| _id | statistics | target | CAPE | info | behavior | debug | memory | network | sysmon | url_analysis | usage | tracee | procmemory | signatures | malscore | ttps | malstatus | shots | local_conf |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
69354e0290de064513d4f6e8
|
{
"processing": [
{
"name": "CAPE",
"time": 2.005
},
{
"name": "AnalysisInfo",
"time": 0.028
},
{
"name": "BehaviorAnalysis",
"time": 0.001
},
{
"name": "Debug",
"time": 0.001
},
{
"name": "Memory",
"time": 3.003
},
{
"name": "NetworkAnalysis",
"time": 0.002
},
{
"name": "Sysmon",
"time": 0
},
{
"name": "UrlAnalysis",
"time": 0
},
{
"name": "Usage",
"time": 0
},
{
"name": "script_log_processing",
"time": 0
},
{
"name": "TraceeAnalysis",
"time": 0.006
},
{
"name": "ProcessMemory",
"time": 0
}
],
"signatures": [
{
"name": "packer_themida",
"time": 0
},
{
"name": "stealth_network",
"time": 0
},
{
"name": "disable_driver_via_blocklist",
"time": 0
},
{
"name": "disable_driver_via_hvcidisallowedimages",
"time": 0
},
{
"name": "disable_hypervisor_protected_code_integrity",
"time": 0
},
{
"name": "pendingfilerenameoperations_Operations",
"time": 0
},
{
"name": "anomalous_deletefile",
"time": 0
},
{
"name": "antiav_servicestop",
"time": 0
},
{
"name": "antidebug_guardpages",
"time": 0
},
{
"name": "antidebug_outputdebugstring",
"time": 0
},
{
"name": "antidebug_windows",
"time": 0
},
{
"name": "antisandbox_cuckoocrash",
"time": 0
},
{
"name": "antisandbox_foregroundwindows",
"time": 0
},
{
"name": "mouse_movement_detect",
"time": 0
},
{
"name": "antisandbox_script_timer",
"time": 0
},
{
"name": "antisandbox_sleep",
"time": 0
},
{
"name": "antisandbox_unhook",
"time": 0
},
{
"name": "antivm_directory_objects",
"time": 0
},
{
"name": "antivm_generic_system",
"time": 0
},
{
"name": "antivm_checks_available_memory",
"time": 0
},
{
"name": "detect_virtualization_via_recent_files",
"time": 0
},
{
"name": "antivm_vmware_events",
"time": 0
},
{
"name": "api_spamming",
"time": 0
},
{
"name": "api_uuidfromstringa",
"time": 0
},
{
"name": "bcdedit_command",
"time": 0
},
{
"name": "potential_overwrite_mbr",
"time": 0
},
{
"name": "suspicious_ioctl_scsipassthough",
"time": 0
},
{
"name": "suspicious_iocontrol_codes",
"time": 0
},
{
"name": "browser_needed",
"time": 0
},
{
"name": "uac_bypass_cmstp",
"time": 0
},
{
"name": "uac_bypass_eventvwr",
"time": 0
},
{
"name": "dotnet_code_compile",
"time": 0
},
{
"name": "queries_computer_name",
"time": 0
},
{
"name": "queries_user_name",
"time": 0
},
{
"name": "creates_largekey",
"time": 0
},
{
"name": "creates_nullvalue",
"time": 0
},
{
"name": "access_windows_passwords_vault",
"time": 0
},
{
"name": "lsass_credential_dumping",
"time": 0
},
{
"name": "critical_process",
"time": 0
},
{
"name": "cryptopool_domains",
"time": 0
},
{
"name": "dead_connect",
"time": 0
},
{
"name": "dead_link",
"time": 0
},
{
"name": "decoy_document",
"time": 0
},
{
"name": "decoy_image",
"time": 0
},
{
"name": "deletes_consolehost_history",
"time": 0
},
{
"name": "dep_bypass",
"time": 0
},
{
"name": "dep_disable",
"time": 0
},
{
"name": "disables_wfp",
"time": 0
},
{
"name": "add_windows_defender_exclusions",
"time": 0
},
{
"name": "document_script_exe_drop",
"time": 0
},
{
"name": "guloader_apis",
"time": 0
},
{
"name": "driver_load",
"time": 0
},
{
"name": "dynamic_function_loading",
"time": 0
},
{
"name": "encrypted_ioc",
"time": 0
},
{
"name": "process_creation_suspicious_location",
"time": 0
},
{
"name": "exploit_getbasekerneladdress",
"time": 0
},
{
"name": "exploit_gethaldispatchtable",
"time": 0
},
{
"name": "exploit_heapspray",
"time": 0
},
{
"name": "koadic_apis",
"time": 0
},
{
"name": "koadic_network_activity",
"time": 0
},
{
"name": "downloads_from_filehosting",
"time": 0
},
{
"name": "generic_phish",
"time": 0
},
{
"name": "http_request",
"time": 0
},
{
"name": "infostealer_browser",
"time": 0
},
{
"name": "infostealer_browser_password",
"time": 0
},
{
"name": "infostealer_cookies",
"time": 0
},
{
"name": "cryptbot_network",
"time": 0
},
{
"name": "purplewave_network_activity",
"time": 0
},
{
"name": "quilclipper_behavior",
"time": 0
},
{
"name": "raccoon_behavior",
"time": 0
},
{
"name": "captures_screenshot",
"time": 0
},
{
"name": "vidar_behavior",
"time": 0
},
{
"name": "injection_network_traffic",
"time": 0
},
{
"name": "injection_themeinitapihook",
"time": 0
},
{
"name": "resumethread_remote_process",
"time": 0
},
{
"name": "injection_write_exe_process",
"time": 0
},
{
"name": "injection_write_process",
"time": 0
},
{
"name": "internet_dropper",
"time": 0
},
{
"name": "escalate_privilege_via_named_pipe",
"time": 0
},
{
"name": "ipc_namedpipe",
"time": 0
},
{
"name": "js_phish",
"time": 0
},
{
"name": "js_suspicious_redirect",
"time": 0
},
{
"name": "loader_alien",
"time": 0
},
{
"name": "execute_binary_via_internet_explorer_exporter",
