23:13:20,765 [analyzer] INFO: Added new file to list with pid 356 and path C:\Users\Administrator\AppData\Local\Temp\CabE991.tmp
2025-07-07 23:13:20,765 [analyzer] INFO: Added new file to list with pid 356 and path C:\Users\Administrator\AppData\Local\Temp\TarE992.tmp
2025-07-07 23:13:20,890 [analyzer] INFO: Added new file to list with pid 356 and path C:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
2025-07-07 23:13:20,905 [analyzer] INFO: Added new file to list with pid 356 and path C:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
2025-07-07 23:13:20,905 [analyzer] INFO: Added new file to list with pid 356 and path C:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
2025-07-07 23:13:20,905 [analyzer] INFO: Added new file to list with pid 356 and path C:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
2025-07-07 23:13:20,953 [analyzer] INFO: Added new file to list with pid 356 and path C:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
2025-07-07 23:13:20,953 [analyzer] INFO: Added new file to list with pid 356 and path C:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
2025-07-07 23:13:20,967 [analyzer] INFO: Added new file to list with pid 356 and path C:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199
2025-07-07 23:13:20,967 [analyzer] INFO: Added new file to list with pid 356 and path C:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199
2025-07-07 23:13:20,983 [analyzer] INFO: Added new file to list with pid 356 and path C:\Users\Administrator\AppData\Local\Temp\CabEA7D.tmp
2025-07-07 23:13:21,000 [analyzer] INFO: Added new file to list with pid 356 and path C:\Users\Administrator\AppData\Local\Temp\TarEA7E.tmp
2025-07-07 23:13:21,062 [analyzer] INFO: Added new file to list with pid 356 and path C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P7OC751U\bootstrap.min[1].js
2025-07-07 23:13:21,078 [analyzer] INFO: Added new file to list with pid 356 and path C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IWUWK4DN\bootstrap.min[1].css
2025-07-07 23:13:21,092 [analyzer] INFO: Added new file to list with pid 356 and path C:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_43017E0D8EE639406D59058AE1BEA1DC
2025-07-07 23:13:21,108 [analyzer] INFO: Added new file to list with pid 356 and path C:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_43017E0D8EE639406D59058AE1BEA1DC
2025-07-07 23:13:21,155 [analyzer] INFO: Added new file to list with pid 356 and path C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TPLTKY5I\js[1].js
2025-07-07 23:13:21,265 [analyzer] INFO: Added new file to list with pid 356 and path C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P7OC751U\page[1].js
2025-07-07 23:13:21,375 [analyzer] INFO: Added new file to list with pid 356 and path C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MO0T7L88\eso.pt5ow5lr[1].js
2025-07-07 23:13:21,375 [analyzer] INFO: Added new file to list with pid 356 and path C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MO0T7L88\sm.25[1].htm
2025-07-07 23:13:21,405 [analyzer] INFO: Added new file to list with pid 356 and path C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IWUWK4DN\core.pt5ow5lr[1].js
2025-07-07 23:13:41,140 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2025-07-07 23:13:41,717 [analyzer] INFO: Terminating remaining processes before shutdown.
2025-07-07 23:13:41,717 [lib.api.process] INFO: Successfully terminated process with pid 2372.
2025-07-07 23:13:41,717 [lib.api.process] INFO: Successfully terminated process with pid 356.
2025-07-07 23:13:41,717 [analyzer] WARNING: File at path u'c:\\users\\administrator\\appdata\\local\\temp\\cabe8bc.tmp' does not exist, skip.
2025-07-07 23:13:41,717 [analyzer] WARNING: File at path u'c:\\users\\administrator\\appdata\\local\\temp\\tare980.tmp' does not exist, skip.
2025-07-07 23:13:41,717 [analyzer] WARNING: File at path u'c:\\users\\administrator\\appdata\\local\\temp\\tare8e1.tmp' does not exist, skip.
2025-07-07 23:13:41,750 [analyzer] WARNING: File at path u'c:\\users\\administrator\\appdata\\local\\temp\\tare8bd.tmp' does not exist, skip.
2025-07-07 23:13:41,750 [analyzer] WARNING: File at path u'c:\\users\\administrator\\appdata\\local\\temp\\~df3d1b0f0f762372ef.tmp' does not exist, skip.
2025-07-07 23:13:41,796 [analyzer] WARNING: File at path u'c:\\users\\administrator\\appdata\\local\\temp\\tare992.tmp' does not exist, skip.
2025-07-07 23:13:41,796 [analyzer] WARNING: File at path u'c:\\users\\administrator\\appdata\\local\\temp\\cabe8e0.tmp' does not exist, skip.
2025-07-07 23:13:41,812 [analyzer] WARNING: File at path u'c:\\users\\administrator\\appdata\\local\\temp\\tare8ce.tmp' does not exist, skip.
2025-07-07 23:13:41,812 [analyzer] WARNING: File at path u'c:\\users\\administrator\\appdata\\local\\temp\\cabea7d.tmp' does not exist, skip.
2025-07-07 23:13:41,812 [analyzer] WARNING: File at path u'c:\\users\\administrator\\appdata\\local\\temp\\~df15450cd59ab6bdd4.tmp' does not exist, skip.
2025-07-07 23:13:41,812 [analyzer] WARNING: File at path u'c:\\users\\administrator\\appdata\\local\\temp\\tarea7e.tmp' does not exist, skip.
2025-07-07 23:13:41,828 [analyzer] WARNING: File at path u'c:\\users\\administrator\\appdata\\local\\temp\\cabe8be.tmp' does not exist, skip.
2025-07-07 23:13:41,828 [analyzer] WARNING: File at path u'c:\\users\\administrator\\appdata\\local\\temp\\cabe97f.tmp' does not exist, skip.
2025-07-07 23:13:41,828 [analyzer] WARNING: File at path u'c:\\users\\administrator\\appdata\\local\\temp\\cabe8df.tmp' does not exist, skip.
2025-07-07 23:13:41,828 [analyzer] WARNING: File at path u'c:\\users\\administrator\\appdata\\local\\temp\\cabe991.tmp' does not exist, skip.
2025-07-07 23:13:41,858 [analyzer] WARNING: File at path u'c:\\users\\administrator\\appdata\\local\\temp\\tare8e2.tmp' does not exist, skip.
2025-07-07 23:13:41,890 [analyzer] INFO: Analysis completed.

