Analysis

Category Package Started Completed Duration
FILE mht 2025-12-08 13:58:21 2025-12-08 13:58:44 23 seconds

Options: vnc_port=5902

Analysis Log:
2025-12-06 18:31:41,645 [root] INFO: Date set to: 20251208T05:51:54, timeout set to: 180
2025-12-06 18:31:41,645 [root] DEBUG: Starting analyzer from: C:\tmpet5am7x7
2025-12-06 18:31:41,645 [root] DEBUG: Storing results at: C:\UxUSjBSea
2025-12-06 18:31:41,645 [root] DEBUG: Pipe server name: \\.\PIPE\jPUzOZ
2025-12-06 18:31:41,645 [root] DEBUG: Python path: C:\Python38
2025-12-06 18:31:41,645 [root] INFO: analysis running as a normal user
2025-12-06 18:31:41,645 [root] INFO: analysis package specified: "mht"
2025-12-06 18:31:41,645 [root] DEBUG: importing analysis package module: "modules.packages.mht"...
2025-12-06 18:31:41,645 [root] DEBUG: imported analysis package "mht"
2025-12-06 18:31:41,645 [root] DEBUG: initializing analysis package "mht"...
2025-12-06 18:31:41,645 [lib.common.common] INFO: wrapping
2025-12-06 18:31:41,645 [lib.core.compound] INFO: C:\Users\user\AppData\Local\Temp already exists, skipping creation
2025-12-06 18:31:41,645 [root] DEBUG: New location of moved file: C:\Users\user\AppData\Local\Temp\test.eml
2025-12-06 18:31:41,645 [root] INFO: Analyzer: Package modules.packages.mht does not specify a DLL option
2025-12-06 18:31:41,645 [root] INFO: Analyzer: Package modules.packages.mht does not specify a DLL_64 option
2025-12-06 18:31:41,645 [root] INFO: Analyzer: Package modules.packages.mht does not specify a loader option
2025-12-06 18:31:41,645 [root] INFO: Analyzer: Package modules.packages.mht does not specify a loader_64 option
2025-12-06 18:31:41,676 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-12-06 18:31:41,676 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain"
2025-12-06 18:31:41,676 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-12-06 18:31:41,676 [root] DEBUG: Imported auxiliary module "modules.auxiliary.during_script"
2025-12-06 18:31:41,676 [root] DEBUG: Imported auxiliary module "modules.auxiliary.end_noisy_tasks"
2025-12-06 18:31:41,676 [root] DEBUG: Imported auxiliary module "modules.auxiliary.evtx"
2025-12-06 18:31:41,692 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-12-06 18:31:41,692 [root] DEBUG: Imported auxiliary module "modules.auxiliary.pre_script"
2025-12-06 18:31:41,692 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-12-06 18:31:41,707 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2025-12-06 18:31:41,707 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2025-12-06 18:31:41,723 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-12-06 18:31:41,723 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon"
2025-12-06 18:31:41,723 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-12-06 18:31:41,723 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage"
2025-12-06 18:31:41,723 [root] DEBUG: Initialized auxiliary module "Browser"
2025-12-06 18:31:41,723 [root] DEBUG: attempting to configure 'Browser' from data
2025-12-06 18:31:41,723 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-12-06 18:31:41,723 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-12-06 18:31:41,723 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-12-06 18:31:41,723 [root] DEBUG: Initialized auxiliary module "Curtain"
2025-12-06 18:31:41,723 [root] DEBUG: attempting to configure 'Curtain' from data
2025-12-06 18:31:41,723 [root] DEBUG: module Curtain does not support data configuration, ignoring
2025-12-06 18:31:41,723 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.curtain"...
2025-12-06 18:31:41,723 [root] DEBUG: Started auxiliary module modules.auxiliary.curtain
2025-12-06 18:31:41,723 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-12-06 18:31:41,723 [root] DEBUG: attempting to configure 'Disguise' from data