"time": 0
},
{
"name": "execute_binary_via_run_exe_helper_utility",
"time": 0
},
{
"name": "execute_ps_via_syncappvpublishingserver",
"time": 0
},
{
"name": "malicious_dynamic_function_loading",
"time": 0
},
{
"name": "encrypt_pcinfo",
"time": 0
},
{
"name": "encrypt_data_agenttesla_http",
"time": 0
},
{
"name": "encrypt_data_agentteslat2_http",
"time": 0
},
{
"name": "encrypt_data_nanocore",
"time": 0
},
{
"name": "reads_memory_remote_process",
"time": 0
},
{
"name": "mimics_filetime",
"time": 0
},
{
"name": "amsi_bypass_via_com_registry",
"time": 0
},
{
"name": "access_auto_logons_via_registry",
"time": 0
},
{
"name": "access_boot_key_via_registry",
"time": 0
},
{
"name": "create_suspicious_lnk_files",
"time": 0
},
{
"name": "credential_access_via_windows_credential_history",
"time": 0
},
{
"name": "dll_hijacking_via_microsoft_exchange",
"time": 0
},
{
"name": "dll_hijacking_via_waas_medic_svc_com_typelib",
"time": 0
},
{
"name": "execute_file_downloaded_via_openssh",
"time": 0
},
{
"name": "execute_safe_mode_from_suspicious_process",
"time": 0
},
{
"name": "execute_scripts_via_microsoft_management_console",
"time": 0
},
{
"name": "execute_suspicious_processes_via_windows_mssql_service",
"time": 0
},
{
"name": "execution_from_self_extracting_archive",
"time": 0
},
{
"name": "ip_address_discovery_via_trusted_program",
"time": 0
},
{
"name": "load_dll_via_control_panel",
"time": 0
},
{
"name": "network_connection_via_suspicious_process",
"time": 0
},
{
"name": "potential_location_discovery_via_unusual_process",
"time": 0
},
{
"name": "store_executable_registry",
"time": 0
},
{
"name": "Suspicious_Execution_Via_MicrosoftExchangeTransportAgent",
"time": 0
},
{
"name": "suspicious_java_execution_via_win_scripts",
"time": 0
},
{
"name": "Suspicious_Scheduled_Task_Creation_Via_Masqueraded_XML_File",
"time": 0
},
{
"name": "uses_restart_manager_for_suspicious_activities",
"time": 0
},
{
"name": "modify_desktop_wallpaper",
"time": 0
},
{
"name": "move_file_on_reboot",
"time": 0
},
{
"name": "multiple_useragents",
"time": 0
},
{
"name": "network_anomaly",
"time": 0
},
{
"name": "network_bind",
"time": 0
},
{
"name": "network_cnc_https_archive",
"time": 0
},
{
"name": "network_cnc_https_free_webhosting",
"time": 0
},
{
"name": "network_cnc_https_generic",
"time": 0
},
{
"name": "network_cnc_https_interactsh",
"time": 0
},
{
"name": "network_cnc_https_opensource",
"time": 0
},
{
"name": "network_cnc_https_pastesite",
"time": 0
},
{
"name": "network_cnc_https_payload",
"time": 0
},
{
"name": "network_cnc_https_serviceinterface",
"time": 0
},
{
"name": "network_cnc_https_socialmedia",
"time": 0
},
{
"name": "network_cnc_https_telegram",
"time": 0
},
{
"name": "network_cnc_https_tempstorage",
"time": 0
},
{
"name": "network_cnc_https_temp_urldns",
"time": 0
},
{
"name": "network_cnc_https_urlshortener",
"time": 0
},
{
"name": "network_cnc_https_useragent",
"time": 0
},
{
"name": "network_cnc_smtps_exfil",
"time": 0
},
{
"name": "network_cnc_smtps_generic",
"time": 0
},
{
"name": "network_dns_idn",
"time": 0
},
{
"name": "network_dns_suspicious_querytype",
"time": 0
},
{
"name": "network_dns_tunneling_request",
"time": 0
},
{
"name": "network_document_http",
"time": 0
},
{
"name": "explorer_http",
"time": 0
},
{
"name": "network_fake_useragent",
"time": 0
},
{
"name": "legitimate_domain_abuse",
"time": 0
},
{
"name": "suspicious_communication_trusted_site",
"time": 0
},
{
"name": "network_tor",
"time": 0
},
{
"name": "office_cve2017_11882",
"time": 0
},
{
"name": "office_cve2017_11882_network",
"time": 0
},
{
"name": "office_cve_2021_40444",
"time": 0
},
{
"name": "office_cve_2021_40444_m2",
"time": 0
},
{
"name": "office_flash_load",
"time": 0
},
{
"name": "office_postscript",
"time": 0
},
{
"name": "office_suspicious_processes",
"time": 0
},
{
"name": "office_write_exe",
"time": 0
},
{
"name": "persistence_via_autodial_dll_registry",
"time": 0
},
{
"name": "persistence_autorun",
"time": 0
},
{
"name": "persistence_autorun_tasks",
"time": 0
},
{
"name": "persistence_bootexecute",
"time": 0
},
{
"name": "persistence_registry_script",
"time": 0
},
{
"name": "powershell_network_connection",
"time": 0
},
{
"name": "powershell_download",
"time": 0
},
{
"name": "powershell_request",
"time": 0
},
{
"name": "createtoolhelp32snapshot_module_enumeration",
"time": 0
},
{
"name": "enumerates_running_processes",
"time": 0
},
{
"name": "process_interest",
"time": 0
},
{
"name": "process_needed",
"time": 0
},
{
"name": "mass_data_encryption",
"time": 0
},
{
"name": "ransomware_file_modifications",
"time": 0
},
{
"name": "nemty_network_activity",
"time": 0
},
{
"name": "nemty_note",
"time": 0
},
{
"name": "sodinokibi_behavior",
"time": 0
},
{
"name": "stop_ransomware_registry",
"time": 0
},
{
"name": "blackrat_apis",