Cuckoo Log

2025-07-10 02:58:06,113 [cuckoo.core.scheduler] INFO: Task #6676730: acquired machine win7x647 (label=win7x647)
2025-07-10 02:58:06,114 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.207 for task #6676730
2025-07-10 02:58:06,488 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 3954650 (interface=vboxnet0, host=192.168.168.207)
2025-07-10 02:58:06,533 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x647
2025-07-10 02:58:07,288 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x647 to vmcloak
2025-07-10 03:00:26,989 [cuckoo.core.guest] INFO: Starting analysis #6676730 on guest (id=win7x647, ip=192.168.168.207)
2025-07-10 03:00:27,994 [cuckoo.core.guest] DEBUG: win7x647: not ready yet
2025-07-10 03:00:33,036 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x647, ip=192.168.168.207)
2025-07-10 03:00:33,182 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x647, ip=192.168.168.207, monitor=latest, size=6660546)
2025-07-10 03:00:34,419 [cuckoo.core.resultserver] DEBUG: Task #6676730: live log analysis.log initialized.
2025-07-10 03:00:35,299 [cuckoo.core.resultserver] DEBUG: Task #6676730 is sending a BSON stream
2025-07-10 03:00:35,643 [cuckoo.core.resultserver] DEBUG: Task #6676730 is sending a BSON stream
2025-07-10 03:00:36,571 [cuckoo.core.resultserver] DEBUG: Task #6676730: File upload for 'shots/0001.jpg'
2025-07-10 03:00:36,603 [cuckoo.core.resultserver] DEBUG: Task #6676730 uploaded file length: 133481
2025-07-10 03:00:37,751 [cuckoo.core.resultserver] DEBUG: Task #6676730 is sending a BSON stream
2025-07-10 03:00:38,697 [cuckoo.core.resultserver] DEBUG: Task #6676730: File upload for 'shots/0002.jpg'
2025-07-10 03:00:38,700 [cuckoo.core.resultserver] DEBUG: Task #6676730 uploaded file length: 24519
2025-07-10 03:00:39,795 [cuckoo.core.resultserver] DEBUG: Task #6676730: File upload for 'shots/0003.jpg'
2025-07-10 03:00:39,800 [cuckoo.core.resultserver] DEBUG: Task #6676730 uploaded file length: 31898
2025-07-10 03:00:45,086 [cuckoo.core.resultserver] DEBUG: Task #6676730: File upload for 'shots/0004.jpg'
2025-07-10 03:00:45,099 [cuckoo.core.resultserver] DEBUG: Task #6676730 uploaded file length: 67569
2025-07-10 03:00:49,196 [cuckoo.core.guest] DEBUG: win7x647: analysis #6676730 still processing
2025-07-10 03:01:04,304 [cuckoo.core.guest] DEBUG: win7x647: analysis #6676730 still processing
2025-07-10 03:01:04,764 [cuckoo.core.resultserver] DEBUG: Task #6676730: File upload for 'curtain/1751922821.33.curtain.log'
2025-07-10 03:01:04,767 [cuckoo.core.resultserver] DEBUG: Task #6676730 uploaded file length: 36
2025-07-10 03:01:05,107 [cuckoo.core.resultserver] DEBUG: Task #6676730: File upload for 'sysmon/1751922821.67.sysmon.xml'
2025-07-10 03:01:05,148 [cuckoo.core.resultserver] DEBUG: Task #6676730 uploaded file length: 2216494
2025-07-10 03:01:05,159 [cuckoo.core.resultserver] DEBUG: Task #6676730: File upload for 'files/23b28f1777507b80_4a9377e7e528f7e56b69a81c500abc24'
2025-07-10 03:01:05,162 [cuckoo.core.resultserver] DEBUG: Task #6676730 uploaded file length: 176
2025-07-10 03:01:05,190 [cuckoo.core.resultserver] DEBUG: Task #6676730: File upload for 'files/ebd41040e4bb3ec7_14232b434cf29d4c4fb335a86d7fffe3'
