Analysis

Category: FILE
Package: generic
Started: 2026-04-10 09:03:28
Completed: 2026-04-10 09:04:12
Duration: 44 seconds

Options:
procdump=1
amsidump=1

Log:
2025-12-02 01:29:41,500 [root] INFO: Date set to: 20260410T02:03:28, timeout set to: 150
2026-04-10 03:03:28,015 [root] DEBUG: Starting analyzer from: C:\tmpvsvg3hfz
2026-04-10 03:03:28,015 [root] DEBUG: Storing results at: C:\OudFTIAxGD
2026-04-10 03:03:28,015 [root] DEBUG: Pipe server name: \\.\PIPE\SVzxnqaJPB
2026-04-10 03:03:28,015 [root] DEBUG: Python path: C:\olddocs
2026-04-10 03:03:28,015 [root] DEBUG: No analysis package specified, trying to detect it automagically
2026-04-10 03:03:28,015 [root] INFO: Automatically selected analysis package "generic"
2026-04-10 03:03:28,015 [root] DEBUG: Importing analysis package "generic"...
2026-04-10 03:03:28,031 [root] DEBUG: Initializing analysis package "generic"...
2026-04-10 03:03:28,031 [root] INFO: Analyzer: Package modules.packages.generic does not specify a DLL option
2026-04-10 03:03:28,031 [root] INFO: Analyzer: Package modules.packages.generic does not specify a DLL_64 option
2026-04-10 03:03:28,031 [root] INFO: Analyzer: Package modules.packages.generic does not specify a loader option
2026-04-10 03:03:28,031 [root] INFO: Analyzer: Package modules.packages.generic does not specify a loader_64 option
2026-04-10 03:03:28,078 [root] DEBUG: Importing auxiliary module "modules.auxiliary.browser"...
2026-04-10 03:03:28,078 [root] DEBUG: Importing auxiliary module "modules.auxiliary.curtain"...
2026-04-10 03:03:28,078 [root] DEBUG: Importing auxiliary module "modules.auxiliary.default_apps"...
2026-04-10 03:03:28,078 [root] DEBUG: Importing auxiliary module "modules.auxiliary.digisig"...
2026-04-10 03:03:28,109 [root] DEBUG: Importing auxiliary module "modules.auxiliary.disguise"...
2026-04-10 03:03:28,125 [root] DEBUG: Importing auxiliary module "modules.auxiliary.evtx"...
2026-04-10 03:03:28,140 [root] DEBUG: Importing auxiliary module "modules.auxiliary.fiddler"...
2026-04-10 03:03:28,140 [root] DEBUG: Importing auxiliary module "modules.auxiliary.human"...
2026-04-10 03:03:28,171 [root] DEBUG: Importing auxiliary module "modules.auxiliary.screenshots"...
2026-04-10 03:03:28,171 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2026-04-10 03:03:28,265 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2026-04-10 03:03:28,265 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2026-04-10 03:03:28,265 [root] DEBUG: Importing auxiliary module "modules.auxiliary.sysmon"...
2026-04-10 03:03:28,281 [root] DEBUG: Importing auxiliary module "modules.auxiliary.tlsdump"...
2026-04-10 03:03:28,281 [root] DEBUG: Importing auxiliary module "modules.auxiliary.usage"...
2026-04-10 03:03:28,281 [root] DEBUG: Initializing auxiliary module "Browser"...
2026-04-10 03:03:28,281 [root] DEBUG: Started auxiliary module Browser
2026-04-10 03:03:28,281 [root] DEBUG: Initializing auxiliary module "Curtain"...
2026-04-10 03:03:28,281 [root] DEBUG: Started auxiliary module Curtain
2026-04-10 03:03:28,281 [root] DEBUG: Initializing auxiliary module "DefaultApps"...
2026-04-10 03:03:28,328 [modules.auxiliary.default_apps] DEBUG: Getting current user SID using WinAPI
2026-04-10 03:03:28,328 [root] DEBUG: Started auxiliary module DefaultApps
2026-04-10 03:03:28,328 [root] DEBUG: Initializing auxiliary module "DigiSig"...
2026-04-10 03:03:28,328 [modules.auxiliary.digisig] INFO: signtool.exe was not found in bin/
2026-04-10 03:03:28,328 [modules.auxiliary.digisig] INFO: dummy