"time": 0
},
{
"name": "blackrat_network_activity",
"time": 0
},
{
"name": "blackrat_registry_keys",
"time": 0
},
{
"name": "dcrat_behavior",
"time": 0
},
{
"name": "karagany_system_event_objects",
"time": 0
},
{
"name": "rat_luminosity",
"time": 0
},
{
"name": "rat_nanocore",
"time": 0
},
{
"name": "netwire_behavior",
"time": 0
},
{
"name": "obliquerat_network_activity",
"time": 0
},
{
"name": "orcusrat_behavior",
"time": 0
},
{
"name": "trochilusrat_apis",
"time": 0
},
{
"name": "reads_self",
"time": 0
},
{
"name": "recon_beacon",
"time": 0
},
{
"name": "recon_programs",
"time": 0
},
{
"name": "accesses_recyclebin",
"time": 0
},
{
"name": "remcos_shell_code_dynamic_wrapper_x",
"time": 0
},
{
"name": "script_created_process",
"time": 0
},
{
"name": "script_network_activity",
"time": 0
},
{
"name": "suspicious_js_script",
"time": 0
},
{
"name": "javascript_timer",
"time": 0
},
{
"name": "secure_login_phishing",
"time": 0
},
{
"name": "securityxploded_modules",
"time": 0
},
{
"name": "get_clipboard_data",
"time": 0
},
{
"name": "sets_autoconfig_url",
"time": 0
},
{
"name": "spoofs_procname",
"time": 0
},
{
"name": "stack_pivot",
"time": 0
},
{
"name": "stack_pivot_file_created",
"time": 0
},
{
"name": "stack_pivot_process_create",
"time": 0
},
{
"name": "set_clipboard_data",
"time": 0
},
{
"name": "stealth_childproc",
"time": 0
},
{
"name": "stealth_file",
"time": 0
},
{
"name": "stealth_window",
"time": 0
},
{
"name": "queries_keyboard_layout",
"time": 0
},
{
"name": "queries_locale_api",
"time": 0
},
{
"name": "terminates_remote_process",
"time": 0
},
{
"name": "user_enum",
"time": 0
},
{
"name": "virus",
"time": 0
},
{
"name": "neshta_files",
"time": 0
},
{
"name": "neshta_regkeys",
"time": 0
},
{
"name": "webmail_phish",
"time": 0
},
{
"name": "persists_dev_util",
"time": 0
},
{
"name": "spawns_dev_util",
"time": 0
},
{
"name": "alters_windows_utility",
"time": 0
},
{
"name": "overwrites_accessibility_utility",
"time": 0
},
{
"name": "Potential_Lateral_Movement_Via_SMBEXEC",
"time": 0
},
{
"name": "potential_WebShell_Via_ScreenConnectServer",
"time": 0
},
{
"name": "uses_Microsoft_HTML_Help_Executable",
"time": 0
},
{
"name": "wiper_zeroedbytes",
"time": 0
},
{
"name": "wmi_create_process",
"time": 0
},
{
"name": "wmi_script_process",
"time": 0
},
{
"name": "deletes_files",
"time": 0
},
{
"name": "drops_files",
"time": 0
},
{
"name": "reads_files",
"time": 0
},
{
"name": "writes_files",
"time": 0
},
{
"name": "antianalysis_tls_section",
"time": 0
},
{
"name": "antivirus_clamav",
"time": 0
},
{
"name": "antivirus_virustotal",
"time": 0
},
{
"name": "bad_certs",
"time": 0
},
{
"name": "bad_ssl_certs",
"time": 0
},
{
"name": "banker_zeus_p2p",
"time": 0
},
{
"name": "banker_zeus_url",
"time": 0
},
{
"name": "binary_yara",
"time": 0
},
{
"name": "bot_athenahttp",
"time": 0
},
{
"name": "bot_dirtjumper",
"time": 0
},
{
"name": "bot_drive",
"time": 0
},
{
"name": "bot_drive2",
"time": 0
},
{
"name": "bot_madness",
"time": 0
},
{
"name": "phishing_kit_detected",
"time": 0
},
{
"name": "family_proxyback",
"time": 0
},
{
"name": "flare_capa_antianalysis",
"time": 0
},
{
"name": "flare_capa_collection",
"time": 0
},
{
"name": "flare_capa_communication",
"time": 0
},
{
"name": "flare_capa_compiler",
"time": 0
},
{
"name": "flare_capa_datamanipulation",
"time": 0
},
{
"name": "flare_capa_executable",
"time": 0
},
{
"name": "flare_capa_hostinteraction",
"time": 0
},
{
"name": "flare_capa_impact",
"time": 0
},
{
"name": "flare_capa_lib",
"time": 0
},
{
"name": "flare_capa_linking",
"time": 0
},
{
"name": "flare_capa_loadcode",
"time": 0
},
{
"name": "flare_capa_malwarefamily",
"time": 0
},
{
"name": "flare_capa_nursery",
"time": 0
},
{
"name": "flare_capa_persistence",
"time": 0
},
{
"name": "flare_capa_runtime",
"time": 0
},
{
"name": "flare_capa_targeting",
"time": 0
},
{
"name": "threatfox",
"time": 0
},
{
"name": "log4shell",
"time": 0
},
{
"name": "mimics_extension",
"time": 0
},
{
"name": "network_country_distribution",
"time": 0
},
{
"name": "network_cnc_http",
"time": 0
},
{
"name": "network_ip_exe",
"time": 0
},
{
"name": "network_dga",
"time": 0
},
{
"name": "network_dga_fraunhofer",
"time": 0
},
{
"name": "network_dyndns",
"time": 0
},
{
"name": "network_excessive_udp",
"time": 0
},
{
"name": "network_http",
"time": 0
},
{
"name": "network_icmp",
"time": 0
},
{
"name": "network_irc",
"time": 0
},
{
"name": "network_open_proxy",
"time": 0
},
{
"name": "network_questionable_http_path",
"time": 0
},
{
"name": "network_questionable_https_path",
"time": 0
},
{
"name": "network_smtp",
"time": 0
},
{
"name": "network_torgateway",
"time": 0
},
{
"name": "origin_langid",
"time": 0
},
{
"name": "origin_resource_langid",
"time": 0
},
{
"name": "overlay",
"time": 0
},
{
"name": "packer_unknown_pe_section_name",
"time": 0
