{ "statistics": { "processing": [ { "name": "CAPE", "time": 5.426 }, { "name": "AnalysisInfo", "time": 0.061 }, { "name": "BehaviorAnalysis", "time": 0.01 }, { "name": "Debug", "time": 0.002 }, { "name": "NetworkAnalysis", "time": 0.083 }, { "name": "Suricata", "time": 1.185 }, { "name": "UrlAnalysis", "time": 0.0 }, { "name": "script_log_processing", "time": 0.0 }, { "name": "ProcessMemory", "time": 0.0 } ], "signatures": [ { "name": "packer_themida", "time": 0.0 }, { "name": "stealth_network", "time": 0.0 }, { "name": "disable_driver_via_blocklist", "time": 0.0 }, { "name": "disable_driver_via_hvcidisallowedimages", "time": 0.0 }, { "name": "disable_hypervisor_protected_code_integrity", "time": 0.0 }, { "name": "pendingfilerenameoperations_Operations", "time": 0.0 }, { "name": "anomalous_deletefile", "time": 0.0 }, { "name": "antiav_360_libs", "time": 0.0 }, { "name": "antiav_ahnlab_libs", "time": 0.0 }, { "name": "antiav_avast_libs", "time": 0.0 }, { "name": "antiav_bitdefender_libs", "time": 0.0 }, { "name": "antiav_bullguard_libs", "time": 0.0 }, { "name": "antiav_emsisoft_libs", "time": 0.0 }, { "name": "antiav_qurb_libs", "time": 0.0 }, { "name": "antiav_servicestop", "time": 0.0 }, { "name": "antiav_apioverride_libs", "time": 0.0 }, { "name": "antidebug_guardpages", "time": 0.0 }, { "name": "antiav_nthookengine_libs", "time": 0.0 }, { "name": "antidebug_outputdebugstring", "time": 0.0 }, { "name": "antidebug_setunhandledexceptionfilter", "time": 0.0 }, { "name": "antidebug_windows", "time": 0.0 }, { "name": "antisandbox_cuckoocrash", "time": 0.0 }, { "name": "antisandbox_foregroundwindows", "time": 0.0 }, { "name": "mouse_movement_detect", "time": 0.0 }, { "name": "antisandbox_sboxie_libs", "time": 0.0 }, { "name": "antisandbox_script_timer", "time": 0.0 }, { "name": "antisandbox_sleep", "time": 0.0 }, { "name": "antisandbox_sunbelt_libs", "time": 0.0 }, { "name": "antisandbox_unhook", "time": 0.0 }, { "name": "antivm_directory_objects", "time": 0.0 }, { "name": "antivm_display", "time": 0.0 }, { "name": "antivm_generic_disk", "time": 0.0 }, { "name": "antivm_generic_system", "time": 0.0 }, { "name": "antivm_checks_available_memory", "time": 0.0 }, { "name": "detect_virtualization_via_recent_files", "time": 0.0 }, { "name": "antivm_vbox_libs", "time": 0.0 }, { "name": "antivm_vmware_events", "time": 0.0 }, { "name": "antivm_vmware_libs", "time": 0.0 }, { "name": "antivm_wmi", "time": 0.0 }, { "name": "api_spamming", "time": 0.0 }, { "name": "api_uuidfromstringa", "time": 0.0 }, { "name": "bcdedit_command", "time": 0.0 }, { "name": "bootkit", "time": 0.0 }, { "name": "direct_hdd_access", "time": 0.0 }, { "name": "physical_drive_access", "time": 0.0 }, { "name": "potential_overwrite_mbr", "time": 0.0 }, { "name": "read_file_raw_disk_access", "time": 0.0 }, { "name": "suspicious_iocontrol_codes", "time": 0.0 }, { "name": "browser_needed", "time": 0.0 }, { "name": "regsvr32_squiblydoo_dll_load", "time": 0.0 }, { "name": "uac_bypass_cmstp", "time": 0.0 }, { "name": "uac_bypass_eventvwr", "time": 0.0 }, { "name": "uac_bypass_windows_Backup", "time": 0.0 }, { "name": "dotnet_code_compile", "time": 0.0 }, { "name": "queries_computer_name", "time": 0.0 }, { "name": "queries_user_name", "time": 0.0 }, { "name": "creates_largekey", "time": 0.0 }, { "name": "creates_nullvalue", "time": 0.0 }, { "name": "access_windows_passwords_vault", "time": 0.0 }, { "name": "lsass_credential_dumping", "time": 0.0 }, { "name": "critical_process", "time": 0.0 }, { "name": "cryptopool_domains", "time": 0.0 }, { "name": "dead_connect", "time": 0.0 }, { "name": "dead_link", "time": 0.0 }, { "name": "decoy_document", "time": 0.0 }, { "name": "decoy_image", "time": 0.0 }, { "name": "deletes_consolehost_history", "time": 0.0 }, { "name": "dep_bypass", "time": 0.0 }, { "name": "dep_disable", "time": 0.0 }, { "name": "disables_wfp", "time": 0.0 }, { "name": "add_windows_defender_exclusions", "time": 0.0 }, { "name": "mountpoints_volume_discovery", "time": 0.0 }, { "name": "dll_load_uncommon_file_types", "time": 0.0 }, { "name": "document_script_exe_drop", "time": 0.0 }, { "name": "guloader_apis", "time": 0.0 }, { "name": "driver_load", "time": 0.0 }, { "name": "dynamic_function_loading", "time": 0.0 }, { "name": "encrypted_ioc", "time": 0.0 }, { "name": "exec_crash", "time": 0.0 }, { "name": "process_creation_suspicious_location", "time": 0.0 }, { "name": "exploit_getbasekerneladdress", "time": 0.0 }, { "name": "exploit_gethaldispatchtable", "time": 0.0 }, { "name": "exploit_heapspray", "time": 0.0 }, { "name": "koadic_apis", "time": 0.0 }, { "name": "koadic_network_activity", "time": 0.0 }, { "name": "downloads_from_filehosting", "time": 0.0 }, { "name": "generic_phish", "time": 0.0 }, { "name": "http_request", "time": 0.0 }, { "name": "infostealer_browser", "time": 0.0 }, { "name": "infostealer_browser_password", "time": 0.0 }, { "name": "infostealer_cookies", "time": 0.0 }, { "name": "cryptbot_network", "time": 0.0 }, { "name": "purplewave_network_activity", "time": 0.0 }, { "name": "quilclipper_behavior", "time": 0.0 }, { "name": "raccoon_behavior", "time": 0.0 }, { "name": "captures_screenshot", "time": 0.0 }, { "name": "vidar_behavior", "time": 0.0 }, { "name": "injection_createremotethread", "time": 0.0 }, { "name": "creates_suspended_process", "time": 0.0 }, { "name": "injection_network_traffic", "time": 0.0 }, { "name": "injection_runpe", "time": 0.0 }, { "name": "injection_rwx", "time": 0.0 }, { "name": "injection_themeinitapihook", "time": 0.0 }, { "name": "resumethread_remote_process", "time": 0.0 }, { "name": "injection_write_exe_process", "time": 0.0 }, { "name": "injection_write_process", "time": 0.0 }, { "name": "internet_dropper", "time": 0.0 }, { "name": "escalate_privilege_via_named_pipe", "time": 0.0 }, { "name": "ipc_namedpipe", "time": 0.0 }, { "name": "js_phish", "time": 0.0 }, { "name": "js_suspicious_redirect", "time": 0.0 }, { "name": "loader_alien", "time": 0.0 }, { "name": "execute_binary_via_internet_explorer_exporter", "time": 0.0 }, { "name": "execute_binary_via_run_exe_helper_utility", "time": 0.0 }, { "name": "execute_ps_via_syncappvpublishingserver", "time": 0.0 }, { "name": "malicious_dynamic_function_loading", "time": 0.0 }, { "name": "encrypt_pcinfo", "time": 0.0 }, { "name": "encrypt_data_agenttesla_http", "time": 0.0 }, { "name": "encrypt_data_agentteslat2_http", "time": 0.0 }, { "name": "encrypt_data_nanocore", "time": 0.0 }, { "name": "reads_memory_remote_process", "time": 0.0 }, { "name": "mimics_filetime", "time": 0.0 }, { "name": "amsi_bypass_via_com_registry", "time": 0.0 }, { "name": "access_auto_logons_via_registry", "time": 0.0 }, { "name": "access_boot_key_via_registry", "time": 0.0 }, { "name": "create_suspicious_lnk_files", "time": 0.0 }, { "name": "credential_access_via_windows_credential_history", "time": 0.0 }, { "name": "dll_hijacking_via_microsoft_exchange", "time": 0.0 }, { "name": "dll_hijacking_via_waas_medic_svc_com_typelib", "time": 0.0 }, { "name": "execute_file_downloaded_via_openssh", "time": 0.0 }, { "name": "execute_safe_mode_from_suspicious_process", "time": 0.0 }, { "name": "execute_scripts_via_microsoft_management_console", "time": 0.0 }, { "name": "execute_suspicious_processes_via_windows_mssql_service", "time": 0.0 }, { "name": "execution_from_self_extracting_archive", "time": 0.0 }, { "name": "ip_address_discovery_via_trusted_program", "time": 0.0 }, { "name": "load_dll_via_control_panel", "time": 0.0 }, { "name": "network_connection_via_suspicious_process", "time": 0.0 }, { "name": "potential_location_discovery_via_unusual_process", "time": 0.0 }, { "name": "store_executable_registry", "time": 0.0 }, { "name": "Suspicious_Execution_Via_MicrosoftExchangeTransportAgent", "time": 0.0 }, { "name": "suspicious_java_execution_via_win_scripts", "time": 0.0 }, { "name": "Suspicious_Scheduled_Task_Creation_Via_Masqueraded_XML_File", "time": 0.0 }, { "name": "uses_restart_manager_for_suspicious_activities", "time": 0.0 }, { "name": "modify_desktop_wallpaper", "time": 0.0 }, { "name": "move_file_on_reboot", "time": 0.0 }, { "name": "multiple_useragents", "time": 0.0 }, { "name": "network_anomaly", "time": 0.0 }, { "name": "network_bind", "time": 0.0 }, { "name": "network_cnc_https_archive", "time": 0.0 }, { "name": "network_cnc_https_free_webhosting", "time": 0.0 }, { "name": "network_cnc_https_generic", "time": 0.0 }, { "name": "network_cnc_https_interactsh", "time": 0.0 }, { "name": "network_cnc_https_opensource", "time": 0.0 }, { "name": "network_cnc_https_pastesite", "time": 0.0 }, { "name": "network_cnc_https_payload", "time": 0.0 }, { "name": "network_cnc_https_serviceinterface", "time": 0.0 }, { "name": "network_cnc_https_socialmedia", "time": 0.0 }, { "name": "network_cnc_https_telegram", "time": 0.0 }, { "name": "network_cnc_https_tempstorage", "time": 0.0 }, { "name": "network_cnc_https_temp_urldns", "time": 0.0 }, { "name": "network_cnc_https_urlshortener", "time": 0.0 }, { "name": "network_cnc_https_useragent", "time": 0.0 }, { "name": "network_cnc_smtps_exfil", "time": 0.0 }, { "name": "network_cnc_smtps_generic", "time": 0.0 }, { "name": "network_dns_idn", "time": 0.0 }, { "name": "network_dns_suspicious_querytype", "time": 0.0 }, { "name": "network_dns_tunneling_request", "time": 0.0 }, { "name": "network_document_http", "time": 0.0 }, { "name": "explorer_http", "time": 0.0 }, { "name": "network_fake_useragent", "time": 0.0 }, { "name": "legitimate_domain_abuse", "time": 0.0 }, { "name": "suspicious_communication_trusted_site", "time": 0.0 }, { "name": "network_tor", "time": 0.0 }, { "name": "office_com_load", "time": 0.0 }, { "name": "office_dotnet_load", "time": 0.0 }, { "name": "office_mshtml_load", "time": 0.0 }, { "name": "office_vb_load", "time": 0.0 }, { "name": "office_wmi_load", "time": 0.0 }, { "name": "office_cve2017_11882", "time": 0.0 }, { "name": "office_cve2017_11882_network", "time": 0.0 }, { "name": "office_cve_2021_40444", "time": 0.0 }, { "name": "office_cve_2021_40444_m2", "time": 0.0 }, { "name": "office_flash_load", "time": 0.0 }, { "name": "office_postscript", "time": 0.0 }, { "name": "office_suspicious_processes", "time": 0.0 }, { "name": "office_write_exe", "time": 0.0 }, { "name": "persistence_via_autodial_dll_registry", "time": 0.0 }, { "name": "persistence_autorun", "time": 0.0 }, { "name": "persistence_autorun_tasks", "time": 0.0 }, { "name": "persistence_bootexecute", "time": 0.0 }, { "name": "persistence_registry_script", "time": 0.0 }, { "name": "powershell_network_connection", "time": 0.0 }, { "name": "powershell_download", "time": 0.0 }, { "name": "powershell_request", "time": 0.0 }, { "name": "createtoolhelp32snapshot_module_enumeration", "time": 0.0 }, { "name": "enumerates_running_processes", "time": 0.0 }, { "name": "process_interest", "time": 0.0 }, { "name": "process_needed", "time": 0.0 }, { "name": "mass_data_encryption", "time": 0.0 }, { "name": "ransomware_file_modifications", "time": 0.0 }, { "name": "ransomware_message", "time": 0.0 }, { "name": "nemty_network_activity", "time": 