Analysis

Category: FILE
Package:
Started: 2025-12-10 09:35:23
Completed: 2025-12-10 09:36:10
Duration: 47 seconds
Options: vnc_port=5900
MalScore: 10.0

Analysis log:
2025-12-06 09:30:10,735 [root] INFO: Date set to: 20251210T01:35:23, timeout set to: 180
2025-12-10 01:35:23,000 [root] DEBUG: Starting analyzer from: C:\tmpxn2gzrkt
2025-12-10 01:35:23,000 [root] DEBUG: Storing results at: C:\xStflDFYtk
2025-12-10 01:35:23,000 [root] DEBUG: Pipe server name: \\.\PIPE\GJLnzPaTV
2025-12-10 01:35:23,000 [root] DEBUG: Python path: C:\Python38
2025-12-10 01:35:23,000 [root] INFO: analysis running as an admin
2025-12-10 01:35:23,000 [root] DEBUG: no analysis package configured, picking one for you
2025-12-10 01:35:23,000 [root] INFO: analysis package selected: "zip"
2025-12-10 01:35:23,000 [root] DEBUG: importing analysis package module: "modules.packages.zip"...
2025-12-10 01:35:23,015 [root] DEBUG: imported analysis package "zip"
2025-12-10 01:35:23,015 [root] DEBUG: initializing analysis package "zip"...
2025-12-10 01:35:23,015 [lib.common.common] INFO: wrapping
2025-12-10 01:35:23,015 [lib.core.compound] INFO: C:\Users\user\AppData\Local\Temp already exists, skipping creation
2025-12-10 01:35:23,015 [root] DEBUG: New location of moved file: C:\Users\user\AppData\Local\Temp\0a76c55fa88d4c134012.zip
2025-12-10 01:35:23,015 [root] INFO: Analyzer: Package modules.packages.zip does not specify a DLL option
2025-12-10 01:35:23,015 [root] INFO: Analyzer: Package modules.packages.zip does not specify a DLL_64 option
2025-12-10 01:35:23,015 [root] INFO: Analyzer: Package modules.packages.zip does not specify a loader option
2025-12-10 01:35:23,015 [root] INFO: Analyzer: Package modules.packages.zip does not specify a loader_64 option
2025-12-10 01:35:23,046 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-12-10 01:35:23,062 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain"
2025-12-10 01:35:23,062 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-12-10 01:35:23,062 [root] DEBUG: Imported auxiliary module "modules.auxiliary.during_script"
2025-12-10 01:35:23,062 [root] DEBUG: Imported auxiliary module "modules.auxiliary.end_noisy_tasks"
2025-12-10 01:35:23,062 [root] DEBUG: Imported auxiliary module "modules.auxiliary.evtx"
2025-12-10 01:35:23,062 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-12-10 01:35:23,062 [root] DEBUG: Imported auxiliary module "modules.auxiliary.pre_script"
2025-12-10 01:35:23,062 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-12-10 01:35:23,093 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2025-12-10 01:35:23,093 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2025-12-10 01:35:23,109 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-12-10 01:35:23,109 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon"
2025-12-10 01:35:23,109 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-12-10 01:35:23,109 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage"
2025-12-10 01:35:23,109 [root] DEBUG: Initialized auxiliary module "Browser"
2025-12-10 01:35:23,109 [root] DEBUG: attempting to configure 'Browser' from data
2025-12-10 01:35:23,109 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-12-10 01:35:23,109 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-12-10 01:35:23,109 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-12-10 01:35:23,109 [root] DEBUG: Initialized auxiliary module "Curtain"
2025-12-10 01:35:23,109 [root] DEBUG: attempting to configure 'Curtain' from data
2025-12-10 01:35:23,109 [root] DEBUG: module Curtain does not support data configuration, ignoring
2025-12-10 01:35:23,109 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.curtain"...
2025-12-10 01:35:23,109 [root] DEBUG: Started auxiliary module modules.auxiliary.curtain
2025-12-10 01:35:23,109 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-12-10 01:35:23,109 [root] DEBUG: attempting to configure 'Disguise' from data
2025-12-10 01:35:23,109 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-12-10 01:35:23,109 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-12-10 01:35:23,109 [modules.auxiliary.disguise] INFO: Disguising GUID to 42e9363b-001e-4227-b33f-314c41071e90
2025-12-10 01:35:23,109 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-12-10 01:35:23,109 [root] DEBUG: Initialized auxiliary module "End_noisy_tasks"
2025-12-10 01:35:23,125 [root] DEBUG: attempting to configure 'End_noisy_tasks' from data
2025-12-10 01:35:23,125 [root] DEBUG: module End_noisy_tasks does not support data configuration, ignoring
2025-12-10 01:35:23,125 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.end_noisy_tasks"...
2025-12-10 01:35:23,125 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM wuauclt.exe
2025-12-10 01:35:23,125 [root] DEBUG: Started auxiliary module modules.auxiliary.end_noisy_tasks
2025-12-10 01:35:23,125 [root] DEBUG: Initialized auxiliary module "Evtx"
2025-12-10 01:35:23,125 [root] DEBUG: attempting to configure 'Evtx' from data
2025-12-10 01:35:23,125 [root] DEBUG: module Evtx does not support data configuration, ignoring
2025-12-10 01:35:23,125 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.evtx"...
2025-12-10 01:35:23,125 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Security State Change" /success:enable /failure:enable
2025-12-10 01:35:23,125 [root] DEBUG: Started auxiliary module modules.auxiliary.evtx
2025-12-10 01:35:23,125 [root] DEBUG: Initialized auxiliary module "Human"
2025-12-10 01:35:23,125 [root] DEBUG: attempting to configure 'Human' from data
2025-12-10 01:35:23,125 [root] DEBUG: module Human does not support data configuration, ignoring
2025-12-10 01:35:23,125 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-12-10 01:35:23,125 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-12-10 01:35:23,125 [root] DEBUG: Initialized auxiliary module "Pre_script"
2025-12-10 01:35:23,125 [root] DEBUG: attempting to configure 'Pre_script' from data
2025-12-10 01:35:23,125 [root] DEBUG: module Pre_script does not support data configuration, ignoring
2025-12-10 01:35:23,125 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.pre_script"...