2026-04-10 03:03:28,328 [modules.auxiliary.digisig] INFO: Skipping authenticode validation, unsupported analyzer package
2026-04-10 03:03:28,328 [root] DEBUG: Started auxiliary module DigiSig
2026-04-10 03:03:28,328 [root] DEBUG: Initializing auxiliary module "Disguise"...
2026-04-10 03:03:28,609 [modules.auxiliary.disguise] INFO: Setting NoRecentDocsHistory
2026-04-10 03:03:28,625 [root] WARNING: Cannot execute auxiliary module Disguise: [WinError 2] The system cannot find the file specified
2026-04-10 03:03:28,625 [root] DEBUG: Initializing auxiliary module "Evtx"...
2026-04-10 03:03:28,625 [modules.auxiliary.evtx] INFO: Loading audit policy C:\tmpvsvg3hfz\bin\auditpol.csv
2026-04-10 03:03:28,890 [modules.auxiliary.evtx] INFO: Wiping logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2026-04-10 03:03:29,703 [root] DEBUG: Started auxiliary module Evtx
2026-04-10 03:03:29,703 [root] DEBUG: Initializing auxiliary module "Fiddler"...
2026-04-10 03:03:29,703 [modules.auxiliary.fiddler] INFO: fiddler package: dummy
2026-04-10 03:03:29,703 [root] DEBUG: Started auxiliary module Fiddler
2026-04-10 03:03:29,703 [root] DEBUG: Initializing auxiliary module "Human"...
2026-04-10 03:03:29,718 [root] DEBUG: Started auxiliary module Human
2026-04-10 03:03:29,718 [root] DEBUG: Initializing auxiliary module "Screenshots"...
2026-04-10 03:03:29,718 [root] DEBUG: Started auxiliary module Screenshots
2026-04-10 03:03:29,718 [root] DEBUG: Initializing auxiliary module "Sysmon"...
2026-04-10 03:03:29,718 [modules.auxiliary.sysmon] INFO: Seeing if we need to update sysmon config
2026-04-10 03:03:29,734 [root] DEBUG: Started auxiliary module Sysmon
2026-04-10 03:03:29,734 [root] DEBUG: Initializing auxiliary module "TLSDumpMasterSecrets"...
2026-04-10 03:03:29,734 [modules.auxiliary.sysmon] INFO: Found Sysmon Executable
2026-04-10 03:03:29,734 [modules.auxiliary.sysmon] INFO: Found Sysmon config
2026-04-10 03:03:29,734 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 556
2026-04-10 03:03:29,734 [lib.api.process] INFO: Monitor config for process 556: C:\tmpvsvg3hfz\dll\556.ini
2026-04-10 03:03:31,859 [modules.auxiliary.sysmon] INFO: Clearing existing sysmon logs
2026-04-10 03:03:32,750 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2026-04-10 03:03:32,750 [lib.api.process] INFO: Option 'amsidump' with value '1' sent to monitor
2026-04-10 03:03:32,750 [lib.api.process] INFO: Option 'disable_hook_content' with value '4' sent to monitor
2026-04-10 03:03:32,750 [lib.api.process] INFO: Option 'injection' with value '0' sent to monitor
2026-04-10 03:03:32,750 [lib.api.process] INFO: Option 'ntdll_protoect' with value '0' sent to monitor
2026-04-10 03:03:32,750 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2026-04-10 03:03:32,750 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpvsvg3hfz\dll\dmPuthus.dll, loader C:\tmpvsvg3hfz\bin\FaolEvXi.exe
2026-04-10 03:03:32,781 [root] DEBUG: Loader: Injecting process 556 with C:\tmpvsvg3hfz\dll\dmPuthus.dll.
2026-04-10 03:03:32,828 [root] DEBUG: 556: Python path set to 'C:\olddocs'.
2026-04-10 03:03:32,828 [root] DEBUG: 556: Disabling sleep skipping.
2026-04-10 03:03:32,828 [root] DEBUG: 556: Process dumps enabled.
2026-04-10 03:03:32,828 [root] DEBUG: 556: AMSI dumping enabled.
2026-04-10 03:03:32,828 [root] DEBUG: 556: Monitor config - unrecognised key ntdll_protoect.
2026-04-10 03:03:32,828 [root] DEBUG: 556: TLS secret dump mode enabled.
2026-04-10 03:03:32,843 [root] DEBUG: 556: Monitor initialised: 64-bit capemon loaded in process 556 at 0x000007FEED0E0000, thread 404, image base 0x00000000FF650000, stack from 0x0000000002112000-0x0000000002120000