},
{
"name": "packer_aspack",
"time": 0
},
{
"name": "packer_aspirecrypt",
"time": 0
},
{
"name": "packer_bedsprotector",
"time": 0
},
{
"name": "packer_confuser",
"time": 0
},
{
"name": "packer_enigma",
"time": 0
},
{
"name": "packer_entropy",
"time": 0
},
{
"name": "packer_mpress",
"time": 0
},
{
"name": "packer_nate",
"time": 0
},
{
"name": "packer_nspack",
"time": 0
},
{
"name": "packer_smartassembly",
"time": 0
},
{
"name": "packer_spices",
"time": 0
},
{
"name": "packer_themida",
"time": 0
},
{
"name": "packer_titan",
"time": 0
},
{
"name": "packer_upx",
"time": 0
},
{
"name": "packer_vmprotect",
"time": 0
},
{
"name": "packer_yoda",
"time": 0
},
{
"name": "pdf_annot_urls_checker",
"time": 0
},
{
"name": "polymorphic",
"time": 0
},
{
"name": "punch_plus_plus_pcres",
"time": 0
},
{
"name": "procmem_yara",
"time": 0
},
{
"name": "recon_checkip",
"time": 0
},
{
"name": "static_authenticode",
"time": 0
},
{
"name": "invalid_authenticode_signature",
"time": 0
},
{
"name": "static_dotnet_anomaly",
"time": 0
},
{
"name": "static_java",
"time": 0
},
{
"name": "static_pdf",
"time": 0
},
{
"name": "contains_pe_overlay",
"time": 0
},
{
"name": "static_pe_anomaly",
"time": 0
},
{
"name": "pe_compile_timestomping",
"time": 0
},
{
"name": "static_pe_pdbpath",
"time": 0
},
{
"name": "static_rat_config",
"time": 0
},
{
"name": "static_versioninfo_anomaly",
"time": 0
},
{
"name": "suricata_alert",
"time": 0
},
{
"name": "suspicious_html_body",
"time": 0
},
{
"name": "suspicious_html_name",
"time": 0
},
{
"name": "suspicious_html_title",
"time": 0
},
{
"name": "volatility_devicetree_1",
"time": 0
},
{
"name": "volatility_handles_1",
"time": 0
},
{
"name": "volatility_ldrmodules_1",
"time": 0
},
{
"name": "volatility_ldrmodules_2",
"time": 0
},
{
"name": "volatility_malfind_1",
"time": 0
},
{
"name": "volatility_malfind_2",
"time": 0
},
{
"name": "volatility_modscan_1",
"time": 0
},
{
"name": "volatility_svcscan_1",
"time": 0
},
{
"name": "volatility_svcscan_2",
"time": 0
},
{
"name": "volatility_svcscan_3",
"time": 0
},
{
"name": "whois_create",
"time": 0
},
{
"name": "accesses_mailslot",
"time": 0
},
{
"name": "accesses_netlogon_regkey",
"time": 0
},
{
"name": "accesses_public_folder",
"time": 0
},
{
"name": "accesses_sysvol",
"time": 0
},
{
"name": "writes_sysvol",
"time": 0
},
{
"name": "adds_admin_user",
"time": 0
},
{
"name": "adds_user",
"time": 0
},
{
"name": "overwrites_admin_password",
"time": 0
},
{
"name": "antianalysis_detectfile",
"time": 0
},
{
"name": "antianalysis_detectreg",
"time": 0
},
{
"name": "modify_attachment_manager",
"time": 0
},
{
"name": "antiav_detectfile",
"time": 0.001
},
{
"name": "antiav_detectreg",
"time": 0.001
},
{
"name": "antiav_srp",
"time": 0
},
{
"name": "antiav_whitespace",
"time": 0
},
{
"name": "antidebug_devices",
"time": 0
},
{
"name": "antiemu_windefend",
"time": 0
},
{
"name": "antiemu_wine_reg",
"time": 0
},
{
"name": "antisandbox_cuckoo_files",
"time": 0
},
{
"name": "antisandbox_fortinet_files",
"time": 0
},
{
"name": "antisandbox_joe_anubis_files",
"time": 0
},
{
"name": "antisandbox_sboxie_mutex",
"time": 0
},
{
"name": "antisandbox_sunbelt_files",
"time": 0
},
{
"name": "antisandbox_threattrack_files",
"time": 0
},
{
"name": "antivm_bochs_keys",
"time": 0
},
{
"name": "antivm_generic_bios",
"time": 0
},
{
"name": "antivm_generic_diskreg",
"time": 0
},
{
"name": "antivm_hyperv_keys",
"time": 0
},
{
"name": "antivm_parallels_keys",
"time": 0
},
{
"name": "antivm_recentdocs",
"time": 0
},
{
"name": "antivm_vbox_devices",
"time": 0
},
{
"name": "antivm_vbox_files",
"time": 0
},
{
"name": "antivm_vbox_keys",
"time": 0
},
{
"name": "antivm_vmware_devices",
"time": 0
},
{
"name": "antivm_vmware_files",
"time": 0
},
{
"name": "antivm_vmware_keys",
"time": 0
},
{
"name": "antivm_vmware_mutexes",
"time": 0
},
{
"name": "antivm_vpc_files",
"time": 0
},
{
"name": "antivm_vpc_keys",
"time": 0
},
{
"name": "antivm_vpc_mutex",
"time": 0
},
{
"name": "antivm_xen_keys",
"time": 0
},
{
"name": "asyncrat_mutex",
"time": 0
},
{
"name": "gulpix_behavior",
"time": 0
},
{
"name": "ketrican_regkeys",
"time": 0
},
{
"name": "okrum_mutexes",
"time": 0
},
{
"name": "banker_cridex",
"time": 0
},
{
"name": "geodo_banking_trojan",
"time": 0
},
{
"name": "banker_spyeye_mutexes",
"time": 0
},
{
"name": "banker_zeus_mutex",
"time": 0
},
{
"name": "bitcoin_opencl",
"time": 0
},
{
"name": "accesses_primary_patition",
"time": 0
},
{
"name": "direct_hdd_access",
"time": 0
},
{
"name": "enumerates_physical_drives",
"time": 0
},
{
"name": "physical_drive_access",
"time": 0
},
{
"name": "bot_russkill",
"time": 0
},
{
"name": "browser_addon",
"time": 0
},
{
"name": "chromium_browser_extension_directory",
"time": 0
},
{
"name": "browser_helper_object",
"time": 0
},
{
"name": "browser_security",
"time": 0
},
