kevoreilly / CAPEv2

Malware Configuration And Payload Extraction
https://capesandbox.com/analysis/

File Details view in Quick Overview doesn't show #1806

Closed meldzhaLV closed 10 months ago

meldzhaLV commented 10 months ago

Expected Behavior

File Details can be seen in Quick Overview.

Current Behavior

In Recent -> Filename -> Quick Overview I am not seeing the File Details view. I used to see it when analysing PDF files. I rebooted the server and ran the migrations with migrate.py in the web folder. Also, I now don't see the "Payloads" and "Compare this analysis to..." panes anymore.

What I did previously: I tweaked the config files, checking which module does what and enabling/disabling them. Now I have changed everything back to the defaults in the config files, but File Details are still not showing.

I ran this command as well, since I wanted to play with the REST API: poetry run pip install djangorestframework

Also, previously my PDF malscores were constantly 5.7 - 5.9, which were false positives, but now my results are 1.9 - 2.2. I really hope that someone can help with this issue. Thank you.

doomedraven commented 10 months ago

malscore is useless; it depends on community signatures (utils/community.py). I would say reprocess your task with debug output, poetry run python utils/process.py -r <task_id> -d, to see what is wrong on your side.

meldzhaLV commented 10 months ago

This is the debug output:

Missed dependey XLMMacroDeobfuscator: pip3 install -U git+https://github.com/DissectMalware/XLMMacroDeobfuscator.git OPTIONAL!
Missed dependency: pip3 install https://github.com/CAPESandbox/peepdf/archive/20eda78d7d77fc5b3b652ffc2d8a5b0af796e3dd.zip#egg=peepdf==0.4.2 OPTIONAL!
Missed dependency: pip3 install -U git+https://github.com/DissectMalware/batch_deobfuscator OPTIONAL!
Missed dependency: pip3 install -U git+https://github.com/CAPESandbox/httpreplay OPTIONAL!
2023-10-18 07:00:24,093 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Executing processing module "CAPE" on analysis at "/opt/CAPEv2/storage/analyses/260"
2023-10-18 07:00:24,531 [Task 260] [lib.cuckoo.common.integrations.parse_pdf] DEBUG: Starting to load PDF
2023-10-18 07:00:40,380 [Task 260] [lib.cuckoo.core.plugins] ERROR: Failed to run the processing module "CAPE": [Errno 13] Permission denied: '/opt/CAPEv2/data/trid/trid'
Traceback (most recent call last):
  File "/opt/CAPEv2/utils/../lib/cuckoo/core/plugins.py", line 243, in process
    data = current.run()
  File "/opt/CAPEv2/utils/../modules/processing/CAPE.py", line 352, in run
    self.process_file(
  File "/opt/CAPEv2/utils/../modules/processing/CAPE.py", line 192, in process_file
    static_file_info(
  File "/opt/CAPEv2/utils/../lib/cuckoo/common/integrations/file_extra_info.py", line 232, in static_file_info
    data_dictionary["trid"] = trid_info(file_path)
  File "/opt/CAPEv2/utils/../lib/cuckoo/common/integrations/file_extra_info.py", line 289, in trid_info
    output = subprocess.check_output(
  File "/usr/lib/python3.10/subprocess.py", line 420, in check_output
    return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
  File "/usr/lib/python3.10/subprocess.py", line 501, in run
    with Popen(*popenargs, **kwargs) as process:
  File "/usr/lib/python3.10/subprocess.py", line 969, in __init__
    self._execute_child(args, executable, preexec_fn, close_fds,
  File "/usr/lib/python3.10/subprocess.py", line 1845, in _execute_child
    raise child_exception_type(errno_num, err_msg, err_filename)
PermissionError: [Errno 13] Permission denied: '/opt/CAPEv2/data/trid/trid'
2023-10-18 07:00:40,382 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Executing processing module "AnalysisInfo" on analysis at "/opt/CAPEv2/storage/analyses/260"
2023-10-18 07:00:40,401 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Executing processing module "BehaviorAnalysis" on analysis at "/opt/CAPEv2/storage/analyses/260"
2023-10-18 07:00:40,660 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Executing processing module "Debug" on analysis at "/opt/CAPEv2/storage/analyses/260"
2023-10-18 07:00:40,663 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Executing processing module "MMBot" on analysis at "/opt/CAPEv2/storage/analyses/260"
2023-10-18 07:00:40,668 [Task 260] [modules.processing.maliciousmacrobot] ERROR: MaliciousMacroBot not installed, 'pip3 install mmbot', aborting mmbot analysis
2023-10-18 07:00:40,668 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Executing processing module "NetworkAnalysis" on analysis at "/opt/CAPEv2/storage/analyses/260"
2023-10-18 07:00:40,668 [Task 260] [modules.processing.network] WARNING: The PCAP file does not exist at path "/opt/CAPEv2/storage/analyses/260/dump.pcap"
2023-10-18 07:00:40,668 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Executing processing module "Procmon" on analysis at "/opt/CAPEv2/storage/analyses/260"
2023-10-18 07:00:40,669 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Executing processing module "Suricata" on analysis at "/opt/CAPEv2/storage/analyses/260"
2023-10-18 07:00:40,669 [Task 260] [modules.processing.suricata] DEBUG: Unable to Run Suricata: Pcap file /opt/CAPEv2/storage/analyses/260/dump.pcap does not exist. Did you run analysis with live connection?
2023-10-18 07:00:40,669 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Executing processing module "UrlAnalysis" on analysis at "/opt/CAPEv2/storage/analyses/260"
2023-10-18 07:00:40,669 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Executing processing module "Usage" on analysis at "/opt/CAPEv2/storage/analyses/260"
2023-10-18 07:00:40,670 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Executing processing module "extract_overlay_data" on analysis at "/opt/CAPEv2/storage/analyses/260"
2023-10-18 07:00:40,670 [Task 260] [lib.cuckoo.core.plugins] ERROR: Failed to run the processing module "extract_overlay_data": 'extract_overlay_data' object has no attribute 'key'
Traceback (most recent call last):
  File "/opt/CAPEv2/utils/../lib/cuckoo/core/plugins.py", line 249, in process
    return {current.key: data}
AttributeError: 'extract_overlay_data' object has no attribute 'key'
2023-10-18 07:00:40,670 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Executing processing module "script_log_processing" on analysis at "/opt/CAPEv2/storage/analyses/260"
2023-10-18 07:00:40,671 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Executing processing module "ProcessMemory" on analysis at "/opt/CAPEv2/storage/analyses/260"
2023-10-18 07:00:40,685 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Applying signature overlays for signatures: creates_exe
2023-10-18 07:00:40,687 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running 242 evented signatures
2023-10-18 07:00:40,688 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- compression
2023-10-18 07:00:40,688 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- decryption
2023-10-18 07:00:40,688 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- doppelganging
2023-10-18 07:00:40,688 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- evil_grab
2023-10-18 07:00:40,688 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- injection_inter_process
2023-10-18 07:00:40,688 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- injection_create_remote_thread
2023-10-18 07:00:40,688 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- injection_process_hollowing
2023-10-18 07:00:40,688 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- injection_set_window_long
2023-10-18 07:00:40,688 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- PlugX
2023-10-18 07:00:40,688 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- reg_binary
2023-10-18 07:00:40,689 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- transacted_hollowing
2023-10-18 07:00:40,689 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- Unpacker
2023-10-18 07:00:40,689 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- anomalous_deletefile
2023-10-18 07:00:40,689 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- antiav_360_libs
2023-10-18 07:00:40,689 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- antiav_ahnlab_libs
2023-10-18 07:00:40,689 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- antiav_avast_libs
2023-10-18 07:00:40,689 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- antiav_bitdefender_libs
2023-10-18 07:00:40,689 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- antiav_bullgaurd_libs
2023-10-18 07:00:40,689 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- antiav_emsisoft_libs
2023-10-18 07:00:40,689 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- antiav_qurb_libs
2023-10-18 07:00:40,689 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- antiav_servicestop
2023-10-18 07:00:40,690 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- antidebug_addvectoredexceptionhandler
2023-10-18 07:00:40,690 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- antiav_apioverride_libs
2023-10-18 07:00:40,690 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- antidebug_checkremotedebuggerpresent
2023-10-18 07:00:40,690 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- antidebug_debugactiveprocess
2023-10-18 07:00:40,690 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- antidebug_gettickcount
2023-10-18 07:00:40,690 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- antidebug_guardpages
2023-10-18 07:00:40,690 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- antidebug_ntcreatethreadex
2023-10-18 07:00:40,690 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- antiav_nthookengine_libs
2023-10-18 07:00:40,690 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- antidebug_ntsetinformationthread
2023-10-18 07:00:40,690 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- antidebug_outputdebugstring
2023-10-18 07:00:40,690 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- antidebug_setunhandledexceptionfilter
2023-10-18 07:00:40,691 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- antidebug_windows
2023-10-18 07:00:40,691 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- antiemu_wine_func
2023-10-18 07:00:40,691 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- antisandbox_check_userdomain
2023-10-18 07:00:40,691 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- antisandbox_cuckoo
2023-10-18 07:00:40,691 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- antisandbox_cuckoocrash
2023-10-18 07:00:40,691 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- antisandbox_foregroundwindows
2023-10-18 07:00:40,691 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- antisandbox_mouse_hook
2023-10-18 07:00:40,691 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- antisandbox_restart
2023-10-18 07:00:40,691 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- antisandbox_sboxie_libs
2023-10-18 07:00:40,691 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- antisandbox_sboxie_objects
2023-10-18 07:00:40,691 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- antisandbox_script_timer
2023-10-18 07:00:40,691 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- antisandbox_sleep
2023-10-18 07:00:40,692 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- antisandbox_sunbelt_libs
2023-10-18 07:00:40,692 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- antisandbox_suspend
2023-10-18 07:00:40,692 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- antisandbox_unhook
2023-10-18 07:00:40,692 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- antivm_directory_objects
2023-10-18 07:00:40,692 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- antivm_generic_disk
2023-10-18 07:00:40,692 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- antivm_generic_disk_setupapi
2023-10-18 07:00:40,692 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- antivm_generic_scsi
2023-10-18 07:00:40,692 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- antivm_generic_services
2023-10-18 07:00:40,692 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- antivm_network_adapters
2023-10-18 07:00:40,692 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- antivm_vbox_libs
2023-10-18 07:00:40,692 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- antivm_vbox_provname
2023-10-18 07:00:40,693 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- antivm_vbox_window
2023-10-18 07:00:40,693 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- antivm_vmware_events
2023-10-18 07:00:40,693 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- antivm_vmware_libs
2023-10-18 07:00:40,693 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- api_spamming
2023-10-18 07:00:40,693 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- banker_prinimalka
2023-10-18 07:00:40,693 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- bcdedit_command
2023-10-18 07:00:40,693 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- bootkit
2023-10-18 07:00:40,693 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- potential_overwrite_mbr
2023-10-18 07:00:40,693 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- suspicious_ioctl_scsipassthough
2023-10-18 07:00:40,693 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- browser_needed
2023-10-18 07:00:40,693 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- browser_scanbox
2023-10-18 07:00:40,694 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- firefox_disables_process_tab
2023-10-18 07:00:40,694 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- regsvr32_squiblydoo_dll_load
2023-10-18 07:00:40,694 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- uac_bypass_cmstp
2023-10-18 07:00:40,694 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- uac_bypass_eventvwr
2023-10-18 07:00:40,694 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- clickfraud_cookies
2023-10-18 07:00:40,694 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- clickfraud_volume
2023-10-18 07:00:40,694 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- creates_largekey
2023-10-18 07:00:40,694 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- creates_nullvalue
2023-10-18 07:00:40,694 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- lsass_credential_dumping
2023-10-18 07:00:40,694 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- critical_process
2023-10-18 07:00:40,694 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- generates_crypto_key
2023-10-18 07:00:40,695 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- cve_2014_6332
2023-10-18 07:00:40,695 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- cve_2015_2419_js
2023-10-18 07:00:40,695 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- cve_2016-0189
2023-10-18 07:00:40,695 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- cve_2016_7200
2023-10-18 07:00:40,695 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- dead_connect
2023-10-18 07:00:40,695 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- dead_link
2023-10-18 07:00:40,695 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- debugs_self
2023-10-18 07:00:40,695 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- decoy_image
2023-10-18 07:00:40,695 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- deletes_self
2023-10-18 07:00:40,695 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- deletes_shadow_copies
2023-10-18 07:00:40,695 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- deletes_system_state_backup
2023-10-18 07:00:40,696 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- dep_bypass
2023-10-18 07:00:40,696 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- dep_disable
2023-10-18 07:00:40,696 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- disables_mappeddrives_autodisconnect
2023-10-18 07:00:40,696 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- disables_spdy
2023-10-18 07:00:40,696 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- disables_wfp
2023-10-18 07:00:40,696 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- dll_load_uncommon_file_types
2023-10-18 07:00:40,696 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- document_script_exe_drop
2023-10-18 07:00:40,696 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- guloader_apis
2023-10-18 07:00:40,696 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- driver_load
2023-10-18 07:00:40,696 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- dynamic_function_loading
2023-10-18 07:00:40,696 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- exec_crash
2023-10-18 07:00:40,696 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- process_creation_suspicious_location
2023-10-18 07:00:40,697 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- exploit_getbasekerneladdress
2023-10-18 07:00:40,697 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- exploit_gethaldispatchtable
2023-10-18 07:00:40,697 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- exploit_heapspray
2023-10-18 07:00:40,697 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- koadic_apis
2023-10-18 07:00:40,697 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- koadic_network_activity
2023-10-18 07:00:40,697 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- downloads_from_filehosting
2023-10-18 07:00:40,697 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- generic_phish
2023-10-18 07:00:40,697 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- http_request
2023-10-18 07:00:40,697 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- https_urls
2023-10-18 07:00:40,697 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- infostealer_browser
2023-10-18 07:00:40,697 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- infostealer_browser_password
2023-10-18 07:00:40,698 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- cryptbot_network
2023-10-18 07:00:40,698 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- infostealer_keylog
2023-10-18 07:00:40,698 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- masslogger_artifacts
2023-10-18 07:00:40,698 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- masslogger_version
2023-10-18 07:00:40,698 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- purplewave_network_activity
2023-10-18 07:00:40,698 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- quilclipper_behavior
2023-10-18 07:00:40,698 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- raccoon_behavior
2023-10-18 07:00:40,698 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- captures_screenshot
2023-10-18 07:00:40,698 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- vidar_behavior
2023-10-18 07:00:40,698 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- injection_createremotethread
2023-10-18 07:00:40,698 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- injection_explorer
2023-10-18 07:00:40,699 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- injection_needextension
2023-10-18 07:00:40,699 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- injection_network_traffic
2023-10-18 07:00:40,699 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- injection_runpe
2023-10-18 07:00:40,699 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- injection_themeinitapihook
2023-10-18 07:00:40,699 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- internet_dropper
2023-10-18 07:00:40,699 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- ipc_namedpipe
2023-10-18 07:00:40,699 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- js_phish
2023-10-18 07:00:40,699 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- js_suspicious_redirect
2023-10-18 07:00:40,699 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- malicious_dynamic_function_loading
2023-10-18 07:00:40,699 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- encrypt_pcinfo
2023-10-18 07:00:40,699 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- encrypt_data_agenttesla_http
2023-10-18 07:00:40,699 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- encrypt_data_agentteslat2_http
2023-10-18 07:00:40,700 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- encrypt_data_nanocore
2023-10-18 07:00:40,700 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- mimics_filetime
2023-10-18 07:00:40,700 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- quilclipper_behavior
2023-10-18 07:00:40,700 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- modify_desktop_wallpaper
2023-10-18 07:00:40,700 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- modify_zoneid_ads
2023-10-18 07:00:40,700 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- move_file_on_reboot
2023-10-18 07:00:40,700 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- multiple_useragents
2023-10-18 07:00:40,700 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- network_anomaly
2023-10-18 07:00:40,700 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- network_bind
2023-10-18 07:00:40,700 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- network_cnc_https_archive
2023-10-18 07:00:40,700 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- network_cnc_https_free_webshoting
2023-10-18 07:00:40,701 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- network_cnc_https_generic
2023-10-18 07:00:40,701 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- network_cnc_https_temp_urldns
2023-10-18 07:00:40,701 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- network_cnc_https_pastesite
2023-10-18 07:00:40,701 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- network_cnc_https_payload
2023-10-18 07:00:40,701 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- network_cnc_https_socialmedia
2023-10-18 07:00:40,701 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- network_cnc_https_telegram
2023-10-18 07:00:40,701 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- network_cnc_https_tempstorage
2023-10-18 07:00:40,701 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- network_cnc_https_temp_urldns
2023-10-18 07:00:40,701 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- network_cnc_https_urlshortener
2023-10-18 07:00:40,701 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- network_cnc_https_useragent
2023-10-18 07:00:40,701 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- network_cnc_smtps_exfil
2023-10-18 07:00:40,702 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- network_cnc_smtps_generic
2023-10-18 07:00:40,702 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- network_dns_idn
2023-10-18 07:00:40,702 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- network_dns_suspicious_querytype
2023-10-18 07:00:40,702 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- network_dns_tunneling_request
2023-10-18 07:00:40,702 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- explorer_http
2023-10-18 07:00:40,702 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- network_fake_useragent
2023-10-18 07:00:40,702 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- network_downloader_exe
2023-10-18 07:00:40,702 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- network_tor
2023-10-18 07:00:40,702 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- office_com_load
2023-10-18 07:00:40,702 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- office_dotnet_load
DEBUG:lib.cuckoo.core.plugins: |-- office_mshtml_load
2023-10-18 07:00:40,702 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- office_mshtml_load DEBUG:lib.cuckoo.core.plugins: |-- office_vb_load 2023-10-18 07:00:40,703 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- office_vb_load DEBUG:lib.cuckoo.core.plugins: |-- office_wmi_load 2023-10-18 07:00:40,703 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- office_wmi_load DEBUG:lib.cuckoo.core.plugins: |-- office_cve2017_11882_network 2023-10-18 07:00:40,703 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- office_cve2017_11882_network DEBUG:lib.cuckoo.core.plugins: |-- office_cve_2021_40444 2023-10-18 07:00:40,703 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- office_cve_2021_40444 DEBUG:lib.cuckoo.core.plugins: |-- office_cve_2021_40444_m2 2023-10-18 07:00:40,703 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- office_cve_2021_40444_m2 DEBUG:lib.cuckoo.core.plugins: |-- office_flash_load 2023-10-18 07:00:40,703 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- office_flash_load DEBUG:lib.cuckoo.core.plugins: |-- office_postscript 2023-10-18 07:00:40,703 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- office_postscript DEBUG:lib.cuckoo.core.plugins: |-- office_suspicious_processes 2023-10-18 07:00:40,703 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- office_suspicious_processes DEBUG:lib.cuckoo.core.plugins: |-- packer_themida 2023-10-18 07:00:40,703 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- packer_themida DEBUG:lib.cuckoo.core.plugins: |-- persistence_autorun 2023-10-18 07:00:40,703 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- persistence_autorun DEBUG:lib.cuckoo.core.plugins: |-- persistence_autorun_tasks 2023-10-18 07:00:40,703 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- persistence_autorun_tasks DEBUG:lib.cuckoo.core.plugins: |-- persistence_bootexecute 2023-10-18 07:00:40,703 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- persistence_bootexecute DEBUG:lib.cuckoo.core.plugins: |-- persistence_registry_script 2023-10-18 07:00:40,704 [Task 260] 
[lib.cuckoo.core.plugins] DEBUG: |-- persistence_registry_script DEBUG:lib.cuckoo.core.plugins: |-- powershell_download 2023-10-18 07:00:40,704 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- powershell_download DEBUG:lib.cuckoo.core.plugins: |-- powershell_request 2023-10-18 07:00:40,704 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- powershell_request DEBUG:lib.cuckoo.core.plugins: |-- createtoolhelp32snapshot_module_enumeration 2023-10-18 07:00:40,704 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- createtoolhelp32snapshot_module_enumeration DEBUG:lib.cuckoo.core.plugins: |-- enumerates_running_processes 2023-10-18 07:00:40,704 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- enumerates_running_processes DEBUG:lib.cuckoo.core.plugins: |-- process_interest 2023-10-18 07:00:40,704 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- process_interest DEBUG:lib.cuckoo.core.plugins: |-- process_needed 2023-10-18 07:00:40,704 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- process_needed DEBUG:lib.cuckoo.core.plugins: |-- mass_data_encryption 2023-10-18 07:00:40,704 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- mass_data_encryption DEBUG:lib.cuckoo.core.plugins: |-- ransomware_dmalocker 2023-10-18 07:00:40,704 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- ransomware_dmalocker DEBUG:lib.cuckoo.core.plugins: |-- ransomware_file_modifications 2023-10-18 07:00:40,704 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- ransomware_file_modifications DEBUG:lib.cuckoo.core.plugins: |-- ransomware_message 2023-10-18 07:00:40,704 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- ransomware_message DEBUG:lib.cuckoo.core.plugins: |-- nemty_network_activity 2023-10-18 07:00:40,705 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- nemty_network_activity DEBUG:lib.cuckoo.core.plugins: |-- nemty_note 2023-10-18 07:00:40,705 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- nemty_note DEBUG:lib.cuckoo.core.plugins: |-- sodinokibi_behavior 2023-10-18 07:00:40,705 [Task 260] 
[lib.cuckoo.core.plugins] DEBUG: |-- sodinokibi_behavior DEBUG:lib.cuckoo.core.plugins: |-- stop_ransomware_registry 2023-10-18 07:00:40,705 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- stop_ransomware_registry DEBUG:lib.cuckoo.core.plugins: |-- blackrat_apis 2023-10-18 07:00:40,705 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- blackrat_apis DEBUG:lib.cuckoo.core.plugins: |-- blackrat_network_activity 2023-10-18 07:00:40,705 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- blackrat_network_activity DEBUG:lib.cuckoo.core.plugins: |-- blackrat_registry_keys 2023-10-18 07:00:40,705 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- blackrat_registry_keys DEBUG:lib.cuckoo.core.plugins: |-- dcrat_behavior 2023-10-18 07:00:40,705 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- dcrat_behavior DEBUG:lib.cuckoo.core.plugins: |-- karagany_system_event_objects 2023-10-18 07:00:40,705 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- karagany_system_event_objects DEBUG:lib.cuckoo.core.plugins: |-- rat_luminosity 2023-10-18 07:00:40,705 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- rat_luminosity DEBUG:lib.cuckoo.core.plugins: |-- rat_nanocore 2023-10-18 07:00:40,705 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- rat_nanocore DEBUG:lib.cuckoo.core.plugins: |-- netwire_behavior 2023-10-18 07:00:40,706 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- netwire_behavior DEBUG:lib.cuckoo.core.plugins: |-- obliquerat_network_activity 2023-10-18 07:00:40,706 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- obliquerat_network_activity DEBUG:lib.cuckoo.core.plugins: |-- orcusrat_behavior 2023-10-18 07:00:40,706 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- orcusrat_behavior DEBUG:lib.cuckoo.core.plugins: |-- trochilusrat_apis 2023-10-18 07:00:40,706 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- trochilusrat_apis DEBUG:lib.cuckoo.core.plugins: |-- recon_beacon 2023-10-18 07:00:40,706 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- recon_beacon DEBUG:lib.cuckoo.core.plugins: |-- 
recon_programs 2023-10-18 07:00:40,706 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- recon_programs DEBUG:lib.cuckoo.core.plugins: |-- recon_systeminfo 2023-10-18 07:00:40,706 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- recon_systeminfo DEBUG:lib.cuckoo.core.plugins: |-- accesses_recyclebin 2023-10-18 07:00:40,706 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- accesses_recyclebin DEBUG:lib.cuckoo.core.plugins: |-- removes_zoneid_ads 2023-10-18 07:00:40,706 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- removes_zoneid_ads DEBUG:lib.cuckoo.core.plugins: |-- script_created_process 2023-10-18 07:00:40,706 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- script_created_process DEBUG:lib.cuckoo.core.plugins: |-- script_network_activity 2023-10-18 07:00:40,706 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- script_network_activity DEBUG:lib.cuckoo.core.plugins: |-- suspicious_js_script 2023-10-18 07:00:40,706 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- suspicious_js_script DEBUG:lib.cuckoo.core.plugins: |-- secure_login_phishing 2023-10-18 07:00:40,707 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- secure_login_phishing DEBUG:lib.cuckoo.core.plugins: |-- securityxploded_modules 2023-10-18 07:00:40,707 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- securityxploded_modules DEBUG:lib.cuckoo.core.plugins: |-- get_clipboard_data 2023-10-18 07:00:40,707 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- get_clipboard_data DEBUG:lib.cuckoo.core.plugins: |-- sets_autoconfig_url 2023-10-18 07:00:40,707 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- sets_autoconfig_url DEBUG:lib.cuckoo.core.plugins: |-- spoofs_procname 2023-10-18 07:00:40,707 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- spoofs_procname DEBUG:lib.cuckoo.core.plugins: |-- stack_pivot 2023-10-18 07:00:40,707 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- stack_pivot DEBUG:lib.cuckoo.core.plugins: |-- stack_pivot_file_created 2023-10-18 07:00:40,707 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- 
stack_pivot_file_created DEBUG:lib.cuckoo.core.plugins: |-- stack_pivot_process_create 2023-10-18 07:00:40,707 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- stack_pivot_process_create DEBUG:lib.cuckoo.core.plugins: |-- set_clipboard_data 2023-10-18 07:00:40,707 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- set_clipboard_data DEBUG:lib.cuckoo.core.plugins: |-- stealth_childproc 2023-10-18 07:00:40,707 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- stealth_childproc DEBUG:lib.cuckoo.core.plugins: |-- stealth_network 2023-10-18 07:00:40,707 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- stealth_network DEBUG:lib.cuckoo.core.plugins: |-- stealth_system_procname 2023-10-18 07:00:40,707 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- stealth_system_procname DEBUG:lib.cuckoo.core.plugins: |-- stealth_timeout 2023-10-18 07:00:40,708 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- stealth_timeout DEBUG:lib.cuckoo.core.plugins: |-- stealth_window 2023-10-18 07:00:40,708 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- stealth_window DEBUG:lib.cuckoo.core.plugins: |-- terminates_remote_process 2023-10-18 07:00:40,708 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- terminates_remote_process DEBUG:lib.cuckoo.core.plugins: |-- trickbot_task_delete 2023-10-18 07:00:40,708 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- trickbot_task_delete DEBUG:lib.cuckoo.core.plugins: |-- user_enum 2023-10-18 07:00:40,708 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- user_enum DEBUG:lib.cuckoo.core.plugins: |-- virus 2023-10-18 07:00:40,708 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- virus DEBUG:lib.cuckoo.core.plugins: |-- neshta_files 2023-10-18 07:00:40,708 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- neshta_files DEBUG:lib.cuckoo.core.plugins: |-- neshta_regkeys 2023-10-18 07:00:40,708 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- neshta_regkeys DEBUG:lib.cuckoo.core.plugins: |-- webmail_phish 2023-10-18 07:00:40,708 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- 
webmail_phish DEBUG:lib.cuckoo.core.plugins: |-- persists_dev_util 2023-10-18 07:00:40,708 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- persists_dev_util DEBUG:lib.cuckoo.core.plugins: |-- spawns_dev_util 2023-10-18 07:00:40,708 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- spawns_dev_util DEBUG:lib.cuckoo.core.plugins: |-- alters_windows_utility 2023-10-18 07:00:40,709 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- alters_windows_utility DEBUG:lib.cuckoo.core.plugins: |-- overwrites_accessibility_utility 2023-10-18 07:00:40,709 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- overwrites_accessibility_utility DEBUG:lib.cuckoo.core.plugins: |-- wiper_zeroedbytes 2023-10-18 07:00:40,709 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- wiper_zeroedbytes DEBUG:lib.cuckoo.core.plugins: |-- wmi_create_process 2023-10-18 07:00:40,709 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- wmi_create_process DEBUG:lib.cuckoo.core.plugins: |-- wmi_script_process 2023-10-18 07:00:40,709 [Task 260] [lib.cuckoo.core.plugins] DEBUG: |-- wmi_script_process DEBUG:lib.cuckoo.core.plugins: -- win32_process_create 2023-10-18 07:00:40,709 [Task 260] [lib.cuckoo.core.plugins] DEBUG:-- win32_process_create DEBUG:lib.cuckoo.core.plugins:Running non-evented signatures 2023-10-18 07:00:41,000 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running non-evented signatures DEBUG:lib.cuckoo.core.plugins:Running signature "cape_detected_threat" 2023-10-18 07:00:41,000 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "cape_detected_threat" DEBUG:lib.cuckoo.core.plugins:Running signature "accesses_mailslot" 2023-10-18 07:00:41,001 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "accesses_mailslot" DEBUG:lib.cuckoo.core.plugins:Running signature "accesses_netlogon_regkey" 2023-10-18 07:00:41,001 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "accesses_netlogon_regkey" DEBUG:lib.cuckoo.core.plugins:Running signature "accesses_sysvol" 2023-10-18 07:00:41,002 [Task 
260] [lib.cuckoo.core.plugins] DEBUG: Running signature "accesses_sysvol" DEBUG:lib.cuckoo.core.plugins:Running signature "writes_sysvol" 2023-10-18 07:00:41,002 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "writes_sysvol" DEBUG:lib.cuckoo.core.plugins:Running signature "adds_admin_user" 2023-10-18 07:00:41,003 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "adds_admin_user" DEBUG:lib.cuckoo.core.plugins:Running signature "adds_user" 2023-10-18 07:00:41,003 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "adds_user" DEBUG:lib.cuckoo.core.plugins:Running signature "overwrites_admin_password" 2023-10-18 07:00:41,004 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "overwrites_admin_password" DEBUG:lib.cuckoo.core.plugins:Running signature "antianalysis_detectfile" 2023-10-18 07:00:41,004 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "antianalysis_detectfile" DEBUG:lib.cuckoo.core.plugins:Running signature "antianalysis_detectreg" 2023-10-18 07:00:41,014 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "antianalysis_detectreg" DEBUG:lib.cuckoo.core.plugins:Running signature "modify_attachment_manager" 2023-10-18 07:00:41,017 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "modify_attachment_manager" DEBUG:lib.cuckoo.core.plugins:Running signature "antiav_detectfile" 2023-10-18 07:00:41,018 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "antiav_detectfile" DEBUG:lib.cuckoo.core.plugins:Running signature "antiav_detectreg" 2023-10-18 07:00:41,024 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "antiav_detectreg" DEBUG:lib.cuckoo.core.plugins:Running signature "antiav_srp" 2023-10-18 07:00:41,038 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "antiav_srp" DEBUG:lib.cuckoo.core.plugins:Running signature "antiav_whitespace" 2023-10-18 07:00:41,038 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "antiav_whitespace" 
DEBUG:lib.cuckoo.core.plugins:Running signature "antidebug_devices" 2023-10-18 07:00:41,039 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "antidebug_devices" DEBUG:lib.cuckoo.core.plugins:Running signature "antiemu_windefend" 2023-10-18 07:00:41,040 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "antiemu_windefend" DEBUG:lib.cuckoo.core.plugins:Running signature "antiemu_wine_reg" 2023-10-18 07:00:41,041 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "antiemu_wine_reg" DEBUG:lib.cuckoo.core.plugins:Running signature "antisandbox_cuckoo_files" 2023-10-18 07:00:41,041 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "antisandbox_cuckoo_files" DEBUG:lib.cuckoo.core.plugins:Running signature "antisandbox_fortinet_files" 2023-10-18 07:00:41,042 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "antisandbox_fortinet_files" DEBUG:lib.cuckoo.core.plugins:Running signature "antisandbox_joe_anubis_files" 2023-10-18 07:00:41,043 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "antisandbox_joe_anubis_files" DEBUG:lib.cuckoo.core.plugins:Running signature "antisandbox_sboxie_mutex" 2023-10-18 07:00:41,043 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "antisandbox_sboxie_mutex" DEBUG:lib.cuckoo.core.plugins:Running signature "antisandbox_sunbelt_files" 2023-10-18 07:00:41,043 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "antisandbox_sunbelt_files" DEBUG:lib.cuckoo.core.plugins:Running signature "antisandbox_threattrack_files" 2023-10-18 07:00:41,044 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "antisandbox_threattrack_files" DEBUG:lib.cuckoo.core.plugins:Running signature "antivirus_clamav" 2023-10-18 07:00:41,045 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "antivirus_clamav" DEBUG:lib.cuckoo.core.plugins:Running signature "antivirus_virustotal" 2023-10-18 07:00:41,045 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running 
signature "antivirus_virustotal" DEBUG:lib.cuckoo.core.plugins:Running signature "antivm_bochs_keys" 2023-10-18 07:00:41,045 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "antivm_bochs_keys" DEBUG:lib.cuckoo.core.plugins:Running signature "antivm_generic_bios" 2023-10-18 07:00:41,046 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "antivm_generic_bios" DEBUG:lib.cuckoo.core.plugins:Running signature "antivm_generic_cpu" 2023-10-18 07:00:41,046 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "antivm_generic_cpu" DEBUG:lib.cuckoo.core.plugins:Running signature "antivm_generic_diskreg" 2023-10-18 07:00:41,047 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "antivm_generic_diskreg" DEBUG:lib.cuckoo.core.plugins:Running signature "antivm_generic_system" 2023-10-18 07:00:41,048 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "antivm_generic_system" DEBUG:lib.cuckoo.core.plugins:Running signature "antivm_hyperv_keys" 2023-10-18 07:00:41,049 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "antivm_hyperv_keys" DEBUG:lib.cuckoo.core.plugins:Running signature "antivm_parallels_keys" 2023-10-18 07:00:41,049 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "antivm_parallels_keys" DEBUG:lib.cuckoo.core.plugins:Running signature "antivm_vbox_devices" 2023-10-18 07:00:41,051 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "antivm_vbox_devices" DEBUG:lib.cuckoo.core.plugins:Running signature "antivm_vbox_files" 2023-10-18 07:00:41,051 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "antivm_vbox_files" DEBUG:lib.cuckoo.core.plugins:Running signature "antivm_vbox_keys" 2023-10-18 07:00:41,055 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "antivm_vbox_keys" DEBUG:lib.cuckoo.core.plugins:Running signature "antivm_vmware_devices" 2023-10-18 07:00:41,057 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "antivm_vmware_devices" 
DEBUG:lib.cuckoo.core.plugins:Running signature "antivm_vmware_files" 2023-10-18 07:00:41,057 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "antivm_vmware_files" DEBUG:lib.cuckoo.core.plugins:Running signature "antivm_vmware_keys" 2023-10-18 07:00:41,058 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "antivm_vmware_keys" DEBUG:lib.cuckoo.core.plugins:Running signature "antivm_vmware_mutexes" 2023-10-18 07:00:41,060 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "antivm_vmware_mutexes" DEBUG:lib.cuckoo.core.plugins:Running signature "antivm_vpc_files" 2023-10-18 07:00:41,060 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "antivm_vpc_files" DEBUG:lib.cuckoo.core.plugins:Running signature "antivm_vpc_keys" 2023-10-18 07:00:41,061 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "antivm_vpc_keys" DEBUG:lib.cuckoo.core.plugins:Running signature "antivm_vpc_mutex" 2023-10-18 07:00:41,062 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "antivm_vpc_mutex" DEBUG:lib.cuckoo.core.plugins:Running signature "antivm_xen_keys" 2023-10-18 07:00:41,062 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "antivm_xen_keys" DEBUG:lib.cuckoo.core.plugins:Running signature "gulpix_behavior" 2023-10-18 07:00:41,063 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "gulpix_behavior" DEBUG:lib.cuckoo.core.plugins:Running signature "ketrican_regkeys" 2023-10-18 07:00:41,064 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "ketrican_regkeys" DEBUG:lib.cuckoo.core.plugins:Running signature "okrum_mutexes" 2023-10-18 07:00:41,065 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "okrum_mutexes" DEBUG:lib.cuckoo.core.plugins:Running signature "bad_certs" 2023-10-18 07:00:41,066 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "bad_certs" DEBUG:lib.cuckoo.core.plugins:Running signature "bad_ssl_certs" 2023-10-18 07:00:41,066 [Task 260] 
[lib.cuckoo.core.plugins] DEBUG: Running signature "bad_ssl_certs" DEBUG:lib.cuckoo.core.plugins:Running signature "banker_cridex" 2023-10-18 07:00:41,066 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "banker_cridex" DEBUG:lib.cuckoo.core.plugins:Running signature "geodo_banking_trojan" 2023-10-18 07:00:41,067 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "geodo_banking_trojan" DEBUG:lib.cuckoo.core.plugins:Running signature "banker_spyeye_mutexes" 2023-10-18 07:00:41,069 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "banker_spyeye_mutexes" DEBUG:lib.cuckoo.core.plugins:Running signature "banker_zeus_mutex" 2023-10-18 07:00:41,069 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "banker_zeus_mutex" DEBUG:lib.cuckoo.core.plugins:Running signature "banker_zeus_p2p" 2023-10-18 07:00:41,070 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "banker_zeus_p2p" DEBUG:lib.cuckoo.core.plugins:Running signature "banker_zeus_url" 2023-10-18 07:00:41,071 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "banker_zeus_url" DEBUG:lib.cuckoo.core.plugins:Running signature "bitcoin_opencl" 2023-10-18 07:00:41,071 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "bitcoin_opencl" DEBUG:lib.cuckoo.core.plugins:Running signature "accesses_primary_patition" 2023-10-18 07:00:41,072 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "accesses_primary_patition" DEBUG:lib.cuckoo.core.plugins:Running signature "direct_hdd_access" 2023-10-18 07:00:41,072 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "direct_hdd_access" DEBUG:lib.cuckoo.core.plugins:Running signature "enumerates_physical_drives" 2023-10-18 07:00:41,073 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "enumerates_physical_drives" DEBUG:lib.cuckoo.core.plugins:Running signature "physical_drive_access" 2023-10-18 07:00:41,073 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature 
"physical_drive_access" DEBUG:lib.cuckoo.core.plugins:Running signature "bot_athenahttp" 2023-10-18 07:00:41,073 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "bot_athenahttp" DEBUG:lib.cuckoo.core.plugins:Running signature "bot_dirtjumper" 2023-10-18 07:00:41,074 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "bot_dirtjumper" DEBUG:lib.cuckoo.core.plugins:Running signature "bot_drive" 2023-10-18 07:00:41,074 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "bot_drive" DEBUG:lib.cuckoo.core.plugins:Running signature "bot_drive2" 2023-10-18 07:00:41,075 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "bot_drive2" DEBUG:lib.cuckoo.core.plugins:Running signature "bot_madness" 2023-10-18 07:00:41,076 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "bot_madness" DEBUG:lib.cuckoo.core.plugins:Running signature "bot_russkill" 2023-10-18 07:00:41,077 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "bot_russkill" DEBUG:lib.cuckoo.core.plugins:Running signature "browser_addon" 2023-10-18 07:00:41,077 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "browser_addon" DEBUG:lib.cuckoo.core.plugins:Running signature "browser_helper_object" 2023-10-18 07:00:41,078 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "browser_helper_object" DEBUG:lib.cuckoo.core.plugins:Running signature "browser_security" 2023-10-18 07:00:41,079 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "browser_security" DEBUG:lib.cuckoo.core.plugins:Running signature "browser_startpage" 2023-10-18 07:00:41,079 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "browser_startpage" DEBUG:lib.cuckoo.core.plugins:Running signature "ie_disables_process_tab" 2023-10-18 07:00:41,079 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "ie_disables_process_tab" DEBUG:lib.cuckoo.core.plugins:Running signature "odbcconf_bypass" 2023-10-18 07:00:41,080 [Task 260] 
[lib.cuckoo.core.plugins] DEBUG: Running signature "odbcconf_bypass" DEBUG:lib.cuckoo.core.plugins:Running signature "squiblydoo_bypass" 2023-10-18 07:00:41,080 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "squiblydoo_bypass" DEBUG:lib.cuckoo.core.plugins:Running signature "squiblytwo_bypass" 2023-10-18 07:00:41,080 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "squiblytwo_bypass" DEBUG:lib.cuckoo.core.plugins:Running signature "bypass_firewall" 2023-10-18 07:00:41,081 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "bypass_firewall" DEBUG:lib.cuckoo.core.plugins:Running signature "uac_bypass_cmstpcom" 2023-10-18 07:00:41,081 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "uac_bypass_cmstpcom" DEBUG:lib.cuckoo.core.plugins:Running signature "uac_bypass_delegateexecute_sdclt" 2023-10-18 07:00:41,082 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "uac_bypass_delegateexecute_sdclt" DEBUG:lib.cuckoo.core.plugins:Running signature "uac_bypass_fodhelper" 2023-10-18 07:00:41,083 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "uac_bypass_fodhelper" DEBUG:lib.cuckoo.core.plugins:Running signature "cape_extracted_content" 2023-10-18 07:00:41,083 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "cape_extracted_content" DEBUG:lib.cuckoo.core.plugins:Running signature "cape_extracted_config" 2023-10-18 07:00:41,084 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "cape_extracted_config" DEBUG:lib.cuckoo.core.plugins:Running signature "cape_extracted_content" 2023-10-18 07:00:41,084 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "cape_extracted_content" DEBUG:lib.cuckoo.core.plugins:Running signature "carberp_mutex" 2023-10-18 07:00:41,084 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "carberp_mutex" DEBUG:lib.cuckoo.core.plugins:Running signature "clears_logs" 2023-10-18 07:00:41,084 [Task 260] [lib.cuckoo.core.plugins] DEBUG: 
Running signature "clears_logs" DEBUG:lib.cuckoo.core.plugins:Running signature "cmdline_obfuscation" 2023-10-18 07:00:41,085 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "cmdline_obfuscation" DEBUG:lib.cuckoo.core.plugins:Running signature "cmdline_switches" 2023-10-18 07:00:41,085 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "cmdline_switches" DEBUG:lib.cuckoo.core.plugins:Running signature "cmdline_terminate" 2023-10-18 07:00:41,086 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "cmdline_terminate" DEBUG:lib.cuckoo.core.plugins:Running signature "cmdline_forfiles_wildcard" 2023-10-18 07:00:41,086 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "cmdline_forfiles_wildcard" DEBUG:lib.cuckoo.core.plugins:Running signature "cmdline_http_link" 2023-10-18 07:00:41,086 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "cmdline_http_link" DEBUG:lib.cuckoo.core.plugins:Running signature "cmdline_long_string" 2023-10-18 07:00:41,086 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "cmdline_long_string" DEBUG:lib.cuckoo.core.plugins:Running signature "cmdline_reversed_http_link" 2023-10-18 07:00:41,087 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "cmdline_reversed_http_link" DEBUG:lib.cuckoo.core.plugins:Running signature "long_commandline" 2023-10-18 07:00:41,087 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "long_commandline" DEBUG:lib.cuckoo.core.plugins:Running signature "powershell_renamed_commandline" 2023-10-18 07:00:41,087 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "powershell_renamed_commandline" DEBUG:lib.cuckoo.core.plugins:Running signature "system_account_discovery_cmd" 2023-10-18 07:00:41,087 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "system_account_discovery_cmd" DEBUG:lib.cuckoo.core.plugins:Running signature "system_info_discovery_cmd" 2023-10-18 07:00:41,087 [Task 260] [lib.cuckoo.core.plugins] 
DEBUG: Running signature "system_info_discovery_cmd"
DEBUG:lib.cuckoo.core.plugins:Running signature "system_info_discovery_pwsh"
2023-10-18 07:00:41,088 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "system_info_discovery_pwsh"
DEBUG:lib.cuckoo.core.plugins:Running signature "system_network_discovery_cmd"
2023-10-18 07:00:41,088 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "system_network_discovery_cmd"
DEBUG:lib.cuckoo.core.plugins:Running signature "system_network_discovery_pwsh"
2023-10-18 07:00:41,088 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "system_network_discovery_pwsh"
DEBUG:lib.cuckoo.core.plugins:Running signature "system_user_discovery_cmd"
2023-10-18 07:00:41,088 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "system_user_discovery_cmd"
DEBUG:lib.cuckoo.core.plugins:Running signature "copies_self"
2023-10-18 07:00:41,089 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "copies_self"
DEBUG:lib.cuckoo.core.plugins:Running signature "enables_wdigest"
2023-10-18 07:00:41,089 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "enables_wdigest"
DEBUG:lib.cuckoo.core.plugins:Running signature "file_credential_store_access"
2023-10-18 07:00:41,089 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "file_credential_store_access"
DEBUG:lib.cuckoo.core.plugins:Running signature "file_credential_store_write"
2023-10-18 07:00:41,090 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "file_credential_store_write"
DEBUG:lib.cuckoo.core.plugins:Running signature "registry_credential_dumping"
2023-10-18 07:00:41,091 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "registry_credential_dumping"
DEBUG:lib.cuckoo.core.plugins:Running signature "registry_credential_store_access"
2023-10-18 07:00:41,091 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "registry_credential_store_access"
DEBUG:lib.cuckoo.core.plugins:Running signature "registry_lsa_secrets_access"
2023-10-18 07:00:41,091 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "registry_lsa_secrets_access"
DEBUG:lib.cuckoo.core.plugins:Running signature "cryptomining_stratum_command"
2023-10-18 07:00:41,092 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "cryptomining_stratum_command"
DEBUG:lib.cuckoo.core.plugins:Running signature "cryptopool_domains"
2023-10-18 07:00:41,092 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "cryptopool_domains"
DEBUG:lib.cuckoo.core.plugins:Running signature "cypherit_mutexes"
2023-10-18 07:00:41,092 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "cypherit_mutexes"
DEBUG:lib.cuckoo.core.plugins:Running signature "darkcomet_regkeys"
2023-10-18 07:00:41,093 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "darkcomet_regkeys"
DEBUG:lib.cuckoo.core.plugins:Running signature "datop_loader"
2023-10-18 07:00:41,094 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "datop_loader"
DEBUG:lib.cuckoo.core.plugins:Running signature "deepfreeze_mutex"
2023-10-18 07:00:41,094 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "deepfreeze_mutex"
DEBUG:lib.cuckoo.core.plugins:Running signature "deletes_executed_files"
2023-10-18 07:00:41,095 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "deletes_executed_files"
DEBUG:lib.cuckoo.core.plugins:Running signature "disables_app_launch"
2023-10-18 07:00:41,095 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "disables_app_launch"
DEBUG:lib.cuckoo.core.plugins:Running signature "disables_auto_app_termination"
2023-10-18 07:00:41,095 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "disables_auto_app_termination"
DEBUG:lib.cuckoo.core.plugins:Running signature "disables_appv_virtualization"
2023-10-18 07:00:41,096 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "disables_appv_virtualization"
DEBUG:lib.cuckoo.core.plugins:Running signature "disables_backups"
2023-10-18 07:00:41,096 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "disables_backups"
DEBUG:lib.cuckoo.core.plugins:Running signature "disables_browser_warn"
2023-10-18 07:00:41,098 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "disables_browser_warn"
DEBUG:lib.cuckoo.core.plugins:Running signature "disables_context_menus"
2023-10-18 07:00:41,100 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "disables_context_menus"
DEBUG:lib.cuckoo.core.plugins:Running signature "disables_cpl_disable"
2023-10-18 07:00:41,101 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "disables_cpl_disable"
DEBUG:lib.cuckoo.core.plugins:Running signature "disables_crashdumps"
2023-10-18 07:00:41,102 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "disables_crashdumps"
DEBUG:lib.cuckoo.core.plugins:Running signature "disables_event_logging"
2023-10-18 07:00:41,102 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "disables_event_logging"
DEBUG:lib.cuckoo.core.plugins:Running signature "disables_folder_options"
2023-10-18 07:00:41,103 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "disables_folder_options"
DEBUG:lib.cuckoo.core.plugins:Running signature "disables_notificationcenter"
2023-10-18 07:00:41,103 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "disables_notificationcenter"
DEBUG:lib.cuckoo.core.plugins:Running signature "disables_power_options"
2023-10-18 07:00:41,104 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "disables_power_options"
DEBUG:lib.cuckoo.core.plugins:Running signature "disables_restore_default_state"
2023-10-18 07:00:41,105 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "disables_restore_default_state"
DEBUG:lib.cuckoo.core.plugins:Running signature "disables_run_command"
2023-10-18 07:00:41,106 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "disables_run_command"
DEBUG:lib.cuckoo.core.plugins:Running signature "disables_security"
2023-10-18 07:00:41,106 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "disables_security"
DEBUG:lib.cuckoo.core.plugins:Running signature "disables_smartscreen"
2023-10-18 07:00:41,106 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "disables_smartscreen"
DEBUG:lib.cuckoo.core.plugins:Running signature "disables_startmenu_search"
2023-10-18 07:00:41,107 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "disables_startmenu_search"
DEBUG:lib.cuckoo.core.plugins:Running signature "disables_system_restore"
2023-10-18 07:00:41,108 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "disables_system_restore"
DEBUG:lib.cuckoo.core.plugins:Running signature "disables_uac"
2023-10-18 07:00:41,109 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "disables_uac"
DEBUG:lib.cuckoo.core.plugins:Running signature "disables_wer"
2023-10-18 07:00:41,110 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "disables_wer"
DEBUG:lib.cuckoo.core.plugins:Running signature "disables_windows_defender"
2023-10-18 07:00:41,110 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "disables_windows_defender"
DEBUG:lib.cuckoo.core.plugins:Running signature "disables_windows_defender_logging"
2023-10-18 07:00:41,111 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "disables_windows_defender_logging"
DEBUG:lib.cuckoo.core.plugins:Running signature "removes_windows_defender_contextmenu"
2023-10-18 07:00:41,112 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "removes_windows_defender_contextmenu"
DEBUG:lib.cuckoo.core.plugins:Running signature "windows_defender_powershell"
2023-10-18 07:00:41,112 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "windows_defender_powershell"
DEBUG:lib.cuckoo.core.plugins:Running signature "disables_windows_file_protection"
2023-10-18 07:00:41,113 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "disables_windows_file_protection"
DEBUG:lib.cuckoo.core.plugins:Running signature "disables_windowsupdate"
2023-10-18 07:00:41,113 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "disables_windowsupdate"
DEBUG:lib.cuckoo.core.plugins:Running signature "disables_winfirewall"
2023-10-18 07:00:41,114 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "disables_winfirewall"
DEBUG:lib.cuckoo.core.plugins:Running signature "andromut_mutexes"
2023-10-18 07:00:41,115 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "andromut_mutexes"
DEBUG:lib.cuckoo.core.plugins:Running signature "downloader_cabby"
2023-10-18 07:00:41,115 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "downloader_cabby"
DEBUG:lib.cuckoo.core.plugins:Running signature "phorpiex_mutexes"
2023-10-18 07:00:41,115 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "phorpiex_mutexes"
DEBUG:lib.cuckoo.core.plugins:Running signature "protonbot_mutexes"
2023-10-18 07:00:41,116 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "protonbot_mutexes"
DEBUG:lib.cuckoo.core.plugins:Running signature "driver_filtermanager"
2023-10-18 07:00:41,116 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "driver_filtermanager"
DEBUG:lib.cuckoo.core.plugins:Running signature "dropper"
2023-10-18 07:00:41,117 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "dropper"
DEBUG:lib.cuckoo.core.plugins:Running signature "excel4_macro_urls"
2023-10-18 07:00:41,117 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "excel4_macro_urls"
DEBUG:lib.cuckoo.core.plugins:Running signature "spooler_access"
2023-10-18 07:00:41,117 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "spooler_access"
DEBUG:lib.cuckoo.core.plugins:Running signature "spooler_svc_start"
2023-10-18 07:00:41,118 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "spooler_svc_start"
DEBUG:lib.cuckoo.core.plugins:Running signature "family_proxyback"
2023-10-18 07:00:41,118 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "family_proxyback"
DEBUG:lib.cuckoo.core.plugins:Running signature "mapped_drives_uac"
2023-10-18 07:00:41,118 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "mapped_drives_uac"
DEBUG:lib.cuckoo.core.plugins:Running signature "hides_recycle_bin_icon"
2023-10-18 07:00:41,119 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "hides_recycle_bin_icon"
DEBUG:lib.cuckoo.core.plugins:Running signature "apocalypse_stealer_file_behavior"
2023-10-18 07:00:41,120 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "apocalypse_stealer_file_behavior"
DEBUG:lib.cuckoo.core.plugins:Running signature "arkei_files"
2023-10-18 07:00:41,121 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "arkei_files"
DEBUG:lib.cuckoo.core.plugins:Running signature "azorult_mutexes"
2023-10-18 07:00:41,121 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "azorult_mutexes"
DEBUG:lib.cuckoo.core.plugins:Running signature "infostealer_bitcoin"
2023-10-18 07:00:41,123 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "infostealer_bitcoin"
DEBUG:lib.cuckoo.core.plugins:Running signature "infostealer_cookies"
2023-10-18 07:00:41,128 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "infostealer_cookies"
DEBUG:lib.cuckoo.core.plugins:Running signature "cryptbot_files"
2023-10-18 07:00:41,130 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "cryptbot_files"
DEBUG:lib.cuckoo.core.plugins:Running signature "echelon_files"
2023-10-18 07:00:41,131 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "echelon_files"
DEBUG:lib.cuckoo.core.plugins:Running signature "infostealer_ftp"
2023-10-18 07:00:41,132 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "infostealer_ftp"
DEBUG:lib.cuckoo.core.plugins:Running signature "infostealer_im"
2023-10-18 07:00:41,139 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "infostealer_im"
DEBUG:lib.cuckoo.core.plugins:Running signature "infostealer_mail"
2023-10-18 07:00:41,143 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "infostealer_mail"
DEBUG:lib.cuckoo.core.plugins:Running signature "masslogger_files"
2023-10-18 07:00:41,147 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "masslogger_files"
DEBUG:lib.cuckoo.core.plugins:Running signature "poullight_files"
2023-10-18 07:00:41,147 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "poullight_files"
DEBUG:lib.cuckoo.core.plugins:Running signature "purplewave_mutexes"
2023-10-18 07:00:41,151 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "purplewave_mutexes"
DEBUG:lib.cuckoo.core.plugins:Running signature "quilclipper_mutexes"
2023-10-18 07:00:41,151 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "quilclipper_mutexes"
DEBUG:lib.cuckoo.core.plugins:Running signature "qulab_files"
2023-10-18 07:00:41,152 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "qulab_files"
DEBUG:lib.cuckoo.core.plugins:Running signature "qulab_mutexes"
2023-10-18 07:00:41,153 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "qulab_mutexes"
DEBUG:lib.cuckoo.core.plugins:Running signature "ie_martian_children"
2023-10-18 07:00:41,153 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "ie_martian_children"
DEBUG:lib.cuckoo.core.plugins:Running signature "office_martian_children"
2023-10-18 07:00:41,154 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "office_martian_children"
DEBUG:lib.cuckoo.core.plugins:Running signature "mimics_extension"
2023-10-18 07:00:41,154 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "mimics_extension"
DEBUG:lib.cuckoo.core.plugins:Running signature "mimics_icon"
2023-10-18 07:00:41,154 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "mimics_icon"
DEBUG:lib.cuckoo.core.plugins:Running signature "masquerade_process_name"
2023-10-18 07:00:41,154 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "masquerade_process_name"
DEBUG:lib.cuckoo.core.plugins:Running signature "mimikatz_modules"
2023-10-18 07:00:41,159 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "mimikatz_modules"
DEBUG:lib.cuckoo.core.plugins:Running signature "dotnet_clr_usagelog_regkeys"
2023-10-18 07:00:41,159 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "dotnet_clr_usagelog_regkeys"
DEBUG:lib.cuckoo.core.plugins:Running signature "modify_hostfile"
2023-10-18 07:00:41,160 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "modify_hostfile"
DEBUG:lib.cuckoo.core.plugins:Running signature "modify_oem_information"
2023-10-18 07:00:41,160 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "modify_oem_information"
DEBUG:lib.cuckoo.core.plugins:Running signature "modify_security_center_warnings"
2023-10-18 07:00:41,161 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "modify_security_center_warnings"
DEBUG:lib.cuckoo.core.plugins:Running signature "modify_uac_prompt"
2023-10-18 07:00:41,162 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "modify_uac_prompt"
DEBUG:lib.cuckoo.core.plugins:Running signature "network_ip_exe"
2023-10-18 07:00:41,163 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "network_ip_exe"
DEBUG:lib.cuckoo.core.plugins:Running signature "network_dga"
2023-10-18 07:00:41,163 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "network_dga"
DEBUG:lib.cuckoo.core.plugins:Running signature "network_dga_fraunhofer"
2023-10-18 07:00:41,164 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "network_dga_fraunhofer"
DEBUG:lib.cuckoo.core.plugins:Running signature "network_dns_blockchain"
2023-10-18 07:00:41,164 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "network_dns_blockchain"
DEBUG:lib.cuckoo.core.plugins:Running signature "network_dns_opennic"
2023-10-18 07:00:41,164 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "network_dns_opennic"
DEBUG:lib.cuckoo.core.plugins:Running signature "network_dns_paste_site"
2023-10-18 07:00:41,164 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "network_dns_paste_site"
DEBUG:lib.cuckoo.core.plugins:Running signature "network_dns_reverse_proxy"
2023-10-18 07:00:41,165 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "network_dns_reverse_proxy"
DEBUG:lib.cuckoo.core.plugins:Running signature "network_dns_temp_file_storage"
2023-10-18 07:00:41,165 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "network_dns_temp_file_storage"
DEBUG:lib.cuckoo.core.plugins:Running signature "network_dns_temp_urldns"
2023-10-18 07:00:41,165 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "network_dns_temp_urldns"
DEBUG:lib.cuckoo.core.plugins:Running signature "network_dns_url_shortener"
2023-10-18 07:00:41,165 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "network_dns_url_shortener"
DEBUG:lib.cuckoo.core.plugins:Running signature "network_dns_doh_tls"
2023-10-18 07:00:41,166 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "network_dns_doh_tls"
DEBUG:lib.cuckoo.core.plugins:Running signature "suspicious_tld"
2023-10-18 07:00:41,166 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "suspicious_tld"
DEBUG:lib.cuckoo.core.plugins:Running signature "network_dyndns"
2023-10-18 07:00:41,166 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "network_dyndns"
DEBUG:lib.cuckoo.core.plugins:Running signature "network_icmp"
2023-10-18 07:00:41,166 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "network_icmp"
DEBUG:lib.cuckoo.core.plugins:Running signature "network_irc"
2023-10-18 07:00:41,167 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "network_irc"
DEBUG:lib.cuckoo.core.plugins:Running signature "network_open_proxy"
2023-10-18 07:00:41,167 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "network_open_proxy"
DEBUG:lib.cuckoo.core.plugins:Running signature "network_smtp"
2023-10-18 07:00:41,167 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "network_smtp"
DEBUG:lib.cuckoo.core.plugins:Running signature "network_tor_service"
2023-10-18 07:00:41,167 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "network_tor_service"
DEBUG:lib.cuckoo.core.plugins:Running signature "network_torgateway"
2023-10-18 07:00:41,168 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "network_torgateway"
DEBUG:lib.cuckoo.core.plugins:Running signature "office_code_page"
2023-10-18 07:00:41,168 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "office_code_page"
DEBUG:lib.cuckoo.core.plugins:Running signature "office_addinloading"
2023-10-18 07:00:41,168 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "office_addinloading"
DEBUG:lib.cuckoo.core.plugins:Running signature "office_perfkey"
2023-10-18 07:00:41,169 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "office_perfkey"
DEBUG:lib.cuckoo.core.plugins:Running signature "office_macro"
2023-10-18 07:00:41,169 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "office_macro"
DEBUG:lib.cuckoo.core.plugins:Running signature "changes_trust_center_settings"
2023-10-18 07:00:41,169 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "changes_trust_center_settings"
DEBUG:lib.cuckoo.core.plugins:Running signature "disables_vba_trust_access"
2023-10-18 07:00:41,170 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "disables_vba_trust_access"
DEBUG:lib.cuckoo.core.plugins:Running signature "office_macro_autoexecution"
2023-10-18 07:00:41,170 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "office_macro_autoexecution"
DEBUG:lib.cuckoo.core.plugins:Running signature "office_macro_ioc"
2023-10-18 07:00:41,171 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "office_macro_ioc"
DEBUG:lib.cuckoo.core.plugins:Running signature "office_macro_malicious_prediction"
2023-10-18 07:00:41,171 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "office_macro_malicious_prediction"
DEBUG:lib.cuckoo.core.plugins:Running signature "office_macro_suspicious"
2023-10-18 07:00:41,171 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "office_macro_suspicious"
DEBUG:lib.cuckoo.core.plugins:Running signature "rtf_aslr_bypass"
2023-10-18 07:00:41,171 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "rtf_aslr_bypass"
DEBUG:lib.cuckoo.core.plugins:Running signature "rtf_anomaly_characterset"
2023-10-18 07:00:41,172 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "rtf_anomaly_characterset"
DEBUG:lib.cuckoo.core.plugins:Running signature "rtf_anomaly_version"
2023-10-18 07:00:41,172 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "rtf_anomaly_version"
DEBUG:lib.cuckoo.core.plugins:Running signature "rtf_embedded_content"
2023-10-18 07:00:41,172 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "rtf_embedded_content"
DEBUG:lib.cuckoo.core.plugins:Running signature "rtf_embedded_office_file"
2023-10-18 07:00:41,172 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "rtf_embedded_office_file"
DEBUG:lib.cuckoo.core.plugins:Running signature "rtf_exploit_static"
2023-10-18 07:00:41,172 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "rtf_exploit_static"
DEBUG:lib.cuckoo.core.plugins:Running signature "office_security"
2023-10-18 07:00:41,173 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "office_security"
DEBUG:lib.cuckoo.core.plugins:Running signature "office_anomalous_feature"
2023-10-18 07:00:41,173 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "office_anomalous_feature"
DEBUG:lib.cuckoo.core.plugins:Running signature "office_dde_command"
2023-10-18 07:00:41,174 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "office_dde_command"
DEBUG:lib.cuckoo.core.plugins:Running signature "origin_langid"
2023-10-18 07:00:41,174 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "origin_langid"
DEBUG:lib.cuckoo.core.plugins:Running signature "origin_resource_langid"
2023-10-18 07:00:41,174 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "origin_resource_langid"
DEBUG:lib.cuckoo.core.plugins:Running signature "overlay"
2023-10-18 07:00:41,174 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "overlay"
DEBUG:lib.cuckoo.core.plugins:Running signature "packer_unknown_pe_section_name"
2023-10-18 07:00:41,175 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "packer_unknown_pe_section_name"
DEBUG:lib.cuckoo.core.plugins:Running signature "packer_armadillo_mutex"
2023-10-18 07:00:41,175 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "packer_armadillo_mutex"
DEBUG:lib.cuckoo.core.plugins:Running signature "packer_armadillo_regkey"
2023-10-18 07:00:41,175 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "packer_armadillo_regkey"
DEBUG:lib.cuckoo.core.plugins:Running signature "packer_aspack"
2023-10-18 07:00:41,176 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "packer_aspack"
DEBUG:lib.cuckoo.core.plugins:Running signature "packer_aspirecrypt"
2023-10-18 07:00:41,176 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "packer_aspirecrypt"
DEBUG:lib.cuckoo.core.plugins:Running signature "packer_bedsprotector"
2023-10-18 07:00:41,176 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "packer_bedsprotector"
DEBUG:lib.cuckoo.core.plugins:Running signature "packer_confuser"
2023-10-18 07:00:41,176 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "packer_confuser"
DEBUG:lib.cuckoo.core.plugins:Running signature "packer_enigma"
2023-10-18 07:00:41,177 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "packer_enigma"
DEBUG:lib.cuckoo.core.plugins:Running signature "packer_entropy"
2023-10-18 07:00:41,177 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "packer_entropy"
DEBUG:lib.cuckoo.core.plugins:Running signature "packer_mpress"
2023-10-18 07:00:41,177 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "packer_mpress"
DEBUG:lib.cuckoo.core.plugins:Running signature "packer_nate"
2023-10-18 07:00:41,177 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "packer_nate"
DEBUG:lib.cuckoo.core.plugins:Running signature "packer_nspack"
2023-10-18 07:00:41,178 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "packer_nspack"
DEBUG:lib.cuckoo.core.plugins:Running signature "packer_smartassembly"
2023-10-18 07:00:41,178 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "packer_smartassembly"
DEBUG:lib.cuckoo.core.plugins:Running signature "packer_spices"
2023-10-18 07:00:41,178 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "packer_spices"
DEBUG:lib.cuckoo.core.plugins:Running signature "packer_themida"
2023-10-18 07:00:41,178 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "packer_themida"
DEBUG:lib.cuckoo.core.plugins:Running signature "packer_titan"
2023-10-18 07:00:41,178 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "packer_titan"
DEBUG:lib.cuckoo.core.plugins:Running signature "packer_upx"
2023-10-18 07:00:41,179 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "packer_upx"
DEBUG:lib.cuckoo.core.plugins:Running signature "packer_vmprotect"
2023-10-18 07:00:41,179 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "packer_vmprotect"
DEBUG:lib.cuckoo.core.plugins:Running signature "packer_yoda"
2023-10-18 07:00:41,179 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "packer_yoda"
DEBUG:lib.cuckoo.core.plugins:Running signature "persistence_ads"
2023-10-18 07:00:41,179 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "persistence_ads"
DEBUG:lib.cuckoo.core.plugins:Running signature "persistence_safeboot"
2023-10-18 07:00:41,180 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "persistence_safeboot"
DEBUG:lib.cuckoo.core.plugins:Running signature "persistence_ifeo"
2023-10-18 07:00:41,180 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "persistence_ifeo"
DEBUG:lib.cuckoo.core.plugins:Running signature "persistence_slient_process_exit"
2023-10-18 07:00:41,181 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "persistence_slient_process_exit"
DEBUG:lib.cuckoo.core.plugins:Running signature "persistence_rdp_registry"
2023-10-18 07:00:41,181 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "persistence_rdp_registry"
DEBUG:lib.cuckoo.core.plugins:Running signature "persistence_rdp_shadowing"
2023-10-18 07:00:41,182 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "persistence_rdp_shadowing"
DEBUG:lib.cuckoo.core.plugins:Running signature "persistence_service"
2023-10-18 07:00:41,182 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "persistence_service"
DEBUG:lib.cuckoo.core.plugins:Running signature "persistence_shim_database"
2023-10-18 07:00:41,183 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "persistence_shim_database"
DEBUG:lib.cuckoo.core.plugins:Running signature "powerpool_mutexes"
2023-10-18 07:00:41,184 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "powerpool_mutexes"
DEBUG:lib.cuckoo.core.plugins:Running signature "powershell_scriptblock_logging"
2023-10-18 07:00:41,184 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "powershell_scriptblock_logging"
DEBUG:lib.cuckoo.core.plugins:Running signature "powershell_command_suspicious"
2023-10-18 07:00:41,184 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "powershell_command_suspicious"
DEBUG:lib.cuckoo.core.plugins:Running signature "powershell_renamed"
2023-10-18 07:00:41,185 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "powershell_renamed"
DEBUG:lib.cuckoo.core.plugins:Running signature "powershell_reversed"
2023-10-18 07:00:41,185 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "powershell_reversed"
DEBUG:lib.cuckoo.core.plugins:Running signature "powershell_variable_obfuscation"
2023-10-18 07:00:41,185 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "powershell_variable_obfuscation"
DEBUG:lib.cuckoo.core.plugins:Running signature "punch_plus_plus_pcres"
2023-10-18 07:00:41,185 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "punch_plus_plus_pcres"
DEBUG:lib.cuckoo.core.plugins:Running signature "prevents_safeboot"
2023-10-18 07:00:41,185 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "prevents_safeboot"
DEBUG:lib.cuckoo.core.plugins:Running signature "cmdline_process_discovery"
2023-10-18 07:00:41,186 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "cmdline_process_discovery"
DEBUG:lib.cuckoo.core.plugins:Running signature "procmem_yara"
2023-10-18 07:00:41,186 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "procmem_yara"
DEBUG:lib.cuckoo.core.plugins:Running signature "cryptomix_mutexes"
2023-10-18 07:00:41,186 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "cryptomix_mutexes"
DEBUG:lib.cuckoo.core.plugins:Running signature "dharma_mutexes"
2023-10-18 07:00:41,187 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "dharma_mutexes"
DEBUG:lib.cuckoo.core.plugins:Running signature "ransomware_extensions"
2023-10-18 07:00:41,187 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "ransomware_extensions"
/opt/CAPEv2/utils/../lib/cuckoo/common/abstracts.py:991: FutureWarning: Possible nested set at position 5
  exp = re.compile(pattern, re.IGNORECASE)
DEBUG:lib.cuckoo.core.plugins:Running signature "ransomware_files"
2023-10-18 07:00:41,196 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "ransomware_files"
DEBUG:lib.cuckoo.core.plugins:Running signature "fonix_mutexes"
2023-10-18 07:00:41,208 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "fonix_mutexes"
DEBUG:lib.cuckoo.core.plugins:Running signature "gandcrab_mutexes"
2023-10-18 07:00:41,209 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "gandcrab_mutexes"
DEBUG:lib.cuckoo.core.plugins:Running signature "germanwiper_mutexes"
2023-10-18 07:00:41,209 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "germanwiper_mutexes"
DEBUG:lib.cuckoo.core.plugins:Running signature "medusalocker_mutexes"
2023-10-18 07:00:41,210 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "medusalocker_mutexes"
DEBUG:lib.cuckoo.core.plugins:Running signature "medusalocker_regkeys"
2023-10-18 07:00:41,210 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "medusalocker_regkeys"
DEBUG:lib.cuckoo.core.plugins:Running signature "nemty_mutexes"
2023-10-18 07:00:41,211 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "nemty_mutexes"
DEBUG:lib.cuckoo.core.plugins:Running signature "nemty_regkeys"
2023-10-18 07:00:41,212 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "nemty_regkeys"
DEBUG:lib.cuckoo.core.plugins:Running signature "pysa_mutexes"
2023-10-18 07:00:41,212 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "pysa_mutexes"
DEBUG:lib.cuckoo.core.plugins:Running signature "ransomware_radamant"
2023-10-18 07:00:41,212 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "ransomware_radamant"
DEBUG:lib.cuckoo.core.plugins:Running signature "ransomware_recyclebin"
2023-10-18 07:00:41,213 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "ransomware_recyclebin"
DEBUG:lib.cuckoo.core.plugins:Running signature "revil_mutexes"
2023-10-18 07:00:41,213 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "revil_mutexes"
DEBUG:lib.cuckoo.core.plugins:Running signature "ransomware_revil_regkey"
2023-10-18 07:00:41,216 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "ransomware_revil_regkey"
DEBUG:lib.cuckoo.core.plugins:Running signature "satan_mutexes"
2023-10-18 07:00:41,216 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "satan_mutexes"
DEBUG:lib.cuckoo.core.plugins:Running signature "snake_ransom_mutexes"
2023-10-18 07:00:41,217 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "snake_ransom_mutexes"
DEBUG:lib.cuckoo.core.plugins:Running signature "stop_ransom_mutexes"
2023-10-18 07:00:41,217 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "stop_ransom_mutexes"
DEBUG:lib.cuckoo.core.plugins:Running signature "stop_ransomware_cmd"
2023-10-18 07:00:41,218 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "stop_ransomware_cmd"
DEBUG:lib.cuckoo.core.plugins:Running signature "rat_beebus_mutexes"
2023-10-18 07:00:41,219 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "rat_beebus_mutexes"
DEBUG:lib.cuckoo.core.plugins:Running signature "blacknet_mutexes"
2023-10-18 07:00:41,219 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "blacknet_mutexes"
DEBUG:lib.cuckoo.core.plugins:Running signature "blackrat_mutexes"
2023-10-18 07:00:41,220 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "blackrat_mutexes"
DEBUG:lib.cuckoo.core.plugins:Running signature "crat_mutexes"
2023-10-18 07:00:41,220 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "crat_mutexes"
DEBUG:lib.cuckoo.core.plugins:Running signature "dcrat_files"
2023-10-18 07:00:41,221 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "dcrat_files"
DEBUG:lib.cuckoo.core.plugins:Running signature "dcrat_mutexes"
2023-10-18 07:00:41,222 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "dcrat_mutexes"
DEBUG:lib.cuckoo.core.plugins:Running signature "rat_fynloski_mutexes"
2023-10-18 07:00:41,222 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "rat_fynloski_mutexes"
DEBUG:lib.cuckoo.core.plugins:Running signature "karagany_files"
2023-10-18 07:00:41,222 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "karagany_files"
DEBUG:lib.cuckoo.core.plugins:Running signature "limerat_mutexes"
2023-10-18 07:00:41,223 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "limerat_mutexes"
DEBUG:lib.cuckoo.core.plugins:Running signature "limerat_regkeys"
2023-10-18 07:00:41,223 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "limerat_regkeys"
DEBUG:lib.cuckoo.core.plugins:Running signature "lodarat_file_behavior"
2023-10-18 07:00:41,224 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "lodarat_file_behavior"
DEBUG:lib.cuckoo.core.plugins:Running signature "modirat_behavior"
2023-10-18 07:00:41,225 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "modirat_behavior"
DEBUG:lib.cuckoo.core.plugins:Running signature "njrat_regkeys"
2023-10-18 07:00:41,227 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "njrat_regkeys"
DEBUG:lib.cuckoo.core.plugins:Running signature "obliquerat_files"
2023-10-18 07:00:41,227 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "obliquerat_files"
DEBUG:lib.cuckoo.core.plugins:Running signature "obliquerat_mutexes"
2023-10-18 07:00:41,228 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "obliquerat_mutexes"
DEBUG:lib.cuckoo.core.plugins:Running signature "parallax_mutexes"
2023-10-18 07:00:41,228 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "parallax_mutexes"
DEBUG:lib.cuckoo.core.plugins:Running signature "rat_pcclient"
2023-10-18 07:00:41,229 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "rat_pcclient"
DEBUG:lib.cuckoo.core.plugins:Running signature "rat_plugx_mutexes"
2023-10-18 07:00:41,230 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "rat_plugx_mutexes"
DEBUG:lib.cuckoo.core.plugins:Running signature "rat_poisonivy_mutexes"
2023-10-18 07:00:41,231 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "rat_poisonivy_mutexes"
DEBUG:lib.cuckoo.core.plugins:Running signature "rat_quasar_mutexes"
2023-10-18 07:00:41,231 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "rat_quasar_mutexes"
DEBUG:lib.cuckoo.core.plugins:Running signature "ratsnif_mutexes"
2023-10-18 07:00:41,231 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "ratsnif_mutexes"
DEBUG:lib.cuckoo.core.plugins:Running signature "rat_senna_mutexes"
2023-10-18 07:00:41,231 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "rat_senna_mutexes"
DEBUG:lib.cuckoo.core.plugins:Running signature "rat_spynet"
2023-10-18 07:00:41,232 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "rat_spynet"
DEBUG:lib.cuckoo.core.plugins:Running signature "venomrat_mutexes"
2023-10-18 07:00:41,233 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "venomrat_mutexes"
DEBUG:lib.cuckoo.core.plugins:Running signature "warzonerat_files"
2023-10-18 07:00:41,233 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "warzonerat_files"
DEBUG:lib.cuckoo.core.plugins:Running signature "warzonerat_regkeys"
2023-10-18 07:00:41,234 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "warzonerat_regkeys"
DEBUG:lib.cuckoo.core.plugins:Running signature "xpertrat_files"
2023-10-18 07:00:41,235 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "xpertrat_files"
DEBUG:lib.cuckoo.core.plugins:Running signature "xpertrat_mutexes"
2023-10-18 07:00:41,235 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "xpertrat_mutexes"
DEBUG:lib.cuckoo.core.plugins:Running signature "rat_xtreme_mutexes"
2023-10-18 07:00:41,236 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "rat_xtreme_mutexes"
DEBUG:lib.cuckoo.core.plugins:Running signature "recon_checkip"
2023-10-18 07:00:41,236 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "recon_checkip"
DEBUG:lib.cuckoo.core.plugins:Running signature "recon_fingerprint"
2023-10-18 07:00:41,237 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "recon_fingerprint"
DEBUG:lib.cuckoo.core.plugins:Running signature "remcos_files"
2023-10-18 07:00:41,238 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "remcos_files"
DEBUG:lib.cuckoo.core.plugins:Running signature "remcos_mutexes"
2023-10-18 07:00:41,239 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "remcos_mutexes"
DEBUG:lib.cuckoo.core.plugins:Running signature "remcos_regkeys"
2023-10-18 07:00:41,240 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "remcos_regkeys"
DEBUG:lib.cuckoo.core.plugins:Running signature "rdptcp_key"
2023-10-18 07:00:41,240 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "rdptcp_key"
DEBUG:lib.cuckoo.core.plugins:Running signature "uses_rdp_clip"
2023-10-18 07:00:41,241 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "uses_rdp_clip"
DEBUG:lib.cuckoo.core.plugins:Running signature "uses_remote_desktop_session"
2023-10-18 07:00:41,241 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "uses_remote_desktop_session"
DEBUG:lib.cuckoo.core.plugins:Running signature "removes_networking_icon"
2023-10-18 07:00:41,242 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "removes_networking_icon"
DEBUG:lib.cuckoo.core.plugins:Running signature "removes_pinned_programs"
2023-10-18 07:00:41,242 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "removes_pinned_programs"
DEBUG:lib.cuckoo.core.plugins:Running signature "removes_security_maintenance_icon"
2023-10-18 07:00:41,243 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "removes_security_maintenance_icon"
DEBUG:lib.cuckoo.core.plugins:Running signature "removes_startmenu_defaults"
2023-10-18 07:00:41,243 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "removes_startmenu_defaults"
DEBUG:lib.cuckoo.core.plugins:Running signature "removes_username_startmenu"
2023-10-18 07:00:41,244 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "removes_username_startmenu"
DEBUG:lib.cuckoo.core.plugins:Running signature "spicyhotpot_behavior"
2023-10-18 07:00:41,245 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "spicyhotpot_behavior"
DEBUG:lib.cuckoo.core.plugins:Running signature "sniffer_winpcap"
2023-10-18 07:00:41,246 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "sniffer_winpcap"
DEBUG:lib.cuckoo.core.plugins:Running signature "spreading_autoruninf"
2023-10-18 07:00:41,246 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "spreading_autoruninf"
DEBUG:lib.cuckoo.core.plugins:Running signature "static_authenticode"
2023-10-18 07:00:41,247 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "static_authenticode"
DEBUG:lib.cuckoo.core.plugins:Running signature "invalid_authenticode_signature"
2023-10-18 07:00:41,247 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "invalid_authenticode_signature"
DEBUG:lib.cuckoo.core.plugins:Running signature "static_dotnet_anomaly"
2023-10-18 07:00:41,247 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "static_dotnet_anomaly"
DEBUG:lib.cuckoo.core.plugins:Running signature "static_java"
2023-10-18 07:00:41,247 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "static_java"
DEBUG:lib.cuckoo.core.plugins:Running signature "static_pdf"
2023-10-18 07:00:41,248 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "static_pdf"
DEBUG:lib.cuckoo.core.plugins:Running signature "static_pe_anomaly"
2023-10-18 07:00:41,248 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "static_pe_anomaly"
DEBUG:lib.cuckoo.core.plugins:Running signature "pe_compile_timestomping"
2023-10-18 07:00:41,248 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "pe_compile_timestomping"
DEBUG:lib.cuckoo.core.plugins:Running signature 
"pe_compile_timestomping" DEBUG:lib.cuckoo.core.plugins:Running signature "static_pe_pdbpath" 2023-10-18 07:00:41,248 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "static_pe_pdbpath" DEBUG:lib.cuckoo.core.plugins:Running signature "static_rat_config" 2023-10-18 07:00:41,249 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "static_rat_config" DEBUG:lib.cuckoo.core.plugins:Running signature "static_versioninfo_anomaly" 2023-10-18 07:00:41,249 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "static_versioninfo_anomaly" DEBUG:lib.cuckoo.core.plugins:Running signature "stealth_hidden_extension" 2023-10-18 07:00:41,249 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "stealth_hidden_extension" DEBUG:lib.cuckoo.core.plugins:Running signature "stealth_hiddenreg" 2023-10-18 07:00:41,250 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "stealth_hiddenreg" DEBUG:lib.cuckoo.core.plugins:Running signature "stealth_hide_notifications" 2023-10-18 07:00:41,251 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "stealth_hide_notifications" DEBUG:lib.cuckoo.core.plugins:Running signature "stealth_webhistory" 2023-10-18 07:00:41,251 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "stealth_webhistory" DEBUG:lib.cuckoo.core.plugins:Running signature "suricata_alert" 2023-10-18 07:00:41,252 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "suricata_alert" DEBUG:lib.cuckoo.core.plugins:Running signature "sysinternals_psexec" 2023-10-18 07:00:41,252 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "sysinternals_psexec" DEBUG:lib.cuckoo.core.plugins:Running signature "sysinternals_tools" 2023-10-18 07:00:41,253 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "sysinternals_tools" DEBUG:lib.cuckoo.core.plugins:Running signature "tampers_etw" 2023-10-18 07:00:41,253 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "tampers_etw" 
DEBUG:lib.cuckoo.core.plugins:Running signature "lsa_tampering" 2023-10-18 07:00:41,254 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "lsa_tampering" DEBUG:lib.cuckoo.core.plugins:Running signature "tampers_powershell_logging" 2023-10-18 07:00:41,255 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "tampers_powershell_logging" DEBUG:lib.cuckoo.core.plugins:Running signature "targeted_flame" 2023-10-18 07:00:41,255 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "targeted_flame" DEBUG:lib.cuckoo.core.plugins:Running signature "territorial_disputes_sigs" 2023-10-18 07:00:41,256 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "territorial_disputes_sigs" DEBUG:lib.cuckoo.core.plugins:Running signature "trickbot_mutex" 2023-10-18 07:00:41,263 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "trickbot_mutex" DEBUG:lib.cuckoo.core.plugins:Running signature "fleercivet_mutex" 2023-10-18 07:00:41,263 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "fleercivet_mutex" DEBUG:lib.cuckoo.core.plugins:Running signature "lokibot_mutexes" 2023-10-18 07:00:41,263 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "lokibot_mutexes" DEBUG:lib.cuckoo.core.plugins:Running signature "ursnif_behavior" 2023-10-18 07:00:41,265 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "ursnif_behavior" DEBUG:lib.cuckoo.core.plugins:Running signature "upatre_files" 2023-10-18 07:00:41,270 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "upatre_files" DEBUG:lib.cuckoo.core.plugins:Running signature "upatre_files" 2023-10-18 07:00:41,270 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "upatre_files" DEBUG:lib.cuckoo.core.plugins:Running signature "uses_adfind" 2023-10-18 07:00:41,270 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "uses_adfind" DEBUG:lib.cuckoo.core.plugins:Running signature "uses_ms_protocol" 2023-10-18 07:00:41,270 [Task 260] 
[lib.cuckoo.core.plugins] DEBUG: Running signature "uses_ms_protocol" DEBUG:lib.cuckoo.core.plugins:Running signature "neshta_mutexes" 2023-10-18 07:00:41,271 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "neshta_mutexes" DEBUG:lib.cuckoo.core.plugins:Running signature "renamer_mutexes" 2023-10-18 07:00:41,271 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "renamer_mutexes" DEBUG:lib.cuckoo.core.plugins:Running signature "volatility_devicetree_1" 2023-10-18 07:00:41,271 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "volatility_devicetree_1" DEBUG:lib.cuckoo.core.plugins:Running signature "volatility_handles_1" 2023-10-18 07:00:41,272 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "volatility_handles_1" DEBUG:lib.cuckoo.core.plugins:Running signature "volatility_ldrmodules_1" 2023-10-18 07:00:41,272 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "volatility_ldrmodules_1" DEBUG:lib.cuckoo.core.plugins:Running signature "volatility_ldrmodules_2" 2023-10-18 07:00:41,272 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "volatility_ldrmodules_2" DEBUG:lib.cuckoo.core.plugins:Running signature "volatility_malfind_1" 2023-10-18 07:00:41,272 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "volatility_malfind_1" DEBUG:lib.cuckoo.core.plugins:Running signature "volatility_malfind_2" 2023-10-18 07:00:41,273 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "volatility_malfind_2" DEBUG:lib.cuckoo.core.plugins:Running signature "volatility_modscan_1" 2023-10-18 07:00:41,273 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "volatility_modscan_1" DEBUG:lib.cuckoo.core.plugins:Running signature "volatility_svcscan_1" 2023-10-18 07:00:41,273 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "volatility_svcscan_1" DEBUG:lib.cuckoo.core.plugins:Running signature "volatility_svcscan_2" 2023-10-18 07:00:41,273 [Task 260] [lib.cuckoo.core.plugins] 
DEBUG: Running signature "volatility_svcscan_2" DEBUG:lib.cuckoo.core.plugins:Running signature "volatility_svcscan_3" 2023-10-18 07:00:41,273 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "volatility_svcscan_3" DEBUG:lib.cuckoo.core.plugins:Running signature "owa_web_shell_files" 2023-10-18 07:00:41,274 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "owa_web_shell_files" DEBUG:lib.cuckoo.core.plugins:Running signature "web_shell_files" 2023-10-18 07:00:41,274 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "web_shell_files" DEBUG:lib.cuckoo.core.plugins:Running signature "web_shell_processes" 2023-10-18 07:00:41,275 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "web_shell_processes" DEBUG:lib.cuckoo.core.plugins:Running signature "whois_create" 2023-10-18 07:00:41,275 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "whois_create" DEBUG:lib.cuckoo.core.plugins:Running signature "dotnet_csc_build" 2023-10-18 07:00:41,275 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "dotnet_csc_build" DEBUG:lib.cuckoo.core.plugins:Running signature "multiple_explorer_instances" 2023-10-18 07:00:41,275 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "multiple_explorer_instances" DEBUG:lib.cuckoo.core.plugins:Running signature "script_tool_executed" 2023-10-18 07:00:41,276 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "script_tool_executed" DEBUG:lib.cuckoo.core.plugins:Running signature "suspicious_certutil_use" 2023-10-18 07:00:41,276 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "suspicious_certutil_use" DEBUG:lib.cuckoo.core.plugins:Running signature "suspicious_command_tools" 2023-10-18 07:00:41,276 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "suspicious_command_tools" DEBUG:lib.cuckoo.core.plugins:Running signature "suspicious_mpcmdrun_use" 2023-10-18 07:00:41,276 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature 
"suspicious_mpcmdrun_use" DEBUG:lib.cuckoo.core.plugins:Running signature "suspicious_ping_use" 2023-10-18 07:00:41,277 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "suspicious_ping_use" DEBUG:lib.cuckoo.core.plugins:Running signature "uses_powershell_copyitem" 2023-10-18 07:00:41,277 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "uses_powershell_copyitem" DEBUG:lib.cuckoo.core.plugins:Running signature "uses_windows_utilities" 2023-10-18 07:00:41,277 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "uses_windows_utilities" DEBUG:lib.cuckoo.core.plugins:Running signature "uses_windows_utilities_appcmd" 2023-10-18 07:00:41,278 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "uses_windows_utilities_appcmd" DEBUG:lib.cuckoo.core.plugins:Running signature "uses_windows_utilities_csvde_ldifde" 2023-10-18 07:00:41,278 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "uses_windows_utilities_csvde_ldifde" DEBUG:lib.cuckoo.core.plugins:Running signature "uses_windows_utilities_cipher" 2023-10-18 07:00:41,278 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "uses_windows_utilities_cipher" DEBUG:lib.cuckoo.core.plugins:Running signature "uses_windows_utilities_clickonce" 2023-10-18 07:00:41,278 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "uses_windows_utilities_clickonce" DEBUG:lib.cuckoo.core.plugins:Running signature "uses_windows_utilities_dsquery" 2023-10-18 07:00:41,279 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "uses_windows_utilities_dsquery" DEBUG:lib.cuckoo.core.plugins:Running signature "uses_windows_utilities_esentutl" 2023-10-18 07:00:41,279 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "uses_windows_utilities_esentutl" DEBUG:lib.cuckoo.core.plugins:Running signature "uses_windows_utilities_finger" 2023-10-18 07:00:41,279 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "uses_windows_utilities_finger" 
DEBUG:lib.cuckoo.core.plugins:Running signature "uses_windows_utilities_mode" 2023-10-18 07:00:41,279 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "uses_windows_utilities_mode" DEBUG:lib.cuckoo.core.plugins:Running signature "uses_windows_utilities_ntdsutil" 2023-10-18 07:00:41,280 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "uses_windows_utilities_ntdsutil" DEBUG:lib.cuckoo.core.plugins:Running signature "uses_windows_utilities_nltest" 2023-10-18 07:00:41,280 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "uses_windows_utilities_nltest" DEBUG:lib.cuckoo.core.plugins:Running signature "uses_windows_utilities_to_create_scheduled_task" 2023-10-18 07:00:41,280 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "uses_windows_utilities_to_create_scheduled_task" DEBUG:lib.cuckoo.core.plugins:Running signature "uses_windows_utilities_xcopy" 2023-10-18 07:00:41,280 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "uses_windows_utilities_xcopy" DEBUG:lib.cuckoo.core.plugins:Running signature "wmic_command_suspicious" 2023-10-18 07:00:41,280 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "wmic_command_suspicious" DEBUG:lib.cuckoo.core.plugins:Running signature "scrcons_wmi_script_consumer" 2023-10-18 07:00:41,281 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "scrcons_wmi_script_consumer" DEBUG:lib.cuckoo.core.plugins:Running signature "allaple_mutexes" 2023-10-18 07:00:41,281 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Running signature "allaple_mutexes" DEBUG:lib.cuckoo.core.plugins:Analysis matched signature "antidebug_setunhandledexceptionfilter" 2023-10-18 07:00:41,281 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Analysis matched signature "antidebug_setunhandledexceptionfilter" DEBUG:lib.cuckoo.core.plugins:Analysis matched signature "exec_crash" 2023-10-18 07:00:41,282 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Analysis matched signature "exec_crash" 
DEBUG:lib.cuckoo.core.plugins:Executing reporting module "BinGraph"
2023-10-18 07:00:41,518 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Executing reporting module "BinGraph"
DEBUG:lib.cuckoo.core.plugins:Executing reporting module "MITRE_TTPS"
2023-10-18 07:00:41,518 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Executing reporting module "MITRE_TTPS"
DEBUG:Base.Attck:Calling MITRE Enterprise ATT&CK Framework
2023-10-18 07:00:42,176 [Task 260] [Base.Attck] DEBUG: Calling MITRE Enterprise ATT&CK Framework
DEBUG:lib.cuckoo.core.plugins:Executing reporting module "PCAP2CERT"
2023-10-18 07:00:58,368 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Executing reporting module "PCAP2CERT"
DEBUG:lib.cuckoo.core.plugins:Executing reporting module "ReportHTMLSummary"
2023-10-18 07:00:58,369 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Executing reporting module "ReportHTMLSummary"
WARNING:lib.cuckoo.core.plugins:The reporting module "ReportHTMLSummary" returned the following error: Failed to generate summary HTML report: 'dict object' has no attribute 'CAPE'
2023-10-18 07:00:58,402 [Task 260] [lib.cuckoo.core.plugins] WARNING: The reporting module "ReportHTMLSummary" returned the following error: Failed to generate summary HTML report: 'dict object' has no attribute 'CAPE'
DEBUG:lib.cuckoo.core.plugins:Executing reporting module "JsonDump"
2023-10-18 07:00:58,402 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Executing reporting module "JsonDump"
DEBUG:lib.cuckoo.core.plugins:Executing reporting module "ReportPDF"
2023-10-18 07:00:58,413 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Executing reporting module "ReportPDF"
WARNING:lib.cuckoo.core.plugins:The reporting module "ReportPDF" returned the following error: Unable to open summary HTML report to convert to PDF: Ensure reporthtmlsummary is enabled in reporting.conf
2023-10-18 07:00:58,414 [Task 260] [lib.cuckoo.core.plugins] WARNING: The reporting module "ReportPDF" returned the following error: Unable to open summary HTML report to convert to PDF: Ensure reporthtmlsummary is enabled in reporting.conf
DEBUG:lib.cuckoo.core.plugins:Executing reporting module "MongoDB"
2023-10-18 07:00:58,414 [Task 260] [lib.cuckoo.core.plugins] DEBUG: Executing reporting module "MongoDB"
DEBUG:modules.reporting.mongodb:Deleted previous MongoDB data for Task 260
2023-10-18 07:00:58,464 [Task 260] [modules.reporting.mongodb] DEBUG: Deleted previous MongoDB data for Task 260
DEBUG:root:Finished processing task

I see an error related to the CAPE module, but I am not sure if it's related to the "File Details" information. Couldn't it be related to the installed "djangoframework"? Some version issues? Thanks in advance.

doomedraven commented 10 months ago

djangoframework is just the REST API, it is not related. I would say your permission error is more related here; try to do this:

sudo chown cape:cape /opt/CAPEv2/data/trid -R and then rerun the analysis as you just did, and after that reload the web report to see if it is fixed.
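A preflight check for this kind of failure, added here as an example and not part of CAPEv2 or of anyone's reply in this thread: it lists files under a third-party tool directory that the owner cannot execute and files not owned by the service user, so both causes that come up in this thread (ownership and a missing execute bit) are visible before a task is reprocessed. The trid directory path and the user name cape are assumptions taken from the thread; pass your own as arguments.

```shell
#!/bin/sh
# Added example, not CAPEv2 project code. Preflight check for a directory of
# third-party binaries that CAPE's processing modules spawn via subprocess
# (here the trid directory discussed in this thread). Two conditions must
# hold for the spawn to succeed: the files are owned by the service user
# AND carry the execute bit. The user name "cape" is an assumption taken
# from the thread.

# Print regular files under $1 that lack the owner execute bit (u+x).
find_nonexec_files() {
    find "$1" -type f ! -perm -100 2>/dev/null | sort
}

# Print regular files under $1 not owned by $2 ($2 may be a name or a uid).
find_wrong_owner() {
    find "$1" -type f ! -user "$2" 2>/dev/null | sort
}

# Run both checks on directory $1 for service user $2.
# Returns 0 when clean, 1 when chown/chmod is needed, 2 on bad arguments.
check_tool_dir() {
    dir="$1"
    user="$2"
    status=0
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir" >&2
        return 2
    fi
    # An unknown user would make find print nothing and look "clean".
    if ! id "$user" >/dev/null 2>&1; then
        echo "unknown user: $user" >&2
        return 2
    fi
    nonexec=$(find_nonexec_files "$dir")
    if [ -n "$nonexec" ]; then
        echo "not executable by owner (fix with chmod u+x):" >&2
        echo "$nonexec" | sed 's/^/  /' >&2
        status=1
    fi
    wrong=$(find_wrong_owner "$dir" "$user")
    if [ -n "$wrong" ]; then
        echo "not owned by $user (fix with chown $user):" >&2
        echo "$wrong" | sed 's/^/  /' >&2
        status=1
    fi
    return $status
}

# Stand-alone use: sh preflight.sh /opt/CAPEv2/data/trid cape
# (the user defaults to "cape"; nothing runs when no directory is given).
if [ "$#" -gt 0 ]; then
    check_tool_dir "$1" "${2:-cape}"
fi
```

Run it as the same account the processing runs under (for example via sudo -u cape) so that what it sees matches what process.py sees.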

meldzhaLV commented 10 months ago

Hmm... nothing changes. I still get the same permission error:

2023-10-18 07:28:35,035 [Task 260] [lib.cuckoo.common.integrations.parse_pdf] DEBUG: Starting to load PDF
ERROR:lib.cuckoo.core.plugins:Failed to run the processing module "CAPE": [Errno 13] Permission denied: '/opt/CAPEv2/data/trid/trid'
Traceback (most recent call last):
  File "/opt/CAPEv2/utils/../lib/cuckoo/core/plugins.py", line 243, in process
    data = current.run()
  File "/opt/CAPEv2/utils/../modules/processing/CAPE.py", line 352, in run
    self.process_file(
  File "/opt/CAPEv2/utils/../modules/processing/CAPE.py", line 192, in process_file
    static_file_info(
  File "/opt/CAPEv2/utils/../lib/cuckoo/common/integrations/file_extra_info.py", line 232, in static_file_info
    data_dictionary["trid"] = trid_info(file_path)
  File "/opt/CAPEv2/utils/../lib/cuckoo/common/integrations/file_extra_info.py", line 289, in trid_info
    output = subprocess.check_output(
  File "/usr/lib/python3.10/subprocess.py", line 420, in check_output
    return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
  File "/usr/lib/python3.10/subprocess.py", line 501, in run
    with Popen(*popenargs, **kwargs) as process:
  File "/usr/lib/python3.10/subprocess.py", line 969, in __init__
    self._execute_child(args, executable, preexec_fn, close_fds,
  File "/usr/lib/python3.10/subprocess.py", line 1845, in _execute_child
    raise child_exception_type(errno_num, err_msg, err_filename)
PermissionError: [Errno 13] Permission denied: '/opt/CAPEv2/data/trid/trid'
2023-10-18 07:28:50,875 [Task 260] [lib.cuckoo.core.plugins] ERROR: Failed to run the processing module "CAPE": [Errno 13] Permission denied: '/opt/CAPEv2/data/trid/trid'
Traceback (most recent call last):
  File "/opt/CAPEv2/utils/../lib/cuckoo/core/plugins.py", line 243, in process
    data = current.run()
  File "/opt/CAPEv2/utils/../modules/processing/CAPE.py", line 352, in run
    self.process_file(
  File "/opt/CAPEv2/utils/../modules/processing/CAPE.py", line 192, in process_file
    static_file_info(
  File "/opt/CAPEv2/utils/../lib/cuckoo/common/integrations/file_extra_info.py", line 232, in static_file_info
    data_dictionary["trid"] = trid_info(file_path)
  File "/opt/CAPEv2/utils/../lib/cuckoo/common/integrations/file_extra_info.py", line 289, in trid_info
    output = subprocess.check_output(
  File "/usr/lib/python3.10/subprocess.py", line 420, in check_output
    return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
  File "/usr/lib/python3.10/subprocess.py", line 501, in run
    with Popen(*popenargs, **kwargs) as process:
  File "/usr/lib/python3.10/subprocess.py", line 969, in __init__
    self._execute_child(args, executable, preexec_fn, close_fds,
  File "/usr/lib/python3.10/subprocess.py", line 1845, in _execute_child
    raise child_exception_type(errno_num, err_msg, err_filename)
PermissionError: [Errno 13] Permission denied: '/opt/CAPEv2/data/trid/trid'

Just for my own understanding: is the CAPE module in charge of the "File Details" box and the "Payloads" page? And what is interesting, I haven't changed any permissions since I installed CAPE. Everything was working flawlessly.

meldzhaLV commented 10 months ago

Update: I did chmod +x * for the files in the "trid" directory. Now "File Details" shows. AND "Payloads" and "Compare this analysis to..." also show.

Unfortunately the PDF score is still 1.9, but previously it was 5.7. I understand that those are community signatures for the malscore, but still I would like to have some consistency.

EDIT: Something is not working with the PDF analysis. I checked previous analysis reports and I could get, for example, JSON with /JavaScript and /OpenAction entries, which, if I am not mistaken, I would get from pdfid or peepdf.

doomedraven commented 10 months ago

Well, about the score, you need to see the matches where it was highest and where it is now, but that is a crap feature.

About the PDF, the same; idk, you need to see what changed on your side.

doomedraven commented 10 months ago

Just for my own understanding: is the CAPE module in charge of the "File Details" box and the "Payloads" page?

yes

And what is interesting, I haven't changed any permissions since I installed CAPE. Everything was working flawlessly.

Did you put/run a trid update maybe? idk, it is your system, you must know what accessed trid. I don't use trid, I'm using Detect It Easy.

meldzhaLV commented 10 months ago

Seems like the issue is solved. Basically I changed the perms on trid and updated the FLARE capa rules. Now I have all the views, and PDF parsing is also working, since I checked the JSON export and I could search for "/JavaScript" and other related keywords. I am sorry if my questions were trivial, and have a great day! :)

doomedraven commented 10 months ago

np, 3rd party software dependencies are always the most problematic as we don't have control over them.

meldzhaLV commented 10 months ago

Sorry to bother. I noticed that the same issue persists. When I use the command line on the server and run sudo -u cape poetry run python utils/process.py -r 27 -d I get the File Details view, the Payload pane etc. I also added the virustotal module and everything works just fine. But when I submit the same sample from the web interface, the results are different. This is the analysis log when run from the web interface:

DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"File System" /success:enable /failure:enable 2023-10-19 11:51:06,359 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Registry" /success:enable /failure:enable 2023-10-19 11:51:06,421 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Kernel Object" /success:enable /failure:enable 2023-10-19 11:51:06,500 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"SAM" /success:disable /failure:disable 2023-10-19 11:51:06,562 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable 2023-10-19 11:51:06,625 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Handle Manipulation" /success:disable /failure:disable 2023-10-19 11:51:06,703 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Application Generated" /success:enable /failure:enable 2023-10-19 11:51:06,765 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"File Share" /success:enable /failure:enable 2023-10-19 11:51:06,828 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable 2023-10-19 11:51:06,890 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable 2023-10-19 11:51:06,953 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Object Access Events" /success:disable /failure:disable 2023-10-19 11:51:07,015 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Sensitive Privilege Use" /success:disable /failure:disable 2023-10-19 11:51:07,062 [modules.auxiliary.evtx] DEBUG: 
Enabling advanced logging -> auditpol /set /subcategory:"Non Sensitive Privilege Use" /success:disable /failure:disable 2023-10-19 11:51:07,125 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Privilege Use Events" /success:disable /failure:disable 2023-10-19 11:51:07,218 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"RPC Events" /success:enable /failure:enable 2023-10-19 11:51:07,296 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable 2023-10-19 11:51:07,359 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable 2023-10-19 11:51:07,406 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:disable /failure:disable 2023-10-19 11:51:07,468 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Filtering Platform Policy Change" /success:disable /failure:disable 2023-10-19 11:51:07,531 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Policy Change Events" /success:disable /failure:enable 2023-10-19 11:51:07,593 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable 2023-10-19 11:51:07,656 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable 2023-10-19 11:51:07,718 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable 2023-10-19 11:51:07,765 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Distribution Group Management" 
/success:enable /failure:enable 2023-10-19 11:51:07,828 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Application Group Management" /success:enable /failure:enable 2023-10-19 11:51:07,890 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Account Management Events" /success:enable /failure:enable 2023-10-19 11:51:07,953 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable 2023-10-19 11:51:08,015 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable 2023-10-19 11:51:08,078 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Directory Service Replication" /success:disable /failure:enable 2023-10-19 11:51:08,140 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Detailed Directory Service Replication" /success:disable /failure:disable 2023-10-19 11:51:08,187 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable 2023-10-19 11:51:08,249 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable 2023-10-19 11:51:08,312 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Other Account Logon Events" /success:enable /failure:enable 2023-10-19 11:51:08,375 [modules.auxiliary.evtx] DEBUG: Enabling advanced logging -> auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable 2023-10-19 11:51:08,437 [modules.auxiliary.evtx] DEBUG: Wiping Application 2023-10-19 11:51:08,500 [modules.auxiliary.evtx] DEBUG: Wiping HardwareEvents 2023-10-19 11:51:08,546 [modules.auxiliary.evtx] 
DEBUG: Wiping Internet Explorer 2023-10-19 11:51:08,593 [modules.auxiliary.evtx] DEBUG: Wiping Key Management Service 2023-10-19 11:51:08,640 [modules.auxiliary.evtx] DEBUG: Wiping OAlerts 2023-10-19 11:51:08,687 [modules.auxiliary.evtx] DEBUG: Wiping Security 2023-10-19 11:51:08,734 [modules.auxiliary.evtx] DEBUG: Wiping Setup 2023-10-19 11:51:08,781 [modules.auxiliary.evtx] DEBUG: Wiping System 2023-10-19 11:51:08,843 [modules.auxiliary.evtx] DEBUG: Wiping Windows PowerShell 2023-10-19 11:51:08,890 [modules.auxiliary.evtx] DEBUG: Wiping Microsoft-Windows-Sysmon/Operational 2023-10-19 11:51:13,328 [root] INFO: Restarting WMI Service 2023-10-19 11:51:15,406 [lib.core.compound] INFO: C:\Users\win7\AppData\Local\Temp already exists, skipping creation 2023-10-19 11:51:15,421 [lib.api.process] INFO: Successfully executed process from path "C:\Users\win7\AppData\Local\Temp\malicious_file_blad.exe" with arguments "" with pid 2304 2023-10-19 11:51:15,421 [lib.api.process] INFO: Monitor config for process 2304: C:\tmpz162qo78\dll\2304.ini 2023-10-19 11:51:15,437 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpz162qo78\dll\kCCCVFS.dll, loader C:\tmpz162qo78\bin\WzjAugi.exe 2023-10-19 11:51:15,468 [root] DEBUG: Loader: Injecting process 2304 (thread 2732) with C:\tmpz162qo78\dll\kCCCVFS.dll. 2023-10-19 11:51:15,468 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT. 2023-10-19 11:51:15,468 [root] DEBUG: Successfully injected DLL C:\tmpz162qo78\dll\kCCCVFS.dll. 2023-10-19 11:51:15,468 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2304 2023-10-19 11:51:17,468 [lib.api.process] INFO: Successfully resumed process with pid 2304 2023-10-19 11:51:17,515 [root] DEBUG: Python path set to 'C:\Users\win7\AppData\Local\Programs\Python\Python36-32'. 2023-10-19 11:51:17,515 [root] DEBUG: Dropped file limit defaulting to 100. 2023-10-19 11:51:17,515 [root] DEBUG: Initialising Yara... 
2023-10-19 11:51:17,531 [root] DEBUG: YaraInit: Compiled 24 rule files 2023-10-19 11:51:17,531 [root] DEBUG: YaraInit: Compiled rules saved to file C:\tmpz162qo78\data\yara\capemon.yac 2023-10-19 11:51:17,531 [root] DEBUG: Monitor initialised: 32-bit capemon loaded in process 2304 at 0x74ba0000, thread 2732, image base 0x400000, stack from 0x186000-0x190000 2023-10-19 11:51:17,531 [root] DEBUG: Commandline: "C:\Users\win7\AppData\Local\Temp\malicious_file_blad.exe" 2023-10-19 11:51:17,562 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x772e0000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7733124a, Wow64PrepareForException: 0x0 2023-10-19 11:51:17,562 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x340000 2023-10-19 11:51:17,578 [root] DEBUG: api-rate-cap: NtDelayExecution hook disabled due to rate 2023-10-19 11:51:17,578 [root] DEBUG: api-rate-cap: NtDelayExecution hook disabled due to rate 2023-10-19 11:51:17,578 [root] DEBUG: RestoreHeaders: Restored original import table. 2023-10-19 11:51:17,578 [root] DEBUG: api-rate-cap: NtDelayExecution hook disabled due to rate 2023-10-19 11:51:17,593 [root] DEBUG: api-rate-cap: NtDelayExecution hook disabled due to rate 2023-10-19 11:51:17,593 [root] INFO: Loaded monitor into process with pid 2304 2023-10-19 11:51:17,593 [root] DEBUG: caller_dispatch: Added region at 0x00400000 to tracked regions list (kernel32::FindResourceExW returns to 0x00401585, thread 2732). 2023-10-19 11:51:17,593 [root] DEBUG: YaraScan: Scanning 0x00400000, size 0x22613 2023-10-19 11:51:17,593 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x00350000, size: 0x18000. 2023-10-19 11:51:17,609 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x003F0000, size: 0x1000. 2023-10-19 11:51:17,609 [root] DEBUG: AllocationHandler: Processing previous tracked region at: 0x00350000. 
2023-10-19 11:51:17,609 [root] DEBUG: YaraScan: Scanning 0x00350000, size 0x17b04 2023-10-19 11:51:17,609 [root] DEBUG: DumpPEsInRange: Scanning range 0x00350000 - 0x00367B04. 2023-10-19 11:51:17,609 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x00350000-0x00367B04. 2023-10-19 11:51:17,640 [lib.common.results] INFO: Uploading file C:\mUVXgKYC\CAPE\2304_1481875017518194102023 to CAPE\ca25aa5d88c4b4529c4f3f878999b18a88d5f7683a8ff0cf3c90a1f47231c03c; Size is 97028; Max size: 10000000000 2023-10-19 11:51:17,656 [root] DEBUG: DumpMemory: Payload successfully created: C:\mUVXgKYC\CAPE\2304_1481875017518194102023 (size 97028 bytes) 2023-10-19 11:51:17,656 [root] DEBUG: DumpRegion: Dumped entire allocation from 0x00350000, size 98304 bytes. 2023-10-19 11:51:17,656 [root] DEBUG: ProcessTrackedRegion: Dumped region at 0x00350000. 2023-10-19 11:51:17,671 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x00470000, size: 0x1b000. 2023-10-19 11:51:17,671 [root] DEBUG: AllocationHandler: Processing previous tracked region at: 0x003F0000. 2023-10-19 11:51:17,671 [root] DEBUG: YaraScan: Scanning 0x003F0000, size 0xee 2023-10-19 11:51:17,671 [root] DEBUG: DumpPEsInRange: Scanning range 0x003F0000 - 0x003F00EE. 2023-10-19 11:51:17,671 [root] DEBUG: ScanForDisguisedPE: Size too small. 2023-10-19 11:51:17,671 [lib.common.results] INFO: Uploading file C:\mUVXgKYC\CAPE\2304_1995956617518194102023 to CAPE\47cc8d939f0138854bf1017d1dacda1cc7aa81d821c41bb726e10220263cac5f; Size is 238; Max size: 10000000000 2023-10-19 11:51:17,687 [root] DEBUG: DumpMemory: Payload successfully created: C:\mUVXgKYC\CAPE\2304_1995956617518194102023 (size 238 bytes) 2023-10-19 11:51:17,687 [root] DEBUG: DumpRegion: Dumped entire allocation from 0x003F0000, size 4096 bytes. 2023-10-19 11:51:17,687 [root] DEBUG: ProcessTrackedRegion: Dumped region at 0x003F0000. 
2023-10-19 11:51:17,687 [root] DEBUG: YaraScan: Scanning 0x00470000, size 0x17d40 2023-10-19 11:51:17,687 [root] DEBUG: DumpPEsInRange: Scanning range 0x00470000 - 0x00487D40. 2023-10-19 11:51:17,687 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x00470000-0x00487D40. 2023-10-19 11:51:17,703 [lib.common.results] INFO: Uploading file C:\mUVXgKYC\CAPE\2304_7585158255114194102023 to CAPE\7c8a5de386104c54868d8c0573ef139c338febbb61b27666785888e1f73c60a2; Size is 97600; Max size: 10000000000 2023-10-19 11:51:17,718 [root] DEBUG: DumpMemory: Payload successfully created: C:\mUVXgKYC\CAPE\2304_7585158255114194102023 (size 97600 bytes) 2023-10-19 11:51:17,718 [root] DEBUG: DumpRegion: Dumped entire allocation from 0x00470000, size 110592 bytes. 2023-10-19 11:51:17,718 [root] DEBUG: ProcessTrackedRegion: Dumped region at 0x00470000. 2023-10-19 11:51:17,734 [root] DEBUG: api-rate-cap: LdrGetDllHandle hook disabled due to rate 2023-10-19 11:51:17,750 [root] DEBUG: api-rate-cap: LdrGetProcedureAddress hook disabled due to rate 2023-10-19 11:51:17,750 [root] DEBUG: api-rate-cap: memcpy hook disabled due to rate 2023-10-19 11:51:17,750 [root] DEBUG: api-rate-cap: memcpy hook disabled due to rate 2023-10-19 11:51:17,750 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x00490000, size: 0x1a000. 2023-10-19 11:51:17,750 [root] DEBUG: AllocationHandler: Processing previous tracked region at: 0x00470000. 2023-10-19 11:51:17,750 [root] DEBUG: DLL loaded at 0x75760000: C:\Windows\syswow64\shell32 (0xc4a000 bytes). 2023-10-19 11:51:17,765 [root] DEBUG: DLL loaded at 0x752E0000: C:\Windows\syswow64\wininet (0xf5000 bytes). 2023-10-19 11:51:17,765 [root] DEBUG: DLL loaded at 0x75550000: C:\Windows\syswow64\urlmon (0x136000 bytes). 2023-10-19 11:51:17,765 [root] DEBUG: DLL loaded at 0x76F80000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes). 2023-10-19 11:51:17,765 [root] DEBUG: DLL loaded at 0x750E0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes). 
2023-10-19 11:51:17,765 [root] DEBUG: DLL loaded at 0x74B70000: C:\Windows\system32\wsock32 (0x7000 bytes). 2023-10-19 11:51:17,765 [root] DEBUG: DLL loaded at 0x74A50000: C:\Windows\system32\userenv (0x17000 bytes). 2023-10-19 11:51:17,765 [root] DEBUG: DLL loaded at 0x74B60000: C:\Windows\system32\profapi (0xb000 bytes). 2023-10-19 11:51:17,765 [root] DEBUG: AllocationHandler: Previously reserved region at 0x00400000, committing at: 0x00400000. 2023-10-19 11:51:17,765 [root] DEBUG: AllocationHandler: Processing previous tracked region at: 0x00490000. 2023-10-19 11:51:17,765 [root] DEBUG: YaraScan: Scanning 0x00490000, size 0x18ae1 2023-10-19 11:51:17,781 [root] DEBUG: DumpPEsInRange: Scanning range 0x00490000 - 0x004A8AE1. 2023-10-19 11:51:17,781 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x00490000 2023-10-19 11:51:17,781 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image. 2023-10-19 11:51:17,781 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00490000. 2023-10-19 11:51:17,781 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001072C. 2023-10-19 11:51:17,781 [root] DEBUG: readPeSectionsFromProcess: Failed to relocate image back to header image base 0x00400000. 2023-10-19 11:51:17,796 [lib.common.results] INFO: Uploading file C:\mUVXgKYC\CAPE\2304_1604252117518194102023 to CAPE\9b2da4cf1d974669b8804012fe91a55a5b3b1d733d1129c468944a9413387227; Size is 93696; Max size: 10000000000 2023-10-19 11:51:17,812 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x16e00. 2023-10-19 11:51:17,812 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x00491000-0x004A8AE1. 2023-10-19 11:51:17,812 [root] DEBUG: DumpRegion: Dumped PE image(s) from base address 0x00490000, size 106496 bytes. 2023-10-19 11:51:17,812 [root] DEBUG: ProcessTrackedRegion: Dumped region at 0x00490000. 2023-10-19 11:51:17,812 [root] DEBUG: DLL loaded at 0x74E40000: C:\Windows\system32\uxtheme (0x80000 bytes). 
2023-10-19 11:51:17,828 [root] DEBUG: DLL unloaded from 0x74E40000. 2023-10-19 11:51:17,828 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x12c and local view 0x044C0000 to global list. 2023-10-19 11:51:17,828 [root] DEBUG: DLL loaded at 0x74A20000: C:\Windows\system32\SAMCLI (0xf000 bytes). 2023-10-19 11:51:17,828 [root] DEBUG: hook_api: Warning - NetUserGetInfo export address 0x74A3528E differs from GetProcAddress -> 0x74A21BE2 2023-10-19 11:51:17,828 [root] DEBUG: DLL loaded at 0x74A10000: C:\Windows\system32\WKSCLI (0xf000 bytes). 2023-10-19 11:51:17,828 [root] DEBUG: hook_api: Warning - NetGetJoinInformation export address 0x74A34AD2 differs from GetProcAddress -> 0x74A12C3F 2023-10-19 11:51:17,828 [root] DEBUG: hook_api: Warning - NetUserGetLocalGroups export address 0x74A352A4 differs from GetProcAddress -> 0x74A228AA 2023-10-19 11:51:17,843 [root] DEBUG: DLL loaded at 0x749E0000: C:\Windows\system32\LOGONCLI (0x22000 bytes). 2023-10-19 11:51:17,843 [root] DEBUG: hook_api: Warning - DsEnumerateDomainTrustsW export address 0x74A33C9E differs from GetProcAddress -> 0x749EB1FA 2023-10-19 11:51:17,843 [root] DEBUG: DLL loaded at 0x74A30000: C:\Windows\system32\netapi32 (0x11000 bytes). 2023-10-19 11:51:17,843 [root] DEBUG: DLL loaded at 0x749D0000: C:\Windows\system32\netutils (0x9000 bytes). 2023-10-19 11:51:17,843 [root] DEBUG: DLL loaded at 0x749B0000: C:\Windows\system32\srvcli (0x19000 bytes). 2023-10-19 11:51:17,843 [root] DEBUG: DLL loaded at 0x74770000: C:\Windows\system32\msi (0x240000 bytes). 2023-10-19 11:51:17,859 [root] DEBUG: DLL loaded at 0x74760000: C:\Windows\system32\pstorec (0xd000 bytes). 2023-10-19 11:51:17,859 [root] DEBUG: DLL loaded at 0x74740000: C:\Windows\system32\ATL (0x14000 bytes). 2023-10-19 11:51:18,968 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x18c and local view 0x047A0000 to global list. 
2023-10-19 11:51:20,156 [root] DEBUG: DLL loaded at 0x000007FEFAF00000: C:\Windows\system32\pstorsvc (0xd000 bytes). 2023-10-19 11:51:20,156 [root] DEBUG: DLL loaded at 0x000007FEF93F0000: C:\Windows\system32\psbase (0x11000 bytes). 2023-10-19 11:51:25,140 [root] INFO: Disabling sleep skipping. 2023-10-19 11:51:25,140 [root] DEBUG: DLL loaded at 0x76B50000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes). 2023-10-19 11:51:25,156 [root] DEBUG: DLL loaded at 0x72790000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes). 2023-10-19 11:51:25,156 [root] DEBUG: DLL loaded at 0x76500000: C:\Windows\syswow64\PSAPI (0x5000 bytes). 2023-10-19 11:51:25,156 [root] DEBUG: DLL loaded at 0x74700000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes). 2023-10-19 11:51:25,156 [root] DEBUG: DLL loaded at 0x74560000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes). 2023-10-19 11:51:25,171 [root] DEBUG: DLL loaded at 0x74530000: C:\Windows\system32\MLANG (0x2e000 bytes). 2023-10-19 11:51:25,187 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x214 and local view 0x00730000 to global list. 2023-10-19 11:51:25,203 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x220 and local view 0x03710000 to global list. 2023-10-19 11:51:25,203 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x22c and local view 0x03720000 to global list. 2023-10-19 11:51:25,234 [root] DEBUG: DLL loaded at 0x74500000: C:\Windows\system32\ntmarta (0x21000 bytes). 2023-10-19 11:51:25,234 [root] DEBUG: DLL loaded at 0x76D00000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes). 2023-10-19 11:51:25,234 [root] DEBUG: DLL loaded at 0x73BC0000: C:\Windows\system32\VERSION (0x9000 bytes). 2023-10-19 11:51:25,234 [root] DEBUG: DLL unloaded from 0x75550000. 2023-10-19 11:51:25,328 [root] DEBUG: DLL loaded at 0x744B0000: C:\Windows\system32\dnsapi (0x44000 bytes). 
2023-10-19 11:51:25,328 [root] DEBUG: DLL loaded at 0x74490000: C:\Windows\system32\iphlpapi (0x1c000 bytes). 2023-10-19 11:51:25,328 [root] DEBUG: DLL loaded at 0x74480000: C:\Windows\system32\WINNSI (0x7000 bytes). 2023-10-19 11:51:25,343 [root] DEBUG: DLL loaded at 0x73220000: C:\Windows\system32\mswsock (0x3c000 bytes). 2023-10-19 11:51:25,343 [root] DEBUG: DLL loaded at 0x73210000: C:\Windows\System32\wshtcpip (0x5000 bytes). 2023-10-19 11:51:25,343 [root] DEBUG: DLL loaded at 0x74470000: C:\Windows\system32\NLAapi (0x10000 bytes). 2023-10-19 11:51:25,343 [root] DEBUG: DLL loaded at 0x74460000: C:\Windows\system32\napinsp (0x10000 bytes). 2023-10-19 11:51:25,343 [root] DEBUG: DLL loaded at 0x74440000: C:\Windows\system32\pnrpnsp (0x12000 bytes). 2023-10-19 11:51:25,359 [root] DEBUG: DLL loaded at 0x74430000: C:\Windows\System32\winrnr (0x8000 bytes). 2023-10-19 11:51:37,359 [root] DEBUG: DLL loaded at 0x74420000: C:\Windows\system32\rasadhlp (0x6000 bytes). 2023-10-19 11:54:38,468 [root] INFO: Analysis timeout hit, terminating analysis 2023-10-19 11:54:38,468 [lib.api.process] INFO: Terminate event set for process 2304 2023-10-19 11:54:38,468 [root] DEBUG: Terminate Event: Attempting to dump process 2304 2023-10-19 11:54:38,468 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00400000. 2023-10-19 11:54:38,468 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image. 2023-10-19 11:54:38,468 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000. 2023-10-19 11:54:38,468 [root] DEBUG: DumpProcess: Module entry point VA is 0x0001072C. 2023-10-19 11:54:38,484 [lib.common.results] INFO: Uploading file C:\mUVXgKYC\CAPE\2304_1918838548194102023 to procdump\66ef8132e519913c291c3ca1112dd083552e92612ead22f83e70be72eaad3b2d; Size is 94720; Max size: 10000000000 2023-10-19 11:54:38,500 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x17200. 
2023-10-19 11:54:38,500 [root] INFO: Added new file to list with pid None and path C:\Users\win7\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat 2023-10-19 11:54:38,500 [root] INFO: Added new file to list with pid None and path C:\Users\win7\AppData\Roaming\Microsoft\Windows\Cookies\index.dat 2023-10-19 11:54:38,515 [root] INFO: Added new file to list with pid None and path C:\Users\win7\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat 2023-10-19 11:54:38,515 [lib.api.process] INFO: Termination confirmed for process 2304 2023-10-19 11:54:38,515 [root] INFO: Terminate event set for process 2304 2023-10-19 11:54:38,515 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 2304 2023-10-19 11:54:38,515 [root] INFO: Created shutdown mutex 2023-10-19 11:54:39,515 [root] INFO: Shutting down package 2023-10-19 11:54:39,515 [root] INFO: Stopping auxiliary modules 2023-10-19 11:54:39,515 [root] INFO: Stopping auxiliary module: Browser 2023-10-19 11:54:39,515 [root] INFO: Stopping auxiliary module: Curtain 2023-10-19 11:54:39,578 [lib.common.results] INFO: Uploading file C:\curtain.log to curtain/1697705679.578125.curtain.log; Size is 36; Max size: 10000000000 2023-10-19 11:54:39,593 [root] INFO: Stopping auxiliary module: Evtx 2023-10-19 11:54:39,593 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Application.evtx to zip dump 2023-10-19 11:54:39,593 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\HardwareEvents.evtx to zip dump 2023-10-19 11:54:39,609 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Internet Explorer.evtx to zip dump 2023-10-19 11:54:39,609 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Key Management Service.evtx to zip dump 2023-10-19 11:54:39,609 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Security.evtx to zip dump 2023-10-19 11:54:39,609 [modules.auxiliary.evtx] DEBUG: Adding 
C:/windows/Sysnative/winevt/Logs\Setup.evtx to zip dump 2023-10-19 11:54:39,609 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\System.evtx to zip dump 2023-10-19 11:54:39,625 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Windows PowerShell.evtx to zip dump 2023-10-19 11:54:39,625 [modules.auxiliary.evtx] DEBUG: Uploading evtx.zip to host 2023-10-19 11:54:39,625 [lib.common.results] INFO: Uploading file evtx.zip to evtx/evtx.zip; Size is 32672; Max size: 10000000000 2023-10-19 11:54:39,640 [root] INFO: Stopping auxiliary module: FilePickup 2023-10-19 11:54:39,640 [root] INFO: Stopping auxiliary module: Human 2023-10-19 11:54:39,640 [root] INFO: Stopping auxiliary module: Pre_script 2023-10-19 11:54:39,640 [root] INFO: Stopping auxiliary module: Procmon 2023-10-19 11:54:39,718 [lib.common.results] WARNING: File C:\mUVXgKYC\bin\procmon.xml doesn't exist anymore 2023-10-19 11:54:39,718 [root] INFO: Stopping auxiliary module: Screenshots 2023-10-19 11:54:39,734 [root] INFO: Stopping auxiliary module: Usage 2023-10-19 11:54:39,734 [root] INFO: Stopping auxiliary module: During_script 2023-10-19 11:54:39,734 [root] INFO: Finishing auxiliary modules 2023-10-19 11:54:39,734 [root] INFO: Shutting down pipe server and dumping dropped files 2023-10-19 11:54:39,734 [lib.common.results] INFO: Uploading file C:\Users\win7\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat to files\cf6dfb6e7ac48cb9d7a22dc09c070c177e13d7a9d43e15727a0b34ee6991805c; Size is 32768; Max size: 10000000000 2023-10-19 11:54:39,750 [lib.common.results] INFO: Uploading file C:\Users\win7\AppData\Roaming\Microsoft\Windows\Cookies\index.dat to files\75d0b1743f61b76a35b1fedd32378837805de58d79fa950cb6e8164bfa72073a; Size is 16384; Max size: 10000000000 2023-10-19 11:54:39,765 [lib.common.results] INFO: Uploading file C:\Users\win7\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat to 
files\f29f8fd58b8e4845331ebb8887f3223b02c0c33fb60651d24586fcf21221fb18; Size is 32768; Max size: 10000000000 2023-10-19 11:54:39,781 [root] WARNING: Folder at path "C:\mUVXgKYC\debugger" does not exist, skipping 2023-10-19 11:54:39,781 [root] WARNING: Folder at path "C:\mUVXgKYC\tlsdump" does not exist, skipping 2023-10-19 11:54:39,781 [root] INFO: Analysis completed

Web is run with cape user. Also checked modules directory everything is chown by cape user. Any thoughts what could be the problem? Thank you in advance.

meldzhaLV commented 10 months ago

Problem solved again. I added cape user to www-data group. Reloaded daemons and restarted nginx service. Everything works now.
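The traceback earlier in this thread shows the real failure: the processing module spawns the external `trid` binary with `subprocess.check_output`, and the kernel refuses with `[Errno 13] Permission denied` because the user running the module (here the web/processing user `cape`) is neither the file's owner nor in its group. A quick preflight check run as that same user tells you which of the two fixes discussed here applies (`chown` on the tool directory, or `usermod -aG` plus a service restart). The script below is an added example, not part of CAPEv2; the default path `/opt/CAPEv2/data/trid/trid` is taken from the traceback, and the `demo()` probe files are constructed for illustration.

```python
"""Preflight check for an external helper binary such as /opt/CAPEv2/data/trid/trid.

Added example, not CAPEv2's own code. Run it as the user that executes the
processing modules, e.g.  sudo -u cape python3 preflight.py /opt/CAPEv2/data/trid/trid
and it reports whether that user may execute the file and which fix applies.
"""
import grp
import os
import pwd
import shutil
import stat
import sys
import tempfile


def _name_of_uid(uid: int) -> str:
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:  # uid without a passwd entry (containers, NFS homes)
        return str(uid)


def _name_of_gid(gid: int) -> str:
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def diagnose_exec(path: str) -> dict:
    """Describe whether the effective user can execute `path` and, if not, why."""
    info = {"path": path, "exists": os.path.exists(path), "executable": False,
            "owner": None, "group": None, "mode": None, "hint": None}
    if not info["exists"]:
        info["hint"] = "file is missing; re-run the installer step that fetches it"
        return info
    st = os.stat(path)
    info["owner"] = _name_of_uid(st.st_uid)
    info["group"] = _name_of_gid(st.st_gid)
    info["mode"] = stat.filemode(st.st_mode)
    # Ask the kernel instead of re-deriving the rules: os.access() honours root,
    # supplementary groups and POSIX ACLs exactly as subprocess.Popen will.
    info["executable"] = os.access(path, os.X_OK)
    if info["executable"]:
        return info
    me = _name_of_uid(os.geteuid())
    if st.st_uid == os.geteuid():
        info["hint"] = f"{me} owns it but the owner execute bit is clear: chmod u+x {path}"
    elif st.st_gid == os.getegid() or st.st_gid in os.getgroups():
        info["hint"] = f"{me} is in the file's group but the group execute bit is clear: chmod g+x {path}"
    else:
        info["hint"] = (f"{me} is neither owner ({info['owner']}) nor in group ({info['group']}): "
                        f"chown {me}:{me} -R on the tool directory, or usermod -aG {info['group']} {me} "
                        "and then restart the service so the new group membership is picked up")
    return info


def demo() -> tuple:
    """Constructed probe: a file with no permission bits, one with 0700, and a missing one."""
    tmp = tempfile.mkdtemp(prefix="preflight-")
    try:
        locked = os.path.join(tmp, "locked")
        runnable = os.path.join(tmp, "runnable")
        for p in (locked, runnable):
            with open(p, "w") as fh:
                fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(locked, 0o000)
        os.chmod(runnable, 0o700)
        return (diagnose_exec(locked),
                diagnose_exec(runnable),
                diagnose_exec(os.path.join(tmp, "missing")))
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/opt/CAPEv2/data/trid/trid"
    for key, value in diagnose_exec(target).items():
        print(f"{key:11}: {value}")
```

Run it under the service account, not under your SSH user: the `top` output later in this thread shows the processing daemons run as `cape`, so a check made as a different user proves nothing. A group added with `usermod -aG` only takes effect for new sessions, which is why the service (or the whole host) must be restarted after the change.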

eingel86 commented 6 months ago

Dear @meldzhaLV,

I also encounter the following errors:

feb 22 18:26:52 capev2sandbox python3[32074]: 2024-02-22 18:26:52,007 [Task 6] [lib.cuckoo.common.integrations.file_extra_info] ERROR: You have permission error. FIX IT! sudo chown cape:cape /opt/CAPEv2/data/trid -R feb 22 18:26:53 capev2sandbox python3[32074]: 2024-02-22 18:26:53,050 [Task 6] [lib.cuckoo.common.integrations.file_extra_info] ERROR: You have permission error. FIX IT! sudo chown cape:cape /opt/CAPEv2/data/trid -R feb 22 18:26:53 capev2sandbox python3[32074]: 2024-02-22 18:26:53,742 [Task 6] [lib.cuckoo.common.integrations.file_extra_info] ERROR: You have permission error. FIX IT! sudo chown cape:cape /opt/CAPEv2/data/trid -R feb 22 18:26:54 capev2sandbox python3[32074]: 2024-02-22 18:26:54,774 [Task 6] [lib.cuckoo.common.integrations.file_extra_info] ERROR: You have permission error. FIX IT! sudo chown cape:cape /opt/CAPEv2/data/trid -R feb 22 18:26:55 capev2sandbox python3[32074]: 2024-02-22 18:26:55,423 [Task 6] [lib.cuckoo.common.integrations.file_extra_info] ERROR: You have permission error. FIX IT! sudo chown cape:cape /opt/CAPEv2/data/trid -R feb 22 18:26:56 capev2sandbox python3[32074]: 2024-02-22 18:26:56,174 [Task 6] [lib.cuckoo.common.integrations.file_extra_info] ERROR: You have permission error. FIX IT! sudo chown cape:cape /opt/CAPEv2/data/trid -R feb 22 18:26:56 capev2sandbox python3[32074]: 2024-02-22 18:26:56,888 [Task 6] [lib.cuckoo.common.integrations.file_extra_info] ERROR: You have permission error. FIX IT! sudo chown cape:cape /opt/CAPEv2/data/trid -R feb 22 18:26:57 capev2sandbox python3[32074]: 2024-02-22 18:26:57,658 [Task 6] [lib.cuckoo.common.integrations.file_extra_info] ERROR: You have permission error. FIX IT! sudo chown cape:cape /opt/CAPEv2/data/trid -R feb 22 18:26:58 capev2sandbox python3[32074]: 2024-02-22 18:26:58,437 [Task 6] [lib.cuckoo.common.integrations.file_extra_info] ERROR: You have permission error. FIX IT! sudo chown cape:cape /opt/CAPEv2/data/trid -R

Can you help me understand how you solved it? I gave the command but it keeps coming out. :(

Regards, Engel

doomedraven commented 6 months ago

@eingel86 https://linux.die.net/man/8/usermod

eingel86 commented 6 months ago

Dear @doomedraven, I know it is an open product and the support you provide is free of charge, for which I thank you and apologise for the inconvenience. But could you point me to the specific command to give, since the one indicated in the cli (sudo chown cape:cape /opt/CAPEv2/data/trid -R) does not solve the problem? I would be very grateful, thank you.

doomedraven commented 6 months ago

Before asking for help, provide useful details for faster help, to save you and me time. I have a feeling that you are running CAPE with a non-cape user, right?

eingel86 commented 6 months ago

I installed CAPE following the guide https://capev2.readthedocs.io/en/latest/index.html. I use a different user to connect via ssh or via the desktop on Ubuntu. I don't know the password of the cape user that was created when I ran the command `sudo ./cape2.sh all cape | tee cape.log`, but I don't think I should use it to log in via ssh or the desktop. When I run the commands `journalctl -u SERVICE --follow` I do it with the non-cape user, but only that. The analysis is performed from the web page and not from the CLI. Below are the active processes:

```
userssh@capev2sandbox:~$ top | grep cape
42601 cape      20   0  897088 276968  41724 R  82,4   0,8 260:41.23 python
47624 userssh   20   0   13636   4416   3264 R  11,8   0,0   0:00.05 top
42601 cape      20   0  897088 276968  41724 R  78,9   0,8 260:43.62 python
42630 cape      20   0 1321868 294504  47232 S  21,8   0,9  59:09.59 python
 1538 cape      20   0  475416   3284   2688 S   0,7   0,0   4:06.78 Suricata-Main
47624 userssh   20   0   13636   4416   3264 R   0,7   0,0   0:00.07 top
 4257 userssh   20   0 2385620 182456  51520 S   0,3   0,6   7:33.55 virt-manager
42601 cape      20   0  897088 276968  41724 S  79,9   0,8 260:46.04 python
42630 cape      20   0 1321868 294504  47232 S  14,5   0,9  59:10.03 python
47624 userssh   20   0   13636   4416   3264 R   1,3   0,0   0:00.11 top
42599 cape      20   0  666492  83004  40320 S   0,7   0,3   0:30.83 /home/cape/.cac
```

I noticed that, while having the error

```
[lib.cuckoo.common.integrations.file_extra_info] ERROR: You have permission error. FIX IT! sudo chown cape:cape /opt/CAPEv2/data/trid -R
```

the analysis is performed and the report is generated.

doomedraven commented 6 months ago

Well, a bit better, but still lacking details. What about? Post the output of the next commands (when posting output, use a code block: ```output here```):

So your UNIQUE problem is that output about permissions? Do you know what trid is?

eingel86 commented 6 months ago

Looking at the logs in real time, I found the trid permission error. No, I don't know what trid is; I apologise for my ignorance.

```
userssh@capev2sandbox:~$ ls -lah /opt/CAPEv2/data/trid
total 5,9M
drwxr-xr-x  2 cape cape 4,0K feb 21 00:19 .
drwxr-xr-x 13 cape cape 4,0K feb 23 00:05 ..
-rw-r--r--  1 cape cape 755K feb 23 00:05 trid
-rw-r--r--  1 cape cape 5,1M feb 23 00:05 triddefs.trd
-rw-r--r--  1 cape cape 3,1K feb 23 00:05 tridupdate.py
userssh@capev2sandbox:~$ ls -lah /opt/CAPEv2
total 740K
drwxr-xr-x 25 cape cape 4,0K feb 22 09:24 .
drwxr-xr-x  3 root root 4,0K feb 21 00:15 ..
-rw-r--r--  1 cape cape 1,7K feb 21 00:16 acknowledgment.md
drwxr-xr-x  2 cape cape 4,0K feb 21 00:16 admin
drwxr-xr-x  2 cape cape 4,0K feb 21 00:16 agent
drwxr-xr-x  4 cape cape 4,0K feb 21 00:16 analyzer
drwxr-xr-x  3 root root 4,0K feb 21 00:26 .cache
-rw-r--r--  1 cape cape  50K feb 21 00:16 changelog.md
-rw-r--r--  1 cape cape  605 feb 21 00:16 CITATION.cff
drwxr-xr-x  2 cape cape 4,0K feb 23 10:55 conf
-rw-r--r--  1 cape cape 4,5K feb 21 00:16 cuckoo.py
drwxr-xr-x  5 cape cape 4,0K feb 21 00:16 custom
drwxr-xr-x 13 cape cape 4,0K feb 23 00:05 data
drwxr-xr-x  3 cape cape 4,0K feb 21 00:26 dev_utils
drwxr-xr-x  3 cape cape 4,0K feb 21 00:16 docs
drwxr-xr-x  5 cape cape 4,0K feb 21 00:16 extra
drwxr-xr-x  8 cape cape 4,0K feb 21 00:16 .git
drwxr-xr-x  4 cape cape 4,0K feb 21 00:16 .github
-rw-r--r--  1 cape cape  252 feb 21 00:16 .gitignore
-rw-r--r--  1 cape cape  101 feb 21 00:16 .gitmodules
drwxr-xr-x  2 cape cape 4,0K feb 21 00:16 installer
drwxr-xr-x  4 cape cape 4,0K feb 21 00:19 lib
-rw-r--r--  1 cape cape  34K feb 21 00:16 LICENSE
drwxr-xr-x  2 cape cape 4,0K feb 23 10:29 log
drwxr-xr-x  9 cape cape 4,0K feb 21 00:26 modules
-rw-r--r--  1 cape cape 338K feb 21 00:16 poetry.lock
-rw-r--r--  1 cape cape  677 feb 21 00:16 .pre-commit-config.yaml
-rw-r--r--  1 cape cape 3,5K feb 21 00:16 pyproject.toml
-rw-r--r--  1 cape cape  11K feb 21 00:16 README.md
-rw-r--r--  1 cape cape  757 feb 21 00:16 .readthedocs.yaml
-rw-r--r--  1 cape cape 155K feb 21 00:16 requirements.txt
-rw-r--r--  1 cape cape  483 feb 21 00:16 SECURITY.md
drwxr-xr-x  5 cape cape 4,0K feb 22 09:24 storage
drwxr-xr-x  2 cape cape 4,0K feb 21 00:16 systemd
drwxr-xr-x  6 cape cape 4,0K feb 21 00:16 tests
drwxr-xr-x  2 cape cape 4,0K feb 21 00:16 tests_parsers
drwxr-xr-x  5 cape cape 4,0K feb 21 00:19 utils
drwxr-xr-x  2 cape cape 4,0K feb 21 00:16 uwsgi
drwxr-xr-x 13 cape cape 4,0K feb 22 08:47 web
-rw-r--r--  1 cape cape  205 feb 21 00:16 .yara-ci.yml
```

I have noticed other errors, but I don't think it is correct to include them here, or perhaps they are related to the lack of trid permission.

doomedraven commented 6 months ago

Please start using the code block for formatting output. So, I don't see any issue here. I guess your problem is that trid is not executable: `sudo chmod a+x /opt/CAPEv2/data/trid/trid`. It is hard to help you if you don't describe the problem; I have to guess all the time, and that is not how I will follow up.
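
The logged message recommends `chown`, while the `ls -lah` output above shows `/opt/CAPEv2/data/trid` already owned by `cape:cape` and the `trid` binary carrying mode `-rw-r--r--`, i.e. readable but without an execute bit; both conditions surface as the same `[Errno 13] Permission denied` from `subprocess`. The following is an added example, not CAPEv2 code (the function names `diagnose_binary`, `run_helper` and `demo` are hypothetical): a preflight check that tells the two causes apart before exec'ing the helper, and reproduces the thread's scenario with a constructed stand-in for `trid` in a temporary directory.

```python
"""Preflight check for an external helper binary such as CAPE's trid.

Added example, not CAPEv2 code. It separates the two causes that both
show up as "[Errno 13] Permission denied" when subprocess execs a file:
the file is owned by another user and unreadable (chown is the fix), or
it is readable but lacks the execute bit (chmod a+x is the fix, which is
what the `-rw-r--r-- ... trid` listing in this thread pointed at).
"""
import os
import subprocess
import tempfile


def diagnose_binary(path: str) -> str:
    """Return one of: 'missing', 'not_owned', 'not_executable', 'ok'."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing"
    if st.st_uid != os.geteuid() and not os.access(path, os.R_OK):
        # Owned by someone else and unreadable by the service user.
        return "not_owned"
    if not os.access(path, os.X_OK):
        # Readable, but no execute bit anywhere in the mode.
        return "not_executable"
    return "ok"


def run_helper(path: str, *args: str) -> str:
    """Exec the helper only after preflight; otherwise raise a precise error."""
    state = diagnose_binary(path)
    if state != "ok":
        fix = {
            "missing": "install the helper",
            "not_owned": f"sudo chown cape:cape {os.path.dirname(path)} -R",
            "not_executable": f"sudo chmod a+x {path}",
        }[state]
        raise PermissionError(f"{path}: {state}; fix: {fix}")
    return subprocess.check_output([path, *args], text=True)


def demo() -> dict:
    """Constructed scenario: a helper installed without the execute bit."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        helper = os.path.join(tmp, "trid")  # stand-in, not the real trid
        with open(helper, "w") as fh:
            fh.write("#!/bin/sh\necho trid-ok\n")
        os.chmod(helper, 0o644)  # the mode shown by the reporter's ls -lah
        results["before"] = diagnose_binary(helper)
        try:
            run_helper(helper)
        except PermissionError as exc:
            results["error"] = str(exc)
        os.chmod(helper, 0o755)  # equivalent of: sudo chmod a+x .../trid/trid
        results["after"] = diagnose_binary(helper)
        results["output"] = run_helper(helper).strip()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` reports `not_executable` with a `chmod a+x` hint first, then `ok` and the helper's output once the mode is fixed. `os.access(path, os.X_OK)` is the right probe here because it honours the effective UID of the process, so it is only meaningful when run as the same user the CAPE services run as (`cape` in this thread), not from the unrelated ssh login.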

eingel86 commented 6 months ago

Dear @doomedraven, thanks for the command: `sudo chmod a+x /opt/CAPEv2/data/trid/trid` solved the problem.

doomedraven commented 6 months ago

Small advice: do not activate parts that you have no idea what they are. Google them first; otherwise, with limited experience, you might get into bigger problems.