2026-04-10 03:03:32,859 [root] DEBUG: 556: Commandline: C:\Windows\system32\lsass.exe
2026-04-10 03:03:32,875 [root] DEBUG: 556: Hooked 5 out of 5 functions
2026-04-10 03:03:32,875 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2026-04-10 03:03:32,875 [root] DEBUG: Successfully injected DLL C:\tmpvsvg3hfz\dll\dmPuthus.dll.
2026-04-10 03:03:32,875 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 556
2026-04-10 03:03:32,875 [root] DEBUG: Started auxiliary module TLSDumpMasterSecrets
2026-04-10 03:03:32,875 [root] DEBUG: Initializing auxiliary module "Usage"...
2026-04-10 03:03:32,875 [root] DEBUG: Started auxiliary module Usage
2026-04-10 03:03:35,531 [root] INFO: Restarting WMI Service
2026-04-10 03:03:39,593 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\system32\cmd.exe" with arguments "/c start /wait "" "C:\Users\pgabriel\AppData\Local\Temp\foo.exe"" with pid 2060
2026-04-10 03:03:39,593 [lib.api.process] INFO: Monitor config for process 2060: C:\tmpvsvg3hfz\dll\2060.ini
2026-04-10 03:03:39,609 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2026-04-10 03:03:39,609 [lib.api.process] INFO: Option 'amsidump' with value '1' sent to monitor
2026-04-10 03:03:39,609 [lib.api.process] INFO: Option 'disable_hook_content' with value '4' sent to monitor
2026-04-10 03:03:39,609 [lib.api.process] INFO: Option 'injection' with value '0' sent to monitor
2026-04-10 03:03:39,609 [lib.api.process] INFO: Option 'ntdll_protoect' with value '0' sent to monitor
2026-04-10 03:03:39,609 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpvsvg3hfz\dll\BkfVzWdE.dll, loader C:\tmpvsvg3hfz\bin\DjJbSHt.exe
2026-04-10 03:03:39,625 [root] DEBUG: Loader: Injecting process 2060 (thread 2584) with C:\tmpvsvg3hfz\dll\BkfVzWdE.dll.
2026-04-10 03:03:39,625 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-04-10 03:03:39,625 [root] DEBUG: Successfully injected DLL C:\tmpvsvg3hfz\dll\BkfVzWdE.dll.
2026-04-10 03:03:39,625 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2060
2026-04-10 03:03:41,625 [lib.api.process] INFO: Successfully resumed process with pid 2060
2026-04-10 03:03:41,687 [root] DEBUG: 2060: Python path set to 'C:\olddocs'.
2026-04-10 03:03:41,687 [root] DEBUG: 2060: Disabling sleep skipping.
2026-04-10 03:03:41,687 [root] DEBUG: 2060: Process dumps enabled.
2026-04-10 03:03:41,687 [root] DEBUG: 2060: AMSI dumping enabled.
2026-04-10 03:03:41,687 [root] DEBUG: 2060: Monitor config - unrecognised key ntdll_protoect.
2026-04-10 03:03:41,687 [root] DEBUG: 2060: Dropped file limit defaulting to 100.
2026-04-10 03:03:41,703 [root] DEBUG: 2060: YaraInit: Compiled 45 rule files
2026-04-10 03:03:41,703 [root] DEBUG: 2060: YaraInit: Compiled rules saved to file C:\tmpvsvg3hfz\data\yara\capemon.yac
2026-04-10 03:03:41,718 [root] DEBUG: 2060: YaraScan: Scanning 0x4A6D0000, size 0x4bb2e
2026-04-10 03:03:41,718 [root] DEBUG: 2060: Monitor initialised: 32-bit capemon loaded in process 2060 at 0x73b20000, thread 2584, image base 0x4a6d0000, stack from 0x333000-0x430000
2026-04-10 03:03:41,718 [root] DEBUG: 2060: Commandline: "C:\Windows\system32\cmd.exe" /c start /wait "" "C:\Users\pgabriel\AppData\Local\Temp\foo.exe"
2026-04-10 03:03:41,750 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2026-04-10 03:03:41,750 [root] DEBUG: 2060: set_hooks: Unable to hook GetCommandLineA
2026-04-10 03:03:41,750 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2026-04-10 03:03:41,750 [root] DEBUG: 2060: set_hooks: Unable to hook GetCommandLineW