2025-12-06 18:31:41,723 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-12-06 18:31:41,723 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-12-06 18:31:41,723 [root] WARNING: Cannot execute auxiliary module modules.auxiliary.disguise: [WinError 5] Access is denied
2025-12-06 18:31:41,723 [root] DEBUG: Initialized auxiliary module "End_noisy_tasks"
2025-12-06 18:31:41,723 [root] DEBUG: attempting to configure 'End_noisy_tasks' from data
2025-12-06 18:31:41,723 [root] DEBUG: module End_noisy_tasks does not support data configuration, ignoring
2025-12-06 18:31:41,723 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.end_noisy_tasks"...
2025-12-06 18:31:41,723 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM wuauclt.exe
2025-12-06 18:31:41,723 [root] DEBUG: Started auxiliary module modules.auxiliary.end_noisy_tasks
2025-12-06 18:31:41,723 [root] DEBUG: Initialized auxiliary module "Evtx"
2025-12-06 18:31:41,723 [root] DEBUG: attempting to configure 'Evtx' from data
2025-12-06 18:31:41,723 [root] DEBUG: module Evtx does not support data configuration, ignoring
2025-12-06 18:31:41,723 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.evtx"...
2025-12-06 18:31:41,723 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Security State Change" /success:enable /failure:enable
2025-12-06 18:31:41,723 [root] DEBUG: Started auxiliary module modules.auxiliary.evtx
2025-12-06 18:31:41,723 [root] DEBUG: Initialized auxiliary module "Human"
2025-12-06 18:31:41,723 [root] DEBUG: attempting to configure 'Human' from data
2025-12-06 18:31:41,723 [root] DEBUG: module Human does not support data configuration, ignoring
2025-12-06 18:31:41,723 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-12-06 18:31:41,723 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-12-06 18:31:41,723 [root] DEBUG: Initialized auxiliary module "Pre_script"
2025-12-06 18:31:41,723 [root] DEBUG: attempting to configure 'Pre_script' from data
2025-12-06 18:31:41,723 [root] DEBUG: module Pre_script does not support data configuration, ignoring
2025-12-06 18:31:41,723 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.pre_script"...
2025-12-06 18:31:41,723 [root] DEBUG: Started auxiliary module modules.auxiliary.pre_script
2025-12-06 18:31:41,723 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-12-06 18:31:41,723 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-12-06 18:31:41,723 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-12-06 18:31:41,723 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-12-06 18:31:41,723 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-12-06 18:31:41,723 [root] DEBUG: Initialized auxiliary module "Sysmon"
2025-12-06 18:31:41,723 [root] DEBUG: attempting to configure 'Sysmon' from data
2025-12-06 18:31:41,723 [root] DEBUG: module Sysmon does not support data configuration, ignoring
2025-12-06 18:31:41,723 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.sysmon"...
2025-12-06 18:31:41,817 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable
2025-12-06 18:31:41,864 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM wusa.exe
2025-12-06 18:31:41,864 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable
2025-12-06 18:31:41,864 [root] WARNING: Cannot execute auxiliary module modules.auxiliary.sysmon: In order to use the Sysmon functionality, it is required to have the SMaster(64|32).exe file and sysmonconfig-export.xml file in the bin path. Note that the SMaster(64|32).exe files are just the standard Sysmon binaries renamed to avoid anti-analysis detection techniques.
2025-12-06 18:31:41,864 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-12-06 18:31:41,864 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-12-06 18:31:41,864 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-12-06 18:31:41,864 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-12-06 18:31:41,864 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 668
