| Category | Package | Started | Completed | Duration |
|---|---|---|---|---|
| FILE | exe | 2025-11-20 09:35:59 | 2025-11-20 09:39:46 | 227 seconds |
```text
2025-11-20 02:01:41,828 [root] INFO: Date set to: 20251120T09:35:58, timeout set to: 200
2025-11-20 09:35:58,023 [root] DEBUG: Starting analyzer from: C:\ng5yia_d
2025-11-20 09:35:58,024 [root] DEBUG: Storing results at: C:\KKXkhRvnKv
2025-11-20 09:35:58,025 [root] DEBUG: Pipe server name: \\.\PIPE\QyxnimP
2025-11-20 09:35:58,025 [root] DEBUG: Python path: C:\Users\Admin\AppData\Local\Programs\Python\Python313-32
2025-11-20 09:35:58,026 [root] INFO: analysis running as an admin
2025-11-20 09:35:58,027 [root] INFO: analysis package specified: "exe"
2025-11-20 09:35:58,027 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-11-20 09:35:58,041 [root] DEBUG: imported analysis package "exe"
2025-11-20 09:35:58,042 [root] DEBUG: initializing analysis package "exe"...
2025-11-20 09:35:58,042 [lib.common.common] INFO: wrapping
2025-11-20 09:35:58,043 [lib.core.compound] INFO: C:\Temp already exists, skipping creation
2025-11-20 09:35:58,044 [root] DEBUG: New location of moved file: C:\Temp\winlocker_builder_0.6.exe
2025-11-20 09:35:58,044 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-11-20 09:35:58,044 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-11-20 09:35:58,044 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-11-20 09:35:58,044 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-11-20 09:35:58,094 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-11-20 09:35:58,109 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-11-20 09:35:58,142 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-11-20 09:35:58,199 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-11-20 09:35:58,206 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-11-20 09:35:58,489 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2025-11-20 09:35:58,492 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2025-11-20 09:35:58,563 [lib.api.screenshot] INFO: Please upgrade Pillow to >= 5.4.1 for best performance
2025-11-20 09:35:58,565 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-11-20 09:35:58,571 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-11-20 09:35:58,572 [root] DEBUG: Initialized auxiliary module "Browser"
2025-11-20 09:35:58,573 [root] DEBUG: attempting to configure 'Browser' from data
2025-11-20 09:35:58,575 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-11-20 09:35:58,576 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-11-20 09:35:58,578 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-11-20 09:35:58,579 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-11-20 09:35:58,582 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-11-20 09:35:58,584 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-11-20 09:35:58,586 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-11-20 09:35:58,589 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-11-20 09:35:59,603 [modules.auxiliary.digisig] DEBUG: File is not signed
2025-11-20 09:35:59,603 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-11-20 09:35:59,614 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-11-20 09:35:59,615 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-11-20 09:35:59,615 [root] DEBUG: attempting to configure 'Disguise' from data
2025-11-20 09:35:59,616 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-11-20 09:35:59,616 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-11-20 09:35:59,617 [modules.auxiliary.disguise] INFO: Disguising GUID to 6b704107-2158-4b27-ac55-ec6a3ca3925c
2025-11-20 09:35:59,617 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-11-20 09:35:59,618 [root] DEBUG: Initialized auxiliary module "Human"
2025-11-20 09:35:59,618 [root] DEBUG: attempting to configure 'Human' from data
2025-11-20 09:35:59,619 [root] DEBUG: module Human does not support data configuration, ignoring
2025-11-20 09:35:59,619 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-11-20 09:35:59,622 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-11-20 09:35:59,622 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-11-20 09:35:59,623 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-11-20 09:35:59,623 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-11-20 09:35:59,624 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-11-20 09:35:59,625 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-11-20 09:35:59,625 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-11-20 09:35:59,626 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-11-20 09:35:59,627 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-11-20 09:35:59,627 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-11-20 09:35:59,630 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 608
2025-11-20 09:35:59,835 [lib.api.process] INFO: Monitor config for <Process 608 lsass.exe>: C:\ng5yia_d\dll\608.ini
2025-11-20 09:35:59,837 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-11-20 09:35:59,854 [lib.api.process] INFO: 64-bit DLL to inject is C:\ng5yia_d\dll\DCxmJWD.dll, loader C:\ng5yia_d\bin\SMDjpsmF.exe
2025-11-20 09:35:59,874 [root] DEBUG: Loader: Injecting process 608 with C:\ng5yia_d\dll\DCxmJWD.dll.
2025-11-20 09:35:59,891 [root] DEBUG: 608: Python path set to 'C:\Users\Admin\AppData\Local\Programs\Python\Python313-32'.
2025-11-20 09:35:59,892 [root] DEBUG: 608: Disabling sleep skipping.
2025-11-20 09:35:59,893 [root] DEBUG: 608: TLS secret dump mode enabled.
2025-11-20 09:35:59,934 [root] DEBUG: 608: RtlInsertInvertedFunctionTable 0x00007FFEE348090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEE35DD4F0
2025-11-20 09:35:59,935 [root] DEBUG: 608: Monitor initialised: 64-bit capemon loaded in process 608 at 0x00007FFEB9270000, thread 2452, image base 0x00007FF60EE30000, stack from 0x000000A5F4B73000-0x000000A5F4B80000
2025-11-20 09:35:59,936 [root] DEBUG: 608: Commandline: C:\Windows\system32\lsass.exe
2025-11-20 09:35:59,948 [root] DEBUG: 608: Hooked 5 out of 5 functions
2025-11-20 09:35:59,950 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-11-20 09:35:59,951 [root] DEBUG: Successfully injected DLL C:\ng5yia_d\dll\DCxmJWD.dll.