2026-04-10 03:03:41,750 [root] DEBUG: 2060: Hooked 625 out of 627 functions
2026-04-10 03:03:41,765 [root] DEBUG: 2060: RestoreHeaders: Restored original import table.
2026-04-10 03:03:41,765 [root] INFO: Loaded monitor into process with pid 2060
2026-04-10 03:03:41,781 [root] DEBUG: 2060: caller_dispatch: Added region at 0x4A6D0000 to tracked regions list (ntdll::NtOpenThread returns to 0x4A6D732B, thread 2584).
2026-04-10 03:03:41,781 [root] DEBUG: 2060: YaraScan: Scanning 0x4A6D0000, size 0x4bb2e
2026-04-10 03:03:41,781 [root] DEBUG: 2060: ProcessImageBase: Main module image at 0x4A6D0000 unmodified (entropy change 0.000000e+00)
2026-04-10 03:03:41,796 [root] DEBUG: 2060: DLL loaded at 0x740D0000: C:\Windows\SysWOW64\ntvdm64 (0x7000 bytes).
2026-04-10 03:03:41,796 [root] DEBUG: 2060: DLL loaded at 0x72ED0000: C:\Windows\SysWOW64\VERSION (0x9000 bytes).
2026-04-10 03:03:41,796 [root] DEBUG: 2060: DLL loaded at 0x72EE0000: C:\Windows\system32\uxtheme (0x80000 bytes).
2026-04-10 03:03:41,812 [root] DEBUG: 2060: DLL loaded at 0x740B0000: C:\Windows\SysWOW64\dwmapi (0x13000 bytes).
2026-04-10 03:03:41,859 [modules.auxiliary.sysmon] INFO: Dumping sysmon logs
2026-04-10 03:03:41,968 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2026-04-10 03:03:43,062 [root] DEBUG: 2060: NtTerminateProcess hook: Attempting to dump process 2060
2026-04-10 03:03:43,062 [root] DEBUG: 2060: DoProcessDump: Skipping process dump as code is identical on disk.
2026-04-10 03:03:43,078 [root] INFO: Process with pid 2060 has terminated
2026-04-10 03:03:44,703 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2026-04-10 03:03:45,031 [lib.common.results] INFO: File 1775815424953125000.InternetExplorer.evtx.gz size is 252, Max size: 100000000
2026-04-10 03:03:45,046 [lib.common.results] INFO: File 1775815424937500000.HardwareEvents.evtx.gz size is 214, Max size: 100000000
2026-04-10 03:03:45,046 [lib.common.results] INFO: File 1775815424953125000.KeyManagementService.evtx.gz size is 2253, Max size: 100000000
2026-04-10 03:03:45,062 [lib.common.results] INFO: File 1775815424937500000.Application.evtx.gz size is 7036, Max size: 100000000
2026-04-10 03:03:45,093 [lib.common.results] INFO: File 1775815425031250000.Setup.evtx.gz size is 244, Max size: 100000000
2026-04-10 03:03:45,109 [lib.common.results] INFO: File 1775815425031250000.OAlerts.evtx.gz size is 245, Max size: 100000000
2026-04-10 03:03:45,109 [lib.common.results] INFO: File 1775815425031250000.System.evtx.gz size is 8896, Max size: 100000000
2026-04-10 03:03:45,125 [lib.common.results] INFO: File 1775815425031250000.Security.evtx.gz size is 15205, Max size: 100000000
2026-04-10 03:03:45,140 [lib.common.results] INFO: File 1775815425093750000.WindowsPowerShell.evtx.gz size is 224, Max size: 100000000
2026-04-10 03:03:46,968 [modules.auxiliary.sysmon] INFO: Uploading sysmon/1775815426.96875.sysmon.evtx.gz to host
2026-04-10 03:03:46,968 [lib.common.results] INFO: File C:\Sysmon.evtx.gz size is 9910, Max size: 100000000
2026-04-10 03:03:49,625 [root] INFO: Process list is empty, terminating analysis
2026-04-10 03:03:50,625 [root] INFO: Created shutdown mutex
2026-04-10 03:03:51,625 [root] INFO: Shutting down package
2026-04-10 03:03:51,625 [root] INFO: Stopping auxiliary modules
2026-04-10 03:03:51,625 [modules.auxiliary.curtain] ERROR: Curtain - Error collecting PowerShell events - [WinError 6] The handle is invalid
2026-04-10 03:03:51,640 [lib.common.results] INFO: File C:\curtain.log size is 0, Max size: 100000000
