kevoreilly / CAPEv2

Malware Configuration And Payload Extraction
https://capesandbox.com/analysis/

Expectation when submitting a ransomware sample like lockbit for analysis. #1895

Closed jezkerwin closed 6 months ago

jezkerwin commented 6 months ago


Expected Behavior

This is more of a general question rather than a problem, to set my expectations. Just built an instance following the official instructions and have configured an x64 Windows 10 guest.

I'm submitting this sample https://bazaar.abuse.ch/sample/c165d80706ccb48e3d5f77a51068771dec247362a8726588c563f335a3df5b6e/ which is a lockbit ransomware sample.

When watching the VM guest via virt-manager as the analysis is being conducted, I would've thought I would see the typical ransomware page of "your files have been locked" when the sample is being executed on the VM. If I run the malware sample exe manually inside the VM (i.e. via a double-click) I get the 'your files are locked, pay us bitcoin' money, but I'm not seeing it during the analysis.

My question is: is this normal behaviour? Is the malware sample being executed in the background via the agent and I'm simply not seeing the actual activity on the VM guest, or could there be something else happening that I'm not seeing?

Current Behavior

The analysis report shows signatures that seem to suggest it has detected 'ransomware' activity, but the usual page doesn't appear on the Windows VM, so no screenshot is captured showing that. I'm wondering if this is normal?

Performs a large number of encryption calls using the same key possibly indicative of ransomware file encryption behavior
encryption: The crypto key 0x2a6ad15a5b0 was used 903 times to encrypt data

Steps to Reproduce


  1. Run CAPE using poetry:

     cape@capev2:/opt/CAPEv2$ poetry run python3 cuckoo.py -d

  2. Submit the lockbit sample using poetry:

     cape@capev2:/opt/CAPEv2$ poetry run python3 utils/submit.py -d --platform windows /home/cape/c165d80706ccb48e3d5f77a51068771dec247362a8726588c563f335a3df5b6e.zip

  3. Received the following error, but the job seems to submit successfully.

    ERROR:lib.cuckoo.common.demux:argument of type 'NoneType' is not iterable
    Traceback (most recent call last):
    File "/opt/CAPEv2/utils/../lib/cuckoo/common/demux.py", line 213, in demux_sflock
    retlist.extend(_sf_children(ch) for ch in sf_child.children)
    File "/opt/CAPEv2/utils/../lib/cuckoo/common/demux.py", line 213, in <genexpr>
    retlist.extend(_sf_children(ch) for ch in sf_child.children)
    File "/opt/CAPEv2/utils/../lib/cuckoo/common/demux.py", line 175, in _sf_children
    or is_valid_package(child.package)
    File "/opt/CAPEv2/utils/../lib/cuckoo/common/demux.py", line 166, in is_valid_package
    return any(ptype in package for ptype in VALID_PACKAGES)
    File "/opt/CAPEv2/utils/../lib/cuckoo/common/demux.py", line 166, in <genexpr>
    return any(ptype in package for ptype in VALID_PACKAGES)
    TypeError: argument of type 'NoneType' is not iterable
    Success: File "/home/cape/c165d80706ccb48e3d5f77a51068771dec247362a8726588c563f335a3df5b6e.zip" added as task with ID 1

Context


Question      Answer
Git commit    commit 16d61eb80ae3345bd03270453b21c0acedbae8cf
OS version    Ubuntu 22.04.3 LTS

Analysis Logs

2023-12-19 10:48:15,616 [root] INFO: Date set to: 20231219T11:44:53, timeout set to: 300
2023-12-19 11:44:53,006 [root] DEBUG: kernel.OpenProcess failed for PID: 0
2023-12-19 11:44:53,038 [root] DEBUG: psapi.GetProcessImageFileNameA failed for PID: 4
2023-12-19 11:44:53,053 [root] DEBUG: kernel.OpenProcess failed for PID: 0
2023-12-19 11:44:53,053 [root] DEBUG: psapi.GetProcessImageFileNameA failed for PID: 4
2023-12-19 11:44:53,070 [root] DEBUG: Starting analyzer from: C:\tmp8nnuu52b
2023-12-19 11:44:53,070 [root] DEBUG: Storing results at: C:\nMhfbI
2023-12-19 11:44:53,070 [root] DEBUG: Pipe server name: \\.\PIPE\lOKUXyzhpC
2023-12-19 11:44:53,084 [root] DEBUG: Python path: C:\Program Files (x86)\Python312-32
2023-12-19 11:44:53,084 [root] INFO: analysis running as an admin
2023-12-19 11:44:53,084 [root] DEBUG: No analysis package specified, trying to detect it automagically
2023-12-19 11:44:53,084 [root] INFO: Automatically selected analysis package "zip"
2023-12-19 11:44:53,100 [root] DEBUG: Importing analysis package "zip"...
2023-12-19 11:44:53,115 [root] DEBUG: Initializing analysis package "zip"...
2023-12-19 11:44:53,133 [root] DEBUG: New location of moved file: C:\Users\John\AppData\Local\Temp\c165d80706ccb48e3d5f.zip
2023-12-19 11:44:53,133 [root] INFO: Analyzer: Package modules.packages.zip does not specify a DLL option
2023-12-19 11:44:53,133 [root] INFO: Analyzer: Package modules.packages.zip does not specify a DLL_64 option
2023-12-19 11:44:53,133 [root] INFO: Analyzer: Package modules.packages.zip does not specify a loader option
2023-12-19 11:44:53,147 [root] INFO: Analyzer: Package modules.packages.zip does not specify a loader_64 option
2023-12-19 11:44:53,178 [root] DEBUG: Importing auxiliary module "modules.auxiliary.browser"...
2023-12-19 11:44:53,178 [root] DEBUG: Importing auxiliary module "modules.auxiliary.curtain"...
2023-12-19 11:44:53,193 [root] DEBUG: Importing auxiliary module "modules.auxiliary.digisig"...
2023-12-19 11:44:53,209 [root] DEBUG: Importing auxiliary module "modules.auxiliary.disguise"...
2023-12-19 11:44:53,225 [root] DEBUG: Importing auxiliary module "modules.auxiliary.during_script"...
2023-12-19 11:44:53,240 [root] DEBUG: Importing auxiliary module "modules.auxiliary.evtx"...
2023-12-19 11:44:53,256 [root] DEBUG: Importing auxiliary module "modules.auxiliary.filepickup"...
2023-12-19 11:44:53,256 [root] DEBUG: Importing auxiliary module "modules.auxiliary.html_scraper"...
2023-12-19 11:44:53,271 [modules.auxiliary.html_scraper] ERROR: No module named 'selenium'
2023-12-19 11:44:53,271 [root] DEBUG: Importing auxiliary module "modules.auxiliary.human"...
2023-12-19 11:44:53,271 [root] DEBUG: Importing auxiliary module "modules.auxiliary.permissions"...
2023-12-19 11:44:53,287 [root] DEBUG: Importing auxiliary module "modules.auxiliary.pre_script"...
2023-12-19 11:44:53,287 [root] DEBUG: Importing auxiliary module "modules.auxiliary.procmon"...
2023-12-19 11:44:53,303 [root] DEBUG: Importing auxiliary module "modules.auxiliary.recentfiles"...
2023-12-19 11:44:53,303 [root] DEBUG: Importing auxiliary module "modules.auxiliary.screenshots"...
2023-12-19 11:44:53,319 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2023-12-19 11:44:53,365 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2023-12-19 11:44:53,365 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2023-12-19 11:44:53,381 [root] DEBUG: Importing auxiliary module "modules.auxiliary.sysmon"...
2023-12-19 11:44:53,396 [root] DEBUG: Importing auxiliary module "modules.auxiliary.tlsdump"...
2023-12-19 11:44:53,412 [root] DEBUG: Importing auxiliary module "modules.auxiliary.usage"...
2023-12-19 11:44:53,412 [root] DEBUG: Initialized auxiliary module "Browser"
2023-12-19 11:44:53,412 [root] DEBUG: Trying to start auxiliary module "Browser"...
2023-12-19 11:44:53,412 [root] DEBUG: Started auxiliary module "Browser"
2023-12-19 11:44:53,412 [root] DEBUG: Started auxiliary module Browser
2023-12-19 11:44:53,412 [root] DEBUG: Initialized auxiliary module "Curtain"
2023-12-19 11:44:53,428 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2023-12-19 11:44:53,428 [root] DEBUG: Started auxiliary module "Curtain"
2023-12-19 11:44:53,428 [root] DEBUG: Started auxiliary module Curtain
2023-12-19 11:44:53,428 [root] DEBUG: Initialized auxiliary module "DigiSig"
2023-12-19 11:44:53,428 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2023-12-19 11:44:53,428 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2023-12-19 11:44:53,647 [modules.auxiliary.digisig] DEBUG: File format not recognized
2023-12-19 11:44:53,647 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2023-12-19 11:44:53,647 [root] DEBUG: Started auxiliary module "DigiSig"
2023-12-19 11:44:53,647 [root] DEBUG: Started auxiliary module DigiSig
2023-12-19 11:44:53,647 [root] DEBUG: Initialized auxiliary module "Disguise"
2023-12-19 11:44:53,647 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2023-12-19 11:44:53,647 [modules.auxiliary.disguise] INFO: Disguising GUID to 84add49c-7f7f-40d6-acef-4f4288aae9fe
2023-12-19 11:44:53,662 [root] DEBUG: Started auxiliary module "Disguise"
2023-12-19 11:44:53,662 [root] DEBUG: Started auxiliary module Disguise
2023-12-19 11:44:53,662 [root] DEBUG: Initialized auxiliary module "Evtx"
2023-12-19 11:44:53,678 [root] DEBUG: Trying to start auxiliary module "Evtx"...
2023-12-19 11:44:53,678 [root] DEBUG: Started auxiliary module "Evtx"
2023-12-19 11:44:53,678 [root] DEBUG: Started auxiliary module Evtx
2023-12-19 11:44:53,678 [root] DEBUG: Initialized auxiliary module "FilePickup"
2023-12-19 11:44:53,678 [root] DEBUG: Trying to start auxiliary module "FilePickup"...
2023-12-19 11:44:53,678 [root] DEBUG: Started auxiliary module "FilePickup"
2023-12-19 11:44:53,693 [root] DEBUG: Started auxiliary module FilePickup
2023-12-19 11:44:53,693 [root] DEBUG: Initialized auxiliary module "HtmlScraper"
2023-12-19 11:44:53,693 [root] DEBUG: Trying to start auxiliary module "HtmlScraper"...
2023-12-19 11:44:53,709 [root] DEBUG: Started auxiliary module "HtmlScraper"
2023-12-19 11:44:53,802 [root] DEBUG: Started auxiliary module HtmlScraper
2023-12-19 11:44:53,802 [root] DEBUG: Initialized auxiliary module "Human"
2023-12-19 11:44:53,802 [root] DEBUG: Trying to start auxiliary module "Human"...
2023-12-19 11:44:53,834 [root] DEBUG: Started auxiliary module "Human"
2023-12-19 11:44:53,834 [root] DEBUG: Started auxiliary module Human
2023-12-19 11:44:53,850 [root] DEBUG: Initialized auxiliary module "Permissions"
2023-12-19 11:44:53,850 [root] DEBUG: Trying to start auxiliary module "Permissions"...
2023-12-19 11:44:53,850 [root] DEBUG: Started auxiliary module "Permissions"
2023-12-19 11:44:53,850 [root] DEBUG: Started auxiliary module Permissions
2023-12-19 11:44:53,866 [root] DEBUG: Initialized auxiliary module "Pre_script"
2023-12-19 11:44:53,866 [root] DEBUG: Trying to start auxiliary module "Pre_script"...
2023-12-19 11:44:53,866 [root] DEBUG: Started auxiliary module "Pre_script"
2023-12-19 11:44:53,866 [root] DEBUG: Started auxiliary module Pre_script
2023-12-19 11:44:53,866 [root] DEBUG: Initialized auxiliary module "Procmon"
2023-12-19 11:44:53,883 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2023-12-19 11:44:53,896 [root] DEBUG: Started auxiliary module "Procmon"
2023-12-19 11:44:53,896 [root] DEBUG: Started auxiliary module Procmon
2023-12-19 11:44:53,928 [root] DEBUG: Initialized auxiliary module "RecentFiles"
2023-12-19 11:44:53,944 [root] DEBUG: Trying to start auxiliary module "RecentFiles"...
2023-12-19 11:44:53,990 [root] DEBUG: Started auxiliary module "RecentFiles"
2023-12-19 11:44:54,037 [root] DEBUG: Started auxiliary module RecentFiles
2023-12-19 11:44:54,037 [root] DEBUG: Initialized auxiliary module "Screenshots"
2023-12-19 11:44:54,037 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2023-12-19 11:44:54,068 [root] DEBUG: Started auxiliary module "Screenshots"
2023-12-19 11:44:54,068 [root] DEBUG: Started auxiliary module Screenshots
2023-12-19 11:44:54,084 [root] DEBUG: Initialized auxiliary module "Sysmon"
2023-12-19 11:44:54,084 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2023-12-19 11:44:54,084 [root] DEBUG: Started auxiliary module "Sysmon"
2023-12-19 11:44:54,084 [root] DEBUG: Started auxiliary module Sysmon
2023-12-19 11:44:54,084 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2023-12-19 11:44:54,084 [root] DEBUG: Trying to start auxiliary module "TLSDumpMasterSecrets"...
2023-12-19 11:44:54,084 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 616
2023-12-19 11:44:54,381 [lib.api.process] INFO: Monitor config for process 616: C:\tmp8nnuu52b\dll\616.ini
2023-12-19 11:44:54,381 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2023-12-19 11:44:54,381 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp8nnuu52b\dll\AKokyB.dll, loader C:\tmp8nnuu52b\bin\iyFifwHZ.exe
2023-12-19 11:44:54,412 [root] DEBUG: Loader: Injecting process 616 with C:\tmp8nnuu52b\dll\AKokyB.dll.
2023-12-19 11:44:54,443 [root] DEBUG: 616: Python path set to 'C:\Program Files (x86)\Python312-32'.
2023-12-19 11:44:54,443 [root] DEBUG: 616: TLS secret dump mode enabled.
2023-12-19 11:44:54,443 [root] INFO: Disabling sleep skipping.
2023-12-19 11:44:54,459 [root] DEBUG: 616: InternalYaraScan: Scanning 0x00007FFCD3930000, size 0x1f4542
2023-12-19 11:44:54,475 [root] DEBUG: 616: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2023-12-19 11:44:54,475 [root] DEBUG: 616: RtlInsertInvertedFunctionTable 0x00007FFCD394090E, LdrpInvertedFunctionTableSRWLock 0x00007FFCD3A9B4F0
2023-12-19 11:44:54,490 [root] DEBUG: 616: Monitor initialised: 64-bit capemon loaded in process 616 at 0x00007FFC99A60000, thread 3668, image base 0x00007FF63CB40000, stack from 0x000000B33BC74000-0x000000B33BC80000
2023-12-19 11:44:54,490 [root] DEBUG: 616: Commandline: C:\Windows\system32\lsass.exe
2023-12-19 11:44:54,506 [root] DEBUG: 616: Syscall hook installed, syscall logging level 1
2023-12-19 11:44:54,506 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2023-12-19 11:44:54,506 [root] DEBUG: Successfully injected DLL C:\tmp8nnuu52b\dll\AKokyB.dll.
2023-12-19 11:44:54,524 [lib.api.process] INFO: Injected into 64-bit process with pid 616
2023-12-19 11:44:54,524 [root] DEBUG: Started auxiliary module "TLSDumpMasterSecrets"
2023-12-19 11:44:54,524 [root] DEBUG: Started auxiliary module TLSDumpMasterSecrets
2023-12-19 11:44:54,524 [root] DEBUG: Initialized auxiliary module "Usage"
2023-12-19 11:44:54,524 [root] DEBUG: Trying to start auxiliary module "Usage"...
2023-12-19 11:44:54,524 [root] DEBUG: Started auxiliary module "Usage"
2023-12-19 11:44:54,524 [root] DEBUG: Started auxiliary module Usage
2023-12-19 11:44:54,537 [root] DEBUG: Initialized auxiliary module "During_script"
2023-12-19 11:44:54,537 [root] DEBUG: Trying to start auxiliary module "During_script"...
2023-12-19 11:44:54,537 [root] DEBUG: Started auxiliary module "During_script"
2023-12-19 11:44:54,537 [root] DEBUG: Started auxiliary module During_script
2023-12-19 11:45:00,680 [root] INFO: Restarting WMI Service
2023-12-19 11:45:02,761 [lib.common.zip_utils] DEBUG: Archive is encrypted, using default password value: infected
2023-12-19 11:45:02,777 [lib.common.zip_utils] DEBUG: ['C:\\Program Files\\7-Zip\\7z.exe', 'l', 'C:\\Users\\John\\AppData\\Local\\Temp\\c165d80706ccb48e3d5f.zip']
2023-12-19 11:45:02,823 [lib.common.zip_utils] DEBUG: ['C:\\Program Files\\7-Zip\\7z.exe', 'x', '-p', '-y', '-oC:\\Users\\John\\AppData\\Local\\Temp', 'C:\\Users\\John\\AppData\\Local\\Temp\\c165d80706ccb48e3d5f.zip']
2023-12-19 11:45:02,839 [lib.common.zip_utils] DEBUG: b'\r\n7-Zip 23.01 (x64) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20\r\n\r\nScanning the drive for archives:\r\n1 file, 111366 bytes (109 KiB)\r\n\r\nExtracting archive: C:\\Users\\John\\AppData\\Local\\Temp\\c165d80706ccb48e3d5f.zip\r\n--\r\nPath = C:\\Users\\John\\AppData\\Local\\Temp\\c165d80706ccb48e3d5f.zip\r\nType = zip\r\nPhysical Size = 111366\r\n\r\n\r\nSub items Errors: 1\r\n\r\nArchives with Errors: 1\r\n\r\nSub items Errors: 1\r\n' b'ERROR: Wrong password : c165d80706ccb48e3d5f77a51068771dec247362a8726588c563f335a3df5b6e.exe\r\n'
2023-12-19 11:45:02,839 [lib.common.zip_utils] DEBUG: ['C:\\Program Files\\7-Zip\\7z.exe', 'x', '-pinfected', '-y', '-oC:\\Users\\John\\AppData\\Local\\Temp', 'C:\\Users\\John\\AppData\\Local\\Temp\\c165d80706ccb48e3d5f.zip']
2023-12-19 11:45:02,870 [lib.common.zip_utils] DEBUG: b'\r\n7-Zip 23.01 (x64) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20\r\n\r\nScanning the drive for archives:\r\n1 file, 111366 bytes (109 KiB)\r\n\r\nExtracting archive: C:\\Users\\John\\AppData\\Local\\Temp\\c165d80706ccb48e3d5f.zip\r\n--\r\nPath = C:\\Users\\John\\AppData\\Local\\Temp\\c165d80706ccb48e3d5f.zip\r\nType = zip\r\nPhysical Size = 111366\r\n\r\nEverything is Ok\r\n\r\nSize:       249856\r\nCompressed: 111366\r\n' b''
2023-12-19 11:45:02,870 [modules.packages.zip] DEBUG: Missing file option, auto executing: ['c165d80706ccb48e3d5f77a51068771dec247362a8726588c563f335a3df5b6e.exe']
2023-12-19 11:45:02,870 [modules.packages.zip] DEBUG: Interesting file_name: "c165d80706ccb48e3d5f77a51068771dec247362a8726588c563f335a3df5b6e.exe"
2023-12-19 11:45:02,870 [lib.core.compound] INFO: C:\Users\John\AppData\Local\Temp already exists, skipping creation
2023-12-19 11:45:02,886 [lib.api.process] INFO: Successfully executed process from path "C:\Users\John\AppData\Local\Temp\c165d80706ccb48e3d5f77a51068771dec247362a8726588c563f335a3df5b6e.exe" with arguments "" with pid 6084
2023-12-19 11:45:02,886 [lib.api.process] INFO: Monitor config for process 6084: C:\tmp8nnuu52b\dll\6084.ini
2023-12-19 11:45:02,901 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp8nnuu52b\dll\AKokyB.dll, loader C:\tmp8nnuu52b\bin\iyFifwHZ.exe
2023-12-19 11:45:02,917 [root] DEBUG: Loader: Injecting process 6084 (thread 6944) with C:\tmp8nnuu52b\dll\AKokyB.dll.
2023-12-19 11:45:02,917 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2023-12-19 11:45:02,917 [root] DEBUG: Successfully injected DLL C:\tmp8nnuu52b\dll\AKokyB.dll.
2023-12-19 11:45:02,933 [lib.api.process] INFO: Injected into 64-bit process with pid 6084
2023-12-19 11:45:04,948 [lib.api.process] INFO: Successfully resumed process with pid 6084
2023-12-19 11:45:04,964 [root] DEBUG: 6084: Python path set to 'C:\Program Files (x86)\Python312-32'.
2023-12-19 11:45:04,964 [root] DEBUG: 6084: Dropped file limit defaulting to 100.
2023-12-19 11:45:04,979 [root] DEBUG: 6084: YaraInit: Compiled 32 rule files
2023-12-19 11:45:04,995 [root] DEBUG: 6084: YaraInit: Compiled rules saved to file C:\tmp8nnuu52b\data\yara\capemon.yac
2023-12-19 11:45:04,995 [root] DEBUG: 6084: InternalYaraScan: Scanning 0x00007FFCD3930000, size 0x1f4542
2023-12-19 11:45:05,011 [root] DEBUG: 6084: InternalYaraScan hit: Syscall
2023-12-19 11:45:05,011 [root] DEBUG: 6084: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2023-12-19 11:45:05,011 [root] DEBUG: 6084: RtlInsertInvertedFunctionTable 0x00007FFCD394090E, LdrpInvertedFunctionTableSRWLock 0x00007FFCD3A9B4F0
2023-12-19 11:45:05,011 [root] DEBUG: 6084: YaraScan: Scanning 0x00007FF66AA50000, size 0x41658
2023-12-19 11:45:05,026 [root] DEBUG: 6084: AmsiDumper initialised.
2023-12-19 11:45:05,026 [root] DEBUG: 6084: Monitor initialised: 64-bit capemon loaded in process 6084 at 0x00007FFC99A60000, thread 6944, image base 0x00007FF66AA50000, stack from 0x000000E5E59A5000-0x000000E5E59B0000
2023-12-19 11:45:05,026 [root] DEBUG: 6084: Commandline: "C:\Users\John\AppData\Local\Temp\c165d80706ccb48e3d5f77a51068771dec247362a8726588c563f335a3df5b6e.exe"
2023-12-19 11:45:05,042 [root] DEBUG: 6084: hook_api: Warning - CoCreateInstance export address 0x00007FFCD24642EB differs from GetProcAddress -> 0x00007FFCD2A8C030 (combase.dll::0x2c030)
2023-12-19 11:45:05,042 [root] DEBUG: 6084: hook_api: Warning - CoCreateInstanceEx export address 0x00007FFCD246432A differs from GetProcAddress -> 0x00007FFCD2B27B60 (combase.dll::0xc7b60)
2023-12-19 11:45:05,058 [root] DEBUG: 6084: hook_api: Warning - CoGetClassObject export address 0x00007FFCD24648BA differs from GetProcAddress -> 0x00007FFCD2ABB340 (combase.dll::0x5b340)
2023-12-19 11:45:05,058 [root] DEBUG: 6084: hook_api: Warning - UpdateProcThreadAttribute export address 0x00007FFCD36574B4 differs from GetProcAddress -> 0x00007FFCD13F4A30 (KERNELBASE.dll::0x74a30)
2023-12-19 11:45:05,073 [root] DEBUG: 6084: hook_api: Warning - CLSIDFromProgID export address 0x00007FFCD2463B36 differs from GetProcAddress -> 0x00007FFCD2AF8380 (combase.dll::0x98380)
2023-12-19 11:45:05,089 [root] DEBUG: 6084: Syscall hook installed, syscall logging level 1
2023-12-19 11:45:05,104 [root] DEBUG: 6084: RestoreHeaders: Restored original import table.
2023-12-19 11:45:05,104 [root] INFO: Loaded monitor into process with pid 6084
2023-12-19 11:45:05,104 [root] DEBUG: 6084: caller_dispatch: Added region at 0x00007FF66AA50000 to tracked regions list (kernel32::LoadLibraryExW returns to 0x00007FF66AA730C5, thread 6944).
2023-12-19 11:45:05,104 [root] DEBUG: 6084: YaraScan: Scanning 0x00007FF66AA50000, size 0x41658
2023-12-19 11:45:05,120 [root] DEBUG: 6084: ProcessImageBase: Main module image at 0x00007FF66AA50000 unmodified.
2023-12-19 11:45:05,120 [root] DEBUG: 6084: DLL loaded at 0x00007FFCD0920000: C:\Windows\SYSTEM32\CRYPTSP (0x18000 bytes).
2023-12-19 11:45:05,120 [root] DEBUG: 6084: DLL loaded at 0x00007FFCD00B0000: C:\Windows\system32\rsaenh (0x34000 bytes).
2023-12-19 11:45:05,136 [root] DEBUG: 6084: DLL loaded at 0x00007FFCD17B0000: C:\Windows\System32\bcryptPrimitives (0x83000 bytes).
2023-12-19 11:45:05,136 [root] DEBUG: 6084: DLL loaded at 0x00007FFCD0A40000: C:\Windows\SYSTEM32\ncrypt (0x27000 bytes).
2023-12-19 11:45:05,136 [root] DEBUG: 6084: DLL loaded at 0x00007FFCD2EB0000: C:\Windows\System32\OLEAUT32 (0xcd000 bytes).
2023-12-19 11:45:05,151 [root] DEBUG: 6084: DLL loaded at 0x00007FFCC7620000: C:\Windows\SYSTEM32\Rstrtmgr (0x39000 bytes).
2023-12-19 11:45:05,151 [root] DEBUG: 6084: DLL loaded at 0x00007FFCD0A00000: C:\Windows\SYSTEM32\NTASN1 (0x3b000 bytes).
2023-12-19 11:45:05,151 [root] DEBUG: 6084: hook_api: NetUserGetInfo address 0x00007FFCC2450E7E obtained via GetExportAddress
2023-12-19 11:45:05,151 [root] DEBUG: 6084: hook_api: NetGetJoinInformation address 0x00007FFCC244FED3 obtained via GetExportAddress
2023-12-19 11:45:05,167 [root] DEBUG: 6084: hook_api: NetUserGetLocalGroups address 0x00007FFCC2450EAA obtained via GetExportAddress
2023-12-19 11:45:05,167 [root] DEBUG: 6084: hook_api: DsEnumerateDomainTrustsW address 0x00007FFCC244E93F obtained via GetExportAddress
2023-12-19 11:45:05,167 [root] DEBUG: 6084: DLL loaded at 0x00007FFCC2440000: C:\Windows\SYSTEM32\Netapi32 (0x18000 bytes).
2023-12-19 11:45:05,167 [root] DEBUG: 6084: DLL loaded at 0x00007FFCD0420000: C:\Windows\SYSTEM32\Iphlpapi (0x3b000 bytes).
2023-12-19 11:45:05,183 [root] DEBUG: 6084: DLL loaded at 0x00007FFCD1B90000: C:\Windows\System32\Shell32 (0x73f000 bytes).
2023-12-19 11:45:05,183 [root] DEBUG: 6084: MapSectionViewHandler: Added section view with handle 0x230 and local view 0x0000029C396E0000 to global list.
2023-12-19 11:45:05,214 [root] DEBUG: 6084: api-rate-cap: LdrGetProcedureAddressForCaller hook disabled due to rate
2023-12-19 11:45:05,214 [root] DEBUG: 6084: MapSectionViewHandler: Added section view with handle 0x238 and local view 0x0000029C37320000 to global list.
2023-12-19 11:45:05,229 [root] DEBUG: 6084: MapSectionViewHandler: Added section view with handle 0x240 and local view 0x0000029C397A0000 to global list.
2023-12-19 11:45:05,245 [root] DEBUG: 6084: MapSectionViewHandler: Added section view with handle 0x248 and local view 0x0000029C37390000 to global list.
2023-12-19 11:45:05,261 [root] DEBUG: 6084: MapSectionViewHandler: Added section view with handle 0x250 and local view 0x0000029C39850000 to global list.
2023-12-19 11:45:05,276 [root] DEBUG: 6084: MapSectionViewHandler: Added section view with handle 0x258 and local view 0x0000029C39980000 to global list.
2023-12-19 11:45:05,276 [root] DEBUG: 6084: MapSectionViewHandler: Added section view with handle 0x260 and local view 0x0000029C374E0000 to global list.
2023-12-19 11:45:05,276 [root] DEBUG: 6084: MapSectionViewHandler: Added section view with handle 0x268 and local view 0x0000029C37500000 to global list.
2023-12-19 11:45:05,292 [root] DEBUG: 6084: MapSectionViewHandler: Added section view with handle 0x270 and local view 0x0000029C38A80000 to global list.
2023-12-19 11:45:05,292 [root] DEBUG: 6084: MapSectionViewHandler: Added section view with handle 0x274 and local view 0x00007FFCD3080000 to global list.
2023-12-19 11:45:05,292 [root] DEBUG: 6084: DLL loaded at 0x00007FFCD3080000: C:\Windows\System32\SHCORE (0xad000 bytes).
2023-12-19 11:45:05,307 [root] DEBUG: 6084: MapSectionViewHandler: Added section view with handle 0x280 and local view 0x00007FFCC9E20000 to global list.
2023-12-19 11:45:05,307 [root] DEBUG: 6084: DLL loaded at 0x00007FFCC9E20000: C:\Windows\SYSTEM32\SHUNIMPL (0xa000 bytes).
2023-12-19 11:45:05,307 [root] DEBUG: 6084: MapSectionViewHandler: Added section view with handle 0x284 and local view 0x00007FFCC9E20000 to global list.
2023-12-19 11:45:05,307 [root] DEBUG: 6084: DLL loaded at 0x00007FFCC9E20000: C:\Windows\SYSTEM32\SHUNIMPL (0xa000 bytes).
2023-12-19 11:45:05,323 [root] DEBUG: 6084: DLL loaded at 0x00007FFCC9E20000: C:\Windows\SYSTEM32\SHUNIMPL (0xa000 bytes).
2023-12-19 11:45:05,323 [root] DEBUG: 6084: MapSectionViewHandler: Updated local view to 0x0000029C39AB0000 for section view with handle 0x280.
2023-12-19 11:45:05,354 [root] DEBUG: 6084: MapSectionViewHandler: Updated local view to 0x0000029C3A200000 for section view with handle 0x284.
2023-12-19 11:45:05,370 [root] DEBUG: 6084: RtlDispatchException: skipped instruction at 0x00007FF66AA51D68 writing to ntdll (0x00007FFCD39FC9E0 - 0x00000000000CC9E0)
2023-12-19 11:45:05,448 [root] INFO: Disabling sleep skipping.
2023-12-19 11:45:05,464 [root] DEBUG: 6084: MapSectionViewHandler: Added section view with handle 0x2ac and local view 0x0000029C38AE0000 to global list.
2023-12-19 11:45:05,464 [root] DEBUG: 6084: DLL loaded at 0x00007FFCD0B60000: C:\Windows\SYSTEM32\MSASN1 (0x12000 bytes).
2023-12-19 11:45:05,464 [root] DEBUG: 6084: MapSectionViewHandler: Added section view with handle 0x2bc and local view 0x00007FFCCEF70000 to global list.
2023-12-19 11:45:05,479 [root] DEBUG: 6084: DLL loaded at 0x00007FFCCEF70000: C:\Windows\SYSTEM32\kernel.appcore (0x12000 bytes).
2023-12-19 11:45:05,479 [root] DEBUG: 6084: DLL loaded at 0x00007FFCD3710000: C:\Windows\System32\clbcatq (0xa9000 bytes).
2023-12-19 11:45:05,495 [root] DEBUG: 6084: DLL loaded at 0x00007FFCC7950000: C:\Windows\SYSTEM32\wbemcomn (0x92000 bytes).
2023-12-19 11:45:05,495 [root] DEBUG: 6084: DLL loaded at 0x00007FFCC79F0000: C:\Windows\system32\wbem\wbemprox (0x11000 bytes).
2023-12-19 11:45:05,513 [root] DEBUG: 6084: DLL loaded at 0x00007FFCC4600000: C:\Windows\system32\wbem\fastprox (0x10b000 bytes).
2023-12-19 11:45:05,557 [root] DEBUG: 6084: DLL loaded at 0x00007FFCC4560000: C:\Windows\system32\wbem\wbemsvc (0x14000 bytes).
2023-12-19 11:45:07,122 [root] DEBUG: 6084: DLL loaded at 0x00007FFCC3930000: C:\Windows\SYSTEM32\amsi (0x19000 bytes).
2023-12-19 11:45:07,122 [root] DEBUG: 6084: MapSectionViewHandler: Added section view with handle 0x378 and local view 0x00007FFCD0F10000 to global list.
2023-12-19 11:45:07,137 [root] DEBUG: 6084: DLL loaded at 0x00007FFCD0F10000: C:\Windows\SYSTEM32\USERENV (0x2e000 bytes).
2023-12-19 11:45:07,137 [root] DEBUG: 6084: MapSectionViewHandler: Added section view with handle 0x37c and local view 0x00007FFCD0F90000 to global list.
2023-12-19 11:45:07,153 [root] DEBUG: 6084: DLL loaded at 0x00007FFCD0F90000: C:\Windows\SYSTEM32\profapi (0x1f000 bytes).
2023-12-19 11:45:09,080 [root] DEBUG: 6084: DLL loaded at 0x00007FFCD0730000: C:\Windows\system32\mswsock (0x6a000 bytes).
2023-12-19 11:45:09,095 [root] DEBUG: 6084: DLL loaded at 0x00007FFCC2CC0000: C:\Windows\system32\napinsp (0x17000 bytes).
2023-12-19 11:45:09,095 [root] DEBUG: 6084: DLL loaded at 0x00007FFCC2B10000: C:\Windows\system32\pnrpnsp (0x1b000 bytes).
2023-12-19 11:45:09,111 [root] DEBUG: 6084: DLL loaded at 0x00007FFCBE3C0000: C:\Windows\system32\wshbth (0x15000 bytes).
2023-12-19 11:45:09,111 [root] DEBUG: 6084: DLL loaded at 0x00007FFCCCA30000: C:\Windows\system32\NLAapi (0x1d000 bytes).
2023-12-19 11:45:09,111 [root] DEBUG: 6084: DLL loaded at 0x00007FFCD0470000: C:\Windows\SYSTEM32\DNSAPI (0xcc000 bytes).
2023-12-19 11:45:09,111 [root] DEBUG: 6084: DLL loaded at 0x00007FFCD2DC0000: C:\Windows\System32\NSI (0x8000 bytes).
2023-12-19 11:45:09,126 [root] DEBUG: 6084: DLL loaded at 0x00007FFCC2AF0000: C:\Windows\System32\winrnr (0x12000 bytes).
2023-12-19 11:45:09,142 [root] DEBUG: 6084: DLL loaded at 0x00007FFCC8CF0000: C:\Windows\System32\fwpuclnt (0x7f000 bytes).
2023-12-19 11:45:09,142 [root] DEBUG: 6084: DLL loaded at 0x00007FFCC8670000: C:\Windows\System32\rasadhlp (0xa000 bytes).
2023-12-19 11:45:10,159 [root] DEBUG: 6084: DLL loaded at 0x00007FFCC5630000: C:\Windows\SYSTEM32\SRVCLI (0x28000 bytes).
2023-12-19 11:45:10,191 [root] DEBUG: 616: DLL loaded at 0x00007FFCC9CF0000: C:\Windows\SYSTEM32\dhcpcsvc6 (0x17000 bytes).
2023-12-19 11:45:10,191 [root] DEBUG: 616: DLL loaded at 0x00007FFCC9CD0000: C:\Windows\SYSTEM32\dhcpcsvc (0x1d000 bytes).
2023-12-19 11:45:10,222 [root] DEBUG: 6084: DLL loaded at 0x00007FFCC2410000: C:\Windows\SYSTEM32\cscapi (0x12000 bytes).
2023-12-19 11:45:10,222 [root] DEBUG: 6084: DLL loaded at 0x00007FFCD0460000: C:\Windows\SYSTEM32\NETUTILS (0xc000 bytes).
2023-12-19 11:45:10,488 [root] INFO: Added new file to list with pid None and path C:\DumpStack.log
2023-12-19 11:45:10,550 [root] INFO: Added new file to list with pid None and path C:\ProgramData\ntuser.pol
2023-12-19 11:45:10,597 [root] INFO: Added new file to list with pid None and path C:\Program Files\7-Zip\7-zip.chm
2023-12-19 11:45:10,613 [root] INFO: Added new file to list with pid None and path C:\Program Files\7-Zip\7z.sfx
2023-12-19 11:45:10,644 [root] INFO: Added new file to list with pid None and path C:\Program Files\7-Zip\7zCon.sfx
2023-12-19 11:45:10,659 [root] INFO: Added new file to list with pid None and path C:\Program Files\7-Zip\History.txt
2023-12-19 11:45:10,691 [root] INFO: Added new file to list with pid None and path C:\Program Files\7-Zip\License.txt
2023-12-19 11:45:10,706 [root] INFO: Added new file to list with pid None and path C:\Program Files\7-Zip\readme.txt
2023-12-19 11:45:10,737 [root] INFO: Added new file to list with pid None and path C:\Program Files (x86)\Python312-32\LICENSE.txt
2023-12-19 11:45:10,769 [root] INFO: Added new file to list with pid None and path C:\Program Files (x86)\Python312-32\NEWS.txt
2023-12-19 11:45:10,800 [root] INFO: Added new file to list with pid None and path C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag
2023-12-19 11:45:10,831 [root] INFO: Added new file to list with pid None and path C:\Users\Default\NTUSER.DAT
2023-12-19 11:45:10,863 [root] INFO: Added new file to list with pid None and path C:\Users\Default\NTUSER.DAT.LOG1
2023-12-19 11:45:10,878 [root] INFO: Added new file to list with pid None and path C:\Users\Default\NTUSER.DAT.LOG2
2023-12-19 11:45:10,894 [root] INFO: Added new file to list with pid None and path C:\Users\Default\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TM.blf
2023-12-19 11:45:10,925 [root] INFO: Added new file to list with pid None and path C:\Users\Default\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms
2023-12-19 11:45:10,940 [root] INFO: Added new file to list with pid None and path C:\Users\Default\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms
2023-12-19 11:45:10,956 [root] INFO: Added new file to list with pid None and path C:\Users\John\agent.py
2023-12-19 11:45:10,988 [root] INFO: Added new file to list with pid None and path C:\Program Files\7-Zip\Lang\af.txt
2023-12-19 11:45:11,019 [root] INFO: Added new file to list with pid None and path C:\Program Files\7-Zip\Lang\an.txt
2023-12-19 11:45:11,019 [root] INFO: Added new file to list with pid None and path C:\Program Files\7-Zip\Lang\ar.txt
2023-12-19 11:45:11,050 [root] INFO: Added new file to list with pid None and path C:\Program Files\7-Zip\Lang\ast.txt
2023-12-19 11:45:11,050 [root] INFO: Added new file to list with pid None and path C:\Program Files\7-Zip\Lang\az.txt
2023-12-19 11:45:11,066 [root] INFO: Added new file to list with pid None and path C:\Program Files\7-Zip\Lang\ba.txt
2023-12-19 11:45:11,081 [root] INFO: Added new file to list with pid None and path C:\Program Files\7-Zip\Lang\be.txt
2023-12-19 11:45:11,097 [root] INFO: Added new file to list with pid None and path C:\Program Files\7-Zip\Lang\bg.txt
2023-12-19 11:45:11,113 [root] INFO: Added new file to list with pid None and path C:\Program Files\7-Zip\Lang\bn.txt
2023-12-19 11:45:11,128 [root] INFO: Added new file to list with pid None and path C:\Program Files\7-Zip\Lang\br.txt
2023-12-19 11:45:11,144 [root] INFO: Added new file to list with pid None and path C:\Program Files\7-Zip\Lang\ca.txt
2023-12-19 11:45:11,160 [root] INFO: Added new file to list with pid None and path C:\Program Files\7-Zip\Lang\co.txt
2023-12-19 11:45:11,224 [root] INFO: Added new file to list with pid None and path C:\Program Files\7-Zip\Lang\cs.txt
2023-12-19 11:45:11,255 [root] INFO: Added new file to list with pid None and path C:\Program Files\7-Zip\Lang\cy.txt
2023-12-19 11:45:11,287 [root] INFO: Added new file to list with pid None and path C:\Program Files\7-Zip\Lang\da.txt
2023-12-19 11:45:11,302 [root] INFO: Added new file to list with pid None and path C:\Program Files\7-Zip\Lang\de.txt
2023-12-19 11:45:11,318 [root] INFO: Added new file to list with pid None and path C:\Program Files\7-Zip\Lang\el.txt
2023-12-19 11:45:11,334 [root] INFO: Added new file to list with pid None and path C:\Program Files\7-Zip\Lang\en.ttt
2023-12-19 11:45:11,349 [root] INFO: Added new file to list with pid None and path C:\Program Files\7-Zip\Lang\eo.txt
2023-12-19 11:45:11,365 [root] INFO: Added new file to list with pid None and path C:\Program Files\7-Zip\Lang\es.txt
2023-12-19 11:45:11,380 [root] INFO: Added new file to list with pid None and path C:\Program Files\7-Zip\Lang\et.txt
2023-12-19 11:45:11,396 [root] INFO: Added new file to list with pid None and path C:\Program Files\7-Zip\Lang\eu.txt
2023-12-19 11:45:11,412 [root] INFO: Added new file to list with pid None and path C:\Program Files\7-Zip\Lang\ext.txt
2023-12-19 11:45:11,427 [root] INFO: Added new file to list with pid None and path C:\Program Files\7-Zip\Lang\fa.txt
2023-12-19 11:45:11,443 [root] INFO: Added new file to list with pid None and path C:\Program Files\7-Zip\Lang\fi.txt
2023-12-19 11:45:11,474 [root] INFO: Added new file to list with pid None and path C:\Program Files\7-Zip\Lang\fr.txt
2023-12-19 11:45:11,490 [root] INFO: Added new file to list with pid None and path C:\Program Files\7-Zip\Lang\fur.txt
2023-12-19 11:45:11,506 [root] INFO: Added new file to list with pid None and path C:\Program Files\7-Zip\Lang\fy.txt
2023-12-19 11:45:11,536 [root] INFO: Added new file to list with pid None and path C:\Program Files\7-Zip\Lang\ga.txt
2023-12-19 11:45:11,552 [root] INFO: Added new file to list with pid None and path C:\Program Files\7-Zip\Lang\gl.txt
2023-12-19 11:45:11,568 [root] INFO: Added new file to list with pid None and path C:\Program Files\7-Zip\Lang\gu.txt
2023-12-19 11:45:11,599 [root] INFO: Added new file to list with pid None and path C:\Program Files\7-Zip\Lang\he.txt
2023-12-19 11:45:11,599 [root] DEBUG: 6084: Dropped file limit reached.
2023-12-19 11:45:12,426 [root] DEBUG: 6084: DLL loaded at 0x00007FFCCEA70000: C:\Windows\system32\uxtheme (0x9e000 bytes).
2023-12-19 11:45:16,765 [root] DEBUG: 6084: OpenProcessHandler: Injection info created for Pid 6040, handle 0x9cc.
2023-12-19 11:45:16,765 [root] DEBUG: 6084: OpenProcessHandler: Image base for process 6040 (handle 0x9cc): 0x00007FF792910000.
2023-12-19 11:45:16,781 [root] DEBUG: 6084: MapSectionViewHandler: Added section view with handle 0x9bc and local view 0x0000029C3C370000 to global list.
2023-12-19 11:45:16,796 [root] DEBUG: 6084: OpenProcessHandler: Injection info created for Pid 3392, handle 0x9a8.
2023-12-19 11:45:16,796 [root] DEBUG: 6084: OpenProcessHandler: Image base for process 3392 (handle 0x9a8): 0x00007FF792910000.
2023-12-19 11:45:16,812 [root] DEBUG: 6084: OpenProcessHandler: Injection info created for Pid 976, handle 0x8c4.
2023-12-19 11:45:16,812 [root] DEBUG: 6084: OpenProcessHandler: Image base for process 976 (handle 0x8c4): 0x00007FF792910000.
2023-12-19 11:45:16,812 [root] DEBUG: 6084: OpenProcessHandler: Injection info created for Pid 6684, handle 0x8bc.
2023-12-19 11:45:16,827 [root] DEBUG: 6084: OpenProcessHandler: Image base for process 6684 (handle 0x8bc): 0x00007FF792910000.
2023-12-19 11:45:16,827 [root] DEBUG: 6084: OpenProcessHandler: Injection info created for Pid 6708, handle 0x9ac.
2023-12-19 11:45:16,827 [root] DEBUG: 6084: OpenProcessHandler: Image base for process 6708 (handle 0x9ac): 0x00007FF792910000.
2023-12-19 11:45:16,843 [root] DEBUG: 6084: OpenProcessHandler: Injection info created for Pid 4724, handle 0x8b8.
2023-12-19 11:45:16,843 [root] DEBUG: 6084: OpenProcessHandler: Image base for process 4724 (handle 0x8b8): 0x00007FF792910000.
2023-12-19 11:45:32,760 [root] INFO: Process with pid 3392 has terminated
2023-12-19 11:45:32,775 [root] INFO: Process with pid 976 has terminated
2023-12-19 11:45:32,775 [root] INFO: Process with pid 6684 has terminated
2023-12-19 11:45:32,775 [root] INFO: Process with pid 6708 has terminated
2023-12-19 11:45:32,775 [root] INFO: Process with pid 4724 has terminated
2023-12-19 11:45:32,806 [root] DEBUG: 6084: MapSectionViewHandler: Added section view with handle 0x8bc and local view 0x0000029C3C370000 to global list.
2023-12-19 11:45:35,940 [root] DEBUG: 6084: api-cap: NtSetInformationFile hook disabled due to count: 5000
2023-12-19 11:45:36,643 [root] DEBUG: 6084: api-cap: NtQueryInformationFile hook disabled due to count: 5000
2023-12-19 11:45:40,147 [root] DEBUG: 6084: api-cap: NtWriteFile hook disabled due to count: 5000
2023-12-19 11:45:41,238 [root] DEBUG: 6084: api-cap: NtClose hook disabled due to count: 5000
2023-12-19 11:45:41,519 [root] DEBUG: 6084: api-cap: NtCreateFile hook disabled due to count: 5000
2023-12-19 11:45:42,381 [root] DEBUG: 6084: api-cap: NtReadFile hook disabled due to count: 5000
2023-12-19 11:45:44,737 [root] DEBUG: 6084: api-cap: CryptGenRandom hook disabled due to count: 5000
2023-12-19 11:45:47,712 [root] DEBUG: 6084: api-cap: FindNextFileW hook disabled due to count: 5000

cuckoo.conf

The only change in the cuckoo.conf file from the cuckoo.conf.default file is the IP address of the results server, which I've set to the host-only KVM network of 10.10.1.1.

kvm.conf

Not much changed in this file, only specifying the analysis VM guest.

cape@capev2:/opt/CAPEv2$ diff conf/cuckoo.conf conf/cuckoo.conf.default
118c118
< ip = 10.10.1.1
---
> ip = 192.168.1.1
167c167
< connection = postgresql://cape:SuperPuperSecret@localhost:5432/cape
---
> connection =
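Review bot: the `connection` value at 167c167 pastes the PostgreSQL password into a public issue in clear text (`postgresql://cape:SuperPuperSecret@localhost:5432/cape`); treat that credential as disclosed and rotate it, and redact the `connection` line before sharing config diffs. The comparison against `cuckoo.conf.default` already shows the field is empty by default, so the redacted diff would lose nothing relevant to the report.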
180c180
< default = 300
---
> default = 200
cape@capev2:/opt/CAPEv2$ diff conf/kvm.conf conf/kvm.conf.default
7c7
< interface = virbr1
---
> interface = virbr0
12c12
< label = win10
---
> label = cuckoo1
22c22
< ip = 10.10.1.10
---
> ip = 192.168.122.105
30c30
< tags = win10
---
> # tags = winxp,acrobat_reader_6
35c35
< snapshot = win10_base
---
> # snapshot = Snapshot1
63c63
< arch = x64
---
> arch = x86

auxiliary.conf

The only thing changed was turning off the sniffer; I think that was causing some issues.

[sniffer]
# Enable or disable the use of an external sniffer (tcpdump) [yes/no].
enabled = no
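The analyzer log above is what answers the original question (did the sample actually run under the monitor, and what did the monitor capture before its per-API caps kicked in), but reading several hundred lines by hand is slow. The following is an added example, not part of CAPEv2 or of the issue, of a small parser for that log format: it pulls out which PIDs emitted monitor messages, which PIDs had injection info created and which of those terminated, which API hooks were disabled by `api-cap` and at what count, and whether the dropped-file limit was hit. The line formats are taken from the excerpt above; the embedded sample log is constructed to mirror them, and the "heavy file I/O" flag is a heuristic of this example, not a CAPE signature.

```python
"""Summarise a CAPE analyzer log (analysis.log style) for quick triage.

Added example; not CAPEv2 project code. Message formats follow the log
excerpt in the issue, the sample lines below are constructed.
"""
import re

# Constructed sample log, shaped like the analyzer log excerpt in this issue
# (same message formats; timestamps, PIDs and handles are made up).
SAMPLE_LOG = """\
2023-12-19 11:45:10,956 [root] INFO: Added new file to list with pid None and path C:\\Users\\John\\agent.py
2023-12-19 11:45:11,019 [root] INFO: Added new file to list with pid None and path C:\\Program Files\\7-Zip\\Lang\\an.txt
2023-12-19 11:45:11,599 [root] DEBUG: 6084: Dropped file limit reached.
2023-12-19 11:45:16,765 [root] DEBUG: 6084: OpenProcessHandler: Injection info created for Pid 6040, handle 0x9cc.
2023-12-19 11:45:16,796 [root] DEBUG: 6084: OpenProcessHandler: Injection info created for Pid 3392, handle 0x9a8.
2023-12-19 11:45:32,760 [root] INFO: Process with pid 3392 has terminated
2023-12-19 11:45:35,940 [root] DEBUG: 6084: api-cap: NtSetInformationFile hook disabled due to count: 5000
2023-12-19 11:45:40,147 [root] DEBUG: 6084: api-cap: NtWriteFile hook disabled due to count: 5000
2023-12-19 11:45:44,737 [root] DEBUG: 6084: api-cap: CryptGenRandom hook disabled due to count: 5000
this line is not in the analyzer format and is skipped
"""

# "<timestamp> [<logger>] <LEVEL>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \[(?P<logger>[^\]]+)\] "
    r"(?P<level>[A-Z]+): (?P<msg>.*)$"
)
# Messages emitted from inside a monitored process carry a "<pid>: " prefix.
PID_PREFIX_RE = re.compile(r"^(?P<pid>\d+): (?P<rest>.*)$")
HOOK_CAP_RE = re.compile(r"api-cap: (?P<api>\w+) hook disabled due to count: (?P<count>\d+)")
INJECT_RE = re.compile(r"Injection info created for Pid (?P<pid>\d+), handle (?P<handle>0x[0-9a-fA-F]+)")
TERMINATED_RE = re.compile(r"Process with pid (?P<pid>\d+) has terminated")
DROPPED_RE = re.compile(r"Added new file to list with pid (?P<pid>\S+) and path (?P<path>.*)$")

# File APIs whose hooks being capped indicates very heavy file activity
# (heuristic for this example, not a CAPE rule).
FILE_IO_APIS = ("NtWriteFile", "NtCreateFile", "NtReadFile")


def parse_line(line):
    """Split one analyzer log line into (ts, level, pid_or_None, message); None if not a log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pid = None
    msg = m.group("msg")
    pm = PID_PREFIX_RE.match(msg)
    if pm:
        pid = int(pm.group("pid"))
        msg = pm.group("rest")
    return m.group("ts"), m.group("level"), pid, msg


def summarise(text):
    """Aggregate the facts a triager wants out of an analyzer log."""
    monitored, injected, terminated = set(), set(), set()
    capped = {}          # api name -> count at which the hook was disabled
    dropped = 0          # files queued for collection
    limit_hit = False    # "Dropped file limit reached." seen
    for raw in text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        _ts, _level, pid, msg = parsed
        if pid is not None:
            monitored.add(pid)
        m = HOOK_CAP_RE.search(msg)
        if m:
            capped[m.group("api")] = int(m.group("count"))
            continue
        m = INJECT_RE.search(msg)
        if m:
            injected.add(int(m.group("pid")))
            continue
        m = TERMINATED_RE.search(msg)
        if m:
            terminated.add(int(m.group("pid")))
            continue
        if DROPPED_RE.search(msg):
            dropped += 1
        elif "Dropped file limit reached" in msg:
            limit_hit = True
    return {
        "monitored_pids": monitored,
        "injected_pids": injected,
        "terminated_pids": terminated,
        "live_injected_pids": injected - terminated,
        "capped_apis": capped,
        "dropped_files": dropped,
        "dropped_file_limit_hit": limit_hit,
        "heavy_file_io": any(api in capped for api in FILE_IO_APIS),
    }


def format_report(summary):
    """Render the summary as a short plain-text report."""
    lines = [
        f"monitored PIDs:        {sorted(summary['monitored_pids'])}",
        f"injection targets:     {sorted(summary['injected_pids'])}",
        f"  terminated:          {sorted(summary['terminated_pids'])}",
        f"  still live at end:   {sorted(summary['live_injected_pids'])}",
        f"hooks disabled by cap: {summary['capped_apis']}",
        f"files queued:          {summary['dropped_files']} (limit hit: {summary['dropped_file_limit_hit']})",
        f"heavy file I/O:        {summary['heavy_file_io']}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(summarise(SAMPLE_LOG)))
```

Point it at a real analysis.log instead of `SAMPLE_LOG` to get the same report for a task; the combination of file-API hooks being capped at 5000 calls plus `CryptGenRandom` being capped is what the excerpt above shows while the "files locked" screen is never drawn, which is consistent with the sample running in the background under the monitor.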
doomedraven commented 6 months ago

Hello, sorry for the delay. I was able to reproduce it; thank you for reporting it. Fixed here: https://github.com/kevoreilly/CAPEv2/commit/c972a9b631119afd6671ab6417852d629e596670

Update and restart the web service: systemctl restart cape-web