Analysis Report · CAPE Sandbox

Analysis Details

Category	Package	Started	Completed	Duration	Logs
FILE		2026-03-05 00:13:46	2026-03-05 00:18:18	272s
Reports	JSON

Analysis Log

2026-03-05 02:28:20,371 [root] INFO: Date set to: 20260305T00:14:02, timeout set to: 200
2026-03-05 00:14:02,051 [root] DEBUG: Starting analyzer from: C:\nk6xk99a
2026-03-05 00:14:02,051 [root] DEBUG: Storing results at: C:\kWtmEP
2026-03-05 00:14:02,051 [root] DEBUG: Pipe server name: \\.\PIPE\nIfCthB
2026-03-05 00:14:02,051 [root] DEBUG: Python path: C:\Python310
2026-03-05 00:14:02,051 [root] INFO: analysis running as an admin
2026-03-05 00:14:02,051 [root] DEBUG: no analysis package configured, picking one for you
2026-03-05 00:14:02,051 [root] INFO: analysis package selected: "dll"
2026-03-05 00:14:02,051 [root] DEBUG: importing analysis package module: "modules.packages.dll"...
2026-03-05 00:14:02,098 [root] DEBUG: imported analysis package "dll"
2026-03-05 00:14:02,098 [root] DEBUG: initializing analysis package "dll"...
2026-03-05 00:14:02,098 [lib.common.common] INFO: wrapping
2026-03-05 00:14:02,160 [lib.core.compound] INFO: C:\Users\cape\AppData\Local\Temp already exists, skipping creation
2026-03-05 00:14:02,160 [root] DEBUG: New location of moved file: C:\Users\cape\AppData\Local\Temp\e083a7ae79b44c4fb2e9.dll
2026-03-05 00:14:02,160 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL option
2026-03-05 00:14:02,160 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL_64 option
2026-03-05 00:14:02,160 [root] INFO: Analyzer: Package modules.packages.dll does not specify a loader option
2026-03-05 00:14:02,160 [root] INFO: Analyzer: Package modules.packages.dll does not specify a loader_64 option
2026-03-05 00:14:02,285 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2026-03-05 00:14:02,379 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2026-03-05 00:14:02,426 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2026-03-05 00:14:02,504 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2026-03-05 00:14:02,754 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2026-03-05 00:14:02,801 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2026-03-05 00:14:02,801 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2026-03-05 00:14:02,942 [lib.api.screenshot] INFO: Please upgrade Pillow to >= 5.4.1 for best performance
2026-03-05 00:14:02,942 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2026-03-05 00:14:03,082 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2026-03-05 00:14:03,082 [root] DEBUG: Initialized auxiliary module "Browser"
2026-03-05 00:14:03,082 [root] DEBUG: attempting to configure 'Browser' from data
2026-03-05 00:14:03,082 [root] DEBUG: module Browser does not support data configuration, ignoring
2026-03-05 00:14:03,082 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2026-03-05 00:14:03,098 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2026-03-05 00:14:03,098 [root] DEBUG: Initialized auxiliary module "DigiSig"
2026-03-05 00:14:03,098 [root] DEBUG: attempting to configure 'DigiSig' from data
2026-03-05 00:14:03,098 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2026-03-05 00:14:03,098 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2026-03-05 00:14:03,098 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2026-03-05 00:14:03,676 [modules.auxiliary.digisig] DEBUG: File format not recognized
2026-03-05 00:14:03,676 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2026-03-05 00:14:03,692 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2026-03-05 00:14:03,692 [root] DEBUG: Initialized auxiliary module "Disguise"