2025-07-10 03:01:05,198 [cuckoo.core.resultserver] DEBUG: Task #6676730 uploaded file length: 889
2025-07-10 03:01:05,201 [cuckoo.core.resultserver] DEBUG: Task #6676730: File upload for 'files/7928b5ab63c6e89e_bootstrap.min[1].css'
2025-07-10 03:01:05,214 [cuckoo.core.resultserver] DEBUG: Task #6676730 uploaded file length: 140936
2025-07-10 03:01:05,219 [cuckoo.core.resultserver] DEBUG: Task #6676730: File upload for 'files/53d16f311b01e5f9_page[1].js'
2025-07-10 03:01:05,226 [cuckoo.core.resultserver] DEBUG: Task #6676730 uploaded file length: 3179
2025-07-10 03:01:05,230 [cuckoo.core.resultserver] DEBUG: Task #6676730: File upload for 'files/0bf4fb994be3a803_14232b434cf29d4c4fb335a86d7fffe3'
2025-07-10 03:01:05,234 [cuckoo.core.resultserver] DEBUG: Task #6676730 uploaded file length: 170
2025-07-10 03:01:05,242 [cuckoo.core.resultserver] DEBUG: Task #6676730: File upload for 'files/bb68b24b9a60dbf9_dde8b1b7e253a9758ec380bd648952af_43017e0d8ee639406d59058ae1bea1dc'
2025-07-10 03:01:05,245 [cuckoo.core.resultserver] DEBUG: Task #6676730 uploaded file length: 398
2025-07-10 03:01:05,247 [cuckoo.core.resultserver] DEBUG: Task #6676730: File upload for 'files/ef39bcc03d88448d_core.pt5ow5lr[1].js'
2025-07-10 03:01:05,249 [cuckoo.core.resultserver] DEBUG: Task #6676730 uploaded file length: 71871
2025-07-10 03:01:05,255 [cuckoo.core.resultserver] DEBUG: Task #6676730: File upload for 'files/466050c946ff503c_b46811c17859ffb409cf0e904a4aa8f8'
2025-07-10 03:01:05,260 [cuckoo.core.resultserver] DEBUG: Task #6676730 uploaded file length: 170
2025-07-10 03:01:05,261 [cuckoo.core.resultserver] DEBUG: Task #6676730: File upload for 'files/ad0b3979d719e819_24bd96d5497f70b3f510a6b53cd43f3e_3a89246fb90c5ee6620004f1ae0eb0ea'
2025-07-10 03:01:05,266 [cuckoo.core.resultserver] DEBUG: Task #6676730 uploaded file length: 1446
2025-07-10 03:01:05,268 [cuckoo.core.resultserver] DEBUG: Task #6676730: File upload for 'files/81b7fa53b692b4d2_8b2b9a00839eed1dfdccc3bfc2f5df12'
2025-07-10 03:01:05,272 [cuckoo.core.resultserver] DEBUG: Task #6676730 uploaded file length: 1739
2025-07-10 03:01:05,274 [cuckoo.core.resultserver] DEBUG: Task #6676730: File upload for 'files/07392a801a598090_{30122d01-5b77-11f0-b305-78589f4d5b44}.dat'
2025-07-10 03:01:05,277 [cuckoo.core.resultserver] DEBUG: Task #6676730 uploaded file length: 8704
2025-07-10 03:01:05,278 [cuckoo.core.resultserver] DEBUG: Task #6676730: File upload for 'files/9decf3c0f895a790_dde8b1b7e253a9758ec380bd648952af_43017e0d8ee639406d59058ae1bea1dc'
2025-07-10 03:01:05,281 [cuckoo.core.resultserver] DEBUG: Task #6676730 uploaded file length: 472
2025-07-10 03:01:05,282 [cuckoo.core.resultserver] DEBUG: Task #6676730: File upload for 'files/5ef7f77d79c64e14_eso.pt5ow5lr[1].js'
2025-07-10 03:01:05,284 [cuckoo.core.resultserver] DEBUG: Task #6676730: File upload for 'files/56c12a125b021d21_bootstrap.min[1].js'
2025-07-10 03:01:05,287 [cuckoo.core.resultserver] DEBUG: Task #6676730 uploaded file length: 51039
2025-07-10 03:01:05,288 [cuckoo.core.resultserver] DEBUG: Task #6676730 uploaded file length: 80927
2025-07-10 03:01:05,291 [cuckoo.core.resultserver] DEBUG: Task #6676730: File upload for 'files/14adb9312422098c_05ddc6aa91765aacacdb0a5f96df8199'