2026-04-10 03:03:51,640 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2026-04-10 03:03:51,937 [lib.common.results] INFO: File 1775815431859375000.HardwareEvents.evtx.gz size is 214, Max size: 100000000
2026-04-10 03:03:51,937 [lib.common.results] INFO: File 1775815431875000000.KeyManagementService.evtx.gz size is 2253, Max size: 100000000
2026-04-10 03:03:51,953 [lib.common.results] INFO: File 1775815431875000000.InternetExplorer.evtx.gz size is 252, Max size: 100000000
2026-04-10 03:03:51,953 [lib.common.results] INFO: File 1775815431859375000.Application.evtx.gz size is 6964, Max size: 100000000
2026-04-10 03:03:52,000 [lib.common.results] INFO: File 1775815431937500000.Security.evtx.gz size is 7210, Max size: 100000000
2026-04-10 03:03:52,015 [lib.common.results] INFO: File 1775815431937500000.OAlerts.evtx.gz size is 245, Max size: 100000000
2026-04-10 03:03:52,031 [lib.common.results] INFO: File 1775815431953125000.System.evtx.gz size is 8625, Max size: 100000000
2026-04-10 03:03:52,031 [lib.common.results] INFO: File 1775815431937500000.Setup.evtx.gz size is 244, Max size: 100000000
2026-04-10 03:03:52,046 [lib.common.results] INFO: File 1775815432000000000.WindowsPowerShell.evtx.gz size is 224, Max size: 100000000
2026-04-10 03:03:52,843 [lib.common.results] INFO: File c:\olddocs\1775815427843.saz size is 4610, Max size: 100000000
2026-04-10 03:03:52,875 [modules.auxiliary.fiddler] ERROR: Saz log file not found in guest machine
2026-04-10 03:03:57,156 [modules.auxiliary.fiddler] ERROR: Saz log file not found in guest machine
2026-04-10 03:03:57,156 [modules.auxiliary.sysmon] INFO: Doing final sysmon log dump
2026-04-10 03:04:00,171 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2026-04-10 03:04:00,437 [lib.common.results] INFO: File 1775815440375000000.InternetExplorer.evtx.gz size is 252, Max size: 100000000
2026-04-10 03:04:00,453 [lib.common.results] INFO: File 1775815440375000000.HardwareEvents.evtx.gz size is 214, Max size: 100000000
2026-04-10 03:04:00,468 [lib.common.results] INFO: File 1775815440359375000.Application.evtx.gz size is 6964, Max size: 100000000
2026-04-10 03:04:00,468 [lib.common.results] INFO: File 1775815440406250000.KeyManagementService.evtx.gz size is 2253, Max size: 100000000
2026-04-10 03:04:00,484 [lib.common.results] INFO: File 1775815440437500000.OAlerts.evtx.gz size is 245, Max size: 100000000
2026-04-10 03:04:00,500 [lib.common.results] INFO: File 1775815440437500000.Security.evtx.gz size is 6922, Max size: 100000000
2026-04-10 03:04:00,515 [lib.common.results] INFO: File 1775815440437500000.Setup.evtx.gz size is 244, Max size: 100000000
2026-04-10 03:04:00,515 [lib.common.results] INFO: File 1775815440437500000.System.evtx.gz size is 8345, Max size: 100000000
2026-04-10 03:04:00,531 [lib.common.results] INFO: File 1775815440484375000.WindowsPowerShell.evtx.gz size is 224, Max size: 100000000
2026-04-10 03:04:01,984 [modules.auxiliary.sysmon] INFO: Dumping sysmon logs
2026-04-10 03:04:02,249 [modules.auxiliary.sysmon] INFO: Uploading sysmon/1775815442.2499998.sysmon.evtx.gz to host
2026-04-10 03:04:02,249 [lib.common.results] INFO: File C:\Sysmon.evtx.gz size is 11804, Max size: 100000000
2026-04-10 03:04:02,249 [root] INFO: Finishing auxiliary modules
2026-04-10 03:04:02,249 [root] INFO: Shutting down pipe server and dumping dropped files
2026-04-10 03:04:02,249 [root] WARNING: Folder at path "C:\OudFTIAxGD\debugger" does not exist, skipping
2026-04-10 03:04:02,249 [root] WARNING: Folder at path "C:\OudFTIAxGD\tlsdump" does not exist, skipping
2026-04-10 03:04:02,249 [root] INFO: Analysis completed

