Malware Configuration And Payload Extraction

Overview

CAPE: Malware Configuration And Payload Extraction

CAPE is a malware sandbox. It is derived from Cuckoo and is designed to automate the process of malware analysis with the goal of extracting payloads and configuration from malware. This allows CAPE to detect malware based on payload signatures, as well as automating many of the goals of malware reverse engineering and threat intelligence.

There is a community version online which is free for anyone to try:

https://capesandbox.com/submit

CAPE can detect a number of malware techniques or behaviours, as well as specific malware families, from its initial run on a sample. This detection may then trigger a further run with a specific package, in order to extract the malware payload and possibly its configuration, for further analysis.

CAPE works by controlling malware via a bespoke debugger and API hooks. Detection to trigger a CAPE package can be based on API or Yara signatures. The debugger uses Yara signatures or API hooks to allow breakpoints to be set on individual instructions, memory regions or function calls. Once a region of interest is reached, it can be manipulated and dumped for processing and analysis, and possibly configuration parsing.

The techniques or behaviours that CAPE detects and has packages for include:

  • Process injection
    • Shellcode injection
    • DLL injection
    • Process Hollowing
    • Process Doppelganging
  • Decompression of executable modules in memory
  • Extraction of executable modules or shellcode in memory

Packages for these behaviours will dump the payloads being injected, extracted or decompressed for further analysis. This is often the malware payload in unpacked form.

CAPE automatically creates a process dump for each process, or, in the case of a DLL, the DLL's module image in memory. This is useful for samples packed with simple packers, where often the module image dump is fully unpacked. Yara signatures may trigger on the process dumps, possibly resulting in submission with a specific package or configuration parsing.

CAPE also has a package which can dynamically unpack samples that use 'hacked' (modified) UPX, very popular with malware authors. These samples are run in CAPE's debugger until their OEP (original entry point), whereupon they are dumped, fixed and their imports are automatically reconstructed, ready for analysis.

Currently CAPE has specific packages dumping configuration and payloads for the following malware families:

  • PlugX
  • EvilGrab
  • Sedreco
  • Cerber
  • TrickBot
  • Hancitor
  • Ursnif
  • QakBot

CAPE has config parsers/decoders for the following malware families, whose payloads are automatically extracted by a behavioural package:

  • Emotet
  • RedLeaf
  • ChChes
  • HttpBrowser
  • Enfal
  • PoisonIvy
  • Screech
  • TSCookie
  • Dridex
  • SmokeLoader

Many other malware families have their payloads automatically extracted by behavioural packages, for which CAPE uses Yara signatures to detect the payloads. This list is growing, and includes:

  • Azorult, Formbook, Ryuk, Hermes, Shade, Remcos, Ramnit, Gootkit, QtBot, ZeroT, WanaCry, NetTraveler, Locky, BadRabbit, Magniber, Redsip, Kronos, PetrWrap, Kovter, Azer, Petya, Dreambot, Atlas, NanoLocker, Mole, Codoso, Cryptoshield, Loki, Jaff, IcedID, Scarab, Cutlet, RokRat, OlympicDestroyer, Gandcrab, Fareit, ZeusPanda, AgentTesla, Imminent, Arkei, Sorgu, tRat, T5000, TClient, TreasureHunter.

Configuration data may be output from either family packages, or in payloads resulting from behavioural packages. Configuration parsing may then be performed on this by virtue of Yara-based detection, and config parsing based on either of CAPE's config parsing frameworks, the RATDecoders framework from malwareconfig.com and DC3-MWCP (Defense Cyber Crime Center - Malware Configuration Parser). The many parsers/decoders from malwareconfig.com are also included, comprising among many others: Sakula, DarkComet, PredatorPain and PoisonIvy. Thanks to Kevin Breen/TechAnarchy for this framework and parsers (https://github.com/kevthehermit/RATDecoders), and to DC3 for their framework (https://github.com/Defense-Cyber-Crime-Center/DC3-MWCP). Special thanks to Jason Reaves (@sysopfb) for the TrickBot parser and Fabien Perigaud for the PlugX parser.
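The detect-then-parse flow described above, as an added example that is not CAPE's own code nor one of the RATDecoders/DC3-MWCP parsers. A byte-pattern match stands in for the Yara signature (so yara-python is not needed to run it), and a small decoder stands in for a family parser. The family name "ExampleRAT", the CFG! marker, the XOR/JSON layout and the sample dump are all constructed for this example; no real malware format is described.

```python
import json
import re
import struct

# Constructed for this example: a config blob layout for a hypothetical
# family "ExampleRAT". Nothing here is a real malware format.
#   marker b"CFG!" | u8 xor-key | u8 pad | u16 length | xor-encoded JSON
MARKER = b"CFG!"
HEADER = "<BxH"                                      # key, (pad), length
HEADER_LEN = len(MARKER) + struct.calcsize(HEADER)   # 4 + 4 = 8


def build_sample_dump():
    """Constructed stand-in for a CAPE process/module dump holding one config blob."""
    config = {"c2": ["example.invalid:443"], "campaign": "test01", "sleep": 60}
    plain = json.dumps(config).encode()
    key = 0x5A
    enc = bytes(b ^ key for b in plain)
    blob = MARKER + struct.pack(HEADER, key, len(enc)) + enc
    # junk before and after the blob, as in a real dump
    return b"MZ" + b"\x00" * 64 + b"PADDING" * 8 + blob + b"\x00" * 32


# Stands in for a Yara rule like:  $marker = { 43 46 47 21 }  condition: $marker
SIGNATURE = re.compile(re.escape(MARKER))


def detect(dump):
    """Detection step: offsets of every signature hit in the dump."""
    return [m.start() for m in SIGNATURE.finditer(dump)]


def parse_config(dump, offset):
    """Parsing step: decode the blob at `offset`. Raises ValueError on a damaged blob."""
    if offset + HEADER_LEN > len(dump):
        raise ValueError("header runs past end of dump")
    key, length = struct.unpack_from(HEADER, dump, offset + len(MARKER))
    start = offset + HEADER_LEN
    enc = dump[start:start + length]
    if len(enc) != length:
        raise ValueError("config blob truncated")
    plain = bytes(b ^ key for b in enc)
    try:
        return json.loads(plain)
    except ValueError as exc:          # covers JSONDecodeError and bad UTF-8
        raise ValueError(f"config did not decode: {exc}") from None


def extract(dump):
    """Detect, then parse each hit; a damaged hit is skipped rather than failing the dump."""
    results = []
    for offset in detect(dump):
        try:
            results.append({"family": "ExampleRAT", "offset": offset,
                            "config": parse_config(dump, offset)})
        except ValueError:
            continue
    return results


if __name__ == "__main__":
    for hit in extract(build_sample_dump()):
        print(hit)
```

The split into detect() and parse_config() mirrors the two stages in the text: a cheap signature pass over the whole dump selects candidate offsets, and only those offsets are handed to the parser, which validates lengths before trusting them so a partial dump degrades to "no config" instead of an exception in the processing pipeline.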

Utility features are also included: 'DumpOnAPI' allows a module to be dumped when it calls a specific API function which can be specified in the web interface. 'DumpConfigRegion' allows the memory region containing C2 information or other config data to be dumped for commonly used API calls. These options can be useful for quickly unpacking/dumping novel samples or configs. The breakpoint options 'bp0' through 'bp3' allow quick access to the debugger by accepting RVA or VA values to set breakpoints, whereupon a short instruction trace will be output. Alternatively 'break-on-return' allows for a breakpoint on the return address of a hooked API. An optional 'base-on-api' parameter allows the image base to be set by API call.

The CAPE debugger allows breakpoints to be set on read, write or execute of a memory address or region, as well as single-step mode. This allows fine control over malware execution until it is possible to dump the memory regions of interest, containing code or configuration data. Breakpoints can be set dynamically by package code, API hooks or Yara signatures. Thanks to the embedded distorm library the debugger can output the disassembly of instructions during single-step mode or when breakpoints are hit, resulting in instruction traces.

Processes, modules and memory regions can variously be dumped by CAPE through use of a simple API. These dumps can then be scanned and parsed for configuration information. Executable modules are fixed on being dumped, and may also have their imports automatically reconstructed (based on Scylla: https://github.com/NtQuery/Scylla). Packages can be written based on API hooks, the CAPE debugger, or a combination of both. There are a number of other behavioural and malware family packages and parsers currently in the works, so watch this space.

The repository containing the code for the monitor DLLs which form the basis of these packages is a distinct one: https://github.com/kevoreilly/capemon. This repository is organised in branches for the various packages.

Please contribute to this project by helping create new packages for further malware families, packers, techniques or configuration parsers.

CAPEv2!

A huge thank you to @D00m3dR4v3n for single-handedly porting CAPE to Python 3.

  • Python3
    • agent.py is tested with Python 3.7.2 and 3.8 (x86). Use the x86 Python build inside the VM!
    • host tested with python3 version 3.6.8

Installation recommendations and scripts for optimal performance

  1. For best compatibility we strongly suggest installing on Ubuntu 20.04 LTS
  2. KVM is recommended as hypervisor; replace <W00T> with the real pattern
  • sudo ./kvm-qemu.sh all <username> | tee kvm-qemu.log
  3. To install CAPE itself, run cape2.sh with all optimizations
  • sudo ./cape2.sh base cape | tee cape.log
  4. Reboot and enjoy

* All scripts provide help with -h, but please read the scripts to understand what they are doing.

requirements.txt is now deprecated in favour of the script.

How to create VMs with virt-manager

Virtual machine core dependency

How to update

  • CAPE: git pull
  • community: python3 utils/community.py -waf (see -h first to make sure you understand what it does)

How to upgrade with a lot of custom small modifications that can't be public?

With rebase

git add --all
git commit -m '[STASH]'
git pull --rebase origin master
# fix conflict (rebase) if needed
git reset HEAD~1

With merge

# make sure kevoreilly repo has been added as a remote (only needs to be done once)
git remote add kevoreilly https://github.com/kevoreilly/CAPEv2.git
# make sure all your changes are committed on the branch which you will be merging
git commit -a -m '<your commit message goes here>'
# fetch changes from kevoreilly repo
git fetch kevoreilly
# merge kevoreilly master branch into your current branch
git merge kevoreilly/master
# fix merge conflicts if needed
# push to your repo if desired
git push

Docs

Comments
  • 32bit executable stuck in pending stage

    32bit executable stuck in pending stage

    About accounts on capesandbox.com

    • Issues aren't the way to ask for account activation. Ping capesandbox on Twitter with your username

    This is open source and you are getting free support, so be friendly!

    • Free support from doomedraven ended, no whiskey no support. For something he updated the documentation :)

    Prerequisites

    Please answer the following questions for yourself before submitting an issue.

    • [x] I am running the latest version
    • [x] I checked the documentation and found no answer
    • [x] I checked to make sure that this issue has not already been filed
    • [x] I'm reporting the issue to the correct repository (for multi-repository projects)
    • [x] I have read all configs with all optional parts

    Expected Behavior

    Cape2 to finish processing the scanned file and generate a report or some event happening in the analysis machine.

    cape2@ubuntu:~/Desktop$ file ChromeSetup.exe 
    ChromeSetup.exe: PE32 executable (GUI) Intel 80386, for MS Windows
    

    Current Behavior

    Stuck in the pending stage from Web UI.

    Failure Information (for bugs)

    It looks like the process has exited with error code 1. However, the UI is still up and stuck in the pending stage.

    cape2@ubuntu:~$ systemctl status cape
    ● cape.service - CAPE
         Loaded: loaded (/lib/systemd/system/cape.service; enabled; vendor preset: >
         Active: activating (auto-restart) (Result: exit-code) since Sat 2021-08-14>
           Docs: https://github.com/kevoreilly/CAPEv2
        Process: 927 ExecStart=/usr/bin/python3 cuckoo.py (code=exited, status=1/FA>
       Main PID: 927 (code=exited, status=1/FAILURE)
    
    Aug 14 09:27:13 ubuntu systemd[1]: cape.service: Main process exited, code=exit>
    Aug 14 09:27:13 ubuntu systemd[1]: cape.service: Failed with result 'exit-code'.
    lines 1-9/9 (END)
    

    Steps to Reproduce

    Follow the steps here to install:
    Installation recommendations and scripts for optimal performance
    For best compability we strongly suggest installing on Ubuntu 20.04 LTS
    KVM is recommended as hypervisor, replace <W00T> to real pattern
    sudo ./kvm-qemu.sh all <username> | tee kvm-qemu.log
    To install CAPE itself, cape2.sh with all optimizations
    sudo ./cape2.sh base cape | tee cape.log
    Reboot and enjoy
    

    However, instead of using qemu, I have set up several VMs in the same custom VMNet.

    1. Have installed the deps for Guest and changed the network configuration from: [https://capev2.readthedocs.io/en/latest/installation/guest_physical/requirements.html]
    2. Have ensured that the VMs are able to ping each other (Firewall off)
    3. Have ensured that the agent is listening on port 8000 by running netstat -ano
    4. Changed cuckoo.conf
    # Specify the name of the machinery module to use, this module will
    # define the interaction between Cuckoo and your virtualization software
    # of choice.
    machinery = physical
    ...
    [resultserver]
    # The Result Server is used to receive in real time the behavioral logs
    # produced by the analyzer.
    # Specify the IP address of the host. The analysis machines should be able
    # to contact the host through such address, so make sure it's valid.
    # NOTE: if you set resultserver IP to 0.0.0.0 you have to set the option
    # `resultserver_ip` for all your virtual machines in machinery configuration.
    ip = 0.0.0.0
    
    
    5. Changed physical.conf
    [physical01]
    # Specify the label name of the current machine as specified in your
    # physical machine configuration.
    label = physical01
    
    # Specify the operating system platform used by current machine
    # [windows/darwin/linux].
    platform = windows
    
    # Specify the IP address of the current machine. Make sure that the IP address
    # is valid and that the host machine is able to reach it. If not, the analysis
    # will fail.
    ip = 192.168.1.2
    
    # If you have not provided a resultserver in cuckoo.conf you can do it here
    # If you are using machinery "multi" you may have multiple networks connected to your CAPE host
    # and thus multiple possible ways for your analysis machines to connect so you can specify the
    # IP and port here
    resultserver_ip = 192.168.1.1
    resultserver_port = 2042
    

    Context

    Currently, using the machines with VMware Workstation in an offline environment. Guest machines DNS and Gateway are set to Cape Machine

    | Question   | Answer |
    |------------|--------|
    | Git commit | commit 5399fc958cf728cda1229d6795f1a3326f0609fb (HEAD -> master, origin/master, origin/HEAD) Author: doomedraven [email protected] Date: Tue Aug 3 08:18:50 2021 +0200 Update views.py |
    | OS version | Ubuntu 20.04 |

    Failure Logs

    Please include any relevant log snippets or files here.

    opened by OtisOat 64
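A pre-flight check for the resultserver wiring that the cuckoo.conf comments in the report above spell out (if [resultserver] ip is 0.0.0.0, each machine must carry its own resultserver_ip), as an added example that is not part of the issue or of CAPE's code. The two config texts are constructed from the fragments the reporter posted; the section layout ([cuckoo]/machinery, [physical]/machines) follows the Cuckoo-style config files CAPE uses and is an assumption of this example.

```python
import configparser
import ipaddress

# Constructed from the report's fragments; section names are assumed.
CUCKOO_CONF = """
[cuckoo]
machinery = physical

[resultserver]
ip = 0.0.0.0
port = 2042
"""

PHYSICAL_CONF = """
[physical]
machines = physical01

[physical01]
label = physical01
platform = windows
ip = 192.168.1.2
resultserver_ip = 192.168.1.1
resultserver_port = 2042
"""


def _valid_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def check_resultserver(cuckoo_text, machinery_text):
    """Return a list of problems; an empty list means the wiring looks consistent."""
    cuckoo = configparser.ConfigParser()
    cuckoo.read_string(cuckoo_text)
    mach = configparser.ConfigParser()
    mach.read_string(machinery_text)
    problems = []

    machinery = cuckoo.get("cuckoo", "machinery", fallback=None)
    if not machinery or machinery not in mach:
        problems.append(f"machinery '{machinery}' has no [{machinery}] section in the machinery config")
        return problems

    host_ip = cuckoo.get("resultserver", "ip", fallback=None)
    host_port = cuckoo.get("resultserver", "port", fallback=None)
    wildcard = host_ip == "0.0.0.0"

    labels = [l.strip() for l in mach.get(machinery, "machines", fallback="").split(",") if l.strip()]
    if not labels:
        problems.append(f"[{machinery}] lists no machines")

    for label in labels:
        if label not in mach:
            problems.append(f"{label}: listed in machines but has no [{label}] section")
            continue
        sec = mach[label]
        guest_ip = sec.get("ip")
        if not guest_ip or not _valid_ip(guest_ip):
            problems.append(f"{label}: ip '{guest_ip}' is not a valid address")
        # per-machine values override the host-wide [resultserver] values
        rs_ip = sec.get("resultserver_ip") or host_ip
        rs_port = sec.get("resultserver_port") or host_port
        if wildcard and not sec.get("resultserver_ip"):
            problems.append(f"{label}: resultserver ip is 0.0.0.0, so resultserver_ip must be set per machine")
        elif not rs_ip or not _valid_ip(rs_ip):
            problems.append(f"{label}: resultserver address '{rs_ip}' is not a valid address")
        elif rs_ip == guest_ip:
            problems.append(f"{label}: resultserver_ip equals the guest's own ip; the guest would report to itself")
        if not rs_port or not str(rs_port).isdigit():
            problems.append(f"{label}: resultserver port '{rs_port}' is not a number")
    return problems


if __name__ == "__main__":
    for p in check_resultserver(CUCKOO_CONF, PHYSICAL_CONF) or ["ok"]:
        print(p)
```

Run it against the real files with open(...).read() before starting cuckoo.py; a guest that cannot reach a valid resultserver address never sends its behaviour log, which is one way a task sits in "pending" with nothing visible in the guest.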
  • Question about deployment CAPE on Azure environment

    Question about deployment CAPE on Azure environment

    • I have read the documentation at https://capev2.readthedocs.io/en/latest/installation/host/cloud.html.

    This is open source and you are getting free support, so be friendly!

    • Free support from doomedraven ended, no whiskey no support. For something he updated the documentation :)

    Prerequisites

    Please answer the following questions for yourself before submitting an issue.

    • [x] I am running the latest version
    • [x] I did read the README!
    • [x] I checked the documentation and found no answer
    • [x] I checked to make sure that this issue has not already been filed
    • [x] I'm reporting the issue to the correct repository (for multi-repository projects)
    • [x] I have read all configs with all optional parts

    Expected Behavior

    Install CAPE in an Azure environment. Understand what additional requirements I need to meet.

    Current Behavior

    I have read the documentation at https://capev2.readthedocs.io/en/latest/installation/host/cloud.html. I have also read and tried to understand the configurations present in the config path, specifically az.conf. And last but not least, I reviewed cape2.sh. But I still have some questions.

    1. For an Azure environment, is it still necessary to install libvirt and KVM first?
    2. Any advice for Azure installation?

    Failure Information (for bugs)

    Please help provide information about the failure if this is a bug. If it is not a bug, please remove the rest of this template.

    opened by rleal124 62
  • API for Distributed CAPE doesn't run due to

    API for Distributed CAPE doesn't run due to "'yara' is not defined" error.

    Prerequisites

    Please answer the following questions for yourself before submitting an issue.

    • [x] I am running the latest version
    • [x] I checked the documentation and found no answer
    • [x] I checked to make sure that this issue has not already been filed
    • [x] I'm reporting the issue to the correct repository (for multi-repository projects)
    • [x] I have read all configs with all optional parts

    Expected Behavior

    Ultimately, I want to make a Distributed CAPE. I created dist.ini for that, so I want to run the API and add a node from a worker.

    Current Behavior

    It was set with reference to this manual. https://capev2.readthedocs.io/en/latest/usage/dist.html?highlight=dist

    When I execute the API with the following command, I get an error that yara is not defined. Of course, the worker doesn't recognize it either ...

    uwsgi --ini /opt/CAPEv2/utils/dist.ini

    yara-python is installed.

    (venv-cape) root@cape-master:~# pip list |grep yara
    yara-python               4.1.0
    (venv-cape) root@cape-master:~#
    

    yara can also be imported.

    (venv-cape) root@cape-master:~# python
    Python 3.8.5 (default, May 27 2021, 13:30:53)
    [GCC 9.3.0] on linux
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import yara
    >>> print(yara.__version__)
    4.1.0
    >>>
    

    However, when I run the API, the following debug appears.

    (venv-cape) root@cape-master:~# uwsgi --ini /opt/CAPEv2/utils/dist.ini
    [uWSGI] getting INI configuration from /opt/CAPEv2/utils/dist.ini
    *** Starting uWSGI 2.0.19.1 (64bit) on [Wed Jul 28 03:06:17 2021] ***
    compiled with version: 9.3.0 on 26 July 2021 09:56:08
    os: Linux-5.8.0-55-generic #62~20.04.1-Ubuntu SMP Wed Jun 2 08:55:04 UTC 2021
    nodename: cape-master
    machine: x86_64
    clock source: unix
    pcre jit disabled
    detected number of CPU cores: 4
    current working directory: /root
    detected binary path: /usr/local/bin/uwsgi
    chdir() to /opt/CAPEv2/utils
    your processes number limit is 31609
    your memory page size is 4096 bytes
     *** WARNING: you have enabled harakiri without post buffering. Slow upload could be rejected on post-unbuffered webservers ***
    detected max file descriptor number: 1048576
    lock engine: pthread robust mutexes
    thunder lock: disabled (you can enable it with --thunder-lock)
    uwsgi socket 0 bound to TCP address 0.0.0.0:9003 fd 3
    setuid() to 1000
    Python version: 3.8.5 (default, May 27 2021, 13:30:53)  [GCC 9.3.0]
    Python main interpreter initialized at 0x562299f363c0
    python threads support enabled
    your server socket listen backlog is limited to 100 connections
    your mercy for graceful operations on workers is 60 seconds
    mapped 229488 bytes (224 KB) for 5 cores
    *** Operational MODE: threaded ***
    *** uWSGI is running in multiple interpreter mode ***
    spawned uWSGI master process (pid: 2916)
    spawned uWSGI worker 1 (pid: 2917, cores: 5)
    writing pidfile to /tmp/dist.pid
    writing pidfile to /tmp/dist.pid
    *** Stats server enabled on 127.0.0.1:9191 fd: 9 ***
    mounting dist.py on /
    Traceback (most recent call last):
      File "/opt/CAPEv2/utils/../lib/cuckoo/common/objects.py", line 814, in init_yara
        File.yara_rules[category] = yara.compile(filepaths=rules, externals=externals)
    NameError: name 'yara' is not defined
    
    During handling of the above exception, another exception occurred:
    
    Traceback (most recent call last):
      File "dist.py", line 33, in <module>
        from lib.cuckoo.common.config import Config
      File "/opt/CAPEv2/utils/../lib/cuckoo/common/config.py", line 11, in <module>
        from lib.cuckoo.common.objects import Dictionary
      File "/opt/CAPEv2/utils/../lib/cuckoo/common/objects.py", line 834, in <module>
        init_yara()
      File "/opt/CAPEv2/utils/../lib/cuckoo/common/objects.py", line 815, in init_yara
        except yara.Error as e:
    NameError: name 'yara' is not defined
    OOPS ! failed loading app in worker 1 (pid 2917) :( trying again...
    DAMN ! worker 1 (pid: 2917) died :( trying respawn ...
    Respawned uWSGI worker 1 (new pid: 2919)
    mounting dist.py on /
    

    I can't even try to add a node from a worker:

    curl http://X.X.X.X:9003/node -F name=worker -F url=http://10.64.180.161:8000/apiv2/

    dist.ini is set like this.

    [uwsgi]
        plugins = /usr/lib/uwsgi/plugins/python3_plugin.so
        callable = app
        ;change this patch if is different
        chdir = /opt/CAPEv2/utils
        master = true
        mount = /=dist.py
        threads = 5
        workers = 2
        manage-script-name = true
        ; if you will use with nginx, comment next line
        socket = 0.0.0.0:9003
        safe-pidfile = /tmp/dist.pid
        protocol=http
        enable-threads = true
        lazy = true
        timeout = 600
        chmod-socket = 664
        chown-socket = cape:cape
        gui = cape
        uid = cape
        harakiri = 30
        hunder-lock = True
        stats = 127.0.0.1:9191
    
    opened by ai-suzuki 47
  • Neverending pending tasks

    Neverending pending tasks

    In short, I believe that the whole logic behind def fetch(self, machine, label): is utterly wrong.

    A) before - ok source B) now - bad source

    By just comparing what is going on inside: previously, the argument machine was used to find the result in a proper way (by filtering rows inside the query), while now the first PENDING task is fetched in the hope that its machine column will match the label or machine argument. This is plain wrong for many reasons. In our case, this causes neverending pending tasks (i.e. fetch() is always returning None).

    As I've seen that lots of changes have been made in the last 30 days, some even in the hope of fixing this issue, my recommendation is to reread everything a couple of times and then try to write it properly.

    For a start, the fetch function's argument machine (and that new one, label) should be used as a filter inside the query, and not as an if condition against the first fetched row. This is like doing a SQL query by fetching the first row from a SELECT statement, and then filtering that first row against a given WHERE condition. This is bad.

    p.s. don't mind if I've been too harsh here. You are still doing an awesome job

    opened by stamparm 46
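The two shapes of fetch() that the comment above contrasts, as an added example that is not part of the issue or of CAPE's scheduler code: fetch_first_then_compare() reproduces the described flaw (take the oldest PENDING row, then compare its machine column), and fetch_filtered() puts the machine/label constraint into the WHERE clause. The table, its column names and the rows are constructed for this example on an in-memory SQLite database; CAPE's real schema is richer.

```python
import sqlite3


def make_db():
    """Constructed tasks table: one task pinned to a machine this host does not have."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE tasks (id INTEGER PRIMARY KEY, status TEXT, machine TEXT, added_on INTEGER)"
    )
    con.executemany("INSERT INTO tasks VALUES (?, ?, ?, ?)", [
        (1, "pending", "win7_x86", 100),    # pinned to a machine that never asks for work
        (2, "pending", "win10_x64", 101),
        (3, "pending", "", 102),             # no machine requested: any machine may take it
        (4, "completed", "win10_x64", 90),
    ])
    return con


def fetch_first_then_compare(con, machine, label=None):
    """The flawed shape: take the oldest pending row, then compare in Python."""
    row = con.execute(
        "SELECT id, machine FROM tasks WHERE status = 'pending' ORDER BY added_on, id LIMIT 1"
    ).fetchone()
    if row is None:
        return None
    task_id, wanted = row
    if wanted in ("", machine, label):
        return task_id
    return None  # the oldest row belongs elsewhere, so this caller gets nothing, every time


def fetch_filtered(con, machine, label=None):
    """The constraint belongs in the WHERE clause, so the oldest *matching* row is returned."""
    names = [n for n in (machine, label) if n]
    if names:
        cond = "(machine = '' OR machine IN (%s))" % ",".join("?" * len(names))
    else:
        cond = "machine = ''"
    row = con.execute(
        f"SELECT id FROM tasks WHERE status = 'pending' AND {cond} ORDER BY added_on, id LIMIT 1",
        names,
    ).fetchone()
    return row[0] if row else None


def drain(con, fetch, machines, rounds=10):
    """Simulate the scheduler: each available machine asks for work until nothing moves."""
    served = []
    for _ in range(rounds):
        progressed = False
        for m in machines:
            task_id = fetch(con, m)
            if task_id is not None:
                con.execute("UPDATE tasks SET status = 'running' WHERE id = ?", (task_id,))
                served.append((m, task_id))
                progressed = True
        if not progressed:
            break
    return served


if __name__ == "__main__":
    print("first-then-compare:", drain(make_db(), fetch_first_then_compare, ["win10_x64"]))
    print("filtered:          ", drain(make_db(), fetch_filtered, ["win10_x64"]))
```

With only win10_x64 online, the first shape returns None forever because task 1 is always the oldest pending row, so tasks 2 and 3 never leave "pending" even though a suitable machine is idle; the filtered query serves them in order.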
  • Could not find a registered machine

    Could not find a registered machine

    • [X] I am running the latest version
    • [X] I checked the documentation and found no answer
    • [X] I checked to make sure that this issue has not already been filed
    • [X] I'm reporting the issue to the correct repository (for multi-repository projects)

    Expected Behavior

    Uploading the sample to the guest.

    Current Behavior

    When uploading before I was getting this error (https://pastebin.com/gKegGDiA - password: ezJkdy1Fpv), now I don't receive any error but the sample is stuck in pending (also added tags=x64 in virtualbox.conf)

    Steps to Reproduce

    I followed this post: https://notes.netbytesec.com/2020/12/cape-sandbox-installation-from-0-to-hero.html

    Context

    | Question   | Answer |
    |------------|--------|
    | Git commit | commit 14b9a992f86124801a7e328a2c4a9879a2ce6c95 |
    | OS version | Ubuntu 20.10 |

    Failure Logs

    When starting the webserver I receive these warnings:

    WARNINGS:
    account.EmailAddress: (models.W042) Auto-created primary key used when not defining a primary key type, by default 'django.db.models.AutoField'.
    	HINT: Configure the DEFAULT_AUTO_FIELD setting or the AccountConfig.default_auto_field attribute to point to a subclass of AutoField, e.g. 'django.db.models.BigAutoField'.
    account.EmailConfirmation: (models.W042) Auto-created primary key used when not defining a primary key type, by default 'django.db.models.AutoField'.
    	HINT: Configure the DEFAULT_AUTO_FIELD setting or the AccountConfig.default_auto_field attribute to point to a subclass of AutoField, e.g. 'django.db.models.BigAutoField'.
    openid.OpenIDNonce: (models.W042) Auto-created primary key used when not defining a primary key type, by default 'django.db.models.AutoField'.
    	HINT: Configure the DEFAULT_AUTO_FIELD setting or the AppConfig.default_auto_field attribute to point to a subclass of AutoField, e.g. 'django.db.models.BigAutoField'.
    openid.OpenIDStore: (models.W042) Auto-created primary key used when not defining a primary key type, by default 'django.db.models.AutoField'.
    	HINT: Configure the DEFAULT_AUTO_FIELD setting or the AppConfig.default_auto_field attribute to point to a subclass of AutoField, e.g. 'django.db.models.BigAutoField'.
    otp_totp.TOTPDevice: (models.W042) Auto-created primary key used when not defining a primary key type, by default 'django.db.models.AutoField'.
    	HINT: Configure the DEFAULT_AUTO_FIELD setting or the AppConfig.default_auto_field attribute to point to a subclass of AutoField, e.g. 'django.db.models.BigAutoField'.
    socialaccount.SocialAccount: (models.W042) Auto-created primary key used when not defining a primary key type, by default 'django.db.models.AutoField'.
    	HINT: Configure the DEFAULT_AUTO_FIELD setting or the SocialAccountConfig.default_auto_field attribute to point to a subclass of AutoField, e.g. 'django.db.models.BigAutoField'.
    socialaccount.SocialApp: (models.W042) Auto-created primary key used when not defining a primary key type, by default 'django.db.models.AutoField'.
    	HINT: Configure the DEFAULT_AUTO_FIELD setting or the SocialAccountConfig.default_auto_field attribute to point to a subclass of AutoField, e.g. 'django.db.models.BigAutoField'.
    socialaccount.SocialToken: (models.W042) Auto-created primary key used when not defining a primary key type, by default 'django.db.models.AutoField'.
    	HINT: Configure the DEFAULT_AUTO_FIELD setting or the SocialAccountConfig.default_auto_field attribute to point to a subclass of AutoField, e.g. 'django.db.models.BigAutoField'.
    users.UserProfile: (models.W042) Auto-created primary key used when not defining a primary key type, by default 'django.db.models.AutoField'.
    	HINT: Configure the DEFAULT_AUTO_FIELD setting or the UsersConfig.default_auto_field attribute to point to a subclass of AutoField, e.g. 'django.db.models.BigAutoField'.
    

    python3 cuckoo.py -d

    2021-05-05 13:45:18,138 [root] DEBUG: Importing modules...
    pywin32 is not installed (only is required if you want to use MS Excel)
    2021-05-05 13:45:18,525 [root] DEBUG: Imported "auxiliary" modules:
    2021-05-05 13:45:18,525 [root] DEBUG: 	 `-- Sniffer
    2021-05-05 13:45:18,525 [root] DEBUG: Imported "processing" modules:
    2021-05-05 13:45:18,526 [root] DEBUG: 	 |-- CAPE
    2021-05-05 13:45:18,526 [root] DEBUG: 	 |-- AnalysisInfo
    2021-05-05 13:45:18,526 [root] DEBUG: 	 |-- BehaviorAnalysis
    2021-05-05 13:45:18,526 [root] DEBUG: 	 |-- Curtain
    2021-05-05 13:45:18,526 [root] DEBUG: 	 |-- Debug
    2021-05-05 13:45:18,526 [root] DEBUG: 	 |-- Deduplicate
    2021-05-05 13:45:18,526 [root] DEBUG: 	 |-- Dropped
    2021-05-05 13:45:18,526 [root] DEBUG: 	 |-- NetworkAnalysis
    2021-05-05 13:45:18,526 [root] DEBUG: 	 |-- ProcDump
    2021-05-05 13:45:18,526 [root] DEBUG: 	 |-- ProcessMemory
    2021-05-05 13:45:18,526 [root] DEBUG: 	 |-- Static
    2021-05-05 13:45:18,526 [root] DEBUG: 	 |-- Strings
    2021-05-05 13:45:18,526 [root] DEBUG: 	 |-- Suricata
    2021-05-05 13:45:18,526 [root] DEBUG: 	 |-- TargetInfo
    2021-05-05 13:45:18,526 [root] DEBUG: 	 `-- VirusTotal
    2021-05-05 13:45:18,526 [root] DEBUG: Imported "signatures" modules:
    2021-05-05 13:45:18,526 [root] DEBUG: 	 |-- CAPEDetectedThreat
    2021-05-05 13:45:18,526 [root] DEBUG: 	 |-- CAPE_Compression
    2021-05-05 13:45:18,526 [root] DEBUG: 	 |-- CAPE_Decryption
    2021-05-05 13:45:18,526 [root] DEBUG: 	 |-- CAPE_Doppelganging
    2021-05-05 13:45:18,526 [root] DEBUG: 	 |-- CAPE_EvilGrab
    2021-05-05 13:45:18,526 [root] DEBUG: 	 |-- CAPE_Injection
    2021-05-05 13:45:18,527 [root] DEBUG: 	 |-- CAPE_InjectionCreateRemoteThread
    2021-05-05 13:45:18,527 [root] DEBUG: 	 |-- CAPE_InjectionProcessHollowing
    2021-05-05 13:45:18,527 [root] DEBUG: 	 |-- CAPE_InjectionSetWindowLong
    2021-05-05 13:45:18,527 [root] DEBUG: 	 |-- CAPE_PlugX
    2021-05-05 13:45:18,527 [root] DEBUG: 	 |-- CAPE_RegBinary
    2021-05-05 13:45:18,527 [root] DEBUG: 	 |-- CAPE_TransactedHollowing
    2021-05-05 13:45:18,527 [root] DEBUG: 	 |-- CAPE_Unpacker
    2021-05-05 13:45:18,527 [root] DEBUG: 	 |-- AccessesMailslot
    2021-05-05 13:45:18,527 [root] DEBUG: 	 |-- AccessesNetlogonRegkey
    2021-05-05 13:45:18,527 [root] DEBUG: 	 |-- AccessesSysvol
    2021-05-05 13:45:18,527 [root] DEBUG: 	 |-- AddsAdminUser
    2021-05-05 13:45:18,527 [root] DEBUG: 	 |-- AddsUser
    2021-05-05 13:45:18,527 [root] DEBUG: 	 |-- OverwritesAdminPassword
    2021-05-05 13:45:18,527 [root] DEBUG: 	 |-- Alphacrypt_APIs
    2021-05-05 13:45:18,527 [root] DEBUG: 	 |-- Andromeda_APIs
    2021-05-05 13:45:18,527 [root] DEBUG: 	 |-- anomalous_deletefile
    2021-05-05 13:45:18,527 [root] DEBUG: 	 |-- AntiAnalysisDetectFile
    2021-05-05 13:45:18,527 [root] DEBUG: 	 |-- AntiAnalysisDetectReg
    2021-05-05 13:45:18,527 [root] DEBUG: 	 |-- QihooDetectLibs
    2021-05-05 13:45:18,527 [root] DEBUG: 	 |-- AhnlabDetectLibs
    2021-05-05 13:45:18,527 [root] DEBUG: 	 |-- AvastDetectLibs
    2021-05-05 13:45:18,527 [root] DEBUG: 	 |-- BitdefenderDetectLibs
    2021-05-05 13:45:18,527 [root] DEBUG: 	 |-- BullguardDetectLibs
    2021-05-05 13:45:18,528 [root] DEBUG: 	 |-- ModifiesAttachmentManager
    2021-05-05 13:45:18,528 [root] DEBUG: 	 |-- AntiAVDetectFile
    2021-05-05 13:45:18,528 [root] DEBUG: 	 |-- AntiAVDetectReg
    2021-05-05 13:45:18,528 [root] DEBUG: 	 |-- EmsisoftDetectLibs
    2021-05-05 13:45:18,528 [root] DEBUG: 	 |-- QurbDetectLibs
    2021-05-05 13:45:18,528 [root] DEBUG: 	 |-- AntiAVServiceStop
    2021-05-05 13:45:18,528 [root] DEBUG: 	 |-- AntiAVSRP
    2021-05-05 13:45:18,528 [root] DEBUG: 	 |-- AntiDBGDevices
    2021-05-05 13:45:18,528 [root] DEBUG: 	 |-- AntiDBGWindows
    2021-05-05 13:45:18,528 [root] DEBUG: 	 |-- antidebug_addvectoredexceptionhandler
    2021-05-05 13:45:18,528 [root] DEBUG: 	 |-- APIOverrideDetectLibs
    2021-05-05 13:45:18,528 [root] DEBUG: 	 |-- antidebug_checkremotedebuggerpresent
    2021-05-05 13:45:18,528 [root] DEBUG: 	 |-- antidebug_debugactiveprocess
    2021-05-05 13:45:18,528 [root] DEBUG: 	 |-- antidebug_gettickcount
    2021-05-05 13:45:18,528 [root] DEBUG: 	 |-- antidebug_guardpages
    2021-05-05 13:45:18,528 [root] DEBUG: 	 |-- antidebug_ntcreatethreadex
    2021-05-05 13:45:18,528 [root] DEBUG: 	 |-- BullguardDetectLibs
    2021-05-05 13:45:18,528 [root] DEBUG: 	 |-- antidebug_ntsetinformationthread
    2021-05-05 13:45:18,528 [root] DEBUG: 	 |-- antidebug_outputdebugstring
    2021-05-05 13:45:18,528 [root] DEBUG: 	 |-- antidebug_setunhandledexceptionfilter
    2021-05-05 13:45:18,528 [root] DEBUG: 	 |-- WineDetectReg
    2021-05-05 13:45:18,528 [root] DEBUG: 	 |-- WineDetectFunc
    2021-05-05 13:45:18,528 [root] DEBUG: 	 |-- AntiSandboxCheckUserdomain
    2021-05-05 13:45:18,529 [root] DEBUG: 	 |-- AntiCuckoo
    2021-05-05 13:45:18,529 [root] DEBUG: 	 |-- CuckooDetectFiles
    2021-05-05 13:45:18,529 [root] DEBUG: 	 |-- CuckooCrash
    2021-05-05 13:45:18,529 [root] DEBUG: 	 |-- FortinetDetectFiles
    2021-05-05 13:45:18,529 [root] DEBUG: 	 |-- SandboxJoeAnubisDetectFiles
    2021-05-05 13:45:18,529 [root] DEBUG: 	 |-- HookMouse
    2021-05-05 13:45:18,529 [root] DEBUG: 	 |-- AntiSandboxRestart
    2021-05-05 13:45:18,529 [root] DEBUG: 	 |-- SandboxieDetectLibs
    2021-05-05 13:45:18,529 [root] DEBUG: 	 |-- AntisandboxSboxieMutex
    2021-05-05 13:45:18,529 [root] DEBUG: 	 |-- AntiSandboxSboxieObjects
    2021-05-05 13:45:18,529 [root] DEBUG: 	 |-- AntiSandboxScriptTimer
    2021-05-05 13:45:18,529 [root] DEBUG: 	 |-- AntiSandboxSleep
    2021-05-05 13:45:18,529 [root] DEBUG: 	 |-- SunbeltDetectFiles
    2021-05-05 13:45:18,529 [root] DEBUG: 	 |-- SunbeltDetectLibs
    2021-05-05 13:45:18,529 [root] DEBUG: 	 |-- AntiSandboxSuspend
    2021-05-05 13:45:18,529 [root] DEBUG: 	 |-- ThreatTrackDetectFiles
    2021-05-05 13:45:18,529 [root] DEBUG: 	 |-- Unhook
    2021-05-05 13:45:18,529 [root] DEBUG: 	 |-- KnownVirustotal
    2021-05-05 13:45:18,529 [root] DEBUG: 	 |-- BochsDetectKeys
    2021-05-05 13:45:18,529 [root] DEBUG: 	 |-- AntiVMDirectoryObjects
    2021-05-05 13:45:18,529 [root] DEBUG: 	 |-- AntiVMBios
    2021-05-05 13:45:18,529 [root] DEBUG: 	 |-- AntiVMCPU
    2021-05-05 13:45:18,529 [root] DEBUG: 	 |-- DiskInformation
    2021-05-05 13:45:18,530 [root] DEBUG: 	 |-- SetupAPIDiskInformation
    2021-05-05 13:45:18,530 [root] DEBUG: 	 |-- AntiVMDiskReg
    2021-05-05 13:45:18,530 [root] DEBUG: 	 |-- AntiVMSCSI
    2021-05-05 13:45:18,530 [root] DEBUG: 	 |-- AntiVMServices
    2021-05-05 13:45:18,530 [root] DEBUG: 	 |-- AntiVMSystem
    2021-05-05 13:45:18,530 [root] DEBUG: 	 |-- HyperVDetectKeys
    2021-05-05 13:45:18,530 [root] DEBUG: 	 |-- ParallelsDetectKeys
    2021-05-05 13:45:18,530 [root] DEBUG: 	 |-- VBoxDetectDevices
    2021-05-05 13:45:18,530 [root] DEBUG: 	 |-- VBoxDetectFiles
    2021-05-05 13:45:18,530 [root] DEBUG: 	 |-- VBoxDetectKeys
    2021-05-05 13:45:18,530 [root] DEBUG: 	 |-- VBoxDetectLibs
    2021-05-05 13:45:18,530 [root] DEBUG: 	 |-- VBoxDetectProvname
    2021-05-05 13:45:18,530 [root] DEBUG: 	 |-- VBoxDetectWindow
    2021-05-05 13:45:18,530 [root] DEBUG: 	 |-- VMwareDetectDevices
    2021-05-05 13:45:18,530 [root] DEBUG: 	 |-- VMwareDetectEvent
    2021-05-05 13:45:18,530 [root] DEBUG: 	 |-- VMwareDetectFiles
    2021-05-05 13:45:18,530 [root] DEBUG: 	 |-- VMwareDetectKeys
    2021-05-05 13:45:18,530 [root] DEBUG: 	 |-- VMwareDetectLibs
    2021-05-05 13:45:18,530 [root] DEBUG: 	 |-- VMwareDetectMutexes
    2021-05-05 13:45:18,530 [root] DEBUG: 	 |-- VPCDetectFiles
    2021-05-05 13:45:18,530 [root] DEBUG: 	 |-- VPCDetectKeys
    2021-05-05 13:45:18,530 [root] DEBUG: 	 |-- VPCDetectMutex
    2021-05-05 13:45:18,530 [root] DEBUG: 	 |-- XenDetectKeys
    2021-05-05 13:45:18,530 [root] DEBUG: 	 |-- APISpamming
    2021-05-05 13:45:18,531 [root] DEBUG: 	 |-- GulpixBehavior
    2021-05-05 13:45:18,531 [root] DEBUG: 	 |-- KetricanRegkeys
    2021-05-05 13:45:18,531 [root] DEBUG: 	 |-- OkrumMutexes
    2021-05-05 13:45:18,531 [root] DEBUG: 	 |-- BadCerts
    2021-05-05 13:45:18,531 [root] DEBUG: 	 |-- BadSSLCerts
    2021-05-05 13:45:18,531 [root] DEBUG: 	 |-- Cridex
    2021-05-05 13:45:18,531 [root] DEBUG: 	 |-- Geodo
    2021-05-05 13:45:18,531 [root] DEBUG: 	 |-- Prinimalka
    2021-05-05 13:45:18,531 [root] DEBUG: 	 |-- SpyEyeMutexes
    2021-05-05 13:45:18,531 [root] DEBUG: 	 |-- ZeusMutexes
    2021-05-05 13:45:18,531 [root] DEBUG: 	 |-- ZeusP2P
    2021-05-05 13:45:18,531 [root] DEBUG: 	 |-- ZeusURL
    2021-05-05 13:45:18,531 [root] DEBUG: 	 |-- BCDEditCommand
    2021-05-05 13:45:18,531 [root] DEBUG: 	 |-- BetaBot_APIs
    2021-05-05 13:45:18,531 [root] DEBUG: 	 |-- BitcoinOpenCL
    2021-05-05 13:45:18,531 [root] DEBUG: 	 |-- AccessesPrimaryPartition
    2021-05-05 13:45:18,531 [root] DEBUG: 	 |-- Bootkit
    2021-05-05 13:45:18,531 [root] DEBUG: 	 |-- DirectHDDAccess
    2021-05-05 13:45:18,531 [root] DEBUG: 	 |-- PhysicalDriveAccess
    2021-05-05 13:45:18,531 [root] DEBUG: 	 |-- SuspiciousIoctlSCSIPassthough
    2021-05-05 13:45:18,531 [root] DEBUG: 	 |-- AthenaHttp
    2021-05-05 13:45:18,531 [root] DEBUG: 	 |-- DirtJumper
    2021-05-05 13:45:18,531 [root] DEBUG: 	 |-- Drive
    2021-05-05 13:45:18,532 [root] DEBUG: 	 |-- Drive2
    2021-05-05 13:45:18,532 [root] DEBUG: 	 |-- Madness
    2021-05-05 13:45:18,532 [root] DEBUG: 	 |-- Ruskill
    2021-05-05 13:45:18,532 [root] DEBUG: 	 |-- BrowserAddon
    2021-05-05 13:45:18,532 [root] DEBUG: 	 |-- BrowserHelperObject
    2021-05-05 13:45:18,532 [root] DEBUG: 	 |-- BrowserNeeded
    2021-05-05 13:45:18,532 [root] DEBUG: 	 |-- ModifyProxy
    2021-05-05 13:45:18,532 [root] DEBUG: 	 |-- BrowserScanbox
    2021-05-05 13:45:18,532 [root] DEBUG: 	 |-- BrowserSecurity
    2021-05-05 13:45:18,532 [root] DEBUG: 	 |-- browser_startpage
    2021-05-05 13:45:18,532 [root] DEBUG: 	 |-- OdbcconfBypass
    2021-05-05 13:45:18,532 [root] DEBUG: 	 |-- RegSrv32SquiblydooDLLLoad
    2021-05-05 13:45:18,532 [root] DEBUG: 	 |-- SquiblydooBypass
    2021-05-05 13:45:18,532 [root] DEBUG: 	 |-- SquiblytwoBypass
    2021-05-05 13:45:18,532 [root] DEBUG: 	 |-- BypassFirewall
    2021-05-05 13:45:18,532 [root] DEBUG: 	 |-- UACBypassCMSTP
    2021-05-05 13:45:18,532 [root] DEBUG: 	 |-- UACBypassCMSTPCOM
    2021-05-05 13:45:18,532 [root] DEBUG: 	 |-- UACBypassDelegateExecuteSdclt
    2021-05-05 13:45:18,532 [root] DEBUG: 	 |-- UACBypassEventvwr
    2021-05-05 13:45:18,532 [root] DEBUG: 	 |-- UACBypassFodhelper
    2021-05-05 13:45:18,532 [root] DEBUG: 	 |-- CAPEExtractedConfig
    2021-05-05 13:45:18,532 [root] DEBUG: 	 |-- CAPEExtractedContent
    2021-05-05 13:45:18,532 [root] DEBUG: 	 |-- CarberpMutexes
    2021-05-05 13:45:18,533 [root] DEBUG: 	 |-- Cerber_APIs
    2021-05-05 13:45:18,533 [root] DEBUG: 	 |-- Chimera_APIs
    2021-05-05 13:45:18,533 [root] DEBUG: 	 |-- ClamAV
    2021-05-05 13:45:18,533 [root] DEBUG: 	 |-- ClearsLogs
    2021-05-05 13:45:18,533 [root] DEBUG: 	 |-- ClickfraudCookies
    2021-05-05 13:45:18,533 [root] DEBUG: 	 |-- ClickfraudVolume
    2021-05-05 13:45:18,533 [root] DEBUG: 	 |-- CmdlineObfuscation
    2021-05-05 13:45:18,533 [root] DEBUG: 	 |-- CmdlineSwitches
    2021-05-05 13:45:18,533 [root] DEBUG: 	 |-- CmdlineTerminate
    2021-05-05 13:45:18,533 [root] DEBUG: 	 |-- CommandLineForFilesWildCard
    2021-05-05 13:45:18,533 [root] DEBUG: 	 |-- CommandLineHTTPLink
    2021-05-05 13:45:18,533 [root] DEBUG: 	 |-- CommandLineLongString
    2021-05-05 13:45:18,533 [root] DEBUG: 	 |-- CommandLineReversedHTTPLink
    2021-05-05 13:45:18,533 [root] DEBUG: 	 |-- LongCommandline
    2021-05-05 13:45:18,533 [root] DEBUG: 	 |-- PowershellRenamedCommandLine
    2021-05-05 13:45:18,533 [root] DEBUG: 	 |-- CodeLux_APIs
    2021-05-05 13:45:18,533 [root] DEBUG: 	 |-- SystemAccountDisoveryCMD
    2021-05-05 13:45:18,533 [root] DEBUG: 	 |-- SystemInfoDiscoveryCMD
    2021-05-05 13:45:18,533 [root] DEBUG: 	 |-- SystemInfoDiscoveryPWSH
    2021-05-05 13:45:18,533 [root] DEBUG: 	 |-- SystemNetworkDiscoveryCMD
    2021-05-05 13:45:18,533 [root] DEBUG: 	 |-- SystemNetworkDiscoveryPWSH
    2021-05-05 13:45:18,533 [root] DEBUG: 	 |-- SystemUserDisoveryCMD
    2021-05-05 13:45:18,533 [root] DEBUG: 	 |-- CompilesDotNetCode
    2021-05-05 13:45:18,534 [root] DEBUG: 	 |-- CopiesSelf
    2021-05-05 13:45:18,534 [root] DEBUG: 	 |-- CreatesExe
    2021-05-05 13:45:18,534 [root] DEBUG: 	 |-- CreatesLargeKey
    2021-05-05 13:45:18,534 [root] DEBUG: 	 |-- CreatesNullValue
    2021-05-05 13:45:18,534 [root] DEBUG: 	 |-- EnablesWDigest
    2021-05-05 13:45:18,534 [root] DEBUG: 	 |-- FileCredentialStoreAccess
    2021-05-05 13:45:18,534 [root] DEBUG: 	 |-- LsassCredentialDumping
    2021-05-05 13:45:18,534 [root] DEBUG: 	 |-- RegistryCredentialDumping
    2021-05-05 13:45:18,534 [root] DEBUG: 	 |-- RegistryCredentialStoreAccess
    2021-05-05 13:45:18,534 [root] DEBUG: 	 |-- RegistryLSASecretsAccess
    2021-05-05 13:45:18,534 [root] DEBUG: 	 |-- CriticalProcess
    2021-05-05 13:45:18,534 [root] DEBUG: 	 |-- CryptominingStratumCommand
    2021-05-05 13:45:18,534 [root] DEBUG: 	 |-- MINERS
    2021-05-05 13:45:18,534 [root] DEBUG: 	 |-- CryptoWall_APIs
    2021-05-05 13:45:18,534 [root] DEBUG: 	 |-- CVE_2014_6332
    2021-05-05 13:45:18,534 [root] DEBUG: 	 |-- CVE2015_2419_JS
    2021-05-05 13:45:18,534 [root] DEBUG: 	 |-- CVE_2016_0189
    2021-05-05 13:45:18,534 [root] DEBUG: 	 |-- CVE_2016_7200
    2021-05-05 13:45:18,534 [root] DEBUG: 	 |-- CypherITMutexes
    2021-05-05 13:45:18,534 [root] DEBUG: 	 |-- DarkCometRegkeys
    2021-05-05 13:45:18,534 [root] DEBUG: 	 |-- DeadConnect
    2021-05-05 13:45:18,534 [root] DEBUG: 	 |-- DeadLink
    2021-05-05 13:45:18,534 [root] DEBUG: 	 |-- DebugsSelf
    2021-05-05 13:45:18,535 [root] DEBUG: 	 |-- DecoyDocument
    2021-05-05 13:45:18,535 [root] DEBUG: 	 |-- DecoyImage
    2021-05-05 13:45:18,535 [root] DEBUG: 	 |-- DeepFreezeMutex
    2021-05-05 13:45:18,535 [root] DEBUG: 	 |-- DeletesSelf
    2021-05-05 13:45:18,535 [root] DEBUG: 	 |-- DeletesShadowCopies
    2021-05-05 13:45:18,535 [root] DEBUG: 	 |-- DeletesSystemStateBackup
    2021-05-05 13:45:18,535 [root] DEBUG: 	 |-- DEPBypass
    2021-05-05 13:45:18,535 [root] DEBUG: 	 |-- DEPDisable
    2021-05-05 13:45:18,535 [root] DEBUG: 	 |-- DisablesAppVirtualiztion
    2021-05-05 13:45:18,535 [root] DEBUG: 	 |-- DisablesAppLaunch
    2021-05-05 13:45:18,535 [root] DEBUG: 	 |-- DisablesAutomaticAppTermination
    2021-05-05 13:45:18,535 [root] DEBUG: 	 |-- DisablesBackups
    2021-05-05 13:45:18,535 [root] DEBUG: 	 |-- DisablesBrowserWarn
    2021-05-05 13:45:18,535 [root] DEBUG: 	 |-- DisablesContextMenus
    2021-05-05 13:45:18,535 [root] DEBUG: 	 |-- DisablesCPLDisplay
    2021-05-05 13:45:18,535 [root] DEBUG: 	 |-- DisablesMappedDrivesAutodisconnect
    2021-05-05 13:45:18,535 [root] DEBUG: 	 |-- DisablesEventLogging
    2021-05-05 13:45:18,535 [root] DEBUG: 	 |-- DisableFolderOptions
    2021-05-05 13:45:18,535 [root] DEBUG: 	 |-- DisablesNotificationCenter
    2021-05-05 13:45:18,535 [root] DEBUG: 	 |-- DisablesPowerOptions
    2021-05-05 13:45:18,535 [root] DEBUG: 	 |-- DisablesRestoreDefaultState
    2021-05-05 13:45:18,535 [root] DEBUG: 	 |-- DisableRunCommand
    2021-05-05 13:45:18,535 [root] DEBUG: 	 |-- DisablesSmartScreen
    2021-05-05 13:45:18,535 [root] DEBUG: 	 |-- DisablesSPDY
    2021-05-05 13:45:18,536 [root] DEBUG: 	 |-- DisablesStartMenuSearch
    2021-05-05 13:45:18,536 [root] DEBUG: 	 |-- DisablesSystemRestore
    2021-05-05 13:45:18,536 [root] DEBUG: 	 |-- DisablesUAC
    2021-05-05 13:45:18,536 [root] DEBUG: 	 |-- DisablesWER
    2021-05-05 13:45:18,536 [root] DEBUG: 	 |-- DisablesWFP
    2021-05-05 13:45:18,536 [root] DEBUG: 	 |-- DisablesWindowsDefender
    2021-05-05 13:45:18,536 [root] DEBUG: 	 |-- DisablesWindowsDefenderLogging
    2021-05-05 13:45:18,536 [root] DEBUG: 	 |-- RemovesWindowsDefenderContextMenu
    2021-05-05 13:45:18,536 [root] DEBUG: 	 |-- WindowsDefenderPowerShell
    2021-05-05 13:45:18,536 [root] DEBUG: 	 |-- DisablesWindowsUpdate
    2021-05-05 13:45:18,536 [root] DEBUG: 	 |-- DisablesWindowsFirewall
    2021-05-05 13:45:18,536 [root] DEBUG: 	 |-- AndromutMutexes
    2021-05-05 13:45:18,536 [root] DEBUG: 	 |-- DownloaderCabby
    2021-05-05 13:45:18,536 [root] DEBUG: 	 |-- GuLoaderAPIs
    2021-05-05 13:45:18,536 [root] DEBUG: 	 |-- PhorpiexMutexes
    2021-05-05 13:45:18,536 [root] DEBUG: 	 |-- ProtonBotMutexes
    2021-05-05 13:45:18,536 [root] DEBUG: 	 |-- Dridex_APIs
    2021-05-05 13:45:18,536 [root] DEBUG: 	 |-- DriverLoad
    2021-05-05 13:45:18,536 [root] DEBUG: 	 |-- Dropper
    2021-05-05 13:45:18,536 [root] DEBUG: 	 |-- EXEDropper_JS
    2021-05-05 13:45:18,536 [root] DEBUG: 	 |-- dynamic_function_loading
    2021-05-05 13:45:18,536 [root] DEBUG: 	 |-- Dyre_APIs
    2021-05-05 13:45:18,536 [root] DEBUG: 	 |-- Angler_JS
    2021-05-05 13:45:18,537 [root] DEBUG: 	 |-- Gondad_JS
    2021-05-05 13:45:18,537 [root] DEBUG: 	 |-- HeapSpray_JS
    2021-05-05 13:45:18,537 [root] DEBUG: 	 |-- Java_JS
    2021-05-05 13:45:18,537 [root] DEBUG: 	 |-- Neutrino_JS
    2021-05-05 13:45:18,537 [root] DEBUG: 	 |-- Nuclear_JS
    2021-05-05 13:45:18,537 [root] DEBUG: 	 |-- RIG_JS
    2021-05-05 13:45:18,537 [root] DEBUG: 	 |-- Silverlight_JS
    2021-05-05 13:45:18,537 [root] DEBUG: 	 |-- Sundown_JS
    2021-05-05 13:45:18,537 [root] DEBUG: 	 |-- Virtualcheck_JS
    2021-05-05 13:45:18,537 [root] DEBUG: 	 |-- EncryptedIOC
    2021-05-05 13:45:18,537 [root] DEBUG: 	 |-- Excel4MacroUrls
    2021-05-05 13:45:18,537 [root] DEBUG: 	 |-- Crash
    2021-05-05 13:45:18,537 [root] DEBUG: 	 |-- ProcessCreationSuspiciousLocation
    2021-05-05 13:45:18,537 [root] DEBUG: 	 |-- exploit_getbasekerneladdress
    2021-05-05 13:45:18,537 [root] DEBUG: 	 |-- exploit_gethaldispatchtable
    2021-05-05 13:45:18,537 [root] DEBUG: 	 |-- ExploitHeapspray
    2021-05-05 13:45:18,537 [root] DEBUG: 	 |-- KoadicAPIs
    2021-05-05 13:45:18,537 [root] DEBUG: 	 |-- KoadicNetworkActivity
    2021-05-05 13:45:18,537 [root] DEBUG: 	 |-- FamilyProxyBack
    2021-05-05 13:45:18,537 [root] DEBUG: 	 |-- Modiloader_APIs
    2021-05-05 13:45:18,537 [root] DEBUG: 	 |-- MappedDrivesUAC
    2021-05-05 13:45:18,537 [root] DEBUG: 	 |-- SystemMetrics
    2021-05-05 13:45:18,537 [root] DEBUG: 	 |-- Generic_Phish
    2021-05-05 13:45:18,538 [root] DEBUG: 	 |-- Gootkit_APIs
    2021-05-05 13:45:18,538 [root] DEBUG: 	 |-- H1N1_APIs
    2021-05-05 13:45:18,538 [root] DEBUG: 	 |-- Hancitor_APIs
    2021-05-05 13:45:18,538 [root] DEBUG: 	 |-- HawkEye_APIs
    2021-05-05 13:45:18,538 [root] DEBUG: 	 |-- HidesRecycleBinIcon
    2021-05-05 13:45:18,538 [root] DEBUG: 	 |-- HTTP_Request
    2021-05-05 13:45:18,538 [root] DEBUG: 	 |-- NetworkHTTPS
    2021-05-05 13:45:18,538 [root] DEBUG: 	 |-- ApocalypseStealerFileBehavior
    2021-05-05 13:45:18,538 [root] DEBUG: 	 |-- ArkeiFiles
    2021-05-05 13:45:18,538 [root] DEBUG: 	 |-- AzorultMutexes
    2021-05-05 13:45:18,538 [root] DEBUG: 	 |-- BitcoinWallet
    2021-05-05 13:45:18,538 [root] DEBUG: 	 |-- BrowserStealer
    2021-05-05 13:45:18,538 [root] DEBUG: 	 |-- InfostealerBrowserPassword
    2021-05-05 13:45:18,538 [root] DEBUG: 	 |-- CryptBotFiles
    2021-05-05 13:45:18,538 [root] DEBUG: 	 |-- CryptBotNetwork
    2021-05-05 13:45:18,538 [root] DEBUG: 	 |-- EchelonFiles
    2021-05-05 13:45:18,538 [root] DEBUG: 	 |-- FTPStealer
    2021-05-05 13:45:18,538 [root] DEBUG: 	 |-- IMStealer
    2021-05-05 13:45:18,538 [root] DEBUG: 	 |-- KeyLogger
    2021-05-05 13:45:18,538 [root] DEBUG: 	 |-- EmailStealer
    2021-05-05 13:45:18,538 [root] DEBUG: 	 |-- MassLoggerArtifacts
    2021-05-05 13:45:18,538 [root] DEBUG: 	 |-- MassLoggerFiles
    2021-05-05 13:45:18,538 [root] DEBUG: 	 |-- MassLoggerVersion
    2021-05-05 13:45:18,538 [root] DEBUG: 	 |-- PoullightFiles
    2021-05-05 13:45:18,539 [root] DEBUG: 	 |-- PurpleWaveMutexes
    2021-05-05 13:45:18,539 [root] DEBUG: 	 |-- PurpleWaveNetworkAcivity
    2021-05-05 13:45:18,539 [root] DEBUG: 	 |-- QuilClipperMutexes
    2021-05-05 13:45:18,539 [root] DEBUG: 	 |-- QuilClipperNetworkBehavior
    2021-05-05 13:45:18,539 [root] DEBUG: 	 |-- QulabFiles
    2021-05-05 13:45:18,539 [root] DEBUG: 	 |-- QulabMutexes
    2021-05-05 13:45:18,539 [root] DEBUG: 	 |-- raccoon
    2021-05-05 13:45:18,539 [root] DEBUG: 	 |-- CapturesScreenshot
    2021-05-05 13:45:18,539 [root] DEBUG: 	 |-- vidar
    2021-05-05 13:45:18,539 [root] DEBUG: 	 |-- InjectionCRT
    2021-05-05 13:45:18,539 [root] DEBUG: 	 |-- InjectionExplorer
    2021-05-05 13:45:18,539 [root] DEBUG: 	 |-- InjectionExtension
    2021-05-05 13:45:18,539 [root] DEBUG: 	 |-- InjectionNetworkTraffic
    2021-05-05 13:45:18,539 [root] DEBUG: 	 |-- InjectionRUNPE
    2021-05-05 13:45:18,539 [root] DEBUG: 	 |-- InjectionRWX
    2021-05-05 13:45:18,539 [root] DEBUG: 	 |-- injection_themeinitapihook
    2021-05-05 13:45:18,539 [root] DEBUG: 	 |-- Internet_Dropper
    2021-05-05 13:45:18,539 [root] DEBUG: 	 |-- IPC_NamedPipe
    2021-05-05 13:45:18,539 [root] DEBUG: 	 |-- JS_Phish
    2021-05-05 13:45:18,539 [root] DEBUG: 	 |-- JS_SuspiciousRedirect
    2021-05-05 13:45:18,539 [root] DEBUG: 	 |-- KazyBot_APIs
    2021-05-05 13:45:18,539 [root] DEBUG: 	 |-- Kelihos_APIs
    2021-05-05 13:45:18,539 [root] DEBUG: 	 |-- Kibex_APIs
    2021-05-05 13:45:18,540 [root] DEBUG: 	 |-- Kovter_APIs
    2021-05-05 13:45:18,540 [root] DEBUG: 	 |-- KrakenMutexes
    2021-05-05 13:45:18,540 [root] DEBUG: 	 |-- DisableRegedit
    2021-05-05 13:45:18,540 [root] DEBUG: 	 |-- DisableTaskMgr
    2021-05-05 13:45:18,540 [root] DEBUG: 	 |-- Locky_APIs
    2021-05-05 13:45:18,540 [root] DEBUG: 	 |-- malicious_dynamic_function_loading
    2021-05-05 13:45:18,540 [root] DEBUG: 	 |-- EncryptPCInfo
    2021-05-05 13:45:18,540 [root] DEBUG: 	 |-- EnryptDataAgentTeslaHTTP
    2021-05-05 13:45:18,540 [root] DEBUG: 	 |-- EnryptDataAgentTeslaHTTPT2
    2021-05-05 13:45:18,540 [root] DEBUG: 	 |-- EnryptDataNanoCore
    2021-05-05 13:45:18,540 [root] DEBUG: 	 |-- MartiansIE
    2021-05-05 13:45:18,540 [root] DEBUG: 	 |-- MartiansOffice
    2021-05-05 13:45:18,540 [root] DEBUG: 	 |-- MimicsAgent
    2021-05-05 13:45:18,540 [root] DEBUG: 	 |-- MimicsExtension
    2021-05-05 13:45:18,540 [root] DEBUG: 	 |-- MimicsFiletime
    2021-05-05 13:45:18,540 [root] DEBUG: 	 |-- MimicsIcon
    2021-05-05 13:45:18,540 [root] DEBUG: 	 |-- MasqueradesProcessName
    2021-05-05 13:45:18,540 [root] DEBUG: 	 |-- MimikatzModules
    2021-05-05 13:45:18,540 [root] DEBUG: 	 |-- ModifiesCerts
    2021-05-05 13:45:18,540 [root] DEBUG: 	 |-- DotNetCLRUsageLogKnob
    2021-05-05 13:45:18,540 [root] DEBUG: 	 |-- Modifies_HostFile
    2021-05-05 13:45:18,540 [root] DEBUG: 	 |-- ModifiesOEMInformation
    2021-05-05 13:45:18,540 [root] DEBUG: 	 |-- ModifySecurityCenterWarnings
    2021-05-05 13:45:18,541 [root] DEBUG: 	 |-- ModifiesUACNotify
    2021-05-05 13:45:18,541 [root] DEBUG: 	 |-- ModifiesDesktopWallpaper
    2021-05-05 13:45:18,541 [root] DEBUG: 	 |-- move_file_on_reboot
    2021-05-05 13:45:18,541 [root] DEBUG: 	 |-- Multiple_UA
    2021-05-05 13:45:18,541 [root] DEBUG: 	 |-- NetworkAnomaly
    2021-05-05 13:45:18,541 [root] DEBUG: 	 |-- NetworkBIND
    2021-05-05 13:45:18,541 [root] DEBUG: 	 |-- NetworkCnCHTTPSGeneric
    2021-05-05 13:45:18,541 [root] DEBUG: 	 |-- NetworkCnCHTTPSPasteSite
    2021-05-05 13:45:18,541 [root] DEBUG: 	 |-- NetworkCnCHTTPSSocialMedia
    2021-05-05 13:45:18,541 [root] DEBUG: 	 |-- NetworkCnCHTTPSTempStorageSite
    2021-05-05 13:45:18,541 [root] DEBUG: 	 |-- NetworkCnCHTTPSTempURLDNS
    2021-05-05 13:45:18,541 [root] DEBUG: 	 |-- NetworkCnCHTTPSURLShortenerSite
    2021-05-05 13:45:18,541 [root] DEBUG: 	 |-- NetworkCnCHTTPSUserAgent
    2021-05-05 13:45:18,541 [root] DEBUG: 	 |-- NetworkCnCSMTPSExfil
    2021-05-05 13:45:18,541 [root] DEBUG: 	 |-- NetworkCnCSMTPSGeneric
    2021-05-05 13:45:18,541 [root] DEBUG: 	 |-- NetworkCountryDistribution
    2021-05-05 13:45:18,541 [root] DEBUG: 	 |-- NetworkMultipleDirectIPConnections
    2021-05-05 13:45:18,541 [root] DEBUG: 	 |-- NetworkCnCHTTP
    2021-05-05 13:45:18,541 [root] DEBUG: 	 |-- NetworkDGA
    2021-05-05 13:45:18,541 [root] DEBUG: 	 |-- NetworkDGAFraunhofer
    2021-05-05 13:45:18,541 [root] DEBUG: 	 |-- NetworkDNSBlockChain
    2021-05-05 13:45:18,541 [root] DEBUG: 	 |-- NetworkDNSIDN
    2021-05-05 13:45:18,541 [root] DEBUG: 	 |-- NetworkDNSOpenNIC
    2021-05-05 13:45:18,541 [root] DEBUG: 	 |-- NetworkDNSPasteSite
    2021-05-05 13:45:18,542 [root] DEBUG: 	 |-- NetworkDNSReverseProxy
    2021-05-05 13:45:18,542 [root] DEBUG: 	 |-- NetworkDNSSuspiciousQueryType
    2021-05-05 13:45:18,542 [root] DEBUG: 	 |-- NetworkDNSTempFileService
    2021-05-05 13:45:18,542 [root] DEBUG: 	 |-- NetworkDNSTempURLDNS
    2021-05-05 13:45:18,542 [root] DEBUG: 	 |-- NetworkDNSTunnelingRequest
    2021-05-05 13:45:18,542 [root] DEBUG: 	 |-- NetworkDNSURLShortener
    2021-05-05 13:45:18,542 [root] DEBUG: 	 |-- NetworkDOHTLS
    2021-05-05 13:45:18,542 [root] DEBUG: 	 |-- NetworkDocumentHTTP
    2021-05-05 13:45:18,542 [root] DEBUG: 	 |-- NetworkExcessiveUDP
    2021-05-05 13:45:18,542 [root] DEBUG: 	 |-- ExplorerHTTP
    2021-05-05 13:45:18,542 [root] DEBUG: 	 |-- NetworkHTTP
    2021-05-05 13:45:18,542 [root] DEBUG: 	 |-- NetworkICMP
    2021-05-05 13:45:18,542 [root] DEBUG: 	 |-- NetworkIRC
    2021-05-05 13:45:18,542 [root] DEBUG: 	 |-- NetworkSMTP
    2021-05-05 13:45:18,542 [root] DEBUG: 	 |-- Tor
    2021-05-05 13:45:18,542 [root] DEBUG: 	 |-- TorHiddenService
    2021-05-05 13:45:18,542 [root] DEBUG: 	 |-- TorGateway
    2021-05-05 13:45:18,542 [root] DEBUG: 	 |-- Nymaim_APIs
    2021-05-05 13:45:18,542 [root] DEBUG: 	 |-- Office_Code_Page
    2021-05-05 13:45:18,542 [root] DEBUG: 	 |-- OfficeAddinLoading
    2021-05-05 13:45:18,542 [root] DEBUG: 	 |-- OfficeCOMLoad
    2021-05-05 13:45:18,542 [root] DEBUG: 	 |-- OfficeDotNetLoad
    2021-05-05 13:45:18,542 [root] DEBUG: 	 |-- OfficePerfKey
    2021-05-05 13:45:18,543 [root] DEBUG: 	 |-- OfficeVBLLoad
    2021-05-05 13:45:18,543 [root] DEBUG: 	 |-- OfficeWMILoad
    2021-05-05 13:45:18,543 [root] DEBUG: 	 |-- OfficeCVE201711882
    2021-05-05 13:45:18,543 [root] DEBUG: 	 |-- OfficeCVE201711882Network
    2021-05-05 13:45:18,543 [root] DEBUG: 	 |-- OfficeFlashLoad
    2021-05-05 13:45:18,543 [root] DEBUG: 	 |-- OfficePostScript
    2021-05-05 13:45:18,543 [root] DEBUG: 	 |-- Office_Macro
    2021-05-05 13:45:18,543 [root] DEBUG: 	 |-- OfficeMacroAutoExecution
    2021-05-05 13:45:18,543 [root] DEBUG: 	 |-- OfficeMacroIOC
    2021-05-05 13:45:18,543 [root] DEBUG: 	 |-- OfficeMacroMaliciousPredition
    2021-05-05 13:45:18,543 [root] DEBUG: 	 |-- OfficeMacroSuspicious
    2021-05-05 13:45:18,543 [root] DEBUG: 	 |-- RTFASLRBypass
    2021-05-05 13:45:18,543 [root] DEBUG: 	 |-- RTFAnomalyCharacterSet
    2021-05-05 13:45:18,543 [root] DEBUG: 	 |-- RTFAnomalyVersion
    2021-05-05 13:45:18,543 [root] DEBUG: 	 |-- RTFEmbeddedContent
    2021-05-05 13:45:18,543 [root] DEBUG: 	 |-- RTFEmbeddedOfficeFile
    2021-05-05 13:45:18,543 [root] DEBUG: 	 |-- RTFExploitStatic
    2021-05-05 13:45:18,543 [root] DEBUG: 	 |-- OfficeSecurity
    2021-05-05 13:45:18,543 [root] DEBUG: 	 |-- OfficeAnamalousFeature
    2021-05-05 13:45:18,543 [root] DEBUG: 	 |-- OfficeDDECommand
    2021-05-05 13:45:18,543 [root] DEBUG: 	 |-- OfficeSuspiciousProcesses
    2021-05-05 13:45:18,543 [root] DEBUG: 	 |-- OfficeWriteEXE
    2021-05-05 13:45:18,543 [root] DEBUG: 	 |-- BuildLangID
    2021-05-05 13:45:18,544 [root] DEBUG: 	 |-- ResourceLangID
    2021-05-05 13:45:18,544 [root] DEBUG: 	 |-- PackerUnknownPESectionName
    2021-05-05 13:45:18,544 [root] DEBUG: 	 |-- ArmadilloMutex
    2021-05-05 13:45:18,544 [root] DEBUG: 	 |-- ArmadilloRegKey
    2021-05-05 13:45:18,544 [root] DEBUG: 	 |-- ASPackPacked
    2021-05-05 13:45:18,544 [root] DEBUG: 	 |-- AspireCryptPacked
    2021-05-05 13:45:18,544 [root] DEBUG: 	 |-- BedsProtectorPacked
    2021-05-05 13:45:18,544 [root] DEBUG: 	 |-- ConfuserPacked
    2021-05-05 13:45:18,544 [root] DEBUG: 	 |-- EnigmaPacked
    2021-05-05 13:45:18,544 [root] DEBUG: 	 |-- PackerEntropy
    2021-05-05 13:45:18,544 [root] DEBUG: 	 |-- MPressPacked
    2021-05-05 13:45:18,544 [root] DEBUG: 	 |-- NatePacked
    2021-05-05 13:45:18,544 [root] DEBUG: 	 |-- NsPacked
    2021-05-05 13:45:18,544 [root] DEBUG: 	 |-- SmartAssemblyPacked
    2021-05-05 13:45:18,544 [root] DEBUG: 	 |-- SpicesPacked
    2021-05-05 13:45:18,544 [root] DEBUG: 	 |-- ThemidaPacked
    2021-05-05 13:45:18,544 [root] DEBUG: 	 |-- ThemidaPackedSection
    2021-05-05 13:45:18,544 [root] DEBUG: 	 |-- TitanPacked
    2021-05-05 13:45:18,544 [root] DEBUG: 	 |-- UPXCompressed
    2021-05-05 13:45:18,544 [root] DEBUG: 	 |-- VMPPacked
    2021-05-05 13:45:18,544 [root] DEBUG: 	 |-- YodaPacked
    2021-05-05 13:45:18,544 [root] DEBUG: 	 |-- PDF_Annot_URLs
    2021-05-05 13:45:18,544 [root] DEBUG: 	 |-- ADS
    2021-05-05 13:45:18,544 [root] DEBUG: 	 |-- Autorun
    2021-05-05 13:45:18,545 [root] DEBUG: 	 |-- Autorun_scheduler
    2021-05-05 13:45:18,545 [root] DEBUG: 	 |-- PersistenceSafeBoot
    2021-05-05 13:45:18,545 [root] DEBUG: 	 |-- PersistenceBootexecute
    2021-05-05 13:45:18,545 [root] DEBUG: 	 |-- PersistenceRegistryScript
    2021-05-05 13:45:18,545 [root] DEBUG: 	 |-- PersistenceIFEO
    2021-05-05 13:45:18,545 [root] DEBUG: 	 |-- PersistenceSilentProcessExit
    2021-05-05 13:45:18,545 [root] DEBUG: 	 |-- PersistenceRDPRegistry
    2021-05-05 13:45:18,545 [root] DEBUG: 	 |-- PersistenceService
    2021-05-05 13:45:18,545 [root] DEBUG: 	 |-- PersistenceShimDatabase
    2021-05-05 13:45:18,545 [root] DEBUG: 	 |-- Polymorphic
    2021-05-05 13:45:18,545 [root] DEBUG: 	 |-- Pony_APIs
    2021-05-05 13:45:18,545 [root] DEBUG: 	 |-- PowerpoolMutexes
    2021-05-05 13:45:18,545 [root] DEBUG: 	 |-- PowerShellNetworkConnection
    2021-05-05 13:45:18,545 [root] DEBUG: 	 |-- PowerShellScriptBlockLogging
    2021-05-05 13:45:18,545 [root] DEBUG: 	 |-- PowershellCommandSuspicious
    2021-05-05 13:45:18,545 [root] DEBUG: 	 |-- PowershellRenamed
    2021-05-05 13:45:18,545 [root] DEBUG: 	 |-- PowershellReversed
    2021-05-05 13:45:18,545 [root] DEBUG: 	 |-- PowershellVariableObfuscation
    2021-05-05 13:45:18,545 [root] DEBUG: 	 |-- PunchPlusPlusPCREs
    2021-05-05 13:45:18,545 [root] DEBUG: 	 |-- PreventsSafeboot
    2021-05-05 13:45:18,545 [root] DEBUG: 	 |-- CmdlineProcessDiscovery
    2021-05-05 13:45:18,545 [root] DEBUG: 	 |-- CreateToolhelp32SnapshotProcessModuleEnumeration
    2021-05-05 13:45:18,545 [root] DEBUG: 	 |-- EmumeratesRunningProcesses
    2021-05-05 13:45:18,546 [root] DEBUG: 	 |-- ProcessInterest
    2021-05-05 13:45:18,546 [root] DEBUG: 	 |-- ProcessNeeded
    2021-05-05 13:45:18,546 [root] DEBUG: 	 |-- Procmem_Yara
    2021-05-05 13:45:18,546 [root] DEBUG: 	 |-- MassDataEncryption
    2021-05-05 13:45:18,546 [root] DEBUG: 	 |-- CryptoMixMutexes
    2021-05-05 13:45:18,546 [root] DEBUG: 	 |-- DharmaMutexes
    2021-05-05 13:45:18,546 [root] DEBUG: 	 |-- RansomwareDMALocker
    2021-05-05 13:45:18,546 [root] DEBUG: 	 |-- RansomwareExtensions
    2021-05-05 13:45:18,546 [root] DEBUG: 	 |-- RansomwareFileModifications
    2021-05-05 13:45:18,546 [root] DEBUG: 	 |-- RansomwareFiles
    2021-05-05 13:45:18,546 [root] DEBUG: 	 |-- FonixMutexes
    2021-05-05 13:45:18,546 [root] DEBUG: 	 |-- GandCrabMutexes
    2021-05-05 13:45:18,546 [root] DEBUG: 	 |-- GermanWiperMutexes
    2021-05-05 13:45:18,546 [root] DEBUG: 	 |-- MedusaLockerMutexes
    2021-05-05 13:45:18,546 [root] DEBUG: 	 |-- MedusaLockerRegkeys
    2021-05-05 13:45:18,546 [root] DEBUG: 	 |-- RansomwareMessage
    2021-05-05 13:45:18,546 [root] DEBUG: 	 |-- RansomwareMessageMultipleLocations
    2021-05-05 13:45:18,546 [root] DEBUG: 	 |-- NemtyMutexes
    2021-05-05 13:45:18,546 [root] DEBUG: 	 |-- NemtyNetworkActivity
    2021-05-05 13:45:18,546 [root] DEBUG: 	 |-- NemtyNote
    2021-05-05 13:45:18,546 [root] DEBUG: 	 |-- NemtyRegkeys
    2021-05-05 13:45:18,546 [root] DEBUG: 	 |-- PYSAMutexes
    2021-05-05 13:45:18,546 [root] DEBUG: 	 |-- RansomwareRadamant
    2021-05-05 13:45:18,547 [root] DEBUG: 	 |-- RansomwareRecyclebin
    2021-05-05 13:45:18,547 [root] DEBUG: 	 |-- RevilMutexes
    2021-05-05 13:45:18,547 [root] DEBUG: 	 |-- SatanMutexes
    2021-05-05 13:45:18,547 [root] DEBUG: 	 |-- SnakeRansomMutexes
    2021-05-05 13:45:18,547 [root] DEBUG: 	 |-- sodinokibi
    2021-05-05 13:45:18,547 [root] DEBUG: 	 |-- StopRansomMutexes
    2021-05-05 13:45:18,547 [root] DEBUG: 	 |-- BeebusMutexes
    2021-05-05 13:45:18,547 [root] DEBUG: 	 |-- BlackRATAPIs
    2021-05-05 13:45:18,547 [root] DEBUG: 	 |-- BlackRATMutexes
    2021-05-05 13:45:18,547 [root] DEBUG: 	 |-- BlackRATNetworkActivity
    2021-05-05 13:45:18,547 [root] DEBUG: 	 |-- BlackRATRegistryKeys
    2021-05-05 13:45:18,547 [root] DEBUG: 	 |-- CRATMutexes
    2021-05-05 13:45:18,547 [root] DEBUG: 	 |-- DCRatAPIs
    2021-05-05 13:45:18,547 [root] DEBUG: 	 |-- DCRatFiles
    2021-05-05 13:45:18,547 [root] DEBUG: 	 |-- DCRatMutex
    2021-05-05 13:45:18,547 [root] DEBUG: 	 |-- FynloskiMutexes
    2021-05-05 13:45:18,547 [root] DEBUG: 	 |-- KaraganyEventObjects
    2021-05-05 13:45:18,547 [root] DEBUG: 	 |-- KaraganyFiles
    2021-05-05 13:45:18,547 [root] DEBUG: 	 |-- LimeRATMutexes
    2021-05-05 13:45:18,547 [root] DEBUG: 	 |-- LimeRATRegkeys
    2021-05-05 13:45:18,547 [root] DEBUG: 	 |-- LodaRATFileBehavior
    2021-05-05 13:45:18,547 [root] DEBUG: 	 |-- LuminosityRAT
    2021-05-05 13:45:18,547 [root] DEBUG: 	 |-- ModiRATBehavior
    2021-05-05 13:45:18,548 [root] DEBUG: 	 |-- NanocoreRAT
    2021-05-05 13:45:18,548 [root] DEBUG: 	 |-- netwire
    2021-05-05 13:45:18,548 [root] DEBUG: 	 |-- NjratRegkeys
    2021-05-05 13:45:18,548 [root] DEBUG: 	 |-- ObliquekRATFiles
    2021-05-05 13:45:18,548 [root] DEBUG: 	 |-- ObliquekRATMutexes
    2021-05-05 13:45:18,548 [root] DEBUG: 	 |-- ObliquekRATNetworkActivity
    2021-05-05 13:45:18,548 [root] DEBUG: 	 |-- OrcusRAT
    2021-05-05 13:45:18,548 [root] DEBUG: 	 |-- ParallaxMutexes
    2021-05-05 13:45:18,548 [root] DEBUG: 	 |-- PcClientMutexes
    2021-05-05 13:45:18,548 [root] DEBUG: 	 |-- PlugxMutexes
    2021-05-05 13:45:18,548 [root] DEBUG: 	 |-- PoisonIvyMutexes
    2021-05-05 13:45:18,548 [root] DEBUG: 	 |-- QuasarMutexes
    2021-05-05 13:45:18,548 [root] DEBUG: 	 |-- RatsnifMutexes
    2021-05-05 13:45:18,548 [root] DEBUG: 	 |-- SpynetRat
    2021-05-05 13:45:18,548 [root] DEBUG: 	 |-- TrochilusRATAPIs
    2021-05-05 13:45:18,548 [root] DEBUG: 	 |-- VenomRAT
    2021-05-05 13:45:18,548 [root] DEBUG: 	 |-- WarzoneRATFiles
    2021-05-05 13:45:18,548 [root] DEBUG: 	 |-- WarzoneRATRegkeys
    2021-05-05 13:45:18,548 [root] DEBUG: 	 |-- XpertRATFiles
    2021-05-05 13:45:18,548 [root] DEBUG: 	 |-- XpertRATMutexes
    2021-05-05 13:45:18,548 [root] DEBUG: 	 |-- XtremeMutexes
    2021-05-05 13:45:18,548 [root] DEBUG: 	 |-- ReadsSelf
    2021-05-05 13:45:18,548 [root] DEBUG: 	 |-- Recon_Beacon
    2021-05-05 13:45:18,548 [root] DEBUG: 	 |-- CheckIP
    2021-05-05 13:45:18,549 [root] DEBUG: 	 |-- Fingerprint
    2021-05-05 13:45:18,549 [root] DEBUG: 	 |-- InstalledApps
    2021-05-05 13:45:18,549 [root] DEBUG: 	 |-- SystemInfo
    2021-05-05 13:45:18,549 [root] DEBUG: 	 |-- Accesses_RecycleBin
    2021-05-05 13:45:18,549 [root] DEBUG: 	 |-- RemcosFiles
    2021-05-05 13:45:18,549 [root] DEBUG: 	 |-- RemcosMutexes
    2021-05-05 13:45:18,549 [root] DEBUG: 	 |-- RemcosRegkeys
    2021-05-05 13:45:18,549 [root] DEBUG: 	 |-- RDPTCPKey
    2021-05-05 13:45:18,549 [root] DEBUG: 	 |-- UsesRDPClip
    2021-05-05 13:45:18,549 [root] DEBUG: 	 |-- UsesRemoteDesktopSession
    2021-05-05 13:45:18,549 [root] DEBUG: 	 |-- RemovesNetworkingIcon
    2021-05-05 13:45:18,549 [root] DEBUG: 	 |-- RemovesPinnedPrograms
    2021-05-05 13:45:18,549 [root] DEBUG: 	 |-- RemovesSecurityAndMaintenanceIcon
    2021-05-05 13:45:18,549 [root] DEBUG: 	 |-- RemovesStartMenuDefaults
    2021-05-05 13:45:18,549 [root] DEBUG: 	 |-- RemovesUsernameStartMenu
    2021-05-05 13:45:18,549 [root] DEBUG: 	 |-- RemovesZoneIdADS
    2021-05-05 13:45:18,549 [root] DEBUG: 	 |-- SpicyHotPotBehavior
    2021-05-05 13:45:18,549 [root] DEBUG: 	 |-- ScriptCreatedProcess
    2021-05-05 13:45:18,827 [lib.cuckoo.core.scheduler] INFO: Using "virtualbox" machine manager with max_analysis_count=0, max_machines_count=10, and max_vmstartup_count=5
    2021-05-05 13:45:19,041 [modules.machinery.virtualbox] DEBUG: Stopping vm CAPE - Analyzer
    2021-05-05 13:45:19,041 [modules.machinery.virtualbox] DEBUG: Getting status for CAPE - Analyzer
    2021-05-05 13:45:19,083 [modules.machinery.virtualbox] DEBUG: VBoxManage returns error checking status for machine CAPE - Analyzer: VBoxManage: error: Could not find a registered machine named 'CAPE - Analyzer'
    VBoxManage: error: Details: code VBOX_E_OBJECT_NOT_FOUND (0x80bb0001), component VirtualBoxWrap, interface IVirtualBox, callee nsISupports
    VBoxManage: error: Context: "FindMachine(Bstr(VMNameOrUuid).raw(), machine.asOutParam())" at line 2714 of file VBoxManageInfo.cpp
    
    2021-05-05 13:45:20,220 [modules.machinery.virtualbox] DEBUG: VBoxManage exited with error powering off the machine
    2021-05-05 13:45:20,220 [modules.machinery.virtualbox] DEBUG: Getting status for CAPE - Analyzer
    2021-05-05 13:45:20,266 [modules.machinery.virtualbox] DEBUG: VBoxManage returns error checking status for machine CAPE - Analyzer: VBoxManage: error: Could not find a registered machine named 'CAPE - Analyzer'
    VBoxManage: error: Details: code VBOX_E_OBJECT_NOT_FOUND (0x80bb0001), component VirtualBoxWrap, interface IVirtualBox, callee nsISupports
    VBoxManage: error: Context: "FindMachine(Bstr(VMNameOrUuid).raw(), machine.asOutParam())" at line 2714 of file VBoxManageInfo.cpp
    
    2021-05-05 13:45:20,285 [lib.cuckoo.common.abstracts] DEBUG: Waiting 0 cuckooseconds for machine CAPE - Analyzer to switch to status ['poweroff', 'aborted', 'saved']
    2021-05-05 13:45:21,286 [modules.machinery.virtualbox] DEBUG: Getting status for CAPE - Analyzer
    2021-05-05 13:45:21,333 [modules.machinery.virtualbox] DEBUG: VBoxManage returns error checking status for machine CAPE - Analyzer: VBoxManage: error: Could not find a registered machine named 'CAPE - Analyzer'
    VBoxManage: error: Details: code VBOX_E_OBJECT_NOT_FOUND (0x80bb0001), component VirtualBoxWrap, interface IVirtualBox, callee nsISupports
    VBoxManage: error: Context: "FindMachine(Bstr(VMNameOrUuid).raw(), machine.asOutParam())" at line 2714 of file VBoxManageInfo.cpp
    

    The original name of the machine was "CAPE - Analyzer" then I renamed it to "win7", modifying the label in virtualbox.conf with win7 or CAPE - Analyzer gives the same error.

    opened by Finch4 41
  • CapeV2 Azure Machinery / Windows 10 - No detection

    CapeV2 Azure Machinery / Windows 10 - No detection

    About accounts on capesandbox.com

    • Issues isn't the way to ask for account activation. Ping capesandbox in Twitter with your username

    This is open source and you are getting free support so be friendly!

    • Free support from doomedraven ended - no whiskey, no support. For updates check the documentation.

    Prerequisites

    Please answer the following questions for yourself before submitting an issue.

    • [x] I am running the latest version
    • [x] I did read the README!
    • [x] I checked the documentation and found no answer
    • [x] I checked to make sure that this issue has not already been filed
    • [x] I'm reporting the issue to the correct repository (for multi-repository projects)
    • [x] I have read and checked all configs (with all optional parts)

    Expected Behavior

    Detection of formbook malware with yara signatures.

    Current Behavior

    It doesn't seem like yara is detecting the malware sample or reporting it back to the UI in reporting.

    Failure Information (for bugs)

    I am not sure if I am missing a step for the Windows 10 VM image in Azure or if it is an issue with my CAPE analyzer. I have read through all the documentation for anything related to setting up Windows 10 with the agent. Nothing really pops up in the logs to make me think the analyzer is not working properly. As far as I can tell I have all the Yara signatures that you are running. I am starting to think that my Windows 10 instance just won't detonate the malware correctly, but I do see the call-out to the .tk domain in the suri logs, so I know it has to be partially detonating.

    Steps to Reproduce

    Please provide detailed steps for reproducing the issue.

    1. I am pulling samples known to be detected by capesandbox.com.
    2. Running the analysis as I normally would.

    Context

    Please provide any relevant information about your setup. This is important in case the issue is not reproducible except for under certain conditions. Operating system version, bitness, installed software versions, test sample details/hash/binary (if applicable).

    | Question | Answer |
    |------------------|--------------------|
    | OS version | Ubuntu 20.04, Windows 10 21h2, Azure Machinery |

    Failure Logs

    Analysis Log:

    analysis.log

    Cuckoo Log:

    cuckoo.log

    [Screenshots: 2022-10-26 090536, 2022-10-26 090413, 2022-10-26 090555]

    opened by WVAuditors 36
  • Master API do not see registered workers

    Master API do not see registered workers

    • [x] I am running the latest version
    • [x] I checked the documentation and found no answer
    • [x] I checked to make sure that this issue has not already been filed
    • [x] I'm reporting the issue to the correct repository (for multi-repository projects)

    Background

    I am working on a research project; our goal is to collect some data for further processing (AI, analysis, machine learning). We are aiming at portable executable files. We have chosen the CAPEv2 sandbox for the analysis.

    At the very end, we want to build a lab with around 50 physical computers. Now I am playing at a smaller scale (up to 10).

    To protect our VMs against VM detection we use the vmcloak project. I have generated one snapshot of Win 7 using VirtualBox and vmcloak.

    Now I am able to run analyses on 2 computers separately using CAPE sandbox. But I want to create a cluster, so I am trying dist.py.

    I have set up two computers on one network and after some problems, I was able to register master and one worker as mentioned in docs. I did everything step by step - https://capev2.readthedocs.io/en/latest/usage/dist.html#proposed-setup.

    Expected Behavior

    I am expecting that if I register workers through the dist API like this, they are seen by the master's API, and if I submit some executable to the master it will distribute it to all nodes. I hope I understood correctly that dist.py works with the deprecated API (port 8090), so I am using this master API to submit an exe file (pafish), as claimed in the docs:

    Submit a new analysis task The method of submission is always the same: by rest api or via web-gui , both only pointing on the “master node”.

    Current Behavior

    I was able to register and enable two machines (master and worker1). If I request `GET /node` I get two nodes. I followed the docs. Now I submit a file to the master API on port 8090 - `curl -F file=@/path/to/file http://localhost:8090/tasks/create/file` - and then one more, but it is pending even though there are two machines. If I ask for status - `http://localhost:8090/cuckoo/status` on the master - I get `....machines:{ total: 1, available: 1}...`

    If I try `curl -F file=@/path/to/file -F machine=worker1 http://localhost:8090/tasks/create/file` I see in cuckoo.log: `Cannot acquire machine: No machines match selection criteria.`

    | Question | Answer |
    |------------------|--------------------|
    | Git commit | f8858cbd793046587d47cd96a8d3e120a95bb36d |
    | OS version | Ubuntu 20.04 |

    Logs

    cuckoo.log dist.log log.txt process.log

    opened by koubadomik 36
  • Missing distributed machines on CAPEv2 WebUI

    Missing distributed machines on CAPEv2 WebUI

    Expected Behavior

    I'm able to submit a sample to a chosen distributed machine from the WebUI, as written in the doc:

    This works under the main server web interface/api, so everything is transparent for the end user, even if they were analyzed on another server(s)

    Current Behavior

    From the WebUI I'm able to submit samples only to a local (master) machine; the same is true for the network routing field (the dirty lines' NIC names are different from one node to another). [Screenshot: 2020-10-29 at 14:02:51]

    Steps to Reproduce

    • Create a 2 node distributed CAPEv2 instance
    • Go to the webui
    • Try to choose the machine where to launch the analysis
    • No machines located on worker nodes are present
    opened by MatteoManzoni 35
  • Is it possible to extract malware configuration without actually running the sample?

    Is it possible to extract malware configuration without actually running the sample?

    Hello,

    I was using the public CAPE instance at capesandbox.com and I came across the option Try to extract config without VM. I couldn't find a description of that option in the documentation (or perhaps, I missed it).

    If that option is checked, does that mean that there will be no execution of the sample, if possible? And if so, which malware families is this option effective for? Usually, one sample would take a few minutes to complete execution. With the Try to extract config without VM option, I was wondering if I could get config information within seconds since there would be no execution.

    Thank you.

    opened by nikhilh-20 35
  • Proxmox Issue

    Proxmox Issue

    Hi, I'm moving forward and am trying to use Proxmox. On the first run I was missing pip3 proxmoxer. Installed, good.

    Before and after, I'm getting the following error:

    ```
    2020-03-11 14:50:31,169 [root] DEBUG: Importing modules...
    2020-03-11 14:50:31,184 [volatility.framework.interfaces.layers] DEBUG: Imported python-magic, autodetecting compressed files based on content
    2020-03-11 14:50:31,739 [lib.cuckoo.core.plugins] WARNING: Unable to import plugin "modules.machinery.proxmox": cannot import name 'config'
    WARNING lib.cuckoo.core.plugins: Unable to import plugin "modules.machinery.proxmox": cannot import name 'config'
    2020-03-11 14:50:31,739 [root] DEBUG: Imported "auxiliary" modules:
    2020-03-11 14:50:31,739 [root] DEBUG: `-- Sniffer
    ```

    Did I miss something or is it a lib.cuckoo.core.plugins issue? Thanks a lot, and beer.io is down :(

    opened by phunki32 35
  • Missing signatures compared to the public instance

    Missing signatures compared to the public instance


    Prerequisites

    Please answer the following questions for yourself before submitting an issue.

    • [x] I am running the latest version
    • [x] I did read the README!
    • [x] I checked the documentation and found no answer
    • [x] I checked to make sure that this issue has not already been filed
    • [x] I'm reporting the issue to the correct repository (for multi-repository projects)
    • [x] I have read all configs with all optional parts
    • [x] I have checked the discussions section

    Expected Behavior

    I tried to analyze this sample in a new private cape installation. I expected it to show the same signatures.

    cape-correct

    Current Behavior

    screen-cape

    Failure Information (for bugs)

    I tried to reload the signatures several times through community.py with the argument -waf, but unfortunately it seems that they are not seen. I tried to change the configuration and reinstall the OS and CAPE several times, but the problem is not solved.

    Steps to Reproduce

    Analyze one sample in new fresh installation.

    Context

    I followed the installation and configuration instructions. They seem to be seen also from the web side: fewer signatures in the status field than in the public version.

    | Question | Answer |
    |------------------|--------------------|
    | Git commit | ab30a65ef1aa71a068a811b1501c57abe90598ad |
    | OS version | Ubuntu 22.04.1 LTS |

    Failure Logs

    cape-log

    opened by simone-co 34
  • I have used pip3 install pyinotify succeeded in the ubuntu16.04 guest machine,but it prompts

    I have used pip3 install pyinotify succeeded in the ubuntu16.04 guest machine,but it prompts "name 'pyinotify' is not defined"


    Prerequisites

    Please answer the following questions for yourself before submitting an issue.

    • [x] I am running the latest version
    • [x] I did read the README!
    • [x] I checked the documentation and found no answer
    • [x] I checked to make sure that this issue has not already been filed
    • [x] I'm reporting the issue to the correct repository (for multi-repository projects)
    • [x] I have read and checked all configs (with all optional parts)

    Expected Behavior

    It should recognize that the ubuntu16.04_X86 guest machine environment is OK, and run the Python file sample.

    Current Behavior

    CAPE analysis encountered an error and says name 'pyinotify' is not defined. Finally, the analysis was interrupted.

    Failure Information (for bugs)

    ```
    Traceback (most recent call last):
      File "/tmp9d8n2kzf/analyzer.py", line 358, in <module>
        success = analyzer.run()
      File "/tmp9d8n2kzf/analyzer.py", line 184, in run
        __import__(name, globals(), locals(), ["dummy"], 0)
      File "/tmp9d8n2kzf/modules/auxiliary/filecollector.py", line 159, in <module>
        class EventProcessor(pyinotify.ProcessEvent):
    NameError: name 'pyinotify' is not defined
    ```

    Steps to Reproduce

    Please provide detailed steps for reproducing the issue.

    1. I submitted a Python file, specifying that the client is ubuntu16.04_X86. analysis.log

    2. In the tasks_tags table, it always judges my ubuntu16.04 client as a 64-bit system. I have to manually change it to a 32-bit system in MongoDB. Obviously, in the machines table, ubuntu16.04 shows that it is indeed a 32-bit system.

    3. Then it starts the client. After tens of seconds, the client shuts down and the log displays an error message.

    Context

    Please provide any relevant information about your setup. This is important in case the issue is not reproducible except for under certain conditions. Operating system version, bitness, installed software versions, test sample details/hash/binary (if applicable).

    | Question | Answer |
    |------------------|--------------------|
    | Git commit | Type `$ git log \| head -n1` to find out |
    | OS version | Ubuntu 16.04_X86 |

    Failure Logs

    Please include any relevant log snippets or files here.

    opened by Yesisyes 12
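    The traceback above is the classic shape of an optional import gone wrong: the `import pyinotify` failed quietly, so the later `class EventProcessor(pyinotify.ProcessEvent):` statement dereferences an unbound name and the whole analyzer aborts. The snippet below is an added example written for this page, not CAPEv2's filecollector.py; the helper names `load_optional`, `make_event_processor` and `probe_dependencies` are hypothetical. It shows the guarded pattern (the class is only defined when its base class exists, so one missing package disables one auxiliary module instead of the analysis) and a probe to run under the agent's own interpreter, since a package installed by one `pip3` is invisible to a different `python` binary.

    ```python
    # Added example (not CAPEv2's own code): treat a guest-side third-party
    # import as optional so that a missing package disables one auxiliary
    # module instead of raising NameError at class-definition time.
    import importlib
    import importlib.util
    import logging
    import sys

    log = logging.getLogger(__name__)


    def load_optional(name):
        """Import `name` and return the module, or None when it is not importable.

        The traceback on the page shows the opposite pattern: a failed import
        that leaves the name unbound, followed by a class statement that uses it.
        """
        try:
            return importlib.import_module(name)
        except ImportError as exc:
            log.warning("optional dependency %r unavailable: %s", name, exc)
            return None


    def make_event_processor(inotify_module):
        """Define the pyinotify.ProcessEvent subclass only if the base exists.

        Returns None when the dependency is missing so the caller can skip
        starting the module (hypothetical helper; the real module defines the
        class at top level).
        """
        if inotify_module is None:
            return None

        class EventProcessor(inotify_module.ProcessEvent):
            # pyinotify dispatches to process_<EVENT> methods by name.
            def process_IN_CLOSE_WRITE(self, event):
                log.info("file written: %s", event.pathname)

        return EventProcessor


    def probe_dependencies(names):
        """Map each module name to the file it would load from, or None.

        Run this with the same interpreter the CAPE agent runs under: the
        returned "interpreter" entry tells you which binary that is.
        """
        report = {"interpreter": sys.executable}
        for name in names:
            spec = importlib.util.find_spec(name)
            report[name] = spec.origin if spec is not None else None
        return report


    if __name__ == "__main__":
        pyinotify = load_optional("pyinotify")
        EventProcessor = make_event_processor(pyinotify)
        print(probe_dependencies(["pyinotify"]))
        print("filecollector enabled:", EventProcessor is not None)
    ```

    Running the block inside the guest with the agent's interpreter (`/path/to/agent/python3 example.py`) tells you immediately whether `pyinotify` resolves for that binary; if the printed path is `None`, install the package with that interpreter's `pip`, not with whichever `pip3` happens to be first on `PATH`.
    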
  • [physical] - Windows 10 - Hangs on Restarting after successful analysis

    [physical] - Windows 10 - Hangs on Restarting after successful analysis

    Windows 10 - Hangs on Restarting after successful analysis.

    Recently I started to have fun with Capev2.

    I am using the physical machinery, and physical machine (hp elite desk 800 g8).

    When analysis is complete, the restore task is sent to the Fog server, and the shutdown command is sent from the CAPE server to the CAPE agent via the “/execute” route, and it does trigger well on the agent side; however, the machine hangs on a blue screen (not a BSOD) with “Restarting” information and stays like that forever.

    Remarks:

    - I tried the newest capemon DLLs (it did not fix the issue).
    - I wrote a PowerShell script that is triggered before shutdown.exe which checks the status of WMI services (as those are restarted during the analysis process) and looks for any potentially suspended or non-responding processes or so… but all is always OK.
    - When analysis is not in progress, the machine can reboot normally.

    Whenever shutdown is called (via `shutdown.exe -r -f -t 0` or via `Restart-Computer -Force`), the reboot hangs… this is the moment when I started to suspect that the issue might be related to capemon.

    In hook_misc.c, we can see that capemon hooks system shutdown/reboot API calls. Ref: https://github.com/kevoreilly/capemon/blob/a1f5bf8e9cb904f32da8ff4801691fbfef2f87e3/hook_misc.c#:~:text=InitiateSystemShutdownExW

    Example:

    ```c
    HOOKDEF_NOTAIL(WINAPI, InitiateSystemShutdownExW,
        __in_opt LPWSTR lpMachineName,
        __in_opt LPWSTR lpMessage,
        __in DWORD dwTimeout,
        __in BOOL bForceAppsClosed,
        __in BOOL bRebootAfterShutdown,
        __in DWORD dwReason
    ) {
        DWORD ret = 0;
        LOQ_zero("system", "uuiiih",
            "MachineName", lpMachineName,
            "Message", lpMessage,
            "Timeout", dwTimeout,
            "ForceAppsClosed", bForceAppsClosed,
            "RebootAfterShutdown", bRebootAfterShutdown,
            "Reason", dwReason);
        pipe("SHUTDOWN:");
        return ret;
    }
    ```

    The following system shutdown/reboot functions are hooked in “hooks.c” with the same pipe function. Ref: https://github.com/kevoreilly/capemon/blob/da546e668081089480e17755ec83c32cfd53e09f/hooks.c

    ```c
    #define HOOK_NOTAIL(library, funcname, numargs) {L###library, #funcname, NULL, NULL, \
        &New_##funcname, NULL, NULL, TRUE, FALSE, numargs, TRUE}

    HOOK_NOTAIL(ntdll, NtShutdownSystem, 1),
    HOOK_NOTAIL(ntdll, NtSetSystemPowerState, 3),
    HOOK_NOTAIL(user32, ExitWindowsEx, 2),
    HOOK_NOTAIL(advapi32, InitiateShutdownW, 5),
    HOOK_NOTAIL(advapi32, InitiateSystemShutdownW, 5),
    HOOK_NOTAIL(advapi32, InitiateSystemShutdownExW, 6),
    ```

    Suspected Root Cause:

    Initially I wasted a lot of time and evidently missed the fact that the new function to be called is declared within the hook itself (dumb me). Hence all shutdown/reboot requests are sent to a named pipe instead of being executed.

    Once I was able to keep the session in a state allowing me to execute Process Explorer, I looked for the CAPEMon DLLs.

    It seems it always remains hooked in the same processes: lsass.exe, svchost.exe and the process started by the sample (in this case procexp…)

    image

    Once I killed the svchost process, I was able to issue reboot command again which was successfully rebooting the machine.

    I think the root cause is capemon, which eats the restart requests… For some reason the DLL was not unloaded from svchost, which seems to be crucial for some reason to perform the reboot.

    Note: Setting `terminate_processes` from off to on in cuckoo.conf + CAPE restart does not fix the issue; it brings more problems… there were some errors related to the agent or analyzer not being able to stop the process (in a loop until timeout).

    I guess this issue was not previously spotted because people are mainly using VMs which are restored from a snapshot, not rebooted…

    I started to dig, and capemon looks for a specific shutdown mutex… In log.c: https://github.com/kevoreilly/capemon/blob/52377d9be0e3597bca4ee4a0d6bf1a3726d5a8f1/log.c#:~:text=static%20DWORD%20WINAPI-,_logwatcher_thread,-(LPVOID%20param) …

    ```c
    if (is_shutting_down() == 0) {
        pipe("CRITICAL:Logging thread was terminated!");
    }
    ```

    The function “is_shutting_down()”: https://github.com/kevoreilly/capemon/blob/a4c6cde30c12ff35de8c79823542bd2c27224ae4/misc.c#:~:text=int%20is_shutting_down() …

    ```c
    mutex_handle = OpenMutex(SYNCHRONIZE, FALSE, g_config.shutdown_mutex);
    if (mutex_handle != NULL) {
        log_flush();
        CloseHandle(mutex_handle);
        ret = 1;
    }
    ```

    The “g_config.shutdown_mutex” is assigned a value in config.c by the “parse_config_line” function: https://github.com/kevoreilly/capemon/blob/113b1a6d37ffd1f24d0337b361a62d69b90d6baa/config.c#:~:text=strcmp(key%2C-,%22shutdown%2Dmutex%22,-))%20%7B

    ```c
    else if (!strcmp(key, "shutdown-mutex")) {
        strncpy(g_config.shutdown_mutex, value, ARRAYSIZE(g_config.shutdown_mutex));
    }
    ```

    The “value” is read from the config file line by line in the “read_config” function and processed/assigned to the g_config object accordingly, depending on the key (as above):

    ```c
    char buf[32768], config_fname[MAX_PATH], analyzer_path[MAX_PATH];
    FILE *fp;

    // look for the config in monitor directory
    strncpy(analyzer_path, our_dll_path, strlen(our_dll_path));
    PathRemoveFileSpec(analyzer_path); // remove filename
    sprintf(config_fname, "%s\\%u.ini", analyzer_path, GetCurrentProcessId());

    fp = fopen(config_fname, "r");

    ....

    memset(buf, 0, sizeof(buf));
    while (fgets(buf, sizeof(buf), fp) != NULL) {
        // cut off the newline
        char *p = strchr(buf, '\r');
        if (p != NULL) *p = 0;
        p = strchr(buf, '\n');
        if (p != NULL) *p = 0;

        parse_config_line(buf);
    }
    ```

    On the other hand, the CAPE analyzer.py creates the shutdown mutex: https://github.com/kevoreilly/CAPEv2/blob/ab30a65ef1aa71a068a811b1501c57abe90598ad/analyzer/windows/analyzer.py#:~:text=KERNEL32.CreateMutexA

    ```python
    KERNEL32.CreateMutexA(None, False, SHUTDOWN_MUTEX)
    log.info("Created shutdown mutex")
    ```

    The mutex name will be random for each execution: `SHUTDOWN_MUTEX = f"Global\\{random_string(6, 10)}"`

    So I do not know why the CAPEmon DLLs won't unload if the shutdown mutex is present…

    Thank you in advance for any recommendations.

    P.S. I will try with Windows 7 later on, but would prefer to have it with a more decent system.

    🙁 Not following issue template 
    opened by wlmitra 4
  • Need help in configuring the Internet/dirty line and Inetsim

    Need help in configuring the Internet/dirty line and Inetsim


    Prerequisites

    Please answer the following questions for yourself before submitting an issue.

    • I am running the latest version
    • I did read the README!
    • I checked the documentation and found no answer
    • I checked to make sure that this issue has not already been filed
    • I'm reporting the issue to the correct repository (for multi-repository projects)
    • I have read and checked all configs (with all optional parts)

    Expected Behavior

    I would like to use the internet/dirty line for the analysis but I am unable to find the relevant option in the web/GUI view. Ideally, I want a setup that would provide me options to run analysis through the internet or Inetsim depending on the sample/analysis type. I am not sure if my CAPE configuration is updated with the correct parameters.

    Current Behavior

    Web/GUI View

    cape_int

    I tried to analyze a sample (bat file that I created) that would perform a “nslookup” and use PowerShell to save a webpage on the analysis machine.

    image

    When the analysis was run using the “inetsim/fakenet-ng” option, I could see information about the requested DNS lookup but the requested webpage couldn’t be fetched from the internet/Inetsim. FYI, I am running Inetsim on a different (Remnux) VM and don’t see any relevant entries in service.log and in reports.

    Enclosing relevant information that would help you in assessing the problem.

    1. System setup
       a. Physical machine (Windows 10) -> VirtualBox Linux VM (Ubuntu 20.04.4 LTS) running CAPEv2 -> KVM Windows 10 analysis VM
       b. I am able to access the internet on the Linux VM

    2. Network information
       a. Linux VM [screenshot]
       b. KVM Windows analysis VM [screenshots]
       c. KVM virtual networks [screenshots]
       d. Remnux VM [screenshot]

    3. Excerpts from relevant config files

       a. kvm.conf

    ```ini
    machines = win10
    interface = virbr1
    label = win10
    platform = windows
    ip = 192.168.100.131
    snapshot = cape_to_use
    ```

       b. auxiliary.conf

    ```ini
    [auxiliary_modules]
    browser = yes
    curtain = no
    digisig = yes
    disguise = yes
    evtx = no
    human = yes
    procmon = no
    screenshots = yes
    sysmon = no
    tlsdump = yes
    usage = no
    filepickup = no
    permissions = no
    pre_script = no
    during_script = no

    [sniffer]
    enabled = yes
    interface = virbr1

    [gateways]
    RTR1 = 192.168.122.1
    RTR2 = 192.168.100.1
    RTR3 = 10.0.2.15
    INETSIM = 192.168.100.130
    ```

       c. routing.conf

    ```ini
    route = internet
    internet = enp0s3
    rt_table = enp0s3
    verify_interface = yes

    [inetsim]
    enabled = yes
    server = 192.168.100.130
    dnsport = 53
    interface = virbr1
    ```

       d. cuckoo.conf

    ```ini
    machinery = kvm
    rooter = /tmp/cuckoo-rooter
    ip = 192.168.100.1
    port = 2042
    resolve_dns = on
    ```

    Kindly provide inputs and let me know should you need more information. Thank you for all the efforts!

    opened by vijayakumarcfis 1
  • Can you consider supporting Chinese for the legal character range of the file name?

    Can you consider supporting Chinese for the legal character range of the file name?

    As shown in the red box in the picture, I noticed that you have restricted the character range of file names to ASCII, allowing nothing other than uppercase and lowercase letters, numbers and the characters "_ -". Can you consider GBK encoding for official projects? I hope Chinese characters can also be within the legal file-name range. [Screenshot: 企业微信截图_16681606742426]

    opened by Yesisyes 9
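    The request above is reasonable: rejecting every non-ASCII letter is a blunt substitute for what a file-name filter actually has to stop, which is path components, control and format characters and Windows device names. The following is an added example written for this page, not CAPEv2's own filter; `sanitize_filename`, `MAX_LEN` and the reserved-name list are hypothetical choices. It keeps letters, marks and digits from any script (so a name like 企业微信截图_1668.png survives intact) and still neutralises traversal, NUL bytes and the right-to-left override that disguises `invoice\u202Efdp.exe` as a PDF. Note that the cuckoo.log earlier on this page shows CAPE storing binaries under their SHA-256, so the original name only matters where it is echoed into a path or the UI, which is exactly where this sanitiser belongs.

    ```python
    # Added example (not CAPEv2's own code): a file-name sanitiser that admits
    # letters and digits from any script while removing what is actually unsafe.
    import unicodedata

    MAX_LEN = 128  # assumed limit; adjust to the storage backend in use
    _ALLOWED_PUNCT = {"_", "-", ".", " "}
    _WINDOWS_RESERVED = {"CON", "PRN", "AUX", "NUL",
                         *(f"COM{i}" for i in range(1, 10)),
                         *(f"LPT{i}" for i in range(1, 10))}


    def sanitize_filename(name: str, replacement: str = "_") -> str:
        """Return a base name that is safe to place under a storage directory.

        Kept: Unicode letters (L*), combining marks (M*), digits (N*) and
        "_ - . space". Replaced: everything else, which covers NUL and other
        controls (Cc), format characters such as U+202E right-to-left override
        and zero-width joiners (Cf), and separators other than a plain space.
        Directory components are dropped by keeping only the last path element.
        """
        # NFC so composed and decomposed spellings of the same character agree.
        name = unicodedata.normalize("NFC", name)
        # Treat both separators as separators so "..\\..\\x" cannot climb.
        name = name.replace("\\", "/").rsplit("/", 1)[-1]

        out = []
        for ch in name:
            category = unicodedata.category(ch)  # "Lo" for CJK, "Cc" for NUL, "Cf" for RLO
            if category[0] in ("L", "M", "N") or ch in _ALLOWED_PUNCT:
                out.append(ch)
            else:
                out.append(replacement)
        # Strip leading/trailing dots and spaces: no ".", "..", or trailing-dot tricks.
        cleaned = "".join(out).strip(" .")
        if not cleaned:
            cleaned = "unnamed"

        # "CON.txt" still resolves to the console device on Windows.
        stem = cleaned.split(".", 1)[0].upper()
        if stem in _WINDOWS_RESERVED:
            cleaned = replacement + cleaned
        return cleaned[:MAX_LEN]


    if __name__ == "__main__":
        # Constructed inputs, including one Chinese name and two hostile ones.
        for sample in ("企业微信截图_16681606742426.png", "../../etc/passwd",
                       "invoice\u202Efdp.exe", "CON.txt"):
            print(repr(sample), "->", repr(sanitize_filename(sample)))
    ```

    The design choice worth noting is that the allow-list is expressed in Unicode general categories rather than code-point ranges: GBK, Big5 and UTF-8 submissions all decode to the same `Lo` characters, so there is nothing encoding-specific to maintain, and every category that has been used in file-name spoofing (`Cc`, `Cf`, `Zl`, `Zp`) falls through to the replacement branch by default.
    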
  • Stopped auxiliary modules inside guest VM (Windows 10)

    Stopped auxiliary modules inside guest VM (Windows 10)


    Prerequisites

    Please answer the following questions for yourself before submitting an issue.

    • [X] I am running the latest version
    • [X] I did read the README!
    • [X] I checked the documentation and found no answer
    • [X] I checked to make sure that this issue has not already been filed
    • [X] I'm reporting the issue to the correct repository (for multi-repository projects)
    • [X] I have read and checked all configs (with all optional parts)

    Expected Behavior

    I expect to be no errors within the logs of the virtual machine while performing the analysis.

    Current Behavior

    The screenshot module crashes during some of the analyses. It is the last screenshot I see (obviously, given that it crashes) and oddly enough the error is not reflected in any of the logs of my host. I'm only able to see the error in the logs in the VM:

    image

    As far as I was able to dig into it, my guess is that the error is produced here: https://github.com/kevoreilly/CAPEv2/blob/200a80818f82f5b9487e9242f8da32ae969aa27c/lib/cuckoo/core/log.py#L171

    cuckoo.log:

    2022-11-06 22:32:09,232 [lib.cuckoo.core.scheduler] INFO: Task #46: Starting analysis of FILE '/tmp/cuckoo-tmp/upload_gao2t1jj/8fe888167e7096db5d6aa3d3'
    2022-11-06 22:32:09,238 [lib.cuckoo.core.scheduler] INFO: Task #46: File already exists at '/opt/CAPEv2/storage/binaries/8fe888167e7096db5d6aa3d3bc64998cd8fd43bef3a83fc6d3c40ffa903891f6'
    2022-11-06 22:32:09,245 [lib.cuckoo.core.scheduler] INFO: Task #46: acquired machine cuckoo1 (label=win10, arch=x64, platform=windows)
    2022-11-06 22:32:17,213 [lib.cuckoo.core.scheduler] INFO: Enabled route 'internet'
    2022-11-06 22:32:17,218 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 562535 (interface=virbr1, host=192.168.55.133, dump path=/opt/CAPEv2/storage/analyses/46/dump.pcap)
    2022-11-06 22:32:17,227 [lib.cuckoo.core.guest] INFO: Task #46: Starting analysis on guest (id=cuckoo1, ip=192.168.55.133)
    2022-11-06 22:32:17,962 [lib.cuckoo.core.guest] INFO: Task #46: Guest is running CAPE Agent 0.11 (id=cuckoo1, ip=192.168.55.133)
    2022-11-06 22:32:32,558 [lib.cuckoo.core.guest] INFO: Task #46: Uploading support files to guest (id=cuckoo1, ip=192.168.55.133)
    2022-11-06 22:32:32,558 [lib.cuckoo.core.guest] INFO: Task #46: Uploading script files to guest (id=cuckoo1, ip=192.168.55.133)
    2022-11-06 22:36:24,600 [lib.cuckoo.core.guest] INFO: Task #46: Analysis completed successfully (id=cuckoo1, ip=192.168.55.133)
    2022-11-06 22:36:25,454 [lib.cuckoo.core.scheduler] INFO: Disabled route 'internet'
    2022-11-06 22:36:25,476 [lib.cuckoo.core.scheduler] INFO: Task #46: analysis procedure completed
    

    The log of the analysis itself:

    022-08-17 09:27:32,041 [root] INFO: Date set to: 20221106T22:32:08, timeout set to: 200
    2022-11-06 21:32:08,105 [root] DEBUG: Starting analyzer from: C:\tmp9jl3q2fi
    2022-11-06 21:32:08,105 [root] DEBUG: Storing results at: C:\BITuZJq
    2022-11-06 21:32:08,120 [root] DEBUG: Pipe server name: \\.\PIPE\MySuLTI
    2022-11-06 21:32:08,120 [root] DEBUG: Python path: C:\Users\razv\AppData\Local\Programs\Python\Python310-32
    2022-11-06 21:32:08,120 [root] INFO: Analysis package "exe" has been specified
    2022-11-06 21:32:08,120 [root] DEBUG: Importing analysis package "exe"...
    2022-11-06 21:32:10,027 [root] DEBUG: Initializing analysis package "exe"...
    2022-11-06 21:32:10,027 [root] DEBUG: New location of moved file: C:\Users\razv\AppData\Local\Temp\8fe888167e7096db5d6aa3d3
    2022-11-06 21:32:10,027 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
    2022-11-06 21:32:10,027 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
    2022-11-06 21:32:10,027 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
    2022-11-06 21:32:10,027 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
    2022-11-06 21:32:21,406 [root] DEBUG: Importing auxiliary module "modules.auxiliary.browser"...
    2022-11-06 21:32:21,422 [root] DEBUG: Importing auxiliary module "modules.auxiliary.curtain"...
    2022-11-06 21:32:21,578 [root] DEBUG: Importing auxiliary module "modules.auxiliary.digisig"...
    2022-11-06 21:32:21,687 [root] DEBUG: Importing auxiliary module "modules.auxiliary.disguise"...
    2022-11-06 21:32:21,765 [root] DEBUG: Importing auxiliary module "modules.auxiliary.during_script"...
    2022-11-06 21:32:21,781 [root] DEBUG: Importing auxiliary module "modules.auxiliary.evtx"...
    2022-11-06 21:32:22,109 [root] DEBUG: Importing auxiliary module "modules.auxiliary.filepickup"...
    2022-11-06 21:32:22,390 [root] DEBUG: Importing auxiliary module "modules.auxiliary.human"...
    2022-11-06 21:32:22,625 [root] DEBUG: Importing auxiliary module "modules.auxiliary.permissions"...
    2022-11-06 21:32:22,640 [root] DEBUG: Importing auxiliary module "modules.auxiliary.pre_script"...
    2022-11-06 21:32:22,781 [root] DEBUG: Importing auxiliary module "modules.auxiliary.procmon"...
    2022-11-06 21:32:22,828 [root] DEBUG: Importing auxiliary module "modules.auxiliary.screenshots"...
    2022-11-06 21:32:22,969 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
    2022-11-06 21:32:23,687 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
    2022-11-06 21:32:23,687 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
    2022-11-06 21:32:23,750 [root] DEBUG: Importing auxiliary module "modules.auxiliary.sysmon"...
    2022-11-06 21:32:23,781 [root] DEBUG: Importing auxiliary module "modules.auxiliary.tlsdump"...
    2022-11-06 21:32:23,797 [root] DEBUG: Importing auxiliary module "modules.auxiliary.usage"...
    2022-11-06 21:32:23,813 [root] DEBUG: Initialized auxiliary module "Browser"
    2022-11-06 21:32:23,813 [root] DEBUG: Trying to start auxiliary module "Browser"...
    2022-11-06 21:32:23,813 [root] DEBUG: Started auxiliary module "Browser"
    2022-11-06 21:32:23,813 [root] DEBUG: Started auxiliary module Browser
    2022-11-06 21:32:23,813 [root] DEBUG: Initialized auxiliary module "Curtain"
    2022-11-06 21:32:23,813 [root] DEBUG: Trying to start auxiliary module "Curtain"...
    2022-11-06 21:32:23,813 [root] DEBUG: Started auxiliary module "Curtain"
    2022-11-06 21:32:23,813 [root] DEBUG: Started auxiliary module Curtain
    2022-11-06 21:32:23,813 [root] DEBUG: Initialized auxiliary module "DigiSig"
    2022-11-06 21:32:23,813 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
    2022-11-06 21:32:23,813 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
    2022-11-06 21:32:24,844 [modules.auxiliary.digisig] DEBUG: File is not signed
    2022-11-06 21:32:24,844 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
    2022-11-06 21:32:24,859 [root] DEBUG: Started auxiliary module "DigiSig"
    2022-11-06 21:32:24,859 [root] DEBUG: Started auxiliary module DigiSig
    2022-11-06 21:32:24,859 [root] DEBUG: Initialized auxiliary module "Disguise"
    2022-11-06 21:32:24,859 [root] DEBUG: Trying to start auxiliary module "Disguise"...
    2022-11-06 21:32:24,859 [modules.auxiliary.disguise] INFO: Disguising GUID to 399877ac-67b0-4d04-850a-98a766981897
    2022-11-06 21:32:24,859 [root] DEBUG: Started auxiliary module "Disguise"
    2022-11-06 21:32:24,859 [root] DEBUG: Started auxiliary module Disguise
    2022-11-06 21:32:24,875 [root] DEBUG: Initialized auxiliary module "Evtx"
    2022-11-06 21:32:24,875 [root] DEBUG: Trying to start auxiliary module "Evtx"...
    2022-11-06 21:32:24,875 [root] DEBUG: Started auxiliary module "Evtx"
    2022-11-06 21:32:24,875 [root] DEBUG: Started auxiliary module Evtx
    2022-11-06 21:32:24,875 [root] WARNING: Auxiliary module FilePickup was not implemented: 'Config' object has no attribute 'file_pickup'
    2022-11-06 21:32:24,875 [root] DEBUG: Initialized auxiliary module "Human"
    2022-11-06 21:32:24,875 [root] DEBUG: Trying to start auxiliary module "Human"...
    2022-11-06 21:32:24,875 [root] DEBUG: Started auxiliary module "Human"
    2022-11-06 21:32:24,875 [root] DEBUG: Started auxiliary module Human
    2022-11-06 21:32:24,875 [root] WARNING: Auxiliary module Permissions was not implemented: 'Config' object has no attribute 'file_pickup'
    2022-11-06 21:32:24,875 [root] DEBUG: Initialized auxiliary module "Pre_script"
    2022-11-06 21:32:24,875 [root] DEBUG: Trying to start auxiliary module "Pre_script"...
    2022-11-06 21:32:24,875 [root] DEBUG: Started auxiliary module "Pre_script"
    2022-11-06 21:32:24,875 [root] DEBUG: Started auxiliary module Pre_script
    2022-11-06 21:32:24,875 [root] DEBUG: Initialized auxiliary module "Procmon"
    2022-11-06 21:32:24,875 [root] DEBUG: Trying to start auxiliary module "Procmon"...
    2022-11-06 21:32:24,875 [root] DEBUG: Started auxiliary module "Procmon"
    2022-11-06 21:32:24,875 [root] DEBUG: Started auxiliary module Procmon
    2022-11-06 21:32:24,875 [root] DEBUG: Initialized auxiliary module "Screenshots"
    2022-11-06 21:32:24,875 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
    2022-11-06 21:32:24,875 [root] DEBUG: Started auxiliary module "Screenshots"
    2022-11-06 21:32:24,875 [root] DEBUG: Started auxiliary module Screenshots
    2022-11-06 21:32:24,875 [root] DEBUG: Initialized auxiliary module "Sysmon"
    2022-11-06 21:32:24,875 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
    2022-11-06 21:32:24,875 [root] DEBUG: Started auxiliary module "Sysmon"
    2022-11-06 21:32:24,875 [root] DEBUG: Started auxiliary module Sysmon
    2022-11-06 21:32:24,875 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
    2022-11-06 21:32:24,875 [root] DEBUG: Trying to start auxiliary module "TLSDumpMasterSecrets"...
    2022-11-06 21:32:24,891 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 608
    2022-11-06 21:32:24,891 [lib.api.process] INFO: Monitor config for process 608: C:\tmp9jl3q2fi\dll\608.ini
    2022-11-06 21:32:26,063 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
    2022-11-06 21:32:26,063 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp9jl3q2fi\dll\MrXCore.dll, loader C:\tmp9jl3q2fi\bin\lnNUHKVs.exe
    2022-11-06 21:32:26,140 [root] DEBUG: Loader: Injecting process 608 with C:\tmp9jl3q2fi\dll\MrXCore.dll.
    2022-11-06 21:32:26,140 [root] DEBUG: Python path set to 'C:\Users\razv\AppData\Local\Programs\Python\Python310-32'.
    2022-11-06 21:32:26,140 [root] DEBUG: TLS secret dump mode enabled.
    2022-11-06 21:32:26,156 [root] INFO: Disabling sleep skipping.
    2022-11-06 21:32:26,156 [root] DEBUG: Monitor initialised: 64-bit capemon loaded in process 608 at 0x00007FFDB6390000, thread 5948, image base 0x00007FF728100000, stack from 0x00000039C4B74000-0x00000039C4B80000
    2022-11-06 21:32:26,156 [root] DEBUG: Commandline: C:\Windows\system32\lsass.exe
    2022-11-06 21:32:26,172 [root] DEBUG: Post-init: Failed to initialise debugger.
    2022-11-06 21:32:26,172 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
    2022-11-06 21:32:26,172 [root] DEBUG: Successfully injected DLL C:\tmp9jl3q2fi\dll\MrXCore.dll.
    2022-11-06 21:32:26,172 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 608
    2022-11-06 21:32:26,172 [root] DEBUG: Started auxiliary module "TLSDumpMasterSecrets"
    2022-11-06 21:32:26,172 [root] DEBUG: Started auxiliary module TLSDumpMasterSecrets
    2022-11-06 21:32:26,172 [root] DEBUG: Initialized auxiliary module "Usage"
    2022-11-06 21:32:26,172 [root] DEBUG: Trying to start auxiliary module "Usage"...
    2022-11-06 21:32:26,172 [root] DEBUG: Started auxiliary module "Usage"
    2022-11-06 21:32:26,172 [root] DEBUG: Started auxiliary module Usage
    2022-11-06 21:32:26,172 [root] DEBUG: Initialized auxiliary module "During_script"
    2022-11-06 21:32:26,172 [root] DEBUG: Trying to start auxiliary module "During_script"...
    2022-11-06 21:32:26,187 [root] DEBUG: Started auxiliary module "During_script"
    2022-11-06 21:32:26,187 [root] DEBUG: Started auxiliary module During_script
    2022-11-06 21:32:31,406 [root] INFO: Restarting WMI Service
    2022-11-06 21:32:33,469 [lib.common.common] INFO: Submitted file is missing extension, adding .exe
    2022-11-06 21:32:33,469 [lib.core.compound] INFO: C:\Users\razv\AppData\Local\Temp already exists, skipping creation
    2022-11-06 21:32:34,422 [lib.api.process] INFO: Successfully executed process from path "C:\Users\razv\AppData\Local\Temp\8fe888167e7096db5d6aa3d3.exe" with arguments "" with pid 4392
    2022-11-06 21:32:34,422 [lib.api.process] INFO: Monitor config for process 4392: C:\tmp9jl3q2fi\dll\4392.ini
    2022-11-06 21:32:34,484 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp9jl3q2fi\dll\EDqBVzl.dll, loader C:\tmp9jl3q2fi\bin\CZzWVVV.exe
    2022-11-06 21:32:34,641 [root] DEBUG: Loader: Injecting process 4392 (thread 4404) with C:\tmp9jl3q2fi\dll\EDqBVzl.dll.
    2022-11-06 21:32:34,641 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
    2022-11-06 21:32:34,641 [root] DEBUG: Successfully injected DLL C:\tmp9jl3q2fi\dll\EDqBVzl.dll.
    2022-11-06 21:32:34,641 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4392
    2022-11-06 21:32:36,672 [lib.api.process] INFO: Successfully resumed process with pid 4392
    2022-11-06 21:32:36,906 [root] DEBUG: Python path set to 'C:\Users\razv\AppData\Local\Programs\Python\Python310-32'.
    2022-11-06 21:32:36,906 [root] DEBUG: Dropped file limit defaulting to 100.
    2022-11-06 21:32:36,922 [root] DEBUG: Initialising Yara...
    2022-11-06 21:32:37,000 [root] DEBUG: YaraInit: Compiled 18 rule files
    2022-11-06 21:32:37,000 [root] DEBUG: YaraInit: Compiled rules saved to file C:\tmp9jl3q2fi\data\yara\capemon.yac
    2022-11-06 21:32:37,000 [root] DEBUG: InternalYaraScan: Scanning 0x77820000, size 0x1a31c8
    2022-11-06 21:32:37,015 [root] DEBUG: AmsiDumper initialised.
    2022-11-06 21:32:37,015 [root] DEBUG: Monitor initialised: 32-bit capemon loaded in process 4392 at 0x73a40000, thread 4404, image base 0x400000, stack from 0x196000-0x1a0000
    2022-11-06 21:32:37,015 [root] DEBUG: Commandline: "C:\Users\razv\AppData\Local\Temp\8fe888167e7096db5d6aa3d3.exe"
    2022-11-06 21:32:37,031 [root] DEBUG: hook_api: Warning - CoCreateInstance export address 0x762A56BD differs from GetProcAddress -> 0x759A88C0
    2022-11-06 21:32:37,031 [root] DEBUG: hook_api: Warning - CoCreateInstanceEx export address 0x762A56FC differs from GetProcAddress -> 0x759E3020
    2022-11-06 21:32:37,031 [root] DEBUG: hook_api: Warning - CoGetClassObject export address 0x762A5C8C differs from GetProcAddress -> 0x759DD870
    2022-11-06 21:32:37,078 [root] DEBUG: hook_api: Warning - SetWindowLongW export address 0x76315960 differs from GetProcAddress -> 0x740559E0
    2022-11-06 21:32:37,125 [root] DEBUG: hook_api: Warning - CLSIDFromProgID export address 0x762A4EF6 differs from GetProcAddress -> 0x75954F80
    2022-11-06 21:32:37,156 [root] DEBUG: WoW64fix: Windows version 6.2 not supported.
    2022-11-06 21:32:37,156 [root] DEBUG: RestoreHeaders: Restored original import table.
    2022-11-06 21:32:37,156 [root] INFO: Loaded monitor into process with pid 4392
    2022-11-06 21:32:37,156 [root] DEBUG: caller_dispatch: Adding region at 0x00400000 to caller regions list (kernel32::GetSystemTimeAsFileTime returns to 0x0040863C, thread 4404).
    2022-11-06 21:32:37,156 [root] DEBUG: YaraScan: Scanning 0x00400000, size 0x3aaba
    2022-11-06 21:32:37,156 [root] DEBUG: caller_dispatch: Dump of calling region at 0x00400000 skipped (kernel32::GetSystemTimeAsFileTime returns to 0x0040863C mapped as \Device\HarddiskVolume2\Users\razv\AppData\Local\Temp\8fe888167e7096db5d6aa3d3.exe).
    2022-11-06 21:32:38,969 [root] DEBUG: DLL loaded at 0x73A30000: C:\Windows\SYSTEM32\msimg32 (0x6000 bytes).
    2022-11-06 21:32:38,969 [root] DEBUG: caller_dispatch: Adding region at 0x00560000 to caller regions list (ntdll::LdrLoadDll returns to 0x00591C95, thread 4404).
    2022-11-06 21:32:38,969 [root] DEBUG: YaraScan: Scanning 0x00560000, size 0x48fff
    2022-11-06 21:32:38,969 [root] DEBUG: DumpPEsInRange: Scanning range 0x00560000 - 0x005A8FFF.
    2022-11-06 21:32:38,969 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x005A6E18
    2022-11-06 21:32:38,969 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image (process 4392)
    2022-11-06 21:32:38,969 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x005A6E18.
    2022-11-06 21:32:38,969 [root] DEBUG: DumpPE: Empty or inaccessible last section, file image seems incomplete (from 0x005A8818 to 0x005A8A18).
    2022-11-06 21:32:39,031 [lib.common.results] INFO: File C:\BITuZJq\CAPE\4392_111134613832971112022 size is 7168, Max size: 100000000
    2022-11-06 21:32:39,047 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0x1c00.
    2022-11-06 21:32:39,047 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x005A7E18-0x005A8FFF.
    2022-11-06 21:32:39,047 [root] DEBUG: DumpRegion: Dumped PE image(s) from base address 0x00560000, size 299008 bytes.
    2022-11-06 21:32:39,219 [root] DEBUG: caller_dispatch: Adding region at 0x02360000 to caller regions list (ntdll::LdrGetProcedureAddressForCaller returns to 0x02360A22, thread 4404).
    2022-11-06 21:32:39,219 [root] DEBUG: YaraScan: Scanning 0x02360000, size 0x807b
    2022-11-06 21:32:39,219 [root] DEBUG: DumpPEsInRange: Scanning range 0x02360000 - 0x0236807B.
    2022-11-06 21:32:39,219 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x02360E67
    2022-11-06 21:32:39,219 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image (process 4392)
    2022-11-06 21:32:39,219 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x02360E67.
    2022-11-06 21:32:39,625 [lib.common.results] INFO: File C:\BITuZJq\CAPE\4392_64740783932971112022 size is 29696, Max size: 100000000
    2022-11-06 21:32:39,625 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0x7400.
    2022-11-06 21:32:39,625 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x02361E67-0x0236807B.
    2022-11-06 21:32:39,625 [root] DEBUG: DumpRegion: Dumped PE image(s) from base address 0x02360000, size 36864 bytes.
    2022-11-06 21:32:39,625 [root] DEBUG: NtProtectVirtualMemory: Rescinding caller region at 0x00400000 due to protection change.
    2022-11-06 21:32:39,641 [root] DEBUG: caller_dispatch: Adding region at 0x00400000 to caller regions list (ntdll::LdrLoadDll returns to 0x004026DE, thread 4404).
    2022-11-06 21:32:39,641 [root] DEBUG: YaraScan: Scanning 0x00400000, size 0x3aaba
    2022-11-06 21:32:39,641 [root] DEBUG: caller_dispatch: Dump of calling region at 0x00400000 skipped (ntdll::LdrLoadDll returns to 0x004026DE mapped as \Device\HarddiskVolume2\Users\razv\AppData\Local\Temp\8fe888167e7096db5d6aa3d3.exe).
    2022-11-06 21:32:39,641 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x22c and local view 0x75BD0000 to global list.
    2022-11-06 21:32:39,656 [root] DEBUG: DLL loaded at 0x75BD0000: C:\Windows\System32\shell32 (0x5b6000 bytes).
    2022-11-06 21:32:39,656 [root] INFO: Disabling sleep skipping.
    2022-11-06 21:32:39,656 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x26c and local view 0x04A80000 to global list.
    2022-11-06 21:32:39,656 [root] DEBUG: Sample attempted to remap module 'C:\Windows\SysWOW64\ntdll.dll' at 0x04A80000, returning original module address instead: 0x77820000
    2022-11-06 21:32:44,687 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 2932, handle 0x270.
    2022-11-06 21:32:44,687 [root] DEBUG: OpenProcessHandler: Handle insufficient to obtain target process name.
    2022-11-06 21:32:44,687 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x278 and local view 0x03AE0000 to global list.
    2022-11-06 21:32:44,687 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x278 to existing target process 2932.
    2022-11-06 21:32:44,687 [root] INFO: Announced 64-bit process name: explorer.exe pid: 2932
    2022-11-06 21:32:44,687 [lib.api.process] INFO: Monitor config for process 2932: C:\tmp9jl3q2fi\dll\2932.ini
    2022-11-06 21:32:44,687 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp9jl3q2fi\dll\MrXCore.dll, loader C:\tmp9jl3q2fi\bin\lnNUHKVs.exe
    2022-11-06 21:32:44,703 [root] DEBUG: Loader: Injecting process 2932 with C:\tmp9jl3q2fi\dll\MrXCore.dll.
    2022-11-06 21:32:45,734 [root] DEBUG: Python path set to 'C:\Users\razv\AppData\Local\Programs\Python\Python310-32'.
    2022-11-06 21:32:45,734 [root] DEBUG: Dropped file limit defaulting to 100.
    2022-11-06 21:32:45,828 [root] INFO: Disabling sleep skipping.
    2022-11-06 21:32:45,953 [root] DEBUG: Initialising Yara...
    2022-11-06 21:32:45,953 [root] DEBUG: YaraInit: Compiled rules loaded from existing file C:\tmp9jl3q2fi\data\yara\capemon.yac
    2022-11-06 21:32:45,953 [root] DEBUG: InternalYaraScan: Scanning 0x00007FFDF0070000, size 0x1f7546
    2022-11-06 21:32:45,953 [root] DEBUG: Error 5 (0x5) - AmsiDumper: Is CAPE agent running elevated? Initialisation failed: Access is denied.
    2022-11-06 21:32:45,953 [root] DEBUG: Monitor initialised: 64-bit capemon loaded in process 2932 at 0x00007FFDB6390000, thread 6116, image base 0x00007FF7599C0000, stack from 0x0000000008B42000-0x0000000008B50000
    2022-11-06 21:32:45,953 [root] DEBUG: Commandline: C:\Windows\Explorer.EXE
    2022-11-06 21:32:45,969 [root] DEBUG: hook_api: Warning - CoCreateInstance export address 0x00007FFDEFE542EB differs from GetProcAddress -> 0x00007FFDEE287E30
    2022-11-06 21:32:45,969 [root] DEBUG: hook_api: Warning - CoCreateInstanceEx export address 0x00007FFDEFE5432A differs from GetProcAddress -> 0x00007FFDEE2091E0
    2022-11-06 21:32:45,969 [root] DEBUG: hook_api: Warning - CoGetClassObject export address 0x00007FFDEFE548BA differs from GetProcAddress -> 0x00007FFDEE284FF0
    2022-11-06 21:32:46,063 [root] DEBUG: hook_api: Warning - CLSIDFromProgID export address 0x00007FFDEFE53B36 differs from GetProcAddress -> 0x00007FFDEE2166D0
    2022-11-06 21:32:46,109 [root] INFO: Loaded monitor into process with pid 2932
    2022-11-06 21:32:46,125 [root] DEBUG: caller_dispatch: Adding region at 0x00007FFDF0070000 to caller regions list (ntdll::NtQueryInformationThread returns to 0x00007FFDF00C461E, thread 6116).
    2022-11-06 21:32:46,125 [root] DEBUG: YaraScan: Scanning 0x00007FFDF0070000, size 0x1f7546
    2022-11-06 21:32:46,125 [root] DEBUG: caller_dispatch: Dump of calling region at 0x00007FFDF0070000 skipped (ntdll::NtQueryInformationThread returns to 0x00007FFDF00C461E mapped as \Device\HarddiskVolume2\Windows\System32\ntdll.dll).
    2022-11-06 21:32:46,125 [root] DEBUG: caller_dispatch: Adding region at 0x00007FFDED8F0000 to caller regions list (ntdll::NtClose returns to 0x00007FFDED91A405, thread 6116).
    2022-11-06 21:32:46,140 [root] DEBUG: caller_dispatch: Scanning calling region at 0x00007FFDED8F0000...
    2022-11-06 21:32:46,140 [root] DEBUG: YaraScan: Scanning 0x00007FFDED8F0000, size 0x2cdc40
    2022-11-06 21:32:46,140 [root] DEBUG: caller_dispatch: Dump of calling region at 0x00007FFDED8F0000 skipped (ntdll::NtClose returns to 0x00007FFDED91A405 mapped as \Device\HarddiskVolume2\Windows\System32\KernelBase.dll).
    2022-11-06 21:32:46,140 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
    2022-11-06 21:32:46,140 [root] DEBUG: Successfully injected DLL C:\tmp9jl3q2fi\dll\MrXCore.dll.
    2022-11-06 21:32:46,140 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2932
    2022-11-06 21:32:46,140 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x27c and local view 0x03AF0000 to global list.
    2022-11-06 21:32:46,140 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x27c to existing target process 2932.
    2022-11-06 21:32:46,156 [root] DEBUG: DumpSectionViewsForPid: Shared section view found with pid 2932, size 20480 (accessible 20480), local address 0x03AE0000.
    2022-11-06 21:32:46,156 [root] DEBUG: caller_dispatch: Adding region at 0x0000000002F00000 to caller regions list (kernel32::CreateThread returns to 0x0000000002F01C54, thread 4924).
    2022-11-06 21:32:46,219 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x03AE0000-0x03AE5000.
    2022-11-06 21:32:46,266 [root] DEBUG: YaraScan: Scanning 0x0000000002F00000, size 0x700c
    2022-11-06 21:32:46,266 [root] DEBUG: DumpSectionViewsForPid: no PE file found in shared section view, attempting raw dump.
    2022-11-06 21:32:46,266 [root] DEBUG: DumpPEsInRange: Scanning range 0x0000000002F00000 - 0x0000000002F0700C.
    2022-11-06 21:32:46,266 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 3452, handle 0x10f0.
    2022-11-06 21:32:46,266 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x0000000002F00000-0x0000000002F0700C.
    2022-11-06 21:32:46,266 [root] DEBUG: OpenProcessHandler: Handle insufficient to obtain target process name.
    2022-11-06 21:32:46,266 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 3228, handle 0x173c.
    2022-11-06 21:32:46,266 [root] DEBUG: OpenProcessHandler: Handle insufficient to obtain target process name.
    2022-11-06 21:32:46,266 [root] DEBUG: caller_dispatch: Adding region at 0x00007FFDD5C10000 to caller regions list (msvcrt::memcpy returns to 0x00007FFDD5C433FB, thread 3812).
    2022-11-06 21:32:46,297 [root] DEBUG: YaraScan: Scanning 0x00007FFDD5C10000, size 0x5f2576
    2022-11-06 21:32:46,297 [root] DEBUG: DLL unloaded from 0x00007FFDD5C10000.
    2022-11-06 21:32:46,297 [root] DEBUG: caller_dispatch: Dump of calling region at 0x00007FFDD5C10000 skipped (msvcrt::memcpy returns to 0x00007FFDD5C433FB mapped as \Device\HarddiskVolume2\Windows\System32\twinui.dll).
    2022-11-06 21:32:46,297 [root] DEBUG: caller_dispatch: Adding region at 0x00007FFDEF0D0000 to caller regions list (user32::MsgWaitForMultipleObjectsEx returns to 0x00007FFDEF0E7580, thread 1516).
    2022-11-06 21:32:48,047 [root] DEBUG: YaraScan: Scanning 0x00007FFDEF0D0000, size 0xac36c
    2022-11-06 21:32:48,204 [lib.common.results] INFO: File C:\BITuZJq\CAPE\2932_51892274632571112022 size is 28684, Max size: 100000000
    2022-11-06 21:32:48,343 [root] DEBUG: caller_dispatch: Adding region at 0x00007FF7599C0000 to caller regions list (cryptsp::CryptAcquireContextW returns to 0x00007FF759A04F05, thread 2916).
    2022-11-06 21:32:49,096 [root] DEBUG: caller_dispatch: Adding region at 0x00007FFDD6E20000 to caller regions list (user32::GetCursorPos returns to 0x00007FFDD6E6DCDC, thread 744).
    2022-11-06 21:34:00,978 [root] DEBUG: DLL loaded at 0x00007FFDE25C0000: C:\Windows\SYSTEM32\secur32 (0xc000 bytes).
    2022-11-06 21:34:02,986 [root] DEBUG: DLL loaded at 0x00007FFDDE0D0000: C:\Windows\System32\OneCoreCommonProxyStub (0x7d000 bytes).
    2022-11-06 21:35:57,512 [root] INFO: Analysis timeout hit, terminating analysis
    2022-11-06 21:35:57,512 [lib.api.process] ERROR: Failed to open terminate event for pid 4392
    2022-11-06 21:35:57,512 [root] INFO: Terminate event set for process 4392
    2022-11-06 21:35:57,512 [lib.api.process] ERROR: Failed to open terminate event for pid 2932
    2022-11-06 21:35:57,512 [root] INFO: Terminate event set for process 2932
    2022-11-06 21:35:57,512 [root] INFO: Created shutdown mutex
    2022-11-06 21:35:58,528 [root] INFO: Shutting down package
    2022-11-06 21:35:58,528 [root] INFO: Stopping auxiliary modules
    2022-11-06 21:35:58,528 [root] INFO: Stopped auxiliary modules: <Browser(Thread-3, stopped 5412)>
    2022-11-06 21:35:58,777 [lib.common.results] INFO: File C:\curtain.log size is 120508, Max size: 100000000
    2022-11-06 21:35:58,809 [root] INFO: Stopped auxiliary modules: <Curtain(Thread-4, stopped 4756)>
    2022-11-06 21:35:58,809 [root] INFO: Stopped auxiliary modules: <Evtx(Thread-7, stopped 5888)>
    2022-11-06 21:35:58,809 [root] INFO: Stopped auxiliary modules: <Human(Thread-8, started 5892)>
    2022-11-06 21:35:58,809 [root] INFO: Stopped auxiliary modules: <Pre_script(Thread-9, initial)>
    2022-11-06 21:35:58,856 [lib.common.results] WARNING: File C:\BITuZJq\bin\procmon.xml doesn't exist anymore
    2022-11-06 21:35:58,856 [root] INFO: Stopped auxiliary modules: <Procmon(Thread-10, stopped 5876)>
    2022-11-06 21:35:58,871 [root] INFO: Stopped auxiliary modules: <Screenshots(Thread-11, started 5852)>
    2022-11-06 21:35:58,918 [root] WARNING: Cannot terminate auxiliary module Sysmon: Thread.__init__() was not called
    2022-11-06 21:35:58,934 [root] INFO: Stopped auxiliary modules: <Usage(Thread-23, stopped 5916)>
    2022-11-06 21:35:58,934 [root] INFO: Stopped auxiliary modules: <During_script(Thread-24, initial)>
    2022-11-06 21:35:58,934 [root] INFO: Finishing auxiliary modules
    2022-11-06 21:35:58,949 [root] INFO: Shutting down pipe server and dumping dropped files
    2022-11-06 21:35:58,949 [root] WARNING: Folder at path "C:\BITuZJq\debugger" does not exist, skipping
    2022-11-06 21:35:58,949 [root] WARNING: Folder at path "C:\BITuZJq\tlsdump" does not exist, skipping
    2022-11-06 21:35:58,949 [root] INFO: Analysis completed
    

    The VM is a Windows 10 running over KVM. [image]

    The error is not logged. What could be causing this error? Is it important or should I ignore it?

    Failure Information (for bugs)

    Please help provide information about the failure if this is a bug. If it is not a bug, please remove the rest of this template.

    Steps to Reproduce

    Please provide detailed steps for reproducing the issue.

    1. step 1
    2. step 2
    3. you get it...

    Context

    Please provide any relevant information about your setup. This is important in case the issue is not reproducible except for under certain conditions. Operating system version, bitness, installed software versions, test sample details/hash/binary (if applicable).

    | Question | Answer |
    |------------------|--------------------|
    | Git commit | Type $ git log \| head -n1 to find out |
    | OS version | Windows 10 with KVM |

    Failure Logs

    Please include any relevant log snippets or files here.

    opened by RazviOverflow 0
Owner: Kevin O'Reilly (CAPE developer)