2025-11-20 09:35:59,954 [lib.api.process] INFO: Injected into 64-bit <Process 608 lsass.exe>
2025-11-20 09:35:59,955 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump
2025-11-20 09:36:03,138 [root] INFO: Restarting WMI Service
2025-11-20 09:36:05,281 [root] DEBUG: package modules.packages.exe does not support configure, ignoring
2025-11-20 09:36:05,282 [root] WARNING: configuration error for package modules.packages.exe: error importing data.packages.exe: No module named 'data.packages'
2025-11-20 09:36:05,283 [lib.core.compound] INFO: C:\Temp already exists, skipping creation
2025-11-20 09:36:05,313 [lib.api.process] INFO: Successfully executed process from path "C:\Temp\winlocker_builder_0.6.exe" with arguments "" with pid 2620
2025-11-20 09:36:05,314 [lib.api.process] INFO: Monitor config for <Process 2620 winlocker_builder_0.6.exe>: C:\ng5yia_d\dll\2620.ini
2025-11-20 09:36:05,318 [lib.api.process] INFO: 64-bit DLL to inject is C:\ng5yia_d\dll\DCxmJWD.dll, loader C:\ng5yia_d\bin\SMDjpsmF.exe
2025-11-20 09:36:05,329 [root] DEBUG: Loader: Injecting process 2620 (thread 3028) with C:\ng5yia_d\dll\DCxmJWD.dll.
2025-11-20 09:36:05,330 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-11-20 09:36:05,330 [root] DEBUG: Successfully injected DLL C:\ng5yia_d\dll\DCxmJWD.dll.
2025-11-20 09:36:05,333 [lib.api.process] INFO: Injected into 64-bit <Process 2620 winlocker_builder_0.6.exe>
2025-11-20 09:36:07,336 [lib.api.process] INFO: Successfully resumed <Process 2620 winlocker_builder_0.6.exe>
2025-11-20 09:36:07,349 [root] DEBUG: 2620: Python path set to 'C:\Users\Admin\AppData\Local\Programs\Python\Python313-32'.
2025-11-20 09:36:07,350 [root] DEBUG: 2620: Disabling sleep skipping.
2025-11-20 09:36:07,351 [root] DEBUG: 2620: Dropped file limit defaulting to 100.
2025-11-20 09:36:07,375 [root] DEBUG: 2620: YaraInit: Compiled 43 rule files
2025-11-20 09:36:07,378 [root] DEBUG: 2620: YaraInit: Compiled rules saved to file C:\ng5yia_d\data\yara\capemon.yac
2025-11-20 09:36:07,403 [root] DEBUG: 2620: RtlInsertInvertedFunctionTable 0x00007FFEE348090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEE35DD4F0
2025-11-20 09:36:07,404 [root] DEBUG: 2620: YaraScan: Scanning 0x00007FF615C90000, size 0x5b774
2025-11-20 09:36:07,409 [root] DEBUG: 2620: Monitor initialised: 64-bit capemon loaded in process 2620 at 0x00007FFEB9270000, thread 3028, image base 0x00007FF615C90000, stack from 0x00000066D99E2000-0x00000066D99F0000
2025-11-20 09:36:07,410 [root] DEBUG: 2620: Commandline: "C:\Temp\winlocker_builder_0.6.exe"
2025-11-20 09:36:07,420 [root] DEBUG: 2620: hook_api: LdrpCallInitRoutine export address 0x00007FFEE34899BC obtained via GetFunctionAddress
2025-11-20 09:36:07,473 [root] WARNING: b'Unable to place hook on LockResource'
2025-11-20 09:36:07,474 [root] DEBUG: 2620: set_hooks: Unable to hook LockResource
2025-11-20 09:36:07,485 [root] DEBUG: 2620: Hooked 619 out of 620 functions
2025-11-20 09:36:07,491 [root] DEBUG: 2620: Syscall hook installed, syscall logging level 1
2025-11-20 09:36:07,502 [root] DEBUG: 2620: RestoreHeaders: Restored original import table.
2025-11-20 09:36:07,503 [root] INFO: Loaded monitor into process with pid 2620
2025-11-20 09:36:07,513 [root] DEBUG: 2620: caller_dispatch: Added region at 0x00007FF615C90000 to tracked regions list (kernel32::LoadLibraryExW returns to 0x00007FF615C9EC63, thread 3028).