2025-12-10 01:35:23,125 [root] DEBUG: Started auxiliary module modules.auxiliary.pre_script
2025-12-10 01:35:23,125 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-12-10 01:35:23,125 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-12-10 01:35:23,125 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-12-10 01:35:23,125 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-12-10 01:35:23,125 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-12-10 01:35:23,125 [root] DEBUG: Initialized auxiliary module "Sysmon"
2025-12-10 01:35:23,125 [root] DEBUG: attempting to configure 'Sysmon' from data
2025-12-10 01:35:23,125 [root] DEBUG: module Sysmon does not support data configuration, ignoring
2025-12-10 01:35:23,125 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.sysmon"...
2025-12-10 01:35:23,203 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable
2025-12-10 01:35:23,218 [root] WARNING: Cannot execute auxiliary module modules.auxiliary.sysmon: In order to use the Sysmon functionality, it is required to have the SMaster(64|32).exe file and sysmonconfig-export.xml file in the bin path. Note that the SMaster(64|32).exe files are just the standard Sysmon binaries renamed to avoid anti-analysis detection techniques.
2025-12-10 01:35:23,218 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-12-10 01:35:23,218 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-12-10 01:35:23,218 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-12-10 01:35:23,218 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-12-10 01:35:23,218 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 392
2025-12-10 01:35:23,218 [lib.api.process] INFO: Monitor config for <Process 392 lsass.exe>: C:\tmpxn2gzrkt\dll\392.ini
2025-12-10 01:35:23,234 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-12-10 01:35:23,234 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpxn2gzrkt\dll\Hraflb.dll, loader C:\tmpxn2gzrkt\bin\flQBCkN.exe
2025-12-10 01:35:23,234 [root] DEBUG: Loader: Injecting process 392 with C:\tmpxn2gzrkt\dll\Hraflb.dll.
2025-12-10 01:35:23,249 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable
2025-12-10 01:35:23,265 [root] DEBUG: 392: Python path set to 'C:\Python38'.
2025-12-10 01:35:23,265 [root] INFO: Disabling sleep skipping.
2025-12-10 01:35:23,265 [root] DEBUG: 392: TLS secret dump mode enabled.
2025-12-10 01:35:23,265 [root] DEBUG: 392: Monitor initialised: 32-bit capemon loaded in process 392 at 0x6b9a0000, thread 3120, image base 0x570000, stack from 0xce6000-0xcf0000
2025-12-10 01:35:23,265 [root] DEBUG: 392: Commandline: C:\Windows\system32\lsass.exe
2025-12-10 01:35:23,265 [root] DEBUG: 392: Hooked 5 out of 5 functions
2025-12-10 01:35:23,265 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-12-10 01:35:23,265 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM wusa.exe
2025-12-10 01:35:23,281 [root] DEBUG: Successfully injected DLL C:\tmpxn2gzrkt\dll\Hraflb.dll.
2025-12-10 01:35:23,281 [lib.api.process] INFO: Injected into 32-bit <Process 392 lsass.exe>
2025-12-10 01:35:23,281 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump
2025-12-10 01:35:23,281 [root] DEBUG: Initialized auxiliary module "Usage"
2025-12-10 01:35:23,281 [root] DEBUG: attempting to configure 'Usage' from data
2025-12-10 01:35:23,281 [root] DEBUG: module Usage does not support data configuration, ignoring
2025-12-10 01:35:23,281 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.usage"...
2025-12-10 01:35:23,281 [root] DEBUG: Started auxiliary module modules.auxiliary.usage
2025-12-10 01:35:23,281 [root] DEBUG: Initialized auxiliary module "During_script"
2025-12-10 01:35:23,281 [root] DEBUG: attempting to configure 'During_script' from data
2025-12-10 01:35:23,281 [root] DEBUG: module During_script does not support data configuration, ignoring
2025-12-10 01:35:23,281 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.during_script"...
2025-12-10 01:35:23,281 [root] DEBUG: Started auxiliary module modules.auxiliary.during_script
2025-12-10 01:35:23,296 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"IPsec Driver" /success:disable /failure:disable
2025-12-10 01:35:23,343 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other System Events" /success:disable /failure:enable
2025-12-10 01:35:23,359 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM WindowsUpdate.exe
2025-12-10 01:35:23,375 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Logon" /success:enable /failure:enable
2025-12-10 01:35:23,390 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Logoff" /success:enable /failure:enable
2025-12-10 01:35:23,406 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM GoogleUpdate.exe
2025-12-10 01:35:23,406 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
2025-12-10 01:35:23,421 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"IPsec Main Mode" /success:disable /failure:disable
2025-12-10 01:35:23,437 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM MicrosoftEdgeUpdate.exe
2025-12-10 01:35:23,453 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"IPsec Quick Mode" /success:disable /failure:disable
2025-12-10 01:35:23,468 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"IPsec Extended Mode" /success:disable /failure:disable
2025-12-10 01:35:23,484 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable
2025-12-10 01:35:23,500 [modules.auxiliary.end_noisy_tasks] DEBUG: Command executed with exit code 0: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v DisableWindowsUpdateAccess /t REG_DWORD /d 1 /f
2025-12-10 01:35:23,500 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
2025-12-10 01:35:23,515 [modules.auxiliary.end_noisy_tasks] DEBUG: Command executed with exit code 0: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
2025-12-10 01:35:23,515 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Special Logon" /success:enable /failure:enable
2025-12-10 01:35:23,531 [modules.auxiliary.end_noisy_tasks] DEBUG: Command executed with exit code 0: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v EnableICMPRedirect /t REG_DWORD /d 0 /f
2025-12-10 01:35:23,546 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"File System" /success:enable /failure:enable