2025-12-06 18:31:41,864 [lib.api.process] WARNING: failed to open process 668
2025-12-06 18:31:41,864 [lib.api.process] WARNING: failed to open process 668
2025-12-06 18:31:41,864 [lib.api.process] WARNING: failed to open process 668
2025-12-06 18:31:41,864 [lib.api.process] DEBUG: Failed getting image name for pid 668
2025-12-06 18:31:41,864 [lib.api.process] WARNING: failed to open process 668
2025-12-06 18:31:41,864 [lib.api.process] DEBUG: Failed getting image name for pid 668
2025-12-06 18:31:41,864 [lib.api.process] DEBUG: Failed getting exit code for <Process 668 ???>
2025-12-06 18:31:41,864 [lib.api.process] WARNING: failed to open process 668
2025-12-06 18:31:41,864 [lib.api.process] DEBUG: Failed getting image name for pid 668
2025-12-06 18:31:41,864 [lib.api.process] WARNING: failed to open process 668
2025-12-06 18:31:41,864 [lib.api.process] DEBUG: Failed getting image name for pid 668
2025-12-06 18:31:41,864 [lib.api.process] WARNING: the <Process 668 ???> is not alive, injection aborted
2025-12-06 18:31:41,864 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump
2025-12-06 18:31:41,864 [root] DEBUG: Initialized auxiliary module "Usage"
2025-12-06 18:31:41,864 [root] DEBUG: attempting to configure 'Usage' from data
2025-12-06 18:31:41,864 [root] DEBUG: module Usage does not support data configuration, ignoring
2025-12-06 18:31:41,864 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.usage"...
2025-12-06 18:31:41,864 [root] DEBUG: Started auxiliary module modules.auxiliary.usage
2025-12-06 18:31:41,864 [root] DEBUG: Initialized auxiliary module "During_script"
2025-12-06 18:31:41,864 [root] DEBUG: attempting to configure 'During_script' from data
2025-12-06 18:31:41,879 [root] DEBUG: module During_script does not support data configuration, ignoring
2025-12-06 18:31:41,879 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.during_script"...
2025-12-06 18:31:41,879 [root] DEBUG: Started auxiliary module modules.auxiliary.during_script
2025-12-06 18:31:41,911 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"IPsec Driver" /success:disable /failure:disable
2025-12-06 18:31:41,942 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM WindowsUpdate.exe
2025-12-06 18:31:41,958 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other System Events" /success:disable /failure:enable
2025-12-06 18:31:42,004 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Logon" /success:enable /failure:enable
2025-12-06 18:31:42,020 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM GoogleUpdate.exe
2025-12-06 18:31:42,051 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Logoff" /success:enable /failure:enable
2025-12-06 18:31:42,098 [modules.auxiliary.end_noisy_tasks] DEBUG: taskkill /f /IM MicrosoftEdgeUpdate.exe
2025-12-06 18:31:42,098 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
2025-12-06 18:31:42,114 [root] INFO: Restarting WMI Service
2025-12-06 18:31:42,129 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"IPsec Main Mode" /success:disable /failure:disable
2025-12-06 18:31:42,160 [root] DEBUG: package modules.packages.mht does not support configure, ignoring
2025-12-06 18:31:42,160 [root] WARNING: configuration error for package modules.packages.mht: error importing data.packages.mht: No module named 'data.packages'
2025-12-06 18:31:42,160 [lib.common.common] INFO: Submitted file is missing extension, adding .mht
2025-12-06 18:31:42,160 [lib.core.compound] INFO: C:\Users\user\AppData\Local\Temp already exists, skipping creation
2025-12-06 18:31:42,176 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"IPsec Quick Mode" /success:disable /failure:disable