2026-03-05 00:14:03,692 [root] DEBUG: attempting to configure 'Disguise' from data
2026-03-05 00:14:03,692 [root] DEBUG: module Disguise does not support data configuration, ignoring
2026-03-05 00:14:03,692 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2026-03-05 00:14:03,723 [modules.auxiliary.disguise] INFO: Disguising GUID to ec24bf0b-09d7-4fe0-a551-9e044cf8910b
2026-03-05 00:14:03,723 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2026-03-05 00:14:03,723 [root] DEBUG: Initialized auxiliary module "Human"
2026-03-05 00:14:03,738 [root] DEBUG: attempting to configure 'Human' from data
2026-03-05 00:14:03,738 [root] DEBUG: module Human does not support data configuration, ignoring
2026-03-05 00:14:03,738 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2026-03-05 00:14:03,738 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2026-03-05 00:14:03,738 [root] DEBUG: Initialized auxiliary module "Screenshots"
2026-03-05 00:14:03,738 [root] DEBUG: attempting to configure 'Screenshots' from data
2026-03-05 00:14:03,738 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2026-03-05 00:14:03,738 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2026-03-05 00:14:03,754 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2026-03-05 00:14:03,754 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2026-03-05 00:14:03,754 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2026-03-05 00:14:03,754 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2026-03-05 00:14:03,770 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2026-03-05 00:14:03,770 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 656
2026-03-05 00:14:03,816 [lib.api.process] INFO: Monitor config for <Process 656 lsass.exe>: C:\nk6xk99a\dll\656.ini
2026-03-05 00:14:03,816 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2026-03-05 00:14:03,988 [lib.api.process] INFO: 64-bit DLL to inject is C:\nk6xk99a\dll\SGTDBC.dll, loader C:\nk6xk99a\bin\LKjEOuoK.exe
2026-03-05 00:14:04,223 [root] DEBUG: 656: Python path set to 'C:\Python310'.
2026-03-05 00:14:04,238 [root] DEBUG: 656: Disabling sleep skipping.
2026-03-05 00:14:04,238 [root] DEBUG: 656: TLS secret dump mode enabled.
2026-03-05 00:14:04,285 [root] DEBUG: 656: RtlInsertInvertedFunctionTable 0x00007FF97FCC090E, LdrpInvertedFunctionTableSRWLock 0x00007FF97FE1D500
2026-03-05 00:14:04,285 [root] DEBUG: 656: Monitor initialised: 64-bit capemon loaded in process 656 at 0x00007FF95DDB0000, thread 3148, image base 0x00007FF794EB0000, stack from 0x000000A2778F2000-0x000000A277900000
2026-03-05 00:14:04,303 [root] DEBUG: 656: Commandline: C:\Windows\system32\lsass.exe
2026-03-05 00:14:04,317 [root] DEBUG: 656: Hooked 5 out of 5 functions
2026-03-05 00:14:04,332 [lib.api.process] INFO: Injected into 64-bit <Process 656 lsass.exe>
2026-03-05 00:14:04,332 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump
2026-03-05 00:14:19,192 [root] DEBUG: 656: TLS 1.2 secrets logged to: C:\kWtmEP\tlsdump\tlsdump.log
2026-03-05 00:14:21,238 [root] INFO: Restarting WMI Service
2026-03-05 00:14:23,582 [root] DEBUG: package modules.packages.dll does not support configure, ignoring
2026-03-05 00:14:23,582 [root] WARNING: configuration error for package modules.packages.dll: error importing data.packages.dll: No module named 'data.packages'
2026-03-05 00:14:23,598 [lib.core.compound] INFO: C:\Users\cape\AppData\Local\Temp already exists, skipping creation