{
"name": "browser_startpage",
"time": 0
},
{
"name": "ie_disables_process_tab",
"time": 0
},
{
"name": "odbcconf_bypass",
"time": 0
},
{
"name": "squiblydoo_bypass",
"time": 0
},
{
"name": "squiblytwo_bypass",
"time": 0
},
{
"name": "bypass_chromium_protection",
"time": 0
},
{
"name": "bypass_firewall",
"time": 0
},
{
"name": "checks_uac_status",
"time": 0
},
{
"name": "uac_bypass_cmstpcom",
"time": 0
},
{
"name": "uac_bypass_delegateexecute_sdclt",
"time": 0
},
{
"name": "uac_bypass_fodhelper",
"time": 0
},
{
"name": "cape_extracted_content",
"time": 0
},
{
"name": "carberp_mutex",
"time": 0
},
{
"name": "clears_logs",
"time": 0
},
{
"name": "cmdline_obfuscation",
"time": 0
},
{
"name": "cmdline_switches",
"time": 0
},
{
"name": "cmdline_terminate",
"time": 0
},
{
"name": "cmdline_forfiles_wildcard",
"time": 0
},
{
"name": "cmdline_http_link",
"time": 0
},
{
"name": "cmdline_long_string",
"time": 0
},
{
"name": "cmdline_reversed_http_link",
"time": 0
},
{
"name": "long_commandline",
"time": 0
},
{
"name": "powershell_renamed_commandline",
"time": 0
},
{
"name": "copies_self",
"time": 0
},
{
"name": "credwiz_credentialaccess",
"time": 0
},
{
"name": "enables_wdigest",
"time": 0
},
{
"name": "vaultcmd_credentialaccess",
"time": 0
},
{
"name": "file_credential_store_access",
"time": 0
},
{
"name": "file_credential_store_write",
"time": 0
},
{
"name": "kerberos_credential_access_via_rubeus",
"time": 0
},
{
"name": "registry_credential_dumping",
"time": 0
},
{
"name": "registry_credential_store_access",
"time": 0
},
{
"name": "registry_lsa_secrets_access",
"time": 0
},
{
"name": "comsvcs_credentialdump",
"time": 0
},
{
"name": "cryptomining_stratum_command",
"time": 0
},
{
"name": "cypherit_mutexes",
"time": 0
},
{
"name": "darkcomet_regkeys",
"time": 0
},
{
"name": "datop_loader",
"time": 0
},
{
"name": "deepfreeze_mutex",
"time": 0
},
{
"name": "deletes_executed_files",
"time": 0
},
{
"name": "disables_app_launch",
"time": 0
},
{
"name": "disables_auto_app_termination",
"time": 0
},
{
"name": "disables_appv_virtualization",
"time": 0
},
{
"name": "disables_backups",
"time": 0
},
{
"name": "disables_browser_warn",
"time": 0
},
{
"name": "disables_context_menus",
"time": 0
},
{
"name": "disables_cpl_disable",
"time": 0
},
{
"name": "disables_crashdumps",
"time": 0
},
{
"name": "disables_event_logging",
"time": 0
},
{
"name": "disables_folder_options",
"time": 0
},
{
"name": "disables_notificationcenter",
"time": 0
},
{
"name": "disables_power_options",
"time": 0
},
{
"name": "disables_restore_default_state",
"time": 0
},
{
"name": "disables_run_command",
"time": 0
},
{
"name": "disables_smartscreen",
"time": 0
},
{
"name": "disables_startmenu_search",
"time": 0
},
{
"name": "disables_system_restore",
"time": 0
},
{
"name": "disables_uac",
"time": 0
},
{
"name": "disables_wer",
"time": 0
},
{
"name": "disables_windows_defender",
"time": 0
},
{
"name": "disables_windows_defender_logging",
"time": 0
},
{
"name": "removes_windows_defender_contextmenu",
"time": 0
},
{
"name": "removes_windows_defender_updates",
"time": 0
},
{
"name": "windows_defender_powershell",
"time": 0
},
{
"name": "disables_windows_file_protection",
"time": 0
},
{
"name": "disables_windowsupdate",
"time": 0
},
{
"name": "disables_winfirewall",
"time": 0
},
{
"name": "adfind_domain_enumeration",
"time": 0
},
{
"name": "domain_enumeration_commands",
"time": 0
},
{
"name": "andromut_mutexes",
"time": 0
},
{
"name": "downloader_cabby",
"time": 0
},
{
"name": "phorpiex_mutexes",
"time": 0
},
{
"name": "protonbot_mutexes",
"time": 0
},
{
"name": "driver_filtermanager",
"time": 0
},
{
"name": "dropper",
"time": 0
},
{
"name": "dll_archive_execution",
"time": 0
},
{
"name": "lnk_archive_execution",
"time": 0
},
{
"name": "script_archive_execution",
"time": 0
},
{
"name": "excel4_macro_urls",
"time": 0
},
{
"name": "escalate_privilege_via_ntlm_relay",
"time": 0
},
{
"name": "spooler_access",
"time": 0
},
{
"name": "spooler_svc_start",
"time": 0
},
{
"name": "mapped_drives_uac",
"time": 0
},
{
"name": "hides_recycle_bin_icon",
"time": 0
},
{
"name": "apocalypse_stealer_file_behavior",
"time": 0
},
{
"name": "arkei_files",
"time": 0
},
{
"name": "azorult_mutexes",
"time": 0
},
{
"name": "infostealer_bitcoin",
"time": 0
},
{
"name": "cryptbot_files",
"time": 0
},
{
"name": "echelon_files",
"time": 0
},
{
"name": "infostealer_ftp",
"time": 0.001
},
{
"name": "infostealer_im",
"time": 0
},
{
"name": "infostealer_mail",
"time": 0
},
{
"name": "masslogger_files",
"time": 0
},
{
"name": "poullight_files",
"time": 0
},
{
"name": "purplewave_mutexes",
"time": 0
},
{
"name": "quilclipper_mutexes",
"time": 0
},
{
"name": "qulab_files",
"time": 0
},
{
"name": "qulab_mutexes",
"time": 0
},
{
"name": "asyncrat_mutex",
"time": 0
},
{
"name": "Evade_Execution_Via_ASPNet_Compiler",