2025-12-06 18:31:42,176 [lib.api.process] INFO: Successfully executed process from path "C:\Program Files (x86)\Internet Explorer\iexplore.exe" with arguments ""C:\Users\user\AppData\Local\Temp\test.eml.mht"" with pid 3336
2025-12-06 18:31:42,176 [lib.api.process] INFO: Monitor config for <Process 3336 iexplore.exe>: C:\tmpet5am7x7\dll\3336.ini
2025-12-06 18:31:42,176 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpet5am7x7\dll\hzgltx.dll, loader C:\tmpet5am7x7\bin\sRcluWB.exe
2025-12-06 18:31:42,192 [root] DEBUG: Loader: Injecting process 3336 (thread 4076) with C:\tmpet5am7x7\dll\hzgltx.dll.
2025-12-06 18:31:42,192 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-12-06 18:31:42,192 [root] DEBUG: Successfully injected DLL C:\tmpet5am7x7\dll\hzgltx.dll.
2025-12-06 18:31:42,192 [lib.api.process] INFO: Injected into 32-bit <Process 3336 iexplore.exe>
2025-12-06 18:31:42,207 [modules.auxiliary.end_noisy_tasks] DEBUG: Command executed with exit code 1: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v DisableWindowsUpdateAccess /t REG_DWORD /d 1 /f
2025-12-06 18:31:42,207 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"IPsec Extended Mode" /success:disable /failure:disable
2025-12-06 18:31:42,239 [modules.auxiliary.end_noisy_tasks] DEBUG: Command executed with exit code 1: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
2025-12-06 18:31:42,239 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable
2025-12-06 18:31:42,286 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
2025-12-06 18:31:42,286 [modules.auxiliary.end_noisy_tasks] DEBUG: Command executed with exit code 1: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v EnableICMPRedirect /t REG_DWORD /d 0 /f
2025-12-06 18:31:42,317 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Special Logon" /success:enable /failure:enable
2025-12-06 18:31:42,348 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"File System" /success:enable /failure:enable
2025-12-06 18:31:42,379 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Registry" /success:enable /failure:enable
2025-12-06 18:31:42,395 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Kernel Object" /success:enable /failure:enable
2025-12-06 18:31:42,426 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"SAM" /success:disable /failure:disable
2025-12-06 18:31:42,457 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
2025-12-06 18:31:42,488 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Handle Manipulation" /success:disable /failure:disable
2025-12-06 18:31:42,535 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Application Generated" /success:enable /failure:enable
2025-12-06 18:31:42,551 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"File Share" /success:enable /failure:enable
2025-12-06 18:31:42,582 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
2025-12-06 18:31:42,613 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable
2025-12-06 18:31:42,645 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Object Access Events" /success:disable /failure:disable
2025-12-06 18:31:42,676 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Sensitive Privilege Use" /success:disable /failure:disable
2025-12-06 18:31:42,707 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Non Sensitive Privilege Use" /success:disable /failure:disable
2025-12-06 18:31:42,739 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Privilege Use Events" /success:disable /failure:disable
2025-12-06 18:31:42,770 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"RPC Events" /success:enable /failure:enable
2025-12-06 18:31:42,801 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
2025-12-06 18:31:42,832 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable
2025-12-06 18:31:42,864 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:disable /failure:disable
2025-12-06 18:31:42,895 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Filtering Platform Policy Change" /success:disable /failure:disable
2025-12-06 18:31:42,926 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Policy Change Events" /success:disable /failure:enable
2025-12-06 18:31:42,958 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
2025-12-06 18:31:42,989 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable
2025-12-06 18:31:43,020 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
2025-12-06 18:31:43,051 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Distribution Group Management" /success:enable /failure:enable
2025-12-06 18:31:43,083 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Application Group Management" /success:enable /failure:enable
2025-12-06 18:31:43,113 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Account Management Events" /success:enable /failure:enable
2025-12-06 18:31:43,145 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable
2025-12-06 18:31:43,176 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
2025-12-06 18:31:43,207 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Directory Service Replication" /success:disable /failure:enable
2025-12-06 18:31:43,238 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Detailed Directory Service Replication" /success:disable /failure:disable
2025-12-06 18:31:43,270 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
2025-12-06 18:31:43,285 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable
2025-12-06 18:31:43,317 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Account Logon Events" /success:enable /failure:enable
2025-12-06 18:31:43,348 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
2025-12-06 18:31:43,379 [modules.auxiliary.evtx] DEBUG: Wiping Application
2025-12-06 18:31:43,410 [modules.auxiliary.evtx] DEBUG: Wiping HardwareEvents
2025-12-06 18:31:43,442 [modules.auxiliary.evtx] DEBUG: Wiping Internet Explorer
2025-12-06 18:31:43,473 [modules.auxiliary.evtx] DEBUG: Wiping Key Management Service
2025-12-06 18:31:43,504 [modules.auxiliary.evtx] DEBUG: Wiping OAlerts
2025-12-06 18:31:43,535 [modules.auxiliary.evtx] DEBUG: Wiping Security
2025-12-06 18:31:43,567 [modules.auxiliary.evtx] DEBUG: Wiping Setup
2025-12-06 18:31:43,598 [modules.auxiliary.evtx] DEBUG: Wiping System
2025-12-06 18:31:43,629 [modules.auxiliary.evtx] DEBUG: Wiping Windows PowerShell
2025-12-06 18:31:43,660 [modules.auxiliary.evtx] DEBUG: Wiping Microsoft-Windows-Sysmon/Operational
2025-12-06 18:31:44,207 [lib.api.process] INFO: Successfully resumed <Process 3336 iexplore.exe>
2025-12-06 18:31:44,223 [root] DEBUG: 3336: Python path set to 'C:\Python38'.
2025-12-06 18:31:44,223 [root] INFO: Disabling sleep skipping.
2025-12-06 18:31:44,223 [root] DEBUG: 3336: Dropped file limit defaulting to 100.
2025-12-06 18:31:44,223 [root] DEBUG: 3336: Internet Explorer-specific hook-set enabled.
2025-12-06 18:31:44,239 [root] DEBUG: Error 5 (0x5) - AmsiDumper: Is CAPE agent running elevated? Initialisation failed: Access is denied.
2025-12-06 18:31:44,239 [root] DEBUG: 3336: Monitor initialised: 32-bit capemon loaded in process 3336 at 0x73630000, thread 4076, image base 0x160000, stack from 0x30f2000-0x3100000
2025-12-06 18:31:44,239 [root] DEBUG: 3336: Commandline: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" "C:\Users\user\AppData\Local\Temp\test.eml.mht"
2025-12-06 18:31:44,239 [root] DEBUG: 3336: hook_api: Warning - CoCreateInstance export address 0x762B569D differs from GetProcAddress -> 0x769995D0 (combase.dll::0xd95d0)
2025-12-06 18:31:44,239 [root] DEBUG: 3336: hook_api: Warning - CoCreateInstanceEx export address 0x762B56DC differs from GetProcAddress -> 0x7697C540 (combase.dll::0xbc540)
