Cuckoo Sandbox

File vt.exe

Summary
Download Resubmit sample

Size	15.6MB
Type	PE32+ executable (console) x86-64, for MS Windows
MD5	`41390788c9a89b7fde9975d9bf1f84cb`
SHA1	`e6c97494c341fddef9c7d711cba20d220d12ef26`
SHA256	`376de9530f0d22f3db8a13bf77a38b1fde52a91cef71b197c743a20e9c1a246c`
SHA512	`49cdc2ace4d67974e1db163b96f39cde7800bb13d0685d1b470add1aab031b28bd302a776678300bae54bec5734440a277eda85d5752ca3b1e024581e10d47fd`
CRC32	`F4FEE3B3`
ssdeep	`None`
Yara	powershell - (no description) DebuggerCheck__QueryInfo - (no description) DebuggerException__ConsoleCtrl - (no description) DebuggerException__SetConsoleCtrl - (no description) ThreadControl__Context - (no description) SEH__vectored - (no description) disable_dep - Bypass DEP create_service - Create a windows service network_udp_sock - Communications over UDP network network_tcp_listen - Listen for incoming communication

Score

This file shows numerous signs of malicious behavior.

The score of this file is 3.6 out of 10.

Please notice: The scoring system is currently still in development and should be considered an alpha feature.

Feedback

Expecting different results? Send us this analysis and we will inspect it. Click here

Information on Execution

Analysis

Category	Started	Completed	Duration	Routing	Logs
FILE	Feb. 19, 2026, 2:59 p.m.	Feb. 19, 2026, 3 p.m.	43 seconds	internet	Show Analyzer Log Show Cuckoo Log

Analyzer Log

2026-02-19 13:59:36,046 [analyzer] DEBUG: Starting analyzer from: C:\tmpht3fil
2026-02-19 13:59:36,046 [analyzer] DEBUG: Pipe server name: \??\PIPE\MwfAckHdGZQMFNrXjiAfFYZIt
2026-02-19 13:59:36,046 [analyzer] DEBUG: Log pipe server name: \??\PIPE\nOZJXddNgwjymZPOEkaiMDfbWmerNB
2026-02-19 13:59:36,296 [analyzer] DEBUG: Started auxiliary module Curtain
2026-02-19 13:59:36,296 [analyzer] DEBUG: Started auxiliary module DbgView
2026-02-19 13:59:36,765 [analyzer] DEBUG: Started auxiliary module Disguise
2026-02-19 13:59:36,967 [analyzer] DEBUG: Loaded monitor into process with pid 504
2026-02-19 13:59:36,967 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2026-02-19 13:59:36,967 [analyzer] DEBUG: Started auxiliary module Human
2026-02-19 13:59:36,967 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2026-02-19 13:59:36,967 [analyzer] DEBUG: Started auxiliary module Reboot
2026-02-19 13:59:37,062 [analyzer] DEBUG: Started auxiliary module RecentFiles
2026-02-19 13:59:37,062 [analyzer] DEBUG: Started auxiliary module Screenshots
2026-02-19 13:59:37,078 [analyzer] DEBUG: Started auxiliary module Sysmon
2026-02-19 13:59:37,078 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2026-02-19 13:59:37,421 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\vt.exe' with arguments '' and pid 848
2026-02-19 13:59:37,671 [analyzer] DEBUG: Loaded monitor into process with pid 848
2026-02-19 13:59:37,687 [analyzer] CRITICAL: Unable to change memory protection of advapi32!ControlService at 0x09f2f0 7 to RWX (error code 0xc0000045)!
2026-02-19 13:59:37,703 [analyzer] CRITICAL: Unable to change memory protection of advapi32!DeleteService at 0x09f498 5 to RWX (error code 0xc0000045)!
2026-02-19 13:59:37,717 [analyzer] CRITICAL: Unable to change memory protection of advapi32!OpenSCManagerA at 0x09f336 9 to RWX (error code 0xc0000045)!
2026-02-19 13:59:37,717 [analyzer] CRITICAL: Unable to change memory protection of advapi32!OpenSCManagerW at 0x09f4a8 5 to RWX (error code 0xc0000045)!
2026-02-19 13:59:37,717 [analyzer] CRITICAL: Unable to change memory protection of advapi32!OpenServiceA at 0x09f43e 6 to RWX (error code 0xc0000045)!
2026-02-19 13:59:37,717 [analyzer] CRITICAL: Unable to change memory protection of advapi32!OpenServiceW at 0x09f488 6 to RWX (error code 0xc0000045)!
2026-02-19 13:59:37,717 [analyzer] CRITICAL: Unable to change memory protection of advapi32!RegCloseKey at 0x09f6b4 5 to RWX (error code 0xc0000045)!
2026-02-19 13:59:37,733 [analyzer] CRITICAL: Unable to change memory protection of advapi32!RegDeleteValueA at 0x09f5ee 9 to RWX (error code 0xc0000045)!
2026-02-19 13:59:37,733 [analyzer] CRITICAL: Unable to change memory protection of advapi32!RegDeleteValueW at 0x09f5dc 5 to RWX (error code 0xc0000045)!
2026-02-19 13:59:37,750 [analyzer] CRITICAL: Unable to change memory protection of advapi32!StartServiceCtrlDispatcherW at 0x09f276 6 to RWX (error code 0xc0000045)!
2026-02-19 13:59:37,750 [analyzer] CRITICAL: Unable to change memory protection of advapi32!StartServiceW at 0x09f4cc 6 to RWX (error code 0xc0000045)!
2026-02-19 13:59:38,436 [analyzer] INFO: Process with pid 848 has terminated
2026-02-19 13:59:38,436 [analyzer] INFO: Process list is empty, terminating analysis.
2026-02-19 13:59:39,654 [analyzer] INFO: Terminating remaining processes before shutdown.
2026-02-19 13:59:39,654 [analyzer] INFO: Analysis completed.

