kevoreilly / CAPEv2

Malware Configuration And Payload Extraction
https://capesandbox.com/analysis/

Not detonating properly on win10 #910

Closed doomedraven closed 2 years ago

doomedraven commented 2 years ago

c378387344e0a552dc065de6bfa607fd26e0b5c569751c79fbf9c6f2e91c9807

scrublullz commented 2 years ago

I was able to get full execution in my Win10 VMs, if any data from them could help.

doomedraven commented 2 years ago

What win10 build and version?

scrublullz commented 2 years ago

Version 21H1, OS Build 19043.1023, Office 2010

ClaudioWayne commented 2 years ago

Can you share analysis.log and the behavioral analysis section? Do you see a process tree similar to this one? [image]

scrublullz commented 2 years ago

[image]

[image]

I'll rerun and grab logs.

scrublullz commented 2 years ago

analysis.log:

2022-06-22 19:20:11,121 [root] INFO: Date set to: 20220623T18:15:24, timeout set to: 200
2022-06-22 19:20:11,137 [root] DEBUG: Starting analyzer from: C:\tmp6tkbn3gc
2022-06-22 19:20:11,137 [root] DEBUG: Storing results at: C:\PrUGuHE
2022-06-22 19:20:11,137 [root] DEBUG: Pipe server name: \\.\PIPE\xyAiVVG
2022-06-22 19:20:11,137 [root] DEBUG: Python path: C:\Users\johnquser\AppData\Local\Programs\Python\Python37-32
2022-06-22 19:20:11,137 [root] INFO: Analysis package "doc" has been specified
2022-06-22 19:20:11,137 [root] DEBUG: Importing analysis package "doc"...
2022-06-22 19:20:11,152 [root] DEBUG: Initializing analysis package "doc"...
2022-06-22 19:20:11,152 [root] INFO: Analyzer: Package modules.packages.doc does not specify a DLL option
2022-06-22 19:20:11,152 [root] INFO: Analyzer: Package modules.packages.doc does not specify a DLL_64 option
2022-06-22 19:20:11,152 [root] INFO: Analyzer: Package modules.packages.doc does not specify a loader option
2022-06-22 19:20:11,152 [root] INFO: Analyzer: Package modules.packages.doc does not specify a loader_64 option
2022-06-22 19:20:11,199 [root] DEBUG: Importing auxiliary module "modules.auxiliary.browser"...
2022-06-22 19:20:11,199 [root] DEBUG: Importing auxiliary module "modules.auxiliary.curtain"...
2022-06-22 19:20:11,199 [root] DEBUG: Importing auxiliary module "modules.auxiliary.digisig"...
2022-06-22 19:20:11,215 [root] DEBUG: Importing auxiliary module "modules.auxiliary.disguise"...
2022-06-22 19:20:11,231 [root] DEBUG: Importing auxiliary module "modules.auxiliary.evtx"...
2022-06-22 19:20:11,231 [root] DEBUG: Importing auxiliary module "modules.auxiliary.filepickup"...
2022-06-22 19:20:11,231 [root] DEBUG: Importing auxiliary module "modules.auxiliary.human"...
2022-06-22 19:20:11,246 [root] DEBUG: Importing auxiliary module "modules.auxiliary.permissions"...
2022-06-22 19:20:11,246 [root] DEBUG: Importing auxiliary module "modules.auxiliary.procmon"...
2022-06-22 19:20:11,263 [root] DEBUG: Importing auxiliary module "modules.auxiliary.screenshots"...
2022-06-22 19:20:11,263 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2022-06-22 19:20:11,324 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2022-06-22 19:20:11,324 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2022-06-22 19:20:11,340 [root] DEBUG: Importing auxiliary module "modules.auxiliary.sysmon"...
2022-06-22 19:20:11,340 [root] DEBUG: Importing auxiliary module "modules.auxiliary.tlsdump"...
2022-06-22 19:20:11,340 [root] DEBUG: Importing auxiliary module "modules.auxiliary.usage"...
2022-06-22 19:20:11,340 [root] DEBUG: Initialized auxiliary module "Browser"
2022-06-22 19:20:11,340 [root] DEBUG: Trying to start auxiliary module "Browser"...
2022-06-22 19:20:11,355 [root] DEBUG: Started auxiliary module "Browser"
2022-06-22 19:20:11,355 [root] DEBUG: Started auxiliary module Browser
2022-06-22 19:20:11,355 [root] DEBUG: Initialized auxiliary module "Curtain"
2022-06-22 19:20:11,355 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2022-06-22 19:20:11,355 [root] DEBUG: Started auxiliary module "Curtain"
2022-06-22 19:20:11,355 [root] DEBUG: Started auxiliary module Curtain
2022-06-22 19:20:11,355 [root] DEBUG: Initialized auxiliary module "DigiSig"
2022-06-22 19:20:11,355 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2022-06-22 19:20:11,355 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2022-06-22 19:20:11,622 [modules.auxiliary.digisig] DEBUG: File format not recognized
2022-06-22 19:20:11,622 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2022-06-22 19:20:11,637 [root] DEBUG: Started auxiliary module "DigiSig"
2022-06-22 19:20:11,637 [root] DEBUG: Started auxiliary module DigiSig
2022-06-22 19:20:11,637 [root] DEBUG: Initialized auxiliary module "Disguise"
2022-06-22 19:20:11,637 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2022-06-22 19:20:11,637 [root] WARNING: Cannot execute auxiliary module Disguise: [WinError 5] Access is denied
2022-06-22 19:20:11,637 [root] DEBUG: Initialized auxiliary module "Evtx"
2022-06-22 19:20:11,637 [root] DEBUG: Trying to start auxiliary module "Evtx"...
2022-06-22 19:20:11,637 [root] DEBUG: Started auxiliary module "Evtx"
2022-06-22 19:20:11,637 [root] DEBUG: Started auxiliary module Evtx
2022-06-22 19:20:11,637 [root] WARNING: Auxiliary module FilePickup was not implemented: 'Config' object has no attribute 'file_pickup'
2022-06-22 19:20:11,637 [root] DEBUG: Initialized auxiliary module "Human"
2022-06-22 19:20:11,637 [root] DEBUG: Trying to start auxiliary module "Human"...
2022-06-22 19:20:11,653 [root] DEBUG: Started auxiliary module "Human"
2022-06-22 19:20:11,653 [root] DEBUG: Started auxiliary module Human
2022-06-22 19:20:11,653 [root] WARNING: Auxiliary module Permissions was not implemented: 'Config' object has no attribute 'file_pickup'
2022-06-22 19:20:11,653 [root] DEBUG: Initialized auxiliary module "Procmon"
2022-06-22 19:20:11,653 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2022-06-22 19:20:11,653 [root] DEBUG: Started auxiliary module "Procmon"
2022-06-22 19:20:11,653 [root] DEBUG: Started auxiliary module Procmon
2022-06-22 19:20:11,653 [root] DEBUG: Initialized auxiliary module "Screenshots"
2022-06-22 19:20:11,668 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2022-06-22 19:20:11,668 [root] DEBUG: Started auxiliary module "Screenshots"
2022-06-22 19:20:11,668 [root] DEBUG: Started auxiliary module Screenshots
2022-06-22 19:20:11,668 [root] DEBUG: Initialized auxiliary module "Sysmon"
2022-06-22 19:20:11,668 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2022-06-22 19:20:11,668 [root] DEBUG: Started auxiliary module "Sysmon"
2022-06-22 19:20:11,668 [root] DEBUG: Started auxiliary module Sysmon
2022-06-22 19:20:11,668 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2022-06-22 19:20:11,668 [root] DEBUG: Trying to start auxiliary module "TLSDumpMasterSecrets"...
2022-06-22 19:20:11,668 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2022-06-22 19:20:11,668 [lib.api.process] INFO: Monitor config for process 696: C:\tmp6tkbn3gc\dll\696.ini
2022-06-22 19:20:11,668 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2022-06-22 19:20:11,668 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp6tkbn3gc\dll\hqmfbNV.dll, loader C:\tmp6tkbn3gc\bin\KMHLjmgy.exe
2022-06-22 19:20:11,730 [root] DEBUG: Loader: Injecting process 696 with C:\tmp6tkbn3gc\dll\hqmfbNV.dll.
2022-06-22 19:20:11,730 [root] DEBUG: Error 5 (0x5) - InjectDll: Failed to open process: Access is denied.
2022-06-22 19:20:11,730 [root] DEBUG: Successfully injected DLL C:\tmp6tkbn3gc\dll\hqmfbNV.dll.
2022-06-22 19:20:11,730 [root] DEBUG: Started auxiliary module "TLSDumpMasterSecrets"
2022-06-22 19:20:11,730 [root] DEBUG: Started auxiliary module TLSDumpMasterSecrets
2022-06-22 19:20:11,730 [root] DEBUG: Initialized auxiliary module "Usage"
2022-06-22 19:20:11,730 [root] DEBUG: Trying to start auxiliary module "Usage"...
2022-06-22 19:20:11,730 [root] DEBUG: Started auxiliary module "Usage"
2022-06-22 19:20:11,730 [root] DEBUG: Started auxiliary module Usage
2022-06-22 19:20:12,184 [root] INFO: Restarting WMI Service
2022-06-22 19:20:12,308 [lib.api.process] INFO: Successfully executed process from path "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" with arguments ""C:\Users\JOHNQU~1\AppData\Local\Temp\emotet.doc" /q" with pid 3096
2022-06-22 19:20:12,308 [lib.api.process] INFO: Monitor config for process 3096: C:\tmp6tkbn3gc\dll\3096.ini
2022-06-22 19:20:12,324 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp6tkbn3gc\dll\IKfHLon.dll, loader C:\tmp6tkbn3gc\bin\qOLwdtE.exe
2022-06-22 19:20:12,355 [root] DEBUG: Loader: Injecting process 3096 (thread 1612) with C:\tmp6tkbn3gc\dll\IKfHLon.dll.
2022-06-22 19:20:12,355 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2022-06-22 19:20:12,355 [root] DEBUG: Successfully injected DLL C:\tmp6tkbn3gc\dll\IKfHLon.dll.
2022-06-22 19:20:12,371 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3096
2022-06-22 19:20:14,387 [lib.api.process] INFO: Successfully resumed process with pid 3096
2022-06-22 19:20:14,621 [root] DEBUG: Python path set to 'C:\Users\johnquser\AppData\Local\Programs\Python\Python37-32'.
2022-06-22 19:20:14,621 [root] DEBUG: Dropped file limit defaulting to 100.
2022-06-22 19:20:14,637 [root] DEBUG: Initialising Yara...
2022-06-22 19:20:14,637 [root] DEBUG: YaraInit: Compiled 18 rule files
2022-06-22 19:20:14,637 [root] DEBUG: YaraInit: Compiled rules saved to file C:\tmp6tkbn3gc\data\yara\capemon.yac
2022-06-22 19:20:14,637 [root] DEBUG: InternalYaraScan: Scanning 0x77590000, size 0x1a219c
2022-06-22 19:20:14,668 [root] DEBUG: Error 5 (0x5) - AmsiDumper: Is CAPE agent running elevated? Initialisation failed: Access is denied.
2022-06-22 19:20:14,668 [root] DEBUG: Monitor initialised: 32-bit capemon loaded in process 3096 at 0x72430000, thread 1612, image base 0x2fdd0000, stack from 0x566000-0x570000
2022-06-22 19:20:14,668 [root] DEBUG: Commandline: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" "C:\Users\JOHNQU~1\AppData\Local\Temp\emotet.doc" /q
2022-06-22 19:20:14,683 [root] DEBUG: Microsoft Office settings enabled.
2022-06-22 19:20:14,715 [root] DEBUG: RestoreHeaders: Restored original import table.
2022-06-22 19:20:14,715 [root] INFO: Loaded monitor into process with pid 3096
2022-06-22 19:20:14,731 [root] DEBUG: DLL loaded at 0x72320000: C:\Windows\SYSTEM32\ninput (0x54000 bytes).
2022-06-22 19:20:14,731 [root] DEBUG: caller_dispatch: Adding region at 0x2FDD0000 to caller regions list (ntdll::LdrGetDllHandle returns to 0x2FDD111F, thread 1612).
2022-06-22 19:20:14,731 [root] DEBUG: caller_dispatch: Dump of calling region at 0x2FDD0000 skipped (ntdll::LdrGetDllHandle returns to 0x2FDD111F mapped as \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE).
2022-06-22 19:20:14,777 [root] DEBUG: DLL loaded at 0x74B40000: C:\Windows\SYSTEM32\WTSAPI32 (0xf000 bytes).
2022-06-22 19:20:14,793 [root] DEBUG: DLL loaded at 0x732C0000: C:\Windows\SYSTEM32\MSIMG32 (0x6000 bytes).
2022-06-22 19:20:14,793 [root] DEBUG: DLL loaded at 0x70EF0000: C:\Program Files (x86)\Microsoft Office\Office14\gfx (0x1ab000 bytes).
2022-06-22 19:20:14,809 [root] DEBUG: DLL loaded at 0x6FB50000: C:\Program Files (x86)\Microsoft Office\Office14\oart (0x1394000 bytes).
2022-06-22 19:20:14,824 [root] DEBUG: DLL loaded at 0x710A0000: C:\Program Files (x86)\Microsoft Office\Office14\wwlib (0x127f000 bytes).
2022-06-22 19:20:14,840 [root] DEBUG: DLL loaded at 0x6E960000: C:\Program Files (x86)\Common Files\Microsoft Shared\office14\mso (0x11ea000 bytes).
2022-06-22 19:20:14,871 [root] DEBUG: DLL loaded at 0x6E750000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.844_none_11adecdf30011423\Comctl32 (0x210000 bytes).
2022-06-22 19:20:14,871 [root] INFO: Disabling sleep skipping.
2022-06-22 19:20:14,965 [root] DEBUG: DLL unloaded from 0x75630000.
2022-06-22 19:20:14,981 [root] DEBUG: DLL loaded at 0x6E720000: C:\Windows\SYSTEM32\srpapi (0x25000 bytes).
2022-06-22 19:20:15,043 [root] DEBUG: DLL loaded at 0x6E660000: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSPTLS (0xbc000 bytes).
2022-06-22 19:20:15,074 [root] DEBUG: DLL loaded at 0x771F0000: C:\Windows\System32\MSCTF (0xd4000 bytes).
2022-06-22 19:20:15,105 [root] DEBUG: DLL loaded at 0x6E510000: C:\Program Files (x86)\Common Files\Microsoft Shared\office14\riched20 (0x14f000 bytes).
2022-06-22 19:20:15,121 [root] DEBUG: DLL loaded at 0x6E4B0000: C:\Windows\system32\mscoree (0x52000 bytes).
2022-06-22 19:20:15,137 [root] DEBUG: DLL loaded at 0x6E420000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x8d000 bytes).
2022-06-22 19:20:15,137 [root] DEBUG: DLL unloaded from 0x76AA0000.
2022-06-22 19:20:15,168 [root] DEBUG: DLL loaded at 0x6E400000: C:\Program Files (x86)\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC (0x20000 bytes).
2022-06-22 19:20:15,184 [root] DEBUG: DLL loaded at 0x76850000: C:\Windows\System32\bcryptPrimitives (0x5f000 bytes).
2022-06-22 19:20:15,199 [root] DEBUG: DLL loaded at 0x77060000: C:\Windows\System32\clbcatq (0x7e000 bytes).
2022-06-22 19:20:15,215 [root] DEBUG: DLL loaded at 0x6E3C0000: C:\Windows\System32\netprofm (0x31000 bytes).
2022-06-22 19:20:15,246 [root] DEBUG: DLL loaded at 0x6E3B0000: C:\Windows\System32\npmproxy (0xa000 bytes).
2022-06-22 19:20:15,277 [root] DEBUG: DLL loaded at 0x73FA0000: C:\Windows\SYSTEM32\IPHLPAPI (0x32000 bytes).
2022-06-22 19:20:15,277 [root] DEBUG: DLL loaded at 0x771E0000: C:\Windows\System32\NSI (0x7000 bytes).
2022-06-22 19:20:15,293 [root] DEBUG: DLL loaded at 0x6E390000: C:\Windows\SYSTEM32\dhcpcsvc6 (0x14000 bytes).
2022-06-22 19:20:15,293 [root] DEBUG: DLL loaded at 0x73EE0000: C:\Windows\SYSTEM32\dhcpcsvc (0x16000 bytes).
2022-06-22 19:20:15,309 [root] DEBUG: DLL loaded at 0x6E2F0000: C:\Windows\SYSTEM32\DNSAPI (0x92000 bytes).
2022-06-22 19:20:15,340 [root] DEBUG: DLL loaded at 0x6E260000: C:\Windows\SYSTEM32\sxs (0x88000 bytes).
2022-06-22 19:20:15,356 [root] DEBUG: DLL loaded at 0x76660000: C:\Windows\System32\coml2 (0x5e000 bytes).
2022-06-22 19:20:15,387 [root] DEBUG: DLL loaded at 0x6E250000: C:\Windows\SYSTEM32\windows.staterepositorycore (0xc000 bytes).
2022-06-22 19:20:15,465 [root] DEBUG: api-rate-cap: NtQueryKey hook disabled due to rate.
2022-06-22 19:20:15,481 [root] DEBUG: api-rate-cap: NtOpenKeyEx hook disabled due to rate.
2022-06-22 19:20:17,215 [root] DEBUG: DLL unloaded from 0x77030000.
2022-06-22 19:20:17,215 [root] DEBUG: DLL loaded at 0x6E200000: C:\Windows\SYSTEM32\POWRPROF (0x44000 bytes).
2022-06-22 19:20:17,231 [root] DEBUG: DLL loaded at 0x6E1F0000: C:\Windows\SYSTEM32\UMPDC (0xd000 bytes).
2022-06-22 19:20:17,231 [root] DEBUG: DLL unloaded from 0x6E200000.
2022-06-22 19:20:17,293 [root] DEBUG: DLL loaded at 0x74E00000: C:\Windows\SYSTEM32\Wldp (0x24000 bytes).
2022-06-22 19:20:17,293 [root] DEBUG: DLL loaded at 0x74E30000: C:\Windows\SYSTEM32\windows.storage (0x609000 bytes).
2022-06-22 19:20:17,308 [root] DEBUG: DLL unloaded from 0x2FDD0000.
2022-06-22 19:20:17,324 [root] DEBUG: DLL loaded at 0x76490000: C:\Windows\System32\CFGMGR32 (0x3b000 bytes).
2022-06-22 19:20:17,324 [root] DEBUG: DLL unloaded from 0x74E30000.
2022-06-22 19:20:17,340 [root] DEBUG: DLL unloaded from 0x759D0000.
2022-06-22 19:20:17,340 [root] DEBUG: DLL loaded at 0x6E120000: C:\Windows\system32\propsys (0xc2000 bytes).
2022-06-22 19:20:17,418 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Roaming\Microsoft\Templates\Normal.dotm
2022-06-22 19:20:17,418 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
2022-06-22 19:20:17,465 [root] DEBUG: DLL loaded at 0x6DF40000: C:\Windows\System32\msxml6 (0x1dd000 bytes).
2022-06-22 19:20:17,543 [root] DEBUG: DLL loaded at 0x74B00000: C:\Windows\SYSTEM32\profapi (0x18000 bytes).
2022-06-22 19:20:17,621 [root] DEBUG: DLL loaded at 0x74AD0000: C:\Windows\SYSTEM32\ntmarta (0x29000 bytes).
2022-06-22 19:20:17,621 [root] DEBUG: DLL loaded at 0x6DB60000: C:\Windows\SYSTEM32\CoreMessaging (0x9b000 bytes).
2022-06-22 19:20:17,637 [root] DEBUG: DLL loaded at 0x6DA80000: C:\Windows\SYSTEM32\wintypes (0xdb000 bytes).
2022-06-22 19:20:17,652 [root] DEBUG: DLL loaded at 0x6DC00000: C:\Windows\SYSTEM32\CoreUIComponents (0x27e000 bytes).
2022-06-22 19:20:17,652 [root] DEBUG: DLL loaded at 0x6DE80000: C:\Windows\SYSTEM32\textinputframework (0xb9000 bytes).
2022-06-22 19:20:17,746 [root] DEBUG: DLL unloaded from 0x74440000.
2022-06-22 19:20:17,793 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Temp\emotet.doc
2022-06-22 19:20:17,809 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Temp\~$emotet.doc
2022-06-22 19:20:17,887 [root] DEBUG: DLL loaded at 0x6DA50000: C:\Program Files (x86)\Common Files\Microsoft Shared\TEXTCONV\WPFT532.CNV (0x2f000 bytes).
2022-06-22 19:20:17,918 [root] DEBUG: DLL loaded at 0x6DA30000: C:\Program Files (x86)\Common Files\Microsoft Shared\TEXTCONV\msconv97 (0x1f000 bytes).
2022-06-22 19:20:17,918 [root] DEBUG: DLL unloaded from 0x2FDD0000.
2022-06-22 19:20:17,934 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Temp\tst4E9F.tmp size is 0, Max size: 100000000
2022-06-22 19:20:17,949 [root] DEBUG: DLL unloaded from 0x6DA30000.
2022-06-22 19:20:17,965 [root] DEBUG: DLL unloaded from 0x6DA50000.
2022-06-22 19:20:17,980 [root] DEBUG: DLL loaded at 0x6DA40000: C:\Program Files (x86)\Common Files\Microsoft Shared\TEXTCONV\WPFT632.CNV (0x3d000 bytes).
2022-06-22 19:20:17,996 [root] DEBUG: DLL loaded at 0x6DA20000: C:\Program Files (x86)\Common Files\Microsoft Shared\TEXTCONV\msconv97 (0x1f000 bytes).
2022-06-22 19:20:17,996 [root] DEBUG: DLL unloaded from 0x2FDD0000.
2022-06-22 19:20:18,012 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Temp\tst4EEE.tmp size is 0, Max size: 100000000
2022-06-22 19:20:18,043 [root] DEBUG: DLL unloaded from 0x6DA20000.
2022-06-22 19:20:18,043 [root] DEBUG: DLL unloaded from 0x6DA40000.
2022-06-22 19:20:18,059 [root] DEBUG: DLL loaded at 0x6DA50000: C:\Program Files (x86)\Common Files\Microsoft Shared\TEXTCONV\WPFT532.CNV (0x2f000 bytes).
2022-06-22 19:20:18,121 [root] DEBUG: DLL loaded at 0x6DA30000: C:\Program Files (x86)\Common Files\Microsoft Shared\TEXTCONV\msconv97 (0x1f000 bytes).
2022-06-22 19:20:18,137 [root] DEBUG: DLL unloaded from 0x2FDD0000.
2022-06-22 19:20:18,152 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Temp\tst4F7C.tmp size is 0, Max size: 100000000
2022-06-22 19:20:18,152 [root] DEBUG: DLL unloaded from 0x6DA30000.
2022-06-22 19:20:18,168 [root] DEBUG: DLL unloaded from 0x6DA50000.
2022-06-22 19:20:18,184 [root] DEBUG: DLL loaded at 0x6DA40000: C:\Program Files (x86)\Common Files\Microsoft Shared\TEXTCONV\WPFT632.CNV (0x3d000 bytes).
2022-06-22 19:20:18,184 [root] DEBUG: DLL loaded at 0x6DA20000: C:\Program Files (x86)\Common Files\Microsoft Shared\TEXTCONV\msconv97 (0x1f000 bytes).
2022-06-22 19:20:18,199 [root] DEBUG: DLL unloaded from 0x2FDD0000.
2022-06-22 19:20:18,199 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Temp\tst4FBB.tmp size is 0, Max size: 100000000
2022-06-22 19:20:18,215 [root] DEBUG: DLL unloaded from 0x6DA20000.
2022-06-22 19:20:18,231 [root] DEBUG: DLL unloaded from 0x6DA40000.
2022-06-22 19:20:18,262 [root] DEBUG: DLL loaded at 0x6DA70000: C:\Program Files (x86)\Microsoft Office\Office14\Wordcnvpxy.cnv (0x8000 bytes).
2022-06-22 19:20:18,262 [root] DEBUG: DLL unloaded from 0x6DA70000.
2022-06-22 19:20:18,277 [root] DEBUG: DLL loaded at 0x6DA70000: C:\Program Files (x86)\Microsoft Office\Office14\Wordcnvpxy.cnv (0x8000 bytes).
2022-06-22 19:20:18,293 [root] DEBUG: DLL loaded at 0x6DA70000: C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\RECOVR32.CNV (0xa000 bytes).
2022-06-22 19:20:18,293 [root] DEBUG: DLL loaded at 0x6DA50000: C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\msconv97 (0x1f000 bytes).
2022-06-22 19:20:18,309 [root] DEBUG: DLL unloaded from 0x2FDD0000.
2022-06-22 19:20:18,309 [root] DEBUG: DLL unloaded from 0x6DA50000.
2022-06-22 19:20:18,309 [root] DEBUG: DLL unloaded from 0x6DA70000.
2022-06-22 19:20:18,324 [root] DEBUG: DLL loaded at 0x6DA70000: C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\Wks9Pxy.cnv (0xd000 bytes).
2022-06-22 19:20:18,340 [root] DEBUG: DLL loaded at 0x6DA50000: C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\WPFT532.CNV (0x2f000 bytes).
2022-06-22 19:20:18,340 [root] DEBUG: DLL loaded at 0x6DA30000: C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\msconv97 (0x1f000 bytes).
2022-06-22 19:20:18,355 [root] DEBUG: DLL unloaded from 0x2FDD0000.
2022-06-22 19:20:18,355 [root] DEBUG: DLL unloaded from 0x6DA30000.
2022-06-22 19:20:18,355 [root] DEBUG: DLL unloaded from 0x6DA50000.
2022-06-22 19:20:18,371 [root] DEBUG: DLL loaded at 0x6DA40000: C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\WPFT632.CNV (0x3d000 bytes).
2022-06-22 19:20:18,387 [root] DEBUG: DLL loaded at 0x6DA20000: C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\msconv97 (0x1f000 bytes).
2022-06-22 19:20:18,387 [root] DEBUG: DLL unloaded from 0x2FDD0000.
2022-06-22 19:20:18,387 [root] DEBUG: DLL unloaded from 0x6DA20000.
2022-06-22 19:20:18,402 [root] DEBUG: DLL unloaded from 0x6DA40000.
2022-06-22 19:20:18,418 [root] DEBUG: DLL loaded at 0x6DA50000: C:\Program Files (x86)\Common Files\Microsoft Shared\TEXTCONV\WPFT532.CNV (0x2f000 bytes).
2022-06-22 19:20:18,433 [root] DEBUG: DLL loaded at 0x6DA30000: C:\Program Files (x86)\Common Files\Microsoft Shared\TEXTCONV\msconv97 (0x1f000 bytes).
2022-06-22 19:20:18,433 [root] DEBUG: DLL unloaded from 0x2FDD0000.
2022-06-22 19:20:18,433 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Temp\tst50A7.tmp size is 0, Max size: 100000000
2022-06-22 19:20:18,449 [root] DEBUG: DLL unloaded from 0x6DA30000.
2022-06-22 19:20:18,449 [root] DEBUG: DLL unloaded from 0x6DA50000.
2022-06-22 19:20:18,465 [root] DEBUG: DLL loaded at 0x6DA40000: C:\Program Files (x86)\Common Files\Microsoft Shared\TEXTCONV\WPFT632.CNV (0x3d000 bytes).
2022-06-22 19:20:18,480 [root] DEBUG: DLL loaded at 0x6DA20000: C:\Program Files (x86)\Common Files\Microsoft Shared\TEXTCONV\msconv97 (0x1f000 bytes).
2022-06-22 19:20:18,496 [root] DEBUG: DLL unloaded from 0x2FDD0000.
2022-06-22 19:20:18,496 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Temp\tst50E6.tmp size is 0, Max size: 100000000
2022-06-22 19:20:18,512 [root] DEBUG: DLL unloaded from 0x6DA20000.
2022-06-22 19:20:18,527 [root] DEBUG: DLL unloaded from 0x6DA40000.
2022-06-22 19:20:18,730 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\22A5025F.wmf
2022-06-22 19:20:18,746 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\22A5025F.wmf size is 452, Max size: 100000000
2022-06-22 19:20:18,793 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\39AA1AC5.wmf
2022-06-22 19:20:18,793 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\39AA1AC5.wmf size is 452, Max size: 100000000
2022-06-22 19:20:18,840 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\C11BDE1B.wmf
2022-06-22 19:20:18,856 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\C11BDE1B.wmf size is 452, Max size: 100000000
2022-06-22 19:20:18,887 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8238B9E1.wmf
2022-06-22 19:20:18,887 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8238B9E1.wmf size is 452, Max size: 100000000
2022-06-22 19:20:18,902 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3A90F797.wmf
2022-06-22 19:20:18,918 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3A90F797.wmf size is 452, Max size: 100000000
2022-06-22 19:20:18,949 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7CCF1CBD.wmf
2022-06-22 19:20:18,949 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7CCF1CBD.wmf size is 452, Max size: 100000000
2022-06-22 19:20:18,981 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\177F4AD3.wmf
2022-06-22 19:20:18,996 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\177F4AD3.wmf size is 452, Max size: 100000000
2022-06-22 19:20:19,027 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\952D9F59.wmf
2022-06-22 19:20:19,027 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\952D9F59.wmf size is 452, Max size: 100000000
2022-06-22 19:20:19,058 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\BAF393CF.wmf
2022-06-22 19:20:19,058 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\BAF393CF.wmf size is 452, Max size: 100000000
2022-06-22 19:20:19,106 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E24C5DB5.wmf
2022-06-22 19:20:19,106 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E24C5DB5.wmf size is 452, Max size: 100000000
2022-06-22 19:20:19,137 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\98C84E8B.wmf
2022-06-22 19:20:19,137 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\98C84E8B.wmf size is 452, Max size: 100000000
2022-06-22 19:20:19,199 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\83F733D1.wmf
2022-06-22 19:20:19,199 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\83F733D1.wmf size is 452, Max size: 100000000
2022-06-22 19:20:19,246 [root] DEBUG: DLL unloaded from 0x77590000.
2022-06-22 19:20:19,293 [root] DEBUG: DLL loaded at 0x6D9E0000: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\USP10 (0x9e000 bytes).
2022-06-22 19:20:19,356 [root] DEBUG: DLL loaded at 0x6D870000: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.1023_none_d94e0b13e107593b\GdiPlus (0x169000 bytes).
2022-06-22 19:20:19,356 [root] DEBUG: DLL unloaded from 0x75630000.
2022-06-22 19:20:19,371 [root] DEBUG: DLL loaded at 0x6D6F0000: C:\Windows\SYSTEM32\WindowsCodecs (0x171000 bytes).
2022-06-22 19:20:19,402 [root] DEBUG: DLL loaded at 0x6D4D0000: C:\Windows\system32\d3d11 (0x1e0000 bytes).
2022-06-22 19:20:19,418 [root] DEBUG: DLL loaded at 0x6D360000: C:\Windows\system32\dcomp (0x165000 bytes).
2022-06-22 19:20:19,434 [root] DEBUG: DLL loaded at 0x6D6B0000: C:\Windows\system32\dataexchange (0x31000 bytes).
2022-06-22 19:20:19,449 [root] DEBUG: DLL loaded at 0x6D1D0000: C:\Windows\system32\twinapi.appcore (0x18f000 bytes).
2022-06-22 19:20:19,512 [root] DEBUG: DLL loaded at 0x74950000: C:\Windows\SYSTEM32\msvcp110_win (0x65000 bytes).
2022-06-22 19:20:19,527 [root] DEBUG: DLL loaded at 0x6D140000: C:\Windows\SYSTEM32\policymanager (0x83000 bytes).
2022-06-22 19:20:19,527 [root] DEBUG: caller_dispatch: Adding region at 0x6D140000 to caller regions list (ntdll::NtProtectVirtualMemory returns to 0x6D154A88, thread 1884).
2022-06-22 19:20:19,527 [root] DEBUG: caller_dispatch: Dump of calling region at 0x6D140000 skipped (ntdll::NtProtectVirtualMemory returns to 0x6D154A88 mapped as \Device\HarddiskVolume2\Windows\SysWOW64\policymanager.dll).
2022-06-22 19:20:19,543 [root] DEBUG: DLL loaded at 0x6D010000: C:\Windows\System32\FM20 (0x12d000 bytes).
2022-06-22 19:20:19,543 [root] DEBUG: caller_dispatch: Adding region at 0x6D010000 to caller regions list (ntdll::LdrLoadDll returns to 0x6D03E07D, thread 1612).
2022-06-22 19:20:19,543 [root] DEBUG: caller_dispatch: Scanning calling region at 0x6D010000...
2022-06-22 19:20:19,543 [root] DEBUG: caller_dispatch: Dump of calling region at 0x6D010000 skipped (ntdll::LdrLoadDll returns to 0x6D03E07D mapped as \Device\HarddiskVolume2\Windows\SysWOW64\FM20.DLL).
2022-06-22 19:20:19,793 [root] DEBUG: api-rate-cap: NtQueryValueKey hook disabled due to rate.
2022-06-22 19:20:19,949 [root] DEBUG: caller_dispatch: Adding region at 0x00470000 to caller regions list (ntdll::RtlSetCurrentTransaction returns to 0x00567440, thread 1612).
2022-06-22 19:20:19,949 [root] DEBUG: caller_dispatch: Dump of calling region at 0x00470000 skipped (ntdll::RtlSetCurrentTransaction returns to 0x00567440).
2022-06-22 19:20:19,965 [root] DEBUG: DLL loaded at 0x6CD80000: C:\PROGRA~2\COMMON~1\MICROS~1\VBA\VBA7\VBE7 (0x28d000 bytes).
2022-06-22 19:20:19,965 [root] DEBUG: caller_dispatch: Adding region at 0x6CD80000 to caller regions list (kernel32::HeapCreate returns to 0x6CE56A22, thread 1612).
2022-06-22 19:20:19,965 [root] DEBUG: caller_dispatch: Scanning calling region at 0x6CD80000...
2022-06-22 19:20:19,965 [root] DEBUG: caller_dispatch: Dump of calling region at 0x6CD80000 skipped (kernel32::HeapCreate returns to 0x6CE56A22 mapped as \Device\HarddiskVolume2\PROGRA~2\COMMON~1\MICROS~1\VBA\VBA7\VBE7.DLL).
2022-06-22 19:20:19,981 [root] DEBUG: DLL loaded at 0x0D640000: C:\PROGRA~2\COMMON~1\MICROS~1\VBA\VBA7\1033\VBE7INTL (0x26000 bytes).
2022-06-22 19:20:22,933 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Temp\Word8.0\MSForms.exd
2022-06-22 19:20:23,090 [root] DEBUG: DLL loaded at 0x0BBA0000: C:\Windows\System32\fm20ENU (0x8000 bytes).
2022-06-22 19:20:23,106 [root] DEBUG: CreateProcessHandler: Injection info set for new process 3056: C:\Windows\splwow64.exe, ImageBase: 0x00000000
2022-06-22 19:20:23,106 [root] INFO: Announced 64-bit process name: splwow64.exe pid: 3056
2022-06-22 19:20:23,106 [lib.api.process] INFO: Monitor config for process 3056: C:\tmp6tkbn3gc\dll\3056.ini
2022-06-22 19:20:23,106 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp6tkbn3gc\dll\hqmfbNV.dll, loader C:\tmp6tkbn3gc\bin\KMHLjmgy.exe
2022-06-22 19:20:23,136 [root] DEBUG: Loader: Injecting process 3056 (thread 3452) with C:\tmp6tkbn3gc\dll\hqmfbNV.dll.
2022-06-22 19:20:23,136 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2022-06-22 19:20:23,136 [root] DEBUG: Successfully injected DLL C:\tmp6tkbn3gc\dll\hqmfbNV.dll.
2022-06-22 19:20:23,136 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3056
2022-06-22 19:20:23,136 [root] DEBUG: DLL unloaded from 0x77590000.
2022-06-22 19:20:23,152 [root] INFO: Announced 64-bit process name: splwow64.exe pid: 3056
2022-06-22 19:20:23,152 [lib.api.process] INFO: Monitor config for process 3056: C:\tmp6tkbn3gc\dll\3056.ini
2022-06-22 19:20:23,152 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp6tkbn3gc\dll\hqmfbNV.dll, loader C:\tmp6tkbn3gc\bin\KMHLjmgy.exe
2022-06-22 19:20:23,168 [root] DEBUG: Loader: Injecting process 3056 (thread 3452) with C:\tmp6tkbn3gc\dll\hqmfbNV.dll.
2022-06-22 19:20:23,168 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2022-06-22 19:20:23,168 [root] DEBUG: Successfully injected DLL C:\tmp6tkbn3gc\dll\hqmfbNV.dll.
2022-06-22 19:20:23,168 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3056
2022-06-22 19:20:23,168 [root] INFO: Announced 64-bit process name: splwow64.exe pid: 3056
2022-06-22 19:20:23,168 [lib.api.process] INFO: Monitor config for process 3056: C:\tmp6tkbn3gc\dll\3056.ini
2022-06-22 19:20:23,168 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp6tkbn3gc\dll\hqmfbNV.dll, loader C:\tmp6tkbn3gc\bin\KMHLjmgy.exe
2022-06-22 19:20:23,184 [root] DEBUG: Loader: Injecting process 3056 (thread 3452) with C:\tmp6tkbn3gc\dll\hqmfbNV.dll.
2022-06-22 19:20:23,184 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2022-06-22 19:20:23,184 [root] DEBUG: Successfully injected DLL C:\tmp6tkbn3gc\dll\hqmfbNV.dll.
2022-06-22 19:20:23,184 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3056
2022-06-22 19:20:23,261 [root] DEBUG: Python path set to 'C:\Users\johnquser\AppData\Local\Programs\Python\Python37-32'.
2022-06-22 19:20:23,261 [root] DEBUG: Dropped file limit defaulting to 100.
2022-06-22 19:20:23,261 [root] INFO: Disabling sleep skipping.
2022-06-22 19:20:23,261 [root] DEBUG: Initialising Yara...
2022-06-22 19:20:23,261 [root] DEBUG: YaraInit: Compiled rules loaded from existing file C:\tmp6tkbn3gc\data\yara\capemon.yac
2022-06-22 19:20:23,261 [root] DEBUG: InternalYaraScan: Scanning 0x00007FFDFEB90000, size 0x1f4546
2022-06-22 19:20:23,261 [root] DEBUG: Error 5 (0x5) - AmsiDumper: Is CAPE agent running elevated? Initialisation failed: Access is denied.
2022-06-22 19:20:23,277 [root] DEBUG: Monitor initialised: 64-bit capemon loaded in process 3056 at 0x00007FFDDC260000, thread 3452, image base 0x00007FF7B2360000, stack from 0x00000000001A5000-0x00000000001B0000
2022-06-22 19:20:23,277 [root] DEBUG: Commandline: C:\Windows\splwow64.exe 8192
2022-06-22 19:20:23,340 [root] DEBUG: RestoreHeaders: Restored original import table.
2022-06-22 19:20:23,340 [root] INFO: Loaded monitor into process with pid 3056
2022-06-22 19:20:23,340 [root] DEBUG: caller_dispatch: Adding region at 0x00007FFDFC930000 to caller regions list (ntdll::LdrGetProcedureAddressForCaller returns to 0x00007FFDFC970331, thread 3452).
2022-06-22 19:20:23,340 [root] DEBUG: caller_dispatch: Dump of calling region at 0x00007FFDFC930000 skipped (ntdll::LdrGetProcedureAddressForCaller returns to 0x00007FFDFC970331 mapped as \Device\HarddiskVolume2\Windows\System32\KernelBase.dll).
2022-06-22 19:20:23,340 [root] DEBUG: caller_dispatch: Adding region at 0x00007FFDFEB90000 to caller regions list (ntdll::NtClose returns to 0x00007FFDFEC63E73, thread 3452).
2022-06-22 19:20:23,340 [root] DEBUG: caller_dispatch: Dump of calling region at 0x00007FFDFEB90000 skipped (ntdll::NtClose returns to 0x00007FFDFEC63E73 mapped as \Device\HarddiskVolume2\Windows\System32\ntdll.dll).
2022-06-22 19:20:23,355 [root] DEBUG: caller_dispatch: Adding region at 0x00007FF7B2360000 to caller regions list (kernel32::SetUnhandledExceptionFilter returns to 0x00007FF7B236CC61, thread 3452).
2022-06-22 19:20:23,355 [root] DEBUG: YaraScan: Scanning 0x00007FF7B2360000, size 0x26326
2022-06-22 19:20:23,355 [root] DEBUG: caller_dispatch: Dump of calling region at 0x00007FF7B2360000 skipped (kernel32::SetUnhandledExceptionFilter returns to 0x00007FF7B236CC61 mapped as \Device\HarddiskVolume2\Windows\splwow64.exe).
2022-06-22 19:20:23,355 [root] DEBUG: caller_dispatch: Adding region at 0x00007FFDFCC00000 to caller regions list (msvcrt::memcpy returns to 0x00007FFDFCC308BA, thread 3452).
2022-06-22 19:20:23,355 [root] DEBUG: caller_dispatch: Dump of calling region at 0x00007FFDFCC00000 skipped (msvcrt::memcpy returns to 0x00007FFDFCC308BA mapped as \Device\HarddiskVolume2\Windows\System32\msvcrt.dll).
2022-06-22 19:20:23,355 [root] DEBUG: caller_dispatch: Adding region at 0x00007FFDFCDE0000 to caller regions list (advapi32::LsaOpenPolicy returns to 0x00007FFDFCDEF72B, thread 3948).
2022-06-22 19:20:23,355 [root] DEBUG: caller_dispatch: Dump of calling region at 0x00007FFDFCDE0000 skipped (advapi32::LsaOpenPolicy returns to 0x00007FFDFCDEF72B mapped as \Device\HarddiskVolume2\Windows\System32\advapi32.dll).
2022-06-22 19:21:24,287 [root] DEBUG: DLL unloaded from 0x733F0000.
2022-06-22 19:21:24,349 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\33D2155C.wmf
2022-06-22 19:21:24,443 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\6C29BDAD.wmf
2022-06-22 19:21:24,506 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\A5968FCA.wmf
2022-06-22 19:21:24,584 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\70A9C943.wmf
2022-06-22 19:21:24,662 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\65AEA68.wmf
2022-06-22 19:21:24,724 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\702B5749.wmf
2022-06-22 19:21:24,818 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7D1B84B6.wmf
2022-06-22 19:21:24,896 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\470C413F.wmf
2022-06-22 19:21:24,896 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\470C413F.wmf size is 430, Max size: 100000000
2022-06-22 19:21:24,974 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\DCC56A34.wmf
2022-06-22 19:21:24,974 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\DCC56A34.wmf size is 430, Max size: 100000000
2022-06-22 19:21:25,052 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3D6B1CA5.wmf
2022-06-22 19:21:25,115 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\97F73262.wmf
2022-06-22 19:21:25,178 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\21329AFB.wmf
2022-06-22 19:21:25,271 [root] DEBUG: DLL loaded at 0x6CCC0000: C:\Windows\SYSTEM32\wbemcomn (0x74000 bytes).
2022-06-22 19:21:25,287 [root] DEBUG: DLL loaded at 0x6CD40000: C:\Windows\system32\wbem\wbemdisp (0x3f000 bytes).
2022-06-22 19:21:25,287 [root] DEBUG: caller_dispatch: Adding region at 0x6CCC0000 to caller regions list (ntdll::LdrLoadDll returns to 0x6CCD81AD, thread 1612).
2022-06-22 19:21:25,287 [root] DEBUG: caller_dispatch: Scanning calling region at 0x6CCC0000...
2022-06-22 19:21:25,287 [root] DEBUG: caller_dispatch: Dump of calling region at 0x6CCC0000 skipped (ntdll::LdrLoadDll returns to 0x6CCD81AD mapped as \Device\HarddiskVolume2\Windows\SysWOW64\wbemcomn.dll).
2022-06-22 19:21:25,302 [lib.api.process] INFO: Monitor config for process 828: C:\tmp6tkbn3gc\dll\828.ini
2022-06-22 19:21:25,302 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp6tkbn3gc\dll\hqmfbNV.dll, loader C:\tmp6tkbn3gc\bin\KMHLjmgy.exe
2022-06-22 19:21:25,318 [root] DEBUG: Loader: Injecting process 828 with C:\tmp6tkbn3gc\dll\hqmfbNV.dll.
2022-06-22 19:21:25,318 [root] DEBUG: Error 5 (0x5) - InjectDll: Failed to open process: Access is denied.
2022-06-22 19:21:25,318 [root] DEBUG: Successfully injected DLL C:\tmp6tkbn3gc\dll\hqmfbNV.dll.
2022-06-22 19:21:27,334 [lib.api.process] INFO: Monitor config for process 848: C:\tmp6tkbn3gc\dll\848.ini
2022-06-22 19:21:27,334 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp6tkbn3gc\dll\hqmfbNV.dll, loader C:\tmp6tkbn3gc\bin\KMHLjmgy.exe
2022-06-22 19:21:27,350 [root] DEBUG: Loader: Injecting process 848 with C:\tmp6tkbn3gc\dll\hqmfbNV.dll.
2022-06-22 19:21:27,350 [root] DEBUG: Error 5 (0x5) - InjectDll: Failed to open process: Access is denied.
2022-06-22 19:21:27,350 [root] DEBUG: Successfully injected DLL C:\tmp6tkbn3gc\dll\hqmfbNV.dll.
2022-06-22 19:21:29,365 [root] DEBUG: caller_dispatch: Adding region at 0x6CD40000 to caller regions list (ntdll::LdrLoadDll returns to 0x6CD4EBE2, thread 1612).
2022-06-22 19:21:29,381 [root] DEBUG: DLL loaded at 0x6CCB0000: C:\Windows\system32\wbem\wbemprox (0xd000 bytes).
2022-06-22 19:21:29,396 [root] DEBUG: DLL loaded at 0x6CC90000: C:\Windows\system32\wbem\wmiutils (0x1d000 bytes).
2022-06-22 19:21:29,396 [root] DEBUG: caller_dispatch: Adding region at 0x6CCB0000 to caller regions list (ntdll::LdrGetDllHandle returns to 0x6CCB1D42, thread 1612).
2022-06-22 19:21:29,412 [root] DEBUG: DLL loaded at 0x6CC80000: C:\Windows\system32\wbem\wbemsvc (0x10000 bytes).
2022-06-22 19:21:29,427 [root] DEBUG: DLL loaded at 0x6CBB0000: C:\Windows\system32\wbem\fastprox (0xc9000 bytes).
2022-06-22 19:21:29,443 [root] DEBUG: caller_dispatch: Adding region at 0x6CBB0000 to caller regions list (ntdll::NtProtectVirtualMemory returns to 0x6CBE0D2E, thread 1612).
2022-06-22 19:21:29,443 [root] DEBUG: caller_dispatch: Dump of calling region at 0x6CBB0000 skipped (ntdll::NtProtectVirtualMemory returns to 0x6CBE0D2E mapped as \Device\HarddiskVolume2\Windows\SysWOW64\wbem\fastprox.dll).
2022-06-22 19:21:29,459 [root] DEBUG: DLL loaded at 0x6CB90000: C:\Windows\SYSTEM32\amsi (0x12000 bytes).
2022-06-22 19:21:29,459 [root] DEBUG: caller_dispatch: Adding region at 0x6CB90000 to caller regions list (ntdll::NtProtectVirtualMemory returns to 0x6CB99ED0, thread 1612).
2022-06-22 19:21:29,459 [root] DEBUG: caller_dispatch: Dump of calling region at 0x6CB90000 skipped (ntdll::NtProtectVirtualMemory returns to 0x6CB99ED0 mapped as \Device\HarddiskVolume2\Windows\SysWOW64\amsi.dll).
2022-06-22 19:21:29,459 [root] DEBUG: caller_dispatch: Adding region at 0x6CC80000 to caller regions list (ntdll::NtProtectVirtualMemory returns to 0x6CC88EA8, thread 1612).
2022-06-22 19:21:29,568 [root] DEBUG: DLL loaded at 0x6CAF0000: C:\Windows\SYSTEM32\TextShaping (0x94000 bytes).
2022-06-22 19:21:29,599 [root] DEBUG: DLL loaded at 0x6CAD0000: C:\Windows\SYSTEM32\edputil (0x1b000 bytes).
2022-06-22 19:21:29,724 [root] DEBUG: DLL loaded at 0x6C8C0000: C:\Windows\SYSTEM32\DWrite (0x20c000 bytes).
2022-06-22 19:21:29,724 [root] DEBUG: caller_dispatch: Adding region at 0x6C8C0000 to caller regions list (ntdll::RtlSetCurrentTransaction returns to 0x6C931042, thread 1612).
2022-06-22 19:21:29,724 [root] DEBUG: caller_dispatch: Scanning calling region at 0x6C8C0000...
2022-06-22 19:21:29,724 [root] DEBUG: caller_dispatch: Dump of calling region at 0x6C8C0000 skipped (ntdll::RtlSetCurrentTransaction returns to 0x6C931042 mapped as \Device\HarddiskVolume2\Windows\SysWOW64\DWrite.dll).
2022-06-22 19:21:31,834 [root] DEBUG: DLL loaded at 0x6C880000: C:\Program Files (x86)\Microsoft Office\Office14\msproof7 (0x39000 bytes).
2022-06-22 19:21:31,834 [root] DEBUG: caller_dispatch: Adding region at 0x6C880000 to caller regions list (ntdll::LdrGetDllHandle returns to 0x6C89607F, thread 1612).
2022-06-22 19:21:31,834 [root] DEBUG: caller_dispatch: Scanning calling region at 0x6C880000...
2022-06-22 19:21:31,834 [root] DEBUG: caller_dispatch: Dump of calling region at 0x6C880000 skipped (ntdll::LdrGetDllHandle returns to 0x6C89607F mapped as \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\Office14\msproof7.dll).
2022-06-22 19:21:31,849 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
2022-06-22 19:21:31,927 [root] DEBUG: DLL unloaded from 0x6E400000.
2022-06-22 19:21:31,927 [root] DEBUG: DLL unloaded from 0x76960000.
2022-06-22 19:21:31,990 [root] DEBUG: DLL unloaded from 0x6E400000.
2022-06-22 19:21:32,506 [root] DEBUG: DLL loaded at 0x74930000: C:\Windows\SYSTEM32\CRYPTSP (0x13000 bytes).
2022-06-22 19:21:32,506 [root] DEBUG: caller_dispatch: Adding region at 0x74930000 to caller regions list (ntdll::LdrLoadDll returns to 0x74934D82, thread 1884).
2022-06-22 19:21:32,506 [root] DEBUG: caller_dispatch: Dump of calling region at 0x74930000 skipped (ntdll::LdrLoadDll returns to 0x74934D82 mapped as \Device\HarddiskVolume2\Windows\SysWOW64\cryptsp.dll).
2022-06-22 19:21:32,521 [root] DEBUG: DLL loaded at 0x73E50000: C:\Windows\system32\rsaenh (0x2f000 bytes).
2022-06-22 19:21:32,521 [root] DEBUG: caller_dispatch: Adding region at 0x73E50000 to caller regions list (ntdll::LdrLoadDll returns to 0x73E57547, thread 1884).
2022-06-22 19:21:32,521 [root] DEBUG: caller_dispatch: Dump of calling region at 0x73E50000 skipped (ntdll::LdrLoadDll returns to 0x73E57547 mapped as \Device\HarddiskVolume2\Windows\SysWOW64\rsaenh.dll).
2022-06-22 19:21:36,004 [root] DEBUG: DLL loaded at 0x3F100000: C:\Program Files (x86)\Microsoft Office\OFFICE14\PROOF\1033\MSGR3EN (0x311000 bytes).
2022-06-22 19:21:36,004 [root] DEBUG: caller_dispatch: Adding region at 0x3F100000 to caller regions list (ntdll::NtQueryLicenseValue returns to 0x3F3995C8, thread 1708).
2022-06-22 19:21:36,004 [root] DEBUG: caller_dispatch: Scanning calling region at 0x3F100000...
2022-06-22 19:21:36,004 [root] DEBUG: caller_dispatch: Dump of calling region at 0x3F100000 skipped (ntdll::NtQueryLicenseValue returns to 0x3F3995C8 mapped as \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\Office14\PROOF\1033\MSGR3EN.DLL).
2022-06-22 19:21:52,223 [root] DEBUG: DLL unloaded from 0x6D1D0000.
2022-06-22 19:21:52,223 [root] DEBUG: DLL unloaded from 0x6CD80000.
2022-06-22 19:21:52,238 [root] DEBUG: DLL unloaded from 0x6D1D0000.
2022-06-22 19:21:52,270 [root] DEBUG: DLL unloaded from 0x766C0000.
2022-06-22 19:22:00,973 [root] DEBUG: CreateProcessHandler: Injection info set for new process 3764: C:\Windows\splwow64.exe, ImageBase: 0x00000000
2022-06-22 19:22:00,973 [root] INFO: Announced 64-bit process name: splwow64.exe pid: 3764
2022-06-22 19:22:00,973 [lib.api.process] INFO: Monitor config for process 3764: C:\tmp6tkbn3gc\dll\3764.ini
2022-06-22 19:22:00,988 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp6tkbn3gc\dll\hqmfbNV.dll, loader C:\tmp6tkbn3gc\bin\KMHLjmgy.exe
2022-06-22 19:22:01,004 [root] DEBUG: Loader: Injecting process 3764 (thread 4164) with C:\tmp6tkbn3gc\dll\hqmfbNV.dll.
2022-06-22 19:22:01,004 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2022-06-22 19:22:01,004 [root] DEBUG: Successfully injected DLL C:\tmp6tkbn3gc\dll\hqmfbNV.dll.
2022-06-22 19:22:01,004 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3764
2022-06-22 19:22:01,004 [root] INFO: Announced 64-bit process name: splwow64.exe pid: 3764
2022-06-22 19:22:01,004 [lib.api.process] INFO: Monitor config for process 3764: C:\tmp6tkbn3gc\dll\3764.ini
2022-06-22 19:22:01,004 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp6tkbn3gc\dll\hqmfbNV.dll, loader C:\tmp6tkbn3gc\bin\KMHLjmgy.exe
2022-06-22 19:22:01,019 [root] DEBUG: Loader: Injecting process 3764 (thread 4164) with C:\tmp6tkbn3gc\dll\hqmfbNV.dll.
2022-06-22 19:22:01,019 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2022-06-22 19:22:01,019 [root] DEBUG: Successfully injected DLL C:\tmp6tkbn3gc\dll\hqmfbNV.dll.
2022-06-22 19:22:01,019 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3764
2022-06-22 19:22:01,019 [root] INFO: Announced 64-bit process name: splwow64.exe pid: 3764
2022-06-22 19:22:01,019 [lib.api.process] INFO: Monitor config for process 3764: C:\tmp6tkbn3gc\dll\3764.ini
2022-06-22 19:22:01,019 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp6tkbn3gc\dll\hqmfbNV.dll, loader C:\tmp6tkbn3gc\bin\KMHLjmgy.exe
2022-06-22 19:22:01,035 [root] DEBUG: Loader: Injecting process 3764 (thread 4164) with C:\tmp6tkbn3gc\dll\hqmfbNV.dll.
2022-06-22 19:22:01,035 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2022-06-22 19:22:01,035 [root] DEBUG: Successfully injected DLL C:\tmp6tkbn3gc\dll\hqmfbNV.dll.
2022-06-22 19:22:01,035 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3764
2022-06-22 19:22:01,066 [root] DEBUG: Python path set to 'C:\Users\johnquser\AppData\Local\Programs\Python\Python37-32'.
2022-06-22 19:22:01,066 [root] DEBUG: Dropped file limit defaulting to 100.
2022-06-22 19:22:01,066 [root] INFO: Disabling sleep skipping.
2022-06-22 19:22:01,066 [root] DEBUG: Initialising Yara...
2022-06-22 19:22:01,066 [root] DEBUG: YaraInit: Compiled rules loaded from existing file C:\tmp6tkbn3gc\data\yara\capemon.yac
2022-06-22 19:22:01,066 [root] DEBUG: InternalYaraScan: Scanning 0x00007FFDFEB90000, size 0x1f4546
2022-06-22 19:22:01,066 [root] DEBUG: Error 5 (0x5) - AmsiDumper: Is CAPE agent running elevated? Initialisation failed: Access is denied.
2022-06-22 19:22:01,066 [root] DEBUG: Monitor initialised: 64-bit capemon loaded in process 3764 at 0x00007FFDDC260000, thread 4164, image base 0x00007FF7B2360000, stack from 0x0000000000B55000-0x0000000000B60000
2022-06-22 19:22:01,082 [root] DEBUG: Commandline: C:\Windows\splwow64.exe 8192
2022-06-22 19:22:01,129 [root] DEBUG: RestoreHeaders: Restored original import table.
2022-06-22 19:22:01,129 [root] INFO: Loaded monitor into process with pid 3764
2022-06-22 19:22:01,129 [root] DEBUG: caller_dispatch: Adding region at 0x00007FFDFC930000 to caller regions list (ntdll::LdrGetProcedureAddressForCaller returns to 0x00007FFDFC970331, thread 4164).
2022-06-22 19:22:01,144 [root] DEBUG: caller_dispatch: Scanning calling region at 0x00007FFDFC930000...
2022-06-22 19:22:01,176 [root] DEBUG: caller_dispatch: Dump of calling region at 0x00007FFDFC930000 skipped (ntdll::LdrGetProcedureAddressForCaller returns to 0x00007FFDFC970331 mapped as \Device\HarddiskVolume2\Windows\System32\KernelBase.dll).
2022-06-22 19:22:01,176 [root] DEBUG: caller_dispatch: Adding region at 0x00007FFDFEB90000 to caller regions list (ntdll::NtClose returns to 0x00007FFDFEC63E73, thread 4164).
2022-06-22 19:22:01,176 [root] DEBUG: caller_dispatch: Dump of calling region at 0x00007FFDFEB90000 skipped (ntdll::NtClose returns to 0x00007FFDFEC63E73 mapped as \Device\HarddiskVolume2\Windows\System32\ntdll.dll).
2022-06-22 19:22:01,191 [root] DEBUG: caller_dispatch: Adding region at 0x00007FF7B2360000 to caller regions list (kernel32::SetUnhandledExceptionFilter returns to 0x00007FF7B236CC61, thread 4164).
2022-06-22 19:22:01,191 [root] DEBUG: YaraScan: Scanning 0x00007FF7B2360000, size 0x26326
2022-06-22 19:22:01,191 [root] DEBUG: caller_dispatch: Dump of calling region at 0x00007FF7B2360000 skipped (kernel32::SetUnhandledExceptionFilter returns to 0x00007FF7B236CC61 mapped as \Device\HarddiskVolume2\Windows\splwow64.exe).
2022-06-22 19:22:01,191 [root] DEBUG: caller_dispatch: Adding region at 0x00007FFDFCC00000 to caller regions list (msvcrt::memcpy returns to 0x00007FFDFCC308BA, thread 4164).
2022-06-22 19:22:01,191 [root] DEBUG: caller_dispatch: Dump of calling region at 0x00007FFDFCC00000 skipped (msvcrt::memcpy returns to 0x00007FFDFCC308BA mapped as \Device\HarddiskVolume2\Windows\System32\msvcrt.dll).
2022-06-22 19:22:01,191 [root] DEBUG: caller_dispatch: Adding region at 0x00007FFDFCDE0000 to caller regions list (advapi32::LsaOpenPolicy returns to 0x00007FFDFCDEF72B, thread 1408).
2022-06-22 19:22:01,191 [root] DEBUG: caller_dispatch: Dump of calling region at 0x00007FFDFCDE0000 skipped (advapi32::LsaOpenPolicy returns to 0x00007FFDFCDEF72B mapped as \Device\HarddiskVolume2\Windows\System32\advapi32.dll).
2022-06-22 19:22:01,207 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3764
2022-06-22 19:22:01,207 [root] DEBUG: GetHookCallerBase: thread 4164, return address 0x00007FFDFEBED9D4, allocation base 0x00007FFDFEB90000.
2022-06-22 19:22:01,207 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00007FF7B2360000.
2022-06-22 19:22:01,207 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2022-06-22 19:22:01,207 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00007FF7B2360000.
2022-06-22 19:22:01,207 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000CAA0.
2022-06-22 19:22:01,207 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x0.
2022-06-22 19:22:01,222 [root] DEBUG: caller_dispatch: Adding region at 0x00007FFDFBC10000 to caller regions list (ntdll::NtClose returns to 0x00007FFDFBC1226F, thread 4164).
2022-06-22 19:22:01,222 [root] DEBUG: caller_dispatch: Scanning calling region at 0x00007FFDFBC10000...
2022-06-22 19:22:01,222 [root] DEBUG: caller_dispatch: Dump of calling region at 0x00007FFDFBC10000 skipped (ntdll::NtClose returns to 0x00007FFDFBC1226F mapped as \Device\HarddiskVolume2\Windows\System32\cryptbase.dll).
2022-06-22 19:22:01,222 [root] DEBUG: DLL unloaded from 0x00007FFDFCF70000.
2022-06-22 19:22:01,222 [root] DEBUG: caller_dispatch: Adding region at 0x00007FFDFC820000 to caller regions list (ntdll::NtOpenKey returns to 0x00007FFDFC852C4F, thread 4164).
2022-06-22 19:22:01,222 [root] DEBUG: caller_dispatch: Scanning calling region at 0x00007FFDFC820000...
2022-06-22 19:22:01,222 [root] DEBUG: caller_dispatch: Dump of calling region at 0x00007FFDFC820000 skipped (ntdll::NtOpenKey returns to 0x00007FFDFC852C4F mapped as \Device\HarddiskVolume2\Windows\System32\gdi32full.dll).
2022-06-22 19:22:01,222 [root] INFO: Process with pid 3764 has terminated
2022-06-22 19:22:01,238 [root] DEBUG: DLL unloaded from 0x733F0000.
2022-06-22 19:22:01,238 [root] DEBUG: CreateProcessHandler: Injection info set for new process 3596: C:\Windows\splwow64.exe, ImageBase: 0x00000000
2022-06-22 19:22:01,238 [root] INFO: Announced 64-bit process name: splwow64.exe pid: 3596
2022-06-22 19:22:01,238 [lib.api.process] INFO: Monitor config for process 3596: C:\tmp6tkbn3gc\dll\3596.ini
2022-06-22 19:22:01,254 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp6tkbn3gc\dll\hqmfbNV.dll, loader C:\tmp6tkbn3gc\bin\KMHLjmgy.exe
2022-06-22 19:22:01,254 [root] DEBUG: Loader: Injecting process 3596 (thread 3296) with C:\tmp6tkbn3gc\dll\hqmfbNV.dll.
2022-06-22 19:22:01,254 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2022-06-22 19:22:01,254 [root] DEBUG: Successfully injected DLL C:\tmp6tkbn3gc\dll\hqmfbNV.dll.
2022-06-22 19:22:01,269 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3596
2022-06-22 19:22:01,269 [root] INFO: Announced 64-bit process name: splwow64.exe pid: 3596
2022-06-22 19:22:01,269 [lib.api.process] INFO: Monitor config for process 3596: C:\tmp6tkbn3gc\dll\3596.ini
2022-06-22 19:22:01,269 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp6tkbn3gc\dll\hqmfbNV.dll, loader C:\tmp6tkbn3gc\bin\KMHLjmgy.exe
2022-06-22 19:22:01,285 [root] DEBUG: Loader: Injecting process 3596 (thread 3296) with C:\tmp6tkbn3gc\dll\hqmfbNV.dll.
2022-06-22 19:22:01,285 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2022-06-22 19:22:01,285 [root] DEBUG: Successfully injected DLL C:\tmp6tkbn3gc\dll\hqmfbNV.dll.
2022-06-22 19:22:01,285 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3596
2022-06-22 19:22:01,285 [root] INFO: Announced 64-bit process name: splwow64.exe pid: 3596
2022-06-22 19:22:01,285 [lib.api.process] INFO: Monitor config for process 3596: C:\tmp6tkbn3gc\dll\3596.ini
2022-06-22 19:22:01,285 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp6tkbn3gc\dll\hqmfbNV.dll, loader C:\tmp6tkbn3gc\bin\KMHLjmgy.exe
2022-06-22 19:22:01,301 [root] DEBUG: Loader: Injecting process 3596 (thread 3296) with C:\tmp6tkbn3gc\dll\hqmfbNV.dll.
2022-06-22 19:22:01,301 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2022-06-22 19:22:01,301 [root] DEBUG: Successfully injected DLL C:\tmp6tkbn3gc\dll\hqmfbNV.dll.
2022-06-22 19:22:01,301 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3596
2022-06-22 19:22:01,316 [root] DEBUG: Python path set to 'C:\Users\johnquser\AppData\Local\Programs\Python\Python37-32'.
2022-06-22 19:22:01,316 [root] DEBUG: Dropped file limit defaulting to 100.
2022-06-22 19:22:01,332 [root] INFO: Disabling sleep skipping.
2022-06-22 19:22:01,332 [root] DEBUG: Initialising Yara...
2022-06-22 19:22:01,332 [root] DEBUG: YaraInit: Compiled rules loaded from existing file C:\tmp6tkbn3gc\data\yara\capemon.yac
2022-06-22 19:22:01,332 [root] DEBUG: InternalYaraScan: Scanning 0x00007FFDFEB90000, size 0x1f4546
2022-06-22 19:22:01,332 [root] DEBUG: Error 5 (0x5) - AmsiDumper: Is CAPE agent running elevated? Initialisation failed: Access is denied.
2022-06-22 19:22:01,332 [root] DEBUG: Monitor initialised: 64-bit capemon loaded in process 3596 at 0x00007FFDDC260000, thread 3296, image base 0x00007FF7B2360000, stack from 0x0000000000CF5000-0x0000000000D00000
2022-06-22 19:22:01,332 [root] DEBUG: Commandline: C:\Windows\splwow64.exe 8192
2022-06-22 19:22:01,395 [root] DEBUG: RestoreHeaders: Restored original import table.
2022-06-22 19:22:01,395 [root] INFO: Loaded monitor into process with pid 3596
2022-06-22 19:22:01,395 [root] DEBUG: caller_dispatch: Adding region at 0x00007FFDFC930000 to caller regions list (ntdll::LdrGetProcedureAddressForCaller returns to 0x00007FFDFC970331, thread 3296).
2022-06-22 19:22:01,395 [root] DEBUG: caller_dispatch: Scanning calling region at 0x00007FFDFC930000...
2022-06-22 19:22:01,395 [root] DEBUG: caller_dispatch: Dump of calling region at 0x00007FFDFC930000 skipped (ntdll::LdrGetProcedureAddressForCaller returns to 0x00007FFDFC970331 mapped as \Device\HarddiskVolume2\Windows\System32\KernelBase.dll).
2022-06-22 19:22:01,410 [root] DEBUG: caller_dispatch: Adding region at 0x00007FFDFEB90000 to caller regions list (ntdll::NtClose returns to 0x00007FFDFEC63E73, thread 3296).
2022-06-22 19:22:01,410 [root] DEBUG: caller_dispatch: Dump of calling region at 0x00007FFDFEB90000 skipped (ntdll::NtClose returns to 0x00007FFDFEC63E73 mapped as \Device\HarddiskVolume2\Windows\System32\ntdll.dll).
2022-06-22 19:22:01,410 [root] DEBUG: caller_dispatch: Adding region at 0x00007FF7B2360000 to caller regions list (kernel32::SetUnhandledExceptionFilter returns to 0x00007FF7B236CC61, thread 3296).
2022-06-22 19:22:01,410 [root] DEBUG: YaraScan: Scanning 0x00007FF7B2360000, size 0x26326
2022-06-22 19:22:01,410 [root] DEBUG: caller_dispatch: Dump of calling region at 0x00007FF7B2360000 skipped (kernel32::SetUnhandledExceptionFilter returns to 0x00007FF7B236CC61 mapped as \Device\HarddiskVolume2\Windows\splwow64.exe).
2022-06-22 19:22:01,410 [root] DEBUG: caller_dispatch: Adding region at 0x00007FFDFCC00000 to caller regions list (msvcrt::memcpy returns to 0x00007FFDFCC308BA, thread 3296).
2022-06-22 19:22:01,410 [root] DEBUG: caller_dispatch: Dump of calling region at 0x00007FFDFCC00000 skipped (msvcrt::memcpy returns to 0x00007FFDFCC308BA mapped as \Device\HarddiskVolume2\Windows\System32\msvcrt.dll).
2022-06-22 19:22:01,410 [root] DEBUG: caller_dispatch: Adding region at 0x00007FFDFCDE0000 to caller regions list (advapi32::LsaOpenPolicy returns to 0x00007FFDFCDEF72B, thread 3336).
2022-06-22 19:22:01,410 [root] DEBUG: caller_dispatch: Dump of calling region at 0x00007FFDFCDE0000 skipped (advapi32::LsaOpenPolicy returns to 0x00007FFDFCDEF72B mapped as \Device\HarddiskVolume2\Windows\System32\advapi32.dll).
2022-06-22 19:22:01,425 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3596
2022-06-22 19:22:01,425 [root] DEBUG: GetHookCallerBase: thread 3296, return address 0x00007FFDFEBED9D4, allocation base 0x00007FFDFEB90000.
2022-06-22 19:22:01,425 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00007FF7B2360000.
2022-06-22 19:22:01,425 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2022-06-22 19:22:01,425 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00007FF7B2360000.
2022-06-22 19:22:01,425 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000CAA0.
2022-06-22 19:22:01,425 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x0.
2022-06-22 19:22:01,425 [root] DEBUG: caller_dispatch: Adding region at 0x00007FFDFBC10000 to caller regions list (ntdll::NtClose returns to 0x00007FFDFBC1226F, thread 3296).
2022-06-22 19:22:01,425 [root] DEBUG: caller_dispatch: Scanning calling region at 0x00007FFDFBC10000...
2022-06-22 19:22:01,441 [root] DEBUG: caller_dispatch: Dump of calling region at 0x00007FFDFBC10000 skipped (ntdll::NtClose returns to 0x00007FFDFBC1226F mapped as \Device\HarddiskVolume2\Windows\System32\cryptbase.dll).
2022-06-22 19:22:01,441 [root] DEBUG: DLL unloaded from 0x00007FFDFCF70000.
2022-06-22 19:22:01,441 [root] DEBUG: caller_dispatch: Adding region at 0x00007FFDFC820000 to caller regions list (ntdll::NtOpenKey returns to 0x00007FFDFC852C4F, thread 3296).
2022-06-22 19:22:01,441 [root] DEBUG: caller_dispatch: Scanning calling region at 0x00007FFDFC820000...
2022-06-22 19:22:01,441 [root] DEBUG: caller_dispatch: Dump of calling region at 0x00007FFDFC820000 skipped (ntdll::NtOpenKey returns to 0x00007FFDFC852C4F mapped as \Device\HarddiskVolume2\Windows\System32\gdi32full.dll).
2022-06-22 19:22:01,441 [root] INFO: Process with pid 3596 has terminated
2022-06-22 19:22:01,457 [root] DEBUG: CreateProcessHandler: Injection info set for new process 5100: C:\Windows\splwow64.exe, ImageBase: 0x00000000
2022-06-22 19:22:01,457 [root] INFO: Announced 64-bit process name: splwow64.exe pid: 5100
2022-06-22 19:22:01,457 [lib.api.process] INFO: Monitor config for process 5100: C:\tmp6tkbn3gc\dll\5100.ini
2022-06-22 19:22:01,457 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp6tkbn3gc\dll\hqmfbNV.dll, loader C:\tmp6tkbn3gc\bin\KMHLjmgy.exe
2022-06-22 19:22:01,473 [root] DEBUG: Loader: Injecting process 5100 (thread 496) with C:\tmp6tkbn3gc\dll\hqmfbNV.dll.
2022-06-22 19:22:01,473 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2022-06-22 19:22:01,473 [root] DEBUG: Successfully injected DLL C:\tmp6tkbn3gc\dll\hqmfbNV.dll.
2022-06-22 19:22:01,488 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 5100
2022-06-22 19:22:01,488 [root] INFO: Announced 64-bit process name: splwow64.exe pid: 5100
2022-06-22 19:22:01,488 [lib.api.process] INFO: Monitor config for process 5100: C:\tmp6tkbn3gc\dll\5100.ini
2022-06-22 19:22:01,488 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp6tkbn3gc\dll\hqmfbNV.dll, loader C:\tmp6tkbn3gc\bin\KMHLjmgy.exe
2022-06-22 19:22:01,504 [root] DEBUG: Loader: Injecting process 5100 (thread 496) with C:\tmp6tkbn3gc\dll\hqmfbNV.dll.
2022-06-22 19:22:01,504 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2022-06-22 19:22:01,504 [root] DEBUG: Successfully injected DLL C:\tmp6tkbn3gc\dll\hqmfbNV.dll.
2022-06-22 19:22:01,504 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 5100
2022-06-22 19:22:01,519 [root] INFO: Announced 64-bit process name: splwow64.exe pid: 5100
2022-06-22 19:22:01,519 [lib.api.process] INFO: Monitor config for process 5100: C:\tmp6tkbn3gc\dll\5100.ini
2022-06-22 19:22:01,519 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp6tkbn3gc\dll\hqmfbNV.dll, loader C:\tmp6tkbn3gc\bin\KMHLjmgy.exe
2022-06-22 19:22:01,535 [root] DEBUG: Loader: Injecting process 5100 (thread 496) with C:\tmp6tkbn3gc\dll\hqmfbNV.dll.
2022-06-22 19:22:01,535 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2022-06-22 19:22:01,535 [root] DEBUG: Successfully injected DLL C:\tmp6tkbn3gc\dll\hqmfbNV.dll.
2022-06-22 19:22:01,535 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 5100
2022-06-22 19:22:01,551 [root] DEBUG: Python path set to 'C:\Users\johnquser\AppData\Local\Programs\Python\Python37-32'.
2022-06-22 19:22:01,551 [root] DEBUG: Dropped file limit defaulting to 100.
2022-06-22 19:22:01,566 [root] INFO: Disabling sleep skipping.
2022-06-22 19:22:01,566 [root] DEBUG: Initialising Yara...
2022-06-22 19:22:01,566 [root] DEBUG: YaraInit: Compiled rules loaded from existing file C:\tmp6tkbn3gc\data\yara\capemon.yac
2022-06-22 19:22:01,566 [root] DEBUG: InternalYaraScan: Scanning 0x00007FFDFEB90000, size 0x1f4546
2022-06-22 19:22:01,566 [root] DEBUG: Error 5 (0x5) - AmsiDumper: Is CAPE agent running elevated? Initialisation failed: Access is denied.
2022-06-22 19:22:01,566 [root] DEBUG: Monitor initialised: 64-bit capemon loaded in process 5100 at 0x00007FFDDC260000, thread 496, image base 0x00007FF7B2360000, stack from 0x00000000003A5000-0x00000000003B0000
2022-06-22 19:22:01,582 [root] DEBUG: Commandline: C:\Windows\splwow64.exe 8192
2022-06-22 19:22:01,629 [root] DEBUG: RestoreHeaders: Restored original import table.
2022-06-22 19:22:01,629 [root] INFO: Loaded monitor into process with pid 5100
2022-06-22 19:22:01,644 [root] DEBUG: caller_dispatch: Adding region at 0x00007FFDFC930000 to caller regions list (ntdll::LdrGetProcedureAddressForCaller returns to 0x00007FFDFC970331, thread 496).
2022-06-22 19:22:01,644 [root] DEBUG: caller_dispatch: Scanning calling region at 0x00007FFDFC930000...
2022-06-22 19:22:01,644 [root] DEBUG: caller_dispatch: Dump of calling region at 0x00007FFDFC930000 skipped (ntdll::LdrGetProcedureAddressForCaller returns to 0x00007FFDFC970331 mapped as \Device\HarddiskVolume2\Windows\System32\KernelBase.dll).
2022-06-22 19:22:01,644 [root] DEBUG: caller_dispatch: Adding region at 0x00007FFDFEB90000 to caller regions list (ntdll::NtClose returns to 0x00007FFDFEC63E73, thread 496).
2022-06-22 19:22:01,644 [root] DEBUG: caller_dispatch: Dump of calling region at 0x00007FFDFEB90000 skipped (ntdll::NtClose returns to 0x00007FFDFEC63E73 mapped as \Device\HarddiskVolume2\Windows\System32\ntdll.dll).
2022-06-22 19:22:01,644 [root] DEBUG: caller_dispatch: Adding region at 0x00007FF7B2360000 to caller regions list (kernel32::SetUnhandledExceptionFilter returns to 0x00007FF7B236CC61, thread 496).
2022-06-22 19:22:01,660 [root] DEBUG: YaraScan: Scanning 0x00007FF7B2360000, size 0x26326
2022-06-22 19:22:01,660 [root] DEBUG: caller_dispatch: Dump of calling region at 0x00007FF7B2360000 skipped (kernel32::SetUnhandledExceptionFilter returns to 0x00007FF7B236CC61 mapped as \Device\HarddiskVolume2\Windows\splwow64.exe).
2022-06-22 19:22:01,660 [root] DEBUG: caller_dispatch: Adding region at 0x00007FFDFCC00000 to caller regions list (msvcrt::memcpy returns to 0x00007FFDFCC308BA, thread 496).
2022-06-22 19:22:01,660 [root] DEBUG: caller_dispatch: Dump of calling region at 0x00007FFDFCC00000 skipped (msvcrt::memcpy returns to 0x00007FFDFCC308BA mapped as \Device\HarddiskVolume2\Windows\System32\msvcrt.dll).
2022-06-22 19:22:01,660 [root] DEBUG: caller_dispatch: Adding region at 0x00007FFDFCDE0000 to caller regions list (advapi32::LsaOpenPolicy returns to 0x00007FFDFCDEF72B, thread 3472).
2022-06-22 19:22:01,660 [root] DEBUG: caller_dispatch: Dump of calling region at 0x00007FFDFCDE0000 skipped (advapi32::LsaOpenPolicy returns to 0x00007FFDFCDEF72B mapped as \Device\HarddiskVolume2\Windows\System32\advapi32.dll).
2022-06-22 19:22:01,660 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 5100
2022-06-22 19:22:01,676 [root] DEBUG: GetHookCallerBase: thread 496, return address 0x00007FFDFEBED9D4, allocation base 0x00007FFDFEB90000.
2022-06-22 19:22:01,676 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00007FF7B2360000.
2022-06-22 19:22:01,676 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2022-06-22 19:22:01,676 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00007FF7B2360000.
2022-06-22 19:22:01,676 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000CAA0.
2022-06-22 19:22:01,676 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x0.
2022-06-22 19:22:01,676 [root] DEBUG: caller_dispatch: Adding region at 0x00007FFDFBC10000 to caller regions list (ntdll::NtClose returns to 0x00007FFDFBC1226F, thread 496).
2022-06-22 19:22:01,692 [root] DEBUG: caller_dispatch: Scanning calling region at 0x00007FFDFBC10000...
2022-06-22 19:22:01,692 [root] DEBUG: caller_dispatch: Dump of calling region at 0x00007FFDFBC10000 skipped (ntdll::NtClose returns to 0x00007FFDFBC1226F mapped as \Device\HarddiskVolume2\Windows\System32\cryptbase.dll).
2022-06-22 19:22:01,692 [root] DEBUG: DLL unloaded from 0x00007FFDFCF70000.
2022-06-22 19:22:01,692 [root] DEBUG: caller_dispatch: Adding region at 0x00007FFDFC820000 to caller regions list (ntdll::NtOpenKey returns to 0x00007FFDFC852C4F, thread 496).
2022-06-22 19:22:01,692 [root] DEBUG: caller_dispatch: Scanning calling region at 0x00007FFDFC820000...
2022-06-22 19:22:01,692 [root] DEBUG: caller_dispatch: Dump of calling region at 0x00007FFDFC820000 skipped (ntdll::NtOpenKey returns to 0x00007FFDFC852C4F mapped as \Device\HarddiskVolume2\Windows\System32\gdi32full.dll).
2022-06-22 19:22:01,692 [root] INFO: Process with pid 5100 has terminated
2022-06-22 19:22:01,707 [root] DEBUG: CreateProcessHandler: Injection info set for new process 900: C:\Windows\splwow64.exe, ImageBase: 0x00000000
2022-06-22 19:22:01,707 [root] INFO: Announced 64-bit process name: splwow64.exe pid: 900
2022-06-22 19:22:01,707 [lib.api.process] INFO: Monitor config for process 900: C:\tmp6tkbn3gc\dll\900.ini
2022-06-22 19:22:01,707 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp6tkbn3gc\dll\hqmfbNV.dll, loader C:\tmp6tkbn3gc\bin\KMHLjmgy.exe
2022-06-22 19:22:01,722 [root] DEBUG: Loader: Injecting process 900 (thread 4596) with C:\tmp6tkbn3gc\dll\hqmfbNV.dll.
2022-06-22 19:22:01,722 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2022-06-22 19:22:01,722 [root] DEBUG: Successfully injected DLL C:\tmp6tkbn3gc\dll\hqmfbNV.dll.
2022-06-22 19:22:01,738 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 900
2022-06-22 19:22:01,738 [root] INFO: Announced 64-bit process name: splwow64.exe pid: 900
2022-06-22 19:22:01,738 [lib.api.process] INFO: Monitor config for process 900: C:\tmp6tkbn3gc\dll\900.ini
2022-06-22 19:22:01,738 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp6tkbn3gc\dll\hqmfbNV.dll, loader C:\tmp6tkbn3gc\bin\KMHLjmgy.exe
2022-06-22 19:22:01,754 [root] DEBUG: Loader: Injecting process 900 (thread 4596) with C:\tmp6tkbn3gc\dll\hqmfbNV.dll.
2022-06-22 19:22:01,754 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2022-06-22 19:22:01,754 [root] DEBUG: Successfully injected DLL C:\tmp6tkbn3gc\dll\hqmfbNV.dll.
2022-06-22 19:22:01,754 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 900
2022-06-22 19:22:01,754 [root] INFO: Announced 64-bit process name: splwow64.exe pid: 900
2022-06-22 19:22:01,754 [lib.api.process] INFO: Monitor config for process 900: C:\tmp6tkbn3gc\dll\900.ini
2022-06-22 19:22:01,754 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp6tkbn3gc\dll\hqmfbNV.dll, loader C:\tmp6tkbn3gc\bin\KMHLjmgy.exe
2022-06-22 19:22:01,770 [root] DEBUG: Loader: Injecting process 900 (thread 4596) with C:\tmp6tkbn3gc\dll\hqmfbNV.dll.
2022-06-22 19:22:01,770 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2022-06-22 19:22:01,770 [root] DEBUG: Successfully injected DLL C:\tmp6tkbn3gc\dll\hqmfbNV.dll.
2022-06-22 19:22:01,785 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 900
2022-06-22 19:22:01,800 [root] DEBUG: Python path set to 'C:\Users\johnquser\AppData\Local\Programs\Python\Python37-32'.
2022-06-22 19:22:01,800 [root] DEBUG: Dropped file limit defaulting to 100.
2022-06-22 19:22:01,800 [root] INFO: Disabling sleep skipping.
2022-06-22 19:22:01,800 [root] DEBUG: YaraInit: Compiled rules loaded from existing file C:\tmp6tkbn3gc\data\yara\capemon.yac
2022-06-22 19:22:01,800 [root] DEBUG: InternalYaraScan: Scanning 0x00007FFDFEB90000, size 0x1f4546
2022-06-22 19:22:01,863 [root] DEBUG: RestoreHeaders: Restored original import table.
2022-06-22 19:22:01,863 [root] INFO: Loaded monitor into process with pid 900
2022-06-22 19:22:01,863 [root] DEBUG: caller_dispatch: Adding region at 0x00007FFDFC930000 to caller regions list (ntdll::LdrGetProcedureAddressForCaller returns to 0x00007FFDFC970331, thread 4596).
2022-06-22 19:22:01,879 [root] DEBUG: caller_dispatch: Scanning calling region at 0x00007FFDFC930000...
2022-06-22 19:22:01,879 [root] DEBUG: caller_dispatch: Dump of calling region at 0x00007FFDFC930000 skipped (ntdll::LdrGetProcedureAddressForCaller returns to 0x00007FFDFC970331 mapped as \Device\HarddiskVolume2\Windows\System32\KernelBase.dll).
2022-06-22 19:22:01,879 [root] DEBUG: caller_dispatch: Adding region at 0x00007FFDFEB90000 to caller regions list (ntdll::NtClose returns to 0x00007FFDFEC63E73, thread 4596).
2022-06-22 19:22:01,879 [root] DEBUG: caller_dispatch: Dump of calling region at 0x00007FFDFEB90000 skipped (ntdll::NtClose returns to 0x00007FFDFEC63E73 mapped as \Device\HarddiskVolume2\Windows\System32\ntdll.dll).
2022-06-22 19:22:01,879 [root] DEBUG: caller_dispatch: Adding region at 0x00007FF7B2360000 to caller regions list (kernel32::SetUnhandledExceptionFilter returns to 0x00007FF7B236CC61, thread 4596).
2022-06-22 19:22:01,879 [root] DEBUG: caller_dispatch: Dump of calling region at 0x00007FF7B2360000 skipped (kernel32::SetUnhandledExceptionFilter returns to 0x00007FF7B236CC61 mapped as \Device\HarddiskVolume2\Windows\splwow64.exe).
2022-06-22 19:22:01,895 [root] DEBUG: caller_dispatch: Adding region at 0x00007FFDFCC00000 to caller regions list (msvcrt::memcpy returns to 0x00007FFDFCC308BA, thread 4596).
2022-06-22 19:22:01,895 [root] DEBUG: caller_dispatch: Dump of calling region at 0x00007FFDFCC00000 skipped (msvcrt::memcpy returns to 0x00007FFDFCC308BA mapped as \Device\HarddiskVolume2\Windows\System32\msvcrt.dll).
2022-06-22 19:22:01,895 [root] DEBUG: caller_dispatch: Adding region at 0x00007FFDFCDE0000 to caller regions list (advapi32::LsaOpenPolicy returns to 0x00007FFDFCDEF72B, thread 4480).
2022-06-22 19:22:01,895 [root] DEBUG: caller_dispatch: Dump of calling region at 0x00007FFDFCDE0000 skipped (advapi32::LsaOpenPolicy returns to 0x00007FFDFCDEF72B mapped as \Device\HarddiskVolume2\Windows\System32\advapi32.dll).
2022-06-22 19:22:01,895 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 900
2022-06-22 19:22:01,895 [root] DEBUG: GetHookCallerBase: thread 4596, return address 0x00007FFDFEBED9D4, allocation base 0x00007FFDFEB90000.
2022-06-22 19:22:01,910 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00007FF7B2360000.
2022-06-22 19:22:01,910 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2022-06-22 19:22:01,910 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00007FF7B2360000.
2022-06-22 19:22:01,910 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000CAA0.
2022-06-22 19:22:01,910 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x0.
2022-06-22 19:22:01,910 [root] DEBUG: caller_dispatch: Adding region at 0x00007FFDFBC10000 to caller regions list (ntdll::NtClose returns to 0x00007FFDFBC1226F, thread 4596).
2022-06-22 19:22:01,910 [root] DEBUG: caller_dispatch: Scanning calling region at 0x00007FFDFBC10000...
2022-06-22 19:22:01,926 [root] DEBUG: caller_dispatch: Dump of calling region at 0x00007FFDFBC10000 skipped (ntdll::NtClose returns to 0x00007FFDFBC1226F mapped as \Device\HarddiskVolume2\Windows\System32\cryptbase.dll).
2022-06-22 19:22:01,926 [root] DEBUG: DLL unloaded from 0x00007FFDFCF70000.
2022-06-22 19:22:01,926 [root] DEBUG: caller_dispatch: Adding region at 0x00007FFDFC820000 to caller regions list (ntdll::NtOpenKey returns to 0x00007FFDFC852C4F, thread 4596).
2022-06-22 19:22:01,926 [root] DEBUG: caller_dispatch: Scanning calling region at 0x00007FFDFC820000...
2022-06-22 19:22:01,941 [root] DEBUG: caller_dispatch: Dump of calling region at 0x00007FFDFC820000 skipped (ntdll::NtOpenKey returns to 0x00007FFDFC852C4F mapped as \Device\HarddiskVolume2\Windows\System32\gdi32full.dll).
2022-06-22 19:22:01,941 [root] INFO: Process with pid 900 has terminated
2022-06-22 19:22:02,363 [root] DEBUG: CreateProcessHandler: Injection info set for new process 3240: C:\Windows\splwow64.exe, ImageBase: 0x00000000
2022-06-22 19:22:02,363 [root] INFO: Announced 64-bit process name: splwow64.exe pid: 3240
2022-06-22 19:22:02,363 [lib.api.process] INFO: Monitor config for process 3240: C:\tmp6tkbn3gc\dll\3240.ini
2022-06-22 19:22:02,363 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp6tkbn3gc\dll\hqmfbNV.dll, loader C:\tmp6tkbn3gc\bin\KMHLjmgy.exe
2022-06-22 19:22:02,394 [root] DEBUG: Loader: Injecting process 3240 (thread 4668) with C:\tmp6tkbn3gc\dll\hqmfbNV.dll.
2022-06-22 19:22:02,394 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2022-06-22 19:22:02,394 [root] DEBUG: Successfully injected DLL C:\tmp6tkbn3gc\dll\hqmfbNV.dll.
2022-06-22 19:22:02,394 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3240
2022-06-22 19:22:02,394 [root] INFO: Announced 64-bit process name: splwow64.exe pid: 3240
2022-06-22 19:22:02,394 [lib.api.process] INFO: Monitor config for process 3240: C:\tmp6tkbn3gc\dll\3240.ini
2022-06-22 19:22:02,410 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp6tkbn3gc\dll\hqmfbNV.dll, loader C:\tmp6tkbn3gc\bin\KMHLjmgy.exe
2022-06-22 19:22:02,426 [root] DEBUG: Loader: Injecting process 3240 (thread 4668) with C:\tmp6tkbn3gc\dll\hqmfbNV.dll.
2022-06-22 19:22:02,426 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2022-06-22 19:22:02,426 [root] DEBUG: Successfully injected DLL C:\tmp6tkbn3gc\dll\hqmfbNV.dll.
2022-06-22 19:22:02,426 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3240
2022-06-22 19:22:02,441 [root] INFO: Announced 64-bit process name: splwow64.exe pid: 3240
2022-06-22 19:22:02,441 [lib.api.process] INFO: Monitor config for process 3240: C:\tmp6tkbn3gc\dll\3240.ini
2022-06-22 19:22:02,441 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp6tkbn3gc\dll\hqmfbNV.dll, loader C:\tmp6tkbn3gc\bin\KMHLjmgy.exe
2022-06-22 19:22:02,457 [root] DEBUG: Loader: Injecting process 3240 (thread 4668) with C:\tmp6tkbn3gc\dll\hqmfbNV.dll.
2022-06-22 19:22:02,457 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2022-06-22 19:22:02,457 [root] DEBUG: Successfully injected DLL C:\tmp6tkbn3gc\dll\hqmfbNV.dll.
2022-06-22 19:22:02,457 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3240
2022-06-22 19:22:02,472 [root] DEBUG: Python path set to 'C:\Users\johnquser\AppData\Local\Programs\Python\Python37-32'.
2022-06-22 19:22:02,488 [root] DEBUG: Dropped file limit defaulting to 100.
2022-06-22 19:22:02,488 [root] DEBUG: Initialising Yara...
2022-06-22 19:22:02,488 [root] DEBUG: YaraInit: Compiled rules loaded from existing file C:\tmp6tkbn3gc\data\yara\capemon.yac
2022-06-22 19:22:02,488 [root] DEBUG: InternalYaraScan: Scanning 0x00007FFDFEB90000, size 0x1f4546
2022-06-22 19:22:02,488 [root] DEBUG: Error 5 (0x5) - AmsiDumper: Is CAPE agent running elevated? Initialisation failed: Access is denied.
2022-06-22 19:22:02,504 [root] DEBUG: Monitor initialised: 64-bit capemon loaded in process 3240 at 0x00007FFDDC260000, thread 4668, image base 0x00007FF7B2360000, stack from 0x0000000000D25000-0x0000000000D30000
2022-06-22 19:22:02,504 [root] DEBUG: Commandline: C:\Windows\splwow64.exe 8192
2022-06-22 19:22:02,551 [root] DEBUG: RestoreHeaders: Restored original import table.
2022-06-22 19:22:02,566 [root] INFO: Loaded monitor into process with pid 3240
2022-06-22 19:22:02,566 [root] DEBUG: caller_dispatch: Adding region at 0x00007FFDFC930000 to caller regions list (ntdll::LdrGetProcedureAddressForCaller returns to 0x00007FFDFC970331, thread 4668).
2022-06-22 19:22:02,566 [root] DEBUG: caller_dispatch: Scanning calling region at 0x00007FFDFC930000...
2022-06-22 19:22:02,566 [root] DEBUG: caller_dispatch: Dump of calling region at 0x00007FFDFC930000 skipped (ntdll::LdrGetProcedureAddressForCaller returns to 0x00007FFDFC970331 mapped as \Device\HarddiskVolume2\Windows\System32\KernelBase.dll).
2022-06-22 19:22:02,566 [root] DEBUG: caller_dispatch: Adding region at 0x00007FFDFEB90000 to caller regions list (ntdll::NtClose returns to 0x00007FFDFEC63E73, thread 4668).
2022-06-22 19:22:02,582 [root] DEBUG: caller_dispatch: Adding region at 0x00007FFDFCDE0000 to caller regions list (advapi32::LsaOpenPolicy returns to 0x00007FFDFCDEF72B, thread 1564).
2022-06-22 19:22:02,582 [root] DEBUG: caller_dispatch: Dump of calling region at 0x00007FFDFCDE0000 skipped (advapi32::LsaOpenPolicy returns to 0x00007FFDFCDEF72B mapped as \Device\HarddiskVolume2\Windows\System32\advapi32.dll).
2022-06-22 19:22:02,582 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3240
2022-06-22 19:22:02,582 [root] DEBUG: GetHookCallerBase: thread 4668, return address 0x00007FFDFEBED9D4, allocation base 0x00007FFDFEB90000.
2022-06-22 19:22:02,582 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00007FF7B2360000.
2022-06-22 19:22:02,582 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2022-06-22 19:22:02,582 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00007FF7B2360000.
2022-06-22 19:22:02,597 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000CAA0.
2022-06-22 19:22:02,597 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x0.
2022-06-22 19:22:02,597 [root] DEBUG: caller_dispatch: Adding region at 0x00007FFDFBC10000 to caller regions list (ntdll::NtClose returns to 0x00007FFDFBC1226F, thread 4668).
2022-06-22 19:22:02,597 [root] DEBUG: DLL unloaded from 0x00007FFDFCF70000.
2022-06-22 19:22:02,613 [root] DEBUG: caller_dispatch: Adding region at 0x00007FFDFC820000 to caller regions list (ntdll::NtOpenKey returns to 0x00007FFDFC852C4F, thread 4668).
2022-06-22 19:22:02,613 [root] DEBUG: caller_dispatch: Scanning calling region at 0x00007FFDFC820000...
2022-06-22 19:22:02,613 [root] DEBUG: caller_dispatch: Dump of calling region at 0x00007FFDFC820000 skipped (ntdll::NtOpenKey returns to 0x00007FFDFC852C4F mapped as \Device\HarddiskVolume2\Windows\System32\gdi32full.dll).
2022-06-22 19:22:02,613 [root] INFO: Process with pid 3240 has terminated
2022-06-22 19:22:03,223 [root] DEBUG: caller_dispatch: Adding region at 0x6CAF0000 to caller regions list (ntdll::NtAllocateVirtualMemory returns to 0x6CB4B792, thread 1612).
2022-06-22 19:22:03,238 [root] DEBUG: caller_dispatch: Dump of calling region at 0x6CAF0000 skipped (ntdll::NtAllocateVirtualMemory returns to 0x6CB4B792 mapped as \Device\HarddiskVolume2\Windows\SysWOW64\TextShaping.dll).
2022-06-22 19:22:06,089 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\FBD4E0C0.wmf
2022-06-22 19:22:07,651 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8E1BE9C1.wmf
2022-06-22 19:22:08,042 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\2A66C4CE.wmf
2022-06-22 19:22:08,449 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\51C01277.wmf
2022-06-22 19:22:08,870 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7BBB5A0C.wmf
2022-06-22 19:22:09,230 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\B9905A9D.wmf
2022-06-22 19:22:09,605 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\C9C427FA.wmf
2022-06-22 19:22:09,980 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\4E4DA3B3.wmf
2022-06-22 19:22:10,417 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E5A5A218.wmf
2022-06-22 19:22:10,776 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7C56CB39.wmf
2022-06-22 19:22:11,136 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\BDF207E6.wmf
2022-06-22 19:22:11,511 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\D9E60AAF.wmf
2022-06-22 19:22:13,511 [modules.auxiliary.human] INFO: Closing Office window
2022-06-22 19:22:13,558 [root] DEBUG: DLL unloaded from 0x6D1D0000.
2022-06-22 19:22:13,589 [root] DEBUG: DLL unloaded from 0x766C0000.
2022-06-22 19:22:13,621 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Temp\~$emotet.doc size is 162, Max size: 100000000
2022-06-22 19:22:13,652 [root] DEBUG: DLL unloaded from 0x3F100000.
2022-06-22 19:22:13,698 [root] DEBUG: DLL unloaded from 0x6E510000.
2022-06-22 19:22:13,870 [root] DEBUG: DLL unloaded from 0x75900000.
2022-06-22 19:22:13,870 [root] DEBUG: DLL unloaded from 0x6CD40000.
2022-06-22 19:22:13,886 [root] DEBUG: DLL unloaded from 0x767B0000.
2022-06-22 19:22:13,886 [root] DEBUG: DLL unloaded from 0x6CD80000.
2022-06-22 19:22:13,886 [root] DEBUG: DLL unloaded from 0x0D640000.
2022-06-22 19:22:13,902 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{EEC6EDE2-BCA5-49CB-B19F-0F5A76F6BDCD}.tmp
2022-06-22 19:22:13,902 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{6ABC6DC3-9B72-4311-9F62-CFEF5754120E}.tmp
2022-06-22 19:22:13,902 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{FEAAABCE-A76B-46D0-8551-5FA8C8672DB3}.tmp
2022-06-22 19:22:13,918 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{EEC6EDE2-BCA5-49CB-B19F-0F5A76F6BDCD}.tmp size is 0, Max size: 100000000
2022-06-22 19:22:13,948 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Roaming\Microsoft\Templates\~$Normal.dotm size is 162, Max size: 100000000
2022-06-22 19:22:13,964 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{6ABC6DC3-9B72-4311-9F62-CFEF5754120E}.tmp size is 1024, Max size: 100000000
2022-06-22 19:22:13,980 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{FEAAABCE-A76B-46D0-8551-5FA8C8672DB3}.tmp size is 1536, Max size: 100000000
2022-06-22 19:22:13,996 [root] DEBUG: DLL unloaded from 0x6E200000.
2022-06-22 19:22:13,996 [root] DEBUG: DLL unloaded from 0x767B0000.
2022-06-22 19:22:13,996 [root] DEBUG: DLL unloaded from 0x766C0000.
2022-06-22 19:22:13,996 [root] DEBUG: DLL unloaded from 0x6E510000.
2022-06-22 19:22:13,996 [root] DEBUG: DLL unloaded from 0x6C880000.
2022-06-22 19:22:14,011 [root] DEBUG: DLL unloaded from 0x6E4B0000.
2022-06-22 19:22:14,011 [root] DEBUG: DLL unloaded from 0x74920000.
2022-06-22 19:22:14,011 [root] DEBUG: DLL unloaded from 0x76AA0000.
2022-06-22 19:22:14,011 [root] DEBUG: DLL unloaded from 0x6E420000.
2022-06-22 19:22:14,011 [root] DEBUG: DLL unloaded from 0x05090000.
2022-06-22 19:22:14,027 [root] DEBUG: DLL unloaded from 0x2FDD0000.
2022-06-22 19:22:14,027 [root] DEBUG: DLL unloaded from 0x73460000.
2022-06-22 19:22:14,027 [root] DEBUG: DLL unloaded from 0x75630000.
2022-06-22 19:22:14,073 [root] DEBUG: DLL unloaded from 0x75EA0000.
2022-06-22 19:22:14,073 [root] DEBUG: DLL unloaded from 0x74B70000.
2022-06-22 19:22:14,073 [root] DEBUG: DLL unloaded from 0x6E510000.
2022-06-22 19:22:14,089 [root] DEBUG: DLL unloaded from 0x767B0000.
2022-06-22 19:22:14,089 [root] DEBUG: DLL unloaded from 0x733F0000.
2022-06-22 19:22:14,089 [root] DEBUG: DLL unloaded from 0x75630000.
2022-06-22 19:22:14,089 [root] DEBUG: DLL unloaded from 0x73A40000.
2022-06-22 19:22:14,105 [root] DEBUG: DLL unloaded from 0x75600000.
2022-06-22 19:22:14,105 [root] DEBUG: DLL unloaded from 0x73460000.
2022-06-22 19:22:14,121 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\D9E60AAF.wmf size is 430, Max size: 100000000
2022-06-22 19:22:14,136 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\BDF207E6.wmf size is 430, Max size: 100000000
2022-06-22 19:22:14,151 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7C56CB39.wmf size is 430, Max size: 100000000
2022-06-22 19:22:14,167 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E5A5A218.wmf size is 430, Max size: 100000000
2022-06-22 19:22:14,183 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\4E4DA3B3.wmf size is 430, Max size: 100000000
2022-06-22 19:22:14,214 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\C9C427FA.wmf size is 430, Max size: 100000000
2022-06-22 19:22:14,245 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\B9905A9D.wmf size is 430, Max size: 100000000
2022-06-22 19:22:14,261 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7BBB5A0C.wmf size is 430, Max size: 100000000
2022-06-22 19:22:14,308 [root] DEBUG: Dropped file limit reached.
2022-06-22 19:22:14,308 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3096
2022-06-22 19:22:14,308 [root] DEBUG: GetHookCallerBase: thread 1612, return address 0x2FDD1625, allocation base 0x2FDD0000.
2022-06-22 19:22:14,324 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x2FDD0000.
2022-06-22 19:22:14,339 [root] DEBUG: DumpProcess: Module entry point VA is 0x000010FC.
2022-06-22 19:22:14,355 [lib.common.results] INFO: File C:\PrUGuHE\CAPE\3096_510117308923462022 size is 1416704, Max size: 100000000
2022-06-22 19:22:14,370 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x159e00.
2022-06-22 19:22:14,402 [root] DEBUG: DLL unloaded from 0x6E510000.
2022-06-22 19:22:14,402 [root] DEBUG: DLL unloaded from 0x772D0000.
2022-06-22 19:22:14,402 [root] DEBUG: DLL unloaded from 0x6E120000.
2022-06-22 19:22:14,417 [root] DEBUG: api-rate-cap: LdrGetDllHandle hook disabled due to rate.
2022-06-22 19:22:14,417 [root] DEBUG: DLL unloaded from 0x6E720000.
2022-06-22 19:22:14,417 [root] DEBUG: DLL unloaded from 0x75600000.
2022-06-22 19:22:14,433 [root] DEBUG: DLL unloaded from 0x72320000.
2022-06-22 19:22:14,433 [root] INFO: Process with pid 3096 has terminated
2022-06-22 19:23:35,168 [root] INFO: Analysis timeout hit, terminating analysis
2022-06-22 19:23:35,168 [lib.api.process] INFO: Terminate event set for process 3056
2022-06-22 19:23:40,183 [lib.api.process] INFO: Termination confirmed for process 3056
2022-06-22 19:23:40,183 [root] INFO: Terminate event set for process 3056
2022-06-22 19:23:40,183 [root] INFO: Created shutdown mutex
2022-06-22 19:23:41,199 [root] INFO: Shutting down package
2022-06-22 19:23:41,199 [root] INFO: Stopping auxiliary modules
2022-06-22 19:23:41,199 [modules.auxiliary.curtain] ERROR: Curtain - Error collecting PowerShell events - [Errno 13] Permission denied: 'C:\\curtain.log'
2022-06-22 19:23:41,199 [modules.auxiliary.curtain] ERROR: Curtain log file not found!
2022-06-22 19:23:41,292 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Application.evtx to zip dump
2022-06-22 19:23:41,308 [root] WARNING: Cannot terminate auxiliary module Evtx: [Errno 13] Permission denied: 'C:/windows/Sysnative/winevt/Logs\\Application.evtx'
2022-06-22 19:23:41,448 [lib.common.results] WARNING: File C:\PrUGuHE\bin\procmon.xml doesn't exist anymore
2022-06-22 19:23:41,448 [root] INFO: Finishing auxiliary modules
2022-06-22 19:23:41,448 [root] INFO: Shutting down pipe server and dumping dropped files
2022-06-22 19:23:41,464 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Roaming\Microsoft\Templates\Normal.dotm size is 20513, Max size: 100000000
2022-06-22 19:23:41,480 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Temp\emotet.doc size is 143202, Max size: 100000000
2022-06-22 19:23:41,495 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Temp\Word8.0\MSForms.exd size is 166724, Max size: 100000000
2022-06-22 19:23:41,511 [root] WARNING: File at path c:\users\johnquser\appdata\local\microsoft\windows\inetcache\content.mso\33d2155c.wmf does not exist, skipping
2022-06-22 19:23:41,511 [root] WARNING: File at path c:\users\johnquser\appdata\local\microsoft\windows\inetcache\content.mso\6c29bdad.wmf does not exist, skipping
2022-06-22 19:23:41,527 [root] WARNING: File at path c:\users\johnquser\appdata\local\microsoft\windows\inetcache\content.mso\a5968fca.wmf does not exist, skipping
2022-06-22 19:23:41,527 [root] WARNING: File at path c:\users\johnquser\appdata\local\microsoft\windows\inetcache\content.mso\70a9c943.wmf does not exist, skipping
2022-06-22 19:23:41,527 [root] WARNING: File at path c:\users\johnquser\appdata\local\microsoft\windows\inetcache\content.mso\65aea68.wmf does not exist, skipping
2022-06-22 19:23:41,527 [root] WARNING: File at path c:\users\johnquser\appdata\local\microsoft\windows\inetcache\content.mso\702b5749.wmf does not exist, skipping
2022-06-22 19:23:41,527 [root] WARNING: File at path c:\users\johnquser\appdata\local\microsoft\windows\inetcache\content.mso\7d1b84b6.wmf does not exist, skipping
2022-06-22 19:23:41,527 [root] WARNING: File at path c:\users\johnquser\appdata\local\microsoft\windows\inetcache\content.mso\3d6b1ca5.wmf does not exist, skipping
2022-06-22 19:23:41,527 [root] WARNING: File at path c:\users\johnquser\appdata\local\microsoft\windows\inetcache\content.mso\97f73262.wmf does not exist, skipping
2022-06-22 19:23:41,527 [root] WARNING: File at path c:\users\johnquser\appdata\local\microsoft\windows\inetcache\content.mso\21329afb.wmf does not exist, skipping
2022-06-22 19:23:41,527 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC size is 24, Max size: 100000000
2022-06-22 19:23:41,542 [root] WARNING: File at path c:\users\johnquser\appdata\local\microsoft\windows\inetcache\content.mso\fbd4e0c0.wmf does not exist, skipping
2022-06-22 19:23:41,542 [root] WARNING: File at path c:\users\johnquser\appdata\local\microsoft\windows\inetcache\content.mso\8e1be9c1.wmf does not exist, skipping
2022-06-22 19:23:41,542 [root] WARNING: File at path c:\users\johnquser\appdata\local\microsoft\windows\inetcache\content.mso\2a66c4ce.wmf does not exist, skipping
2022-06-22 19:23:41,542 [root] WARNING: File at path c:\users\johnquser\appdata\local\microsoft\windows\inetcache\content.mso\51c01277.wmf does not exist, skipping
2022-06-22 19:23:41,542 [root] WARNING: Folder at path "C:\PrUGuHE\debugger" does not exist, skipping
2022-06-22 19:23:41,542 [root] WARNING: Folder at path "C:\PrUGuHE\tlsdump" does not exist, skipping
2022-06-22 19:23:41,558 [root] INFO: Analysis completed
ClaudioWayne commented 2 years ago

Cannot execute auxiliary module Disguise: [WinError 5] Access is denied Error 5 (0x5) - InjectDll: Failed to open process: Access is denied. Error 5 (0x5) - AmsiDumper: Is CAPE agent running elevated? Initialisation failed: Access is denied.

Yes, I had these access denied failures too. I guess your agent does not have elevated rights. Same output in process tree. I managed to run agent elevated, but then I got some bluescreens. For the CAPE agent on WIN10 see https://capev2.readthedocs.io/en/latest/installation/guest/agent.html

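The "Access is denied" lines quoted above are the quickest tell that the guest agent is not elevated: capemon cannot open protected processes, so Disguise, AmsiDumper and the tlsdump injection into lsass.exe all fail with error 5. The script below is an added example for this thread, not CAPE project code. It scans an analysis.log for those failure strings and for the success path shown in the elevated run (tlsdump locating lsass.exe and the loader reporting an injection into that pid) and reports a verdict. The marker strings are copied from the log excerpts in this thread; other capemon versions may word them differently, so treat the regexes as an assumption to adjust. The two sample logs are constructed inline so the script runs offline.

```python
"""Triage a CAPE guest analysis.log for evidence that the agent ran unelevated.

Added example for this issue thread, not CAPE project code. Marker strings are
taken from the log excerpts quoted in the thread (assumption: wording may vary
between capemon versions).
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Failure text seen in the unelevated run quoted by ClaudioWayne.
DENIED_PATTERNS = [
    re.compile(r"Is CAPE agent running elevated\?"),
    re.compile(r"InjectDll: Failed to open process: Access is denied"),
    re.compile(r"Cannot execute auxiliary module (?P<module>\w+): \[WinError 5\]"),
]
# Success path from the elevated run: tlsdump finds lsass.exe and the loader injects into it.
LSASS_FOUND = re.compile(r"\[modules\.auxiliary\.tlsdump\] INFO: lsass\.exe found, pid (?P<pid>\d+)")
INJECTED = re.compile(r"Injected into suspended (?:32|64)-bit process with pid (?P<pid>\d+)")


@dataclass
class ElevationReport:
    verdict: str                      # "elevated", "unelevated" or "unknown"
    denied_lines: List[str] = field(default_factory=list)
    lsass_pid: Optional[int] = None   # pid tlsdump reported for lsass.exe, if any
    lsass_injected: bool = False      # True when an injection line names that pid


def triage(lines: Iterable[str]) -> ElevationReport:
    """Classify an analysis.log (iterable of lines) by agent elevation evidence."""
    report = ElevationReport(verdict="unknown")
    injected_pids = set()
    for raw in lines:
        line = raw.rstrip("\n")
        if any(p.search(line) for p in DENIED_PATTERNS):
            report.denied_lines.append(line)
            continue
        m = LSASS_FOUND.search(line)
        if m:
            report.lsass_pid = int(m.group("pid"))
            continue
        m = INJECTED.search(line)
        if m:
            injected_pids.add(int(m.group("pid")))
    # Order-independent: the injection line may land before or after the lsass line.
    report.lsass_injected = report.lsass_pid is not None and report.lsass_pid in injected_pids
    if report.denied_lines:
        report.verdict = "unelevated"      # any error-5 marker wins, even if lsass was injected
    elif report.lsass_injected:
        report.verdict = "elevated"        # opening lsass.exe requires an elevated token
    return report


def triage_file(path: str) -> ElevationReport:
    """Convenience wrapper for a log file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return triage(fh)


# Constructed sample in the shape of the elevated run quoted in the thread.
ELEVATED_SAMPLE = """\
2022-06-29 10:19:41,969 [root] DEBUG: Trying to start auxiliary module "TLSDumpMasterSecrets"...
2022-06-29 10:19:41,985 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 716
2022-06-29 10:19:42,141 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2022-06-29 10:19:42,157 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 716
2022-06-29 10:19:49,969 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4196
"""

# Constructed sample: the failure strings quoted by ClaudioWayne, wrapped in log-line form.
UNELEVATED_SAMPLE = """\
2022-06-22 19:20:12,000 [root] WARNING: Cannot execute auxiliary module Disguise: [WinError 5] Access is denied
2022-06-22 19:20:12,050 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 716
2022-06-22 19:20:12,100 [root] DEBUG: InjectDll: Failed to open process: Access is denied. Error 5 (0x5)
2022-06-22 19:20:20,000 [root] DEBUG: AmsiDumper: Is CAPE agent running elevated? Initialisation failed: Access is denied.
"""


def main() -> None:
    for name, sample in (("elevated run", ELEVATED_SAMPLE), ("unelevated run", UNELEVATED_SAMPLE)):
        rep = triage(sample.splitlines())
        print(f"{name}: verdict={rep.verdict} lsass_pid={rep.lsass_pid} "
              f"lsass_injected={rep.lsass_injected} denied={len(rep.denied_lines)}")
        for d in rep.denied_lines:
            print("   ", d)


if __name__ == "__main__":
    main()
```

Run it against a real guest log with `triage_file("analysis.log")`. A verdict of "unelevated" on a Win10 guest means the fix is on the agent side (launch it elevated, or via an elevated startup shortcut with UAC disabled, before taking the snapshot), not in the sample or the package.
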
kevoreilly commented 2 years ago

The best method of installing the agent is still debatable after this documentation was updated recently. I personally do not use a method that involves scheduled tasks - there is in fact no actual need for automating the agent launch but I have achieved it by placing an elevated shortcut in startup in combination with disabling UAC. But just launching the agent by hand prior to snapshot is perfectly sufficient.

ClaudioWayne commented 2 years ago

Thx for the hint

scrublullz commented 2 years ago

@ClaudioWayne 100% correct, I did not have the Agent running with elevated privilege, I appreciate the callout. Just fixed it.

ClaudioWayne commented 2 years ago

Did you test the sample with elevated privilege?

scrublullz commented 2 years ago

2022-06-28 17:31:23,772 [root] INFO: Date set to: 20220629T10:19:41, timeout set to: 200
2022-06-29 10:19:41,094 [root] DEBUG: Starting analyzer from: C:\tmpurzvybzd
2022-06-29 10:19:41,094 [root] DEBUG: Storing results at: C:\GXSBfz
2022-06-29 10:19:41,094 [root] DEBUG: Pipe server name: \\.\PIPE\SfuMTu
2022-06-29 10:19:41,094 [root] DEBUG: Python path: C:\Users\johnquser\AppData\Local\Programs\Python\Python37-32
2022-06-29 10:19:41,094 [root] INFO: Analysis package "doc" has been specified
2022-06-29 10:19:41,094 [root] DEBUG: Importing analysis package "doc"...
2022-06-29 10:19:41,126 [root] DEBUG: Initializing analysis package "doc"...
2022-06-29 10:19:41,126 [root] INFO: Analyzer: Package modules.packages.doc does not specify a DLL option
2022-06-29 10:19:41,126 [root] INFO: Analyzer: Package modules.packages.doc does not specify a DLL_64 option
2022-06-29 10:19:41,126 [root] INFO: Analyzer: Package modules.packages.doc does not specify a loader option
2022-06-29 10:19:41,126 [root] INFO: Analyzer: Package modules.packages.doc does not specify a loader_64 option
2022-06-29 10:19:41,313 [root] DEBUG: Importing auxiliary module "modules.auxiliary.browser"...
2022-06-29 10:19:41,329 [root] DEBUG: Importing auxiliary module "modules.auxiliary.curtain"...
2022-06-29 10:19:41,329 [root] DEBUG: Importing auxiliary module "modules.auxiliary.digisig"...
2022-06-29 10:19:41,344 [root] DEBUG: Importing auxiliary module "modules.auxiliary.disguise"...
2022-06-29 10:19:41,360 [root] DEBUG: Importing auxiliary module "modules.auxiliary.evtx"...
2022-06-29 10:19:41,376 [root] DEBUG: Importing auxiliary module "modules.auxiliary.filepickup"...
2022-06-29 10:19:41,376 [root] DEBUG: Importing auxiliary module "modules.auxiliary.human"...
2022-06-29 10:19:41,391 [root] DEBUG: Importing auxiliary module "modules.auxiliary.permissions"...
2022-06-29 10:19:41,391 [root] DEBUG: Importing auxiliary module "modules.auxiliary.procmon"...
2022-06-29 10:19:41,422 [root] DEBUG: Importing auxiliary module "modules.auxiliary.screenshots"...
2022-06-29 10:19:41,454 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2022-06-29 10:19:41,594 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2022-06-29 10:19:41,610 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2022-06-29 10:19:41,610 [root] DEBUG: Importing auxiliary module "modules.auxiliary.sysmon"...
2022-06-29 10:19:41,610 [root] DEBUG: Importing auxiliary module "modules.auxiliary.tlsdump"...
2022-06-29 10:19:41,610 [root] DEBUG: Importing auxiliary module "modules.auxiliary.usage"...
2022-06-29 10:19:41,626 [root] DEBUG: Initialized auxiliary module "Browser"
2022-06-29 10:19:41,626 [root] DEBUG: Trying to start auxiliary module "Browser"...
2022-06-29 10:19:41,626 [root] DEBUG: Started auxiliary module "Browser"
2022-06-29 10:19:41,626 [root] DEBUG: Started auxiliary module Browser
2022-06-29 10:19:41,626 [root] DEBUG: Initialized auxiliary module "Curtain"
2022-06-29 10:19:41,626 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2022-06-29 10:19:41,626 [root] DEBUG: Started auxiliary module "Curtain"
2022-06-29 10:19:41,626 [root] DEBUG: Started auxiliary module Curtain
2022-06-29 10:19:41,626 [root] DEBUG: Initialized auxiliary module "DigiSig"
2022-06-29 10:19:41,626 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2022-06-29 10:19:41,626 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2022-06-29 10:19:41,907 [modules.auxiliary.digisig] DEBUG: File format not recognized
2022-06-29 10:19:41,907 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2022-06-29 10:19:41,923 [root] DEBUG: Started auxiliary module "DigiSig"
2022-06-29 10:19:41,923 [root] DEBUG: Started auxiliary module DigiSig
2022-06-29 10:19:41,923 [root] DEBUG: Initialized auxiliary module "Disguise"
2022-06-29 10:19:41,923 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2022-06-29 10:19:41,938 [modules.auxiliary.disguise] INFO: Disguising GUID to 3ba15bcb-d322-4109-b623-b3733c61bb8e
2022-06-29 10:19:41,938 [root] DEBUG: Started auxiliary module "Disguise"
2022-06-29 10:19:41,938 [root] DEBUG: Started auxiliary module Disguise
2022-06-29 10:19:41,938 [root] DEBUG: Initialized auxiliary module "Evtx"
2022-06-29 10:19:41,938 [root] DEBUG: Trying to start auxiliary module "Evtx"...
2022-06-29 10:19:41,954 [root] DEBUG: Started auxiliary module "Evtx"
2022-06-29 10:19:41,954 [root] DEBUG: Started auxiliary module Evtx
2022-06-29 10:19:41,954 [root] WARNING: Auxiliary module FilePickup was not implemented: 'Config' object has no attribute 'file_pickup'
2022-06-29 10:19:41,954 [root] DEBUG: Initialized auxiliary module "Human"
2022-06-29 10:19:41,954 [root] DEBUG: Trying to start auxiliary module "Human"...
2022-06-29 10:19:41,954 [root] DEBUG: Started auxiliary module "Human"
2022-06-29 10:19:41,954 [root] DEBUG: Started auxiliary module Human
2022-06-29 10:19:41,969 [root] WARNING: Auxiliary module Permissions was not implemented: 'Config' object has no attribute 'file_pickup'
2022-06-29 10:19:41,969 [root] DEBUG: Initialized auxiliary module "Procmon"
2022-06-29 10:19:41,969 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2022-06-29 10:19:41,969 [root] DEBUG: Started auxiliary module "Procmon"
2022-06-29 10:19:41,969 [root] DEBUG: Started auxiliary module Procmon
2022-06-29 10:19:41,969 [root] DEBUG: Initialized auxiliary module "Screenshots"
2022-06-29 10:19:41,969 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2022-06-29 10:19:41,969 [root] DEBUG: Started auxiliary module "Screenshots"
2022-06-29 10:19:41,969 [root] DEBUG: Started auxiliary module Screenshots
2022-06-29 10:19:41,969 [root] DEBUG: Initialized auxiliary module "Sysmon"
2022-06-29 10:19:41,969 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2022-06-29 10:19:41,969 [root] DEBUG: Started auxiliary module "Sysmon"
2022-06-29 10:19:41,969 [root] DEBUG: Started auxiliary module Sysmon
2022-06-29 10:19:41,969 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2022-06-29 10:19:41,969 [root] DEBUG: Trying to start auxiliary module "TLSDumpMasterSecrets"...
2022-06-29 10:19:41,985 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 716
2022-06-29 10:19:41,985 [lib.api.process] INFO: Monitor config for process 716: C:\tmpurzvybzd\dll\716.ini
2022-06-29 10:19:41,985 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2022-06-29 10:19:41,985 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpurzvybzd\dll\xmukJfa.dll, loader C:\tmpurzvybzd\bin\XYYzJVVA.exe
2022-06-29 10:19:42,063 [root] DEBUG: Loader: Injecting process 716 with C:\tmpurzvybzd\dll\xmukJfa.dll.
2022-06-29 10:19:42,110 [root] DEBUG: Python path set to 'C:\Users\johnquser\AppData\Local\Programs\Python\Python37-32'.
2022-06-29 10:19:42,110 [root] DEBUG: TLS secret dump mode enabled.
2022-06-29 10:19:42,110 [root] INFO: Disabling sleep skipping.
2022-06-29 10:19:42,110 [root] DEBUG: Monitor initialised: 64-bit capemon loaded in process 716 at 0x00007FFD08D30000, thread 1656, image base 0x00007FF7A96D0000, stack from 0x000000E436774000-0x000000E436780000
2022-06-29 10:19:42,110 [root] DEBUG: Commandline: C:\Windows\system32\lsass.exe
2022-06-29 10:19:42,141 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2022-06-29 10:19:42,141 [root] DEBUG: Successfully injected DLL C:\tmpurzvybzd\dll\xmukJfa.dll.
2022-06-29 10:19:42,157 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 716
2022-06-29 10:19:42,157 [root] DEBUG: Started auxiliary module "TLSDumpMasterSecrets"
2022-06-29 10:19:42,157 [root] DEBUG: Started auxiliary module TLSDumpMasterSecrets
2022-06-29 10:19:42,251 [root] DEBUG: Initialized auxiliary module "Usage"
2022-06-29 10:19:42,251 [root] DEBUG: Trying to start auxiliary module "Usage"...
2022-06-29 10:19:42,266 [root] DEBUG: Started auxiliary module "Usage"
2022-06-29 10:19:42,266 [root] DEBUG: Started auxiliary module Usage
2022-06-29 10:19:42,594 [root] DEBUG: DLL loaded at 0x00007FFD26880000: C:\Windows\system32\DSROLE (0xa000 bytes).
2022-06-29 10:19:42,594 [root] DEBUG: DLL loaded at 0x00007FFD0D5B0000: C:\Windows\System32\SecureTimeAggregator (0x21000 bytes).
2022-06-29 10:19:43,329 [root] DEBUG: DLL loaded at 0x00007FFD25960000: C:\Windows\System32\cryptnet (0x31000 bytes).
2022-06-29 10:19:47,797 [root] INFO: Restarting WMI Service
2022-06-29 10:19:49,907 [lib.common.common] INFO: Submitted file is missing extension, adding .doc
2022-06-29 10:19:49,922 [lib.api.process] INFO: Successfully executed process from path "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" with arguments ""C:\Users\JOHNQU~1\AppData\Local\Temp\c378387344e0a552dc065de6.doc" /q" with pid 4196
2022-06-29 10:19:49,922 [lib.api.process] INFO: Monitor config for process 4196: C:\tmpurzvybzd\dll\4196.ini
2022-06-29 10:19:49,922 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpurzvybzd\dll\IjGtwA.dll, loader C:\tmpurzvybzd\bin\LXzJFxg.exe
2022-06-29 10:19:49,954 [root] DEBUG: Loader: Injecting process 4196 (thread 2456) with C:\tmpurzvybzd\dll\IjGtwA.dll.
2022-06-29 10:19:49,954 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2022-06-29 10:19:49,954 [root] DEBUG: Successfully injected DLL C:\tmpurzvybzd\dll\IjGtwA.dll.
2022-06-29 10:19:49,969 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4196
2022-06-29 10:19:51,985 [lib.api.process] INFO: Successfully resumed process with pid 4196
2022-06-29 10:19:52,063 [root] DEBUG: Python path set to 'C:\Users\johnquser\AppData\Local\Programs\Python\Python37-32'.
2022-06-29 10:19:52,063 [root] DEBUG: Dropped file limit defaulting to 100.
2022-06-29 10:19:52,063 [root] DEBUG: Initialising Yara...
2022-06-29 10:19:52,079 [root] DEBUG: YaraInit: Compiled 18 rule files
2022-06-29 10:19:52,079 [root] DEBUG: YaraInit: Compiled rules saved to file C:\tmpurzvybzd\data\yara\capemon.yac
2022-06-29 10:19:52,079 [root] DEBUG: InternalYaraScan: Scanning 0x77630000, size 0x1a219c
2022-06-29 10:19:52,094 [root] DEBUG: AmsiDumper initialised.
2022-06-29 10:19:52,094 [root] DEBUG: Monitor initialised: 32-bit capemon loaded in process 4196 at 0x724e0000, thread 2456, image base 0x2f7a0000, stack from 0x1356000-0x1360000
2022-06-29 10:19:52,094 [root] DEBUG: Commandline: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" "C:\Users\JOHNQU~1\AppData\Local\Temp\c378387344e0a552dc065de6.doc" /q
2022-06-29 10:19:52,110 [root] DEBUG: Microsoft Office settings enabled.
2022-06-29 10:19:52,126 [root] DEBUG: RestoreHeaders: Restored original import table.
2022-06-29 10:19:52,126 [root] INFO: Loaded monitor into process with pid 4196
2022-06-29 10:19:52,141 [root] DEBUG: DLL loaded at 0x723D0000: C:\Windows\SYSTEM32\ninput (0x54000 bytes).
2022-06-29 10:19:52,141 [root] DEBUG: caller_dispatch: Adding region at 0x2F7A0000 to caller regions list (ntdll::LdrGetDllHandle returns to 0x2F7A111F, thread 2456).
2022-06-29 10:19:52,141 [root] DEBUG: caller_dispatch: Dump of calling region at 0x2F7A0000 skipped (ntdll::LdrGetDllHandle returns to 0x2F7A111F mapped as \Device\HarddiskVolume2\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE).
2022-06-29 10:19:52,250 [root] DEBUG: DLL loaded at 0x74BE0000: C:\Windows\SYSTEM32\WTSAPI32 (0xf000 bytes).
2022-06-29 10:19:52,250 [root] DEBUG: DLL loaded at 0x6FBF0000: C:\Windows\SYSTEM32\MSIMG32 (0x6000 bytes).
2022-06-29 10:19:52,266 [root] DEBUG: DLL loaded at 0x70FA0000: C:\Program Files (x86)\Microsoft Office\Office14\gfx (0x1ab000 bytes).
2022-06-29 10:19:52,266 [root] DEBUG: DLL loaded at 0x6FC00000: C:\Program Files (x86)\Microsoft Office\Office14\oart (0x1394000 bytes).
2022-06-29 10:19:52,266 [root] DEBUG: DLL loaded at 0x71150000: C:\Program Files (x86)\Microsoft Office\Office14\wwlib (0x127f000 bytes).
2022-06-29 10:19:52,313 [root] DEBUG: DLL loaded at 0x6EA00000: C:\Program Files (x86)\Common Files\Microsoft Shared\office14\mso (0x11ea000 bytes).
2022-06-29 10:19:52,344 [root] DEBUG: DLL loaded at 0x6E7F0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.844_none_11adecdf30011423\Comctl32 (0x210000 bytes).
2022-06-29 10:19:52,344 [root] INFO: Disabling sleep skipping.
2022-06-29 10:19:52,422 [root] DEBUG: DLL unloaded from 0x767E0000.
2022-06-29 10:19:52,438 [root] DEBUG: DLL loaded at 0x6E7C0000: C:\Windows\SYSTEM32\srpapi (0x25000 bytes).
2022-06-29 10:19:52,500 [root] DEBUG: DLL loaded at 0x6E700000: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSPTLS (0xbc000 bytes).
2022-06-29 10:19:52,532 [root] DEBUG: DLL loaded at 0x76270000: C:\Windows\System32\MSCTF (0xd4000 bytes).
2022-06-29 10:19:52,563 [root] DEBUG: DLL loaded at 0x6E5B0000: C:\Program Files (x86)\Common Files\Microsoft Shared\office14\riched20 (0x14f000 bytes).
2022-06-29 10:19:52,579 [root] DEBUG: DLL loaded at 0x6E550000: C:\Windows\system32\mscoree (0x52000 bytes).
2022-06-29 10:19:52,594 [root] DEBUG: DLL loaded at 0x6E4C0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x8d000 bytes).
2022-06-29 10:19:52,594 [root] DEBUG: DLL unloaded from 0x75C50000.
2022-06-29 10:19:52,657 [root] DEBUG: DLL loaded at 0x6E4A0000: C:\Program Files (x86)\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC (0x20000 bytes).
2022-06-29 10:19:52,688 [root] DEBUG: DLL loaded at 0x76700000: C:\Windows\System32\bcryptPrimitives (0x5f000 bytes).
2022-06-29 10:19:52,688 [root] DEBUG: DLL loaded at 0x75E70000: C:\Windows\System32\clbcatq (0x7e000 bytes).
2022-06-29 10:19:52,704 [root] DEBUG: DLL loaded at 0x6E460000: C:\Windows\System32\netprofm (0x31000 bytes).
2022-06-29 10:19:52,719 [root] DEBUG: DLL loaded at 0x6E450000: C:\Windows\System32\npmproxy (0xa000 bytes).
2022-06-29 10:19:52,735 [root] DEBUG: DLL loaded at 0x73910000: C:\Windows\SYSTEM32\IPHLPAPI (0x32000 bytes).
2022-06-29 10:19:52,751 [root] DEBUG: DLL loaded at 0x77120000: C:\Windows\System32\NSI (0x7000 bytes).
2022-06-29 10:19:52,751 [root] DEBUG: DLL loaded at 0x6E430000: C:\Windows\SYSTEM32\dhcpcsvc6 (0x14000 bytes).
2022-06-29 10:19:52,751 [root] DEBUG: DLL loaded at 0x73650000: C:\Windows\SYSTEM32\dhcpcsvc (0x16000 bytes).
2022-06-29 10:19:52,766 [root] DEBUG: DLL loaded at 0x6E390000: C:\Windows\SYSTEM32\DNSAPI (0x92000 bytes).
2022-06-29 10:19:52,797 [root] DEBUG: DLL loaded at 0x6E300000: C:\Windows\SYSTEM32\sxs (0x88000 bytes).
2022-06-29 10:19:52,813 [root] DEBUG: DLL loaded at 0x77130000: C:\Windows\System32\coml2 (0x5e000 bytes).
2022-06-29 10:19:52,813 [root] DEBUG: DLL loaded at 0x6E2F0000: C:\Windows\SYSTEM32\windows.staterepositorycore (0xc000 bytes).
2022-06-29 10:19:52,844 [root] DEBUG: api-rate-cap: NtOpenKeyEx hook disabled due to rate.
2022-06-29 10:19:55,376 [root] DEBUG: DLL unloaded from 0x770F0000.
2022-06-29 10:19:55,376 [root] DEBUG: DLL loaded at 0x6E2A0000: C:\Windows\SYSTEM32\POWRPROF (0x44000 bytes).
2022-06-29 10:19:55,391 [root] DEBUG: DLL loaded at 0x6E290000: C:\Windows\SYSTEM32\UMPDC (0xd000 bytes).
2022-06-29 10:19:55,391 [root] DEBUG: DLL unloaded from 0x6E2A0000.
2022-06-29 10:19:55,438 [root] DEBUG: DLL loaded at 0x74E90000: C:\Windows\SYSTEM32\Wldp (0x24000 bytes).
2022-06-29 10:19:55,454 [root] DEBUG: DLL loaded at 0x74EC0000: C:\Windows\SYSTEM32\windows.storage (0x609000 bytes).
2022-06-29 10:19:55,454 [root] DEBUG: DLL unloaded from 0x2F7A0000.
2022-06-29 10:19:55,469 [root] DEBUG: DLL loaded at 0x77190000: C:\Windows\System32\CFGMGR32 (0x3b000 bytes).
2022-06-29 10:19:55,469 [root] DEBUG: DLL unloaded from 0x74EC0000.
2022-06-29 10:19:55,469 [root] DEBUG: DLL unloaded from 0x77570000.
2022-06-29 10:19:55,469 [root] DEBUG: DLL loaded at 0x6E1C0000: C:\Windows\system32\propsys (0xc2000 bytes).
2022-06-29 10:19:55,547 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Roaming\Microsoft\Templates\Normal.dotm
2022-06-29 10:19:55,564 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
2022-06-29 10:19:55,595 [root] DEBUG: DLL loaded at 0x6DFE0000: C:\Windows\System32\msxml6 (0x1dd000 bytes).
2022-06-29 10:19:55,672 [root] DEBUG: DLL loaded at 0x74BA0000: C:\Windows\SYSTEM32\profapi (0x18000 bytes).
2022-06-29 10:19:55,750 [root] DEBUG: DLL loaded at 0x74B70000: C:\Windows\SYSTEM32\ntmarta (0x29000 bytes).
2022-06-29 10:19:55,750 [root] DEBUG: DLL loaded at 0x6DC00000: C:\Windows\SYSTEM32\CoreMessaging (0x9b000 bytes).
2022-06-29 10:19:55,766 [root] DEBUG: DLL loaded at 0x6DB20000: C:\Windows\SYSTEM32\wintypes (0xdb000 bytes).
2022-06-29 10:19:55,766 [root] DEBUG: DLL loaded at 0x6DCA0000: C:\Windows\SYSTEM32\CoreUIComponents (0x27e000 bytes).
2022-06-29 10:19:55,782 [root] DEBUG: DLL loaded at 0x6DF20000: C:\Windows\SYSTEM32\textinputframework (0xb9000 bytes).
2022-06-29 10:19:55,860 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Temp\c378387344e0a552dc065de6.doc
2022-06-29 10:19:55,876 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Temp\~$78387344e0a552dc065de6.doc
2022-06-29 10:19:55,954 [root] DEBUG: DLL loaded at 0x6DAF0000: C:\Program Files (x86)\Common Files\Microsoft Shared\TEXTCONV\WPFT532.CNV (0x2f000 bytes).
2022-06-29 10:19:55,970 [root] DEBUG: DLL loaded at 0x6DAD0000: C:\Program Files (x86)\Common Files\Microsoft Shared\TEXTCONV\msconv97 (0x1f000 bytes).
2022-06-29 10:19:55,970 [root] DEBUG: DLL unloaded from 0x2F7A0000.
2022-06-29 10:19:55,985 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Temp\tst9A0B.tmp size is 0, Max size: 100000000
2022-06-29 10:19:55,985 [root] DEBUG: DLL unloaded from 0x6DAD0000.
2022-06-29 10:19:56,001 [root] DEBUG: DLL unloaded from 0x6DAF0000.
2022-06-29 10:19:56,016 [root] DEBUG: DLL loaded at 0x6DAE0000: C:\Program Files (x86)\Common Files\Microsoft Shared\TEXTCONV\WPFT632.CNV (0x3d000 bytes).
2022-06-29 10:19:56,032 [root] DEBUG: DLL loaded at 0x6DAC0000: C:\Program Files (x86)\Common Files\Microsoft Shared\TEXTCONV\msconv97 (0x1f000 bytes).
2022-06-29 10:19:56,032 [root] DEBUG: DLL unloaded from 0x2F7A0000.
2022-06-29 10:19:56,047 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Temp\tst9A4A.tmp size is 0, Max size: 100000000
2022-06-29 10:19:56,063 [root] DEBUG: DLL unloaded from 0x6DAC0000.
2022-06-29 10:19:56,079 [root] DEBUG: DLL unloaded from 0x6DAE0000.
2022-06-29 10:19:56,094 [root] DEBUG: DLL loaded at 0x6DAF0000: C:\Program Files (x86)\Common Files\Microsoft Shared\TEXTCONV\WPFT532.CNV (0x2f000 bytes).
2022-06-29 10:19:56,110 [root] DEBUG: DLL loaded at 0x6DAD0000: C:\Program Files (x86)\Common Files\Microsoft Shared\TEXTCONV\msconv97 (0x1f000 bytes).
2022-06-29 10:19:56,110 [root] DEBUG: DLL unloaded from 0x2F7A0000.
2022-06-29 10:19:56,141 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Temp\tst9A99.tmp size is 0, Max size: 100000000
2022-06-29 10:19:56,157 [root] DEBUG: DLL unloaded from 0x6DAD0000.
2022-06-29 10:19:56,173 [root] DEBUG: DLL unloaded from 0x6DAF0000.
2022-06-29 10:19:56,188 [root] DEBUG: DLL loaded at 0x6DAE0000: C:\Program Files (x86)\Common Files\Microsoft Shared\TEXTCONV\WPFT632.CNV (0x3d000 bytes).
2022-06-29 10:19:56,204 [root] DEBUG: DLL loaded at 0x6DAC0000: C:\Program Files (x86)\Common Files\Microsoft Shared\TEXTCONV\msconv97 (0x1f000 bytes).
2022-06-29 10:19:56,204 [root] DEBUG: DLL unloaded from 0x2F7A0000.
2022-06-29 10:19:56,219 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Temp\tst9AF8.tmp size is 0, Max size: 100000000
2022-06-29 10:19:56,235 [root] DEBUG: DLL unloaded from 0x6DAC0000.
2022-06-29 10:19:56,251 [root] DEBUG: DLL unloaded from 0x6DAE0000.
2022-06-29 10:19:56,266 [root] DEBUG: DLL loaded at 0x6DB10000: C:\Program Files (x86)\Microsoft Office\Office14\Wordcnvpxy.cnv (0x8000 bytes).
2022-06-29 10:19:56,266 [root] DEBUG: DLL unloaded from 0x6DB10000.
2022-06-29 10:19:56,282 [root] DEBUG: DLL loaded at 0x6DB10000: C:\Program Files (x86)\Microsoft Office\Office14\Wordcnvpxy.cnv (0x8000 bytes).
2022-06-29 10:19:56,344 [root] DEBUG: DLL loaded at 0x6DB10000: C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\RECOVR32.CNV (0xa000 bytes).
2022-06-29 10:19:56,360 [root] DEBUG: DLL loaded at 0x6DAF0000: C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\msconv97 (0x1f000 bytes).
2022-06-29 10:19:56,360 [root] DEBUG: api-rate-cap: LdrGetProcedureAddressForCaller hook disabled due to rate.
2022-06-29 10:19:56,360 [root] DEBUG: DLL unloaded from 0x2F7A0000.
2022-06-29 10:19:56,360 [root] DEBUG: DLL unloaded from 0x6DAF0000.
2022-06-29 10:19:56,376 [root] DEBUG: DLL unloaded from 0x6DB10000.
2022-06-29 10:19:56,391 [root] DEBUG: DLL loaded at 0x6DB10000: C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\Wks9Pxy.cnv (0xd000 bytes).
2022-06-29 10:19:56,391 [root] DEBUG: DLL loaded at 0x6DAF0000: C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\WPFT532.CNV (0x2f000 bytes).
2022-06-29 10:19:56,422 [root] DEBUG: DLL loaded at 0x6DAD0000: C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\msconv97 (0x1f000 bytes).
2022-06-29 10:19:56,422 [root] DEBUG: DLL unloaded from 0x2F7A0000.
2022-06-29 10:19:56,438 [root] DEBUG: DLL unloaded from 0x6DAD0000.
2022-06-29 10:19:56,438 [root] DEBUG: DLL unloaded from 0x6DAF0000.
2022-06-29 10:19:56,454 [root] DEBUG: DLL loaded at 0x6DAE0000: C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\WPFT632.CNV (0x3d000 bytes).
2022-06-29 10:19:56,454 [root] DEBUG: DLL loaded at 0x6DAC0000: C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\msconv97 (0x1f000 bytes).
2022-06-29 10:19:56,454 [root] DEBUG: DLL unloaded from 0x2F7A0000.
2022-06-29 10:19:56,454 [root] DEBUG: DLL unloaded from 0x6DAC0000.
2022-06-29 10:19:56,470 [root] DEBUG: DLL unloaded from 0x6DAE0000.
2022-06-29 10:19:56,485 [root] DEBUG: DLL loaded at 0x6DAF0000: C:\Program Files (x86)\Common Files\Microsoft Shared\TEXTCONV\WPFT532.CNV (0x2f000 bytes).
2022-06-29 10:19:56,485 [root] DEBUG: DLL loaded at 0x6DAD0000: C:\Program Files (x86)\Common Files\Microsoft Shared\TEXTCONV\msconv97 (0x1f000 bytes).
2022-06-29 10:19:56,500 [root] DEBUG: DLL unloaded from 0x2F7A0000.
2022-06-29 10:19:56,500 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Temp\tst9C22.tmp size is 0, Max size: 100000000
2022-06-29 10:19:56,516 [root] DEBUG: DLL unloaded from 0x6DAD0000.
2022-06-29 10:19:56,516 [root] DEBUG: DLL unloaded from 0x6DAF0000.
2022-06-29 10:19:56,532 [root] DEBUG: DLL loaded at 0x6DAE0000: C:\Program Files (x86)\Common Files\Microsoft Shared\TEXTCONV\WPFT632.CNV (0x3d000 bytes).
2022-06-29 10:19:56,548 [root] DEBUG: DLL loaded at 0x6DAC0000: C:\Program Files (x86)\Common Files\Microsoft Shared\TEXTCONV\msconv97 (0x1f000 bytes).
2022-06-29 10:19:56,548 [root] DEBUG: DLL unloaded from 0x2F7A0000.
2022-06-29 10:19:56,563 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Temp\tst9C52.tmp size is 0, Max size: 100000000
2022-06-29 10:19:56,579 [root] DEBUG: DLL unloaded from 0x6DAC0000.
2022-06-29 10:19:56,594 [root] DEBUG: DLL unloaded from 0x6DAE0000.
2022-06-29 10:19:56,860 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\C4B0E863.wmf
2022-06-29 10:19:56,860 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\C4B0E863.wmf size is 452, Max size: 100000000
2022-06-29 10:19:56,907 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\270E6369.wmf
2022-06-29 10:19:56,907 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\270E6369.wmf size is 452, Max size: 100000000
2022-06-29 10:19:56,938 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\224AC25F.wmf
2022-06-29 10:19:56,938 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\224AC25F.wmf size is 452, Max size: 100000000
2022-06-29 10:19:56,954 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8F15DAC5.wmf
2022-06-29 10:19:56,969 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8F15DAC5.wmf size is 452, Max size: 100000000
2022-06-29 10:19:56,985 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\DE3D9E1B.wmf
2022-06-29 10:19:57,001 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\DE3D9E1B.wmf size is 452, Max size: 100000000
2022-06-29 10:19:57,032 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\DE8079E1.wmf
2022-06-29 10:19:57,047 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\DE8079E1.wmf size is 452, Max size: 100000000
2022-06-29 10:19:57,063 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\EEEEB797.wmf
2022-06-29 10:19:57,079 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\EEEEB797.wmf size is 452, Max size: 100000000
2022-06-29 10:19:57,094 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3FB2DCBD.wmf
2022-06-29 10:19:57,110 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3FB2DCBD.wmf size is 452, Max size: 100000000
2022-06-29 10:19:57,126 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\98D90AD3.wmf
2022-06-29 10:19:57,141 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\98D90AD3.wmf size is 452, Max size: 100000000
2022-06-29 10:19:57,172 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3A6D5F59.wmf
2022-06-29 10:19:57,188 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3A6D5F59.wmf size is 452, Max size: 100000000
2022-06-29 10:19:57,220 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\BB0953CF.wmf
2022-06-29 10:19:57,235 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\BB0953CF.wmf size is 452, Max size: 100000000
2022-06-29 10:19:57,251 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\C1A81DB5.wmf
2022-06-29 10:19:57,251 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\C1A81DB5.wmf size is 452, Max size: 100000000
2022-06-29 10:19:57,282 [root] DEBUG: DLL unloaded from 0x77630000.
2022-06-29 10:19:57,344 [root] DEBUG: DLL loaded at 0x6DA80000: C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\USP10 (0x9e000 bytes).
2022-06-29 10:19:57,423 [root] DEBUG: DLL loaded at 0x6D910000: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.1023_none_d94e0b13e107593b\GdiPlus (0x169000 bytes).
2022-06-29 10:19:57,423 [root] DEBUG: DLL unloaded from 0x767E0000.
2022-06-29 10:19:57,454 [root] DEBUG: DLL loaded at 0x6D790000: C:\Windows\SYSTEM32\WindowsCodecs (0x171000 bytes).
2022-06-29 10:19:57,579 [root] DEBUG: DLL loaded at 0x6D570000: C:\Windows\system32\d3d11 (0x1e0000 bytes).
2022-06-29 10:19:57,594 [root] DEBUG: DLL loaded at 0x6D400000: C:\Windows\system32\dcomp (0x165000 bytes).
2022-06-29 10:19:57,594 [root] DEBUG: DLL loaded at 0x6D750000: C:\Windows\system32\dataexchange (0x31000 bytes).
2022-06-29 10:19:57,610 [root] DEBUG: DLL loaded at 0x6D270000: C:\Windows\system32\twinapi.appcore (0x18f000 bytes).
2022-06-29 10:19:57,672 [root] DEBUG: DLL loaded at 0x74630000: C:\Windows\SYSTEM32\msvcp110_win (0x65000 bytes).
2022-06-29 10:19:57,688 [root] DEBUG: DLL loaded at 0x6D1E0000: C:\Windows\SYSTEM32\policymanager (0x83000 bytes).
2022-06-29 10:19:57,688 [root] DEBUG: caller_dispatch: Adding region at 0x6D1E0000 to caller regions list (ntdll::NtProtectVirtualMemory returns to 0x6D1F4A88, thread 5912).
2022-06-29 10:19:57,688 [root] DEBUG: caller_dispatch: Dump of calling region at 0x6D1E0000 skipped (ntdll::NtProtectVirtualMemory returns to 0x6D1F4A88 mapped as \Device\HarddiskVolume2\Windows\SysWOW64\policymanager.dll).
2022-06-29 10:19:57,719 [root] DEBUG: DLL loaded at 0x6D0B0000: C:\Windows\System32\FM20 (0x12d000 bytes).
2022-06-29 10:19:57,719 [root] DEBUG: caller_dispatch: Adding region at 0x6D0B0000 to caller regions list (ntdll::LdrLoadDll returns to 0x6D0DE07D, thread 2456).
2022-06-29 10:19:57,735 [root] DEBUG: caller_dispatch: Scanning calling region at 0x6D0B0000...
2022-06-29 10:19:57,735 [root] DEBUG: caller_dispatch: Dump of calling region at 0x6D0B0000 skipped (ntdll::LdrLoadDll returns to 0x6D0DE07D mapped as \Device\HarddiskVolume2\Windows\SysWOW64\FM20.DLL).
2022-06-29 10:19:57,844 [root] DEBUG: api-rate-cap: NtQueryValueKey hook disabled due to rate.
2022-06-29 10:19:58,032 [root] DEBUG: caller_dispatch: Adding region at 0x01260000 to caller regions list (ntdll::RtlSetCurrentTransaction returns to 0x01356DE8, thread 2456).
2022-06-29 10:19:58,032 [root] DEBUG: caller_dispatch: Dump of calling region at 0x01260000 skipped (ntdll::RtlSetCurrentTransaction returns to 0x01356DE8).
2022-06-29 10:19:58,048 [root] DEBUG: DLL loaded at 0x6CE20000: C:\PROGRA~2\COMMON~1\MICROS~1\VBA\VBA7\VBE7 (0x28d000 bytes).
2022-06-29 10:19:58,048 [root] DEBUG: caller_dispatch: Adding region at 0x6CE20000 to caller regions list (kernel32::HeapCreate returns to 0x6CEF6A22, thread 2456).
2022-06-29 10:19:58,048 [root] DEBUG: caller_dispatch: Scanning calling region at 0x6CE20000...
2022-06-29 10:19:58,048 [root] DEBUG: caller_dispatch: Dump of calling region at 0x6CE20000 skipped (kernel32::HeapCreate returns to 0x6CEF6A22 mapped as \Device\HarddiskVolume2\PROGRA~2\COMMON~1\MICROS~1\VBA\VBA7\VBE7.DLL).
2022-06-29 10:19:58,063 [root] DEBUG: DLL loaded at 0x0CDF0000: C:\PROGRA~2\COMMON~1\MICROS~1\VBA\VBA7\1033\VBE7INTL (0x26000 bytes).
2022-06-29 10:20:01,329 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Temp\Word8.0\MSForms.exd
2022-06-29 10:20:01,454 [root] DEBUG: DLL loaded at 0x0E1F0000: C:\Windows\System32\fm20ENU (0x8000 bytes).
2022-06-29 10:20:01,470 [root] DEBUG: CreateProcessHandler: Injection info set for new process 6056: C:\Windows\splwow64.exe, ImageBase: 0x00000000
2022-06-29 10:20:01,470 [root] INFO: Announced 64-bit process name: splwow64.exe pid: 6056
2022-06-29 10:20:01,470 [lib.api.process] INFO: Monitor config for process 6056: C:\tmpurzvybzd\dll\6056.ini
2022-06-29 10:20:01,470 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpurzvybzd\dll\xmukJfa.dll, loader C:\tmpurzvybzd\bin\XYYzJVVA.exe
2022-06-29 10:20:01,485 [root] DEBUG: Loader: Injecting process 6056 (thread 6060) with C:\tmpurzvybzd\dll\xmukJfa.dll.
2022-06-29 10:20:01,485 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2022-06-29 10:20:01,485 [root] DEBUG: Successfully injected DLL C:\tmpurzvybzd\dll\xmukJfa.dll.
2022-06-29 10:20:01,501 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 6056
2022-06-29 10:20:01,501 [root] DEBUG: DLL unloaded from 0x77630000.
2022-06-29 10:20:01,501 [root] INFO: Announced 64-bit process name: splwow64.exe pid: 6056
2022-06-29 10:20:01,501 [lib.api.process] INFO: Monitor config for process 6056: C:\tmpurzvybzd\dll\6056.ini
2022-06-29 10:20:01,501 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpurzvybzd\dll\xmukJfa.dll, loader C:\tmpurzvybzd\bin\XYYzJVVA.exe
2022-06-29 10:20:01,516 [root] DEBUG: Loader: Injecting process 6056 (thread 6060) with C:\tmpurzvybzd\dll\xmukJfa.dll.
2022-06-29 10:20:01,516 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2022-06-29 10:20:01,516 [root] DEBUG: Successfully injected DLL C:\tmpurzvybzd\dll\xmukJfa.dll.
2022-06-29 10:20:01,516 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 6056
2022-06-29 10:20:01,516 [root] INFO: Announced 64-bit process name: splwow64.exe pid: 6056
2022-06-29 10:20:01,516 [lib.api.process] INFO: Monitor config for process 6056: C:\tmpurzvybzd\dll\6056.ini
2022-06-29 10:20:01,516 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpurzvybzd\dll\xmukJfa.dll, loader C:\tmpurzvybzd\bin\XYYzJVVA.exe
2022-06-29 10:20:01,532 [root] DEBUG: Loader: Injecting process 6056 (thread 6060) with C:\tmpurzvybzd\dll\xmukJfa.dll.
2022-06-29 10:20:01,532 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2022-06-29 10:20:01,532 [root] DEBUG: Successfully injected DLL C:\tmpurzvybzd\dll\xmukJfa.dll.
2022-06-29 10:20:01,532 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 6056
2022-06-29 10:20:01,563 [root] DEBUG: Python path set to 'C:\Users\johnquser\AppData\Local\Programs\Python\Python37-32'.
2022-06-29 10:20:01,563 [root] DEBUG: Dropped file limit defaulting to 100.
2022-06-29 10:20:01,563 [root] INFO: Disabling sleep skipping.
2022-06-29 10:20:01,563 [root] DEBUG: Initialising Yara...
2022-06-29 10:20:01,563 [root] DEBUG: YaraInit: Compiled rules loaded from existing file C:\tmpurzvybzd\data\yara\capemon.yac
2022-06-29 10:20:01,563 [root] DEBUG: InternalYaraScan: Scanning 0x00007FFD2D6F0000, size 0x1f4546
2022-06-29 10:20:01,563 [root] DEBUG: AmsiDumper initialised.
2022-06-29 10:20:01,563 [root] DEBUG: Monitor initialised: 64-bit capemon loaded in process 6056 at 0x00007FFD08D30000, thread 6060, image base 0x00007FF6A7BB0000, stack from 0x0000000000FF6000-0x0000000001000000
2022-06-29 10:20:01,563 [root] DEBUG: Commandline: C:\Windows\splwow64.exe 12288
2022-06-29 10:20:01,626 [root] DEBUG: RestoreHeaders: Restored original import table.
2022-06-29 10:20:01,626 [root] INFO: Loaded monitor into process with pid 6056
2022-06-29 10:20:01,626 [root] DEBUG: caller_dispatch: Adding region at 0x00007FFD2B140000 to caller regions list (ntdll::LdrGetProcedureAddressForCaller returns to 0x00007FFD2B180331, thread 6060).
2022-06-29 10:20:01,626 [root] DEBUG: caller_dispatch: Scanning calling region at 0x00007FFD2B140000...
2022-06-29 10:20:01,626 [root] DEBUG: caller_dispatch: Dump of calling region at 0x00007FFD2B140000 skipped (ntdll::LdrGetProcedureAddressForCaller returns to 0x00007FFD2B180331 mapped as \Device\HarddiskVolume2\Windows\System32\KernelBase.dll).
2022-06-29 10:20:01,626 [root] DEBUG: caller_dispatch: Adding region at 0x00007FFD2D6F0000 to caller regions list (ntdll::NtClose returns to 0x00007FFD2D7C3E73, thread 6060).
2022-06-29 10:20:01,626 [root] DEBUG: caller_dispatch: Dump of calling region at 0x00007FFD2D6F0000 skipped (ntdll::NtClose returns to 0x00007FFD2D7C3E73 mapped as \Device\HarddiskVolume2\Windows\System32\ntdll.dll).
2022-06-29 10:20:01,626 [root] DEBUG: caller_dispatch: Adding region at 0x00007FF6A7BB0000 to caller regions list (kernel32::SetUnhandledExceptionFilter returns to 0x00007FF6A7BBCC61, thread 6060).
2022-06-29 10:20:01,641 [root] DEBUG: YaraScan: Scanning 0x00007FF6A7BB0000, size 0x26326
2022-06-29 10:20:01,641 [root] DEBUG: caller_dispatch: Dump of calling region at 0x00007FF6A7BB0000 skipped (kernel32::SetUnhandledExceptionFilter returns to 0x00007FF6A7BBCC61 mapped as \Device\HarddiskVolume2\Windows\splwow64.exe).
2022-06-29 10:20:01,641 [root] DEBUG: caller_dispatch: Adding region at 0x00007FFD2C450000 to caller regions list (msvcrt::memcpy returns to 0x00007FFD2C4808BA, thread 6060).
2022-06-29 10:20:01,641 [root] DEBUG: caller_dispatch: Dump of calling region at 0x00007FFD2C450000 skipped (msvcrt::memcpy returns to 0x00007FFD2C4808BA mapped as \Device\HarddiskVolume2\Windows\System32\msvcrt.dll).
2022-06-29 10:20:01,641 [root] DEBUG: caller_dispatch: Adding region at 0x00007FFD2C160000 to caller regions list (advapi32::LsaOpenPolicy returns to 0x00007FFD2C16F72B, thread 5492).
2022-06-29 10:20:01,641 [root] DEBUG: caller_dispatch: Dump of calling region at 0x00007FFD2C160000 skipped (advapi32::LsaOpenPolicy returns to 0x00007FFD2C16F72B mapped as \Device\HarddiskVolume2\Windows\System32\advapi32.dll).
2022-06-29 10:20:01,641 [root] DEBUG: caller_dispatch: Adding region at 0x00007FFD2C2A0000 to caller regions list (ntdll::NtOpenDirectoryObject returns to 0x00007FFD2C2AF641, thread 6060).
2022-06-29 10:20:01,641 [root] DEBUG: caller_dispatch: Dump of calling region at 0x00007FFD2C2A0000 skipped (ntdll::NtOpenDirectoryObject returns to 0x00007FFD2C2AF641 mapped as \Device\HarddiskVolume2\Windows\System32\rpcrt4.dll).
2022-06-29 10:20:01,641 [root] DEBUG: caller_dispatch: Adding region at 0x00007FFD2AD20000 to caller regions list (ntdll::NtQueryInformationThread returns to 0x00007FFD2AD25943, thread 6060).
2022-06-29 10:20:01,641 [root] DEBUG: caller_dispatch: Dump of calling region at 0x00007FFD2AD20000 skipped (ntdll::NtQueryInformationThread returns to 0x00007FFD2AD25943 mapped as \Device\HarddiskVolume2\Windows\System32\sspicli.dll).
2022-06-29 10:20:01,720 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 4196, handle 0x1c0.
2022-06-29 10:20:01,720 [root] DEBUG: OpenProcessHandler: Handle insufficient to obtain target process name.
2022-06-29 10:20:01,735 [root] DEBUG: caller_dispatch: Adding region at 0x00007FFD1C130000 to caller regions list (msvcrt::memcpy returns to 0x00007FFD1C1314EF, thread 5532).
2022-06-29 10:20:01,735 [root] DEBUG: caller_dispatch: Dump of calling region at 0x00007FFD1C130000 skipped (msvcrt::memcpy returns to 0x00007FFD1C1314EF mapped as \Device\HarddiskVolume2\Windows\System32\winspool.drv).
2022-06-29 10:23:12,954 [root] INFO: Analysis timeout hit, terminating analysis
2022-06-29 10:23:12,954 [lib.api.process] INFO: Terminate event set for process 4196
2022-06-29 10:23:12,954 [root] DEBUG: Terminate Event: Attempting to dump process 4196
2022-06-29 10:23:12,954 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x2F7A0000.
2022-06-29 10:23:12,969 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2022-06-29 10:23:12,969 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x2F7A0000.
2022-06-29 10:23:12,969 [root] DEBUG: DumpProcess: Module entry point VA is 0x000010FC.
2022-06-29 10:23:13,016 [lib.common.results] INFO: File C:\GXSBfz\CAPE\4196_4038512231729362022 size is 1416704, Max size: 100000000
2022-06-29 10:23:13,048 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x159e00.
2022-06-29 10:23:13,048 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{F1D86A49-245C-469B-A9A2-4612A6D37846}.tmp
2022-06-29 10:23:13,048 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{5059A558-DFCA-46AA-A741-FDF9FF939088}.tmp
2022-06-29 10:23:13,048 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRF{5F803DCA-80F0-46F5-92E3-CDD2B7279D03}.tmp
2022-06-29 10:23:13,048 [root] INFO: Added new file to list with pid None and path C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{64DB182B-A23A-4F57-8A4C-B0A5D5ADAFDA}.tmp
2022-06-29 10:23:13,048 [lib.api.process] INFO: Termination confirmed for process 4196
2022-06-29 10:23:13,048 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 4196
2022-06-29 10:23:13,063 [root] INFO: Terminate event set for process 4196
2022-06-29 10:23:13,063 [lib.api.process] INFO: Terminate event set for process 6056
2022-06-29 10:23:13,063 [root] DEBUG: Terminate Event: Attempting to dump process 6056
2022-06-29 10:23:13,063 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00007FF6A7BB0000.
2022-06-29 10:23:13,063 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2022-06-29 10:23:13,063 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00007FF6A7BB0000.
2022-06-29 10:23:13,063 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000CAA0.
2022-06-29 10:23:13,079 [lib.common.results] INFO: File C:\GXSBfz\CAPE\6056_258313231729362022 size is 138240, Max size: 100000000
2022-06-29 10:23:13,094 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x21c00.
2022-06-29 10:23:13,094 [lib.api.process] INFO: Termination confirmed for process 6056
2022-06-29 10:23:13,094 [root] INFO: Terminate event set for process 6056
2022-06-29 10:23:13,094 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 6056
2022-06-29 10:23:13,094 [root] INFO: Created shutdown mutex
2022-06-29 10:23:14,110 [root] INFO: Shutting down package
2022-06-29 10:23:14,110 [root] INFO: Stopping auxiliary modules
2022-06-29 10:23:14,610 [lib.common.results] INFO: File C:\curtain.log size is 13209090, Max size: 100000000
2022-06-29 10:23:14,657 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Application.evtx to zip dump
2022-06-29 10:23:14,844 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\HardwareEvents.evtx to zip dump
2022-06-29 10:23:14,860 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Internet Explorer.evtx to zip dump
2022-06-29 10:23:14,860 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Key Management Service.evtx to zip dump
2022-06-29 10:23:14,860 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\OAlerts.evtx to zip dump
2022-06-29 10:23:14,876 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Security.evtx to zip dump
2022-06-29 10:23:15,282 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Setup.evtx to zip dump
2022-06-29 10:23:15,282 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\System.evtx to zip dump
2022-06-29 10:23:15,376 [modules.auxiliary.evtx] DEBUG: Adding C:/windows/Sysnative/winevt/Logs\Windows PowerShell.evtx to zip dump
2022-06-29 10:23:15,422 [modules.auxiliary.evtx] DEBUG: Uploading evtx.zip to host
2022-06-29 10:23:15,422 [lib.common.results] INFO: File evtx.zip size is 973481, Max size: 100000000
2022-06-29 10:23:15,563 [lib.common.results] WARNING: File C:\GXSBfz\bin\procmon.xml doesn't exist anymore
2022-06-29 10:23:15,563 [root] INFO: Finishing auxiliary modules
2022-06-29 10:23:15,563 [root] INFO: Shutting down pipe server and dumping dropped files
2022-06-29 10:23:15,563 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Roaming\Microsoft\Templates\Normal.dotm size is 20513, Max size: 100000000
2022-06-29 10:23:15,579 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Roaming\Microsoft\Templates\~$Normal.dotm size is 162, Max size: 100000000
2022-06-29 10:23:15,595 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Temp\c378387344e0a552dc065de6.doc size is 143202, Max size: 100000000
2022-06-29 10:23:15,610 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Temp\~$78387344e0a552dc065de6.doc size is 162, Max size: 100000000
2022-06-29 10:23:15,626 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Temp\Word8.0\MSForms.exd size is 166724, Max size: 100000000
2022-06-29 10:23:15,641 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{F1D86A49-245C-469B-A9A2-4612A6D37846}.tmp size is 1536, Max size: 100000000
2022-06-29 10:23:15,657 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{5059A558-DFCA-46AA-A741-FDF9FF939088}.tmp size is 0, Max size: 100000000
2022-06-29 10:23:15,672 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRF{5F803DCA-80F0-46F5-92E3-CDD2B7279D03}.tmp size is 114688, Max size: 100000000
2022-06-29 10:23:15,688 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{64DB182B-A23A-4F57-8A4C-B0A5D5ADAFDA}.tmp size is 1024, Max size: 100000000
2022-06-29 10:23:15,704 [root] WARNING: Folder at path "C:\GXSBfz\debugger" does not exist, skipping
2022-06-29 10:23:15,704 [root] WARNING: Folder at path "C:\GXSBfz\tlsdump" does not exist, skipping
2022-06-29 10:23:15,704 [root] INFO: Analysis completed
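The log above ends on "Analysis timeout hit", with splwow64.exe (pid 6056) injected three times (two "already been patched" notices) and every process dump produced by the terminate handler rather than by the sample. As an added example, not CAPE's own code and not posted by anyone in this thread, here is a small Python triage script that parses lines in this analysis.log format and pulls out exactly the facts worth checking when a sample "does not detonate": timeout versus clean exit, repeated injections into one pid, pids that were announced but never reported a loaded monitor, and what was uploaded to the host. The embedded sample log is constructed in the posted format (pid 6056 mirrors the real lines; "child.exe" pid 1111 is invented to exercise one check), and the regular expressions assume the message wording shown above.

```python
import re
import sys
from datetime import datetime

# Constructed sample in the format of the analysis.log posted in this thread.
# pid 6056 mirrors the posted log; "child.exe" pid 1111 is an invented entry
# added only to exercise the "announced but never monitored" check.
SAMPLE_LOG = r"""
2022-06-29 10:20:01,470 [root] INFO: Announced 64-bit process name: splwow64.exe pid: 6056
2022-06-29 10:20:01,485 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2022-06-29 10:20:01,501 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 6056
2022-06-29 10:20:01,516 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2022-06-29 10:20:01,516 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 6056
2022-06-29 10:20:01,626 [root] INFO: Loaded monitor into process with pid 6056
2022-06-29 10:20:05,000 [root] INFO: Announced 32-bit process name: child.exe pid: 1111
2022-06-29 10:23:12,954 [root] INFO: Analysis timeout hit, terminating analysis
2022-06-29 10:23:13,016 [lib.common.results] INFO: File C:\GXSBfz\CAPE\4196_4038512231729362022 size is 1416704, Max size: 100000000
2022-06-29 10:23:15,595 [lib.common.results] INFO: File C:\Users\johnquser\AppData\Local\Temp\c378387344e0a552dc065de6.doc size is 143202, Max size: 100000000
2022-06-29 10:23:15,704 [root] INFO: Analysis completed
"""

# One analysis.log line: timestamp, [logger], LEVEL: message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<logger>[^\]]+)\] (?P<level>[A-Z]+): (?P<msg>.*)$"
)
ANNOUNCE_RE = re.compile(r"Announced \d+-bit process name: (?P<name>\S+) pid: (?P<pid>\d+)")
INJECTED_RE = re.compile(r"Injected into suspended \d+-bit process with pid (?P<pid>\d+)")
MONITOR_RE = re.compile(r"Loaded monitor into process with pid (?P<pid>\d+)")
UPLOAD_RE = re.compile(r"File (?P<path>.+?) size is (?P<size>\d+), Max size: \d+")
ALREADY_PATCHED = "InjectDllViaIAT: This image has already been patched."
TIMEOUT_MSG = "Analysis timeout hit, terminating analysis"
COMPLETED_MSG = "Analysis completed"


def parse_lines(text):
    """Yield dicts for lines that match the analysis.log layout; skip the rest."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S,%f")
        yield rec


def summarize(text):
    """Collect the process, injection, upload and lifecycle facts from a log."""
    s = {
        "processes": {},        # pid -> image name from "Announced ... process name"
        "injections": {},       # pid -> number of "Injected into suspended" messages
        "monitor_loaded": set(),  # pids for which capemon reported itself loaded
        "already_patched": 0,   # repeated IAT patch attempts on the same image
        "timeout_hit": False,
        "completed": False,
        "uploads": [],          # (path, size) for files sent to the host
        "duration_s": None,     # seconds between first and last parsed line
    }
    first = last = None
    for rec in parse_lines(text):
        first = first or rec["ts"]
        last = rec["ts"]
        msg = rec["msg"]
        if (m := ANNOUNCE_RE.search(msg)):
            s["processes"][int(m["pid"])] = m["name"]
        elif (m := INJECTED_RE.search(msg)):
            pid = int(m["pid"])
            s["injections"][pid] = s["injections"].get(pid, 0) + 1
        elif (m := MONITOR_RE.search(msg)):
            s["monitor_loaded"].add(int(m["pid"]))
        elif (m := UPLOAD_RE.search(msg)):
            s["uploads"].append((m["path"], int(m["size"])))
        elif msg == ALREADY_PATCHED:
            s["already_patched"] += 1
        elif msg == TIMEOUT_MSG:
            s["timeout_hit"] = True
        elif msg == COMPLETED_MSG:
            s["completed"] = True
    if first and last:
        s["duration_s"] = (last - first).total_seconds()
    return s


def findings(s):
    """Turn the summary into the short list of things to look at first."""
    notes = []
    if s["timeout_hit"]:
        notes.append("analysis ended by timeout, not by the sample exiting")
    for pid, n in s["injections"].items():
        if n > 1:
            notes.append(f"pid {pid} injected {n} times "
                         f"({s['already_patched']} already-patched notices)")
    for pid, name in s["processes"].items():
        if pid not in s["monitor_loaded"]:
            notes.append(f"pid {pid} ({name}) announced but monitor never reported loaded")
    if not s["uploads"]:
        notes.append("no files uploaded to host")
    return notes


if __name__ == "__main__":
    # Pass a real analysis.log path, or run without arguments to use the sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    summary = summarize(text)
    print(f"duration {summary['duration_s']}s, uploads {len(summary['uploads'])}")
    for note in findings(summary):
        print("-", note)
```

Run it against the guest's analysis.log; a run that ends by timeout with only the loader's own processes announced, as in the log above, is the pattern to compare against a working VM such as the 21H1 build reported earlier in the thread.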
ClaudioWayne commented 2 years ago

Looks like you don't have crashes etc. What about the Process Tree and DNS sections? Does everything work fine?

doomedraven commented 2 years ago

thanks all

doomedraven commented 1 year ago

Thanks, mine is 22H2.

On Thu., 23 Jun. 2022 20:47, Scrub Lullz @.***> wrote:

Version 21H1 OS Build 19043.1023 Office 2010