2025-12-06 18:31:44,239 [root] DEBUG: 3336: hook_api: Warning - CoGetClassObject export address 0x762B5C6C differs from GetProcAddress -> 0x769651A0 (combase.dll::0xa51a0)
2025-12-06 18:31:44,239 [root] DEBUG: 3336: hook_api: Warning - CLSIDFromProgID export address 0x762B4ED6 differs from GetProcAddress -> 0x769316A0 (combase.dll::0x716a0)
2025-12-06 18:31:44,239 [root] DEBUG: 3336: Hooked 64 out of 64 functions
2025-12-06 18:31:44,239 [root] DEBUG: 3336: Syscall hook installed, syscall logging level 1
2025-12-06 18:31:44,239 [root] DEBUG: 3336: WoW64fix: Windows version 10.0 not supported.
2025-12-06 18:31:44,239 [root] INFO: Loaded monitor into process with pid 3336
2025-12-06 18:31:44,254 [root] DEBUG: 3336: caller_dispatch: Added region at 0x00160000 to tracked regions list (ntdll::NtClose returns to 0x00162A68, thread 4076).
2025-12-06 18:31:44,254 [root] DEBUG: 3336: ProcessImageBase: Main module image at 0x00160000 unmodified (entropy change 0.000000e+00)
2025-12-06 18:31:44,254 [root] DEBUG: 3336: DLL loaded at 0x75CF0000: C:\Windows\System32\bcryptPrimitives (0x5f000 bytes).
2025-12-06 18:31:44,254 [root] DEBUG: 3336: DLL loaded at 0x73F60000: C:\Windows\SYSTEM32\msIso (0x46000 bytes).
2025-12-06 18:31:44,254 [root] DEBUG: 3336: InstrumentationCallback: Added region at 0x76FC0000 to tracked regions list (thread 4076).
2025-12-06 18:31:44,254 [root] DEBUG: 3336: set_hooks_by_export_directory: Hooked 0 out of 64 functions
2025-12-06 18:31:44,254 [root] DEBUG: 3336: DLL loaded at 0x74EC0000: C:\Windows\SYSTEM32\kernel.appcore (0xf000 bytes).
2025-12-06 18:31:44,270 [root] DEBUG: 3336: NtTerminateProcess hook: Attempting to dump process 3336
2025-12-06 18:31:44,270 [root] DEBUG: 3336: DoProcessDump: Skipping process dump as code is identical on disk.
2025-12-06 18:31:44,270 [root] INFO: Process with pid 3336 has terminated
2025-12-06 18:31:50,286 [root] INFO: Process list is empty, terminating analysis
2025-12-06 18:31:51,301 [root] INFO: Created shutdown mutex
2025-12-06 18:31:52,316 [root] INFO: Shutting down package
2025-12-06 18:31:52,316 [root] INFO: Stopping auxiliary modules
2025-12-06 18:31:52,316 [root] INFO: Stopping auxiliary module: Browser
2025-12-06 18:31:52,316 [root] INFO: Stopping auxiliary module: Curtain
2025-12-06 18:31:52,316 [modules.auxiliary.curtain] ERROR: Curtain - Error collecting PowerShell events - [Errno 13] Permission denied: 'C:\\curtain.log'
2025-12-06 18:31:52,316 [modules.auxiliary.curtain] ERROR: Curtain log file not found!
2025-12-06 18:31:52,316 [root] INFO: Stopping auxiliary module: End_noisy_tasks
2025-12-06 18:31:52,316 [root] INFO: Stopping auxiliary module: Evtx
2025-12-06 18:31:52,316 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Application.evtx to zip dump
2025-12-06 18:31:52,316 [root] WARNING: Cannot terminate auxiliary module Evtx: [Errno 13] Permission denied: 'C:/windows/Sysnative/winevt/Logs\\Application.evtx'
2025-12-06 18:31:52,316 [root] INFO: Stopping auxiliary module: Human
2025-12-06 18:31:52,426 [root] INFO: Stopping auxiliary module: Pre_script
2025-12-06 18:31:52,426 [root] INFO: Stopping auxiliary module: Screenshots
2025-12-06 18:31:56,863 [root] INFO: Stopping auxiliary module: Usage
2025-12-06 18:31:57,988 [root] INFO: Stopping auxiliary module: During_script
2025-12-06 18:31:57,988 [root] INFO: Finishing auxiliary modules
2025-12-06 18:31:57,988 [root] INFO: Shutting down pipe server and dumping dropped files
2025-12-06 18:31:57,988 [root] WARNING: Folder at path "C:\UxUSjBSea\debugger" does not exist, skipping
2025-12-06 18:31:57,988 [root] WARNING: Folder at path "C:\UxUSjBSea\tlsdump" does not exist, skipping
2025-12-06 18:31:57,988 [root] INFO: Analysis completed
Machine