Cuckoo Log

2026-02-19 14:59:36,994 [cuckoo.core.scheduler] INFO: Task #7458437: acquired machine win7x6411 (label=win7x6411)
2026-02-19 14:59:36,994 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.211 for task #7458437
2026-02-19 14:59:37,540 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 1806684 (interface=vboxnet0, host=192.168.168.211)
2026-02-19 14:59:45,172 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x6411
2026-02-19 14:59:45,953 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x6411 to vmcloak
2026-02-19 14:59:55,820 [cuckoo.core.guest] INFO: Starting analysis #7458437 on guest (id=win7x6411, ip=192.168.168.211)
2026-02-19 14:59:56,826 [cuckoo.core.guest] DEBUG: win7x6411: not ready yet
2026-02-19 15:00:01,852 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x6411, ip=192.168.168.211)
2026-02-19 15:00:01,941 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x6411, ip=192.168.168.211, monitor=latest, size=6660546)
2026-02-19 15:00:04,259 [cuckoo.core.resultserver] DEBUG: Task #7458437: live log analysis.log initialized.
2026-02-19 15:00:05,177 [cuckoo.core.resultserver] DEBUG: Task #7458437 is sending a BSON stream
2026-02-19 15:00:05,817 [cuckoo.core.resultserver] DEBUG: Task #7458437 is sending a BSON stream
2026-02-19 15:00:06,458 [cuckoo.core.resultserver] DEBUG: Task #7458437: File upload for 'shots/0001.jpg'
2026-02-19 15:00:06,475 [cuckoo.core.resultserver] DEBUG: Task #7458437 uploaded file length: 113719
2026-02-19 15:00:07,600 [cuckoo.core.resultserver] DEBUG: Task #7458437: File upload for 'shots/0002.jpg'
2026-02-19 15:00:07,616 [cuckoo.core.resultserver] DEBUG: Task #7458437 uploaded file length: 133466
2026-02-19 15:00:07,802 [cuckoo.core.resultserver] DEBUG: Task #7458437: File upload for 'curtain/1771505979.55.curtain.log'
2026-02-19 15:00:07,817 [cuckoo.core.resultserver] DEBUG: Task #7458437 uploaded file length: 36
2026-02-19 15:00:07,919 [cuckoo.core.resultserver] DEBUG: Task #7458437: File upload for 'sysmon/1771505979.65.sysmon.xml'
2026-02-19 15:00:07,922 [cuckoo.core.resultserver] DEBUG: Task #7458437 uploaded file length: 34798
2026-02-19 15:00:08,667 [cuckoo.core.resultserver] DEBUG: Task #7458437 had connection reset for <Context for LOG>
2026-02-19 15:00:09,815 [cuckoo.core.guest] INFO: win7x6411: analysis completed successfully
2026-02-19 15:00:09,830 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2026-02-19 15:00:09,852 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2026-02-19 15:00:11,393 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x6411 to path /srv/cuckoo/cwd/storage/analyses/7458437/memory.dmp
2026-02-19 15:00:11,396 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x6411
2026-02-19 15:00:19,862 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.211 for task #7458437
2026-02-19 15:00:20,148 [cuckoo.core.scheduler] DEBUG: Released database task #7458437
2026-02-19 15:00:20,163 [cuckoo.core.scheduler] INFO: Task #7458437: analysis procedure completed

Signatures

Yara rules detected for file (10 events)

description	(no description)	rule	powershell
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep
description	Create a windows service	rule	create_service
description	Communications over UDP network	rule	network_udp_sock
description	Listen for incoming communication	rule	network_tcp_listen

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.symtab

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Feb. 19, 2026, 2:52 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 22516448 registers.r15: 3 registers.rcx: 22849256 registers.rsi: 3210568 registers.r10: 0 registers.rbx: 22521968 registers.rsp: 3210024 registers.r11: 514 registers.r8: 22521184 registers.r9: 22848267 registers.rdx: 32 registers.r12: 3210664 registers.rbp: 3210384 registers.rdi: 8796092874752 registers.rax: 0 registers.r13: 824633737216	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (6 events)

section

{u'size_of_data': u'0x000d5a00', u'virtual_address': u'0x00b09000', u'entropy': 7.996069491057275, u'name': u'/19', u'virtual_size': u'0x000d585f'}

entropy

7.99606949106

description