| Category | Package | Started | Completed | Duration |
|---|---|---|---|---|
| FILE | exe | 2026-06-28 22:26:07 | 2026-06-28 22:26:29 | 22s |

Logs:

2026-06-28 14:55:57,893 [root] INFO: Date set to: 20260628T22:26:13, timeout set to: 200
2026-06-28 22:26:13,387 [root] DEBUG: Starting analyzer from: C:\7d7wfxi0
2026-06-28 22:26:13,389 [root] DEBUG: Storing results at: C:\cUJPOo
2026-06-28 22:26:13,390 [root] DEBUG: Pipe server name: \\.\PIPE\pcWTWbc
2026-06-28 22:26:13,391 [root] DEBUG: Python path: C:\Users\Rajesh\AppData\Local\Programs\Python\Python314
2026-06-28 22:26:13,391 [root] INFO: analysis running as an admin
2026-06-28 22:26:13,395 [root] INFO: analysis package specified: "exe"
2026-06-28 22:26:13,395 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2026-06-28 22:26:13,404 [root] DEBUG: imported analysis package "exe"
2026-06-28 22:26:13,408 [root] DEBUG: initializing analysis package "exe"...
2026-06-28 22:26:13,409 [lib.common.common] INFO: no wrapping
2026-06-28 22:26:13,409 [lib.core.compound] INFO: C:\Users\Rajesh\AppData\Local\Temp already exists, skipping creation
2026-06-28 22:26:13,411 [root] DEBUG: New location of moved file: C:\Users\Rajesh\AppData\Local\Temp\geometry dash auto s.exe
2026-06-28 22:26:13,411 [root] INFO: Analyzer: Package modules.packages.exe does not specify a dll option
2026-06-28 22:26:13,411 [root] INFO: Analyzer: Package modules.packages.exe does not specify a dll_64 option
2026-06-28 22:26:13,411 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2026-06-28 22:26:13,411 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2026-06-28 22:26:15,883 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2026-06-28 22:26:15,897 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2026-06-28 22:26:15,951 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2026-06-28 22:26:15,981 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2026-06-28 22:26:15,988 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2026-06-28 22:26:15,989 [lib.api.screenshot] ERROR: No module named 'PIL'
2026-06-28 22:26:15,989 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2026-06-28 22:26:15,993 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2026-06-28 22:26:15,994 [root] DEBUG: Initialized auxiliary module "Browser"
2026-06-28 22:26:15,994 [root] DEBUG: attempting to configure 'Browser' from data
2026-06-28 22:26:15,995 [root] DEBUG: module Browser does not support data configuration, ignoring
2026-06-28 22:26:15,996 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2026-06-28 22:26:16,042 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2026-06-28 22:26:16,043 [root] DEBUG: Initialized auxiliary module "DigiSig"
2026-06-28 22:26:16,043 [root] DEBUG: attempting to configure 'DigiSig' from data
2026-06-28 22:26:16,044 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2026-06-28 22:26:16,044 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2026-06-28 22:26:16,045 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2026-06-28 22:26:16,574 [modules.auxiliary.digisig] DEBUG: File has an invalid signature
2026-06-28 22:26:16,574 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2026-06-28 22:26:16,588 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2026-06-28 22:26:16,589 [root] DEBUG: Initialized auxiliary module "Disguise"
2026-06-28 22:26:16,589 [root] DEBUG: attempting to configure 'Disguise' from data
2026-06-28 22:26:16,590 [root] DEBUG: module Disguise does not support data configuration, ignoring
2026-06-28 22:26:16,590 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2026-06-28 22:26:16,596 [modules.auxiliary.disguise] INFO: Launched background process notepad.exe hidden (PID: 4732)