2025-11-20 09:36:07,514 [root] DEBUG: 2620: YaraScan: Scanning 0x00007FF615C90000, size 0x5b774
2025-11-20 09:36:07,521 [root] DEBUG: 2620: ProcessImageBase: Main module image at 0x00007FF615C90000 unmodified (entropy change 0.000000e+00)
2025-11-20 09:36:07,555 [root] INFO: Added new file to list with pid None and path C:\Temp\_MEI26202\VCRUNTIME140.dll
2025-11-20 09:36:07,576 [root] INFO: Added new file to list with pid None and path C:\Temp\_MEI26202\_bz2.pyd
2025-11-20 09:36:07,625 [root] INFO: Added new file to list with pid None and path C:\Temp\_MEI26202\_decimal.pyd
2025-11-20 09:36:07,643 [root] INFO: Added new file to list with pid None and path C:\Temp\_MEI26202\_hashlib.pyd
2025-11-20 09:36:07,687 [root] INFO: Added new file to list with pid None and path C:\Temp\_MEI26202\_lzma.pyd
2025-11-20 09:36:07,697 [root] INFO: Added new file to list with pid None and path C:\Temp\_MEI26202\_queue.pyd
2025-11-20 09:36:07,719 [root] INFO: Added new file to list with pid None and path C:\Temp\_MEI26202\_socket.pyd
2025-11-20 09:36:07,757 [root] INFO: Added new file to list with pid None and path C:\Temp\_MEI26202\_ssl.pyd
2025-11-20 09:36:07,837 [root] INFO: Added new file to list with pid None and path C:\Temp\_MEI26202\base_library.zip
2025-11-20 09:36:07,891 [root] INFO: Added new file to list with pid None and path C:\Temp\_MEI26202\certifi\cacert.pem
2025-11-20 09:36:07,904 [root] INFO: Added new file to list with pid None and path C:\Temp\_MEI26202\certifi\py.typed
2025-11-20 09:36:07,914 [root] INFO: Added new file to list with pid None and path C:\Temp\_MEI26202\charset_normalizer\md.cp310-win_amd64.pyd
2025-11-20 09:36:07,944 [root] INFO: Added new file to list with pid None and path C:\Temp\_MEI26202\charset_normalizer\md__mypyc.cp310-win_amd64.pyd
2025-11-20 09:36:08,122 [root] INFO: Added new file to list with pid None and path C:\Temp\_MEI26202\libcrypto-1_1.dll
2025-11-20 09:36:08,183 [root] INFO: Added new file to list with pid None and path C:\Temp\_MEI26202\libssl-1_1.dll
2025-11-20 09:36:08,402 [root] INFO: Added new file to list with pid None and path C:\Temp\_MEI26202\python310.dll
2025-11-20 09:36:08,410 [root] INFO: Added new file to list with pid None and path C:\Temp\_MEI26202\select.pyd
2025-11-20 09:36:08,467 [root] INFO: Added new file to list with pid None and path C:\Temp\_MEI26202\unicodedata.pyd
2025-11-20 09:36:08,480 [root] DEBUG: 2620: CreateProcessHandler: Injection info set for new process 3140: C:\Temp\winlocker_builder_0.6.exe, ImageBase: 0x00007FF615C90000
2025-11-20 09:36:08,482 [root] INFO: Announced 64-bit process name: winlocker_builder_0.6.exe pid: 3140
2025-11-20 09:36:08,482 [lib.api.process] INFO: Monitor config for <Process 3140 winlocker_builder_0.6.exe>: C:\ng5yia_d\dll\3140.ini
2025-11-20 09:36:08,487 [lib.api.process] INFO: 64-bit DLL to inject is C:\ng5yia_d\dll\DCxmJWD.dll, loader C:\ng5yia_d\bin\SMDjpsmF.exe
2025-11-20 09:36:08,498 [root] DEBUG: Loader: Injecting process 3140 (thread 3172) with C:\ng5yia_d\dll\DCxmJWD.dll.
2025-11-20 09:36:08,499 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-11-20 09:36:08,499 [root] DEBUG: Successfully injected DLL C:\ng5yia_d\dll\DCxmJWD.dll.
2025-11-20 09:36:08,502 [lib.api.process] INFO: Injected into 64-bit <Process 3140 winlocker_builder_0.6.exe>
2025-11-20 09:36:08,505 [root] INFO: Announced 64-bit process name: winlocker_builder_0.6.exe pid: 3140
2025-11-20 09:36:08,506 [lib.api.process] INFO: Monitor config for <Process 3140 winlocker_builder_0.6.exe>: C:\ng5yia_d\dll\3140.ini
2025-11-20 09:36:08,509 [lib.api.process] INFO: 64-bit DLL to inject is C:\ng5yia_d\dll\DCxmJWD.dll, loader C:\ng5yia_d\bin\SMDjpsmF.exe
2025-11-20 09:36:08,520 [root] DEBUG: Loader: Injecting process 3140 (thread 3172) with C:\ng5yia_d\dll\DCxmJWD.dll.
2025-11-20 09:36:08,521 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-11-20 09:36:08,522 [root] DEBUG: Successfully injected DLL C:\ng5yia_d\dll\DCxmJWD.dll.
2025-11-20 09:36:08,524 [lib.api.process] INFO: Injected into 64-bit <Process 3140 winlocker_builder_0.6.exe>
2025-11-20 09:36:08,527 [root] DEBUG: 2620: DLL loaded at 0x00007FFEDE5B0000: C:\Windows\system32\uxtheme (0x9e000 bytes).
2025-11-20 09:36:08,533 [root] DEBUG: 2620: DLL loaded at 0x00007FFEE21A0000: C:\Windows\System32\MSCTF (0x114000 bytes).
2025-11-20 09:36:08,538 [root] DEBUG: 3140: Python path set to 'C:\Users\Admin\AppData\Local\Programs\Python\Python313-32'.
2025-11-20 09:36:08,539 [root] DEBUG: 3140: Dropped file limit defaulting to 100.
2025-11-20 09:36:08,542 [root] DEBUG: 3140: Disabling sleep skipping.
2025-11-20 09:36:08,545 [root] DEBUG: 3140: YaraInit: Compiled rules loaded from existing file C:\ng5yia_d\data\yara\capemon.yac
2025-11-20 09:36:08,572 [root] DEBUG: 3140: RtlInsertInvertedFunctionTable 0x00007FFEE348090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEE35DD4F0
2025-11-20 09:36:08,572 [root] DEBUG: 3140: YaraScan: Scanning 0x00007FF615C90000, size 0x5b774
2025-11-20 09:36:08,579 [root] DEBUG: 3140: Monitor initialised: 64-bit capemon loaded in process 3140 at 0x00007FFEB9270000, thread 3172, image base 0x00007FF615C90000, stack from 0x000000D8551E5000-0x000000D8551F0000
2025-11-20 09:36:08,579 [root] DEBUG: 3140: Commandline: "C:\Temp\winlocker_builder_0.6.exe"
2025-11-20 09:36:08,589 [root] DEBUG: 3140: hook_api: LdrpCallInitRoutine export address 0x00007FFEE34899BC obtained via GetFunctionAddress
2025-11-20 09:36:08,640 [root] WARNING: b'Unable to place hook on LockResource'
2025-11-20 09:36:08,641 [root] DEBUG: 3140: set_hooks: Unable to hook LockResource
2025-11-20 09:36:08,652 [root] DEBUG: 3140: Hooked 619 out of 620 functions
2025-11-20 09:36:08,658 [root] DEBUG: 3140: Syscall hook installed, syscall logging level 1
2025-11-20 09:36:08,666 [root] DEBUG: 3140: RestoreHeaders: Restored original import table.