2025-07-10 03:01:05,298 [cuckoo.core.resultserver] DEBUG: Task #6676730 uploaded file length: 170
2025-07-10 03:01:05,299 [cuckoo.core.resultserver] DEBUG: Task #6676730: File upload for 'files/4c847e0c28733ed3_94308059b57b3142e455b38a6eb92015'
2025-07-10 03:01:05,308 [cuckoo.core.resultserver] DEBUG: Task #6676730 uploaded file length: 73513
2025-07-10 03:01:05,313 [cuckoo.core.resultserver] DEBUG: Task #6676730: File upload for 'files/8e0ed4e43518c883_8b2b9a00839eed1dfdccc3bfc2f5df12'
2025-07-10 03:01:05,316 [cuckoo.core.resultserver] DEBUG: Task #6676730 uploaded file length: 174
2025-07-10 03:01:05,322 [cuckoo.core.resultserver] DEBUG: Task #6676730: File upload for 'files/6fb1b8e593cb0388_b46811c17859ffb409cf0e904a4aa8f8'
2025-07-10 03:01:05,325 [cuckoo.core.resultserver] DEBUG: Task #6676730 uploaded file length: 530
2025-07-10 03:01:05,327 [cuckoo.core.resultserver] DEBUG: Task #6676730: File upload for 'files/274d4116239b6309_sm.25[1].htm'
2025-07-10 03:01:05,330 [cuckoo.core.resultserver] DEBUG: Task #6676730 uploaded file length: 716
2025-07-10 03:01:05,332 [cuckoo.core.resultserver] DEBUG: Task #6676730: File upload for 'files/a5fbaab81d72883a_recoverystore.{30122cff-5b77-11f0-b305-78589f4d5b44}.dat'
2025-07-10 03:01:05,413 [cuckoo.core.resultserver] DEBUG: Task #6676730 uploaded file length: 5632
2025-07-10 03:01:05,417 [cuckoo.core.resultserver] DEBUG: Task #6676730: File upload for 'files/eac173f6aa2de93a_05ddc6aa91765aacacdb0a5f96df8199'
2025-07-10 03:01:05,420 [cuckoo.core.resultserver] DEBUG: Task #6676730 uploaded file length: 993
2025-07-10 03:01:05,421 [cuckoo.core.resultserver] DEBUG: Task #6676730: File upload for 'files/5d2e01e595c66689_js[1].js'
2025-07-10 03:01:05,424 [cuckoo.core.resultserver] DEBUG: Task #6676730: File upload for 'files/8f9785ab5e7f49b8_94308059b57b3142e455b38a6eb92015'
2025-07-10 03:01:05,426 [cuckoo.core.resultserver] DEBUG: Task #6676730 uploaded file length: 344
2025-07-10 03:01:05,427 [cuckoo.core.resultserver] DEBUG: Task #6676730: File upload for 'files/6693d8fc16ab0d2f_24bd96d5497f70b3f510a6b53cd43f3e_3a89246fb90c5ee6620004f1ae0eb0ea'
2025-07-10 03:01:05,429 [cuckoo.core.resultserver] DEBUG: Task #6676730 uploaded file length: 410
2025-07-10 03:01:05,434 [cuckoo.core.resultserver] DEBUG: Task #6676730 had connection reset for <Context for LOG>
2025-07-10 03:01:05,436 [cuckoo.core.resultserver] DEBUG: Task #6676730 uploaded file length: 285247
2025-07-10 03:01:07,490 [cuckoo.core.guest] INFO: win7x647: analysis completed successfully
2025-07-10 03:01:07,517 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2025-07-10 03:01:07,565 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2025-07-10 03:01:08,490 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x647 to path /srv/cuckoo/cwd/storage/analyses/6676730/memory.dmp
2025-07-10 03:01:08,491 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x647
2025-07-10 03:03:33,047 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.207 for task #6676730
2025-07-10 03:03:33,538 [cuckoo.core.scheduler] DEBUG: Released database task #6676730
2025-07-10 03:03:33,555 [cuckoo.core.scheduler] INFO: Task #6676730: analysis procedure completed