2026-06-28 22:26:16,602 [modules.auxiliary.disguise] INFO: Disguising GUID to 842c770e-8d4c-479e-81ce-001439b61ed1
2026-06-28 22:26:16,607 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2026-06-28 22:26:16,608 [root] DEBUG: Initialized auxiliary module "Human"
2026-06-28 22:26:16,608 [root] DEBUG: attempting to configure 'Human' from data
2026-06-28 22:26:16,609 [root] DEBUG: module Human does not support data configuration, ignoring
2026-06-28 22:26:16,610 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2026-06-28 22:26:16,613 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2026-06-28 22:26:16,613 [root] DEBUG: Initialized auxiliary module "Screenshots"
2026-06-28 22:26:16,614 [root] DEBUG: attempting to configure 'Screenshots' from data
2026-06-28 22:26:16,614 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2026-06-28 22:26:16,614 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2026-06-28 22:26:16,620 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2026-06-28 22:26:16,620 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2026-06-28 22:26:16,625 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2026-06-28 22:26:16,626 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2026-06-28 22:26:16,627 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2026-06-28 22:26:16,628 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2026-06-28 22:26:16,636 [modules.auxiliary.tlsdump] WARNING: Unable to find lsass.exe process
2026-06-28 22:26:16,637 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump
2026-06-28 22:26:22,600 [root] INFO: Restarting WMI Service
2026-06-28 22:26:24,865 [root] DEBUG: package modules.packages.exe does not support configure, ignoring
2026-06-28 22:26:24,866 [root] WARNING: configuration error for package modules.packages.exe: error importing data.packages.exe: No module named 'data.packages'
2026-06-28 22:26:24,868 [lib.core.compound] INFO: C:\Users\Rajesh\AppData\Local\Temp already exists, skipping creation
2026-06-28 22:26:24,880 [lib.api.process] ERROR: Failed to execute process from path "C:\Users\Rajesh\AppData\Local\Temp\geometry dash auto s.exe" with arguments "None" (Error: 740)
2026-06-28 22:26:24,880 [root] ERROR: You probably submitted the job with wrong package
Traceback (most recent call last):
  File "C:\7d7wfxi0/analyzer.py", line 688, in run
    pids = self.package.start(self.target)
  File "C:\7d7wfxi0\modules\packages\exe.py", line 47, in start
    return self.execute(path, args, path)
           ~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
  File "C:\7d7wfxi0\lib\common\abstracts.py", line 181, in execute
    raise CuckooPackageError("Unable to execute the initial process, analysis aborted")
lib.common.exceptions.CuckooPackageError: Unable to execute the initial process, analysis aborted

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "C:\7d7wfxi0/analyzer.py", line 1598, in <module>
    success = analyzer.run()
  File "C:\7d7wfxi0/analyzer.py", line 692, in run
    raise CuckooError(f'The package "{self.package_name}" start function raised an error: {e}') from e
lib.common.exceptions.CuckooError: The package "modules.packages.exe" start function raised an error: Unable to execute the initial process, analysis aborted
2026-06-28 22:26:24,984 [root] WARNING: Folder at path "C:\cUJPOo\debugger" does not exist, skipping
2026-06-28 22:26:24,984 [root] WARNING: Folder at path "C:\cUJPOo\tlsdump" does not exist, skipping
2026-06-28 22:26:24,985 [root] INFO: Analysis completed
| Name | Label | Manager | Started On | Shutdown On | Route |