2025-11-20 09:36:08,667 [root] INFO: Loaded monitor into process with pid 3140
2025-11-20 09:36:08,677 [root] DEBUG: 3140: caller_dispatch: Added region at 0x00007FF615C90000 to tracked regions list (kernel32::LoadLibraryExW returns to 0x00007FF615C9EC63, thread 3172).
2025-11-20 09:36:08,678 [root] DEBUG: 3140: YaraScan: Scanning 0x00007FF615C90000, size 0x5b774
2025-11-20 09:36:08,686 [root] DEBUG: 3140: ProcessImageBase: Main module image at 0x00007FF615C90000 unmodified (entropy change 0.000000e+00)
2025-11-20 09:36:08,749 [root] DEBUG: 3140: DLL loaded at 0x00007FFEDC870000: C:\Windows\SYSTEM32\VERSION (0xa000 bytes).
2025-11-20 09:36:08,750 [root] DEBUG: 3140: DLL loaded at 0x00007FFEDC850000: C:\Temp\_MEI26202\VCRUNTIME140 (0x1b000 bytes).
2025-11-20 09:36:08,751 [root] DEBUG: 3140: DLL loaded at 0x00007FFEC3F30000: C:\Temp\_MEI26202\python310 (0x455000 bytes).
2025-11-20 09:36:08,760 [root] DEBUG: 3140: DLL loaded at 0x00007FFEE0450000: C:\Windows\SYSTEM32\CRYPTSP (0x18000 bytes).
2025-11-20 09:36:08,762 [root] DEBUG: 3140: DLL loaded at 0x00007FFEDFB90000: C:\Windows\system32\rsaenh (0x34000 bytes).
2025-11-20 09:36:08,766 [root] DEBUG: 3140: DLL loaded at 0x00007FFEE1390000: C:\Windows\System32\bcryptPrimitives (0x82000 bytes).
2025-11-20 09:36:09,346 [root] DEBUG: 3140: DLL loaded at 0x00007FFEDC220000: C:\Temp\_MEI26202\_bz2.pyd (0x15000 bytes).
2025-11-20 09:36:09,365 [root] DEBUG: 3140: DLL loaded at 0x00007FFED9690000: C:\Temp\_MEI26202\_lzma.pyd (0x28000 bytes).
2025-11-20 09:36:09,542 [root] DEBUG: 3140: DLL loaded at 0x00007FFEDFF50000: C:\Windows\SYSTEM32\IPHLPAPI (0x3b000 bytes).
2025-11-20 09:36:09,544 [root] DEBUG: 3140: DLL loaded at 0x00007FFEDB270000: C:\Temp\_MEI26202\_socket.pyd (0x15000 bytes).
2025-11-20 09:36:09,569 [root] DEBUG: 3140: DLL loaded at 0x00007FFEDC210000: C:\Temp\_MEI26202\select.pyd (0x9000 bytes).
2025-11-20 09:36:09,798 [root] DEBUG: 3140: DLL loaded at 0x00007FFED3F70000: C:\Temp\_MEI26202\libcrypto-1_1 (0x34d000 bytes).
2025-11-20 09:36:09,799 [root] DEBUG: 3140: DLL loaded at 0x00007FFED94C0000: C:\Temp\_MEI26202\libssl-1_1 (0xad000 bytes).
2025-11-20 09:36:09,800 [root] DEBUG: 3140: DLL loaded at 0x00007FFED9660000: C:\Temp\_MEI26202\_ssl.pyd (0x28000 bytes).
2025-11-20 09:36:09,834 [root] DEBUG: 3140: DLL loaded at 0x00007FFEE0260000: C:\Windows\system32\mswsock (0x6a000 bytes).
2025-11-20 09:36:09,885 [root] DEBUG: 3140: DLL loaded at 0x00007FFED94A0000: C:\Temp\_MEI26202\_hashlib.pyd (0x11000 bytes).
2025-11-20 09:36:09,994 [root] DEBUG: 3140: DLL loaded at 0x00007FFED9650000: C:\Temp\_MEI26202\_queue.pyd (0x9000 bytes).
2025-11-20 09:36:10,169 [root] DEBUG: 3140: DLL loaded at 0x00007FFED9490000: C:\Temp\_MEI26202\charset_normalizer\md.cp310-win_amd64.pyd (0x7000 bytes).
2025-11-20 09:36:10,177 [root] DEBUG: 3140: DLL loaded at 0x00007FFED5F20000: C:\Temp\_MEI26202\charset_normalizer\md__mypyc.cp310-win_amd64.pyd (0x24000 bytes).
2025-11-20 09:36:10,200 [root] DEBUG: 3140: DLL loaded at 0x00007FFECC7F0000: C:\Temp\_MEI26202\unicodedata.pyd (0x114000 bytes).
2025-11-20 09:36:10,428 [root] DEBUG: 3140: set_hooks_by_export_directory: Hooked 0 out of 620 functions
2025-11-20 09:36:10,429 [root] DEBUG: 3140: DLL loaded at 0x00007FFEDEA70000: C:\Windows\SYSTEM32\kernel.appcore (0x12000 bytes).
2025-11-20 09:36:10,611 [root] DEBUG: 3140: DLL loaded at 0x00007FFEDFF90000: C:\Windows\SYSTEM32\DNSAPI (0xca000 bytes).