2025-12-10 01:35:23,562 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Registry" /success:enable /failure:enable
2025-12-10 01:35:23,562 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Kernel Object" /success:enable /failure:enable
2025-12-10 01:35:23,578 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"SAM" /success:disable /failure:disable
2025-12-10 01:35:23,593 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
2025-12-10 01:35:23,609 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Handle Manipulation" /success:disable /failure:disable
2025-12-10 01:35:23,625 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Application Generated" /success:enable /failure:enable
2025-12-10 01:35:23,640 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"File Share" /success:enable /failure:enable
2025-12-10 01:35:23,656 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
2025-12-10 01:35:23,671 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable
2025-12-10 01:35:23,687 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Object Access Events" /success:disable /failure:disable
2025-12-10 01:35:23,703 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Sensitive Privilege Use" /success:disable /failure:disable
2025-12-10 01:35:23,718 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Non Sensitive Privilege Use" /success:disable /failure:disable
2025-12-10 01:35:23,734 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Privilege Use Events" /success:disable /failure:disable
2025-12-10 01:35:23,750 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"RPC Events" /success:enable /failure:enable
2025-12-10 01:35:23,750 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
2025-12-10 01:35:23,765 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable
2025-12-10 01:35:23,781 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:disable /failure:disable
2025-12-10 01:35:23,796 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Filtering Platform Policy Change" /success:disable /failure:disable
2025-12-10 01:35:23,812 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Policy Change Events" /success:disable /failure:enable
2025-12-10 01:35:23,828 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
2025-12-10 01:35:23,843 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable
2025-12-10 01:35:23,859 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
2025-12-10 01:35:23,875 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Distribution Group Management" /success:enable /failure:enable
2025-12-10 01:35:23,890 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Application Group Management" /success:enable /failure:enable
2025-12-10 01:35:23,906 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Account Management Events" /success:enable /failure:enable
2025-12-10 01:35:23,921 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable
2025-12-10 01:35:23,921 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
2025-12-10 01:35:23,937 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Directory Service Replication" /success:disable /failure:enable
2025-12-10 01:35:23,953 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Detailed Directory Service Replication" /success:disable /failure:disable
2025-12-10 01:35:23,968 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
2025-12-10 01:35:23,984 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable
2025-12-10 01:35:24,000 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Account Logon Events" /success:enable /failure:enable
2025-12-10 01:35:24,015 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
2025-12-10 01:35:24,031 [modules.auxiliary.evtx] DEBUG: Wiping Application
2025-12-10 01:35:24,046 [modules.auxiliary.evtx] DEBUG: Wiping HardwareEvents
2025-12-10 01:35:24,062 [modules.auxiliary.evtx] DEBUG: Wiping Internet Explorer
2025-12-10 01:35:24,062 [modules.auxiliary.evtx] DEBUG: Wiping Key Management Service
2025-12-10 01:35:24,078 [modules.auxiliary.evtx] DEBUG: Wiping OAlerts
2025-12-10 01:35:24,093 [modules.auxiliary.evtx] DEBUG: Wiping Security
2025-12-10 01:35:24,109 [modules.auxiliary.evtx] DEBUG: Wiping Setup
2025-12-10 01:35:24,125 [modules.auxiliary.evtx] DEBUG: Wiping System
2025-12-10 01:35:24,140 [modules.auxiliary.evtx] DEBUG: Wiping Windows PowerShell
2025-12-10 01:35:24,140 [modules.auxiliary.evtx] DEBUG: Wiping Microsoft-Windows-Sysmon/Operational
2025-12-10 01:35:28,484 [root] INFO: Restarting WMI Service
2025-12-10 01:35:30,515 [root] DEBUG: package modules.packages.zip does not support configure, ignoring
2025-12-10 01:35:30,515 [root] WARNING: configuration error for package modules.packages.zip: error importing data.packages.zip: No module named 'data.packages'
2025-12-10 01:35:30,515 [lib.common.zip_utils] INFO: Uploading C:\Users\user\AppData\Local\Temp\0a76c55fa88d4c134012a5136c09fb938b4be88a382f88bf2804043253b0559f to host
2025-12-10 01:35:30,515 [lib.common.results] INFO: Uploading file C:\Users\user\AppData\Local\Temp\0a76c55fa88d4c134012a5136c09fb938b4be88a382f88bf2804043253b0559f to files/0a76c55fa88d4c134012a5136c09fb938b4be88a382f88bf2804043253b0559f; Size is 59750; Max size: 100000000
2025-12-10 01:35:30,531 [modules.packages.zip] DEBUG: No interesting files found, auto executing the first file: 0a76c55fa88d4c134012a5136c09fb938b4be88a382f88bf2804043253b0559f
2025-12-10 01:35:30,531 [modules.packages.zip] DEBUG: Missing file option, auto executing: ['0a76c55fa88d4c134012a5136c09fb938b4be88a382f88bf2804043253b0559f']
2025-12-10 01:35:30,531 [lib.core.compound] INFO: C:\Users\user\AppData\Local\Temp already exists, skipping creation
2025-12-10 01:35:30,531 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\system32\cmd.exe" with arguments "/c "cd ^"C:\Users\user\AppData\Local\Temp^" && start /wait ^"^" ^"C:\Users\user\AppData\Local\Temp\0a76c55fa88d4c134012a5136c09fb938b4be88a382f88bf2804043253b0559f.exe^"" with pid 3116
2025-12-10 01:35:30,531 [lib.api.process] INFO: Monitor config for <Process 3116 cmd.exe>: C:\tmpxn2gzrkt\dll\3116.ini
2025-12-10 01:35:30,531 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpxn2gzrkt\dll\Hraflb.dll, loader C:\tmpxn2gzrkt\bin\flQBCkN.exe