0.0 }, { "name": "nemty_note", "time": 0.0 }, { "name": "sodinokibi_behavior", "time": 0.0 }, { "name": "stop_ransomware_registry", "time": 0.0 }, { "name": "blackrat_apis", "time": 0.0 }, { "name": "blackrat_network_activity", "time": 0.0 }, { "name": "blackrat_registry_keys", "time": 0.0 }, { "name": "dcrat_behavior", "time": 0.0 }, { "name": "karagany_system_event_objects", "time": 0.0 }, { "name": "rat_luminosity", "time": 0.0 }, { "name": "rat_nanocore", "time": 0.0 }, { "name": "netwire_behavior", "time": 0.0 }, { "name": "obliquerat_network_activity", "time": 0.0 }, { "name": "orcusrat_behavior", "time": 0.0 }, { "name": "trochilusrat_apis", "time": 0.0 }, { "name": "reads_self", "time": 0.0 }, { "name": "recon_beacon", "time": 0.0 }, { "name": "recon_programs", "time": 0.0 }, { "name": "recon_systeminfo", "time": 0.0 }, { "name": "accesses_recyclebin", "time": 0.0 }, { "name": "remcos_shell_code_dynamic_wrapper_x", "time": 0.0 }, { "name": "script_created_process", "time": 0.0 }, { "name": "script_network_activity", "time": 0.0 }, { "name": "suspicious_js_script", "time": 0.0 }, { "name": "javascript_timer", "time": 0.0 }, { "name": "secure_login_phishing", "time": 0.0 }, { "name": "securityxploded_modules", "time": 0.0 }, { "name": "get_clipboard_data", "time": 0.0 }, { "name": "sets_autoconfig_url", "time": 0.0 }, { "name": "spoofs_procname", "time": 0.0 }, { "name": "stack_pivot", "time": 0.0 }, { "name": "stack_pivot_file_created", "time": 0.0 }, { "name": "stack_pivot_process_create", "time": 0.0 }, { "name": "set_clipboard_data", "time": 0.0 }, { "name": "stealth_childproc", "time": 0.0 }, { "name": "stealth_file", "time": 0.0 }, { "name": "stealth_timeout", "time": 0.0 }, { "name": "stealth_window", "time": 0.0 }, { "name": "queries_keyboard_layout", "time": 0.0 }, { "name": "queries_locale_api", "time": 0.0 }, { "name": "terminates_remote_process", "time": 0.0 }, { "name": "uiautomationcore_load", "time": 0.0 }, { "name": "user_enum", "time": 0.0 }, { "name": "mmc_dll_script_load", "time": 0.0 }, { "name": "mmc_dotnet_load", "time": 0.0 }, { "name": "virus", "time": 0.0 }, { "name": "neshta_files", "time": 0.0 }, { "name": "neshta_regkeys", "time": 0.0 }, { "name": "webmail_phish", "time": 0.0 }, { "name": "persists_dev_util", "time": 0.0 }, { "name": "spawns_dev_util", "time": 0.0 }, { "name": "alters_windows_utility", "time": 0.0 }, { "name": "overwrites_accessibility_utility", "time": 0.0 }, { "name": "Potential_Lateral_Movement_Via_SMBEXEC", "time": 0.0 }, { "name": "potential_WebShell_Via_ScreenConnectServer", "time": 0.0 }, { "name": "uses_Microsoft_HTML_Help_Executable", "time": 0.0 }, { "name": "wiper_zeroedbytes", "time": 0.0 }, { "name": "wmi_create_process", "time": 0.0 }, { "name": "wmi_script_process", "time": 0.0 }, { "name": "antianalysis_tls_section", "time": 0.0 }, { "name": "antivirus_clamav", "time": 0.0 }, { "name": "antivirus_virustotal", "time": 0.0 }, { "name": "bad_certs", "time": 0.0 }, { "name": "bad_ssl_certs", "time": 0.0 }, { "name": "banker_zeus_p2p", "time": 0.0 }, { "name": "banker_zeus_url", "time": 0.0 }, { "name": "binary_yara", "time": 0.0 }, { "name": "bot_athenahttp", "time": 0.0 }, { "name": "bot_dirtjumper", "time": 0.0 }, { "name": "bot_drive", "time": 0.0 }, { "name": "bot_drive2", "time": 0.0 }, { "name": "bot_madness", "time": 0.0 }, { "name": "phishing_kit_detected", "time": 0.0 }, { "name": "family_proxyback", "time": 0.0 }, { "name": "flare_capa_antianalysis", "time": 0.0 }, { "name": "flare_capa_collection", "time": 0.0 }, { "name": "flare_capa_communication", "time": 0.0 }, { "name": "flare_capa_compiler", "time": 0.0 }, { "name": "flare_capa_datamanipulation", "time": 0.0 }, { "name": "flare_capa_executable", "time": 0.0 }, { "name": "flare_capa_hostinteraction", "time": 0.0 }, { "name": "flare_capa_impact", "time": 0.0 }, { "name": "flare_capa_lib", "time": 0.0 }, { "name": "flare_capa_linking", "time": 0.0 }, { "name": "flare_capa_loadcode", "time": 0.0 }, { "name": "flare_capa_malwarefamily", "time": 0.0 }, { "name": "flare_capa_nursery", "time": 0.0 }, { "name": "flare_capa_persistence", "time": 0.0 }, { "name": "flare_capa_runtime", "time": 0.0 }, { "name": "flare_capa_targeting", "time": 0.0 }, { "name": "threatfox", "time": 0.0 }, { "name": "log4shell", "time": 0.0 }, { "name": "mimics_extension", "time": 0.0 }, { "name": "network_country_distribution", "time": 0.0 }, { "name": "network_cnc_http", "time": 0.0 }, { "name": "network_ip_exe", "time": 0.0 }, { "name": "network_dga", "time": 0.0 }, { "name": "network_dga_fraunhofer", "time": 0.0 }, { "name": "network_dyndns", "time": 0.0 }, { "name": "network_excessive_udp", "time": 0.0 }, { "name": "network_http", "time": 0.0 }, { "name": "network_icmp", "time": 0.0 }, { "name": "network_irc", "time": 0.0 }, { "name": "network_open_proxy", "time": 0.001 }, { "name": "network_questionable_http_path", "time": 0.0 }, { "name": "network_questionable_https_path", "time": 0.0 }, { "name": "network_smtp", "time": 0.0 }, { "name": "network_torgateway", "time": 0.0 }, { "name": "origin_langid", "time": 0.0 }, { "name": "origin_resource_langid", "time": 0.0 }, { "name": "overlay", "time": 0.0 }, { "name": "packer_unknown_pe_section_name", "time": 0.0 }, { "name": "packer_aspack", "time": 0.0 }, { "name": "packer_aspirecrypt", "time": 0.0 }, { "name": "packer_bedsprotector", "time": 0.0 }, { "name": "packer_confuser", "time": 0.0 }, { "name": "packer_enigma", "time": 0.0 }, { "name": "packer_entropy", "time": 0.0 }, { "name": "packer_mpress", "time": 0.0 }, { "name": "packer_nate", "time": 0.0 }, { "name": "packer_nspack", "time": 0.0 }, { "name": "packer_smartassembly", "time": 0.0 }, { "name": "packer_spices", "time": 0.0 }, { "name": "packer_themida", "time": 0.0 }, { "name": "packer_titan", "time": 0.0 }, { "name": "packer_upx", "time": 0.0 }, { "name": "packer_vmprotect", "time": 0.0 }, { "name": "packer_yoda", "time": 0.0 }, { "name": "pdf_annot_urls_checker", "time": 0.0 }, { "name": "polymorphic", "time": 0.0 }, { "name": "punch_plus_plus_pcres", "time": 0.0 }, { "name": "procmem_yara", "time": 0.0 }, { "name": "recon_checkip", "time": 0.0 }, { "name": "static_authenticode", "time": 0.0 }, { "name": "invalid_authenticode_signature", "time": 0.0 }, { "name": "static_dotnet_anomaly", "time": 0.0 }, { "name": "static_java", "time": 0.0 }, { "name": "static_pdf", "time": 0.0 }, { "name": "contains_pe_overlay", "time": 0.0 }, { "name": "static_pe_anomaly", "time": 0.0 }, { "name": "pe_compile_timestomping", "time": 0.0 }, { "name": "static_pe_pdbpath", "time": 0.0 }, { "name": "static_rat_config", "time": 0.0 }, { "name": "static_versioninfo_anomaly", "time": 0.0 }, { "name": "suricata_alert", "time": 0.0 }, { "name": "suspicious_html_body", "time": 0.0 }, { "name": "suspicious_html_name", "time": 0.0 }, { "name": "suspicious_html_title", "time": 0.0 }, { "name": "volatility_devicetree_1", "time": 0.0 }, { "name": "volatility_handles_1", "time": 0.0 }, { "name": "volatility_ldrmodules_1", "time": 0.0 }, { "name": "volatility_ldrmodules_2", "time": 0.0 }, { "name": "volatility_malfind_1", "time": 0.0 }, { "name": "volatility_malfind_2", "time": 0.0 }, { "name": "volatility_modscan_1", "time": 0.0 }, { "name": "volatility_svcscan_1", "time": 0.0 }, { "name": "volatility_svcscan_2", "time": 0.0 }, { "name": "volatility_svcscan_3", "time": 0.0 }, { "name": "whois_create", "time": 0.0 }, { "name": "accesses_mailslot", "time": 0.0 }, { "name": "accesses_netlogon_regkey", "time": 0.0 }, { "name": "accesses_public_folder", "time": 0.0 }, { "name": "accesses_sysvol", "time": 0.0 }, { "name": "writes_sysvol", "time": 0.0 }, { "name": "adds_admin_user", "time": 0.0 }, { "name": "adds_user", "time": 0.0 }, { "name": "overwrites_admin_password", "time": 0.0 }, { "name": "antianalysis_detectfile", "time": 0.002 }, { "name": "antianalysis_detectreg", "time": 0.001 }, { "name": "modify_attachment_manager", "time": 0.0 }, { "name": "antiav_detectfile", "time": 0.003 }, { "name": "antiav_detectreg", "time": 0.004 }, { "name": "antiav_srp", "time": 0.0 }, { "name": "antiav_whitespace", "time": 0.0 }, { "name": "antidebug_devices", "time": 0.0 }, { "name": "antiemu_windefend", "time": 0.0 }, { "name": "antiemu_wine_reg", "time": 0.0 }, { "name": "antisandbox_cuckoo_files", "time": 0.0 }, { "name": "antisandbox_fortinet_files", "time": 0.0 }, { "name": "antisandbox_joe_anubis_files", "time": 0.0 }, { "name": "antisandbox_sboxie_mutex", "time": 0.0 }, { "name": "antisandbox_sunbelt_files", "time": 0.0 }, { "name": "antisandbox_threattrack_files", "time": 0.0 }, { "name": "antivm_bochs_keys", "time": 0.0 }, { "name": "antivm_generic_bios", "time": 0.0 }, { "name": "antivm_generic_diskreg", "time": 0.0 }, { "name": "antivm_hyperv_keys", "time": 0.0 }, { "name": "antivm_parallels_keys", "time": 0.0 }, { "name": "antivm_recentdocs", "time": 0.0 }, { "name": "antivm_vbox_devices", "time": 0.0 }, { "name": "antivm_vbox_files", "time": 0.001 }, { "name": "antivm_vbox_keys", "time": 0.001 }, { "name": "antivm_vmware_devices", "time": 0.0 }, { "name": "antivm_vmware_files", "time": 0.0 }, { "name": "antivm_vmware_keys", "time": 0.0 }, { "name": "antivm_vmware_mutexes", "time": 0.0 }, { "name": "antivm_vpc_files", "time": 0.0 }, { "name": "antivm_vpc_keys", "time": 0.0 }, { "name": "antivm_vpc_mutex", "time": 0.0 }, { "name": "antivm_xen_keys", "time": 0.0 }, { "name": "asyncrat_mutex", "time": 0.0 }, { "name": "gulpix_behavior", "time": 0.0 }, { "name": "ketrican_regkeys", "time": 0.0 }, { "name": "okrum_mutexes", "time": 0.0 }, { "name": "banker_cridex", "time": 0.0 }, { "name": "geodo_banking_trojan", "time": 0.001 }, { "name": "banker_spyeye_mutexes", "time": 0.0 }, { "name": "banker_zeus_mutex", "time": 0.0 }, { "name": "bitcoin_opencl", "time": 0.0 }, { "name": "enumerates_physical_drives", "time": 0.0 }, { "name": "bot_russkill", "time": 0.0 }, { "name": "browser_addon", "time": 0.0 }, { "name": "chromium_browser_extension_directory", "time": 0.0 }, { "name": "browser_helper_object", "time": 0.0 }, { "name": "browser_security", "time": 0.001 }, { "name": "browser_startpage", "time": 0.0 }, { "name": "ie_disables_process_tab", "time": 0.0 }, { "name": "odbcconf_bypass", "time": 0.0 }, { "name": "squiblydoo_bypass", "time": 0.0 }, { "name": "squiblytwo_bypass", "time": 0.0 }, { "name": "bypass_chromium_protection", "time": 0.0 }, { "name": "bypass_firewall", "time": 0.0 }, { "name": "checks_uac_status", "time": 0.0 }, { "name": "uac_bypass_cmstpcom", "time": 0.0 }, { "name": "uac_bypass_delegateexecute_sdclt", "time": 0.0 }, { "name": "uac_bypass_fodhelper", "time": 0.0 }, { "name": "cape_extracted_content", "time": 0.0 }, { "name": "carberp_mutex", "time": 0.0 }, { "name": "clears_logs", "time": 0.0 }, { "name": "cmdline_obfuscation", "time": 0.0 }, { "name": "cmdline_switches", "time": 0.0 }, { "name": "cmdline_terminate", "time": 0.0 }, { "name": "cmdline_forfiles_wildcard", "time": 0.0 }, { "name": "cmdline_http_link", "time": 0.0 }, { "name": "cmdline_long_string", "time": 0.0 }, { "name": "cmdline_reversed_http_link", "time": 0.0 }, { "name": "long_commandline", "time": 0.0 }, { "name": "powershell_renamed_commandline", "time": 0.0 }, { "name": "copies_self", "time": 0.0 }, { "name": "credwiz_credentialaccess", "time": 0.0 }, { "name": "enables_wdigest", "time": 0.0 }, { "name": "vaultcmd_credentialaccess", "time": 0.0 }, { "name": "file_credential_store_access", "time": 0.0 }, { "name": "file_credential_store_write", "time": 0.0 }, { "name": "kerberos_credential_access_via_rubeus", "time": 0.0 }, { "name": "registry_credential_dumping", "time": 0.0 }, { "name": "registry_credential_store_access", "time": 0.0 }, { "name": "registry_lsa_secrets_access", "time": 0.0 }, { "name": "comsvcs_credentialdump", "time": 0.0 }, { "name": "cryptomining_stratum_command", "time": 0.0 }, { "name": "cypherit_mutexes", "time": 0.0 }, { "name": "darkcomet_regkeys", "time": 0.0 }, { "name": "datop_loader", "time": 0.0 }, { "name": "deepfreeze_mutex", "time": 0.0 }, { "name": "deletes_executed_files", "time": 0.0 }, { "name": "disables_app_launch", "time": 0.0 }, { "name": "disables_auto_app_termination", "time": 0.0 }, { "name": "disables_appv_virtualization", "time": 0.0 }, { "name": "disables_backups", "time": 0.001 }, { "name": "disables_browser_warn", "time": 0.001 }, { "name": "disables_context_menus", "time": 0.0 }, { "name": "disables_cpl_disable", "time": 0.0 }, { "name": "disables_crashdumps", "time": 0.0 }, { "name": "disables_event_logging", "time": 0.0 }, { "name": "disables_folder_options", "time": 0.0 }, { "name": "disables_notificationcenter", "time": 0.0 }, { "name": "disables_power_options", "time": 0.001 }, { "name": "disables_restore_default_state", "time": 0.0 }, { "name": "disables_run_command", "time": 0.0 }, { "name": "disables_smartscreen", "time": 0.0 }, { "name": "disables_startmenu_search", "time": 0.0 }, { "name": "disables_system_restore", "time": 0.0 }, { "name": "disables_uac", "time": 0.0 }, { "name": "disables_wer", "time": 0.0 }, { "name": "disables_windows_defender", "time": 0.0 }, { "name": "disables_windows_defender_logging", "time": 0.0 }, { "name": "removes_windows_defender_contextmenu", "time": 0.0 }, { "name": "removes_windows_defender_updates", "time": 0.0 }, { "name": "windows_defender_powershell", "time": 0.0 }, { "name": "disables_windows_file_protection", "time": 0.0 }, { "name": "disables_windowsupdate", "time": 0.0 }, { "name": "disables_winfirewall", "time": 0.0 }, { "name": "discover_registry_mount_points", "time": 0.0 }, { "name": "adfind_domain_enumeration", "time": 0.0 }, { "name": "domain_enumeration_commands", "time": 0.0 }, { "name": "andromut_mutexes", "time": 0.0 }, { "name": "downloader_cabby", "time": 0.0 }, { "name": "phorpiex_mutexes", "time": 0.0 }, { "name": "protonbot_mutexes", "time": 0.0 }, { "name": "driver_filtermanager", "time": 0.0 }, { "name": "dropper", "time": 0.0 }, { "name": "dll_archive_execution", "time": 0.0 }, { "name": "lnk_archive_execution", "time": 0.0 }, { "name": "script_archive_execution", "time": 0.0 }, { "name": "excel4_macro_urls", "time": 0.0 }, { "name": "escalate_privilege_via_ntlm_relay", "time": 0.0 }, { "name": "spooler_access", "time": 0.0 }, { "name": "spooler_svc_start", "time": 0.0 }, { "name": "mapped_drives_uac", "time": 0.0 }, { "name": "hides_recycle_bin_icon", "time": 0.0 }, { "name": "apocalypse_stealer_file_behavior", "time": 0.0 }, { "name": "arkei_files", "time": 0.0 }, { "name": "azorult_mutexes", "time": 0.001 }, { "name": "infostealer_bitcoin", "time": 0.001 }, { "name": "cryptbot_files", "time": 0.0 }, { "name": "echelon_files", "time": 0.001 }, { "name": "infostealer_ftp", "time": 0.002 }, { "name": "infostealer_im", "time": 0.001 }, { "name": "infostealer_mail", "time": 0.001 }, { "name": "masslogger_files", "time": 0.0 }, { "name": "poullight_files", "time": 0.001 }, { "name": "purplewave_mutexes", "time": 0.0 }, { "name": "quilclipper_mutexes", "time": 0.0 }, { "name": "qulab_files", "time": 0.0 }, { "name": "qulab_mutexes", "time": 0.0 }, { "name": "asyncrat_mutex", "time": 0.0 }, { "name": "Evade_Execution_Via_ASPNet_Compiler", "time": 0.0 }, { "name": "Evade_Execute_Via_DeviceCredentialDeployment", "time": 0.0 }, { "name": "Evade_Execution_Via_Filter_Manager_Control", "time": 0.0 }, { "name": "Evade_Execution_Via_Intel_GFXDownloadWrapper", "time": 0.0 }, { "name": "execute_binary_via_appvlp", "time": 0.0 }, { "name": "execute_binary_via_pcalua", "time": 0.0 }, { "name": "Execute_Binary_Via_OpenSSH", "time": 0.0 }, { "name": "execute_binary_via_pcalua", "time": 0.0 }, { "name": "Execute_Binary_Via_PesterPSModule", "time": 0.0 }, { "name": "Execute_Binary_Via_ScriptRunner", "time": 0.0 }, { "name": "execute_binary_via_ttdinject", "time": 0.0 }, { "name": "Execute_Binary_Via_VisualStudioLiveShare", "time": 0.0 }, { "name": "Execute_Msiexec_Via_Explorer", "time": 0.0 }, { "name": "execute_remote_msi", "time": 0.0 }, { "name": "execute_suspicious_powershell_via_runscripthelper", "time": 0.0 }, { "name": "execute_suspicious_powershell_via_sqlps", "time": 0.0 }, { "name": "Indirect_Command_Execution_Via_ConsoleWindowHost", "time": 0.0 }, { "name": "Perform_Malicious_Activities_Via_Headless_Browser", "time": 0.0 }, { "name": "Register_DLL_Via_CertOC", "time": 0.0 }, { "name": "Register_DLL_Via_MSIEXEC", "time": 0.0 }, { "name": "Register_DLL_Via_Odbcconf", "time": 0.0 }, { "name": "Scriptlet_Proxy_Execution_Via_Pubprn", "time": 0.0 }, { "name": "ie_martian_children", "time": 0.0 }, { "name": "office_martian_children", "time": 0.0 }, { "name": "mimics_icon", "time": 0.0 }, { "name": "masquerade_process_name", "time": 0.001 }, { "name": "mimikatz_modules", "time": 0.0 }, { "name": "ms_office_cmd_rce", "time": 0.0 }, { "name": "mount_copy_to_webdav_share", "time": 0.0 }, { "name": "potential_protocol_tunneling_via_legit_utilities", "time": 0.0 }, { "name": "potential_protocol_tunneling_via_qemu", "time": 0.0 }, { "name": "suspicious_execution_via_dotnet_remoting", "time": 0.0 }, { "name": "modify_certs", "time": 0.0 }, { "name": "dotnet_clr_usagelog_regkeys", "time": 0.0 }, { "name": "modify_hostfile", "time": 0.0 }, { "name": "modify_oem_information", "time": 0.0 }, { "name": "modify_security_center_warnings", "time": 0.0 }, { "name": "modify_uac_prompt", "time": 0.0 }, { "name": "network_dns_blockchain", "time": 0.0 }, { "name": "network_dns_opennic", "time": 0.0 }, { "name": "network_dns_paste_site", "time": 0.0 }, { "name": "network_dns_reverse_proxy", "time": 0.0 }, { "name": "network_dns_temp_file_storage", "time": 0.0 }, { "name": "network_dns_temp_urldns", "time": 0.0 }, { "name": "network_dns_url_shortener", "time": 0.0 }, { "name": "network_dns_doh_tls", "time": 0.0 }, { "name": "suspicious_tld", "time": 0.0 }, { "name": "network_tor_service", "time": 0.0 }, { "name": "office_code_page", "time": 0.0 }, { "name": "office_addinloading", "time": 0.0 }, { "name": "office_perfkey", "time": 0.0 }, { "name": "office_macro", "time": 0.0 }, { "name": "changes_trust_center_settings", "time": 0.0 }, { "name": "disables_vba_trust_access", "time": 0.0 }, { "name": "office_macro_autoexecution", "time": 0.0 }, { "name": "office_macro_ioc", "time": 0.0 }, { "name": "office_macro_malicious_prediction", "time": 0.0 }, { "name": "office_macro_suspicious", "time": 0.0 }, { "name": "rtf_aslr_bypass", "time": 0.0 }, { "name": "rtf_anomaly_characterset", "time": 0.0 }, { "name": "rtf_anomaly_version", "time": 0.0 }, { "name": "rtf_embedded_content", "time": 0.0 }, { "name": "rtf_embedded_office_file", "time": 0.0 }, { "name": "rtf_exploit_static", "time": 0.0 }, { "name": "office_security", "time": 0.0 }, { "name": "accesses_office_username", "time": 0.0 }, { "name": "office_anomalous_feature", "time": 0.0 }, { "name": "office_dde_command", "time": 0.0 }, { "name": "packer_armadillo_mutex", "time": 0.0 }, { "name": "packer_armadillo_regkey", "time": 0.0 }, { "name": "persistence_ads", "time": 0.0 }, { "name": "persistence_safeboot", "time": 0.0 }, { "name": "persistence_ifeo", "time": 0.0 }, { "name": "persistence_silent_process_exit", "time": 0.0 }, { "name": "persistence_rdp_registry", "time": 0.0 }, { "name": "persistence_rdp_shadowing", "time": 0.0 }, { "name": "persistence_service", "time": 0.0 }, { "name": "persistence_shim_database", "time": 0.0 }, { "name": "powerpool_mutexes", "time": 0.0 }, { "name": "powershell_scriptblock_logging", "time": 0.0 }, { "name": "powershell_command_suspicious", "time": 0.0 }, { "name": "powershell_history_save_mod", "time": 0.0 }, { "name": "powershell_renamed", "time": 0.0 }, { "name": "powershell_reversed", "time": 0.0 }, { "name": "powershell_variable_obfuscation", "time": 0.0 }, { "name": "prevents_safeboot", "time": 0.0 }, { "name": "cmdline_process_discovery", "time": 0.0 }, { "name": "cryptomix_mutexes", "time": 0.0 }, { "name": "dharma_mutexes", "time": 0.0 }, { "name": "ransomware_extensions_generic", "time": 0.0 }, { "name": "ransomware_extensions_known", "time": 0.004 }, { "name": "ransomware_files", "time": 0.006 }, { "name": "fonix_mutexes", "time": 0.0 }, { "name": "gandcrab_mutexes", "time": 0.0 }, { "name": "germanwiper_mutexes", "time": 0.0 }, { "name": "medusalocker_mutexes", "time": 0.0 }, { "name": "medusalocker_regkeys", "time": 0.0 }, { "name": "nemty_mutexes", "time": 0.0 }, { "name": "nemty_regkeys", "time": 0.0 }, { "name": "pysa_mutexes", "time": 0.0 }, { "name": "ransomware_radamant", "time": 0.0 }, { "name": "ransomware_recyclebin", "time": 0.0 }, { "name": "revil_mutexes", "time": 0.001 }, { "name": "ransomware_revil_regkey", "time": 0.0 }, { "name": "satan_mutexes", "time": 0.0 }, { "name": "snake_ransom_mutexes", "time": 0.0 }, { "name": "stop_ransom_mutexes", "time": 0.0 }, { "name": "stop_ransomware_cmd", "time": 0.0 }, { "name": "ransomware_stopdjvu", "time": 0.0 }, { "name": "rat_beebus_mutexes", "time": 0.0 }, { "name": "blacknet_mutexes", "time": 0.0 }, { "name": "blackrat_mutexes", "time": 0.0 }, { "name": "crat_mutexes", "time": 0.0 }, { "name": "dcrat_files", "time": 0.0 }, { "name": "dcrat_mutexes", "time": 0.0 }, { "name": "rat_fynloski_mutexes", "time": 0.0 }, { "name": "limerat_mutexes", "time": 0.0 }, { "name": "limerat_regkeys", "time": 0.0 }, { "name": "lodarat_file_behavior", "time": 0.0 }, { "name": "modirat_behavior", "time": 0.0 }, { "name": "njrat_regkeys", "time": 0.0 }, { "name": "obliquerat_files", "time": 0.0 }, { "name": "obliquerat_mutexes", "time": 0.0 }, { "name": "parallax_mutexes", "time": 0.0 }, { "name": "rat_pcclient", "time": 0.0 }, { "name": "rat_plugx_mutexes", "time": 0.0 }, { "name": "rat_poisonivy_mutexes", "time": 0.0 }, { "name": "rat_quasar_mutexes", "time": 0.0 }, { "name": "ratsnif_mutexes", "time": 0.0 }, { "name": "rat_spynet", "time": 0.0 }, { "name": "venomrat_mutexes", "time": 0.0 }, { "name": "warzonerat_files", "time": 0.0 }, { "name": "warzonerat_regkeys", "time": 0.0 }, { "name": "xpertrat_files", "time": 0.0 }, { "name": "xpertrat_mutexes", "time": 0.0 }, { "name": "rat_xtreme_mutexes", "time": 0.0 }, { "name": "reads_password_database", "time": 0.0 }, { "name": "recon_fingerprint", "time": 0.0 }, { "name": "remcos_files", "time": 0.0 }, { "name": "remcos_mutexes", "time": 0.0 }, { "name": "remcos_regkeys", "time": 0.0 }, { "name": "rdptcp_key", "time": 0.0 }, { "name": "uses_rdp_clip", "time": 0.0 }, { "name": "uses_remote_desktop_session", "time": 0.0 }, { "name": "removes_networking_icon", "time": 0.0 }, { "name": "removes_pinned_programs", "time": 0.0 }, { "name": "removes_security_maintenance_icon", "time": 0.0 }, { "name": "removes_startmenu_defaults", "time": 0.0 }, { "name": "removes_username_startmenu", "time": 0.0 }, { "name": "spicyhotpot_behavior", "time": 0.0 }, { "name": "sniffer_winpcap", "time": 0.0 }, { "name": "spreading_autoruninf", "time": 0.0 }, { "name": "stealth_hidden_extension", "time": 0.0 }, { "name": "stealth_hiddenreg", "time": 0.0 }, { "name": "stealth_hide_notifications", "time": 0.0 }, { "name": "stealth_webhistory", "time": 0.0 }, { "name": "sysinternals_psexec", "time": 0.0 }, { "name": "sysinternals_tools", "time": 0.0 }, { "name": "language_check_registry", "time": 0.0 }, { "name": "tampers_etw", "time": 0.0 }, { "name": "lsa_tampering", "time": 0.0 }, { "name": "tampers_powershell_logging", "time": 0.0 }, { "name": "targeted_flame", "time": 0.0 }, { "name": "territorial_disputes_sigs", "time": 0.002 }, { "name": "trickbot_mutex", "time": 0.0 }, { "name": "fleercivet_mutex", "time": 0.0 }, { "name": "lokibot_mutexes", "time": 0.0 }, { "name": "ursnif_behavior", "time": 0.001 }, { "name": "uses_adfind", "time": 0.0 }, { "name": "uses_ms_protocol", "time": 0.0 }, { "name": "neshta_mutexes", "time": 0.0 }, { "name": "renamer_mutexes", "time": 0.0 }, { "name": "owa_web_shell_files", "time": 0.0 }, { "name": "web_shell_files", "time": 0.0 }, { "name": "web_shell_processes", "time": 0.0 }, { "name": "dotnet_csc_build", "time": 0.0 }, { "name": "mavinject_lolbin", "time": 0.0 }, { "name": "multiple_explorer_instances", "time": 0.0 }, { "name": "script_tool_executed", "time": 0.0 }, { "name": "suspicious_certutil_use", "time": 0.0 }, { "name": "suspicious_command_tools", "time": 0.0 }, { "name": "suspicious_mpcmdrun_use", "time": 0.0 }, { "name": "suspicious_ping_use", "time": 0.0 }, { "name": "uses_powershell_copyitem", "time": 0.0 }, { "name": "uses_windows_utilities", "time": 0.0 }, { "name": "uses_windows_utilities_appcmd", "time": 0.0 }, { "name": "uses_windows_utilities_csvde_ldifde", "time": 0.0 }, { "name": "uses_windows_utilities_cipher", "time": 0.0 }, { "name": "uses_windows_utilities_clickonce", "time": 0.0 }, { "name": "uses_windows_utilities_curl", "time": 0.0 }, { "name": "uses_windows_utilities_dsquery", "time": 0.0 }, { "name": "uses_windows_utilities_esentutl", "time": 0.0 }, { "name": "uses_windows_utilities_finger", "time": 0.0 }, { "name": "uses_windows_utilities_mode", "time": 0.0 }, { "name": "uses_windows_utilities_ntdsutil", "time": 0.0 }, { "name": "uses_windows_utilities_nltest", "time": 0.0 }, { "name": "uses_windows_utilities_setx", "time": 0.0 }, { "name": "uses_windows_utilities_xcopy", "time": 0.0 }, { "name": "wmic_command_suspicious", "time": 0.0 }, { "name": "scrcons_wmi_script_consumer", "time": 0.0 }, { "name": "allaple_mutexes", "time": 0.0 } ], "reporting": [ { "name": "BinGraph", "time": 0.0 } ] }, "target": { "category": "file", "file": { "name": "test_sample.exe", "path": "/opt/CAPEv2/storage/binaries/2377e9e9e51a6fdf3c2532622778318d7cd2249a32a004e951188c252fd3d04f", "guest_paths": "", "size": 246568, "crc32": "7B8CF8BC", "md5": "8808c612f4224c1abba4cb4c7938fb53", "sha1": "ae95c6c1ad80904443814c34c151be99ae0b5aab", "sha256": "2377e9e9e51a6fdf3c2532622778318d7cd2249a32a004e951188c252fd3d04f", "sha512": "2c6e48dbd9fa071568f97fdeafb052479c52d0188118b204a23bfe346fa06a833d30672b2cc82c0ecd471cc36a96e7482e9d57eafd1d007ee5125f8accc9c8a6", "rh_hash": null, "ssdeep": "3072:lqN9AGD+OxDxL8BGDwCBwFG5m1sgIkDHQto912aJXZPEuuR4uz3Tn4cr8Esbtm:qqq+I2BGcCOFGjSTPJXeb3Tn4crzOtm", "type": "PE32+ executable (console) x86-64, for MS Windows", "yara": [ { "name": "spyeye", "meta": { "author": "Jean-Philippe Teissier / @Jipe_", "description": "SpyEye X.Y memory", "date": "2012-05-23", "version": "1.0", "filetype": "memory" }, "strings": [ "data_end" ], "addresses": { "f": 244579 } }, { "name": "IsPE64", "meta": {}, "strings": [], "addresses": {} }, { "name": "IsConsole", "meta": {}, "strings": [], "addresses": {} }, { "name": "HasOverlay", "meta": { "author": "_pusher_", "description": "Overlay Check" }, "strings": [], "addresses": {} }, { "name": "Microsoft_Visual_Cpp_80_DLL", "meta": {}, "strings": [ "{ 48 83 EC 28 }" ], "addresses": { "b": 25572 } } ], "cape_yara": [], "clamav": [], "tlsh": "T141345B85FF89ACEBD615063589AF432A3338F6D017935B171E2872341E13AD0EE8765B", "sha3_384": "43462965b39be8d113b544fa1443badb2c13d667c127995f1cbca8668cf14752a3e2450291c7fa99383eef19bcc74a81", "yara_hash": "b833150b13e1662cfeb7589959edd288cf4e73710395ec5c5f2123f39a668f4d", "options_hash": "44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a", "pe": { "guest_signers": { "aux_sha1": null, "aux_timestamp": null, "aux_valid": false, "aux_error": true, "aux_error_desc": "No signature found.", "aux_signers": [] }, "digital_signers": [], "imagebase": "0x140000000", "entrypoint": "0x000014d0", "ep_bytes": "4883ec28488b05d5820000c700000000", "peid_signatures": null, "reported_checksum": "0x00041dd7", "actual_checksum": "0x00041dd7", "osversion": "4.0", "machine_type": "IMAGE_FILE_MACHINE_AMD64", "pdbpath": null, "imports": { "KERNEL32": { "dll": "KERNEL32.dll", "imports": [ { "address": "0x14000d200", "name": "DeleteCriticalSection" }, { "address": "0x14000d208", "name": "EnterCriticalSection" }, { "address": "0x14000d210", "name": "GetEnvironmentVariableA" }, { "address": "0x14000d218", "name": "GetLastError" }, { "address": "0x14000d220", "name": "GetStartupInfoA" }, { "address": "0x14000d228", "name": "InitializeCriticalSection" }, { "address": "0x14000d230", "name": "IsDBCSLeadByteEx" }, { "address": "0x14000d238", "name": "LeaveCriticalSection" }, { "address": "0x14000d240", "name": "MultiByteToWideChar" }, { "address": "0x14000d248", "name": "SetUnhandledExceptionFilter" }, { "address": "0x14000d250", "name": "Sleep" }, { "address": "0x14000d258", "name": "TlsGetValue" }, { "address": "0x14000d260", "name": "VirtualProtect" }, { "address": "0x14000d268", "name": "VirtualQuery" }, { "address": "0x14000d270", "name": "WideCharToMultiByte" } ] }, "msvcrt": { "dll": "msvcrt.dll", "imports": [ { "address": "0x14000d280", "name": "__C_specific_handler" }, { "address": "0x14000d288", "name": "___lc_codepage_func" }, { "address": "0x14000d290", "name": "___mb_cur_max_func" }, { "address": "0x14000d298", "name": "__getmainargs" }, { "address": "0x14000d2a0", "name": "__initenv" }, { "address": "0x14000d2a8", "name": "__iob_func" }, { "address": "0x14000d2b0", "name": "__set_app_type" }, { "address": "0x14000d2b8", "name": "__setusermatherr" }, { "address": "0x14000d2c0", "name": "_acmdln" }, { "address": "0x14000d2c8", "name": "_amsg_exit" }, { "address": "0x14000d2d0", "name": "_cexit" }, { "address": "0x14000d2d8", "name": "_commode" }, { "address": "0x14000d2e0", "name": "_errno" }, { "address": "0x14000d2e8", "name": "_fmode" }, { "address": "0x14000d2f0", "name": "_initterm" }, { "address": "0x14000d2f8", "name": "_lock" }, { "address": "0x14000d300", "name": "_onexit" }, { "address": "0x14000d308", "name": "_unlock" }, { "address": "0x14000d310", "name": "abort" }, { "address": "0x14000d318", "name": "calloc" }, { "address": "0x14000d320", "name": "exit" }, { "address": "0x14000d328", "name": "fprintf" }, { "address": "0x14000d330", "name": "fputc" }, { "address": "0x14000d338", "name": "free" }, { "address": "0x14000d340", "name": "fwrite" }, { "address": "0x14000d348", "name": "localeconv" }, { "address": "0x14000d350", "name": "malloc" }, { "address": "0x14000d358", "name": "memcpy" }, { "address": "0x14000d360", "name": "memset" }, { "address": "0x14000d368", "name": "signal" }, { "address": "0x14000d370", "name": "strerror" }, { "address": "0x14000d378", "name": "strlen" }, { "address": "0x14000d380", "name": "strncmp" }, { "address": "0x14000d388", "name": "vfprintf" }, { "address": "0x14000d390", "name": "wcslen" } ] }, "USER32": { "dll": "USER32.dll", "imports": [ { "address": "0x14000d3a0", "name": "MessageBoxA" } ] } }, "exported_dll_name": null, "exports": [], "dirents": [ { "name": "IMAGE_DIRECTORY_ENTRY_EXPORT", "virtual_address": "0x00000000", "size": "0x00000000" }, { "name": "IMAGE_DIRECTORY_ENTRY_IMPORT", "virtual_address": "0x0000d000", "size": "0x00000790" }, { "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE", "virtual_address": "0x00000000", "size": "0x00000000" }, { "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION", "virtual_address": "0x0000a000", "size": "0x00000474" }, { "name": "IMAGE_DIRECTORY_ENTRY_SECURITY", "virtual_address": "0x00000000", "size": "0x00000000" }, { "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC", "virtual_address": "0x00010000", "size": "0x00000084" }, { "name": "IMAGE_DIRECTORY_ENTRY_DEBUG", "virtual_address": "0x00000000", "size": "0x00000000" }, { "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT", "virtual_address": "0x00000000", "size": "0x00000000" }, { "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR", "virtual_address": "0x00000000", "size": "0x00000000" }, { "name": "IMAGE_DIRECTORY_ENTRY_TLS", "virtual_address": "0x00009060", "size": "0x00000028" }, { "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG", "virtual_address": "0x00000000", "size": "0x00000000" }, { "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT", "virtual_address": "0x00000000", "size": "0x00000000" }, { "name": "IMAGE_DIRECTORY_ENTRY_IAT", "virtual_address": "0x0000d200", "size": "0x000001b0" }, { "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT", "virtual_address": "0x00000000", "size": "0x00000000" }, { "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR", "virtual_address": "0x00000000", "size": "0x00000000" }, { "name": "IMAGE_DIRECTORY_ENTRY_RESERVED", "virtual_address": "0x00000000", "size": "0x00000000" } ], "sections": [ { "name": ".text", "raw_address": "0x00000600", "virtual_address": "0x00001000", "virtual_size": "0x00006d48", "size_of_data": "0x00006e00", "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ", "characteristics_raw": "0x60000060", "entropy": "6.27" }, { "name": ".data", "raw_address": "0x00007400", "virtual_address": "0x00008000", "virtual_size": "0x000000e0", "size_of_data": "0x00000200", "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE", "characteristics_raw": "0xc0000040", "entropy": "0.95" }, { "name": ".rdata", "raw_address": "0x00007600", "virtual_address": "0x00009000", "virtual_size": "0x00000df0", "size_of_data": "0x00000e00", "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ", "characteristics_raw": "0x40000040", "entropy": "4.81" }, { "name": ".pdata", "raw_address": "0x00008400", "virtual_address": "0x0000a000", "virtual_size": "0x00000474", "size_of_data": "0x00000600", "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ", "characteristics_raw": "0x40000040", "entropy": "3.33" }, { "name": ".xdata", "raw_address": "0x00008a00", "virtual_address": "0x0000b000", "virtual_size": "0x00000430", "size_of_data": "0x00000600", "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ", "characteristics_raw": "0x40000040", "entropy": "3.49" }, { "name": ".bss", "raw_address": "0x00000000", "virtual_address": "0x0000c000", "virtual_size": "0x00000ba0", "size_of_data": "0x00000000", "characteristics": "IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE", "characteristics_raw": "0xc0000080", "entropy": "0.00" }, { "name": ".idata", "raw_address": "0x00009000", "virtual_address": "0x0000d000", "virtual_size": "0x00000790", "size_of_data": "0x00000800", "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE", "characteristics_raw": "0xc0000040", "entropy": "3.80" }, { "name": ".CRT", "raw_address": "0x00009800", "virtual_address": "0x0000e000", "virtual_size": "0x00000060", "size_of_data": "0x00000200", "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE", "characteristics_raw": "0xc0000040", "entropy": "0.26" }, { "name": ".tls", "raw_address": "0x00009a00", "virtual_address": "0x0000f000", "virtual_size": "0x00000010", "size_of_data": "0x00000200", "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE", "characteristics_raw": "0xc0000040", "entropy": "0.00" }, { "name": ".reloc", "raw_address": "0x00009c00", "virtual_address": "0x00010000", "virtual_size": "0x00000084", "size_of_data": "0x00000200", "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ", "characteristics_raw": "0x42000040", "entropy": "1.54" }, { "name": "/4", "raw_address": "0x00009e00", "virtual_address": "0x00011000", "virtual_size": "0x00000650", "size_of_data": "0x00000800", "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ", "characteristics_raw": "0x42000040", "entropy": "1.50" }, { "name": "/19", "raw_address": "0x0000a600", "virtual_address": "0x00012000", "virtual_size": "0x00011bab", "size_of_data": "0x00011c00", "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ", "characteristics_raw": "0x42000040", "entropy": "5.78" }, { "name": "/31", "raw_address": "0x0001c200", "virtual_address": "0x00024000", "virtual_size": "0x00003261", "size_of_data": "0x00003400", "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ", "characteristics_raw": "0x42000040", "entropy": "4.78" }, { "name": "/45", "raw_address": "0x0001f600", "virtual_address": "0x00028000", "virtual_size": "0x000069d7", "size_of_data": "0x00006a00", "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ", "characteristics_raw": "0x42000040", "entropy": "5.09" }, { "name": "/57", "raw_address": "0x00026000", "virtual_address": "0x0002f000", "virtual_size": "0x00002158", "size_of_data": "0x00002200", "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ", "characteristics_raw": "0x42000040", "entropy": "3.59" }, { "name": "/70", "raw_address": "0x00028200", "virtual_address": "0x00032000", "virtual_size": "0x0000039d", "size_of_data": "0x00000400", "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ", "characteristics_raw": "0x42000040", "entropy": "4.62" }, { "name": "/81", "raw_address": "0x00028600", "virtual_address": "0x00033000", "virtual_size": "0x00001662", "size_of_data": "0x00001800", "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ", "characteristics_raw": "0x42000040", "entropy": "4.60" }, { "name": "/97", "raw_address": "0x00029e00", "virtual_address": "0x00035000", "virtual_size": "0x000078fd", "size_of_data": "0x00007a00", "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ", "characteristics_raw": "0x42000040", "entropy": "5.84" }, { "name": "/113", "raw_address": "0x00031800", "virtual_address": "0x0003d000", "virtual_size": "0x0000051f", "size_of_data": "0x00000600", "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ", "characteristics_raw": "0x42000040", "entropy": "5.27" } ], "overlay": { "offset": "0x00031e00", "size": "0x0000a528" }, "resources": [], "versioninfo": [], "imphash": "10bcb861621198176cd748ec5e302b0c", "timestamp": "2026-03-06 06:34:43", "icon": null, "icon_hash": null, "icon_fuzzy": null, "icon_dhash": null, "imported_dll_count": 3 }, "data": null, "strings": [ "FileHeader", "__dll__", "STRTOG_Inexact", "corecrt_startup.h", "pexcept", "addr_imp", "ExceptionFlags", "__pformat_float", "fwrite", "_PVFV", "_W_decimal_point", "./mingw-w64-crt/crt/dllargv.c", "int32_t", "__major_os_version__", "__pformat_ullong_t", ".refptr.__RUNTIME_PSEUDO_RELOC_LIST_END__", "ndigits", "long double", "__xl_d", "Blink", "InitializeCriticalSection", "mb_max", "_Byte", "mingw_vfprintf.c", "MxCsr", "__pformat_ulong_t", ".debug_frame", "VT_INT_PTR", "wcsrtombs", "hStdInput", "errhandlingapi.h", ".idata$7$", "Characteristics", "___crt_xc_start__", "XMM_SAVE_AREA32", "_newmode", "nested", "thousands_chr", "__xd_a", ".idata$5X", "Reserved3", "__imp_memcpy", "_W_positive_sign", "MajorLinkerVersion", "[^_]A\\A]A^A_", "__imp_signal", "internal_ps", "GetStartupInfoA", "./mingw-w64-crt/misc/mbrtowc.c", "SizeOfHeapCommit", "NumberOfLinenumbers", "__mingwthr_cs_init", "__pformat_char_t", "backtrack", ".idata$4(", "LPVOID", "'exception_data", "VT_CLSID", "sign_bit", "__mingw_setusermatherr", "LONGLONG", "__imp__unlock", "vfprintfxl", "SpareWORD", "VT_RESERVED", "__pformat_emit_xfloat.isra.0", "<2ZGU", "value", "Destination", "DeleteCriticalSection", "__iob_func", "IMAGE_IMPORT_DESCRIPTOR", "$_fpreset", "ULONG_PTR", "Subsystem", "_CONTEXT", "grouping", "___DTOR_LIST__", "./mingw-w64-crt/gdtoa/gdtoa.c", ".refptr.__imp__commode", "?__report_error", "NT_TIB", "UATWVSH", "3__tmainCRTStartup", "SpinCount", "__imp___p__fmode", "e_magic", ".rdata$.refptr.__xc_z", "_W_negative_sign", "[^_A\\A]A^A_]", "___crt_xt_start__", "corecrt.h", "_XMM_SAVE_AREA32", "basetsd.h", "VirtualSize", "__mingwthr_key_t", "./mingw-w64-crt/crt/wildcard.c", "3_pei386_runtime_relocator", "__pformat_emit_numeric_value", "9GNU C17 12 20220819 -m64 -mtune=generic -march=x86-64 -g -O2 -fno-PIE", "Mingw-w64 runtime failure:", "__tI128", "_dowildcard", "SegEs", "PVOID", " __mingw_setusermatherr", "OwningThread", ".idata$7d", "__pformat_uchar_t", "GCC: (GNU) 12 20220819", "__loader_flags__", ".rdata$.refptr.__mingw_oldexcpt_handler", ".rdata$.refptr.__imp__fmode", "tagCOINITBASE", "GetLastError", "__imp___getmainargs", "DWORD_PTR", "LastExceptionFromRip", ".rdata$.refptr.__imp___initenv", "./mingw-w64-crt/crt/pseudo-reloc-list.c", ".idata$7h", "printf", "__freedtoa", ".CRT$XCA", "_W_thousands_sep", "__imp_fwrite", "_exception", ".CRT$XLA0", "SizeOfUninitializedData", "GNU C17 12 20220819 -m64 -mtune=generic -march=x86-64 -g -O2 -fno-PIE", "hStdOutput", "___crt_xt_end__", "int_curr_symbol", "wShowWindow", ".refptr.__xc_a", "cbReserved2", "./mingw-w64-crt/misc/__p__commode.c", "AWAVAUATUWVSH", "VT_EMPTY", "__pformat_int", "F__freedtoa", "R!function", "The result is too small to be represented (UNDERFLOW)", "D)\\$p", "runtime_pseudo_reloc_item_v1", "digits", ".pdata", "AVAUATUWVSH", "Xmm14", "_LIST_ENTRY", "DWORD64", "VT_STORAGE", "__Bigint", "chopzeros", "__lib64_libmsvcrt_def_a_iname", "VT_NULL", ".rdata", "action", ".idata$70", "VT_RECORD", "_FindPESectionByName", "__xl_a", "DebugControl", "__mingw_pcppinit", "___tls_start__", "borrow", "__pformat_long_t", "tchar.h", "WCHAR", ";__Bfree_D2A", "ilim1", "__minor_image_version__", "_fmode", "OptionalHeader", "__trailz_D2A", ")__pformat_int_bufsiz", "length", ".rdata$.refptr.__imp__commode", "FltSave", "SizeOfOptionalHeader", "GCC: (GNU) 12-win32", "e_lfanew", "_Float16", ".refptr.__mingw_initltsdyn_force", "start", "./mingw-w64-crt/misc/mingw_matherr.c", "./mingw-w64-crt/crt", "tlssup.c", "last_CS_init", "1FltSave", "Computer: %s", "___CTOR_LIST__", "mbrtowc.c", "pseudo-reloc.c", "runtime_pseudo_reloc_item_v2", "_FILEX", "__bigtens_D2A", "FloatRegisters", "./mingw-w64-crt/crt/cinitexe.c", ".idata$6N", ".debug_loclists", "_IMAGE_SECTION_HEADER", "__p__acmdln.c", "___mb_cur_max_func", "ULONGLONG", "./mingw-w64-crt/crt/xncommod.c", "math.h", "bufflen", "STRTOG_NaNbits", ".tls$ZZZ", " umHc", "__uninitialized", " Unknown pseudo relocation protocol version %d.", "roundoff", "P3Home", "SizeOfHeaders", ".rdata$.refptr.__mingw_initltsdyn_force", "__data_start__", "STRTOG_Retmask", "VT_UI2", "mainret", ".idata$5", "ATUWVSH", "lpszCommandLine", "gmisc.c", "base_address", "?aCoc", "__mingwthr_cs", "\"VARENUM", "e_lfarlc", "ATUWVSHcY", "pre_c_init", "HcQ", "state", "LPBYTE", "./mingw-w64-crt/crt/gccmain.c", ".refptr._commode", "__p_sig_fn_t", "VT_FILETIME", "__initialized", "index", "Reserved2", ".idata$68", ".idata$4H", "State", "_head_lib64_libuser32_a", "__imp__fmode", "./mingw-w64-crt/crt/tlsthrd.c", "p_sign_posn", "./mingw-w64-crt/stdio/mingw_lock.c", "new_key", "pOptHeader", "@__uI128", "VT_BYREF", "__setusermatherr", "VT_SAFEARRAY", " _initterm", "__pformat_xdouble", "VT_USERDEFINED", "Sleep", "._XMM_SAVE_AREA32", "___crt_xi_end__", "_onexit_t", ".CRT$XIA", " [^_H", ".CRT$XIAA", "__imp___set_app_type", "__strcp_D2A", "__imp_fputc", "._CONTEXT", " Unknown pseudo relocation bit size %d.", "Version", "PDWORD", "test_sample.c", "StartAddressOfRawData", "__minor_os_version__", "`.data", "NumberOfSections", "@[^_]A\\A]A^", "__imp_IsDBCSLeadByteEx", "=mark_section_writable", "__pformat_emit_inf_or_nan", "va_list", "CreatorBackTraceIndex", ".idata$5(", "dwXSize", "wtypes.h", "ContextRecord", "_tls_used", "*__isnanl", "string.h", "spec_case", ":MZuYHcBE1", "FPI_Round_up", ".ctors.65535", "locale.h", "SizeOfCode", "one_digit", "fpi.0", "saved_errno", "_matherr(): %s in %s(%g, %g) (retval=%g)", "___w64_mingwthr_remove_key_dtor", "./mingw-w64-crt/misc/strnlen.c", "cygming-crtend", "VT_VARIANT", ".idata$5H", "__tens_D2A", ".debug_rnglists", "X X.. ", "EVARENUM", "_commode", "*__lo0bits_D2A", "strerror", "__pformat_ushort_t", "__pformat_putc", "initialized", "cygming-crtbeg", "e_res", "unsigned char", "&_gnu_exception_handler", "sSecInfo", "e_csum", "mingw_matherr.c", "_f__p__acmdln", "__native_startup_state", "___RUNTIME_PSEUDO_RELOC_LIST_END__", "_M128A", "LPBOOL", "mingw_vfprintf", "__gcc_register_frame", "__imp_VirtualQuery", "#_fpreset", "(2vfprintf", ".debug_line_str", "__IAT_end__", "ExceptionList", "iargval", "./mingw-w64-crt/crt/merr.c", ")D$p)", "([^_]A\\A]A^A_", "pNTHeader", "__section_alignment__", "__pformat_cvt", "gdtoa.h", "VT_UI4", "ExChange", "__builtin_va_list", "Unknown error", "_IMAGE_DATA_DIRECTORY", "SegSs", "__size_of_heap_commit__", "___w64_mingwthr_add_key_dtor", "natstart.c", "__image_base__", "accept", "IMAGE_FILE_HEADER", "delta", "__lib64_libkernel32_a_iname", "fast_failed", "StartupInfo", "__gdtoa", "tlsmcrt.c", ".idata$58", "\"__mingwthr_run_key_dtors", ".bitstob", "stream", "2memcpy", "_bufsiz", "frac_digits", "pmem_next", "AddressOfIndex", "intlen", "Q!file", "__CTOR_LIST__", "lpReserved2", "=dtoa_lock", "handler", "rvaTarget", "__pformat_state_t", "count", ".idata$50", ".idata$4`", "__rv_alloc_D2A", "__Balloc_D2A", "FPI_Round_down", "PRTL_CRITICAL_SECTION", "STRTOG_Normal", "TimeDateStamp", "VT_BLOB", "cinitexe.c", "_GetPEImageBase", "region_size", "__pformat_efloat", "max_unsigned", "negative_sign", "._iobuf", "_dbl_union", ".text.startup", "MEMORY_BASIC_INFORMATION", ".rdata$.refptr.