| Category | Package | Started | Completed | Duration |
|---|---|---|---|---|
| FILE | archive | 2025-11-20 10:16:48 | 2025-11-20 10:17:48 | 60 seconds |
2025-11-20 02:01:54,046 [root] INFO: Date set to: 20251120T10:16:41, timeout set to: 200
2025-11-20 10:16:41,024 [root] DEBUG: Starting analyzer from: C:\k2ffbmig
2025-11-20 10:16:41,025 [root] DEBUG: Storing results at: C:\PrCQdMR
2025-11-20 10:16:41,025 [root] DEBUG: Pipe server name: \\.\PIPE\LTZoRN
2025-11-20 10:16:41,026 [root] DEBUG: Python path: C:\Users\Admin\AppData\Local\Programs\Python\Python313-32
2025-11-20 10:16:41,026 [root] INFO: analysis running as an admin
2025-11-20 10:16:41,027 [root] INFO: analysis package specified: "archive"
2025-11-20 10:16:41,027 [root] DEBUG: importing analysis package module: "modules.packages.archive"...
2025-11-20 10:16:41,073 [root] DEBUG: imported analysis package "archive"
2025-11-20 10:16:41,074 [root] DEBUG: initializing analysis package "archive"...
2025-11-20 10:16:41,074 [lib.common.common] INFO: wrapping
2025-11-20 10:16:41,074 [lib.core.compound] INFO: C:\Temp already exists, skipping creation
2025-11-20 10:16:41,074 [root] DEBUG: New location of moved file: C:\Temp\vesktop.zip
2025-11-20 10:16:41,075 [root] INFO: Analyzer: Package modules.packages.archive does not specify a DLL option
2025-11-20 10:16:41,075 [root] INFO: Analyzer: Package modules.packages.archive does not specify a DLL_64 option
2025-11-20 10:16:41,075 [root] INFO: Analyzer: Package modules.packages.archive does not specify a loader option
2025-11-20 10:16:41,075 [root] INFO: Analyzer: Package modules.packages.archive does not specify a loader_64 option
2025-11-20 10:16:41,094 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-11-20 10:16:41,121 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-11-20 10:16:41,177 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-11-20 10:16:41,212 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-11-20 10:16:41,219 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-11-20 10:16:41,541 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2025-11-20 10:16:41,543 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2025-11-20 10:16:41,751 [lib.api.screenshot] INFO: Please upgrade Pillow to >= 5.4.1 for best performance
2025-11-20 10:16:41,751 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-11-20 10:16:41,754 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-11-20 10:16:41,755 [root] DEBUG: Initialized auxiliary module "Browser"
2025-11-20 10:16:41,755 [root] DEBUG: attempting to configure 'Browser' from data
2025-11-20 10:16:41,757 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-11-20 10:16:41,757 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-11-20 10:16:41,758 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-11-20 10:16:41,758 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-11-20 10:16:41,758 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-11-20 10:16:41,758 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-11-20 10:16:41,759 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-11-20 10:16:41,759 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-11-20 10:16:43,280 [modules.auxiliary.digisig] DEBUG: File format not recognized
2025-11-20 10:16:43,280 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-11-20 10:16:43,290 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-11-20 10:16:43,291 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-11-20 10:16:43,291 [root] DEBUG: attempting to configure 'Disguise' from data
2025-11-20 10:16:43,291 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-11-20 10:16:43,291 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-11-20 10:16:43,292 [modules.auxiliary.disguise] INFO: Disguising GUID to 31d9701d-8c5a-4eb5-8616-1d9dbb97ef23
2025-11-20 10:16:43,292 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-11-20 10:16:43,292 [root] DEBUG: Initialized auxiliary module "Human"
2025-11-20 10:16:43,293 [root] DEBUG: attempting to configure 'Human' from data
2025-11-20 10:16:43,293 [root] DEBUG: module Human does not support data configuration, ignoring
2025-11-20 10:16:43,293 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-11-20 10:16:43,296 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-11-20 10:16:43,296 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-11-20 10:16:43,297 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-11-20 10:16:43,297 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-11-20 10:16:43,298 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-11-20 10:16:43,298 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-11-20 10:16:43,299 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-11-20 10:16:43,299 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-11-20 10:16:43,300 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-11-20 10:16:43,300 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-11-20 10:16:43,303 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 608
2025-11-20 10:16:43,537 [lib.api.process] INFO: Monitor config for <Process 608 lsass.exe>: C:\k2ffbmig\dll\608.ini
2025-11-20 10:16:43,540 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-11-20 10:16:43,564 [lib.api.process] INFO: 64-bit DLL to inject is C:\k2ffbmig\dll\TjKeBkVB.dll, loader C:\k2ffbmig\bin\QxcuWWBV.exe
2025-11-20 10:16:43,589 [root] DEBUG: Loader: Injecting process 608 with C:\k2ffbmig\dll\TjKeBkVB.dll.
2025-11-20 10:16:43,598 [root] DEBUG: 608: Python path set to 'C:\Users\Admin\AppData\Local\Programs\Python\Python313-32'.
2025-11-20 10:16:43,600 [root] DEBUG: 608: Disabling sleep skipping.
2025-11-20 10:16:43,601 [root] DEBUG: 608: TLS secret dump mode enabled.
2025-11-20 10:16:43,637 [root] DEBUG: 608: RtlInsertInvertedFunctionTable 0x00007FFEE348090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEE35DD4F0
2025-11-20 10:16:43,638 [root] DEBUG: 608: Monitor initialised: 64-bit capemon loaded in process 608 at 0x00007FFEB9130000, thread 3428, image base 0x00007FF60EE30000, stack from 0x000000A5F4B72000-0x000000A5F4B80000
2025-11-20 10:16:43,639 [root] DEBUG: 608: Commandline: C:\Windows\system32\lsass.exe
2025-11-20 10:16:43,651 [root] DEBUG: 608: Hooked 5 out of 5 functions
2025-11-20 10:16:43,653 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-11-20 10:16:43,654 [root] DEBUG: Successfully injected DLL C:\k2ffbmig\dll\TjKeBkVB.dll.
2025-11-20 10:16:43,658 [lib.api.process] INFO: Injected into 64-bit <Process 608 lsass.exe>
2025-11-20 10:16:43,658 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump
2025-11-20 10:16:46,859 [root] INFO: Restarting WMI Service
2025-11-20 10:16:48,974 [root] DEBUG: package modules.packages.archive does not support configure, ignoring
2025-11-20 10:16:48,975 [root] WARNING: configuration error for package modules.packages.archive: error importing data.packages.archive: No module named 'data.packages'
2025-11-20 10:16:48,996 [lib.common.zip_utils] DEBUG: ['C:\\Program Files\\7-Zip\\7z.exe', 'l', 'C:\\Temp\\vesktop.zip']
2025-11-20 10:16:49,180 [lib.common.zip_utils] DEBUG: ['C:\\Program Files\\7-Zip\\7z.exe', 'x', '-p', '-y', '-oC:\\vesktop.zip', 'C:\\Temp\\vesktop.zip']
2025-11-20 10:16:53,468 [lib.common.zip_utils] DEBUG: b'\r\n7-Zip 23.01 (x64) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20\r\n\r\nScanning the drive for archives:\r\n1 file, 135061806 bytes (129 MiB)\r\n\r\nExtracting archive: C:\\Temp\\vesktop.zip\r\n--\r\nPath = C:\\Temp\\vesktop.zip\r\nType = zip\r\nPhysical Size = 135061806\r\n\r\nEverything is Ok\r\n\r\nFolders: 3\r\nFiles: 77\r\nSize: 355116794\r\nCompressed: 135061806\r\n' b''
2025-11-20 10:16:53,470 [modules.packages.archive] DEBUG: ['vesktop\\chrome_100_percent.pak', 'vesktop\\chrome_200_percent.pak', 'vesktop\\d3dcompiler_47.dll', 'vesktop\\dxcompiler.dll', 'vesktop\\dxil.dll', 'vesktop\\ffmpeg.dll', 'vesktop\\icudtl.dat', 'vesktop\\libEGL.dll', 'vesktop\\libGLESv2.dll', 'vesktop\\LICENSE.electron.txt', 'vesktop\\LICENSES.chromium.html', 'vesktop\\resources.pak', 'vesktop\\snapshot_blob.bin', 'vesktop\\Uninstall vesktop.exe', 'vesktop\\v8_context_snapshot.bin', 'vesktop\\vesktop.exe', 'vesktop\\vk_swiftshader.dll', 'vesktop\\vk_swiftshader_icd.json', 'vesktop\\vulkan-1.dll', 'vesktop\\locales\\af.pak', 'vesktop\\locales\\am.pak', 'vesktop\\locales\\ar.pak', 'vesktop\\locales\\bg.pak', 'vesktop\\locales\\bn.pak', 'vesktop\\locales\\ca.pak', 'vesktop\\locales\\cs.pak', 'vesktop\\locales\\da.pak', 'vesktop\\locales\\de.pak', 'vesktop\\locales\\el.pak', 'vesktop\\locales\\en-GB.pak', 'vesktop\\locales\\en-US.pak', 'vesktop\\locales\\es-419.pak', 'vesktop\\locales\\es.pak', 'vesktop\\locales\\et.pak', 'vesktop\\locales\\fa.pak', 'vesktop\\locales\\fi.pak', 'vesktop\\locales\\fil.pak', 'vesktop\\locales\\fr.pak', 'vesktop\\locales\\gu.pak', 'vesktop\\locales\\he.pak', 'vesktop\\locales\\hi.pak', 'vesktop\\locales\\hr.pak', 'vesktop\\locales\\hu.pak', 'vesktop\\locales\\id.pak', 'vesktop\\locales\\it.pak', 'vesktop\\locales\\ja.pak', 'vesktop\\locales\\kn.pak', 'vesktop\\locales\\ko.pak', 'vesktop\\locales\\lt.pak', 'vesktop\\locales\\lv.pak', 'vesktop\\locales\\ml.pak', 'vesktop\\locales\\mr.pak', 'vesktop\\locales\\ms.pak', 'vesktop\\locales\\nb.pak', 'vesktop\\locales\\nl.pak', 'vesktop\\locales\\pl.pak', 'vesktop\\locales\\pt-BR.pak', 'vesktop\\locales\\pt-PT.pak', 'vesktop\\locales\\ro.pak', 'vesktop\\locales\\ru.pak', 'vesktop\\locales\\sk.pak', 'vesktop\\locales\\sl.pak', 'vesktop\\locales\\sr.pak', 'vesktop\\locales\\sv.pak', 'vesktop\\locales\\sw.pak', 'vesktop\\locales\\ta.pak', 'vesktop\\locales\\te.pak', 'vesktop\\locales\\th.pak', 'vesktop\\locales\\tr.pak', 'vesktop\\locales\\uk.pak', 'vesktop\\locales\\ur.pak', 'vesktop\\locales\\vi.pak', 'vesktop\\locales\\zh-CN.pak', 'vesktop\\locales\\zh-TW.pak', 'vesktop\\resources\\app-update.yml', 'vesktop\\resources\\app.asar', 'vesktop\\resources\\elevate.exe']