2025-12-10 01:35:30,531 [root] DEBUG: Loader: Injecting process 3116 (thread 3024) with C:\tmpxn2gzrkt\dll\Hraflb.dll.
2025-12-10 01:35:30,531 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-12-10 01:35:30,531 [root] DEBUG: Successfully injected DLL C:\tmpxn2gzrkt\dll\Hraflb.dll.
2025-12-10 01:35:30,531 [lib.api.process] INFO: Injected into 32-bit <Process 3116 cmd.exe>
2025-12-10 01:35:32,531 [lib.api.process] INFO: Successfully resumed <Process 3116 cmd.exe>
2025-12-10 01:35:32,546 [root] DEBUG: 3116: Python path set to 'C:\Python38'.
2025-12-10 01:35:32,546 [root] INFO: Disabling sleep skipping.
2025-12-10 01:35:32,546 [root] DEBUG: 3116: Dropped file limit defaulting to 100.
2025-12-10 01:35:32,546 [root] DEBUG: 3116: YaraInit: Compiled 41 rule files
2025-12-10 01:35:32,546 [root] DEBUG: 3116: YaraInit: Compiled rules saved to file C:\tmpxn2gzrkt\data\yara\capemon.yac
2025-12-10 01:35:32,546 [root] DEBUG: 3116: YaraScan: Scanning 0x4AAB0000, size 0x4bb2e
2025-12-10 01:35:32,546 [root] DEBUG: 3116: Monitor initialised: 32-bit capemon loaded in process 3116 at 0x6b9a0000, thread 3024, image base 0x4aab0000, stack from 0x73000-0x170000
2025-12-10 01:35:32,546 [root] DEBUG: 3116: Commandline: "C:\Windows\system32\cmd.exe" /c "cd ^"C:\Users\user\AppData\Local\Temp^" && start /wait ^"^" ^"C:\Users\user\AppData\Local\Temp\0a76c55fa88d4c134012a5136c09fb938b4be88a382f88bf2804043253b0559f.exe^"
2025-12-10 01:35:32,546 [root] DEBUG: 3116: GetAddressByYara: ModuleBase 0x774E0000 FunctionName LdrpCallInitRoutine
2025-12-10 01:35:32,562 [root] DEBUG: 3116: hook_api: LdrpCallInitRoutine export address 0x77538810 obtained via GetFunctionAddress
2025-12-10 01:35:32,562 [root] DEBUG: 3116: hook_api: Warning - CreateRemoteThreadEx export address 0x764AF98F differs from GetProcAddress -> 0x754EBB18 (KERNELBASE.dll::0xbb18)
2025-12-10 01:35:32,562 [root] DEBUG: 3116: hook_api: Warning - UpdateProcThreadAttribute export address 0x764B020F differs from GetProcAddress -> 0x754F43FB (KERNELBASE.dll::0x143fb)
2025-12-10 01:35:32,562 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2025-12-10 01:35:32,562 [root] DEBUG: 3116: set_hooks: Unable to hook GetCommandLineA
2025-12-10 01:35:32,562 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2025-12-10 01:35:32,562 [root] DEBUG: 3116: set_hooks: Unable to hook GetCommandLineW
2025-12-10 01:35:32,562 [root] DEBUG: 3116: Hooked 611 out of 613 functions
2025-12-10 01:35:32,562 [root] DEBUG: 3116: WoW64 not detected.
2025-12-10 01:35:32,562 [root] INFO: Loaded monitor into process with pid 3116
2025-12-10 01:35:32,562 [root] DEBUG: 3116: caller_dispatch: Added region at 0x4AAB0000 to tracked regions list (kernel32::GetSystemTimeAsFileTime returns to 0x4AAB7CBD, thread 3024).
2025-12-10 01:35:32,562 [root] DEBUG: 3116: YaraScan: Scanning 0x4AAB0000, size 0x4bb2e
2025-12-10 01:35:32,562 [root] DEBUG: 3116: ProcessImageBase: Main module image at 0x4AAB0000 unmodified (entropy change 0.000000e+00)
2025-12-10 01:35:32,578 [root] DEBUG: 3116: DLL loaded at 0x75390000: C:\Windows\system32\apphelp (0x4c000 bytes).
2025-12-10 01:35:32,593 [root] DEBUG: 3116: CreateProcessHandler: Injection info set for new process 3328: C:\Windows\system32\ntvdm.exe, ImageBase: 0x0E8E0000
2025-12-10 01:35:32,593 [root] INFO: Announced 32-bit process name: ntvdm.exe pid: 3328
2025-12-10 01:35:32,593 [lib.api.process] INFO: Monitor config for <Process 3328 ntvdm.exe>: C:\tmpxn2gzrkt\dll\3328.ini
2025-12-10 01:35:32,593 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpxn2gzrkt\dll\Hraflb.dll, loader C:\tmpxn2gzrkt\bin\flQBCkN.exe
2025-12-10 01:35:32,593 [root] DEBUG: Loader: Injecting process 3328 (thread 3308) with C:\tmpxn2gzrkt\dll\Hraflb.dll.
2025-12-10 01:35:32,593 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-12-10 01:35:32,593 [root] DEBUG: Successfully injected DLL C:\tmpxn2gzrkt\dll\Hraflb.dll.
2025-12-10 01:35:32,593 [lib.api.process] INFO: Injected into 32-bit <Process 3328 ntvdm.exe>
2025-12-10 01:35:32,593 [root] INFO: Announced 32-bit process name: ntvdm.exe pid: 3328
2025-12-10 01:35:32,593 [lib.api.process] INFO: Monitor config for <Process 3328 ntvdm.exe>: C:\tmpxn2gzrkt\dll\3328.ini
2025-12-10 01:35:32,593 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpxn2gzrkt\dll\Hraflb.dll, loader C:\tmpxn2gzrkt\bin\flQBCkN.exe
2025-12-10 01:35:32,609 [root] DEBUG: Loader: Injecting process 3328 (thread 3308) with C:\tmpxn2gzrkt\dll\Hraflb.dll.
2025-12-10 01:35:32,609 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2025-12-10 01:35:32,609 [root] DEBUG: Successfully injected DLL C:\tmpxn2gzrkt\dll\Hraflb.dll.
2025-12-10 01:35:32,609 [lib.api.process] INFO: Injected into 32-bit <Process 3328 ntvdm.exe>
2025-12-10 01:35:32,671 [root] DEBUG: 3328: Python path set to 'C:\Python38'.
2025-12-10 01:35:32,671 [root] DEBUG: 3328: Dropped file limit defaulting to 100.
2025-12-10 01:35:32,671 [root] DEBUG: 3328: VerifyCodeSection: Executable code does not match, 0x0 of 0x7044f matching
2025-12-10 01:35:32,671 [root] INFO: Disabling sleep skipping.
2025-12-10 01:35:32,671 [root] DEBUG: 3328: YaraInit: Compiled rules loaded from existing file C:\tmpxn2gzrkt\data\yara\capemon.yac
2025-12-10 01:35:32,671 [root] DEBUG: 3328: YaraScan: Scanning 0x0E8E0000, size 0xc181a
2025-12-10 01:35:32,671 [root] DEBUG: 3328: Monitor initialised: 32-bit capemon loaded in process 3328 at 0x6b9a0000, thread 3308, image base 0xe8e0000, stack from 0x10d6000-0x10e0000
2025-12-10 01:35:32,671 [root] DEBUG: 3328: Commandline: "C:\Windows\system32\ntvdm.exe" -i1
2025-12-10 01:35:32,687 [root] DEBUG: 3328: GetAddressByYara: ModuleBase 0x774E0000 FunctionName LdrpCallInitRoutine
2025-12-10 01:35:32,687 [root] DEBUG: 3328: hook_api: LdrpCallInitRoutine export address 0x77538810 obtained via GetFunctionAddress
2025-12-10 01:35:32,687 [root] DEBUG: 3328: hook_api: Warning - CreateRemoteThreadEx export address 0x764AF98F differs from GetProcAddress -> 0x754EBB18 (KERNELBASE.dll::0xbb18)
2025-12-10 01:35:32,687 [root] DEBUG: 3328: hook_api: Warning - UpdateProcThreadAttribute export address 0x764B020F differs from GetProcAddress -> 0x754F43FB (KERNELBASE.dll::0x143fb)