__mingw_app_type", "EXCEPTION_ROUTINE", "SegDs", "___crt_xp_end__", "H[^_]A\\A]A^A_", "_get_invalid_parameter_handler", "leftright", "VT_UNKNOWN", "__imp_SetUnhandledExceptionFilter", "*__mingw_initltsdrot_force", "_W_mon_thousands_sep", "__imp___setusermatherr", "p05.0", "_newmodep", "./mingw-w64-crt/crt/tlsmcrt.c", "mainCRTStartup", "Rcheck_managed_app", "__nrv_alloc_D2A", "maxSections", "__mingw_winmain_hInstance", ".debug_abbrev", "__builtin_fwrite", "dwFillAttribute", "./mingw-w64-crt/crt/crt_handler.c", "__p__commode.c", "__gnuc_va_list", "ptrdiff_t", "signal", "__xi_a", "8[^_]A\\A]A^A_", "'malloc", "__mingw_module_is_dll", "__p__fmode", "nptrs", "+malloc", "+dtoa_lock_cleanup", "pPEHeader", "s_mbstate.0", "7WinMainCRTStartup", "__mingw_enum_import_library_names", "VT_BSTR_BLOB", ".idata$5 ", "|$`E)", "Value", "kindp", "winnt.h", "BaseOfCode", "StackLimit", ".rdata$.refptr.__mingw_initltssuo_force", "HcP", "state", "|$>E1", "vfprintf", "STRTOG_NaN", "VT_INT_PTR", "wcsrtombs", "LPBYTE", "FPI_Round_up", "./mingw-w64-crt/crt/gccmain.c", "locale.h", "hStdInput", "SizeOfCode", "one_digit", "s_mbstate", "errhandlingapi.h", "saved_errno", "_matherr(): %s in %s(%g, %g) (retval=%g)", "EnterCriticalSection", "Characteristics", "gdtoaimp.h", "XMM_SAVE_AREA32", "e_res2", "IMAGE_DATA_DIRECTORY", "__p_sig_fn_t", "VT_FILETIME", "__initialized", "FPI_Round_near", "___w64_mingwthr_remove_key_dtor", "index", "_newmode", "Reserved2", "./mingw-w64-crt/misc/strnlen.c", "_matherr", "has_cctor", "unsigned int", "decpt", "VT_VARIANT", "nested", "thousands_chr", "_RTL_CRITICAL_SECTION", "C$9C(~", "__tens_D2A", "/build", "__xd_a", "State", "Reserved3", "X X.. ", "EVARENUM", "_commode", "*__lo0bits_D2A", "strerror", "__pformat_ushort_t", "__pformat_putc", "__imp__fmode", "./mingw-w64-crt/crt/tlsthrd.c", "initialized", "_W_positive_sign", "p_sign_posn", "./mingw-w64-crt/stdio/mingw_lock.c", "ULong", "MajorLinkerVersion", "VT_STREAM", "[^_]A\\A]A^A_", "_EXCEPTION_POINTERS", "NumberOfRvaAndSizes", "$__p__commode", "e_res", "new_key", "pOptHeader", "addend", "GetStartupInfoA", "/sign_exponent", "@__uI128", "VT_UI1", "VT_BYREF", "SizeOfHeapCommit", "NumberOfLinenumbers", "unsigned char", "&_gnu_exception_handler", "__mingwthr_cs_init", "sSecInfo", "./mingw-w64-crt/misc/mbrtowc.c", "__pformat_char_t", "backtrack", "__setusermatherr", "VT_SAFEARRAY", " _initterm", "LPVOID", "__pformat_xdouble", "e_csum", "'exception_data", "VT_USERDEFINED", "Sleep", "._XMM_SAVE_AREA32", "VT_CLSID", "sign_bit", "mingw_matherr.c", "_f__p__acmdln", "PIMAGE_IMPORT_DESCRIPTOR", "__mingw_setusermatherr", " [^_]A\\H", "fputc", "__native_startup_state", "NumberOfSymbols", "crtexe.c", "SIZE_T", "_M128A", "LONGLONG", "LPBOOL", "_onexit_t", ")_exception", " [^_H", "SpareWORD", "VT_RESERVED", "__imp__acmdln", "Header", "<2ZGU", "long long unsigned int", "value", "#_fpreset", "3pre_c_init", "no_digits", "(2vfprintf", "small_ilim", "__strcp_D2A", "Destination", "mbstate_t", "DeleteCriticalSection", "__iob_func", "IMAGE_IMPORT_DESCRIPTOR", "_tls_end", "ExceptionList", "iargval", "._CONTEXT", "./mingw-w64-crt/crt/merr.c", ")D$p)", "$_fpreset", "ULONG_PTR", " Unknown pseudo relocation bit size %d.", "([^_]A\\A]A^A_", "Subsystem", "pNTHeader", "_CONTEXT", "tmp_dst", "Version", "PDWORD", "grouping", "*__isnan", "AddressOfEntryPoint", "gdtoa.h", "StartAddressOfRawData", "./mingw-w64-crt/gdtoa/gdtoa.c", "`.data", "VT_UI4", "NumberOfSections", "./mingw-w64-crt/gdtoa/misc.c", "VirtualQuery", "@[^_]A\\A]A^", "?__report_error", "=mark_section_writable", "ExChange", "NT_TIB", "__builtin_va_list", "UATWVSH", "Unknown error", "va_list", "__pformat_emit_inf_or_nan", "!tagCOINITBASE", "CreatorBackTraceIndex", "3__tmainCRTStartup", "LoaderFlags", "dwXSize", "VT_STREAMED_OBJECT", "_IMAGE_DATA_DIRECTORY", "inDoubleQuote", "wtypes.h", "SegSs", "SpinCount", "___w64_mingwthr_add_key_dtor", "ContextRecord", "__imp___p__fmode", "winbase.h", "e_magic", "_tls_used", "*__isnanl", "string.h", "__image_base__", "__native_dllmain_reason", "ImageBase", ":MZuYHcB= 5.4.1 for best performance\n2026-03-05 20:38:15,314 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.screenshots\"\n2026-03-05 20:38:15,314 [root] DEBUG: Imported auxiliary module \"modules.auxiliary.tlsdump\"\n2026-03-05 20:38:15,329 [root] DEBUG: Initialized auxiliary module \"Browser\"\n2026-03-05 20:38:15,329 [root] DEBUG: attempting to configure 'Browser' from data\n2026-03-05 20:38:15,329 [root] DEBUG: module Browser does not support data configuration, ignoring\n2026-03-05 20:38:15,329 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.browser\"...\n2026-03-05 20:38:15,329 [root] DEBUG: Started auxiliary module modules.auxiliary.browser\n2026-03-05 20:38:15,329 [root] DEBUG: Initialized auxiliary module \"DigiSig\"\n2026-03-05 20:38:15,329 [root] DEBUG: attempting to configure 'DigiSig' from data\n2026-03-05 20:38:15,329 [root] DEBUG: module DigiSig does not support data configuration, ignoring\n2026-03-05 20:38:15,329 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.digisig\"...\n2026-03-05 20:38:15,329 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature\n2026-03-05 20:38:15,673 [modules.auxiliary.digisig] DEBUG: File is not signed\n2026-03-05 20:38:15,673 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json\n2026-03-05 20:38:15,689 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig\n2026-03-05 20:38:15,689 [root] DEBUG: Initialized auxiliary module \"Disguise\"\n2026-03-05 20:38:15,689 [root] DEBUG: attempting to configure 'Disguise' from data\n2026-03-05 20:38:15,689 [root] DEBUG: module Disguise does not support data configuration, ignoring\n2026-03-05 20:38:15,689 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.disguise\"...\n2026-03-05 20:38:15,704 [modules.auxiliary.disguise] INFO: Disguising GUID to ec8bbd24-c8f2-42c4-a779-1de65c423ecb\n2026-03-05 20:38:15,704 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise\n2026-03-05 20:38:15,704 [root] DEBUG: Initialized auxiliary module \"Human\"\n2026-03-05 20:38:15,704 [root] DEBUG: attempting to configure 'Human' from data\n2026-03-05 20:38:15,704 [root] DEBUG: module Human does not support data configuration, ignoring\n2026-03-05 20:38:15,704 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.human\"...\n2026-03-05 20:38:15,720 [root] DEBUG: Started auxiliary module modules.auxiliary.human\n2026-03-05 20:38:15,720 [root] DEBUG: Initialized auxiliary module \"Screenshots\"\n2026-03-05 20:38:15,720 [root] DEBUG: attempting to configure 'Screenshots' from data\n2026-03-05 20:38:15,736 [root] DEBUG: module Screenshots does not support data configuration, ignoring\n2026-03-05 20:38:15,736 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.screenshots\"...\n2026-03-05 20:38:15,736 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots\n2026-03-05 20:38:15,736 [root] DEBUG: Initialized auxiliary module \"TLSDumpMasterSecrets\"\n2026-03-05 20:38:15,736 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data\n2026-03-05 20:38:15,736 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring\n2026-03-05 20:38:15,736 [root] DEBUG: Trying to start auxiliary module \"modules.auxiliary.tlsdump\"...\n2026-03-05 20:38:15,751 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 644\n2026-03-05 20:38:15,782 [lib.api.process] INFO: Monitor config for : C:\\tvrblpce\\dll\\644.ini\n2026-03-05 20:38:15,782 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor\n2026-03-05 20:38:15,798 [lib.api.process] INFO: 64-bit DLL to inject is C:\\tvrblpce\\dll\\tEOoLB.dll, loader C:\\tvrblpce\\bin\\YPpQJggo.exe\n2026-03-05 20:38:15,986 [root] DEBUG: Loader: Injecting process 644 with C:\\tvrblpce\\dll\\tEOoLB.dll.\n2026-03-05 20:38:16,439 [root] DEBUG: 644: Python path set to 'C:\\Python310'.\n2026-03-05 20:38:16,455 [root] DEBUG: 644: Disabling sleep skipping.\n2026-03-05 20:38:16,455 [root] DEBUG: 644: TLS secret dump mode enabled.\n2026-03-05 20:38:16,533 [root] DEBUG: 644: RtlInsertInvertedFunctionTable 0x00007FFEFE86090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEFE9BD500\n2026-03-05 20:38:16,533 [root] DEBUG: 644: Monitor initialised: 64-bit capemon loaded in process 644 at 0x00007FFEAC4F0000, thread 8004, image base 0x00007FF7C23E0000, stack from 0x0000008E4C9F1000-0x0000008E4CA00000\n2026-03-05 20:38:16,548 [root] DEBUG: 644: Commandline: C:\\Windows\\system32\\lsass.exe\n2026-03-05 20:38:16,579 [root] DEBUG: 644: Hooked 5 out of 5 functions\n2026-03-05 20:38:16,579 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.\n2026-03-05 20:38:16,579 [root] DEBUG: Successfully injected DLL C:\\tvrblpce\\dll\\tEOoLB.dll.\n2026-03-05 20:38:16,579 [lib.api.process] INFO: Injected into 64-bit \n2026-03-05 20:38:16,595 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump\n2026-03-05 20:38:21,205 [root] DEBUG: 644: TLS 1.2 secrets logged to: C:\\WbXUDubO\\tlsdump\\tlsdump.log\n2026-03-05 20:38:24,189 [root] INFO: Restarting WMI Service\n2026-03-05 20:38:26,298 [root] DEBUG: package modules.packages.exe does not support configure, ignoring\n2026-03-05 20:38:26,298 [root] WARNING: configuration error for package modules.packages.exe: error importing data.packages.exe: No module named 'data.packages'\n2026-03-05 20:38:26,298 [lib.core.compound] INFO: C:\\Users\\cape\\AppData\\Local\\Temp already exists, skipping creation\n2026-03-05 20:38:26,392 [lib.api.process] INFO: Successfully executed process from path \"C:\\Users\\cape\\AppData\\Local\\Temp\\test_sample.exe\" with arguments \"\" with pid 2788\n2026-03-05 20:38:26,392 [lib.api.process] INFO: Monitor config for : C:\\tvrblpce\\dll\\2788.ini\n2026-03-05 20:38:26,423 [lib.api.process] INFO: 64-bit DLL to inject is C:\\tvrblpce\\dll\\tEOoLB.dll, loader C:\\tvrblpce\\bin\\YPpQJggo.exe\n2026-03-05 20:38:26,455 [root] DEBUG: Loader: Injecting process 2788 (thread 1680) with C:\\tvrblpce\\dll\\tEOoLB.dll.\n2026-03-05 20:38:26,455 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.\n2026-03-05 20:38:26,455 [root] DEBUG: Successfully injected DLL C:\\tvrblpce\\dll\\tEOoLB.dll.\n2026-03-05 20:38:26,470 [lib.api.process] INFO: Injected into 64-bit \n2026-03-05 20:38:28,486 [lib.api.process] INFO: Successfully resumed \n2026-03-05 20:38:28,642 [root] DEBUG: 2788: Python path set to 'C:\\Python310'.\n2026-03-05 20:38:28,657 [root] DEBUG: 2788: Disabling sleep skipping.\n2026-03-05 20:38:28,657 [root] DEBUG: 2788: Dropped file limit defaulting to 100.