2025-11-20 09:36:10,615 [root] DEBUG: 3140: DLL loaded at 0x00007FFEE2110000: C:\Windows\System32\NSI (0x8000 bytes).
2025-11-20 09:36:10,619 [root] DEBUG: 3140: DLL loaded at 0x00007FFED87C0000: C:\Windows\System32\rasadhlp (0xa000 bytes).
2025-11-20 09:36:10,650 [root] DEBUG: 3140: DLL loaded at 0x00007FFED8CB0000: C:\Windows\System32\fwpuclnt (0x80000 bytes).
2025-11-20 09:36:13,362 [root] DEBUG: 3140: api-cap: GetSystemTimeAsFileTime hook disabled due to count: 5007
2025-11-20 09:36:13,373 [root] DEBUG: 3140: api-cap: GetSystemTimeAsFileTime hook disabled due to count: 5007
2025-11-20 09:36:13,374 [root] DEBUG: 3140: api-cap: GetSystemTimeAsFileTime hook disabled due to count: 5007
2025-11-20 09:36:13,375 [root] DEBUG: 3140: api-cap: GetSystemTimeAsFileTime hook disabled due to count: 5007
2025-11-20 09:36:13,376 [root] DEBUG: 3140: api-cap: GetSystemTimeAsFileTime hook disabled due to count: 5007
2025-11-20 09:36:13,377 [root] DEBUG: 3140: api-cap: GetSystemTimeAsFileTime hook disabled due to count: 5007
2025-11-20 09:36:13,377 [root] DEBUG: 3140: api-cap: GetSystemTimeAsFileTime hook disabled due to count: 5007
2025-11-20 09:36:13,378 [root] DEBUG: 3140: api-cap: GetSystemTimeAsFileTime hook disabled due to count: 5007
2025-11-20 09:36:13,642 [root] DEBUG: 3140: api-cap: LdrpCallInitRoutine hook disabled due to count: 5000
2025-11-20 09:36:14,298 [root] DEBUG: 3140: api-cap: NtWaitForSingleObject hook disabled due to count: 5001
2025-11-20 09:36:14,299 [root] DEBUG: 3140: api-cap: NtWaitForSingleObject hook disabled due to count: 5003
2025-11-20 09:36:14,301 [root] DEBUG: 3140: api-cap: NtWaitForSingleObject hook disabled due to count: 5004
2025-11-20 09:36:14,302 [root] DEBUG: 3140: api-cap: NtWaitForSingleObject hook disabled due to count: 5006
2025-11-20 09:36:14,302 [root] DEBUG: 3140: api-cap: NtWaitForSingleObject hook disabled due to count: 5005
2025-11-20 09:36:14,304 [root] DEBUG: 3140: api-cap: NtWaitForSingleObject hook disabled due to count: 5007
2025-11-20 09:36:14,304 [root] DEBUG: 3140: api-cap: NtWaitForSingleObject hook disabled due to count: 5007
2025-11-20 09:36:14,305 [root] DEBUG: 3140: api-cap: NtWaitForSingleObject hook disabled due to count: 5008
2025-11-20 09:36:14,306 [root] DEBUG: 3140: api-cap: NtWaitForSingleObject hook disabled due to count: 5002
2025-11-20 09:36:16,968 [root] DEBUG: 3140: api-cap: NtClose hook disabled due to count: 5000
2025-11-20 09:36:31,814 [root] DEBUG: 3140: api-cap: RegQueryValueExW hook disabled due to count: 5000
2025-11-20 09:36:37,707 [root] DEBUG: 3140: api-cap: NtQueryPerformanceCounter hook disabled due to count: 5000
2025-11-20 09:36:45,324 [root] DEBUG: 3140: api-cap: ioctlsocket hook disabled due to count: 5000
2025-11-20 09:36:53,117 [root] DEBUG: 3140: api-cap: NtDeviceIoControlFile hook disabled due to count: 5000
2025-11-20 09:36:53,118 [root] DEBUG: 3140: api-cap: NtDeviceIoControlFile hook disabled due to count: 5001
2025-11-20 09:36:53,120 [root] DEBUG: 3140: api-cap: NtDeviceIoControlFile hook disabled due to count: 5002
2025-11-20 09:36:53,356 [root] DEBUG: 3140: api-cap: RegQueryValueExW hook disabled due to count: 5000
2025-11-20 09:36:58,913 [root] DEBUG: 608: TLS 1.2 secrets logged to: C:\KKXkhRvnKv\tlsdump\tlsdump.log
2025-11-20 09:36:59,248 [root] DEBUG: 3140: api-cap: NtCreateFile hook disabled due to count: 5001
2025-11-20 09:36:59,253 [root] DEBUG: 3140: api-cap: NtCreateFile hook disabled due to count: 5001
2025-11-20 09:37:02,919 [root] DEBUG: 3140: api-cap: RegOpenKeyExW hook disabled due to count: 5001
2025-11-20 09:37:02,923 [root] DEBUG: 3140: api-cap: RegOpenKeyExW hook disabled due to count: 5002
2025-11-20 09:37:02,924 [root] DEBUG: 3140: api-cap: RegOpenKeyExW hook disabled due to count: 5002
2025-11-20 09:37:03,710 [root] DEBUG: 3140: api-cap: RegCloseKey hook disabled due to count: 5000
2025-11-20 09:37:14,414 [root] DEBUG: 3140: api-cap: NtQueryValueKey hook disabled due to count: 5000
2025-11-20 09:37:57,449 [root] DEBUG: 3140: api-cap: RegOpenKeyExW hook disabled due to count: 5000
2025-11-20 09:37:57,456 [root] DEBUG: 3140: api-cap: RegOpenKeyExW hook disabled due to count: 5001
2025-11-20 09:37:57,457 [root] DEBUG: 3140: api-cap: RegOpenKeyExW hook disabled due to count: 5002