2025-12-10 01:35:32,687 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2025-12-10 01:35:32,687 [root] DEBUG: 3328: set_hooks: Unable to hook GetCommandLineA
2025-12-10 01:35:32,687 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2025-12-10 01:35:32,687 [root] DEBUG: 3328: set_hooks: Unable to hook GetCommandLineW
2025-12-10 01:35:32,687 [root] DEBUG: 3328: Hooked 611 out of 613 functions
2025-12-10 01:35:32,687 [root] DEBUG: 3328: WoW64 not detected.
2025-12-10 01:35:32,687 [root] INFO: Loaded monitor into process with pid 3328
2025-12-10 01:35:32,703 [root] DEBUG: 3328: caller_dispatch: Added region at 0x0E8E0000 to tracked regions list (kernel32::GetSystemTimeAsFileTime returns to 0x0E8E5659, thread 3308).
2025-12-10 01:35:32,703 [root] DEBUG: 3328: YaraScan: Scanning 0x0E8E0000, size 0xc181a
2025-12-10 01:35:32,703 [root] DEBUG: 3328: ProcessImageBase: Main module image at 0x0E8E0000 unmodified (entropy change 0.000000e+00)
2025-12-10 01:35:32,703 [root] DEBUG: 3328: AllocationHandler: Adding allocation to tracked region list: 0x000A0000, size: 0x60000.
2025-12-10 01:35:32,703 [root] DEBUG: 3328: AddTrackedRegion: GetEntropy failed.
2025-12-10 01:35:32,703 [root] DEBUG: 3328: NtSetContextThread: Protecting breakpoints for thread 3308: 0x00000000, 0x00000000, 0x00000000, 0x00000000.
2025-12-10 01:35:32,703 [root] DEBUG: 3328: DLL loaded at 0x6E660000: C:\Windows\system32\WINMM (0x32000 bytes).
2025-12-10 01:35:32,703 [root] DEBUG: 3328: AllocationHandler: Adding allocation to tracked region list: 0x000CE000, size: 0x1a000.
2025-12-10 01:35:32,703 [root] DEBUG: 3328: AddTrackedRegion: GetEntropy failed.
2025-12-10 01:35:32,703 [root] DEBUG: 3328: AllocationHandler: Processing previous tracked region at: 0x000A0000.
2025-12-10 01:35:32,703 [root] DEBUG: 3328: DumpPEsInRange: Scanning range 0x000A0000 - 0x000CD800.
2025-12-10 01:35:32,703 [root] DEBUG: 3328: ScanForDisguisedPE: No PE image located in range 0x000A0000-0x000CD800.
2025-12-10 01:35:32,718 [lib.common.results] INFO: Uploading file C:\xStflDFYtk\CAPE\3328_1364241832351792122025 to CAPE\7bab212abb1adc9456c196405c4d298ecbb6d8c4a9a2a480afadcf48591e37c4; Size is 186368; Max size: 100000000
2025-12-10 01:35:32,734 [root] DEBUG: 3328: DumpMemory: Payload successfully created: C:\xStflDFYtk\CAPE\3328_1364241832351792122025 (size 186368 bytes)
2025-12-10 01:35:32,734 [root] DEBUG: 3328: DumpRegion: Dumped entire allocation from 0x000A0000, size 188416 bytes.
2025-12-10 01:35:32,734 [root] DEBUG: 3328: ProcessTrackedRegion: Dumped region at 0x000A0000.
2025-12-10 01:35:32,734 [root] DEBUG: 3328: YaraScan: Scanning 0x000A0000, size 0x2d800
2025-12-10 01:35:32,734 [root] DEBUG: 3328: DLL loaded at 0x72740000: C:\Windows\system32\NTVDMD (0x7000 bytes).
2025-12-10 01:35:32,734 [root] INFO: Added new file to list with pid None and path C:\Users\user\AppData\Local\Temp\scs60C5.tmp
2025-12-10 01:35:32,750 [root] DEBUG: 3328: DLL loaded at 0x753E0000: C:\Windows\system32\cryptbase (0xc000 bytes).
2025-12-10 01:35:32,750 [root] INFO: Added new file to list with pid None and path C:\Users\user\AppData\Local\Temp\scs60D5.tmp
2025-12-10 01:35:32,765 [root] DEBUG: 3328: DLL loaded at 0x71D10000: C:\Windows\system32\VDMREDIR (0x8000 bytes).
2025-12-10 01:35:32,765 [root] DEBUG: 3328: DLL loaded at 0x73AE0000: C:\Windows\system32\SAMCLI (0xf000 bytes).
2025-12-10 01:35:32,765 [root] DEBUG: 3328: hook_api: Warning - NetUserGetInfo export address 0x73B1528E differs from GetProcAddress -> 0x73AE1BE2 (SAMCLI.DLL::0x1be2)
2025-12-10 01:35:32,765 [root] DEBUG: 3328: DLL loaded at 0x73AF0000: C:\Windows\system32\WKSCLI (0xf000 bytes).
2025-12-10 01:35:32,765 [root] DEBUG: 3328: hook_api: Warning - NetGetJoinInformation export address 0x73B14AD2 differs from GetProcAddress -> 0x73AF2C3F (WKSCLI.DLL::0x2c3f)
2025-12-10 01:35:32,765 [root] DEBUG: 3328: hook_api: Warning - NetUserGetLocalGroups export address 0x73B152A4 differs from GetProcAddress -> 0x73AE28AA (SAMCLI.DLL::0x28aa)
2025-12-10 01:35:32,765 [root] DEBUG: 3328: DLL loaded at 0x74D20000: C:\Windows\system32\LOGONCLI (0x22000 bytes).
2025-12-10 01:35:32,765 [root] DEBUG: 3328: hook_api: Warning - DsEnumerateDomainTrustsW export address 0x73B13C9E differs from GetProcAddress -> 0x74D2B1FA (LOGONCLI.DLL::0xb1fa)
2025-12-10 01:35:32,765 [root] DEBUG: 3328: DLL loaded at 0x73B10000: C:\Windows\system32\NETAPI32 (0x11000 bytes).
2025-12-10 01:35:32,765 [root] DEBUG: 3328: DLL loaded at 0x73B00000: C:\Windows\system32\netutils (0x9000 bytes).
2025-12-10 01:35:32,765 [root] DEBUG: 3328: DLL loaded at 0x752C0000: C:\Windows\system32\srvcli (0x19000 bytes).
2025-12-10 01:35:32,781 [root] INFO: Added new file to list with pid None and path C:\Windows\system.ini
2025-12-10 01:35:32,781 [root] DEBUG: 3328: AllocationHandler: Adding allocation to tracked region list: 0x00110000, size: 0x1000.
2025-12-10 01:35:32,781 [root] DEBUG: 3328: AddTrackedRegion: GetEntropy failed.
2025-12-10 01:35:32,781 [root] DEBUG: 3328: AllocationHandler: Processing previous tracked region at: 0x000CE000.
2025-12-10 01:35:32,781 [root] DEBUG: 3328: DumpPEsInRange: Scanning range 0x000CE000 - 0x000DF225.
2025-12-10 01:35:32,781 [root] DEBUG: 3328: ScanForDisguisedPE: No PE image located in range 0x000CE000-0x000DF225.
2025-12-10 01:35:32,781 [lib.common.results] INFO: Uploading file C:\xStflDFYtk\CAPE\3328_1153068432351792122025 to CAPE\912e38996a3e8e487f97b347f4f31ee3c92b4c8abc5bea2eb613328fbf427472; Size is 70181; Max size: 100000000
2025-12-10 01:35:32,796 [root] DEBUG: 3328: DumpMemory: Payload successfully created: C:\xStflDFYtk\CAPE\3328_1153068432351792122025 (size 70181 bytes)
2025-12-10 01:35:32,796 [root] DEBUG: 3328: DumpRegion: Dumped entire allocation from 0x000CE000, size 106496 bytes.
2025-12-10 01:35:32,796 [root] DEBUG: 3328: ProcessTrackedRegion: Dumped region at 0x000CE000.
2025-12-10 01:35:32,796 [root] DEBUG: 3328: YaraScan: Scanning 0x000CE000, size 0x11225
2025-12-10 01:35:32,796 [root] DEBUG: 3328: AllocationHandler: Allocation already in tracked region list: 0x00110000.
2025-12-10 01:35:32,796 [root] DEBUG: 3328: AllocationHandler: Allocation already in tracked region list: 0x00110000.
