File subfinder.exe

Size 29.7MB
Type PE32+ executable (console) x86-64, for MS Windows
MD5 909a94ddbaa8ebfc2b82a478f8994263
SHA1 dcaa8a44ed2eeab6d957dc81844f2381ea4fc23f
SHA256 a18383bb03ffe2c41022d29b3b53b86520e56978f720fa5938babce65d50f816
SHA512 37ea297514d15cb49bf0d2986b202b1d4cd09f2438501c31a7754a5a4a6b4d5102abe2c41f4d54b2455e3a567297f5a96bd99caaf12632aafa53e282d44a8e52
CRC32 9E092917
ssdeep None
Yara
  • vmdetect - Possibly employs anti-virtualization techniques
  • dropper_generic_wscript - Generic WScript dropper
  • powershell - (no description)
  • DebuggerCheck__QueryInfo - (no description)
  • DebuggerException__ConsoleCtrl - (no description)
  • DebuggerException__SetConsoleCtrl - (no description)
  • ThreadControl__Context - (no description)
  • SEH__vectored - (no description)
  • disable_dep - Bypass DEP
  • hijack_network - Hijack network configuration

Score

This file appears fairly benign with a score of 0.4 out of 10.

Please note: the scoring system is still in development and should be considered an alpha feature.



Information on Execution

Analysis
Category Started Completed Duration Routing
FILE Feb. 19, 2026, 3:11 p.m. Feb. 19, 2026, 3:12 p.m. 51 seconds internet

Analyzer Log

2026-02-19 14:11:35,000 [analyzer] DEBUG: Starting analyzer from: C:\tmpzepe2z
2026-02-19 14:11:35,015 [analyzer] DEBUG: Pipe server name: \??\PIPE\MRrJKJbqgskQozGfOCIUOjaGYJhED
2026-02-19 14:11:35,015 [analyzer] DEBUG: Log pipe server name: \??\PIPE\pwGZGlzBLsyWISSE
2026-02-19 14:11:35,265 [analyzer] DEBUG: Started auxiliary module Curtain
2026-02-19 14:11:35,265 [analyzer] DEBUG: Started auxiliary module DbgView
2026-02-19 14:11:35,671 [analyzer] DEBUG: Started auxiliary module Disguise
2026-02-19 14:11:35,875 [analyzer] DEBUG: Loaded monitor into process with pid 504
2026-02-19 14:11:35,875 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2026-02-19 14:11:35,875 [analyzer] DEBUG: Started auxiliary module Human
2026-02-19 14:11:35,875 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2026-02-19 14:11:35,875 [analyzer] DEBUG: Started auxiliary module Reboot
2026-02-19 14:11:35,953 [analyzer] DEBUG: Started auxiliary module RecentFiles
2026-02-19 14:11:35,953 [analyzer] DEBUG: Started auxiliary module Screenshots
2026-02-19 14:11:35,953 [analyzer] DEBUG: Started auxiliary module Sysmon
2026-02-19 14:11:35,953 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2026-02-19 14:11:36,453 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\subfinder.exe' with arguments '' and pid 2096
2026-02-19 14:11:36,717 [analyzer] DEBUG: Loaded monitor into process with pid 2096
2026-02-19 14:11:36,733 [analyzer] CRITICAL: Unable to change memory protection of advapi32!ControlService at 0x09f2f0 7 to RWX (error code 0xc0000045)!
2026-02-19 14:11:36,780 [analyzer] CRITICAL: Unable to change memory protection of advapi32!DeleteService at 0x09f498 5 to RWX (error code 0xc0000045)!
2026-02-19 14:11:36,796 [analyzer] CRITICAL: Unable to change memory protection of advapi32!OpenSCManagerA at 0x09f336 9 to RWX (error code 0xc0000045)!
2026-02-19 14:11:36,796 [analyzer] CRITICAL: Unable to change memory protection of advapi32!OpenSCManagerW at 0x09f4a8 5 to RWX (error code 0xc0000045)!
2026-02-19 14:11:36,796 [analyzer] CRITICAL: Unable to change memory protection of advapi32!OpenServiceA at 0x09f43e 6 to RWX (error code 0xc0000045)!
2026-02-19 14:11:36,796 [analyzer] CRITICAL: Unable to change memory protection of advapi32!OpenServiceW at 0x09f488 6 to RWX (error code 0xc0000045)!
2026-02-19 14:11:36,796 [analyzer] CRITICAL: Unable to change memory protection of advapi32!RegCloseKey at 0x09f6b4 5 to RWX (error code 0xc0000045)!
2026-02-19 14:11:36,812 [analyzer] CRITICAL: Unable to change memory protection of advapi32!RegDeleteValueA at 0x09f5ee 9 to RWX (error code 0xc0000045)!
2026-02-19 14:11:36,812 [analyzer] CRITICAL: Unable to change memory protection of advapi32!RegDeleteValueW at 0x09f5dc 5 to RWX (error code 0xc0000045)!
2026-02-19 14:11:36,842 [analyzer] CRITICAL: Unable to change memory protection of advapi32!StartServiceCtrlDispatcherW at 0x09f276 6 to RWX (error code 0xc0000045)!
2026-02-19 14:11:36,842 [analyzer] CRITICAL: Unable to change memory protection of advapi32!StartServiceW at 0x09f4cc 6 to RWX (error code 0xc0000045)!
2026-02-19 14:11:37,467 [analyzer] INFO: Process with pid 2096 has terminated
2026-02-19 14:11:37,467 [analyzer] INFO: Process list is empty, terminating analysis.
2026-02-19 14:11:38,624 [analyzer] INFO: Terminating remaining processes before shutdown.
2026-02-19 14:11:38,624 [analyzer] INFO: Analysis completed.