2025-11-20 09:37:57,474 [root] DEBUG: 3140: api-cap: getaddrinfo hook disabled due to count: 5000
2025-11-20 09:37:58,417 [root] DEBUG: 3140: api-cap: LdrUnloadDll hook disabled due to count: 5000
2025-11-20 09:37:58,417 [root] DEBUG: 3140: api-cap: LdrUnloadDll hook disabled due to count: 5001
2025-11-20 09:37:58,479 [root] DEBUG: 3140: api-cap: NtCreateThreadEx hook disabled due to count: 5000
2025-11-20 09:37:58,607 [root] DEBUG: 3140: api-cap: RegCloseKey hook disabled due to count: 5000
2025-11-20 09:37:58,813 [root] DEBUG: 3140: api-cap: NtTestAlert hook disabled due to count: 5000
2025-11-20 09:37:59,343 [root] DEBUG: 3140: api-cap: CreateRemoteThreadEx hook disabled due to count: 5000
2025-11-20 09:37:59,379 [root] DEBUG: 3140: api-cap: send hook disabled due to count: 5000
2025-11-20 09:37:59,575 [root] DEBUG: 3140: api-cap: NtQueryInformationThread hook disabled due to count: 5000
2025-11-20 09:37:59,621 [root] DEBUG: 3140: api-cap: WSASocketW hook disabled due to count: 5000
2025-11-20 09:37:59,632 [root] DEBUG: 3140: api-cap: closesocket hook disabled due to count: 5000
2025-11-20 09:37:59,633 [root] DEBUG: 3140: api-cap: closesocket hook disabled due to count: 5001
2025-11-20 09:37:59,634 [root] DEBUG: 3140: api-cap: closesocket hook disabled due to count: 5002
2025-11-20 09:37:59,999 [root] DEBUG: 3140: api-cap: connect hook disabled due to count: 5000
2025-11-20 09:38:00,327 [root] DEBUG: 3140: api-cap: NtTerminateThread hook disabled due to count: 5001
2025-11-20 09:38:00,327 [root] DEBUG: 3140: api-cap: NtTerminateThread hook disabled due to count: 5001
2025-11-20 09:38:00,615 [root] DEBUG: 3140: api-cap: setsockopt hook disabled due to count: 5000
2025-11-20 09:38:02,972 [root] DEBUG: 3140: api-cap: recv hook disabled due to count: 5001
2025-11-20 09:38:02,976 [root] DEBUG: 3140: api-cap: recv hook disabled due to count: 5002
2025-11-20 09:38:02,977 [root] DEBUG: 3140: api-cap: recv hook disabled due to count: 5002
2025-11-20 09:38:03,903 [root] DEBUG: 3140: api-cap: RtlSetCurrentTransaction hook disabled due to count: 5001
2025-11-20 09:38:03,905 [root] DEBUG: 3140: api-cap: RtlSetCurrentTransaction hook disabled due to count: 5001
2025-11-20 09:38:03,906 [root] DEBUG: 3140: api-cap: RtlSetCurrentTransaction hook disabled due to count: 5002
2025-11-20 09:38:09,565 [root] DEBUG: 3140: api-cap: NtQueryKey hook disabled due to count: 5013
2025-11-20 09:38:09,567 [root] DEBUG: 3140: api-cap: NtQueryKey hook disabled due to count: 5013
2025-11-20 09:38:09,568 [root] DEBUG: 3140: api-cap: NtQueryKey hook disabled due to count: 5013
2025-11-20 09:38:09,569 [root] DEBUG: 3140: api-cap: NtQueryKey hook disabled due to count: 5013
2025-11-20 09:38:09,570 [root] DEBUG: 3140: api-cap: NtQueryKey hook disabled due to count: 5013
2025-11-20 09:38:09,571 [root] DEBUG: 3140: api-cap: NtQueryKey hook disabled due to count: 5013
2025-11-20 09:38:09,573 [root] DEBUG: 3140: api-cap: NtQueryKey hook disabled due to count: 5013
2025-11-20 09:38:09,573 [root] DEBUG: 3140: api-cap: NtQueryKey hook disabled due to count: 5013
2025-11-20 09:38:09,575 [root] DEBUG: 3140: api-cap: NtQueryKey hook disabled due to count: 5013
2025-11-20 09:38:09,576 [root] DEBUG: 3140: api-cap: NtQueryKey hook disabled due to count: 5013
2025-11-20 09:38:09,577 [root] DEBUG: 3140: api-cap: NtQueryKey hook disabled due to count: 5013
2025-11-20 09:38:09,578 [root] DEBUG: 3140: api-cap: NtQueryKey hook disabled due to count: 5013
2025-11-20 09:38:09,579 [root] DEBUG: 3140: api-cap: NtQueryKey hook disabled due to count: 5016
2025-11-20 09:38:09,580 [root] DEBUG: 3140: api-cap: NtQueryKey hook disabled due to count: 5013
2025-11-20 09:38:09,581 [root] DEBUG: 3140: api-cap: NtQueryKey hook disabled due to count: 5014
2025-11-20 09:38:09,582 [root] DEBUG: 3140: api-cap: NtQueryKey hook disabled due to count: 5013
2025-11-20 09:38:09,583 [root] DEBUG: 3140: api-cap: NtQueryKey hook disabled due to count: 5015
2025-11-20 09:38:09,675 [root] DEBUG: 3140: api-cap: NtOpenKeyEx hook disabled due to count: 5000
2025-11-20 09:38:09,677 [root] DEBUG: 3140: api-cap: NtOpenKeyEx hook disabled due to count: 5001