\n2026-03-05 20:38:28,689 [root] DEBUG: 2788: YaraInit: Compiled 44 rule files\n2026-03-05 20:38:28,689 [root] DEBUG: 2788: YaraInit: Compiled rules saved to file C:\\tvrblpce\\data\\yara\\capemon.yac\n2026-03-05 20:38:28,720 [root] DEBUG: 2788: RtlInsertInvertedFunctionTable 0x00007FFEFE86090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEFE9BD500\n2026-03-05 20:38:28,720 [root] DEBUG: 2788: YaraScan: Scanning 0x00007FF6BF320000, size 0x3d51e\n2026-03-05 20:38:28,720 [root] DEBUG: 2788: Monitor initialised: 64-bit capemon loaded in process 2788 at 0x00007FFEAC4F0000, thread 1680, image base 0x00007FF6BF320000, stack from 0x000000D4563F1000-0x000000D456400000\n2026-03-05 20:38:28,736 [root] DEBUG: 2788: Commandline: \"C:\\Users\\cape\\AppData\\Local\\Temp\\test_sample.exe\"\n2026-03-05 20:38:28,767 [root] DEBUG: 2788: hook_api: LdrpCallInitRoutine export address 0x00007FFEFE8699BC obtained via GetFunctionAddress\n2026-03-05 20:38:28,829 [root] WARNING: b'Unable to place hook on LockResource'\n2026-03-05 20:38:28,829 [root] DEBUG: 2788: set_hooks: Unable to hook LockResource\n2026-03-05 20:38:28,861 [root] DEBUG: 2788: Hooked 627 out of 628 functions\n2026-03-05 20:38:28,861 [root] DEBUG: 2788: Syscall hook installed, syscall logging level 1\n2026-03-05 20:38:28,892 [root] DEBUG: 2788: RestoreHeaders: Restored original import table.\n2026-03-05 20:38:28,892 [root] INFO: Loaded monitor into process with pid 2788\n2026-03-05 20:38:28,892 [root] DEBUG: 2788: YaraScan: Scanning 0x00007FF6BF320000, size 0x3d51e\n2026-03-05 20:38:28,892 [root] DEBUG: 2788: YaraScan: Scanning 0x00007FF6BF320000, size 0x3d51e\n2026-03-05 20:38:28,970 [root] DEBUG: 2788: caller_dispatch: Added region at 0x00007FF6BF320000 to tracked regions list (kernel32::SetUnhandledExceptionFilter returns to 0x00007FF6BF32125E, thread 1680).\n2026-03-05 20:38:28,986 [root] DEBUG: 2788: YaraScan: Scanning 0x00007FF6BF320000, size 0x3d51e\n2026-03-05 20:38:29,001 [root] DEBUG: 2788: ProcessImageBase: Main module image at 0x00007FF6BF320000 unmodified (entropy change 0.000000e+00)\n2026-03-05 20:38:29,001 [root] DEBUG: 2788: DLL loaded at 0x00007FFEEA690000: C:\\Windows\\SYSTEM32\\TextShaping (0xac000 bytes).\n2026-03-05 20:38:29,048 [root] DEBUG: 2788: DLL loaded at 0x00007FFEF9980000: C:\\Windows\\system32\\uxtheme (0x9e000 bytes).\n2026-03-05 20:38:29,048 [root] DEBUG: 2788: DLL loaded at 0x00007FFEFE6C0000: C:\\Windows\\System32\\MSCTF (0x115000 bytes).\n2026-03-05 20:38:29,064 [root] DEBUG: 2788: set_hooks_by_export_directory: Hooked 0 out of 628 functions\n2026-03-05 20:38:29,064 [root] DEBUG: 2788: DLL loaded at 0x00007FFEF9E80000: C:\\Windows\\SYSTEM32\\kernel.appcore (0x12000 bytes).\n2026-03-05 20:38:29,064 [root] DEBUG: 2788: DLL loaded at 0x00007FFEFC380000: C:\\Windows\\System32\\bcryptPrimitives (0x82000 bytes).\n2026-03-05 20:38:29,095 [root] DEBUG: 2788: DLL loaded at 0x00007FFEFAC70000: C:\\Windows\\SYSTEM32\\ntmarta (0x33000 bytes).\n2026-03-05 20:38:29,095 [root] DEBUG: 2788: DLL loaded at 0x00007FFEF9770000: C:\\Windows\\System32\\CoreMessaging (0xf2000 bytes).\n2026-03-05 20:38:29,095 [root] DEBUG: 2788: DLL loaded at 0x00007FFEF8C40000: C:\\Windows\\SYSTEM32\\wintypes (0x154000 bytes).\n2026-03-05 20:38:29,095 [root] DEBUG: 2788: DLL loaded at 0x00007FFEFE330000: C:\\Windows\\System32\\SHCORE (0xad000 bytes).\n2026-03-05 20:38:29,095 [root] DEBUG: 2788: DLL loaded at 0x00007FFEF9310000: C:\\Windows\\System32\\CoreUIComponents (0x35e000 bytes).\n2026-03-05 20:38:29,095 [root] DEBUG: 2788: DLL loaded at 0x00007FFEECA90000: C:\\Windows\\SYSTEM32\\textinputframework (0xf9000 bytes).\n2026-03-05 20:39:29,439 [root] INFO: Analysis timeout hit, terminating analysis\n2026-03-05 20:39:29,439 [lib.api.process] INFO: Terminate event set for \n2026-03-05 20:39:29,439 [root] DEBUG: 2788: Terminate Event: Attempting to dump process 2788\n2026-03-05 20:39:29,439 [root] DEBUG: 2788: VerifyCodeSection: Executable code does not match, 0x6d2a of 0x6d40 matching\n2026-03-05 20:39:29,454 [root] DEBUG: 2788: DoProcessDump: Code modification detected, dumping Imagebase at 0x00007FF6BF320000.\n2026-03-05 20:39:29,454 [root] DEBUG: 2788: DumpImageInCurrentProcess: Attempting to dump virtual PE image.\n2026-03-05 20:39:29,454 [root] DEBUG: 2788: DumpProcess: Instantiating PeParser with address: 0x00007FF6BF320000.\n2026-03-05 20:39:29,454 [root] DEBUG: 2788: DumpProcess: Module entry point VA is 0x00007FF6BF3214D0.\n2026-03-05 20:39:29,564 [lib.common.results] INFO: Uploading file C:\\WbXUDubO\\CAPE\\2788_211972939175432026 to procdump\\cec469417f73bb3e1ee40b3a8cd87f067003f91dd14716d2c452d16b1ff2a3d5; Size is 206848; Max size: 100000000\n2026-03-05 20:39:29,579 [root] DEBUG: 2788: DumpProcess: Module image dump success - dump size 0x32800.\n2026-03-05 20:39:29,611 [lib.api.process] INFO: Termination confirmed for \n2026-03-05 20:39:29,611 [root] INFO: Terminate event set for process 2788\n2026-03-05 20:39:29,611 [root] INFO: Created shutdown mutex\n2026-03-05 20:39:29,611 [root] DEBUG: 2788: Terminate Event: monitor shutdown complete for process 2788\n2026-03-05 20:39:30,626 [root] INFO: Shutting down package\n2026-03-05 20:39:30,658 [root] INFO: Stopping auxiliary modules\n2026-03-05 20:39:30,658 [root] INFO: Stopping auxiliary module: Browser\n2026-03-05 20:39:30,658 [root] INFO: Stopping auxiliary module: Human\n2026-03-05 20:39:31,376 [root] INFO: Stopping auxiliary module: Screenshots\n2026-03-05 20:39:31,861 [root] INFO: Finishing auxiliary modules\n2026-03-05 20:39:31,861 [root] INFO: Shutting down pipe server and dumping dropped files\n2026-03-05 20:39:31,861 [root] WARNING: Folder at path \"C:\\WbXUDubO\\debugger\" does not exist, skipping\n2026-03-05 20:39:31,876 [root] INFO: Uploading files at path \"C:\\WbXUDubO\\tlsdump\"\n2026-03-05 20:39:31,876 [lib.common.results] INFO: Uploading file C:\\WbXUDubO\\tlsdump\\tlsdump.log to tlsdump\\tlsdump.log; Size is 2740; Max size: 100000000\n2026-03-05 20:39:31,876 [root] INFO: Analysis completed\n", "errors": [] }, "network": { "pcap_sha256": "27d5d163634674d6a5fe3c06a7ba03ed99857f8131b0e6f2c2157fcc41244e93", "hosts": [ { "ip": "2.23.90.38", "country_name": "unknown", "asn": "", "asn_name": "", "hostname": "", "inaddrarpa": "", "ports": [ 443 ] }, { "ip": "13.107.6.156", "country_name": "unknown", "asn": "", "asn_name": "", "hostname": "", "inaddrarpa": "", "ports": [ 443 ] }, { "ip": "84.47.178.41", "country_name": "unknown", "asn": "", "asn_name": "", "hostname": "", "inaddrarpa": "", "ports": [ 443 ] }, { "ip": "13.107.253.44", "country_name": "unknown", "asn": "", "asn_name": "", "hostname": "", "inaddrarpa": "", "ports": [ 443 ] }, { "ip": "150.171.27.11", "country_name": "unknown", "asn": "", "asn_name": "", "hostname": "", "inaddrarpa": "", "ports": [ 443 ] }, { "ip": "84.47.178.49", "country_name": "unknown", "asn": "", "asn_name": "", "hostname": "", "inaddrarpa": "", "ports": [ 443 ] }, { "ip": "52.123.242.97", "country_name": "unknown", "asn": "", "asn_name": "", "hostname": "", "inaddrarpa": "", "ports": [ 443 ] }, { "ip": "20.42.65.93", "country_name": "unknown", "asn": "", "asn_name": "", "hostname": "", "inaddrarpa": "", "ports": [ 443 ] }, { "ip": "40.126.53.14", "country_name": "unknown", "asn": "", "asn_name": "", "hostname": "", "inaddrarpa": "", "ports": [ 443 ] }, { "ip": "4.207.247.139", "country_name": "unknown", "asn": "", "asn_name": "", "hostname": "", "inaddrarpa": "", "ports": [ 443 ] }, { "ip": "20.189.173.2", "country_name": "unknown", "asn": "", "asn_name": "", "hostname": "", "inaddrarpa": "", "ports": [ 443 ] } ], "domains": [], "tcp": [ { "src": "192.168.1.100", "sport": 49723, "dst": "20.189.173.2", "dport": 443, "offset": 24, "time": 0.0 }, { "src": "192.168.1.100", "sport": 49724, "dst": "20.189.173.2", "dport": 443, "offset": 95, "time": 0.9221639633178711 }, { "src": "192.168.1.100", "sport": 49784, "dst": "40.126.53.14", "dport": 443, "offset": 248, "time": 4.628948926925659 }, { "src": "192.168.1.100", "sport": 49721, "dst": "8.8.8.8", "dport": 443, "offset": 8723, "time": 5.2031028270721436 }, { "src": "192.168.1.100", "sport": 49812, "dst": "40.126.53.14", "dport": 443, "offset": 14474, "time": 10.654247045516968 }, { "src": "192.168.1.100", "sport": 49821, "dst": "4.207.247.139", "dport": 443, "offset": 64219, "time": 28.369138956069946 }, { "src": "192.168.1.100", "sport": 49728, "dst": "150.171.27.11", "dport": 443, "offset": 75392, "time": 30.51382088661194 }, { "src": "192.168.1.100", "sport": 49822, "dst": "13.107.253.44", "dport": 443, "offset": 76026, "time": 32.960121870040894 }, { "src": "192.168.1.100", "sport": 49823, "dst": "84.47.178.49", "dport": 443, "offset": 78423, "time": 33.167136907577515 }, { "src": "192.168.1.100", "sport": 49825, "dst": "52.123.128.14", "dport": 443, "offset": 223159, "time": 34.06683588027954 }, { "src": "192.168.1.100", "sport": 49710, "dst": "84.47.178.41", "dport": 443, "offset": 257035, "time": 39.71616291999817 }, { "src": "192.168.1.100", "sport": 49719, "dst": "8.8.4.4", "dport": 443, "offset": 257317, "time": 40.263190031051636 }, { "src": "192.168.1.100", "sport": 49708, "dst": "13.107.6.156", "dport": 443, "offset": 257599, "time": 41.01310396194458 }, { "src": "192.168.1.100", "sport": 49712, "dst": "84.47.178.41", "dport": 443, "offset": 384835, "time": 42.20020389556885 }, { "src": "192.168.1.100", "sport": 49829, "dst": "4.207.247.139", "dport": 443, "offset": 391654, "time": 48.22535490989685 }, { "src": "4.207.247.139", "sport": 443, "dst": "192.168.1.100", "dport": 49806, "offset": 402174, "time": 48.4492609500885 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49738, "offset": 407193, "time": 79.40759801864624 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49733, "offset": 407294, "time": 79.40763092041016 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49736, "offset": 407465, "time": 79.40773582458496 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49752, "offset": 407706, "time": 79.4078049659729 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49744, "offset": 407947, "time": 79.40789294242859 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49776, "offset": 408468, "time": 79.40798687934875 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49772, "offset": 408849, "time": 79.40826797485352 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49740, "offset": 409090, "time": 79.40832591056824 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49766, "offset": 409331, "time": 79.40835690498352 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49754, "offset": 409572, "time": 79.40842986106873 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49760, "offset": 410023, "time": 79.40876984596252 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49768, "offset": 410404, "time": 79.40890884399414 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49774, "offset": 410715, "time": 79.40897798538208 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49762, "offset": 411026, "time": 79.40909194946289 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49789, "offset": 411127, "time": 79.409108877182 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49778, "offset": 411438, "time": 79.40919303894043 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49783, "offset": 412029, "time": 79.4093689918518 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49792, "offset": 412340, "time": 79.40948987007141 