2025-12-10 01:35:32,796 [root] DEBUG: 3328: AllocationHandler: Allocation already in tracked region list: 0x00110000.
2025-12-10 01:35:32,796 [root] DEBUG: 3328: AllocationHandler: Allocation already in tracked region list: 0x00110000.
2025-12-10 01:35:32,796 [root] DEBUG: 3328: AllocationHandler: Allocation already in tracked region list: 0x00110000.
2025-12-10 01:35:32,796 [root] DEBUG: 3328: AllocationHandler: Allocation already in tracked region list: 0x00110000.
2025-12-10 01:35:32,796 [root] DEBUG: 3328: AllocationHandler: Allocation already in tracked region list: 0x00110000.
2025-12-10 01:35:32,796 [root] DEBUG: 3328: AllocationHandler: Allocation already in tracked region list: 0x00110000.
2025-12-10 01:35:32,796 [root] DEBUG: 3328: AllocationHandler: Allocation already in tracked region list: 0x00110000.
2025-12-10 01:35:32,796 [root] DEBUG: 3328: AllocationHandler: Allocation already in tracked region list: 0x00110000.
2025-12-10 01:35:32,796 [root] DEBUG: 3328: AllocationHandler: Adding allocation to tracked region list: 0x01070000, size: 0x1000.
2025-12-10 01:35:32,796 [root] DEBUG: 3328: AddTrackedRegion: GetEntropy failed.
2025-12-10 01:35:32,796 [root] DEBUG: 3328: AllocationHandler: Processing previous tracked region at: 0x00110000.
2025-12-10 01:35:32,796 [root] DEBUG: 3328: DumpPEsInRange: Scanning range 0x00110000 - 0x0011A0EA.
2025-12-10 01:35:32,796 [root] DEBUG: 3328: ScanForDisguisedPE: No PE image located in range 0x00110000-0x0011A0EA.
2025-12-10 01:35:32,796 [lib.common.results] INFO: Uploading file C:\xStflDFYtk\CAPE\3328_135797632351792122025 to CAPE\953a83e1fdafca97fc1d5404362f5ff324c7fdfede92b5d99f4141d838ee86d9; Size is 41194; Max size: 100000000
2025-12-10 01:35:32,812 [root] DEBUG: 3328: DumpMemory: Payload successfully created: C:\xStflDFYtk\CAPE\3328_135797632351792122025 (size 41194 bytes)
2025-12-10 01:35:32,812 [root] DEBUG: 3328: DumpRegion: Dumped entire allocation from 0x00110000, size 45056 bytes.
2025-12-10 01:35:32,812 [root] DEBUG: 3328: ProcessTrackedRegion: Dumped region at 0x00110000.
2025-12-10 01:35:32,812 [root] DEBUG: 3328: YaraScan: Scanning 0x00110000, size 0xa0ea
2025-12-10 01:35:32,812 [lib.common.results] INFO: Uploading file C:\Users\user\AppData\Local\Temp\scs60C5.tmp to files\ee06792197c3e025b84860a72460eaf628c66637685f8c52c5a08a9cc35d376c; Size is 174; Max size: 100000000
2025-12-10 01:35:32,828 [lib.common.results] INFO: Uploading file C:\Users\user\AppData\Local\Temp\scs60D5.tmp to files\06d61c23e6ca59b9ddad1796eccc42c032cd8f6f424af6cfee5d085d36ff7dfd; Size is 139; Max size: 100000000
2025-12-10 01:35:33,312 [root] DEBUG: 3116: NtTerminateProcess hook: Attempting to dump process 3116
2025-12-10 01:35:33,312 [root] DEBUG: 3116: DoProcessDump: Skipping process dump as code is identical on disk.
2025-12-10 01:35:33,328 [root] INFO: Process with pid 3116 has terminated
2025-12-10 01:35:33,531 [root] INFO: Process with pid 3328 appears to have terminated
2025-12-10 01:35:54,531 [root] INFO: Process list is empty, terminating analysis
2025-12-10 01:35:55,531 [root] INFO: Created shutdown mutex
2025-12-10 01:35:56,531 [root] INFO: Shutting down package
2025-12-10 01:35:56,531 [root] INFO: Stopping auxiliary modules
2025-12-10 01:35:56,531 [root] INFO: Stopping auxiliary module: Browser
2025-12-10 01:35:56,531 [root] INFO: Stopping auxiliary module: Curtain
2025-12-10 01:35:56,546 [lib.common.results] INFO: Uploading file C:\curtain.log to curtain/1765301756.5468748.curtain.log; Size is 36; Max size: 100000000
2025-12-10 01:35:56,546 [root] INFO: Stopping auxiliary module: End_noisy_tasks
2025-12-10 01:35:56,546 [root] INFO: Stopping auxiliary module: Evtx
2025-12-10 01:35:56,562 [modules.auxiliary.evtx] DEBUG: Adding C:/Windows/System32/winevt/Logs\Application.evtx to zip dump
2025-12-10 01:35:56,562 [modules.auxiliary.evtx] DEBUG: Adding C:/Windows/System32/winevt/Logs\HardwareEvents.evtx to zip dump
2025-12-10 01:35:56,562 [modules.auxiliary.evtx] DEBUG: Adding C:/Windows/System32/winevt/Logs\Internet Explorer.evtx to zip dump
2025-12-10 01:35:56,562 [modules.auxiliary.evtx] DEBUG: Adding C:/Windows/System32/winevt/Logs\Key Management Service.evtx to zip dump
2025-12-10 01:35:56,562 [modules.auxiliary.evtx] DEBUG: Adding C:/Windows/System32/winevt/Logs\Microsoft-Windows-Sysmon%4Operational.evtx to zip dump
2025-12-10 01:35:56,578 [modules.auxiliary.evtx] DEBUG: Adding C:/Windows/System32/winevt/Logs\OAlerts.evtx to zip dump
2025-12-10 01:35:56,578 [modules.auxiliary.evtx] DEBUG: Adding C:/Windows/System32/winevt/Logs\Security.evtx to zip dump
2025-12-10 01:35:56,578 [modules.auxiliary.evtx] DEBUG: Adding C:/Windows/System32/winevt/Logs\Setup.evtx to zip dump
2025-12-10 01:35:56,578 [modules.auxiliary.evtx] DEBUG: Adding C:/Windows/System32/winevt/Logs\System.evtx to zip dump
2025-12-10 01:35:56,578 [modules.auxiliary.evtx] DEBUG: Adding C:/Windows/System32/winevt/Logs\Windows PowerShell.evtx to zip dump
2025-12-10 01:35:56,656 [modules.auxiliary.evtx] DEBUG: Uploading evtx.zip to host
2025-12-10 01:35:56,656 [lib.common.results] INFO: Uploading file evtx.zip to evtx/evtx.zip; Size is 317816; Max size: 100000000
2025-12-10 01:35:56,656 [root] INFO: Stopping auxiliary module: Human
2025-12-10 01:35:59,687 [root] INFO: Stopping auxiliary module: Pre_script
2025-12-10 01:35:59,687 [root] INFO: Stopping auxiliary module: Screenshots
2025-12-10 01:36:03,171 [root] INFO: Stopping auxiliary module: Usage
2025-12-10 01:36:03,296 [root] INFO: Stopping auxiliary module: During_script
2025-12-10 01:36:03,296 [root] INFO: Finishing auxiliary modules
2025-12-10 01:36:03,296 [root] INFO: Shutting down pipe server and dumping dropped files
2025-12-10 01:36:03,296 [lib.common.results] INFO: Uploading file C:\Windows\system.ini to files\6f533ccc79227e38f18bfc63bfc961ef4d3ee0e2bf33dd097ccf3548a12b743b; Size is 219; Max size: 100000000
2025-12-10 01:36:03,296 [root] WARNING: Folder at path "C:\xStflDFYtk\debugger" does not exist, skipping
2025-12-10 01:36:03,296 [root] WARNING: Folder at path "C:\xStflDFYtk\tlsdump" does not exist, skipping
2025-12-10 01:36:03,296 [root] INFO: Analysis completed