2025-11-20 10:16:53,471 [modules.packages.archive] DEBUG: Replacing ['vesktop', 'vesktop\\chrome_100_percent.pak', 'vesktop\\chrome_200_percent.pak', 'vesktop\\d3dcompiler_47.dll', 'vesktop\\dxcompiler.dll', 'vesktop\\dxil.dll', 'vesktop\\ffmpeg.dll', 'vesktop\\icudtl.dat', 'vesktop\\libEGL.dll', 'vesktop\\libGLESv2.dll', 'vesktop\\LICENSE.electron.txt', 'vesktop\\LICENSES.chromium.html', 'vesktop\\locales', 'vesktop\\locales\\af.pak', 'vesktop\\locales\\am.pak', 'vesktop\\locales\\ar.pak', 'vesktop\\locales\\bg.pak', 'vesktop\\locales\\bn.pak', 'vesktop\\locales\\ca.pak', 'vesktop\\locales\\cs.pak', 'vesktop\\locales\\da.pak', 'vesktop\\locales\\de.pak', 'vesktop\\locales\\el.pak', 'vesktop\\locales\\en-GB.pak', 'vesktop\\locales\\en-US.pak', 'vesktop\\locales\\es-419.pak', 'vesktop\\locales\\es.pak', 'vesktop\\locales\\et.pak', 'vesktop\\locales\\fa.pak', 'vesktop\\locales\\fi.pak', 'vesktop\\locales\\fil.pak', 'vesktop\\locales\\fr.pak', 'vesktop\\locales\\gu.pak', 'vesktop\\locales\\he.pak', 'vesktop\\locales\\hi.pak', 'vesktop\\locales\\hr.pak', 'vesktop\\locales\\hu.pak', 'vesktop\\locales\\id.pak', 'vesktop\\locales\\it.pak', 'vesktop\\locales\\ja.pak', 'vesktop\\locales\\kn.pak', 'vesktop\\locales\\ko.pak', 'vesktop\\locales\\lt.pak', 'vesktop\\locales\\lv.pak', 'vesktop\\locales\\ml.pak', 'vesktop\\locales\\mr.pak', 'vesktop\\locales\\ms.pak', 'vesktop\\locales\\nb.pak', 'vesktop\\locales\\nl.pak', 'vesktop\\locales\\pl.pak', 'vesktop\\locales\\pt-BR.pak', 'vesktop\\locales\\pt-PT.pak', 'vesktop\\locales\\ro.pak', 'vesktop\\locales\\ru.pak', 'vesktop\\locales\\sk.pak', 'vesktop\\locales\\sl.pak', 'vesktop\\locales\\sr.pak', 'vesktop\\locales\\sv.pak', 'vesktop\\locales\\sw.pak', 'vesktop\\locales\\ta.pak', 'vesktop\\locales\\te.pak', 'vesktop\\locales\\th.pak', 'vesktop\\locales\\tr.pak', 'vesktop\\locales\\uk.pak', 'vesktop\\locales\\ur.pak', 'vesktop\\locales\\vi.pak', 'vesktop\\locales\\zh-CN.pak', 'vesktop\\locales\\zh-TW.pak', 'vesktop\\resources', 'vesktop\\resources\\app-update.yml', 'vesktop\\resources\\app.asar', 'vesktop\\resources\\elevate.exe', 'vesktop\\resources.pak', 'vesktop\\snapshot_blob.bin', 'vesktop\\Uninstall vesktop.exe', 'vesktop\\v8_context_snapshot.bin', 'vesktop\\vesktop.exe', 'vesktop\\vk_swiftshader.dll', 'vesktop\\vk_swiftshader_icd.json', 'vesktop\\vulkan-1.dll'] with ['vesktop\\chrome_100_percent.pak', 'vesktop\\chrome_200_percent.pak', 'vesktop\\d3dcompiler_47.dll', 'vesktop\\dxcompiler.dll', 'vesktop\\dxil.dll', 'vesktop\\ffmpeg.dll', 'vesktop\\icudtl.dat', 'vesktop\\libEGL.dll', 'vesktop\\libGLESv2.dll', 'vesktop\\LICENSE.electron.txt', 'vesktop\\LICENSES.chromium.html', 'vesktop\\resources.pak', 'vesktop\\snapshot_blob.bin', 'vesktop\\Uninstall vesktop.exe', 'vesktop\\v8_context_snapshot.bin', 'vesktop\\vesktop.exe', 'vesktop\\vk_swiftshader.dll', 'vesktop\\vk_swiftshader_icd.json', 'vesktop\\vulkan-1.dll', 'vesktop\\locales\\af.pak', 'vesktop\\locales\\am.pak', 'vesktop\\locales\\ar.pak', 'vesktop\\locales\\bg.pak', 'vesktop\\locales\\bn.pak', 'vesktop\\locales\\ca.pak', 'vesktop\\locales\\cs.pak', 'vesktop\\locales\\da.pak', 'vesktop\\locales\\de.pak', 'vesktop\\locales\\el.pak', 'vesktop\\locales\\en-GB.pak', 'vesktop\\locales\\en-US.pak', 'vesktop\\locales\\es-419.pak', 'vesktop\\locales\\es.pak', 'vesktop\\locales\\et.pak', 'vesktop\\locales\\fa.pak', 'vesktop\\locales\\fi.pak', 'vesktop\\locales\\fil.pak', 'vesktop\\locales\\fr.pak', 'vesktop\\locales\\gu.pak', 'vesktop\\locales\\he.pak', 'vesktop\\locales\\hi.pak', 'vesktop\\locales\\hr.pak', 'vesktop\\locales\\hu.pak', 'vesktop\\locales\\id.pak', 'vesktop\\locales\\it.pak', 'vesktop\\locales\\ja.pak', 'vesktop\\locales\\kn.pak', 'vesktop\\locales\\ko.pak', 'vesktop\\locales\\lt.pak', 'vesktop\\locales\\lv.pak', 'vesktop\\locales\\ml.pak', 'vesktop\\locales\\mr.pak', 'vesktop\\locales\\ms.pak', 'vesktop\\locales\\nb.pak', 'vesktop\\locales\\nl.pak', 'vesktop\\locales\\pl.pak', 'vesktop\\locales\\pt-BR.pak', 'vesktop\\locales\\pt-PT.pak', 'vesktop\\locales\\ro.pak', 'vesktop\\locales\\ru.pak', 'vesktop\\locales\\sk.pak', 'vesktop\\locales\\sl.pak', 'vesktop\\locales\\sr.pak', 'vesktop\\locales\\sv.pak', 'vesktop\\locales\\sw.pak', 'vesktop\\locales\\ta.pak', 'vesktop\\locales\\te.pak', 'vesktop\\locales\\th.pak', 'vesktop\\locales\\tr.pak', 'vesktop\\locales\\uk.pak', 'vesktop\\locales\\ur.pak', 'vesktop\\locales\\vi.pak', 'vesktop\\locales\\zh-CN.pak', 'vesktop\\locales\\zh-TW.pak', 'vesktop\\resources\\app-update.yml', 'vesktop\\resources\\app.asar', 'vesktop\\resources\\elevate.exe']
2025-11-20 10:16:53,471 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\chrome_100_percent.pak to host
2025-11-20 10:16:53,475 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\chrome_100_percent.pak to files/45d14a4278b1e152b363197401a5604aa5a3cee6512a6b52df978038fa521a0f; Size is 114781; Max size: 100000000
2025-11-20 10:16:53,482 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\chrome_200_percent.pak to host
2025-11-20 10:16:53,485 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\chrome_200_percent.pak to files/aafc61b89748d17fcbc9fecd9844a77be2c584529a81714c98e0c4d453ea9496; Size is 186658; Max size: 100000000
2025-11-20 10:16:53,500 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\d3dcompiler_47.dll to host
2025-11-20 10:16:53,551 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\d3dcompiler_47.dll to files/c8e25abd3d45dfb55966a74613258c39b4a83ea2ac77f2f80903499f4d5c03f0; Size is 4741480; Max size: 100000000
2025-11-20 10:16:53,598 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\dxcompiler.dll to host
2025-11-20 10:16:53,853 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\dxcompiler.dll to files/25910d2b13581368afd6351feda6b7167ca16f1d8d45676c28b82cb641593594; Size is 26071040; Max size: 100000000
2025-11-20 10:16:54,025 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\dxil.dll to host
2025-11-20 10:16:54,039 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\dxil.dll to files/436f128f22050ae27323da61321a469de0678def7a4e6d86f9ccad4858724f0a; Size is 1503600; Max size: 100000000
2025-11-20 10:16:54,053 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\ffmpeg.dll to host
2025-11-20 10:16:54,080 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\ffmpeg.dll to files/572bb16b97da5d79c3ed44873981aa0e7e1efaf5926db81e00e4546d88434e89; Size is 3058176; Max size: 100000000
2025-11-20 10:16:54,124 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\icudtl.dat to host
2025-11-20 10:16:54,227 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\icudtl.dat to files/5070de99fbd8a48378543511fb7a072f85bf36f94b4f4e1d420d54be1435d6f1; Size is 10467680; Max size: 100000000
2025-11-20 10:16:54,303 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\libEGL.dll to host
2025-11-20 10:16:54,309 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\libEGL.dll to files/8a1b5f0c6d491ec67d03816fd7b7baf7772cb5deb41f37cd949e7788bfde1997; Size is 504320; Max size: 100000000
2025-11-20 10:16:54,329 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\libGLESv2.dll to host
2025-11-20 10:16:54,403 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\libGLESv2.dll to files/7e9623fe8e641bfe80fdeb611029ac266d5ca9f2c65d306f190bcf9f63638acb; Size is 8399872; Max size: 100000000
2025-11-20 10:16:54,577 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\LICENSE.electron.txt to host
2025-11-20 10:16:54,580 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\LICENSE.electron.txt to files/5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d; Size is 1096; Max size: 100000000
2025-11-20 10:16:54,583 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\LICENSES.chromium.html to host
2025-11-20 10:16:54,722 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\LICENSES.chromium.html to files/c16ee3cc1aa0d1669a839428ef26869d7a3844a43df505377b85077e1db14396; Size is 15102119; Max size: 100000000
2025-11-20 10:16:54,815 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\resources.pak to host
2025-11-20 10:16:54,872 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\resources.pak to files/75759d014d085ad2dc8772775ce165eda55fff890bdae0acd252796e32ccd836; Size is 6300973; Max size: 100000000
2025-11-20 10:16:54,937 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\snapshot_blob.bin to host
2025-11-20 10:16:54,942 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\snapshot_blob.bin to files/53b1d8a58564147d34384e6dd4e6f4eb76c9c78eae8c9e48baed031817c18937; Size is 403834; Max size: 100000000
2025-11-20 10:16:54,965 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\Uninstall vesktop.exe to host
2025-11-20 10:16:54,971 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\Uninstall vesktop.exe to files/ae3015444332c009803c56016931af3a68391dfeaf9f7867951b4c97f9b48942; Size is 528833; Max size: 100000000
2025-11-20 10:16:54,986 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\v8_context_snapshot.bin to host
2025-11-20 10:16:54,994 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\v8_context_snapshot.bin to files/18e61e7439cac6193040e2590e47c43fa59ae74d86c881e581852554c29fa06d; Size is 776865; Max size: 100000000
2025-11-20 10:16:55,001 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\vesktop.exe to host
2025-11-20 10:16:56,928 [lib.common.results] WARNING: File C:\vesktop.zip\vesktop\vesktop.exe size is too big: 210838528, ignoring
2025-11-20 10:16:56,929 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\vk_swiftshader.dll to host
2025-11-20 10:16:56,978 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\vk_swiftshader.dll to files/d9a45d05a557028db82c374230b1797cca3f87cb7b7656846360be2a84f88149; Size is 5640704; Max size: 100000000
2025-11-20 10:16:57,020 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\vk_swiftshader_icd.json to host
2025-11-20 10:16:57,021 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\vk_swiftshader_icd.json to files/32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9; Size is 106; Max size: 100000000
2025-11-20 10:16:57,034 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\vulkan-1.dll to host
2025-11-20 10:16:57,044 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\vulkan-1.dll to files/bf53271ae7ce29ee5865b871ac834b20cb2d451b807a3f812f59c80fe26f9a18; Size is 944128; Max size: 100000000
2025-11-20 10:16:57,050 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\af.pak to host
2025-11-20 10:16:57,056 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\af.pak to files/ebfdf1ca739f74b0b58a7965094274523fe2deb44fa0afff5bed98635b70326a; Size is 581539; Max size: 100000000
2025-11-20 10:16:57,069 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\am.pak to host
2025-11-20 10:16:57,078 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\am.pak to files/e04aff8c10e90113e7fd281e067ad2b95703a1ebfa2cfac5a38c7090ae58d5bd; Size is 943256; Max size: 100000000
2025-11-20 10:16:57,086 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\ar.pak to host
2025-11-20 10:16:57,103 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\ar.pak to files/44c7e802f47dd41335825b824d11a50b7122f065469378da258fe68df5f59c0b; Size is 1041242; Max size: 100000000