2025-11-20 09:38:09,677 [root] DEBUG: 3140: api-cap: NtOpenKeyEx hook disabled due to count: 5002
2025-11-20 09:38:09,678 [root] DEBUG: 3140: api-cap: NtOpenKeyEx hook disabled due to count: 5003
2025-11-20 09:38:09,679 [root] DEBUG: 3140: api-cap: NtOpenKeyEx hook disabled due to count: 5005
2025-11-20 09:38:09,680 [root] DEBUG: 3140: api-cap: NtOpenKeyEx hook disabled due to count: 5004
2025-11-20 09:38:19,220 [root] DEBUG: 3140: api-cap: NtDuplicateObject hook disabled due to count: 5001
2025-11-20 09:38:19,222 [root] DEBUG: 3140: api-cap: NtDuplicateObject hook disabled due to count: 5001
2025-11-20 09:38:19,226 [root] DEBUG: 3140: api-cap: NtDuplicateObject hook disabled due to count: 5002
2025-11-20 09:38:20,230 [root] DEBUG: 3140: api-cap: GetAddrInfoW hook disabled due to count: 5000
2025-11-20 09:38:27,014 [root] DEBUG: 3140: api-cap: NtCreateEvent hook disabled due to count: 5002
2025-11-20 09:38:27,015 [root] DEBUG: 3140: api-cap: NtCreateEvent hook disabled due to count: 5002
2025-11-20 09:38:27,017 [root] DEBUG: 3140: api-cap: NtCreateEvent hook disabled due to count: 5002
2025-11-20 09:38:42,547 [root] DEBUG: 3140: api-cap: socket hook disabled due to count: 5000
2025-11-20 09:39:27,606 [root] INFO: Analysis timeout hit, terminating analysis
2025-11-20 09:39:27,608 [lib.api.process] INFO: Terminate event set for <Process 2620 winlocker_builder_0.6.exe>
2025-11-20 09:39:27,612 [root] DEBUG: 2620: Terminate Event: Attempting to dump process 2620
2025-11-20 09:39:27,615 [root] DEBUG: 2620: DoProcessDump: Skipping process dump as code is identical on disk.
2025-11-20 09:39:27,629 [lib.api.process] INFO: Termination confirmed for <Process 2620 winlocker_builder_0.6.exe>
2025-11-20 09:39:27,629 [root] DEBUG: 2620: Terminate Event: monitor shutdown complete for process 2620
2025-11-20 09:39:27,630 [root] INFO: Terminate event set for process 2620
2025-11-20 09:39:27,630 [lib.api.process] INFO: Terminate event set for <Process 3140 winlocker_builder_0.6.exe>
2025-11-20 09:39:27,631 [root] DEBUG: 3140: Terminate Event: Attempting to dump process 3140
2025-11-20 09:39:27,634 [root] DEBUG: 3140: DoProcessDump: Skipping process dump as code is identical on disk.
2025-11-20 09:39:27,657 [lib.api.process] INFO: Termination confirmed for <Process 3140 winlocker_builder_0.6.exe>
2025-11-20 09:39:27,657 [root] INFO: Terminate event set for process 3140
2025-11-20 09:39:27,658 [root] DEBUG: 3140: Terminate Event: monitor shutdown complete for process 3140
2025-11-20 09:39:27,658 [root] INFO: Created shutdown mutex
2025-11-20 09:39:28,665 [root] INFO: Shutting down package
2025-11-20 09:39:28,665 [root] INFO: Stopping auxiliary modules
2025-11-20 09:39:28,665 [root] INFO: Stopping auxiliary module: Browser
2025-11-20 09:39:28,666 [root] INFO: Stopping auxiliary module: Human
2025-11-20 09:39:33,581 [root] INFO: Stopping auxiliary module: Screenshots
2025-11-20 09:39:33,622 [root] INFO: Finishing auxiliary modules
2025-11-20 09:39:33,622 [root] INFO: Shutting down pipe server and dumping dropped files
2025-11-20 09:39:33,625 [lib.common.results] INFO: Uploading file C:\Temp\_MEI26202\VCRUNTIME140.dll to files\ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e; Size is 97168; Max size: 100000000
2025-11-20 09:39:33,637 [lib.common.results] INFO: Uploading file C:\Temp\_MEI26202\_bz2.pyd to files\4b1d29f19adaf856727fa4a1f50eee0a86c893038dfba2e52f26c11ab5b3672f; Size is 80112; Max size: 100000000
2025-11-20 09:39:33,652 [lib.common.results] INFO: Uploading file C:\Temp\_MEI26202\_decimal.pyd to files\f7864b8b37715a87f4f11d5cbfefd5f1489399e064f7662fa0e0d7c5df59d5e4; Size is 247024; Max size: 100000000
2025-11-20 09:39:33,666 [lib.common.results] INFO: Uploading file C:\Temp\_MEI26202\_hashlib.pyd to files\df47255c100d9cc033a14c7d60051abe89c24da9c60362fe33cdf24c19651f7c; Size is 59120; Max size: 100000000
2025-11-20 09:39:33,683 [lib.common.results] INFO: Uploading file C:\Temp\_MEI26202\_lzma.pyd to files\2e3fd65c4e02c99a61344ce59e09ec7fde74c671db5f82a891732e1140910f20; Size is 153328; Max size: 100000000
2025-11-20 09:39:33,698 [lib.common.results] INFO: Uploading file C:\Temp\_MEI26202\_queue.pyd to files\9ad5bcf2a88e1ffff3b8ee29235dc92ce48b7fca4655e87cb6e4d71bd1150afb; Size is 26856; Max size: 100000000