2026-03-05 00:14:23,863 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\System32\rundll32.exe" with arguments ""C:\Users\cape\AppData\Local\Temp\e083a7ae79b44c4fb2e9.dll",#1" with pid 6032
2026-03-05 00:14:23,879 [lib.api.process] INFO: Monitor config for <Process 6032 rundll32.exe>: C:\nk6xk99a\dll\6032.ini
2026-03-05 00:14:23,879 [lib.api.process] INFO: 32-bit DLL to inject is C:\nk6xk99a\dll\kvhLKeLc.dll, loader C:\nk6xk99a\bin\ikgDEgw.exe
2026-03-05 00:14:23,988 [root] DEBUG: Loader: Injecting process 6032 (thread 5620) with C:\nk6xk99a\dll\kvhLKeLc.dll.
2026-03-05 00:14:23,988 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-03-05 00:14:24,004 [root] DEBUG: Successfully injected DLL C:\nk6xk99a\dll\kvhLKeLc.dll.
2026-03-05 00:14:24,004 [lib.api.process] INFO: Injected into 32-bit <Process 6032 rundll32.exe>
2026-03-05 00:14:26,020 [lib.api.process] INFO: Successfully resumed <Process 6032 rundll32.exe>
2026-03-05 00:14:26,113 [root] DEBUG: 6032: Python path set to 'C:\Python310'.
2026-03-05 00:14:26,129 [root] DEBUG: 6032: Disabling sleep skipping.
2026-03-05 00:14:26,129 [root] DEBUG: 6032: Dropped file limit defaulting to 100.
2026-03-05 00:14:26,160 [root] DEBUG: 6032: YaraInit: Compiled 44 rule files
2026-03-05 00:14:26,176 [root] DEBUG: 6032: YaraInit: Compiled rules saved to file C:\nk6xk99a\data\yara\capemon.yac
2026-03-05 00:14:26,238 [root] DEBUG: 6032: YaraScan: Scanning 0x00C10000, size 0x136e8
2026-03-05 00:14:26,285 [root] DEBUG: 6032: Monitor initialised: 32-bit capemon loaded in process 6032 at 0x736b0000, thread 5620, image base 0xc10000, stack from 0x2c62000-0x2c70000
2026-03-05 00:14:26,285 [root] DEBUG: 6032: Commandline: "C:\Windows\System32\rundll32.exe" "C:\Users\cape\AppData\Local\Temp\e083a7ae79b44c4fb2e9.dll",#1
2026-03-05 00:14:26,613 [root] DEBUG: 6032: hook_api: LdrpCallInitRoutine export address 0x779A2A40 obtained via GetFunctionAddress
2026-03-05 00:14:26,629 [root] DEBUG: 6032: hook_api: Warning - CreateProcessA export address 0x760A2D90 differs from GetProcAddress -> 0x739922A0 (AcLayers.DLL::0xfd9222a0)
2026-03-05 00:14:26,629 [root] DEBUG: 6032: hook_api: Warning - CreateProcessW export address 0x760888E0 differs from GetProcAddress -> 0x739924E0 (AcLayers.DLL::0xfd9224e0)
2026-03-05 00:14:26,629 [root] DEBUG: 6032: hook_api: Warning - WinExec export address 0x760CCF20 differs from GetProcAddress -> 0x739927A0 (AcLayers.DLL::0xfd9227a0)
2026-03-05 00:14:26,754 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2026-03-05 00:14:26,754 [root] DEBUG: 6032: set_hooks: Unable to hook GetCommandLineA
2026-03-05 00:14:26,754 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2026-03-05 00:14:26,754 [root] DEBUG: 6032: set_hooks: Unable to hook GetCommandLineW
2026-03-05 00:14:26,770 [root] DEBUG: 6032: Hooked 630 out of 632 functions
2026-03-05 00:14:26,770 [root] DEBUG: 6032: Syscall hook installed, syscall logging level 1
2026-03-05 00:14:26,785 [root] DEBUG: 6032: RestoreHeaders: Restored original import table.
2026-03-05 00:14:26,785 [root] INFO: Loaded monitor into process with pid 6032
2026-03-05 00:14:26,785 [root] DEBUG: 6032: caller_dispatch: Added region at 0x00C10000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x00C15F1A, thread 5620).
2026-03-05 00:14:26,801 [root] DEBUG: 6032: YaraScan: Scanning 0x00C10000, size 0x136e8
2026-03-05 00:14:26,801 [root] DEBUG: 6032: ProcessImageBase: Main module image at 0x00C10000 unmodified (entropy change 0.000000e+00)