2025-11-20 10:16:57,113 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\bg.pak to host
2025-11-20 10:16:57,124 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\bg.pak to files/c66991330d9f7423ee26ecb8737f234e17982d782237121352ae925c2e44f904; Size is 1075890; Max size: 100000000
2025-11-20 10:16:57,139 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\bn.pak to host
2025-11-20 10:16:57,152 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\bn.pak to files/15a6cefa698a938d2212d1b0d275299dea5a2e8a3c292f80ef7ca43fd27472a4; Size is 1388243; Max size: 100000000
2025-11-20 10:16:57,194 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\ca.pak to host
2025-11-20 10:16:57,200 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\ca.pak to files/f65d82a9e81a8c135e35de1086bb1728e84125e650c5a9bb3a1a5592612ca4a0; Size is 655658; Max size: 100000000
2025-11-20 10:16:57,213 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\cs.pak to host
2025-11-20 10:16:57,222 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\cs.pak to files/d1b71e5fc5eeae3fe3a0e7434d0be2a72db1de4b8e2d7a7bd2ef8aad111a3e23; Size is 679712; Max size: 100000000
2025-11-20 10:16:57,237 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\da.pak to host
2025-11-20 10:16:57,244 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\da.pak to files/6c6c35e64f6a9213f64b76cee34d7f18ed5c456355a449ff2c51201600915fd4; Size is 612361; Max size: 100000000
2025-11-20 10:16:57,260 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\de.pak to host
2025-11-20 10:16:57,267 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\de.pak to files/0f320e62aed97197de2e27bb06a797b8faeb2674f53fc334af525905a987a707; Size is 656517; Max size: 100000000
2025-11-20 10:16:57,284 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\el.pak to host
2025-11-20 10:16:57,296 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\el.pak to files/c7e3ffd6424050f77a204cd243da7ad615e7df6096474589f33f5bbbd992dd8f; Size is 1183268; Max size: 100000000
2025-11-20 10:16:57,310 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\en-GB.pak to host
2025-11-20 10:16:57,316 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\en-GB.pak to files/d25573feb04edd24b29f3f1e6139a3348ea31ac5d50586cf032a8f56a5bbe198; Size is 530749; Max size: 100000000
2025-11-20 10:16:57,334 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\en-US.pak to host
2025-11-20 10:16:57,340 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\en-US.pak to files/d4b35269d3b629c9895f3a6f98178f8578db37a7e840c9ea496c53044729b796; Size is 536882; Max size: 100000000
2025-11-20 10:16:57,350 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\es-419.pak to host
2025-11-20 10:16:57,357 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\es-419.pak to files/78480bc1b80a923f8bf4209ea6ee3f6963518864c54c09888e8a531eaf298fb0; Size is 646017; Max size: 100000000
2025-11-20 10:16:57,362 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\es.pak to host
2025-11-20 10:16:57,369 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\es.pak to files/e97de891605549684ccb3700871b448327d6777f14f1946cd33de326e10b7d9d; Size is 643718; Max size: 100000000
2025-11-20 10:16:57,386 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\et.pak to host
2025-11-20 10:16:57,392 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\et.pak to files/f304e16a3820f8f9f624c1c5ed1eae2c2fd20807616280f0aa9736d50674d694; Size is 587336; Max size: 100000000
2025-11-20 10:16:57,409 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\fa.pak to host
2025-11-20 10:16:57,418 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\fa.pak to files/fac7c1836c64eeaabcf437fbb8f9b6c12060686b6502e7f28c60e31605f58474; Size is 969319; Max size: 100000000
2025-11-20 10:16:57,431 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\fi.pak to host
2025-11-20 10:16:57,438 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\fi.pak to files/29220b9d2e2aacb542ee0905b676b914a748332bc7831fe0da0f453252f88235; Size is 598169; Max size: 100000000
2025-11-20 10:16:57,444 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\fil.pak to host
2025-11-20 10:16:57,452 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\fil.pak to files/9c2c3db51dd197c0ece433fa103829a96daa5a4b3335324f1a98bcd7345cafaa; Size is 678514; Max size: 100000000
2025-11-20 10:16:57,460 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\fr.pak to host
2025-11-20 10:16:57,467 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\fr.pak to files/38139282dbcd2229e4adead79ff4763c60d261b55c64057c66d9db666be2cb02; Size is 698515; Max size: 100000000
2025-11-20 10:16:57,472 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\gu.pak to host
2025-11-20 10:16:57,485 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\gu.pak to files/149237780840b625b95321117cfaeccf5d54d6ac870a9886fcb9a3bcb1e6080a; Size is 1370341; Max size: 100000000
2025-11-20 10:16:57,496 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\he.pak to host
2025-11-20 10:16:57,505 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\he.pak to files/c4a828d6425bfc888d6e79ac1d9220926af6737c3eea05d86f0796206f7eef62; Size is 849299; Max size: 100000000
2025-11-20 10:16:57,524 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\hi.pak to host
2025-11-20 10:16:57,538 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\hi.pak to files/2acf2e5770dc1d8ca5fe4b93eef94f0395e44780e97eac8c03b3707c0e0e40ef; Size is 1449018; Max size: 100000000
2025-11-20 10:16:57,559 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\hr.pak to host
2025-11-20 10:16:57,566 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\hr.pak to files/a104df3eadd5a8217d58204b7407724c3c7731a32fb47fb6265090ece347ee86; Size is 654642; Max size: 100000000
2025-11-20 10:16:57,585 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\hu.pak to host
2025-11-20 10:16:57,592 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\hu.pak to files/0e3d482b4b09cacadf58043acd55baa2705fa631d1217ca0e10c7a8cc114fa73; Size is 701000; Max size: 100000000
2025-11-20 10:16:57,601 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\id.pak to host
2025-11-20 10:16:57,607 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\id.pak to files/0b35177ee2ca68f9ed7b516d6920696971cc9dbf2187c92f63adfa8e696e4921; Size is 579257; Max size: 100000000
2025-11-20 10:16:57,612 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\it.pak to host
2025-11-20 10:16:57,619 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\it.pak to files/ed64dadb92c0113bd03c56c0417e0c1930d0ef17d76f5f6c356e6ede66a094eb; Size is 634659; Max size: 100000000
2025-11-20 10:16:57,632 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\ja.pak to host
2025-11-20 10:16:57,640 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\ja.pak to files/25b71276ae5ddbe98e8cd237031d25954d02883584dba4a86ba5e16d7c308493; Size is 772093; Max size: 100000000
2025-11-20 10:16:57,644 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\kn.pak to host
2025-11-20 10:16:57,658 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\kn.pak to files/1ba01542213e2d3e9da15d930922a12c0916b002665d6d7d9a2fb2f483f3aa6a; Size is 1568918; Max size: 100000000
2025-11-20 10:16:57,698 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\ko.pak to host
2025-11-20 10:16:57,706 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\ko.pak to files/baa4dc565c14119a4cae9016314b284d2795fbc427a76e54b27799910d3b777a; Size is 655400; Max size: 100000000
2025-11-20 10:16:57,727 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\lt.pak to host
2025-11-20 10:16:57,734 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\lt.pak to files/cc3ad14a054ef5db438523d56f33cec0eddddcec82161c3ff231eeb6cd747e4f; Size is 710958; Max size: 100000000
2025-11-20 10:16:57,783 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\lv.pak to host
2025-11-20 10:16:57,805 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\lv.pak to files/b792d7adf76e8a87cd0fe28947b0683859e91d0f05b119a14964239d28165b2e; Size is 708648; Max size: 100000000
2025-11-20 10:16:57,815 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\ml.pak to host
2025-11-20 10:16:57,830 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\ml.pak to files/007fbd34d82ad4faf6ff8c0192a09783b37bf988ef76f4dc6ce8a93cd7364fff; Size is 1620601; Max size: 100000000
2025-11-20 10:16:57,855 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\mr.pak to host
2025-11-20 10:16:57,868 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\mr.pak to files/c0b460f8fcf6a46f94385ffe57d9be6ca1bbff317cc866bd2c7722d813c04df1; Size is 1340792; Max size: 100000000
2025-11-20 10:16:57,898 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\ms.pak to host
2025-11-20 10:16:57,904 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\ms.pak to files/195a63e82ca877f07e12eb531779e2b93f35b4f45accaea4e9d133d6b52f1883; Size is 609504; Max size: 100000000
2025-11-20 10:16:57,911 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\nb.pak to host
2025-11-20 10:16:57,917 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\nb.pak to files/0eeca6206c27b7246a9ef09217b00e60ba3d0f72cce528e9dc21836c32ac2d66; Size is 585928; Max size: 100000000
2025-11-20 10:16:57,927 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\nl.pak to host
2025-11-20 10:16:57,933 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\nl.pak to files/8189f284e1e1b665c17b91becf084cdad8e88d0574dd99f165c994885a7668c9; Size is 609092; Max size: 100000000
2025-11-20 10:16:57,939 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\pl.pak to host
2025-11-20 10:16:57,945 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\pl.pak to files/504077baf20983656f334b7a2bd78e97ad267c1243ffaca05d83723724c30508; Size is 679415; Max size: 100000000
2025-11-20 10:16:57,955 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\pt-BR.pak to host
2025-11-20 10:16:57,961 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\pt-BR.pak to files/423059732c14cd00c450ea2d6b9204c34954ac117169abb506ec248da6250052; Size is 636976; Max size: 100000000
2025-11-20 10:16:57,970 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\pt-PT.pak to host
2025-11-20 10:16:57,976 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\pt-PT.pak to files/6ae5c44e2044c1fa754d2cfbd79a33d3b9c2bd24702622df0f641bdbc7991435; Size is 640614; Max size: 100000000
2025-11-20 10:16:57,986 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\ro.pak to host