"time": 0
},
{
"name": "Evade_Execute_Via_DeviceCredentialDeployment",
"time": 0
},
{
"name": "Evade_Execution_Via_Filter_Manager_Control",
"time": 0
},
{
"name": "Evade_Execution_Via_Intel_GFXDownloadWrapper",
"time": 0
},
{
"name": "execute_binary_via_appvlp",
"time": 0
},
{
"name": "execute_binary_via_pcalua",
"time": 0
},
{
"name": "Execute_Binary_Via_OpenSSH",
"time": 0
},
{
"name": "execute_binary_via_pcalua",
"time": 0
},
{
"name": "Execute_Binary_Via_PesterPSModule",
"time": 0
},
{
"name": "Execute_Binary_Via_ScriptRunner",
"time": 0
},
{
"name": "execute_binary_via_ttdinject",
"time": 0
},
{
"name": "Execute_Binary_Via_VisualStudioLiveShare",
"time": 0
},
{
"name": "Execute_Msiexec_Via_Explorer",
"time": 0
},
{
"name": "execute_remote_msi",
"time": 0
},
{
"name": "execute_suspicious_powershell_via_runscripthelper",
"time": 0
},
{
"name": "execute_suspicious_powershell_via_sqlps",
"time": 0
},
{
"name": "Indirect_Command_Execution_Via_ConsoleWindowHost",
"time": 0
},
{
"name": "Perform_Malicious_Activities_Via_Headless_Browser",
"time": 0
},
{
"name": "Register_DLL_Via_CertOC",
"time": 0
},
{
"name": "Register_DLL_Via_MSIEXEC",
"time": 0
},
{
"name": "Register_DLL_Via_Odbcconf",
"time": 0
},
{
"name": "Scriptlet_Proxy_Execution_Via_Pubprn",
"time": 0
},
{
"name": "ie_martian_children",
"time": 0
},
{
"name": "office_martian_children",
"time": 0
},
{
"name": "mimics_icon",
"time": 0
},
{
"name": "masquerade_process_name",
"time": 0
},
{
"name": "mimikatz_modules",
"time": 0
},
{
"name": "ms_office_cmd_rce",
"time": 0
},
{
"name": "mount_copy_to_webdav_share",
"time": 0
},
{
"name": "potential_protocol_tunneling_via_legit_utilities",
"time": 0
},
{
"name": "potential_protocol_tunneling_via_qemu",
"time": 0
},
{
"name": "suspicious_execution_via_dotnet_remoting",
"time": 0
},
{
"name": "modify_certs",
"time": 0
},
{
"name": "dotnet_clr_usagelog_regkeys",
"time": 0
},
{
"name": "modify_hostfile",
"time": 0
},
{
"name": "modify_oem_information",
"time": 0
},
{
"name": "modify_security_center_warnings",
"time": 0
},
{
"name": "modify_uac_prompt",
"time": 0
},
{
"name": "network_dns_blockchain",
"time": 0
},
{
"name": "network_dns_opennic",
"time": 0
},
{
"name": "network_dns_paste_site",
"time": 0
},
{
"name": "network_dns_reverse_proxy",
"time": 0
},
{
"name": "network_dns_temp_file_storage",
"time": 0
},
{
"name": "network_dns_temp_urldns",
"time": 0
},
{
"name": "network_dns_url_shortener",
"time": 0
},
{
"name": "network_dns_doh_tls",
"time": 0
},
{
"name": "suspicious_tld",
"time": 0
},
{
"name": "network_tor_service",
"time": 0
},
{
"name": "office_code_page",
"time": 0
},
{
"name": "office_addinloading",
"time": 0
},
{
"name": "office_perfkey",
"time": 0
},
{
"name": "office_macro",
"time": 0
},
{
"name": "changes_trust_center_settings",
"time": 0
},
{
"name": "disables_vba_trust_access",
"time": 0
},
{
"name": "office_macro_autoexecution",
"time": 0
},
{
"name": "office_macro_ioc",
"time": 0
},
{
"name": "office_macro_malicious_prediction",
"time": 0
},
{
"name": "office_macro_suspicious",
"time": 0
},
{
"name": "rtf_aslr_bypass",
"time": 0
},
{
"name": "rtf_anomaly_characterset",
"time": 0
},
{
"name": "rtf_anomaly_version",
"time": 0
},
{
"name": "rtf_embedded_content",
"time": 0
},
{
"name": "rtf_embedded_office_file",
"time": 0
},
{
"name": "rtf_exploit_static",
"time": 0
},
{
"name": "office_security",
"time": 0
},
{
"name": "accesses_office_username",
"time": 0
},
{
"name": "office_anomalous_feature",
"time": 0
},
{
"name": "office_dde_command",
"time": 0
},
{
"name": "packer_armadillo_mutex",
"time": 0
},
{
"name": "packer_armadillo_regkey",
"time": 0
},
{
"name": "persistence_safeboot",
"time": 0
},
{
"name": "persistence_ifeo",
"time": 0
},
{
"name": "persistence_silent_process_exit",
"time": 0
},
{
"name": "persistence_rdp_registry",
"time": 0
},
{
"name": "persistence_rdp_shadowing",
"time": 0
},
{
"name": "persistence_shim_database",
"time": 0
},
{
"name": "powerpool_mutexes",
"time": 0
},
{
"name": "powershell_scriptblock_logging",
"time": 0
},
{
"name": "powershell_command_suspicious",
"time": 0
},
{
"name": "powershell_history_save_mod",
"time": 0
},
{
"name": "powershell_renamed",
"time": 0
},
{
"name": "powershell_reversed",
"time": 0
},
{
"name": "powershell_variable_obfuscation",
"time": 0
},
{
"name": "prevents_safeboot",
"time": 0
},
{
"name": "cmdline_process_discovery",
"time": 0
},
{
"name": "cryptomix_mutexes",
"time": 0
},
{
"name": "dharma_mutexes",
"time": 0
},
{
"name": "ransomware_extensions",
"time": 0.001
},
{
"name": "ransomware_files",
"time": 0.002
},
{
"name": "fonix_mutexes",
"time": 0
},
{
"name": "gandcrab_mutexes",
"time": 0
},
{
"name": "germanwiper_mutexes",
"time": 0
},
{
"name": "medusalocker_mutexes",
"time": 0
},
{
"name": "medusalocker_regkeys",