2026-03-05 00:14:26,863 [root] DEBUG: 6032: InstrumentationCallback: Added region at 0x760924AC (base 0x76070000) to tracked regions list (thread 5620).
2026-03-05 00:14:26,863 [root] DEBUG: 6032: ProcessTrackedRegion: Region at 0x76070000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\kernel32.dll is in known range, skipping
2026-03-05 00:14:27,067 [root] DEBUG: 6032: InstrumentationCallback: Added region at 0x75C633EC (base 0x75B30000) to tracked regions list (thread 5620).
2026-03-05 00:14:27,098 [root] DEBUG: 6032: ProcessTrackedRegion: Region at 0x75B30000 mapped as \Device\HarddiskVolume1\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2026-03-05 00:14:27,223 [root] DEBUG: 6032: DLL loaded at 0x73610000: C:\Windows\SYSTEM32\TextShaping (0x94000 bytes).
2026-03-05 00:14:27,504 [root] DEBUG: 6032: DLL loaded at 0x740C0000: C:\Windows\system32\uxtheme (0x74000 bytes).
2026-03-05 00:14:27,551 [root] DEBUG: 6032: DLL loaded at 0x75D50000: C:\Windows\System32\MSCTF (0xd4000 bytes).
2026-03-05 00:14:27,676 [root] DEBUG: 6032: set_hooks_by_export_directory: Hooked 0 out of 632 functions
2026-03-05 00:14:27,691 [root] DEBUG: 6032: DLL loaded at 0x74D40000: C:\Windows\SYSTEM32\kernel.appcore (0xf000 bytes).
2026-03-05 00:14:27,691 [root] DEBUG: 6032: DLL loaded at 0x76C00000: C:\Windows\System32\bcryptPrimitives (0x5f000 bytes).
2026-03-05 00:14:27,801 [root] DEBUG: 6032: DLL loaded at 0x73200000: C:\Windows\SYSTEM32\ntmarta (0x29000 bytes).
2026-03-05 00:14:27,817 [root] DEBUG: 6032: DLL loaded at 0x73230000: C:\Windows\System32\CoreMessaging (0x9b000 bytes).
2026-03-05 00:14:27,817 [root] DEBUG: 6032: DLL loaded at 0x73120000: C:\Windows\SYSTEM32\wintypes (0xdb000 bytes).
2026-03-05 00:14:27,817 [root] DEBUG: 6032: DLL loaded at 0x732D0000: C:\Windows\System32\CoreUIComponents (0x27e000 bytes).
2026-03-05 00:14:27,817 [root] DEBUG: 6032: DLL loaded at 0x73550000: C:\Windows\SYSTEM32\textinputframework (0xb9000 bytes).
2026-03-05 00:17:46,379 [root] INFO: Analysis timeout hit, terminating analysis
2026-03-05 00:17:46,379 [lib.api.process] INFO: Terminate event set for <Process 6032 rundll32.exe>
2026-03-05 00:17:46,379 [root] DEBUG: 6032: Terminate Event: Attempting to dump process 6032
2026-03-05 00:17:46,395 [root] DEBUG: 6032: DoProcessDump: Skipping process dump as code is identical on disk.
2026-03-05 00:17:46,395 [lib.api.process] INFO: Termination confirmed for <Process 6032 rundll32.exe>
2026-03-05 00:17:46,395 [root] INFO: Terminate event set for process 6032
2026-03-05 00:17:46,395 [root] DEBUG: 6032: Terminate Event: monitor shutdown complete for process 6032
2026-03-05 00:17:46,395 [root] INFO: Created shutdown mutex
2026-03-05 00:17:47,426 [root] INFO: Shutting down package
2026-03-05 00:17:47,426 [root] INFO: Stopping auxiliary modules
2026-03-05 00:17:47,426 [root] INFO: Stopping auxiliary module: Browser
2026-03-05 00:17:47,426 [root] INFO: Stopping auxiliary module: Human
2026-03-05 00:17:53,504 [root] INFO: Stopping auxiliary module: Screenshots
2026-03-05 00:17:54,598 [root] INFO: Finishing auxiliary modules
2026-03-05 00:17:54,598 [root] INFO: Shutting down pipe server and dumping dropped files
2026-03-05 00:17:54,598 [root] WARNING: Folder at path "C:\kWtmEP\debugger" does not exist, skipping
2026-03-05 00:17:54,598 [root] INFO: Uploading files at path "C:\kWtmEP\tlsdump"
2026-03-05 00:17:54,613 [lib.common.results] INFO: Uploading file C:\kWtmEP\tlsdump\tlsdump.log to tlsdump\tlsdump.log; Size is 4384; Max size: 100000000
2026-03-05 00:17:54,613 [root] INFO: Analysis completed