2025-11-20 10:16:57,993 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\ro.pak to files/8880b2ee29244efa9fe250d88f17dd5ae8f3e56a354c8208c5d4be4ff7cc3b74; Size is 664052; Max size: 100000000
2025-11-20 10:16:58,001 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\ru.pak to host
2025-11-20 10:16:58,012 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\ru.pak to files/4de88dade1118467dce77afa84802c2e52e49a574bf91cd8db9262d687f86000; Size is 1099422; Max size: 100000000
2025-11-20 10:16:58,025 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\sk.pak to host
2025-11-20 10:16:58,032 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\sk.pak to files/d0aa4f73024ae7f8bc95a6e6e8975fdf65cfa52d0c500f7e04db483d13fc1566; Size is 691087; Max size: 100000000
2025-11-20 10:16:58,056 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\sl.pak to host
2025-11-20 10:16:58,067 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\sl.pak to files/7fb4f5154e2f158777bb5b03dfd35f1037bafa6be772203f96e5c53f7a771643; Size is 661889; Max size: 100000000
2025-11-20 10:16:58,079 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\sr.pak to host
2025-11-20 10:16:58,090 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\sr.pak to files/39dffe2ac8a038bc8ab98b3796da08109d7b0201299a0b8411d0290b507dafda; Size is 1017075; Max size: 100000000
2025-11-20 10:16:58,105 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\sv.pak to host
2025-11-20 10:16:58,111 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\sv.pak to files/78c25c86c120e4db41ecce3d91ebe550d127a97d8b72c719d3a2a433973946d2; Size is 591734; Max size: 100000000
2025-11-20 10:16:58,126 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\sw.pak to host
2025-11-20 10:16:58,133 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\sw.pak to files/c2df1fc14a64c19c92d9b9b891aee74ee1d9319cc054642251c517ed00363bae; Size is 625307; Max size: 100000000
2025-11-20 10:16:58,142 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\ta.pak to host
2025-11-20 10:16:58,157 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\ta.pak to files/b7dcc6f63181392752f4522d3bbb573fd4a6ec65f9058a922ac61ce21b257b76; Size is 1611499; Max size: 100000000
2025-11-20 10:16:58,183 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\te.pak to host
2025-11-20 10:16:58,197 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\te.pak to files/72cf1e05c189751946df56b1847776ffbbc2b4460fad07a070c4c33396516ef2; Size is 1491212; Max size: 100000000
2025-11-20 10:16:58,213 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\th.pak to host
2025-11-20 10:16:58,226 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\th.pak to files/45a573589f11c1694490913c00bbff65d57e232d33ca2270ac2e443207b971d2; Size is 1251780; Max size: 100000000
2025-11-20 10:16:58,243 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\tr.pak to host
2025-11-20 10:16:58,250 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\tr.pak to files/a75be19b6203daafc5c01f8ada1ba464076346a4d4959a2e05e91523ac56c446; Size is 636522; Max size: 100000000
2025-11-20 10:16:58,271 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\uk.pak to host
2025-11-20 10:16:58,282 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\uk.pak to files/01989ebc539c272ed8eddd3a9d25810e39c7fa0276a19562492f5b332ddc380f; Size is 1105739; Max size: 100000000
2025-11-20 10:16:58,319 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\ur.pak to host
2025-11-20 10:16:58,328 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\ur.pak to files/d99ccf422979a0dda1c46919934e6eb599d2b75a7c724c34b761da8215a727db; Size is 956025; Max size: 100000000
2025-11-20 10:16:58,345 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\vi.pak to host
2025-11-20 10:16:58,353 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\vi.pak to files/2b28fc3de60a6f3e75423bde8bd681fdfd149372455070e6aa0508581707e94d; Size is 755237; Max size: 100000000
2025-11-20 10:16:58,365 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\zh-CN.pak to host
2025-11-20 10:16:58,371 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\zh-CN.pak to files/03754412deb511ddac23a23e0858bba40373b5053bf97cc21e9e0b3c5d00ec4c; Size is 541981; Max size: 100000000
2025-11-20 10:16:58,376 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\locales\zh-TW.pak to host
2025-11-20 10:16:58,382 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\locales\zh-TW.pak to files/d97e1a4b2b3b7b64e92dd419480f8abe84fe3148834cdef5abc31b36f69391bd; Size is 535963; Max size: 100000000
2025-11-20 10:16:58,392 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\resources\app-update.yml to host
2025-11-20 10:16:58,394 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\resources\app-update.yml to files/00f7a4b067d59666fe8c6daff7df43b73572d079ef55e465e86b0deeb9b56451; Size is 83; Max size: 100000000
2025-11-20 10:16:58,407 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\resources\app.asar to host
2025-11-20 10:16:58,522 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\resources\app.asar to files/d5559be502dbfa0730af12eb48756769032face7417deb4786bb5a7b61ef9413; Size is 13103814; Max size: 100000000
2025-11-20 10:16:58,624 [lib.common.zip_utils] INFO: Uploading C:\vesktop.zip\vesktop\resources\elevate.exe to host
2025-11-20 10:16:58,627 [lib.common.results] INFO: Uploading file C:\vesktop.zip\vesktop\resources\elevate.exe to files/9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37; Size is 107520; Max size: 100000000
2025-11-20 10:16:59,634 [modules.packages.archive] DEBUG: Missing file option, auto executing: ['vesktop\\d3dcompiler_47.dll', 'vesktop\\dxcompiler.dll', 'vesktop\\dxil.dll', 'vesktop\\ffmpeg.dll', 'vesktop\\icudtl.dat', 'vesktop\\libEGL.dll', 'vesktop\\libGLESv2.dll', 'vesktop\\LICENSES.chromium.html', 'vesktop\\Uninstall vesktop.exe', 'vesktop\\vesktop.exe', 'vesktop\\vk_swiftshader.dll', 'vesktop\\vulkan-1.dll', 'vesktop\\resources\\elevate.exe']
2025-11-20 10:16:59,636 [lib.core.compound] INFO: C:\Temp already exists, skipping creation
2025-11-20 10:16:59,648 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\system32\rundll32.exe" with arguments ""C:\vesktop.zip\vesktop\d3dcompiler_47.dll",#1" with pid 1368
2025-11-20 10:16:59,648 [lib.api.process] INFO: Monitor config for <Process 1368 rundll32.exe>: C:\k2ffbmig\dll\1368.ini
2025-11-20 10:16:59,654 [lib.api.process] INFO: 32-bit DLL to inject is C:\k2ffbmig\dll\VGCgjUjb.dll, loader C:\k2ffbmig\bin\oLlatlP.exe
2025-11-20 10:16:59,681 [root] DEBUG: Loader: Injecting process 1368 (thread 2312) with C:\k2ffbmig\dll\VGCgjUjb.dll.
2025-11-20 10:16:59,683 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-11-20 10:16:59,685 [root] DEBUG: Successfully injected DLL C:\k2ffbmig\dll\VGCgjUjb.dll.
2025-11-20 10:16:59,688 [lib.api.process] INFO: Injected into 32-bit <Process 1368 rundll32.exe>
2025-11-20 10:17:01,701 [lib.api.process] INFO: Successfully resumed <Process 1368 rundll32.exe>
2025-11-20 10:17:01,703 [lib.core.compound] INFO: C:\Temp already exists, skipping creation
2025-11-20 10:17:01,708 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\system32\rundll32.exe" with arguments ""C:\vesktop.zip\vesktop\dxcompiler.dll",#1" with pid 2100
2025-11-20 10:17:01,709 [lib.api.process] INFO: Monitor config for <Process 2100 rundll32.exe>: C:\k2ffbmig\dll\2100.ini
2025-11-20 10:17:01,713 [lib.api.process] INFO: 32-bit DLL to inject is C:\k2ffbmig\dll\VGCgjUjb.dll, loader C:\k2ffbmig\bin\oLlatlP.exe
2025-11-20 10:17:01,726 [root] DEBUG: Loader: Injecting process 2100 (thread 2052) with C:\k2ffbmig\dll\VGCgjUjb.dll.
2025-11-20 10:17:01,727 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-11-20 10:17:01,728 [root] DEBUG: Successfully injected DLL C:\k2ffbmig\dll\VGCgjUjb.dll.
2025-11-20 10:17:01,731 [lib.api.process] INFO: Injected into 32-bit <Process 2100 rundll32.exe>
2025-11-20 10:17:01,762 [root] DEBUG: 1368: Python path set to 'C:\Users\Admin\AppData\Local\Programs\Python\Python313-32'.
2025-11-20 10:17:01,764 [root] DEBUG: 1368: Disabling sleep skipping.
2025-11-20 10:17:01,765 [root] DEBUG: 1368: Dropped file limit defaulting to 100.
2025-11-20 10:17:01,783 [root] DEBUG: 1368: YaraInit: Compiled 43 rule files
2025-11-20 10:17:01,787 [root] DEBUG: 1368: YaraInit: Compiled rules saved to file C:\k2ffbmig\data\yara\capemon.yac
2025-11-20 10:17:01,788 [root] DEBUG: 1368: YaraScan: Scanning 0x00280000, size 0x136e8
2025-11-20 10:17:01,790 [root] DEBUG: 1368: Monitor initialised: 32-bit capemon loaded in process 1368 at 0x72e90000, thread 2312, image base 0x280000, stack from 0x2673000-0x2680000
2025-11-20 10:17:01,791 [root] DEBUG: 1368: Commandline: "C:\Windows\system32\rundll32.exe" "C:\vesktop.zip\vesktop\d3dcompiler_47.dll",#1
2025-11-20 10:17:01,837 [root] DEBUG: 1368: hook_api: LdrpCallInitRoutine export address 0x76FC2B50 obtained via GetFunctionAddress
2025-11-20 10:17:01,842 [root] DEBUG: 1368: hook_api: Warning - CreateProcessA export address 0x76552D70 differs from GetProcAddress -> 0x731F22A0 (AcLayers.DLL::0x222a0)
2025-11-20 10:17:01,842 [root] DEBUG: 1368: hook_api: Warning - CreateProcessW export address 0x765388E0 differs from GetProcAddress -> 0x731F24E0 (AcLayers.DLL::0x224e0)
2025-11-20 10:17:01,843 [root] DEBUG: 1368: hook_api: Warning - WinExec export address 0x7657CF20 differs from GetProcAddress -> 0x731F27A0 (AcLayers.DLL::0x227a0)
2025-11-20 10:17:01,876 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2025-11-20 10:17:01,876 [root] DEBUG: 1368: set_hooks: Unable to hook GetCommandLineA
2025-11-20 10:17:01,877 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2025-11-20 10:17:01,878 [root] DEBUG: 1368: set_hooks: Unable to hook GetCommandLineW
2025-11-20 10:17:01,893 [root] DEBUG: 1368: Hooked 625 out of 627 functions
2025-11-20 10:17:01,895 [root] DEBUG: 1368: Syscall hook installed, syscall logging level 1
2025-11-20 10:17:01,902 [root] DEBUG: 1368: RestoreHeaders: Restored original import table.
2025-11-20 10:17:01,903 [root] INFO: Loaded monitor into process with pid 1368
2025-11-20 10:17:01,905 [root] DEBUG: 1368: caller_dispatch: Added region at 0x00280000 to tracked regions list (ntdll::memcpy returns to 0x00285F1A, thread 2312).
2025-11-20 10:17:01,905 [root] DEBUG: 1368: YaraScan: Scanning 0x00280000, size 0x136e8
2025-11-20 10:17:01,907 [root] DEBUG: 1368: ProcessImageBase: Main module image at 0x00280000 unmodified (entropy change 0.000000e+00)
2025-11-20 10:17:01,931 [root] DEBUG: 1368: InstrumentationCallback: Added region at 0x7654274C (base 0x76520000) to tracked regions list (thread 2312).