Machine

Name Label Manager Started On Shutdown On Route
win7-32bit-1 win7-32bit-1 KVM 2025-12-10 09:35:23 2025-12-10 09:36:09 inetsim

File Details

File Name
0a76c55fa88d4c134012.zip
File Type Zip archive data, at least v2.0 to extract, compression method=deflate
File Size 21407 bytes
MD5 a80d5661d84726166bab0defe7d0480f
SHA1 e359693458d70e0efcc9375949a50f77b3c23c9c
SHA256 5a2913632de0df5c4cb6315f04197534361bd187ab12e20af6a1e4098c7bc4ea
SHA3-384 d49cfed7296954033ba7d7b39c95d4daf7df664281830fd4fda43eafa9b8f10c6151070f9aaeb1eee5f982e94a1ecbb9
CRC32 6E03B56F
TLSH T15CA2D149F4FCD58A862DD3B8D2B49CC96787084C70899D998E6D75C8C0A8BCC3E91D8F
Ssdeep 384:mwJ540d72xZdV3pO3yMSTSR89ilVqan19I1F1mgS9K7sqUVd8eBFHv:mwL473dV3M3yMSt9owOJmBUVHP

Persistence

  • T1547 - Boot or Logon Autostart Execution
    • persistence_autorun
  • T1547.001 - Registry Run Keys / Startup Folder
    • persistence_autorun

Privilege Escalation

  • T1547 - Boot or Logon Autostart Execution
    • persistence_autorun
  • T1055 - Process Injection
    • resumethread_remote_process
  • T1547.001 - Registry Run Keys / Startup Folder
    • persistence_autorun

Command and Control

  • T1071 - Application Layer Protocol
    • dynamic_function_loading

Execution

  • T1106 - Native API
    • process_creation_suspicious_location

Defense Evasion

  • T1036 - Masquerading
    • modifies_windows_system_files
  • T1055 - Process Injection
    • resumethread_remote_process
  • T1112 - Modify Registry
    • persistence_autorun
  • T1070 - Indicator Removal
    • deletes_files
  • T1497 - Virtualization/Sandbox Evasion
    • antivm_vbox_keys
  • T1070.004 - File Deletion
    • deletes_files

Discovery

  • T1010 - Application Window Discovery
    • antidebug_windows
  • T1497 - Virtualization/Sandbox Evasion
    • antivm_vbox_keys
  • T1057 - Process Discovery
    • antidebug_windows
    • antivm_vbox_keys
  • T1012 - Query Registry
    • antivm_vbox_keys

Processing ( 2.08 seconds )

  • 1.505 CAPE
  • 0.559 Heatmap
  • 0.011 BehaviorAnalysis
  • 0.003 AnalysisInfo
  • 0.002 NetworkAnalysis

Signatures ( 0.02 seconds )

  • 0.003 ransomware_files
  • 0.002 antianalysis_detectfile
  • 0.002 antiav_detectreg
  • 0.002 ransomware_extensions
  • 0.001 antianalysis_detectreg
  • 0.001 antiav_detectfile
  • 0.001 antivm_vbox_files
  • 0.001 infostealer_bitcoin
  • 0.001 infostealer_ftp
  • 0.001 infostealer_im
  • 0.001 infostealer_mail
  • 0.001 poullight_files
  • 0.001 masquerade_process_name
  • 0.001 territorial_disputes_sigs
  • 0.001 ursnif_behavior

Reporting ( 0.05 seconds )