"time": 0
},
{
"name": "nemty_mutexes",
"time": 0
},
{
"name": "nemty_regkeys",
"time": 0
},
{
"name": "pysa_mutexes",
"time": 0
},
{
"name": "ransomware_radamant",
"time": 0
},
{
"name": "ransomware_recyclebin",
"time": 0
},
{
"name": "revil_mutexes",
"time": 0
},
{
"name": "ransomware_revil_regkey",
"time": 0
},
{
"name": "satan_mutexes",
"time": 0
},
{
"name": "snake_ransom_mutexes",
"time": 0
},
{
"name": "stop_ransom_mutexes",
"time": 0
},
{
"name": "stop_ransomware_cmd",
"time": 0
},
{
"name": "rat_beebus_mutexes",
"time": 0
},
{
"name": "blacknet_mutexes",
"time": 0
},
{
"name": "blackrat_mutexes",
"time": 0
},
{
"name": "crat_mutexes",
"time": 0
},
{
"name": "dcrat_files",
"time": 0
},
{
"name": "dcrat_mutexes",
"time": 0
},
{
"name": "rat_fynloski_mutexes",
"time": 0
},
{
"name": "limerat_mutexes",
"time": 0
},
{
"name": "limerat_regkeys",
"time": 0
},
{
"name": "lodarat_file_behavior",
"time": 0
},
{
"name": "modirat_behavior",
"time": 0
},
{
"name": "njrat_regkeys",
"time": 0
},
{
"name": "obliquerat_files",
"time": 0
},
{
"name": "obliquerat_mutexes",
"time": 0
},
{
"name": "parallax_mutexes",
"time": 0
},
{
"name": "rat_pcclient",
"time": 0
},
{
"name": "rat_plugx_mutexes",
"time": 0
},
{
"name": "rat_poisonivy_mutexes",
"time": 0
},
{
"name": "rat_quasar_mutexes",
"time": 0
},
{
"name": "ratsnif_mutexes",
"time": 0
},
{
"name": "rat_spynet",
"time": 0
},
{
"name": "venomrat_mutexes",
"time": 0
},
{
"name": "warzonerat_files",
"time": 0
},
{
"name": "warzonerat_regkeys",
"time": 0
},
{
"name": "xpertrat_files",
"time": 0
},
{
"name": "xpertrat_mutexes",
"time": 0
},
{
"name": "rat_xtreme_mutexes",
"time": 0
},
{
"name": "reads_password_database",
"time": 0
},
{
"name": "recon_fingerprint",
"time": 0
},
{
"name": "remcos_files",
"time": 0
},
{
"name": "remcos_mutexes",
"time": 0
},
{
"name": "remcos_regkeys",
"time": 0
},
{
"name": "rdptcp_key",
"time": 0
},
{
"name": "uses_rdp_clip",
"time": 0
},
{
"name": "uses_remote_desktop_session",
"time": 0
},
{
"name": "removes_networking_icon",
"time": 0
},
{
"name": "removes_pinned_programs",
"time": 0
},
{
"name": "removes_security_maintenance_icon",
"time": 0
},
{
"name": "removes_startmenu_defaults",
"time": 0
},
{
"name": "removes_username_startmenu",
"time": 0
},
{
"name": "spicyhotpot_behavior",
"time": 0
},
{
"name": "sniffer_winpcap",
"time": 0
},
{
"name": "spreading_autoruninf",
"time": 0
},
{
"name": "stealth_hidden_extension",
"time": 0
},
{
"name": "stealth_hiddenreg",
"time": 0
},
{
"name": "stealth_hide_notifications",
"time": 0
},
{
"name": "stealth_webhistory",
"time": 0
},
{
"name": "sysinternals_psexec",
"time": 0
},
{
"name": "sysinternals_tools",
"time": 0
},
{
"name": "language_check_registry",
"time": 0
},
{
"name": "tampers_etw",
"time": 0
},
{
"name": "lsa_tampering",
"time": 0
},
{
"name": "tampers_powershell_logging",
"time": 0
},
{
"name": "targeted_flame",
"time": 0
},
{
"name": "territorial_disputes_sigs",
"time": 0.001
},
{
"name": "trickbot_mutex",
"time": 0
},
{
"name": "fleercivet_mutex",
"time": 0
},
{
"name": "lokibot_mutexes",
"time": 0
},
{
"name": "ursnif_behavior",
"time": 0
},
{
"name": "uses_adfind",
"time": 0
},
{
"name": "uses_ms_protocol",
"time": 0
},
{
"name": "neshta_mutexes",
"time": 0
},
{
"name": "renamer_mutexes",
"time": 0
},
{
"name": "owa_web_shell_files",
"time": 0
},
{
"name": "web_shell_files",
"time": 0
},
{
"name": "web_shell_processes",
"time": 0
},
{
"name": "dotnet_csc_build",
"time": 0
},
{
"name": "mavinject_lolbin",
"time": 0
},
{
"name": "multiple_explorer_instances",
"time": 0
},
{
"name": "script_tool_executed",
"time": 0
},
{
"name": "suspicious_certutil_use",
"time": 0
},
{
"name": "suspicious_command_tools",
"time": 0
},
{
"name": "suspicious_mpcmdrun_use",
"time": 0
},
{
"name": "suspicious_ping_use",
"time": 0
},
{
"name": "uses_powershell_copyitem",
"time": 0
},
{
"name": "uses_windows_utilities",
"time": 0
},
{
"name": "uses_windows_utilities_appcmd",
"time": 0
},
{
"name": "uses_windows_utilities_csvde_ldifde",
"time": 0
},
{
"name": "uses_windows_utilities_cipher",
"time": 0
},
{
"name": "uses_windows_utilities_clickonce",
"time": 0
},
{
"name": "uses_windows_utilities_curl",
"time": 0
},
{
"name": "uses_windows_utilities_dsquery",
"time": 0
},
{
"name": "uses_windows_utilities_esentutl",
"time": 0
},
{
"name": "uses_windows_utilities_finger",
"time": 0
},
{
"name": "uses_windows_utilities_mode",
"time": 0
},
{
"name": "uses_windows_utilities_ntdsutil",
"time": 0
},
{
"name": "uses_windows_utilities_nltest",
"time": 0
},
{
"name": "uses_windows_utilities_xcopy",
"time": 0
},
{
"name": "wmic_command_suspicious",
"time": 0
},
{
"name": "scrcons_wmi_script_consumer",
"time": 0
},
{
"name": "allaple_mutexes",
"time": 0
}
],
"reporting": [
{
"name": "BinGraph",
"time": 0
},
{