2025-11-20 10:17:01,932 [root] DEBUG: 1368: ProcessTrackedRegion: Region at 0x76520000 mapped as \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll is in known range, skipping
2025-11-20 10:17:01,940 [root] DEBUG: 1368: CreateProcessHandler: Injection info set for new process 1012: C:\Windows\system32\rundll32.exe, ImageBase: 0x00000000
2025-11-20 10:17:01,941 [root] INFO: Announced 64-bit process name: rundll32.exe pid: 1012
2025-11-20 10:17:01,942 [lib.api.process] INFO: Monitor config for <Process 1012 rundll32.exe>: C:\k2ffbmig\dll\1012.ini
2025-11-20 10:17:01,945 [lib.api.process] INFO: 64-bit DLL to inject is C:\k2ffbmig\dll\TjKeBkVB.dll, loader C:\k2ffbmig\bin\QxcuWWBV.exe
2025-11-20 10:17:01,955 [root] DEBUG: Loader: Injecting process 1012 (thread 3552) with C:\k2ffbmig\dll\TjKeBkVB.dll.
2025-11-20 10:17:01,956 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-11-20 10:17:01,957 [root] DEBUG: Successfully injected DLL C:\k2ffbmig\dll\TjKeBkVB.dll.
2025-11-20 10:17:01,959 [lib.api.process] INFO: Injected into 64-bit <Process 1012 rundll32.exe>
2025-11-20 10:17:01,991 [root] DEBUG: 1368: InstrumentationCallback: Added region at 0x75A163DC (base 0x758D0000) to tracked regions list (thread 2312).
2025-11-20 10:17:01,992 [root] DEBUG: 1368: ProcessTrackedRegion: Region at 0x758D0000 mapped as \Device\HarddiskVolume2\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2025-11-20 10:17:01,993 [root] DEBUG: 1368: WriteMemoryHandler: shellcode at 0x0278DE68 (size 0x11c0) injected into process 1012 at 0xC2A30000.
2025-11-20 10:17:01,996 [lib.common.results] INFO: Uploading file C:\PrCQdMR\CAPE\1368_102000341177204112025 to CAPE\3b4049aac941247676ffc6680092e97c6c555ac47e049a6e6fcdbed347ddd476; Size is 4449; Max size: 100000000
2025-11-20 10:17:02,000 [root] DEBUG: 1368: DumpMemory: Payload successfully created: C:\PrCQdMR\CAPE\1368_102000341177204112025 (size 4449 bytes)
2025-11-20 10:17:02,000 [root] DEBUG: 1368: WriteMemoryHandler: Dumped injected code/data from buffer.
2025-11-20 10:17:02,001 [root] INFO: Announced 64-bit process name: rundll32.exe pid: 1012
2025-11-20 10:17:02,002 [lib.api.process] INFO: Monitor config for <Process 1012 rundll32.exe>: C:\k2ffbmig\dll\1012.ini
2025-11-20 10:17:02,005 [lib.api.process] INFO: 64-bit DLL to inject is C:\k2ffbmig\dll\TjKeBkVB.dll, loader C:\k2ffbmig\bin\QxcuWWBV.exe
2025-11-20 10:17:02,015 [root] DEBUG: Loader: Injecting process 1012 (thread 3552) with C:\k2ffbmig\dll\TjKeBkVB.dll.
2025-11-20 10:17:02,016 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2025-11-20 10:17:02,016 [root] DEBUG: Successfully injected DLL C:\k2ffbmig\dll\TjKeBkVB.dll.
2025-11-20 10:17:02,019 [lib.api.process] INFO: Injected into 64-bit <Process 1012 rundll32.exe>
2025-11-20 10:17:02,020 [root] INFO: Announced 64-bit process name: rundll32.exe pid: 1012
2025-11-20 10:17:02,020 [lib.api.process] INFO: Monitor config for <Process 1012 rundll32.exe>: C:\k2ffbmig\dll\1012.ini
2025-11-20 10:17:02,023 [lib.api.process] INFO: 64-bit DLL to inject is C:\k2ffbmig\dll\TjKeBkVB.dll, loader C:\k2ffbmig\bin\QxcuWWBV.exe
2025-11-20 10:17:02,032 [root] DEBUG: Loader: Injecting process 1012 (thread 3552) with C:\k2ffbmig\dll\TjKeBkVB.dll.
2025-11-20 10:17:02,033 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2025-11-20 10:17:02,034 [root] DEBUG: Successfully injected DLL C:\k2ffbmig\dll\TjKeBkVB.dll.
2025-11-20 10:17:02,036 [lib.api.process] INFO: Injected into 64-bit <Process 1012 rundll32.exe>
2025-11-20 10:17:02,037 [root] INFO: Announced 64-bit process name: rundll32.exe pid: 1012
2025-11-20 10:17:02,038 [lib.api.process] INFO: Monitor config for <Process 1012 rundll32.exe>: C:\k2ffbmig\dll\1012.ini
2025-11-20 10:17:02,041 [lib.api.process] INFO: 64-bit DLL to inject is C:\k2ffbmig\dll\TjKeBkVB.dll, loader C:\k2ffbmig\bin\QxcuWWBV.exe
2025-11-20 10:17:02,051 [root] DEBUG: Loader: Injecting process 1012 (thread 3552) with C:\k2ffbmig\dll\TjKeBkVB.dll.
2025-11-20 10:17:02,052 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2025-11-20 10:17:02,053 [root] DEBUG: Successfully injected DLL C:\k2ffbmig\dll\TjKeBkVB.dll.
2025-11-20 10:17:02,055 [lib.api.process] INFO: Injected into 64-bit <Process 1012 rundll32.exe>
2025-11-20 10:17:02,069 [root] DEBUG: 1012: Python path set to 'C:\Users\Admin\AppData\Local\Programs\Python\Python313-32'.
2025-11-20 10:17:02,070 [root] DEBUG: 1012: Dropped file limit defaulting to 100.
2025-11-20 10:17:02,074 [root] DEBUG: 1012: Disabling sleep skipping.
2025-11-20 10:17:02,077 [root] DEBUG: 1012: YaraInit: Compiled rules loaded from existing file C:\k2ffbmig\data\yara\capemon.yac
2025-11-20 10:17:02,101 [root] DEBUG: 1012: RtlInsertInvertedFunctionTable 0x00007FFEE348090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEE35DD4F0
2025-11-20 10:17:02,102 [root] DEBUG: 1012: YaraScan: Scanning 0x00007FF6C1D60000, size 0x16100
2025-11-20 10:17:02,104 [root] DEBUG: 1012: Monitor initialised: 64-bit capemon loaded in process 1012 at 0x00007FFEB9130000, thread 3552, image base 0x00007FF6C1D60000, stack from 0x0000007951CB4000-0x0000007951CC0000
2025-11-20 10:17:02,105 [root] DEBUG: 1012: Commandline: "C:\Windows\system32\rundll32.exe" "C:\vesktop.zip\vesktop\d3dcompiler_47.dll",#1
2025-11-20 10:17:02,115 [root] DEBUG: 1012: hook_api: LdrpCallInitRoutine export address 0x00007FFEE34899BC obtained via GetFunctionAddress
2025-11-20 10:17:02,167 [root] WARNING: b'Unable to place hook on LockResource'
2025-11-20 10:17:02,168 [root] DEBUG: 1012: set_hooks: Unable to hook LockResource
2025-11-20 10:17:02,180 [root] DEBUG: 1012: Hooked 619 out of 620 functions
2025-11-20 10:17:02,183 [root] DEBUG: 1012: Syscall hook installed, syscall logging level 1
2025-11-20 10:17:02,193 [root] DEBUG: 1012: RestoreHeaders: Restored original import table.
2025-11-20 10:17:02,194 [root] INFO: Loaded monitor into process with pid 1012
2025-11-20 10:17:02,196 [root] DEBUG: 1012: caller_dispatch: Added region at 0x00007FF6C1D60000 to tracked regions list (msvcrt::memcpy returns to 0x00007FF6C1D6660E, thread 3552).
2025-11-20 10:17:02,197 [root] DEBUG: 1012: YaraScan: Scanning 0x00007FF6C1D60000, size 0x16100
2025-11-20 10:17:02,199 [root] DEBUG: 1012: ProcessImageBase: Main module image at 0x00007FF6C1D60000 unmodified (entropy change 0.000000e+00)
2025-11-20 10:17:02,254 [root] DEBUG: 1012: Target DLL loaded at 0x00007FFEC3E40000: C:\vesktop.zip\vesktop\d3dcompiler_47 (0x48d000 bytes).
2025-11-20 10:17:02,255 [root] DEBUG: 1012: YaraScan: Scanning 0x00007FFEC3E40000, size 0x48ca4f
2025-11-20 10:17:02,343 [root] DEBUG: 1012: caller_dispatch: Added region at 0x00007FFEC3E40000 to tracked regions list (ntdll::LdrLoadDll returns to 0x00007FFEC3F9F13B, thread 3552).
2025-11-20 10:17:02,344 [root] DEBUG: 1012: caller_dispatch: Scanning calling region at 0x00007FFEC3E40000...
2025-11-20 10:17:02,352 [root] DEBUG: 1012: DLL loaded at 0x00007FFEDE5B0000: C:\Windows\system32\uxtheme (0x9e000 bytes).
2025-11-20 10:17:02,365 [root] DEBUG: 1012: DLL loaded at 0x00007FFEE21A0000: C:\Windows\System32\MSCTF (0x114000 bytes).
2025-11-20 10:17:02,378 [root] DEBUG: 1012: Target DLL unloading from 0x00007FFEC3E40000: code modification detected, dumping.
2025-11-20 10:17:02,379 [root] DEBUG: 1012: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2025-11-20 10:17:02,380 [root] DEBUG: 1012: DumpProcess: Instantiating PeParser with address: 0x00007FFEC3E40000.
2025-11-20 10:17:02,381 [root] DEBUG: 1012: DumpProcess: Module entry point VA is 0x000000000016CD60.
2025-11-20 10:17:02,439 [lib.common.results] INFO: Uploading file C:\PrCQdMR\CAPE\1012_53137402177204112025 to procdump\564f7d68356ae7d3fa689608b4f0474632e3078727761a5363edfdc00423e398; Size is 4755456; Max size: 100000000
2025-11-20 10:17:02,510 [root] DEBUG: 1012: DumpProcess: Module image dump success - dump size 0x489000.
2025-11-20 10:17:02,533 [root] INFO: Process with pid 1012 has terminated
2025-11-20 10:17:02,542 [root] DEBUG: 1368: NtTerminateProcess hook: Attempting to dump process 1368
2025-11-20 10:17:02,543 [root] DEBUG: 1368: DoProcessDump: Skipping process dump as code is identical on disk.
2025-11-20 10:17:02,553 [root] INFO: Process with pid 1368 has terminated
2025-11-20 10:17:03,744 [lib.api.process] INFO: Successfully resumed <Process 2100 rundll32.exe>
2025-11-20 10:17:03,746 [lib.core.compound] INFO: C:\Temp already exists, skipping creation
2025-11-20 10:17:03,751 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\system32\rundll32.exe" with arguments ""C:\vesktop.zip\vesktop\dxil.dll",#1" with pid 2964
2025-11-20 10:17:03,752 [lib.api.process] INFO: Monitor config for <Process 2964 rundll32.exe>: C:\k2ffbmig\dll\2964.ini
2025-11-20 10:17:03,758 [lib.api.process] INFO: 32-bit DLL to inject is C:\k2ffbmig\dll\VGCgjUjb.dll, loader C:\k2ffbmig\bin\oLlatlP.exe
2025-11-20 10:17:03,768 [root] DEBUG: 2100: Python path set to 'C:\Users\Admin\AppData\Local\Programs\Python\Python313-32'.