Name Label Manager Started On Shutdown On
win10-64bit-tiny-2 win10-64bit-tiny-2 KVM 2025-12-08 13:58:21 2025-12-08 13:58:44

File Details

File Name
test.eml
File Type MIME entity, ASCII text, with CRLF line terminators
File Size 105573 bytes
MD5 d89dcddfb4f398587911dbcd51a1d347
SHA1 ab0d884ab1c7d5c390be00c64de98298e949397a
SHA256 71ebc70af93f42fed92dcfbf9b387a32dd17e02fb5ff9c547f7f8bf6bccee8c9
SHA3-384 cb14fd6c5f0caac8618ba28ec9eda40c680f962e233c5f806c0d0ca311175d39897356fc871a16062a0da5e5702302a7
CRC32 E3E08458
TLSH T120A31239324CE59E8675A092DBD270803BAEBB5B12C9A51F0A379875817FF1D8ED0442
Ssdeep 1536:uBzI5iRaxSwbDl7t7sNBcYnoGpFzG737AjtwwAGFmD1K521lA+m4FI0bGTGBhR44:hiExSAzA9nnrG738qJYAwKdIyGmhR4Ju

MIME-Version: 1.0
Date: Thu, 4 Jul 2024 15:36:37 +0800
Message-ID: <CAM60JEjo2YOSyM3R1hX9eW0MgWWziekZL1aD8DLSctFab-ahag@mail.gmail.com>
Subject: test
From: Kobin Fong <baconpotatocat@gmail.com>
To: Kobin Fong <baconpotatocat@gmail.com>
Content-Type: multipart/mixed; boundary="000000000000255979061c66fd9a"

--000000000000255979061c66fd9a
Content-Type: multipart/alternative; boundary="000000000000255977061c66fd98"

--000000000000255977061c66fd98
Content-Type: text/plain; charset="UTF-8"

cat test is a cat

--000000000000255977061c66fd98
Content-Type: text/html; charset="UTF-8"

<div dir="ltr">cat test is a cat</div>

--000000000000255977061c66fd98--
--000000000000255979061c66fd9a
Content-Type: application/x-zip-compressed; 
	name="156bc7f8737e9e7a62bfbe0c8f29a14a5cc5367af4e759c63905dd029c278293.zip"
Content-Disposition: attachment; 
	filename="156bc7f8737e9e7a62bfbe0c8f29a14a5cc5367af4e759c63905dd029c278293.zip"
Content-Transfer-Encoding: base64
X-Attachment-Id: f_ly6ydsrm0
Content-ID: <f_ly6ydsrm0>

Usage

Processing ( 0.70 seconds )

  • 0.352 Heatmap
  • 0.331 CAPE
  • 0.014 AnalysisInfo
  • 0.002 BehaviorAnalysis
  • 0.001 Debug

Signatures ( 0.02 seconds )

  • 0.003 ransomware_files
  • 0.002 antianalysis_detectfile
  • 0.002 antiav_detectreg
  • 0.002 ransomware_extensions
  • 0.001 antianalysis_detectreg
  • 0.001 antiav_detectfile
  • 0.001 antivm_vbox_files
  • 0.001 infostealer_bitcoin
  • 0.001 infostealer_ftp
  • 0.001 infostealer_im
  • 0.001 poullight_files
  • 0.001 territorial_disputes_sigs
  • 0.001 ursnif_behavior

Reporting ( 0.04 seconds )

  • 0.042 ReportHTML

Signatures

No signatures

Screenshots

No playback available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

C:\Program Files (x86)\Internet Explorer\msIso.dll
C:\Windows\System32\msIso.dll
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\System32\kernel.appcore.dll
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLESAFESEARCHPATH_KB963027
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLESAFESEARCHPATH_KB963027
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Security
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main
HKEY_LOCAL_MACHINE\Software\Policies
HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software
HKEY_LOCAL_MACHINE\Software
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Low Rights
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" "C:\Users\user\AppData\Local\Temp\test.eml.mht"
No results
Sorry! No behavior.
Sorry! No tracee.
Sorry! No strace.

No TCP connections recorded.

No UDP connections recorded.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.