Process Log

Pre-Script Log

During-Script Log

Machine Information

Name	Label	Manager	Started On	Shutdown On
win10x64	win10x64	KVM	2026-03-05 00:13:46	2026-03-05 00:18:18

File Details

File Information

File Name	e083a7ae79b44c4fb2e9.dll
File Type	JPEG XL codestream
File Size	15 bytes
MD5	6f0a726120761caaeca7103ba199ed78
SHA1	b8d6cdef821ed52cb47918543de8eb4af3cbd304
SHA256	34d848f8fbb0085717a43dadaffe74ea4e1fb5506bd8f3aab5cafa98ee472cfb VT MWDB Bazaar
SHA3-384	37df8fe2ff4082b546aae4c69d280165d7009afac958f4e47c7c09784a3e797820a845ac7a7377b26e7d11b47dec41d9
CRC32	CB3539D8
Ssdeep	3:k+:k+

Tools: Gen BinGraph

Signatures

Network activity detected but not expressed in monitor API logs

ip: 72.154.7.109

ip: 72.154.7.16

ip: 176.99.136.153

HTTP traffic contains suspicious features which may be indicative of malware related traffic

ip_hostname: HTTP connection was made to an IP address rather than domain name

suspicious_request: http://176.99.136.153/filestreamingservice/files/080ef4a0-be38-451d-bc0c-6f002879786f?P1=1772675240&P2=404&P3=2&P4=XulOwRGtMZzcNKQGALMkMyn4znaN%2bw51OI%2bu68BMlQC68jblctprOUDXdVXREvmHnKMSEyyKhlEqi0s4sVMbYw%3d%3d&cacheHostOrigin=4.tlu.dl.delivery.mp.microsoft.com

suspicious_request: http://176.99.136.153/filestreamingservice/files/04321851-7dec-4cfd-8c57-da0b4ae64040?P1=1772667035&P2=404&P3=2&P4=Dxm0MQ0r8wJBywFPdaaix9tzgCbtb6TMyf15OeUQLxdKnb0skxr4k68jPjJjUkyljucNAWn7tAjopIgFHNemjA%3d%3d&cacheHostOrigin=tlu.dl.delivery.mp.microsoft.com

Performs some HTTP requests

url: http://176.99.136.153/filestreamingservice/files/080ef4a0-be38-451d-bc0c-6f002879786f?P1=1772675240&P2=404&P3=2&P4=XulOwRGtMZzcNKQGALMkMyn4znaN%2bw51OI%2bu68BMlQC68jblctprOUDXdVXREvmHnKMSEyyKhlEqi0s4sVMbYw%3d%3d&cacheHostOrigin=4.tlu.dl.delivery.mp.microsoft.com

url: http://176.99.136.153/filestreamingservice/files/04321851-7dec-4cfd-8c57-da0b4ae64040?P1=1772667035&P2=404&P3=2&P4=Dxm0MQ0r8wJBywFPdaaix9tzgCbtb6TMyf15OeUQLxdKnb0skxr4k68jPjJjUkyljucNAWn7tAjopIgFHNemjA%3d%3d&cacheHostOrigin=tlu.dl.delivery.mp.microsoft.com