2025-11-20 10:17:03,769 [root] DEBUG: 2100: Disabling sleep skipping.
2025-11-20 10:17:03,770 [root] DEBUG: 2100: Dropped file limit defaulting to 100.
2025-11-20 10:17:03,771 [root] DEBUG: Loader: Injecting process 2964 (thread 3736) with C:\k2ffbmig\dll\VGCgjUjb.dll.
2025-11-20 10:17:03,772 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-11-20 10:17:03,773 [root] DEBUG: Successfully injected DLL C:\k2ffbmig\dll\VGCgjUjb.dll.
2025-11-20 10:17:03,776 [root] DEBUG: 2100: YaraInit: Compiled rules loaded from existing file C:\k2ffbmig\data\yara\capemon.yac
2025-11-20 10:17:03,777 [root] DEBUG: 2100: YaraScan: Scanning 0x00280000, size 0x136e8
2025-11-20 10:17:03,778 [lib.api.process] INFO: Injected into 32-bit <Process 2964 rundll32.exe>
2025-11-20 10:17:03,779 [root] DEBUG: 2100: Monitor initialised: 32-bit capemon loaded in process 2100 at 0x72e90000, thread 2052, image base 0x280000, stack from 0x2354000-0x2360000
2025-11-20 10:17:03,780 [root] DEBUG: 2100: Commandline: "C:\Windows\system32\rundll32.exe" "C:\vesktop.zip\vesktop\dxcompiler.dll",#1
2025-11-20 10:17:03,809 [root] DEBUG: 2100: hook_api: LdrpCallInitRoutine export address 0x76FC2B50 obtained via GetFunctionAddress
2025-11-20 10:17:03,813 [root] DEBUG: 2100: hook_api: Warning - CreateProcessA export address 0x76552D70 differs from GetProcAddress -> 0x731F22A0 (AcLayers.DLL::0x222a0)
2025-11-20 10:17:03,814 [root] DEBUG: 2100: hook_api: Warning - CreateProcessW export address 0x765388E0 differs from GetProcAddress -> 0x731F24E0 (AcLayers.DLL::0x224e0)
2025-11-20 10:17:03,815 [root] DEBUG: 2100: hook_api: Warning - WinExec export address 0x7657CF20 differs from GetProcAddress -> 0x731F27A0 (AcLayers.DLL::0x227a0)
2025-11-20 10:17:03,844 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2025-11-20 10:17:03,846 [root] DEBUG: 2100: set_hooks: Unable to hook GetCommandLineA
2025-11-20 10:17:03,847 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2025-11-20 10:17:03,848 [root] DEBUG: 2100: set_hooks: Unable to hook GetCommandLineW
2025-11-20 10:17:03,858 [root] DEBUG: 2100: Hooked 625 out of 627 functions
2025-11-20 10:17:03,860 [root] DEBUG: 2100: Syscall hook installed, syscall logging level 1
2025-11-20 10:17:03,865 [root] DEBUG: 2100: RestoreHeaders: Restored original import table.
2025-11-20 10:17:03,866 [root] INFO: Loaded monitor into process with pid 2100
2025-11-20 10:17:03,868 [root] DEBUG: 2100: caller_dispatch: Added region at 0x00280000 to tracked regions list (ntdll::memcpy returns to 0x00285F1A, thread 2052).
2025-11-20 10:17:03,868 [root] DEBUG: 2100: YaraScan: Scanning 0x00280000, size 0x136e8
2025-11-20 10:17:03,871 [root] DEBUG: 2100: ProcessImageBase: Main module image at 0x00280000 unmodified (entropy change 0.000000e+00)
2025-11-20 10:17:03,894 [root] DEBUG: 2100: InstrumentationCallback: Added region at 0x7654274C (base 0x76520000) to tracked regions list (thread 2052).
2025-11-20 10:17:03,895 [root] DEBUG: 2100: ProcessTrackedRegion: Region at 0x76520000 mapped as \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll is in known range, skipping
2025-11-20 10:17:03,902 [root] DEBUG: 2100: CreateProcessHandler: Injection info set for new process 1616: C:\Windows\system32\rundll32.exe, ImageBase: 0x00000000
2025-11-20 10:17:03,903 [root] INFO: Announced 64-bit process name: rundll32.exe pid: 1616
2025-11-20 10:17:03,904 [lib.api.process] INFO: Monitor config for <Process 1616 rundll32.exe>: C:\k2ffbmig\dll\1616.ini
2025-11-20 10:17:03,911 [lib.api.process] INFO: 64-bit DLL to inject is C:\k2ffbmig\dll\TjKeBkVB.dll, loader C:\k2ffbmig\bin\QxcuWWBV.exe
2025-11-20 10:17:03,921 [root] DEBUG: Loader: Injecting process 1616 (thread 2452) with C:\k2ffbmig\dll\TjKeBkVB.dll.
2025-11-20 10:17:03,922 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-11-20 10:17:03,923 [root] DEBUG: Successfully injected DLL C:\k2ffbmig\dll\TjKeBkVB.dll.
2025-11-20 10:17:03,925 [lib.api.process] INFO: Injected into 64-bit <Process 1616 rundll32.exe>
2025-11-20 10:17:03,944 [root] DEBUG: 2100: InstrumentationCallback: Added region at 0x75A163DC (base 0x758D0000) to tracked regions list (thread 2052).
2025-11-20 10:17:03,944 [root] DEBUG: 2100: ProcessTrackedRegion: Region at 0x758D0000 mapped as \Device\HarddiskVolume2\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2025-11-20 10:17:03,945 [root] DEBUG: 2100: WriteMemoryHandler: shellcode at 0x027DBA68 (size 0x11c0) injected into process 1616 at 0xF9B80000.
2025-11-20 10:17:03,949 [lib.common.results] INFO: Uploading file C:\PrCQdMR\CAPE\2100_169823713177204112025 to CAPE\28e614599ad787145b797d9bac7de992a2950d1a2d798de2f532701c8a343568; Size is 4449; Max size: 100000000
2025-11-20 10:17:03,966 [root] DEBUG: 2100: DumpMemory: Payload successfully created: C:\PrCQdMR\CAPE\2100_169823713177204112025 (size 4449 bytes)
2025-11-20 10:17:03,967 [root] DEBUG: 2100: WriteMemoryHandler: Dumped injected code/data from buffer.
2025-11-20 10:17:03,968 [root] INFO: Announced 64-bit process name: rundll32.exe pid: 1616
2025-11-20 10:17:03,968 [lib.api.process] INFO: Monitor config for <Process 1616 rundll32.exe>: C:\k2ffbmig\dll\1616.ini
2025-11-20 10:17:03,973 [lib.api.process] INFO: 64-bit DLL to inject is C:\k2ffbmig\dll\TjKeBkVB.dll, loader C:\k2ffbmig\bin\QxcuWWBV.exe
2025-11-20 10:17:03,984 [root] DEBUG: Loader: Injecting process 1616 (thread 2452) with C:\k2ffbmig\dll\TjKeBkVB.dll.
2025-11-20 10:17:03,985 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2025-11-20 10:17:03,986 [root] DEBUG: Successfully injected DLL C:\k2ffbmig\dll\TjKeBkVB.dll.
2025-11-20 10:17:03,989 [lib.api.process] INFO: Injected into 64-bit <Process 1616 rundll32.exe>
2025-11-20 10:17:03,991 [root] INFO: Announced 64-bit process name: rundll32.exe pid: 1616
2025-11-20 10:17:03,991 [lib.api.process] INFO: Monitor config for <Process 1616 rundll32.exe>: C:\k2ffbmig\dll\1616.ini
2025-11-20 10:17:03,996 [lib.api.process] INFO: 64-bit DLL to inject is C:\k2ffbmig\dll\TjKeBkVB.dll, loader C:\k2ffbmig\bin\QxcuWWBV.exe
2025-11-20 10:17:04,005 [root] DEBUG: Loader: Injecting process 1616 (thread 2452) with C:\k2ffbmig\dll\TjKeBkVB.dll.
2025-11-20 10:17:04,006 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2025-11-20 10:17:04,007 [root] DEBUG: Successfully injected DLL C:\k2ffbmig\dll\TjKeBkVB.dll.
2025-11-20 10:17:04,010 [lib.api.process] INFO: Injected into 64-bit <Process 1616 rundll32.exe>
2025-11-20 10:17:04,012 [root] INFO: Announced 64-bit process name: rundll32.exe pid: 1616
2025-11-20 10:17:04,013 [lib.api.process] INFO: Monitor config for <Process 1616 rundll32.exe>: C:\k2ffbmig\dll\1616.ini
2025-11-20 10:17:04,017 [lib.api.process] INFO: 64-bit DLL to inject is C:\k2ffbmig\dll\TjKeBkVB.dll, loader C:\k2ffbmig\bin\QxcuWWBV.exe
2025-11-20 10:17:04,027 [root] DEBUG: Loader: Injecting process 1616 (thread 2452) with C:\k2ffbmig\dll\TjKeBkVB.dll.
2025-11-20 10:17:04,027 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2025-11-20 10:17:04,028 [root] DEBUG: Successfully injected DLL C:\k2ffbmig\dll\TjKeBkVB.dll.
2025-11-20 10:17:04,030 [lib.api.process] INFO: Injected into 64-bit <Process 1616 rundll32.exe>
2025-11-20 10:17:04,045 [root] DEBUG: 1616: Python path set to 'C:\Users\Admin\AppData\Local\Programs\Python\Python313-32'.
2025-11-20 10:17:04,046 [root] DEBUG: 1616: Dropped file limit defaulting to 100.
2025-11-20 10:17:04,050 [root] DEBUG: 1616: Disabling sleep skipping.
2025-11-20 10:17:04,053 [root] DEBUG: 1616: YaraInit: Compiled rules loaded from existing file C:\k2ffbmig\data\yara\capemon.yac
2025-11-20 10:17:04,077 [root] DEBUG: 1616: RtlInsertInvertedFunctionTable 0x00007FFEE348090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEE35DD4F0
2025-11-20 10:17:04,078 [root] DEBUG: 1616: YaraScan: Scanning 0x00007FF6C1D60000, size 0x16100
2025-11-20 10:17:04,080 [root] DEBUG: 1616: Monitor initialised: 64-bit capemon loaded in process 1616 at 0x00007FFEB9130000, thread 2452, image base 0x00007FF6C1D60000, stack from 0x000000B7138A4000-0x000000B7138B0000
2025-11-20 10:17:04,081 [root] DEBUG: 1616: Commandline: "C:\Windows\system32\rundll32.exe" "C:\vesktop.zip\vesktop\dxcompiler.dll",#1
2025-11-20 10:17:04,097 [root] DEBUG: 1616: hook_api: LdrpCallInitRoutine export address 0x00007FFEE34899BC obtained via GetFunctionAddress
2025-11-20 10:17:04,158 [root] WARNING: b'Unable to place hook on LockResource'
2025-11-20 10:17:04,159 [root] DEBUG: 1616: set_hooks: Unable to hook LockResource
2025-11-20 10:17:04,171 [root] DEBUG: 1616: Hooked 619 out of 620 functions
2025-11-20 10:17:04,174 [root] DEBUG: 1616: Syscall hook installed, syscall logging level 1
2025-11-20 10:17:04,182 [root] DEBUG: 1616: RestoreHeaders: Restored original import table.
