Analysis

Category FILE
Started 2025-12-11 09:42:23
Completed 2025-12-11 09:42:55
Duration 32 seconds
MalScore 0.8
Options vnc_port=5900
2025-12-06 10:13:07,542 [root] INFO: Date set to: 20251211T01:42:22, timeout set to: 180
2025-12-11 01:42:22,000 [root] DEBUG: Starting analyzer from: C:\tmpwmfufva4
2025-12-11 01:42:22,000 [root] DEBUG: Storing results at: C:\CdKXCZfAr
2025-12-11 01:42:22,000 [root] DEBUG: Pipe server name: \\.\PIPE\xfnEIV
2025-12-11 01:42:22,000 [root] DEBUG: Python path: C:\Python38
2025-12-11 01:42:22,000 [root] INFO: analysis running as an admin
2025-12-11 01:42:22,000 [root] DEBUG: no analysis package configured, picking one for you
2025-12-11 01:42:22,000 [root] INFO: analysis package selected: "zip"
2025-12-11 01:42:22,000 [root] DEBUG: importing analysis package module: "modules.packages.zip"...
2025-12-11 01:42:22,000 [root] DEBUG: imported analysis package "zip"
2025-12-11 01:42:22,000 [root] DEBUG: initializing analysis package "zip"...
2025-12-11 01:42:22,000 [lib.common.common] INFO: wrapping
2025-12-11 01:42:22,000 [lib.core.compound] INFO: C:\Users\user\AppData\Local\Temp already exists, skipping creation
2025-12-11 01:42:22,000 [root] DEBUG: New location of moved file: C:\Users\user\AppData\Local\Temp\bd0141e88a0d56b508bc.zip
2025-12-11 01:42:22,000 [root] INFO: Analyzer: Package modules.packages.zip does not specify a DLL option
2025-12-11 01:42:22,000 [root] INFO: Analyzer: Package modules.packages.zip does not specify a DLL_64 option
2025-12-11 01:42:22,000 [root] INFO: Analyzer: Package modules.packages.zip does not specify a loader option
2025-12-11 01:42:22,000 [root] INFO: Analyzer: Package modules.packages.zip does not specify a loader_64 option
2025-12-11 01:42:22,031 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-12-11 01:42:22,031 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain"
2025-12-11 01:42:22,031 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-12-11 01:42:22,031 [root] DEBUG: Imported auxiliary module "modules.auxiliary.during_script"
2025-12-11 01:42:22,031 [root] DEBUG: Imported auxiliary module "modules.auxiliary.end_noisy_tasks"
2025-12-11 01:42:22,046 [root] DEBUG: Imported auxiliary module "modules.auxiliary.evtx"
2025-12-11 01:42:22,046 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-12-11 01:42:22,046 [root] DEBUG: Imported auxiliary module "modules.auxiliary.pre_script"
2025-12-11 01:42:22,046 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-12-11 01:42:22,062 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2025-12-11 01:42:22,062 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2025-12-11 01:42:22,078 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-12-11 01:42:22,078 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon"
2025-12-11 01:42:22,078 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-12-11 01:42:22,078 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage"
2025-12-11 01:42:22,078 [root] DEBUG: Initialized auxiliary module "Browser"
2025-12-11 01:42:22,078 [root] DEBUG: attempting to configure 'Browser' from data
2025-12-11 01:42:22,078 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-12-11 01:42:22,078 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-12-11 01:42:22,078 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-12-11 01:42:22,078 [root] DEBUG: Initialized auxiliary module "Curtain"
2025-12-11 01:42:22,078 [root] DEBUG: attempting to configure 'Curtain' from data
2025-12-11 01:42:22,078 [root] DEBUG: module Curtain does not support data configuration, ignoring
2025-12-11 01:42:22,078 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.curtain"...
2025-12-11 01:42:22,078 [root] DEBUG: Started auxiliary module modules.auxiliary.curtain
2025-12-11 01:42:22,078 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-12-11 01:42:22,078 [root] DEBUG: attempting to configure 'Disguise' from data
2025-12-11 01:42:22,078 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-12-11 01:42:22,078 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-12-11 01:42:22,093 [modules.auxiliary.disguise] INFO: Disguising GUID to 3062bb89-a704-4868-acf7-77622f7e3df2
2025-12-11 01:42:22,093 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-12-11 01:42:22,093 [root] DEBUG: Initialized auxiliary module "End_noisy_tasks"
2025-12-11 01:42:22,093 [root] DEBUG: attempting to configure 'End_noisy_tasks' from data
2025-12-11 01:42:22,093 [root] DEBUG: module End_noisy_tasks does not support data configuration, ignoring
2025-12-11 01:42:22,093 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.end_noisy_tasks"...
2025-12-11 01:42:22,093 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM wuauclt.exe
2025-12-11 01:42:22,093 [root] DEBUG: Started auxiliary module modules.auxiliary.end_noisy_tasks
2025-12-11 01:42:22,093 [root] DEBUG: Initialized auxiliary module "Evtx"
2025-12-11 01:42:22,093 [root] DEBUG: attempting to configure 'Evtx' from data
2025-12-11 01:42:22,093 [root] DEBUG: module Evtx does not support data configuration, ignoring
2025-12-11 01:42:22,093 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.evtx"...
2025-12-11 01:42:22,093 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Security State Change" /success:enable /failure:enable
2025-12-11 01:42:22,093 [root] DEBUG: Started auxiliary module modules.auxiliary.evtx
2025-12-11 01:42:22,093 [root] DEBUG: Initialized auxiliary module "Human"
2025-12-11 01:42:22,093 [root] DEBUG: attempting to configure 'Human' from data
2025-12-11 01:42:22,093 [root] DEBUG: module Human does not support data configuration, ignoring
2025-12-11 01:42:22,093 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-12-11 01:42:22,093 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-12-11 01:42:22,093 [root] DEBUG: Initialized auxiliary module "Pre_script"
2025-12-11 01:42:22,093 [root] DEBUG: attempting to configure 'Pre_script' from data
2025-12-11 01:42:22,093 [root] DEBUG: module Pre_script does not support data configuration, ignoring
2025-12-11 01:42:22,093 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.pre_script"...
2025-12-11 01:42:22,093 [root] DEBUG: Started auxiliary module modules.auxiliary.pre_script
2025-12-11 01:42:22,093 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-12-11 01:42:22,093 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-12-11 01:42:22,093 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-12-11 01:42:22,093 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-12-11 01:42:22,093 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-12-11 01:42:22,093 [root] DEBUG: Initialized auxiliary module "Sysmon"
2025-12-11 01:42:22,093 [root] DEBUG: attempting to configure 'Sysmon' from data
2025-12-11 01:42:22,093 [root] DEBUG: module Sysmon does not support data configuration, ignoring
2025-12-11 01:42:22,093 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.sysmon"...
2025-12-11 01:42:22,187 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable
2025-12-11 01:42:22,218 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable
2025-12-11 01:42:22,234 [root] WARNING: Cannot execute auxiliary module modules.auxiliary.sysmon: In order to use the Sysmon functionality, it is required to have the SMaster(64|32).exe file and sysmonconfig-export.xml file in the bin path. Note that the SMaster(64|32).exe files are just the standard Sysmon binaries renamed to avoid anti-analysis detection techniques.
2025-12-11 01:42:22,234 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-12-11 01:42:22,234 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-12-11 01:42:22,234 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-12-11 01:42:22,234 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-12-11 01:42:22,234 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 448
2025-12-11 01:42:22,234 [lib.api.process] INFO: Monitor config for <Process 448 lsass.exe>: C:\tmpwmfufva4\dll\448.ini
2025-12-11 01:42:22,234 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-12-11 01:42:22,234 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpwmfufva4\dll\LbddCtT.dll, loader C:\tmpwmfufva4\bin\wAmiQtFf.exe
2025-12-11 01:42:22,249 [root] DEBUG: Loader: Injecting process 448 with C:\tmpwmfufva4\dll\LbddCtT.dll.
2025-12-11 01:42:22,281 [root] DEBUG: 448: Python path set to 'C:\Python38'.
2025-12-11 01:42:22,281 [root] INFO: Disabling sleep skipping.
2025-12-11 01:42:22,281 [root] DEBUG: 448: TLS secret dump mode enabled.
2025-12-11 01:42:22,281 [root] DEBUG: 448: Monitor initialised: 64-bit capemon loaded in process 448 at 0x000007FEF4070000, thread 440, image base 0x00000000FF140000, stack from 0x00000000019C4000-0x00000000019D0000
2025-12-11 01:42:22,281 [root] DEBUG: 448: Commandline: C:\Windows\system32\lsass.exe
2025-12-11 01:42:22,281 [root] DEBUG: 448: Hooked 5 out of 5 functions
2025-12-11 01:42:22,296 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"IPsec Driver" /success:disable /failure:disable
2025-12-11 01:42:22,296 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-12-11 01:42:22,296 [root] DEBUG: Successfully injected DLL C:\tmpwmfufva4\dll\LbddCtT.dll.
2025-12-11 01:42:22,296 [lib.api.process] INFO: Injected into 64-bit <Process 448 lsass.exe>
2025-12-11 01:42:22,296 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump
2025-12-11 01:42:22,296 [root] DEBUG: Initialized auxiliary module "Usage"
2025-12-11 01:42:22,296 [root] DEBUG: attempting to configure 'Usage' from data
2025-12-11 01:42:22,296 [root] DEBUG: module Usage does not support data configuration, ignoring
2025-12-11 01:42:22,296 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.usage"...
2025-12-11 01:42:22,296 [root] DEBUG: Started auxiliary module modules.auxiliary.usage
2025-12-11 01:42:22,296 [root] DEBUG: Initialized auxiliary module "During_script"
2025-12-11 01:42:22,296 [root] DEBUG: attempting to configure 'During_script' from data
2025-12-11 01:42:22,296 [root] DEBUG: module During_script does not support data configuration, ignoring
2025-12-11 01:42:22,296 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.during_script"...
2025-12-11 01:42:22,296 [root] DEBUG: Started auxiliary module modules.auxiliary.during_script
2025-12-11 01:42:22,328 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM wusa.exe
2025-12-11 01:42:22,343 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other System Events" /success:disable /failure:enable
2025-12-11 01:42:22,375 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Logon" /success:enable /failure:enable
2025-12-11 01:42:22,406 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM WindowsUpdate.exe
2025-12-11 01:42:22,421 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Logoff" /success:enable /failure:enable
2025-12-11 01:42:22,453 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
2025-12-11 01:42:22,468 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM GoogleUpdate.exe
2025-12-11 01:42:22,515 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"IPsec Main Mode" /success:disable /failure:disable
2025-12-11 01:42:22,531 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM MicrosoftEdgeUpdate.exe
2025-12-11 01:42:22,546 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"IPsec Quick Mode" /success:disable /failure:disable
2025-12-11 01:42:22,562 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"IPsec Extended Mode" /success:disable /failure:disable
2025-12-11 01:42:22,593 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable
2025-12-11 01:42:22,609 [modules.auxiliary.end_noisy_tasks] DEBUG: Command executed with exit code 0: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v DisableWindowsUpdateAccess /t REG_DWORD /d 1 /f
2025-12-11 01:42:22,609 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
2025-12-11 01:42:22,625 [modules.auxiliary.end_noisy_tasks] DEBUG: Command executed with exit code 0: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
2025-12-11 01:42:22,625 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Special Logon" /success:enable /failure:enable
2025-12-11 01:42:22,656 [modules.auxiliary.end_noisy_tasks] DEBUG: Command executed with exit code 0: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v EnableICMPRedirect /t REG_DWORD /d 0 /f
2025-12-11 01:42:22,656 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"File System" /success:enable /failure:enable
2025-12-11 01:42:22,671 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Registry" /success:enable /failure:enable
2025-12-11 01:42:22,687 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Kernel Object" /success:enable /failure:enable
2025-12-11 01:42:22,703 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"SAM" /success:disable /failure:disable
2025-12-11 01:42:22,703 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
2025-12-11 01:42:22,718 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Handle Manipulation" /success:disable /failure:disable
2025-12-11 01:42:22,734 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Application Generated" /success:enable /failure:enable
2025-12-11 01:42:22,750 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"File Share" /success:enable /failure:enable
2025-12-11 01:42:22,765 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
2025-12-11 01:42:22,781 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable
2025-12-11 01:42:22,796 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Object Access Events" /success:disable /failure:disable
2025-12-11 01:42:22,812 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Sensitive Privilege Use" /success:disable /failure:disable
2025-12-11 01:42:22,828 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Non Sensitive Privilege Use" /success:disable /failure:disable
2025-12-11 01:42:22,843 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Privilege Use Events" /success:disable /failure:disable
2025-12-11 01:42:22,859 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"RPC Events" /success:enable /failure:enable
2025-12-11 01:42:22,875 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
2025-12-11 01:42:22,875 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable
2025-12-11 01:42:22,890 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:disable /failure:disable
2025-12-11 01:42:22,906 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Filtering Platform Policy Change" /success:disable /failure:disable
2025-12-11 01:42:22,921 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Policy Change Events" /success:disable /failure:enable
2025-12-11 01:42:22,937 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
2025-12-11 01:42:22,953 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable
2025-12-11 01:42:22,968 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
2025-12-11 01:42:22,984 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Distribution Group Management" /success:enable /failure:enable
2025-12-11 01:42:23,000 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Application Group Management" /success:enable /failure:enable
2025-12-11 01:42:23,015 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Account Management Events" /success:enable /failure:enable
2025-12-11 01:42:23,031 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable
2025-12-11 01:42:23,046 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
2025-12-11 01:42:23,062 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Directory Service Replication" /success:disable /failure:enable
2025-12-11 01:42:23,062 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Detailed Directory Service Replication" /success:disable /failure:disable
2025-12-11 01:42:23,078 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
2025-12-11 01:42:23,093 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable
2025-12-11 01:42:23,109 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Account Logon Events" /success:enable /failure:enable
2025-12-11 01:42:23,125 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
2025-12-11 01:42:23,140 [modules.auxiliary.evtx] DEBUG: Wiping Application
2025-12-11 01:42:23,156 [modules.auxiliary.evtx] DEBUG: Wiping HardwareEvents
2025-12-11 01:42:23,171 [modules.auxiliary.evtx] DEBUG: Wiping Internet Explorer
2025-12-11 01:42:23,187 [modules.auxiliary.evtx] DEBUG: Wiping Key Management Service
2025-12-11 01:42:23,203 [modules.auxiliary.evtx] DEBUG: Wiping OAlerts
2025-12-11 01:42:23,218 [modules.auxiliary.evtx] DEBUG: Wiping Security
2025-12-11 01:42:23,234 [modules.auxiliary.evtx] DEBUG: Wiping Setup
2025-12-11 01:42:23,249 [modules.auxiliary.evtx] DEBUG: Wiping System
2025-12-11 01:42:23,265 [modules.auxiliary.evtx] DEBUG: Wiping Windows PowerShell
2025-12-11 01:42:23,281 [modules.auxiliary.evtx] DEBUG: Wiping Microsoft-Windows-Sysmon/Operational
2025-12-11 01:42:27,515 [root] INFO: Restarting WMI Service
2025-12-11 01:42:29,531 [root] DEBUG: package modules.packages.zip does not support configure, ignoring
2025-12-11 01:42:29,531 [root] WARNING: configuration error for package modules.packages.zip: error importing data.packages.zip: No module named 'data.packages'
2025-12-11 01:42:29,531 [lib.common.zip_utils] DEBUG: Archive is encrypted, using default password value: infected
2025-12-11 01:42:29,687 [lib.common.zip_utils] INFO: Uploading C:\Users\user\AppData\Local\Temp\file to host
2025-12-11 01:42:29,687 [lib.common.results] INFO: Uploading file C:\Users\user\AppData\Local\Temp\file to files/bd0141e88a0d56b508bc52db4dab68a49b6027a486e4d9514ec0db006fe71eed; Size is 865144; Max size: 100000000
2025-12-11 01:42:29,703 [modules.packages.zip] DEBUG: No interesting files found, auto executing the first file: file
2025-12-11 01:42:29,703 [modules.packages.zip] DEBUG: Missing file option, auto executing: ['file']
2025-12-11 01:42:29,703 [lib.core.compound] INFO: C:\Users\user\AppData\Local\Temp already exists, skipping creation
2025-12-11 01:42:29,703 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\system32\cmd.exe" with arguments "/c "cd ^"C:\Users\user\AppData\Local\Temp^" && start /wait ^"^" ^"C:\Users\user\AppData\Local\Temp\file.exe^"" with pid 2328
2025-12-11 01:42:29,703 [lib.api.process] INFO: Monitor config for <Process 2328 cmd.exe>: C:\tmpwmfufva4\dll\2328.ini
2025-12-11 01:42:29,703 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpwmfufva4\dll\VdPiab.dll, loader C:\tmpwmfufva4\bin\chZmSXq.exe
2025-12-11 01:42:29,703 [root] DEBUG: Loader: Injecting process 2328 (thread 2352) with C:\tmpwmfufva4\dll\VdPiab.dll.
2025-12-11 01:42:29,703 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-12-11 01:42:29,703 [root] DEBUG: Successfully injected DLL C:\tmpwmfufva4\dll\VdPiab.dll.
2025-12-11 01:42:29,703 [lib.api.process] INFO: Injected into 32-bit <Process 2328 cmd.exe>
2025-12-11 01:42:31,703 [lib.api.process] INFO: Successfully resumed <Process 2328 cmd.exe>
2025-12-11 01:42:31,718 [root] DEBUG: 2328: Python path set to 'C:\Python38'.
2025-12-11 01:42:31,718 [root] INFO: Disabling sleep skipping.
2025-12-11 01:42:31,718 [root] DEBUG: 2328: Dropped file limit defaulting to 100.
2025-12-11 01:42:31,734 [root] DEBUG: 2328: YaraInit: Compiled 41 rule files
2025-12-11 01:42:31,734 [root] DEBUG: 2328: YaraInit: Compiled rules saved to file C:\tmpwmfufva4\data\yara\capemon.yac
2025-12-11 01:42:31,734 [root] DEBUG: 2328: YaraScan: Scanning 0x4AC80000, size 0x4bb2e
2025-12-11 01:42:31,734 [root] DEBUG: 2328: Monitor initialised: 32-bit capemon loaded in process 2328 at 0x740f0000, thread 2352, image base 0x4ac80000, stack from 0x263000-0x360000
2025-12-11 01:42:31,734 [root] DEBUG: 2328: Commandline: "C:\Windows\system32\cmd.exe" /c "cd ^"C:\Users\user\AppData\Local\Temp^" && start /wait ^"^" ^"C:\Users\user\AppData\Local\Temp\file.exe^"
2025-12-11 01:42:31,734 [root] DEBUG: 2328: GetAddressByYara: ModuleBase 0x77520000 FunctionName LdrpCallInitRoutine
2025-12-11 01:42:31,734 [root] DEBUG: 2328: hook_api: Warning - CreateRemoteThreadEx export address 0x75C5A337 differs from GetProcAddress -> 0x7540403A (KERNELBASE.dll::0x1403a)
2025-12-11 01:42:31,734 [root] DEBUG: 2328: hook_api: Warning - UpdateProcThreadAttribute export address 0x75C5ABB7 differs from GetProcAddress -> 0x753FFA26 (KERNELBASE.dll::0xfa26)
2025-12-11 01:42:31,734 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2025-12-11 01:42:31,734 [root] DEBUG: 2328: set_hooks: Unable to hook GetCommandLineA
2025-12-11 01:42:31,734 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2025-12-11 01:42:31,734 [root] DEBUG: 2328: set_hooks: Unable to hook GetCommandLineW
2025-12-11 01:42:31,750 [root] DEBUG: 2328: Hooked 611 out of 613 functions
2025-12-11 01:42:31,750 [root] DEBUG: 2328: WoW64 detected: 64-bit ntdll base: 0x77360000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x773cb510, Wow64PrepareForException: 0x0
2025-12-11 01:42:31,750 [root] DEBUG: 2328: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x150000
2025-12-11 01:42:31,750 [root] INFO: Loaded monitor into process with pid 2328
2025-12-11 01:42:31,750 [root] DEBUG: 2328: caller_dispatch: Added region at 0x4AC80000 to tracked regions list (kernel32::GetSystemTimeAsFileTime returns to 0x4AC87CBD, thread 2352).
2025-12-11 01:42:31,750 [root] DEBUG: 2328: YaraScan: Scanning 0x4AC80000, size 0x4bb2e
2025-12-11 01:42:31,750 [root] DEBUG: 2328: ProcessImageBase: Main module image at 0x4AC80000 unmodified (entropy change 0.000000e+00)
2025-12-11 01:42:31,750 [root] DEBUG: 2328: DLL loaded at 0x749B0000: C:\Windows\SysWOW64\ntvdm64 (0x7000 bytes).
2025-12-11 01:42:31,750 [root] DEBUG: 2328: DLL loaded at 0x73570000: C:\Windows\SysWOW64\VERSION (0x9000 bytes).
2025-12-11 01:42:31,765 [root] DEBUG: 2328: NtTerminateProcess hook: Attempting to dump process 2328
2025-12-11 01:42:31,765 [root] DEBUG: 2328: DoProcessDump: Skipping process dump as code is identical on disk.
2025-12-11 01:42:31,765 [root] INFO: Process with pid 2328 has terminated
2025-12-11 01:42:38,703 [root] INFO: Process list is empty, terminating analysis
2025-12-11 01:42:39,703 [root] INFO: Created shutdown mutex
2025-12-11 01:42:40,703 [root] INFO: Shutting down package
2025-12-11 01:42:40,703 [root] INFO: Stopping auxiliary modules
2025-12-11 01:42:40,703 [root] INFO: Stopping auxiliary module: Browser
2025-12-11 01:42:40,703 [root] INFO: Stopping auxiliary module: Curtain
2025-12-11 01:42:40,718 [lib.common.results] INFO: Uploading file C:\curtain.log to curtain/1765388560.71875.curtain.log; Size is 36; Max size: 100000000
2025-12-11 01:42:40,718 [root] INFO: Stopping auxiliary module: End_noisy_tasks
2025-12-11 01:42:40,718 [root] INFO: Stopping auxiliary module: Evtx
2025-12-11 01:42:40,718 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Application.evtx to zip dump
2025-12-11 01:42:40,718 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\HardwareEvents.evtx to zip dump
2025-12-11 01:42:40,734 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Internet Explorer.evtx to zip dump
2025-12-11 01:42:40,734 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Key Management Service.evtx to zip dump
2025-12-11 01:42:40,734 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Microsoft-Windows-Sysmon%4Operational.evtx to zip dump
2025-12-11 01:42:40,734 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\OAlerts.evtx to zip dump
2025-12-11 01:42:40,734 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Security.evtx to zip dump
2025-12-11 01:42:40,734 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Setup.evtx to zip dump
2025-12-11 01:42:40,734 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\System.evtx to zip dump
2025-12-11 01:42:40,734 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Windows PowerShell.evtx to zip dump
2025-12-11 01:42:40,750 [modules.auxiliary.evtx] DEBUG: Uploading evtx.zip to host
2025-12-11 01:42:40,750 [lib.common.results] INFO: Uploading file evtx.zip to evtx/evtx.zip; Size is 92719; Max size: 100000000
2025-12-11 01:42:40,750 [root] INFO: Stopping auxiliary module: Human
2025-12-11 01:42:44,562 [root] INFO: Stopping auxiliary module: Pre_script
2025-12-11 01:42:44,562 [root] INFO: Stopping auxiliary module: Screenshots
2025-12-11 01:42:47,125 [root] INFO: Stopping auxiliary module: Usage
2025-12-11 01:42:48,343 [root] INFO: Stopping auxiliary module: During_script
2025-12-11 01:42:48,343 [root] INFO: Finishing auxiliary modules
2025-12-11 01:42:48,343 [root] INFO: Shutting down pipe server and dumping dropped files
2025-12-11 01:42:48,343 [root] WARNING: Folder at path "C:\CdKXCZfAr\debugger" does not exist, skipping
2025-12-11 01:42:48,343 [root] WARNING: Folder at path "C:\CdKXCZfAr\tlsdump" does not exist, skipping
2025-12-11 01:42:48,343 [root] INFO: Analysis completed
Machine

Name win7-64bit-2
Label win7-64bit-2
Manager KVM
Started On 2025-12-11 09:42:23
Shutdown On 2025-12-11 09:42:55
Route inetsim

File Details

File Name bd0141e88a0d56b508bc.zip
File Type Zip archive data, at least v2.0 to extract, compression method=deflate
File Size 247549 bytes
MD5 b105e7bc76522a50246fcc669eb6e633
SHA1 9bff2ec54e7a253d59fd502f84d5bcc045eff8da
SHA256 e271a8d1976ee2736d045c11c609ade5d56933f2b5f6535125ad493196d38c8b [VT] [MWDB] [Bazaar]
SHA3-384 c23ddaeacb6829f8e70b8b64f958da50a5471546747d7df131540c9f7e9db59698cdebb64565f1e93fb8cc9e2d5f2e23
CRC32 5FDE69C8
TLSH T1383423EF8C2B572ACCFDCEF2424702954A045AB97A4DAEE9D691C53F9BCA1154F00B43
Ssdeep 6144:p3SAfs02s1ikv5wcOmYkTbY/XHvrwBlqk84UOBNW:pAZ45wc/xTbY/XHvrw724bNW

RR"0_!a#<
y,,eQ
kFn8)
I^IWP
F&lV~{V
LgzY~goY
,T|8n
STQqM
3ZbGJ
dEKEX
R]I}G
;t3&~OC
,rRc}
u/9N5
~1T#'
#:"~GN%y
sCrO{Hvaz-
>Fta]_
qr=yVM{
@S73>
Hp Bt
%ghj(
>|eNS#
{?2r07
fN:Cp
o<9)A
LCv4I
aL$;-
;Z6p`
"BMd]?
(Q=?x+$
z,S5d
qh:UxJSW
Q}7OM
|@r{duy
b)}&<
[jMzZ
&I%)A
"oCjs
)-G5dpS
IFlqC
ggKM!a
.a$[QfW
zhw*"6[
pUfc^Q
WcH1C
~rk^J
!.Iys
]~/\|X
f<:SA
I&9]v
w>1#2
n"^S>
8.]A>g
0bCmE
<0SJ2
Pjd="t
q5E/{`
:^&_X
IaH.j
3nCd>
8+m?/
`uYQUQ
j53dH
lkdhf
Aa1X%
Fft\M
Q~lH*
),hM+d4
q:L|`
;3P<@
36L]'.
j~*2c
z 7&t
\9us@#3P
Nv2Tz-(
?AcWxd
,{,GI
v<8u&
Yr-jL
P@to
@Cs*oF
e9.L#
XZU5Y
N*ooi
iF\ax
xah,Yx
.Aizwm
*NsjG
awmFC
rQ` P
Ghx#H
Gmxij
Dd/3Q/
OS9+Wn
#+7Zw
e{KG~
>xj.oQ
,*Xpo
oe>yi
~H/6N
$'EuxF5P
*MFC-
atKL4
n)92>
g -SX
Pf%nCF
YvN8lo
vV_iC
-vqi }
[Kj67
) g<I
4g)MM
<~wB5L
0P4B1p'
PN^61
5p}:8
#HR X
C83`8
HxxzQ
gR)8`
@3I(?
MFG$K
Z!AcG>
G!)n98Zgo
J:j>8
g9%WG
F0`c~n
3&MD_
S(ig]
J4Y#]
@S /j|
bI51Kr:RB
Q;e'IDM-h
KdrkF_
+ZlR7
fS\I?TW
1;'AfY
i%k(I`
E>/ixC
,RsXt
_*;E7
e7]'B
@6M*d
T;ck0vC
xMXAo
<|S|c~eFWgo
'1hdF
!zgv|Z]
ft)h"
?R,Bp
cSLE)
\a>f=
.wN<J~
SF#'&
mMV`]K
|.&Ne
=[n%-
@!~eR
bAq]*
GzvFC
vpKDV0
.[%0q
p^Ne]b
n#W+Tt
ZCj9i
rD;18
F~JFvX
_* Jb
@SLdX'
iq<cN
X?/1
pF@|l2
q`E+v
mE%SXGj
1FT-N
{'SLa
lB+.0{
q?f($
4%$<V@
RpwY.
Pi)_;
:Nq-6
pDI7Y`u\
N}uyG
KyJ1+
OB_>]
M'6AT
D#]OEy
W:h}R_RC3
bfGP\
+OI*8
J]>%y$
Da}>T`H
E\4[~
6x%KwF
Kxpw#
R3oAg
hlTrI
{X@Zx#n
8..x.@
,WR~30
/KVsCoD
1?l2#
jQs!y
\|Tmv'
yk'&#
A/yK1
6x)r8
"/t14
h7`~p5
d[!<e
kJNh\
G?qE6H!
ks6)uy`o
NXM&4fG
](t+9
zxr"u
_Y, y
r$o1U4
m"Nku
%$39l
fwU'$
Y,kUrWm
ONl%crM
.,G>oa%=X
"Mc_l*
f$'3>ZG
j{_KS
#=uc{8
<+Ir.?d
yDg6x
e[-'lY
LwaW5
!U<-;.
S!r/6-:
?!lS+
"rF?*
yL'KQv
yU,LuY
`lLIX`R
%\08!eA
Z|Pdyg
+*_Ke
dowY9
Gq.W9
!j#b&
k3W~V
;}K.&4L
$*z6Q
jkf24
}.vP$A
VXf3x
,Ln-F
c0ZYI
WBG9/
f~r&Y`
9Y/do
*kT!L
Zo XD
PyXEI
h :<C
.r]>u
V12jR
y"(gedl
V#MZ:
Ipjp|
WmLP{N
jR16)
~^*;m,
;aK0p
<Qd;c
SGb\w
:ec~`}t
qLk<d
m8c6)@
2``c^c
y-K6i
Cs$1M
9t9_]t
_y|sw
tXnue
,r~(A
VMi%)
DXNmEnST
]0&[r
`ijj~
wPc%^
w]k2`5k[
:5W`IX
Ess]%l
N}l$n
xmzhc
3R9|O
s?.T9
3Vu.j
73\4~
:I};,TM
hB}a}
U']3v
F[, n}
kMV#M5
K~G}v,
k'1V-
h3K"g)
DD0vc
?B"<%Q
5D-n4Q
`$6/&,
(aBRA
\vW;&2
VJK0Y#F>
%~&.a
NT"RS
?*<Cl
EivE3
7D68K
>P}Gh
e?;1z
)V*3*
zYAgd
sCJ&n
132`]
:c;8T/
l<.nl
)LsU\8
ws:um
(:v7b*(
:!TlJ
OQ-7&|
:d</ZAy
;V'CHDG
:[cP6sk
,\cd*E#[
3f%K
u{`xe
b#lBpP
Wc7i~
?C `p
.LgC!
SCKA+
=Y|=]
c,FuM
_NI`X
'V!/l
=.Js0
qt|jT
!i$#V5
Gc!D5
UrxOl
PHW!23_@aV
~2&$4R
GBTUv_
6/;Fm
6<wdo
]G]o5
PJXg{
{YFIz
mOKqL
\p)Da-fJ
.Bz0|X
B'vSv
0;8zb4(D
}u4~r
0IXC2
jGl@lC
zC4/l
GcoBJ
N 99/
W\wIUD
Q"XWA=
mGJt`
\vv']
wS]9l
63%;x
,5-g"
{M@"h
#/MRU
&@[53
;Q[gLz
+{dOn
LACG#n
j,cE>
4T>`oM
;zZ=?
)~R|,
:kUEZ>a7
@Efo+^
R9C;v
;nd=l
IDCMv
n}Nqg
Z1]wW
6=r4y
8/F;|
WI9v{
r,hQj$
3ihb#
jSfWZdn
K{Dnq
Tz.QC
Reports: JSON HTML Lite

Execution
  • T1106 - Native API
    • process_creation_suspicious_location

Processing ( 0.97 seconds )

  • 0.492 CAPE
  • 0.469 Heatmap
  • 0.003 AnalysisInfo
  • 0.003 BehaviorAnalysis

Signatures ( 0.02 seconds )

  • 0.003 ransomware_files
  • 0.002 antianalysis_detectfile
  • 0.002 antiav_detectreg
  • 0.002 ransomware_extensions
  • 0.001 antianalysis_detectreg
  • 0.001 antiav_detectfile
  • 0.001 antivm_vbox_files
  • 0.001 browser_security
  • 0.001 infostealer_bitcoin
  • 0.001 infostealer_ftp
  • 0.001 infostealer_im
  • 0.001 poullight_files
  • 0.001 territorial_disputes_sigs
  • 0.001 ursnif_behavior

Reporting ( 0.04 seconds )

  • 0.043 ReportHTML
  • 0.001 MITRE_TTPS

Signatures

  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • Possible date expiration check, exits too soon after checking local time
      process: cmd.exe, PID 2328
  • Created a process from a suspicious location
      file: C:\Users\user\AppData\Local\Temp\file.exe
      command: "C:\Users\user\AppData\Local\Temp\file.exe
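The "created a process from a suspicious location" hit above is a path check on the image of the newly created process: the launch came from cmd.exe (PID 2328) and the target sits in the user's Temp directory. The following Python is an added example, not CAPE's own signature code, that reproduces this check over constructed process-creation records. The directory list, the event shape and the sample events are assumptions; the first sample event mirrors the report's cmd.exe launch of file.exe, including the unterminated opening quote shown in the command line above.

```python
"""Flag process creations whose image lives in a user-writable staging
directory (the idea behind CAPE's process_creation_suspicious_location hit).
Added example; the directory list below is an assumption, not CAPE's list."""
import ntpath
import re
from dataclasses import dataclass

# Directories from which legitimate software rarely launches executables.
# '*' stands for the user-name segment; matching is case-insensitive.
SUSPICIOUS_DIRS = [
    r"c:\users\*\appdata\local\temp",
    r"c:\users\*\appdata\roaming",
    r"c:\users\*\downloads",
    r"c:\users\public",
    r"c:\windows\temp",
    r"c:\programdata",
]


@dataclass
class ProcessEvent:
    """Minimal process-creation record (assumed shape)."""
    parent_image: str
    parent_pid: int
    command_line: str


def first_token(command_line):
    """Extract the executable path from a command line. A quoted path is
    returned without quotes; an unterminated quote (as in the report's
    'command:' line) yields the remainder of the string."""
    s = command_line.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:] if end == -1 else s[1:end]
    return s.split(None, 1)[0] if s else ""


def normalise(path):
    """Lower-case, use backslashes, drop a \\?\ device prefix, collapse runs
    of backslashes, so prefix matching is not defeated by trivial variants."""
    p = path.replace("/", "\\").lower()
    p = re.sub(r"^\\\\\?\\", "", p)
    p = re.sub(r"\\+", r"\\", p)
    return p


def _prefix_regex(pattern):
    parts = [r"[^\\]+" if part == "*" else re.escape(part)
             for part in pattern.split("\\")]
    # The directory must be followed by a separator or end the string.
    return re.compile("^" + r"\\".join(parts) + r"(\\|$)")


_PATTERNS = [_prefix_regex(p) for p in SUSPICIOUS_DIRS]


def suspicious_location(image_path):
    """Return the matching directory pattern, or None if the path is clean."""
    p = normalise(image_path)
    for pattern, rx in zip(SUSPICIOUS_DIRS, _PATTERNS):
        if rx.match(p):
            return pattern
    return None


def triage(events):
    """Return one hit per event whose image starts in a suspicious directory."""
    hits = []
    for ev in events:
        image = first_token(ev.command_line)
        where = suspicious_location(image)
        if where:
            hits.append({
                "parent": f"{ntpath.basename(ev.parent_image)} (PID {ev.parent_pid})",
                "image": image,
                "matched": where,
            })
    return hits


# Constructed sample events; the first mirrors the report's signature hit.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\SysWOW64\cmd.exe", 2328,
                 r'"C:\Users\user\AppData\Local\Temp\file.exe'),
    ProcessEvent(r"C:\Windows\explorer.exe", 1234,
                 r'"C:\Program Files\Mozilla Firefox\firefox.exe" -url example'),
    ProcessEvent(r"C:\Windows\explorer.exe", 1234,
                 r"C:/Users/alice/Downloads/setup.exe /S"),
    ProcessEvent(r"C:\Windows\System32\services.exe", 600,
                 r"C:\Windows\System32\svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Run stand-alone it reports the Temp and Downloads launches and stays quiet on the Program Files and System32 ones. The directory list is a starting point: Temp and AppData are also where legitimate updaters stage binaries, so in production this check is a triage signal to pair with the parent process (cmd.exe spawning from Temp is more interesting than an installer doing so), not a verdict on its own.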

Screenshots

No playback available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

Files
C:\Users\user\AppData\Local\Temp
C:\Users
C:\Users\user
C:\Users\user\AppData
C:\Users\user\AppData\Local
C:\
C:\Users\user\AppData\Local\Temp\file.exe
C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui

Keys
DisableUserModeCallbackFilter
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

Read Keys
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

Resolved APIs
kernel32.dll.SetThreadUILanguage
kernel32.dll.CopyFileExW
kernel32.dll.IsDebuggerPresent
kernel32.dll.SetConsoleInputExeNameW

Executed Commands
"C:\Users\user\AppData\Local\Temp\file.exe
Sorry! No behavior.
Sorry! No tracee.
Sorry! No strace.

No TCP connections recorded.

No UDP connections recorded.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.