Cuckoo Log

2026-02-19 15:11:37,193 [cuckoo.core.scheduler] INFO: Task #7458445: acquired machine win7x6417 (label=win7x6417)
2026-02-19 15:11:37,194 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.217 for task #7458445
2026-02-19 15:11:37,832 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 1811655 (interface=vboxnet0, host=192.168.168.217)
2026-02-19 15:11:50,182 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x6417
2026-02-19 15:11:51,065 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x6417 to vmcloak
2026-02-19 15:12:01,247 [cuckoo.core.guest] INFO: Starting analysis #7458445 on guest (id=win7x6417, ip=192.168.168.217)
2026-02-19 15:12:02,253 [cuckoo.core.guest] DEBUG: win7x6417: not ready yet
2026-02-19 15:12:07,291 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x6417, ip=192.168.168.217)
2026-02-19 15:12:07,385 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x6417, ip=192.168.168.217, monitor=latest, size=6660546)
2026-02-19 15:12:10,423 [cuckoo.core.resultserver] DEBUG: Task #7458445: live log analysis.log initialized.
2026-02-19 15:12:11,250 [cuckoo.core.resultserver] DEBUG: Task #7458445 is sending a BSON stream
2026-02-19 15:12:12,018 [cuckoo.core.resultserver] DEBUG: Task #7458445 is sending a BSON stream
2026-02-19 15:12:12,506 [cuckoo.core.resultserver] DEBUG: Task #7458445: File upload for 'shots/0001.jpg'
2026-02-19 15:12:12,533 [cuckoo.core.resultserver] DEBUG: Task #7458445 uploaded file length: 115542
2026-02-19 15:12:13,662 [cuckoo.core.resultserver] DEBUG: Task #7458445: File upload for 'shots/0002.jpg'
2026-02-19 15:12:13,678 [cuckoo.core.resultserver] DEBUG: Task #7458445 uploaded file length: 133458
2026-02-19 15:12:13,996 [cuckoo.core.resultserver] DEBUG: Task #7458445: File upload for 'curtain/1771506698.55.curtain.log'
2026-02-19 15:12:13,999 [cuckoo.core.resultserver] DEBUG: Task #7458445 uploaded file length: 36
2026-02-19 15:12:14,067 [cuckoo.core.resultserver] DEBUG: Task #7458445: File upload for 'sysmon/1771506698.62.sysmon.xml'
2026-02-19 15:12:14,071 [cuckoo.core.resultserver] DEBUG: Task #7458445 uploaded file length: 19326
2026-02-19 15:12:14,729 [cuckoo.core.resultserver] DEBUG: Task #7458445 had connection reset for <Context for LOG>
2026-02-19 15:12:16,035 [cuckoo.core.guest] INFO: win7x6417: analysis completed successfully
2026-02-19 15:12:16,049 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2026-02-19 15:12:16,078 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2026-02-19 15:12:17,656 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x6417 to path /srv/cuckoo/cwd/storage/analyses/7458445/memory.dmp
2026-02-19 15:12:17,658 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x6417
2026-02-19 15:12:25,877 [cuckoo.machinery.virtualbox] DEBUG: VBoxManage returns error checking status for machine win7x6417: VBoxManage: error: Failed to create the VirtualBox object!
VBoxManage: error: Code NS_ERROR_FAILURE (0x80004005) - Operation failed (extended info not available)
VBoxManage: error: Most likely, the VirtualBox COM server is not running or failed to start.

2026-02-19 15:12:25,890 [cuckoo.common.abstracts] DEBUG: Waiting 0 cuckooseconds for machine win7x6417 to switch to status ('poweroff', 'aborted', 'saved')
2026-02-19 15:12:27,904 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.217 for task #7458445
2026-02-19 15:12:28,226 [cuckoo.core.scheduler] DEBUG: Released database task #7458445
2026-02-19 15:12:28,242 [cuckoo.core.scheduler] INFO: Task #7458445: analysis procedure completed

Signatures

Yara rules detected for file (10 events)
  • vmdetect - Possibly employs anti-virtualization techniques
  • dropper_generic_wscript - Generic WScript dropper
  • powershell - (no description)
  • DebuggerCheck__QueryInfo - (no description)
  • DebuggerException__ConsoleCtrl - (no description)
  • DebuggerException__SetConsoleCtrl - (no description)
  • ThreadControl__Context - (no description)
  • SEH__vectored - (no description)
  • disable_dep - Bypass DEP
  • hijack_network - Hijack network configuration
The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)
section .symtab
One or more processes crashed (1 event)
Time & API: __exception__
Arguments:
  stacktrace:
  exception.symbol:
  exception.exception_code: 0xc0000005
  exception.address: 0x0
  registers.r14: 32613792
  registers.r15: 3
  registers.rcx: 32942120
  registers.rsi: 37420072
  registers.r10: 0
  registers.rbx: 32621976
  registers.rsp: 37419528
  registers.r11: 514
  registers.r8: 32621216
  registers.r9: 32937611
  registers.rdx: 32
  registers.r12: 37420168
  registers.rbp: 37419888
  registers.rdi: 8796092882944
  registers.rax: 0
  registers.r13: 824633737216
Status: 1
Return: 0
Repeated: 0
Screenshots
Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action VT Location
No hosts contacted.