2025-11-20 10:17:04,182 [root] INFO: Loaded monitor into process with pid 1616
2025-11-20 10:17:04,184 [root] DEBUG: 1616: caller_dispatch: Added region at 0x00007FF6C1D60000 to tracked regions list (kernel32::SetUnhandledExceptionFilter returns to 0x00007FF6C1D66D01, thread 2452).
2025-11-20 10:17:04,185 [root] DEBUG: 1616: YaraScan: Scanning 0x00007FF6C1D60000, size 0x16100
2025-11-20 10:17:04,188 [root] DEBUG: 1616: ProcessImageBase: Main module image at 0x00007FF6C1D60000 unmodified (entropy change 0.000000e+00)
2025-11-20 10:17:04,203 [root] DEBUG: 1616: Target DLL loaded at 0x00007FFEC29E0000: C:\vesktop.zip\vesktop\dxcompiler (0x18ea000 bytes).
2025-11-20 10:17:04,213 [root] DEBUG: 1616: YaraScan: Scanning 0x00007FFEC29E0000, size 0x18e9d28
2025-11-20 10:17:04,682 [root] DEBUG: 1616: caller_dispatch: Added region at 0x00007FFEC29E0000 to tracked regions list (ntdll::LdrLoadDll returns to 0x00007FFEC3E18B03, thread 2452).
2025-11-20 10:17:04,684 [root] DEBUG: 1616: caller_dispatch: Scanning calling region at 0x00007FFEC29E0000...
2025-11-20 10:17:04,691 [root] DEBUG: 1616: DLL loaded at 0x00007FFEDE5B0000: C:\Windows\system32\uxtheme (0x9e000 bytes).
2025-11-20 10:17:04,696 [root] DEBUG: 1616: DLL loaded at 0x00007FFEE21A0000: C:\Windows\System32\MSCTF (0x114000 bytes).
2025-11-20 10:17:05,252 [root] INFO: Process with pid 1616 has terminated
2025-11-20 10:17:05,253 [root] DEBUG: 1616: NtTerminateProcess hook: Attempting to dump process 1616
2025-11-20 10:17:05,255 [root] DEBUG: 1616: DoProcessDump: Code modification detected, dumping Imagebase at 0x00007FFEC29E0000.
2025-11-20 10:17:05,256 [root] DEBUG: 1616: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2025-11-20 10:17:05,257 [root] DEBUG: 1616: DumpProcess: Instantiating PeParser with address: 0x00007FFEC29E0000.
2025-11-20 10:17:05,258 [root] DEBUG: 1616: DumpProcess: Module entry point VA is 0x00000000013FEDD0.
2025-11-20 10:17:05,688 [lib.common.results] INFO: Uploading file C:\PrCQdMR\CAPE\1616_74171055177204112025 to procdump\a9208d3aac82022b18aec719c720ea9d505d6079d2d6d258be8b0761a8610c22; Size is 26096640; Max size: 100000000
2025-11-20 10:17:05,803 [lib.api.process] INFO: Successfully resumed <Process 2964 rundll32.exe>
2025-11-20 10:17:05,811 [lib.core.compound] INFO: C:\Temp already exists, skipping creation
2025-11-20 10:17:05,822 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\system32\rundll32.exe" with arguments ""C:\vesktop.zip\vesktop\ffmpeg.dll",#1" with pid 3148
2025-11-20 10:17:05,823 [lib.api.process] INFO: Monitor config for <Process 3148 rundll32.exe>: C:\k2ffbmig\dll\3148.ini
2025-11-20 10:17:05,864 [lib.api.process] INFO: 32-bit DLL to inject is C:\k2ffbmig\dll\VGCgjUjb.dll, loader C:\k2ffbmig\bin\oLlatlP.exe
2025-11-20 10:17:05,873 [root] DEBUG: 1616: DumpProcess: Module image dump success - dump size 0x18e3400.
2025-11-20 10:17:05,874 [root] DEBUG: 2964: Python path set to 'C:\Users\Admin\AppData\Local\Programs\Python\Python313-32'.
2025-11-20 10:17:05,876 [root] DEBUG: 2964: Dropped file limit defaulting to 100.
2025-11-20 10:17:05,881 [root] DEBUG: 2964: Disabling sleep skipping.
2025-11-20 10:17:05,884 [root] DEBUG: Loader: Injecting process 3148 (thread 3096) with C:\k2ffbmig\dll\VGCgjUjb.dll.
2025-11-20 10:17:05,886 [root] DEBUG: 2964: YaraInit: Compiled rules loaded from existing file C:\k2ffbmig\data\yara\capemon.yac
2025-11-20 10:17:05,887 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-11-20 10:17:05,888 [root] DEBUG: 2964: YaraScan: Scanning 0x00280000, size 0x136e8
2025-11-20 10:17:05,889 [root] DEBUG: Successfully injected DLL C:\k2ffbmig\dll\VGCgjUjb.dll.
2025-11-20 10:17:05,893 [root] DEBUG: 2964: Monitor initialised: 32-bit capemon loaded in process 2964 at 0x72e90000, thread 3736, image base 0x280000, stack from 0x23c4000-0x23d0000
2025-11-20 10:17:05,895 [root] DEBUG: 2964: Commandline: "C:\Windows\system32\rundll32.exe" "C:\vesktop.zip\vesktop\dxil.dll",#1
2025-11-20 10:17:05,896 [lib.api.process] INFO: Injected into 32-bit <Process 3148 rundll32.exe>
2025-11-20 10:17:05,913 [root] DEBUG: 2100: NtTerminateProcess hook: Attempting to dump process 2100
2025-11-20 10:17:05,915 [root] DEBUG: 2100: DoProcessDump: Skipping process dump as code is identical on disk.
2025-11-20 10:17:05,923 [root] INFO: Process with pid 2100 has terminated
2025-11-20 10:17:05,931 [root] DEBUG: 2964: hook_api: LdrpCallInitRoutine export address 0x76FC2B50 obtained via GetFunctionAddress
2025-11-20 10:17:05,934 [root] DEBUG: 2964: hook_api: Warning - CreateProcessA export address 0x76552D70 differs from GetProcAddress -> 0x731F22A0 (AcLayers.DLL::0x222a0)
2025-11-20 10:17:05,935 [root] DEBUG: 2964: hook_api: Warning - CreateProcessW export address 0x765388E0 differs from GetProcAddress -> 0x731F24E0 (AcLayers.DLL::0x224e0)
2025-11-20 10:17:05,936 [root] DEBUG: 2964: hook_api: Warning - WinExec export address 0x7657CF20 differs from GetProcAddress -> 0x731F27A0 (AcLayers.DLL::0x227a0)
2025-11-20 10:17:05,965 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2025-11-20 10:17:05,966 [root] DEBUG: 2964: set_hooks: Unable to hook GetCommandLineA
2025-11-20 10:17:05,967 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2025-11-20 10:17:05,969 [root] DEBUG: 2964: set_hooks: Unable to hook GetCommandLineW
2025-11-20 10:17:05,979 [root] DEBUG: 2964: Hooked 625 out of 627 functions
2025-11-20 10:17:05,981 [root] DEBUG: 2964: Syscall hook installed, syscall logging level 1
2025-11-20 10:17:05,986 [root] DEBUG: 2964: RestoreHeaders: Restored original import table.
2025-11-20 10:17:05,987 [root] INFO: Loaded monitor into process with pid 2964
2025-11-20 10:17:05,989 [root] DEBUG: 2964: caller_dispatch: Added region at 0x00280000 to tracked regions list (ntdll::memcpy returns to 0x00285F1A, thread 3736).
2025-11-20 10:17:05,990 [root] DEBUG: 2964: YaraScan: Scanning 0x00280000, size 0x136e8
2025-11-20 10:17:05,993 [root] DEBUG: 2964: ProcessImageBase: Main module image at 0x00280000 unmodified (entropy change 0.000000e+00)
2025-11-20 10:17:06,013 [root] DEBUG: 2964: InstrumentationCallback: Added region at 0x7654274C (base 0x76520000) to tracked regions list (thread 3736).
2025-11-20 10:17:06,015 [root] DEBUG: 2964: ProcessTrackedRegion: Region at 0x76520000 mapped as \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll is in known range, skipping
2025-11-20 10:17:06,022 [root] DEBUG: 2964: CreateProcessHandler: Injection info set for new process 1684: C:\Windows\system32\rundll32.exe, ImageBase: 0x00000000
2025-11-20 10:17:06,024 [root] INFO: Announced 64-bit process name: rundll32.exe pid: 1684
2025-11-20 10:17:06,025 [lib.api.process] INFO: Monitor config for <Process 1684 rundll32.exe>: C:\k2ffbmig\dll\1684.ini
2025-11-20 10:17:06,034 [lib.api.process] INFO: 64-bit DLL to inject is C:\k2ffbmig\dll\TjKeBkVB.dll, loader C:\k2ffbmig\bin\QxcuWWBV.exe
2025-11-20 10:17:06,044 [root] DEBUG: Loader: Injecting process 1684 (thread 1632) with C:\k2ffbmig\dll\TjKeBkVB.dll.
2025-11-20 10:17:06,045 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-11-20 10:17:06,047 [root] DEBUG: Successfully injected DLL C:\k2ffbmig\dll\TjKeBkVB.dll.
2025-11-20 10:17:06,049 [lib.api.process] INFO: Injected into 64-bit <Process 1684 rundll32.exe>
2025-11-20 10:17:06,067 [root] DEBUG: 2964: InstrumentationCallback: Added region at 0x75A163DC (base 0x758D0000) to tracked regions list (thread 3736).
2025-11-20 10:17:06,068 [root] DEBUG: 2964: ProcessTrackedRegion: Region at 0x758D0000 mapped as \Device\HarddiskVolume2\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2025-11-20 10:17:06,069 [root] DEBUG: 2964: WriteMemoryHandler: shellcode at 0x0268CAF8 (size 0x11c0) injected into process 1684 at 0xAB6C0000.
2025-11-20 10:17:06,074 [lib.common.results] INFO: Uploading file C:\PrCQdMR\CAPE\2964_16178286177204112025 to CAPE\b6259a5d399583a41ac7af9ddcec28e883e755634a805b4a71bf25977990d7b5; Size is 4449; Max size: 100000000
2025-11-20 10:17:06,078 [root] DEBUG: 2964: DumpMemory: Payload successfully created: C:\PrCQdMR\CAPE\2964_16178286177204112025 (size 4449 bytes)
2025-11-20 10:17:06,079 [root] DEBUG: 2964: WriteMemoryHandler: Dumped injected code/data from buffer.
2025-11-20 10:17:06,080 [root] INFO: Announced 64-bit process name: rundll32.exe pid: 1684
2025-11-20 10:17:06,081 [lib.api.process] INFO: Monitor config for <Process 1684 rundll32.exe>: C:\k2ffbmig\dll\1684.ini
2025-11-20 10:17:06,088 [lib.api.process] INFO: 64-bit DLL to inject is C:\k2ffbmig\dll\TjKeBkVB.dll, loader C:\k2ffbmig\bin\QxcuWWBV.exe
2025-11-20 10:17:06,099 [root] DEBUG: Loader: Injecting process 1684 (thread 1632) with C:\k2ffbmig\dll\TjKeBkVB.dll.