Signatures

Port scanning (1 event)

Port: 443

143 times

Allocates read-write-execute memory (usually to unpack itself) (50 out of 253 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 8, 2025, 12:06 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefec98000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 8, 2025, 12:06 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefec98000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 8, 2025, 12:06 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefec98000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 8, 2025, 12:06 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff1cf000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 8, 2025, 12:06 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff1a6000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 8, 2025, 12:06 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff1a6000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 8, 2025, 12:06 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff1a6000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 8, 2025, 12:06 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefb5fb000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 8, 2025, 12:06 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef45d4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 8, 2025, 12:06 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefd374000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 8, 2025, 12:06 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa62c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 8, 2025, 12:06 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa644000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 8, 2025, 12:06 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa58b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 8, 2025, 12:06 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef4444000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory July 8, 2025, 12:06 a.m.	process_identifier: 2372 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002c20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 8, 2025, 12:06 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefb07a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 8, 2025, 12:06 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff3eb000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 8, 2025, 12:06 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff3eb000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 8, 2025, 12:06 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff3eb000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 8, 2025, 12:06 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff3eb000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 8, 2025, 12:06 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefda31000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 8, 2025, 12:06 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3792000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 8, 2025, 12:06 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef383e000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 8, 2025, 12:06 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefd93f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 8, 2025, 12:06 a.m.	process_identifier: 2372 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefd968000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 8, 2025, 12:13 a.m.	process_identifier: 356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x013b6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2025, 12:13 a.m.	process_identifier: 356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2025, 12:13 a.m.	process_identifier: 356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76eac000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2025, 12:13 a.m.	process_identifier: 356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76eac000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2025, 12:13 a.m.	process_identifier: 356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76eac000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2025, 12:13 a.m.	process_identifier: 356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76ea7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2025, 12:13 a.m.	process_identifier: 356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76ea7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2025, 12:13 a.m.	process_identifier: 356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76ea7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2025, 12:13 a.m.	process_identifier: 356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x749c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2025, 12:13 a.m.	process_identifier: 356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75af0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2025, 12:13 a.m.	process_identifier: 356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75af0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2025, 12:13 a.m.	process_identifier: 356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75af0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2025, 12:13 a.m.	process_identifier: 356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75870000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2025, 12:13 a.m.	process_identifier: 356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2025, 12:13 a.m.	process_identifier: 356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2025, 12:13 a.m.	process_identifier: 356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76ae1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2025, 12:13 a.m.	process_identifier: 356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76ae1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2025, 12:13 a.m.	process_identifier: 356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76ae1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2025, 12:13 a.m.	process_identifier: 356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76ae1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2025, 12:13 a.m.	process_identifier: 356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76ae1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2025, 12:13 a.m.	process_identifier: 356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76ae1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2025, 12:13 a.m.	process_identifier: 356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76ae1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2025, 12:13 a.m.	process_identifier: 356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76ae1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2025, 12:13 a.m.	process_identifier: 356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76ae1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 8, 2025, 12:13 a.m.	process_identifier: 356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76ae1000 process_handle: 0xffffffff	1