2025-11-20 09:39:33,702 [lib.common.results] INFO: Uploading file C:\Temp\_MEI26202\_socket.pyd to files\d0497b79345b2c255f6274baea6ac44b74f345e111ab25bf6c91af9b2a3f3b95; Size is 74480; Max size: 100000000
2025-11-20 09:39:33,707 [lib.common.results] INFO: Uploading file C:\Temp\_MEI26202\_ssl.pyd to files\ba6025ab22d8e6c5ad53c66dc919f219a542e87540502905609b33dc0a8dddd8; Size is 155888; Max size: 100000000
2025-11-20 09:39:33,721 [lib.common.results] INFO: Uploading file C:\Temp\_MEI26202\base_library.zip to files\3ab0908f3aff84799207a65d93e04d0e1a4013961da383ca25a0f31d74126974; Size is 879278; Max size: 100000000
2025-11-20 09:39:33,731 [lib.common.results] INFO: Uploading file C:\Temp\_MEI26202\certifi\cacert.pem to files\9102e6a3644a071ba6cdbd4a53698f291c4a64b18450a08bc046548b6db5cc8b; Size is 287634; Max size: 100000000
2025-11-20 09:39:33,752 [lib.common.results] INFO: Uploading file C:\Temp\_MEI26202\charset_normalizer\md.cp310-win_amd64.pyd to files\050db4f1acb328eaed6473dbefce5be4782fc39b5cd96b3371f1eb8ad50e3e7c; Size is 10752; Max size: 100000000
2025-11-20 09:39:33,760 [lib.common.results] INFO: Uploading file C:\Temp\_MEI26202\charset_normalizer\md__mypyc.cp310-win_amd64.pyd to files\3d91cd76d7ba0e99252288b5191c50db5be0d9e2f2bf5fead5dc7bbfff72ba2d; Size is 125952; Max size: 100000000
2025-11-20 09:39:33,806 [lib.common.results] INFO: Uploading file C:\Temp\_MEI26202\libcrypto-1_1.dll to files\664c3e52f914e351bb8a66ce2465ee0d40acab1d2a6b3167ae6acf6f1d1724d2; Size is 3429624; Max size: 100000000
2025-11-20 09:39:33,868 [lib.common.results] INFO: Uploading file C:\Temp\_MEI26202\libssl-1_1.dll to files\b7c0e42c1a60a2a062b899c8d4ebd0c50ef956177ba21785ce07c517c143aeaf; Size is 695032; Max size: 100000000
2025-11-20 09:39:33,939 [lib.common.results] INFO: Uploading file C:\Temp\_MEI26202\python310.dll to files\34f0e44a0d089587e1ea48c1cc4c3164a1819c6db27a7c1b746af46d6388c26e; Size is 4471024; Max size: 100000000
2025-11-20 09:39:33,977 [lib.common.results] INFO: Uploading file C:\Temp\_MEI26202\select.pyd to files\b9ef1709ed4cd0fd72e4c4ba9b7702cb79d1619c11554ea06277f3dac21bd010; Size is 25320; Max size: 100000000
2025-11-20 09:39:34,004 [lib.common.results] INFO: Uploading file C:\Temp\_MEI26202\unicodedata.pyd to files\89c93a672b649cd1e296499333df5b3d9ba2fd28f9280233b56441c69c126631; Size is 1117936; Max size: 100000000
2025-11-20 09:39:34,015 [root] WARNING: Folder at path "C:\KKXkhRvnKv\debugger" does not exist, skipping
2025-11-20 09:39:34,015 [root] INFO: Uploading files at path "C:\KKXkhRvnKv\tlsdump"
2025-11-20 09:39:34,016 [lib.common.results] INFO: Uploading file C:\KKXkhRvnKv\tlsdump\tlsdump.log to tlsdump\tlsdump.log; Size is 274; Max size: 100000000
2025-11-20 09:39:34,019 [root] INFO: Analysis completed
```
| Name | Label | Manager | Started On | Shutdown On | Route |
|---|---|---|---|---|---|
| MalwareGuest | MalwareGuest | Proxmox | 2025-11-20 09:35:59 | 2025-11-20 09:39:45 | internet |
| Direct | IP | Country Name | ASN |
|---|---|---|---|
| N | 45.153.68.37 [VT] | unknown | |
| N | 87.236.16.2 [VT] | unknown | |
| N | 45.130.41.159 [VT] | unknown | |
| N | 45.130.41.252 [VT] | unknown | |
| N | 164.138.103.195 [VT] | unknown | |
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| mozilla.map.fastly.net [VT] | A 151.101.65.91 [VT], A 151.101.193.91 [VT], A 151.101.129.91 [VT], A 151.101.1.91 [VT] | 151.101.1.91 [VT] |
| mozilla.map.fastly.net [VT] | AAAA 2a04:4e42:400::347 [VT], AAAA 2a04:4e42:600::347 [VT], AAAA 2a04:4e42:200::347 [VT], AAAA 2a04:4e42::347 [VT] | 151.101.1.91 [VT] |
| 05.ru [VT] | A 164.138.103.195 [VT] | 164.138.103.195 [VT] |
| fenkovrn.ru [VT] | A 45.130.41.252 [VT] | 45.130.41.252 [VT] |
| roselectronika.ru [VT] | A 45.130.41.159 [VT] | 45.130.41.159 [VT] |
| astore.club [VT] | A 87.236.16.2 [VT] | 87.236.16.2 [VT] |
| elikon.ru [VT] | A 45.153.68.37 [VT] | 45.153.68.37 [VT] |
No hosts contacted.
No TCP connections recorded.
No UDP connections recorded.
No domains contacted.
No HTTP(s) requests performed.
No SMTP traffic performed.
No IRC requests performed.
No ICMP traffic performed.
No CIF Results
No Suricata Alerts
No Suricata TLS
No Suricata HTTP