Makes a suspicious HTTP request to a commonly exploitable directory with questionable file ext

url: http://176.99.136.153/filestreamingservice/files/080ef4a0-be38-451d-bc0c-6f002879786f?P1=1772675240&P2=404&P3=2&P4=XulOwRGtMZzcNKQGALMkMyn4znaN%2bw51OI%2bu68BMlQC68jblctprOUDXdVXREvmHnKMSEyyKhlEqi0s4sVMbYw%3d%3d&cacheHostOrigin=4.tlu.dl.delivery.mp.microsoft.com

url: http://176.99.136.153/filestreamingservice/files/04321851-7dec-4cfd-8c57-da0b4ae64040?P1=1772667035&P2=404&P3=2&P4=Dxm0MQ0r8wJBywFPdaaix9tzgCbtb6TMyf15OeUQLxdKnb0skxr4k68jPjJjUkyljucNAWn7tAjopIgFHNemjA%3d%3d&cacheHostOrigin=tlu.dl.delivery.mp.microsoft.com

url: http://176.99.136.153/filestreamingservice/files/080ef4a0-be38-451d-bc0c-6f002879786f?P1=1772675240&P2=404&P3=2&P4=XulOwRGtMZzcNKQGALMkMyn4znaN%2bw51OI%2bu68BMlQC68jblctprOUDXdVXREvmHnKMSEyyKhlEqi0s4sVMbYw%3d%3d&cacheHostOrigin=4.tlu.dl.delivery.mp.microsoft.com

Screenshots

Hosts

Direct	IP	Country Name
Y	72.154.7.109 [VT]	unknown
Y	72.154.7.16 [VT]	unknown
Y	176.99.136.153 [VT]	unknown

Summary

Accessed Files Registry Keys Read Registry Keys

C:\Users\cape\AppData\Local\Temp\e083a7ae79b44c4fb2e9.dll.manifest
C:\Users\cape\AppData\Local\Temp\e083a7ae79b44c4fb2e9.dll
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files\WindowsApps\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe\Windows\System32\ru-RU\KERNELBASE.dll.mui
C:\Windows\System32\ru-RU\KERNELBASE.dll.mui
C:\Windows\sysnative\ru-RU\KERNELBASE.dll.mui
C:\Program Files\WindowsApps\Microsoft.LanguageExperiencePackru-RU_19041.80.272.0_neutral__8wekyb3d8bbwe\Windows\System32\ru-RU\rundll32.exe.mui

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\Software\Microsoft\LanguageOverlay\OverlayPackages\ru-RU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\LanguageOverlay\OverlayPackages\ru-RU\Latest

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\LanguageOverlay\OverlayPackages\ru-RU\Latest

No results found.

Analysis Details

Analysis Log

Process Log

Pre-Script Log

During-Script Log

Machine Information

File Details

File Information

Signatures

Screenshots

Hosts

Summary

Hosts

TCP Connections

UDP Connections

DNS Requests

HTTP Requests

SMTP Traffic

IRC Traffic

ICMP Traffic

CIF Results

Suricata Alerts

Suricata TLS

Suricata HTTP

Analysis Details

Analysis Log

Process Log

Pre-Script Log

During-Script Log

Machine Information

File Details

File Information

Statistics 24.06s

Signatures

Screenshots

Hosts

Summary

Hosts

TCP Connections

UDP Connections

DNS Requests

HTTP Requests

SMTP Traffic

IRC Traffic

ICMP Traffic

CIF Results

Suricata Alerts

Suricata TLS

Suricata HTTP