Creates executable files on the filesystem (5 events)

file	C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TPLTKY5I\js[1].js
file	C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P7OC751U\bootstrap.min[1].js
file	C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IWUWK4DN\core.pt5ow5lr[1].js
file	C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MO0T7L88\eso.pt5ow5lr[1].js
file	C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P7OC751U\page[1].js

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 8, 2025, 12:13 a.m.	process_identifier: 356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x06f20000 process_handle: 0xffffffff	1	0	0

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2372 CREDAT:275457 /prefetch:2

Raised Suricata alerts (1 event)

suricata

ET INFO TLS Handshake Failure

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Process injection

Process 2372 resumed a thread in remote process 356

Time & API	Arguments	Status	Return	Repeated
NtResumeThread July 8, 2025, 12:06 a.m.	thread_handle: 0x0000000000000374 suspend_count: 1 process_identifier: 356	1	0	0

File has been identified by 8 AntiVirus engine on IRMA as malicious (8 events)

G Data Antivirus (Windows)	Virus: Trojan.Generic.38177278 (Engine A)
Avast Core Security (Linux)	JS:Agent-ELQ [Trj]
WithSecure (Linux)	Malware.JS/Agent.MRCS
eScan Antivirus (Linux)	Trojan.Generic.38177278(DB)
ESET Security (Windows)	JS/Agent.RCS trojan
Sophos Anti-Virus (Linux)	Troj/JSInject-V
Bitdefender Antivirus (Linux)	Trojan.Generic.38177278
Emsisoft Commandline Scanner (Windows)	Trojan.Generic.38177278 (B)

File has been identified by 21 AntiVirus engines on VirusTotal as malicious (21 events)

Symantec	ISB.Heuristic!gen119
ESET-NOD32	JS/Agent.RCS
Avast	JS:Agent-ELQ [Trj]
Cynet	Malicious (score: 99)
NANO-Antivirus	Trojan.Script.Redirector.ktxcpl
Rising	Trojan.Agent/JS!1.1024F (CLASSIC)
F-Secure	Malware.JS/Agent.MRCS
Zillya	Trojan.Agent.JS.45
Sophos	Troj/JSInject-V
Ikarus	Trojan.JS.Agent
Google	Detected
Avira	JS/Agent.MRCS
Microsoft	Trojan:JS/Iframe.EK!MTB
ZoneAlarm	Troj/JSInject-V
Varist	JS/Agent.CAW.gen!Eldorado
AhnLab-V3	Trojan/JS.Agent.SC196779
Tencent	Html.Win32.Script.505347
huorong	Trojan/JS.Agent.ee
MaxSecure	Trojan.W32.cryxos.13238
Fortinet	JS/Phishing.1369!tr
AVG	JS:Agent-ELQ [Trj]

Screenshots

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action	VT	Location
No hosts contacted.

Browser recommendation

File ca9545fd357a2c981d3d25398393f3e499f10aa8a48d5f2b93d1c44deb9edf63

Summary Download Resubmit sample

Score

Feedback

Information on Execution

Analyzer Log

Cuckoo Log

Signatures

Feedback

Summary
Download Resubmit sample