Machine

Name: win7office2k3flash2800137TWN3H103
Label: win7office2k3flash2800137TWN3H103
Manager: KVM
Started On: 2026-04-10 09:03:29
Shutdown On: 2026-04-10 09:04:12
Route: internet

File Details

File Name: foo.exe
File Size: 3 bytes
File Type: ASCII text
MD5: 764efa883dda1e11db47671c4a3bbd9e
SHA1: 55ca6286e3e4f4fba5d0448333fa99fc5a404a73
SHA256: 98ea6e4f216f2fb4b69fff9b3a44842c38686ca685f3f55dc48c5d3fb1107be4
SHA512: d78abb0542736865f94704521609c230dac03a2f369d043ac212d6933b91410e06399e37f9c5cc88436a31737330c1c8eccb2c2f9f374d62f716432a32d50fac
SHA3-384: 5bf973b46a6137ba0d8dea85c6b7388d0c0e07618da89914dc13716ec4900069119332051e29fb1be22f813a34944f7e
CRC32: ED6F7A7A
Ssdeep: 3:wn:wn

File

hi

Processing ( 9.41 seconds )

  • 7.289 Suricata
  • 1.617 Zircolite
  • 0.116 ZfileRep
  • 0.103 NetworkAnalysis
  • 0.073 Deduplicate
  • 0.059 Fiddler
  • 0.053 BehaviorAnalysis
  • 0.05 AnalysisInfo
  • 0.022 CAPE
  • 0.016 TargetInfo
  • 0.004 Static
  • 0.003 Debug
  • 0.001 Strings

Signatures ( 0.08 seconds )

  • 0.06 sigma
  • 0.004 antiav_detectreg
  • 0.002 infostealer_ftp
  • 0.002 ransomware_files
  • 0.002 territorial_disputes_sigs
  • 0.001 persistence_autorun
  • 0.001 antianalysis_detectfile
  • 0.001 antiav_detectfile
  • 0.001 geodo_banking_trojan
  • 0.001 infostealer_im
  • 0.001 ransomware_extensions

Reporting ( 0.14 seconds )

  • 0.127 TMPFSCLEAN
  • 0.009 JsonDump

Signatures

Network activity detected but not expressed in API logs

Screenshots
Hosts

Direct: Y
IP: 8.8.8.8
Country Name: United States

DNS

No domains contacted.

Summary

C:\Users\pgabriel\AppData\Local\Temp
C:\Users
C:\Users\pgabriel
C:\Users\pgabriel\AppData
C:\Users\pgabriel\AppData\Local
C:\Users\pgabriel\AppData\Local\Temp\foo.exe
C:\Windows\SysWOW64\en-US\cmd.exe.mui
C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui
C:\Windows\SysWOW64\en-US\cmd.exe.mui
C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui
DisableUserModeCallbackFilter
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
kernel32.dll.SetThreadUILanguage
kernel32.dll.CopyFileExW
kernel32.dll.IsDebuggerPresent
kernel32.dll.SetConsoleInputExeNameW
"C:\Users\pgabriel\AppData\Local\Temp\foo.exe"
No static analysis available.
Sorry! No behavior.

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

DNS

No domains contacted.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.