"name": "MITRE_TTPS",
"time": 0
},
{
"name": "ReportHTML",
"time": 0.056
},
{
"name": "ReportHTMLSummary",
"time": 0.053
}
]
}
|
*** LARGE PROPERTY ***
~154 KB Preview:{"category":"file","file" Click to fetch this property |
{
"payloads": [],
"configs": []
}
|
{
"version": "2.4-CAPE",
"started": "2025-12-07 09:50:28",
"ended": "2025-12-07 09:50:45",
"duration": 17,
"id": 26,
"category": "file",
"custom": "",
"machine": {
"id": 26,
"status": "stopping",
"name": "ubuntu22",
"label": "ubuntu22",
"platform": "linux",
"manager": "KVM",
"started_on": "2025-12-07 09:50:28",
"shutdown_on": "2025-12-07 09:50:38"
},
"package": "exe",
"timeout": false,
"tlp": null,
"parent_sample": null,
"options": {},
"source_url": null,
"route": "false",
"user_id": 0,
"CAPE_current_commit": "9cf8bf5a0ee601c0afc7068413c59a1049674c64"
}
|
{
"processes": []
}
|
{
"log": "2025-12-07 09:50:37,001 [root] DEBUG: Starting analyzer from: /l82_nda2\n2025-12-07 09:50:37,001 [root] DEBUG: Storing results at: /tmp/XABTxZOGG\n2025-12-07 09:50:37,002 [root] ERROR: Traceback (most recent call last):\n File \"/l82_nda2/lib/core/packages.py\", line 39, in choose_package_class\n module = __import__(full_name, globals(), locals(), [\"*\"])\nModuleNotFoundError: No module named 'modules.packages.exe'\n\nDuring handling of the above exception, another exception occurred:\n\nTraceback (most recent call last):\n File \"/l82_nda2/analyzer.py\", line 453, in <module>\n success = analyzer.run()\n File \"/l82_nda2/analyzer.py\", line 244, in run\n package_class = choose_package_class(self.config.file_type, self.config.file_name, **kwargs)\n File \"/l82_nda2/lib/core/packages.py\", line 41, in choose_package_class\n raise Exception(f'Unable to import package \"{name}\": it does not exist')\nException: Unable to import package \"exe\": it does not exist\nTraceback (most recent call last):\n File \"/l82_nda2/lib/core/packages.py\", line 39, in choose_package_class\n module = __import__(full_name, globals(), locals(), [\"*\"])\nModuleNotFoundError: No module named 'modules.packages.exe'\n\nDuring handling of the above exception, another exception occurred:\n\nTraceback (most recent call last):\n File \"/l82_nda2/analyzer.py\", line 453, in <module>\n success = analyzer.run()\n File \"/l82_nda2/analyzer.py\", line 244, in run\n package_class = choose_package_class(self.config.file_type, self.config.file_name, **kwargs)\n File \"/l82_nda2/lib/core/packages.py\", line 41, in choose_package_class\n raise Exception(f'Unable to import package \"{name}\": it does not exist')\nException: Unable to import package \"exe\": it does not exist\n",
"errors": []
}
|
{
"memory_path": "/opt/CAPEv2/storage/analyses/26/memory.dmp",
"memory_strings_path": "/opt/CAPEv2/storage/analyses/26/memory.dmp.strings"
}
|
{
"pcap_sha256": "2d7f3afc91361e0b9d0176e4debe70c09e4b4e953cfd078c76b4491e75a08145",
"hosts": [],
"domains": [],
"tcp": [],
"udp": [
{
"src": "192.168.122.133",
"sport": 5353,
"dst": "224.0.0.251",
"dport": 5353,
"offset": 234,
"time": 0.5013740062713623
}
],
"icmp": [],
"http": [],
"dns": [],
"smtp": [],
"irc": [],
"dead_hosts": []
}
|
{}
|
{}
|
eJwljcEKwkAMRH9lyUnBg2dv1ZMXBe1NRJYk4MLaLUkqlLL/b…
|
[
{
"name": "static_pe_pdbpath",
"description": "The PE file contains a suspicious PDB path",
"categories": [
"static"
],
"severity": 2,
"weight": 1,
"confidence": 80,
"references": [
"https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
],
"data": [
{
"anomaly": "the pdb path contains a reference to a development path or term that may suggest a non-enterprise environment development/compilation"
},
{
"pdbpath": "C:\\Users\\sulum\\OneDrive\\Desktop\\datacenter\\stubCsharp\\obj\\Release\\Client.pdb"
}
],
"new_data": [],
"alert": false,
"families": []
},
{
"name": "binary_yara",
"description": "Binary file triggered multiple YARA rules",
"categories": [
"static"
],
"severity": 3,
"weight": 1,
"confidence": 80,
"references": [],
"data": [
{
"Binary triggered YARA rule": "INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore"
},
{
"Binary triggered YARA rule": "INDICATOR_Binary_Embedded_Cryptocurrency_Wallet_Browser_Extension_IDs"
}
],
"new_data": [],
"alert": false,
"families": []
},
{
"name": "pe_compile_timestomping",
"description": "Binary compilation timestomping detected",
"categories": [
"generic"
],
"severity": 3,
"weight": 1,
"confidence": 100,
"references": [],
"data": [
{
"anomaly": "Compilation timestamp is in the future"
}
],
"new_data": [],
"alert": false,
"families": []
}
]
|
2
|
[
{
"signature": "pe_compile_timestomping",
"ttps": [
"T1070.006",
"T1070"
],
"mbcs": [
"OB0006",
"F0005",
"F0005.004"
]
},
{
"signature": "static_pe_pdbpath",
"ttps": [
"T1071"
],
"mbcs": [
"OC0006",
"C0002"
]
}
]
|
Clean
|
{
"enabled": true,
"screenshots": false,
"apicalls": false
}
|