  • 0.041 ReportHTML
  • 0.004 MITRE_TTPS
  • 0.001 LiteReport
  • 0.001 JsonDump

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Deletes files from disk
DeletedFile: C:\Users\user\AppData\Local\Temp\scs60C5.tmp
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: KERNELBASE.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: WINMM.DLL/waveOutSetVolume
DynamicLoader: WINMM.DLL/waveOutGetVolume
DynamicLoader: WINMM.DLL/waveOutGetNumDevs
DynamicLoader: WINMM.DLL/waveOutGetDevCapsA
DynamicLoader: WINMM.DLL/waveOutOpen
DynamicLoader: WINMM.DLL/waveOutPause
DynamicLoader: WINMM.DLL/waveOutRestart
DynamicLoader: WINMM.DLL/waveOutReset
DynamicLoader: WINMM.DLL/waveOutClose
DynamicLoader: WINMM.DLL/waveOutGetPosition
DynamicLoader: WINMM.DLL/waveOutWrite
DynamicLoader: WINMM.DLL/waveOutPrepareHeader
DynamicLoader: WINMM.DLL/waveOutUnprepareHeader
DynamicLoader: WINMM.DLL/midiOutSetVolume
DynamicLoader: WINMM.DLL/midiOutGetVolume
DynamicLoader: WINMM.DLL/midiOutGetNumDevs
DynamicLoader: WINMM.DLL/midiOutGetDevCapsA
DynamicLoader: WINMM.DLL/midiOutOpen
DynamicLoader: WINMM.DLL/midiOutReset
DynamicLoader: WINMM.DLL/midiOutClose
DynamicLoader: WINMM.DLL/midiOutLongMsg
DynamicLoader: WINMM.DLL/midiOutShortMsg
DynamicLoader: WINMM.DLL/midiOutPrepareHeader
DynamicLoader: WINMM.DLL/midiOutUnprepareHeader
DynamicLoader: NTVDMD.DLL/xxxDbgDispatch
DynamicLoader: ntvdm.exe/RedirectShortFileName
DynamicLoader: ntvdm.exe/RedirectLongFileName
DynamicLoader: VDMREDIR.DLL/VrDispatch
DynamicLoader: VDMREDIR.DLL/VrInitialized
DynamicLoader: VDMREDIR.DLL/VrReadNamedPipe
DynamicLoader: VDMREDIR.DLL/VrWriteNamedPipe
DynamicLoader: VDMREDIR.DLL/VrIsNamedPipeName
DynamicLoader: VDMREDIR.DLL/VrIsNamedPipeHandle
DynamicLoader: VDMREDIR.DLL/VrAddOpenNamedPipeInfo
DynamicLoader: VDMREDIR.DLL/VrConvertLocalNtPipeName
DynamicLoader: VDMREDIR.DLL/VrRemoveOpenNamedPipeInfo
Resumed a thread in another process
thread_resumed: Process cmd.exe with process ID 3116 resumed a thread in another process with the process ID 3328
Checks for the presence of known windows from debuggers and forensic tools
window: ConsoleWindowClass
Created a process from a suspicious location
file: C:\Users\user\AppData\Local\Temp\0a76c55fa88d4c134012a5136c09fb938b4be88a382f88bf2804043253b0559f.exe
command: "C:\Users\user\AppData\Local\Temp\0a76c55fa88d4c134012a5136c09fb938b4be88a382f88bf2804043253b0559f.exe
Installs itself for autorun at Windows startup
file: C:\Windows\system.ini
Detects VirtualBox through the presence of a registry key
Modifies Windows System files (System32 / SysWOW64)
ModifiedFile: C:\Windows\System32

Screenshots

No playback available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

C:\Users\user\AppData\Local\Temp
C:\Users
C:\Users\user
C:\Users\user\AppData
C:\Users\user\AppData\Local
C:\
C:\Users\user\AppData\Local\Temp\0a76c55fa88d4c134012a5136c09fb938b4be88a382f88bf2804043253b0559f.exe
C:\Windows\System32\en-US\KERNELBASE.dll.mui
C:\Windows\_default.pif
C:\DosDevices\A:
C:\DosDevices\B:
C:\MSDOS.SYS
C:\IO.SYS
C:\Windows\System32\NTIO.SYS
C:\Windows\System32\NTDOS.SYS
C:\Windows
C:\Windows\System32\config.nt
C:\Users\user\AppData\Local\Temp\scs60C5.tmp
C:\Windows\System32\HIMEM.SYS
C:\Windows\System32\country.sys
C:\DosDevices\C:
C:\Windows\System32\COMMAND.COM
C:\Windows\System32
C:\Windows\System32\autoexec.nt
C:\Users\user\AppData\Local\Temp\scs60D5.tmp
C:\ProgramData
C:\Users\user\AppData\Roaming
C:\Program Files\Common Files
C:\Program Files
C:\Windows\System32\mscdexnt.exe
A:
B:
D:
E:
F:
G:
H:
I:
J:
K:
L:
M:
N:
O:
P:
Q:
R:
S:
T:
U:
V:
W:
X:
Y:
Z:
C:\Windows\System32\REDIR">>>
C:\Windows\System32\redir.exe
C:\Windows\System32\DOSX">>>
C:\Windows\System32\dosx.exe
C:\Windows\System32\SYSTEM.INI
C:\SYSTEM.INI
C:\Python38\Scripts\SYSTEM.INI
C:\Python38\SYSTEM.INI
C:\Program Files\Common Files\Oracle\Java\javapath\SYSTEM.INI
C:\ProgramData\Boxstarter\SYSTEM.INI
C:\Windows\system.ini
C:\Users\user\AppData\Local\Temp\scs60C5.tmp
C:\Windows\System32
C:\Users\user\AppData\Local\Temp\scs60D5.tmp
C:\Users\user\AppData\Local\Temp\scs60C5.tmp
DisableUserModeCallbackFilter
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Wow\CpuEnv
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CMF\Config
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CMF\Config\SYSTEM
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WOW\Console
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\Identifier
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\VirtualDeviceDrivers\VDD
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WOW
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW\VirtualTempDirName
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\BootDir
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WOW\DpmiLimit
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CMF\Config\SYSTEM
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\Identifier
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\VirtualDeviceDrivers\VDD
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW\VirtualTempDirName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\BootDir
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WOW\DpmiLimit
kernel32.dll.SetThreadUILanguage
kernel32.dll.CopyFileExW
kernel32.dll.IsDebuggerPresent
kernel32.dll.SetConsoleInputExeNameW
kernel32.dll.FlsAlloc
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.FlsFree
kernelbase.dll.InitializeCriticalSectionAndSpinCount
winmm.dll.waveOutSetVolume
winmm.dll.waveOutGetVolume
winmm.dll.waveOutGetNumDevs
winmm.dll.waveOutGetDevCapsA
winmm.dll.waveOutOpen
winmm.dll.waveOutPause
winmm.dll.waveOutRestart
winmm.dll.waveOutReset
winmm.dll.waveOutClose
winmm.dll.waveOutGetPosition
winmm.dll.waveOutWrite
winmm.dll.waveOutPrepareHeader
winmm.dll.waveOutUnprepareHeader
winmm.dll.midiOutSetVolume
winmm.dll.midiOutGetVolume
winmm.dll.midiOutGetNumDevs
winmm.dll.midiOutGetDevCapsA
winmm.dll.midiOutOpen
winmm.dll.midiOutReset
winmm.dll.midiOutClose
winmm.dll.midiOutLongMsg
winmm.dll.midiOutShortMsg
winmm.dll.midiOutPrepareHeader
winmm.dll.midiOutUnprepareHeader
ntvdmd.dll.xxxDbgDispatch
ntvdm.exe.RedirectShortFileName
ntvdm.exe.RedirectLongFileName
vdmredir.dll.VrDispatch
vdmredir.dll.VrInitialized
vdmredir.dll.VrReadNamedPipe
vdmredir.dll.VrWriteNamedPipe
vdmredir.dll.VrIsNamedPipeName
vdmredir.dll.VrIsNamedPipeHandle
vdmredir.dll.VrAddOpenNamedPipeInfo
vdmredir.dll.VrConvertLocalNtPipeName
vdmredir.dll.VrRemoveOpenNamedPipeInfo
"C:\Users\user\AppData\Local\Temp\0a76c55fa88d4c134012a5136c09fb938b4be88a382f88bf2804043253b0559f.exe
"C:\Windows\system32\ntvdm.exe" -i1
No results
Sorry! No behavior.
Sorry! No tracee.
Sorry! No strace.

No TCP connections recorded.

No UDP connections recorded.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.