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49746, "offset": 412441, "time": 79.40954089164734 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49761, "offset": 412612, "time": 79.40959191322327 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49796, "offset": 412923, "time": 79.40965700149536 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49759, "offset": 413514, "time": 79.40998697280884 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49734, "offset": 413825, "time": 79.41010999679565 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49751, "offset": 413996, "time": 79.41016983985901 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49745, "offset": 414307, "time": 79.41028094291687 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49749, "offset": 414618, "time": 79.41035389900208 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49799, "offset": 414929, "time": 79.41049695014954 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49743, "offset": 415240, "time": 79.41057991981506 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49739, "offset": 415341, "time": 79.41063594818115 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49753, "offset": 415932, "time": 79.41075897216797 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49771, "offset": 416173, "time": 79.41081190109253 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49765, "offset": 416344, "time": 79.41082382202148 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49737, "offset": 416935, "time": 79.41098690032959 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49767, "offset": 417176, "time": 79.4110779762268 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49780, "offset": 417767, "time": 79.41201591491699 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49747, "offset": 417938, "time": 79.41208791732788 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49770, "offset": 418389, "time": 79.41247391700745 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49769, "offset": 418700, "time": 79.41378998756409 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49742, "offset": 419011, "time": 79.41408896446228 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49775, "offset": 419322, "time": 79.41527605056763 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49788, "offset": 419563, "time": 79.41552495956421 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49773, "offset": 419804, "time": 79.41560196876526 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49779, "offset": 419975, "time": 79.41583490371704 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49781, "offset": 420146, "time": 79.41604804992676 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49777, "offset": 420247, "time": 79.41613698005676 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49785, "offset": 420908, "time": 79.4163019657135 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49791, "offset": 421359, "time": 79.4164879322052 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49801, "offset": 421810, "time": 79.4179618358612 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49794, "offset": 422121, "time": 79.41811203956604 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49798, "offset": 422432, "time": 79.4184319972992 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49787, "offset": 422743, "time": 79.41983890533447 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49732, "offset": 423054, "time": 79.42810988426208 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49741, "offset": 423365, "time": 79.43800401687622 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49731, "offset": 423676, "time": 79.4387149810791 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49735, "offset": 423987, "time": 79.44636392593384 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49750, "offset": 424298, "time": 79.44676089286804 }, { "src": "2.23.90.38", "sport": 443, "dst": "192.168.1.100", "dport": 49748, "offset": 424469, "time": 79.44688296318054 } ], "udp": [ { "src": "192.168.1.100", "sport": 61717, "dst": "8.8.8.8", "dport": 53, "offset": 63714, "time": 28.12889790534973 }, { "src": "192.168.1.100", "sport": 138, "dst": "192.168.1.255", "dport": 138, "offset": 75533, "time": 31.66464400291443 }, { "src": "192.168.1.100", "sport": 53141, "dst": "8.8.8.8", "dport": 53, "offset": 222564, "time": 34.01432490348816 }, { "src": "192.168.1.100", "sport": 63771, "dst": "8.8.8.8", "dport": 53, "offset": 257740, "time": 41.099112033843994 } ], "icmp": [], "http": [], "dns": [], "smtp": [], "irc": [], "dead_hosts": [ [ "20.42.65.93", 443 ], [ "52.123.242.97", 443 ] ] }, "suricata": { "alerts": [], "tls": [], "perf": [], "files": [], "http": [], "dns": [], "ssh": [], "fileinfo": [], "eve_log_full_path": "/opt/CAPEv2/storage/analyses/12/logs/eve.json", "alert_log_full_path": null, "tls_log_full_path": null, "http_log_full_path": null, "file_log_full_path": null, "ssh_log_full_path": null, "dns_log_full_path": null }, "url_analysis": {}, "procmemory": [], "signatures": [ { "name": "stealth_network", "description": "Network activity detected but not expressed in monitor API logs", "categories": [ "stealth" ], "severity": 1, "weight": 1, "confidence": 100, "references": [], "data": [ { "ip": "2.23.90.38" }, { "ip": "13.107.6.156" }, { "ip": "84.47.178.41" }, { "ip": "13.107.253.44" }, { "ip": "150.171.27.11" }, { "ip": "84.47.178.49" }, { "ip": "52.123.242.97" }, { "ip": "20.42.65.93" }, { "ip": "40.126.53.14" }, { "ip": "4.207.247.139" }, { "ip": "20.189.173.2" } ], "new_data": [], "alert": false, "families": [] }, { "name": "antidebug_setunhandledexceptionfilter", "description": "SetUnhandledExceptionFilter detected (possible anti-debug)", "categories": [ "anti-debug" ], "severity": 1, "weight": 1, "confidence": 40, "references": [], "data": [ { "type": "call", "pid": 2788, "cid": 17 } ], "new_data": [], "alert": false, "families": [] }, { "name": "antianalysis_tls_section", "description": "Contains .tls (Thread Local Storage) section", "categories": [ "anti-analysis" ], "severity": 2, "weight": 1, "confidence": 100, "references": [], "data": [ { "section": { "name": ".tls", "raw_address": "0x00009a00", "virtual_address": "0x0000f000", "virtual_size": "0x00000010", "size_of_data": "0x00000200", "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE", "characteristics_raw": "0xc0000040", "entropy": "0.00" } } ], "new_data": [], "alert": false, "families": [] }, { "name": "packer_unknown_pe_section_name", "description": "The binary contains an unknown PE section name indicative of packing", "categories": [ "packer" ], "severity": 2, "weight": 1, "confidence": 100, "references": [], "data": [ { "unknown section": { "name": "/4", "raw_address": "0x00009e00", "virtual_address": "0x00011000", "virtual_size": "0x00000650", "size_of_data": "0x00000800", "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ", "characteristics_raw": "0x42000040", "entropy": "1.50" } }, { "unknown section": { "name": "/19", "raw_address": "0x0000a600", "virtual_address": "0x00012000", "virtual_size": "0x00011bab", "size_of_data": "0x00011c00", "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ", "characteristics_raw": "0x42000040", "entropy": "5.78" } }, { "unknown section": { "name": "/31", "raw_address": "0x0001c200", "virtual_address": "0x00024000", "virtual_size": "0x00003261", "size_of_data": "0x00003400", "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ", "characteristics_raw": "0x42000040", "entropy": "4.78" } }, { "unknown section": { "name": "/45", "raw_address": "0x0001f600", "virtual_address": "0x00028000", "virtual_size": "0x000069d7", "size_of_data": "0x00006a00", "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ", "characteristics_raw": "0x42000040", "entropy": "5.09" } }, { "unknown section": { "name": "/57", "raw_address": "0x00026000", "virtual_address": "0x0002f000", "virtual_size": "0x00002158", "size_of_data": "0x00002200", "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ", "characteristics_raw": "0x42000040", "entropy": "3.59" } }, { "unknown section": { "name": "/70", "raw_address": "0x00028200", "virtual_address": "0x00032000", "virtual_size": "0x0000039d", "size_of_data": "0x00000400", "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ", "characteristics_raw": "0x42000040", "entropy": "4.62" } }, { "unknown section": { "name": "/81", "raw_address": "0x00028600", "virtual_address": "0x00033000", "virtual_size": "0x00001662", "size_of_data": "0x00001800", "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ", "characteristics_raw": "0x42000040", "entropy": "4.60" } }, { "unknown section": { "name": "/97", "raw_address": "0x00029e00", "virtual_address": "0x00035000", "virtual_size": "0x000078fd", "size_of_data": "0x00007a00", "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ", "characteristics_raw": "0x42000040", "entropy": "5.84" } }, { "unknown section": { "name": "/113", "raw_address": "0x00031800", "virtual_address": "0x0003d000", "virtual_size": "0x0000051f", "size_of_data": "0x00000600", "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ", "characteristics_raw": "0x42000040", "entropy": "5.27" } } ], "new_data": [], "alert": false, "families": [] }, { "name": "contains_pe_overlay", "description": "The PE file contains an overlay", "categories": [ "static" ], "severity": 2, "weight": 1, "confidence": 100, "references": [], "data": [ { "overlay": "Contains overlay at offset 0x00031e00 with size: 42280 bytes" } ], "new_data": [], "alert": false, "families": [] }, { "name": "binary_yara", "description": "Binary file triggered multiple YARA rules", "categories": [ "static" ], "severity": 3, "weight": 1, "confidence": 80, "references": [], "data": [ { "Binary triggered YARA rule": "spyeye" }, { "Binary triggered YARA rule": "IsPE64" }, { "Binary triggered YARA rule": "IsConsole" }, { "Binary triggered YARA rule": "HasOverlay" }, { "Binary triggered YARA rule": "Microsoft_Visual_Cpp_80_DLL" } ], "new_data": [], "alert": false, "families": [] }, { "name": "procmem_yara", "description": "Yara detections observed in process dumps, payloads or dropped files", "categories": [ "malware" ], "severity": 3, "weight": 4, "confidence": 100, "references": [], "data": [ { "Hit": "PID 2788 triggered the Yara rule 'IsPE64' with data '[]'" }, { "Hit": "PID 2788 triggered the Yara rule 'IsConsole' with data '[]'" }, { "Hit": "PID 2788 triggered the Yara rule 'Microsoft_Visual_Cpp_80_DLL' with data '['{ 48 83 EC 28 }']'" } ], "new_data": [], "alert": false, "families": [] } ], "malscore": 8.0, "ttps": [ { "signature": "antianalysis_tls_section", "ttps": [ "T1055" ], "mbcs": [ "B0002", "B0003", "E1055" ] }, { "signature": "packer_unknown_pe_section_name", "ttps": [ "T1027.002", "T1027" ], "mbcs": [ "OB0001", "OB0002", "OB0006", "F0001" ] }, { "signature": "procmem_yara", "ttps": [ "T1071" ], "mbcs": [ "OC0006", "C0002" ] }, { "signature": "contains_pe_overlay", "ttps": [ "T1071" ], "mbcs": [ "OC0006", "C0002" ] } ], "malstatus": "Malicious" }