|---|---|---|---|---|---|
| win10 | win10 | KVM | 2026-06-28 22:26:07 | 2026-06-28 22:26:29 | none |
| File Name | geometry dash auto s.exe |
|---|---|
| File Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| File Size | 14848 bytes |
| MD5 | 19dbec50735b5f2a72d4199c4e184960 |
| SHA1 | 6fed7732f7cb6f59743795b2ab154a3676f4c822 |
| SHA256 | a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d |
| SHA3-384 | ec2cc6b68157372b3b60124c6e7c708f416f67a62f770b542cbc5e21edd01f7fc22f0de544413da11912708d63b7a706 |
| CRC32 | D987E890 |
| TLSH | T180624BCFBE204417D8F0C57530659234DFBACABA1B968EDF9CF91E529AC4C072823265 |
| Ssdeep | 192:sIvxdXSQeWSg9JJS/lcIEiwqZKBkDFR43xWTM3LHn8f26gyr6yfFCj3r:sMVSaSEglcIqq3agmLc+6gyWqFCj |
| Name | RAW Addr | Virt Addr | Virt Size | Raw Size | Characteristics | Entropy |
|---|---|---|---|---|---|---|
| .text | 0x00000400 | 0x00001000 | 0x00000b2a | 0x00000c00 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 5.86 |
| .rdata | 0x00001000 | 0x00002000 | 0x000021c2 | 0x00002200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 6.35 |
| .data | 0x00003200 | 0x00005000 | 0x00000194 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 3.58 |
| .rsrc | 0x00003400 | 0x00006000 | 0x000001e8 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 4.75 |
| .reloc | 0x00003600 | 0x00007000 | 0x0000020c | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 3.99 |
| Name | Offset | Size | Language | Entropy | Type |
|---|---|---|---|---|---|
| RT_MANIFEST | 0x00006060 | 0x00000188 | LANG_ENGLISH | 4.90 | None |
| Address | Name |
|---|---|
| 0x402024 | WriteFile |
| 0x402028 | CloseHandle |
| 0x40202c | lstrcmpA |
| 0x402030 | lstrcmpW |
| 0x402034 | LoadLibraryA |
| 0x402038 | GetModuleFileNameW |
| 0x40203c | GetCommandLineW |
| 0x402040 | Sleep |
| 0x402044 | SetPriorityClass |
| 0x402048 | CreateToolhelp32Snapshot |
| 0x40204c | Process32FirstW |
| 0x402050 | Process32NextW |
| 0x402054 | GlobalAlloc |
| 0x402058 | GlobalFree |
| 0x40205c | lstrlenW |
| 0x402060 | GetCurrentThreadId |
| 0x402064 | CreateThread |
| 0x402068 | ExitProcess |
| 0x40206c | GetCurrentProcess |
| 0x402070 | OpenProcess |
| 0x402074 | LocalFree |
| 0x402078 | LocalAlloc |
| 0x40207c | CreateFileA |
| 0x402080 | GetProcAddress |
| Address | Name |
|---|---|
| 0x4020a4 | GetWindowRect |
| 0x4020a8 | MessageBoxW |
| 0x4020ac | SetCursorPos |
| 0x4020b0 | GetCursorPos |
| 0x4020b4 | GetDesktopWindow |
| 0x4020b8 | EnumChildWindows |
| 0x4020bc | CallNextHookEx |
| 0x4020c0 | LoadIconW |
| 0x4020c4 | ReleaseDC |
| 0x4020c8 | UnhookWindowsHookEx |
| 0x4020cc | MessageBoxA |
| 0x4020d0 | GetSystemMetrics |
| 0x4020d4 | CreateWindowExA |
| 0x4020d8 | RegisterClassExA |
| 0x4020dc | DefWindowProcW |
| 0x4020e0 | ExitWindowsEx |
| 0x4020e4 | DispatchMessageW |
| 0x4020e8 | TranslateMessage |
| 0x4020ec | GetWindowDC |
| 0x4020f0 | DrawIcon |
| 0x4020f4 | SendInput |
| 0x4020f8 | SendMessageTimeoutW |
| 0x4020fc | GetMessageW |
| 0x402100 | SetWindowsHookExW |
| Address | Name |
|---|---|
| 0x402018 | BitBlt |
| 0x40201c | StretchBlt |
| Address | Name |
|---|---|
| 0x402000 | OpenProcessToken |
| 0x402004 | AdjustTokenPrivileges |
| 0x402008 | LookupPrivilegeValueW |
| 0x40200c | CryptAcquireContextW |
| 0x402010 | CryptGenRandom |
| Address | Name |
|---|---|
| 0x402090 | CommandLineToArgvW |
| 0x402094 | ShellExecuteW |
| 0x402098 | ShellExecuteA |
| 0x40209c | ShellExecuteExW |
| Address | Name |
|---|---|
| 0x402108 | PlaySoundA |
| Address | Name |
|---|---|
| 0x402088 | GetProcessImageFileNameA |
No behavioral analysis data available.
No dropped files found.