2025-11-20 10:17:06,100 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2025-11-20 10:17:06,101 [root] DEBUG: Successfully injected DLL C:\k2ffbmig\dll\TjKeBkVB.dll.
2025-11-20 10:17:06,104 [lib.api.process] INFO: Injected into 64-bit <Process 1684 rundll32.exe>
2025-11-20 10:17:06,105 [root] INFO: Announced 64-bit process name: rundll32.exe pid: 1684
2025-11-20 10:17:06,107 [lib.api.process] INFO: Monitor config for <Process 1684 rundll32.exe>: C:\k2ffbmig\dll\1684.ini
2025-11-20 10:17:06,113 [lib.api.process] INFO: 64-bit DLL to inject is C:\k2ffbmig\dll\TjKeBkVB.dll, loader C:\k2ffbmig\bin\QxcuWWBV.exe
2025-11-20 10:17:06,123 [root] DEBUG: Loader: Injecting process 1684 (thread 1632) with C:\k2ffbmig\dll\TjKeBkVB.dll.
2025-11-20 10:17:06,124 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2025-11-20 10:17:06,125 [root] DEBUG: Successfully injected DLL C:\k2ffbmig\dll\TjKeBkVB.dll.
2025-11-20 10:17:06,127 [lib.api.process] INFO: Injected into 64-bit <Process 1684 rundll32.exe>
2025-11-20 10:17:06,129 [root] INFO: Announced 64-bit process name: rundll32.exe pid: 1684
2025-11-20 10:17:06,130 [lib.api.process] INFO: Monitor config for <Process 1684 rundll32.exe>: C:\k2ffbmig\dll\1684.ini
2025-11-20 10:17:06,137 [lib.api.process] INFO: 64-bit DLL to inject is C:\k2ffbmig\dll\TjKeBkVB.dll, loader C:\k2ffbmig\bin\QxcuWWBV.exe
2025-11-20 10:17:06,146 [root] DEBUG: Loader: Injecting process 1684 (thread 1632) with C:\k2ffbmig\dll\TjKeBkVB.dll.
2025-11-20 10:17:06,148 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2025-11-20 10:17:06,149 [root] DEBUG: Successfully injected DLL C:\k2ffbmig\dll\TjKeBkVB.dll.
2025-11-20 10:17:06,153 [lib.api.process] INFO: Injected into 64-bit <Process 1684 rundll32.exe>
2025-11-20 10:17:06,167 [root] DEBUG: 1684: Python path set to 'C:\Users\Admin\AppData\Local\Programs\Python\Python313-32'.
2025-11-20 10:17:06,168 [root] DEBUG: 1684: Dropped file limit defaulting to 100.
2025-11-20 10:17:06,172 [root] DEBUG: 1684: Disabling sleep skipping.
2025-11-20 10:17:06,174 [root] DEBUG: 1684: YaraInit: Compiled rules loaded from existing file C:\k2ffbmig\data\yara\capemon.yac
2025-11-20 10:17:06,198 [root] DEBUG: 1684: RtlInsertInvertedFunctionTable 0x00007FFEE348090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEE35DD4F0
2025-11-20 10:17:06,199 [root] DEBUG: 1684: YaraScan: Scanning 0x00007FF6C1D60000, size 0x16100
2025-11-20 10:17:06,203 [root] DEBUG: 1684: Monitor initialised: 64-bit capemon loaded in process 1684 at 0x00007FFEB9130000, thread 1632, image base 0x00007FF6C1D60000, stack from 0x0000004DC3704000-0x0000004DC3710000
2025-11-20 10:17:06,204 [root] DEBUG: 1684: Commandline: "C:\Windows\system32\rundll32.exe" "C:\vesktop.zip\vesktop\dxil.dll",#1
2025-11-20 10:17:06,215 [root] DEBUG: 1684: hook_api: LdrpCallInitRoutine export address 0x00007FFEE34899BC obtained via GetFunctionAddress
2025-11-20 10:17:06,275 [root] WARNING: b'Unable to place hook on LockResource'
2025-11-20 10:17:06,276 [root] DEBUG: 1684: set_hooks: Unable to hook LockResource
2025-11-20 10:17:06,287 [root] DEBUG: 1684: Hooked 619 out of 620 functions
2025-11-20 10:17:06,291 [root] DEBUG: 1684: Syscall hook installed, syscall logging level 1
2025-11-20 10:17:06,299 [root] DEBUG: 1684: RestoreHeaders: Restored original import table.
2025-11-20 10:17:06,301 [root] INFO: Loaded monitor into process with pid 1684
2025-11-20 10:17:06,302 [root] DEBUG: 1684: caller_dispatch: Added region at 0x00007FF6C1D60000 to tracked regions list (kernel32::SetUnhandledExceptionFilter returns to 0x00007FF6C1D66D01, thread 1632).
2025-11-20 10:17:06,304 [root] DEBUG: 1684: YaraScan: Scanning 0x00007FF6C1D60000, size 0x16100
2025-11-20 10:17:06,307 [root] DEBUG: 1684: ProcessImageBase: Main module image at 0x00007FF6C1D60000 unmodified (entropy change 0.000000e+00)
2025-11-20 10:17:06,321 [root] DEBUG: 1684: Target DLL loaded at 0x00007FFED4010000: C:\vesktop.zip\vesktop\dxil (0x173000 bytes).
2025-11-20 10:17:06,322 [root] DEBUG: 1684: YaraScan: Scanning 0x00007FFED4010000, size 0x172c30
2025-11-20 10:17:06,350 [root] DEBUG: 1684: caller_dispatch: Added region at 0x00007FFED4010000 to tracked regions list (ntdll::LdrLoadDll returns to 0x00007FFED4110DA6, thread 1632).
2025-11-20 10:17:06,351 [root] DEBUG: 1684: caller_dispatch: Scanning calling region at 0x00007FFED4010000...
2025-11-20 10:17:06,357 [root] DEBUG: 1684: DLL loaded at 0x00007FFEDE5B0000: C:\Windows\system32\uxtheme (0x9e000 bytes).
2025-11-20 10:17:06,362 [root] DEBUG: 1684: DLL loaded at 0x00007FFEE21A0000: C:\Windows\System32\MSCTF (0x114000 bytes).
2025-11-20 10:17:06,738 [root] INFO: Process with pid 1684 has terminated
2025-11-20 10:17:06,739 [root] DEBUG: 1684: NtTerminateProcess hook: Attempting to dump process 1684
2025-11-20 10:17:06,740 [root] DEBUG: 1684: DoProcessDump: Code modification detected, dumping Imagebase at 0x00007FFED4010000.
2025-11-20 10:17:06,742 [root] DEBUG: 1684: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2025-11-20 10:17:06,743 [root] DEBUG: 1684: DumpProcess: Instantiating PeParser with address: 0x00007FFED4010000.
2025-11-20 10:17:06,744 [root] DEBUG: 1684: DumpProcess: Module entry point VA is 0x00000000001095B0.
2025-11-20 10:17:06,766 [lib.common.results] INFO: Uploading file C:\PrCQdMR\CAPE\1684_193475106177204112025 to procdump\82ffd48fba15e4a4596074e04a54177a760dd26b6cb0e6f96e81847ded80306a; Size is 1502720; Max size: 100000000
2025-11-20 10:17:06,780 [root] DEBUG: 1684: DumpProcess: Module image dump success - dump size 0x16ee00.
2025-11-20 10:17:06,797 [root] DEBUG: 2964: NtTerminateProcess hook: Attempting to dump process 2964
2025-11-20 10:17:06,799 [root] DEBUG: 2964: DoProcessDump: Skipping process dump as code is identical on disk.
2025-11-20 10:17:06,808 [root] INFO: Process with pid 2964 has terminated
2025-11-20 10:17:07,901 [lib.api.process] INFO: Successfully resumed <Process 3148 rundll32.exe>
2025-11-20 10:17:07,915 [lib.core.compound] INFO: C:\Temp already exists, skipping creation
2025-11-20 10:17:07,920 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\system32\rundll32.exe" with arguments ""C:\vesktop.zip\vesktop\icudtl.dat",#1" with pid 4184
2025-11-20 10:17:07,922 [lib.api.process] INFO: Monitor config for <Process 4184 rundll32.exe>: C:\k2ffbmig\dll\4184.ini
2025-11-20 10:17:07,928 [root] DEBUG: 3148: Python path set to 'C:\Users\Admin\AppData\Local\Programs\Python\Python313-32'.
2025-11-20 10:17:07,930 [root] DEBUG: 3148: Dropped file limit defaulting to 100.
2025-11-20 10:17:07,934 [root] DEBUG: 3148: Disabling sleep skipping.
2025-11-20 10:17:07,937 [root] DEBUG: 3148: YaraInit: Compiled rules loaded from existing file C:\k2ffbmig\data\yara\capemon.yac
2025-11-20 10:17:07,938 [lib.api.process] INFO: 32-bit DLL to inject is C:\k2ffbmig\dll\VGCgjUjb.dll, loader C:\k2ffbmig\bin\oLlatlP.exe
2025-11-20 10:17:07,939 [root] DEBUG: 3148: YaraScan: Scanning 0x00280000, size 0x136e8
2025-11-20 10:17:07,942 [root] DEBUG: 3148: Monitor initialised: 32-bit capemon loaded in process 3148 at 0x72e90000, thread 3096, image base 0x280000, stack from 0x2d34000-0x2d40000
2025-11-20 10:17:07,943 [root] DEBUG: 3148: Commandline: "C:\Windows\system32\rundll32.exe" "C:\vesktop.zip\vesktop\ffmpeg.dll",#1
2025-11-20 10:17:07,951 [root] DEBUG: Loader: Injecting process 4184 (thread 4188) with C:\k2ffbmig\dll\VGCgjUjb.dll.
2025-11-20 10:17:07,953 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-11-20 10:17:07,954 [root] DEBUG: Successfully injected DLL C:\k2ffbmig\dll\VGCgjUjb.dll.
2025-11-20 10:17:07,959 [lib.api.process] INFO: Injected into 32-bit <Process 4184 rundll32.exe>
2025-11-20 10:17:07,976 [root] DEBUG: 3148: hook_api: LdrpCallInitRoutine export address 0x76FC2B50 obtained via GetFunctionAddress
2025-11-20 10:17:07,980 [root] DEBUG: 3148: hook_api: Warning - CreateProcessA export address 0x76552D70 differs from GetProcAddress -> 0x731F22A0 (AcLayers.DLL::0x222a0)
2025-11-20 10:17:07,981 [root] DEBUG: 3148: hook_api: Warning - CreateProcessW export address 0x765388E0 differs from GetProcAddress -> 0x731F24E0 (AcLayers.DLL::0x224e0)
2025-11-20 10:17:07,983 [root] DEBUG: 3148: hook_api: Warning - WinExec export address 0x7657CF20 differs from GetProcAddress -> 0x731F27A0 (AcLayers.DLL::0x227a0)
2025-11-20 10:17:08,014 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2025-11-20 10:17:08,017 [root] DEBUG: 3148: set_hooks: Unable to hook GetCommandLineA
2025-11-20 10:17:08,018 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2025-11-20 10:17:08,019 [root] DEBUG: 3148: set_hooks: Unable to hook GetCommandLineW
2025-11-20 10:17:08,030 [root] DEBUG: 3148: Hooked 625 out of 627 functions
2025-11-20 10:17:08,032 [root] DEBUG: 3148: Syscall hook installed, syscall logging level 1
2025-11-20 10:17:08,037 [root] DEBUG: 3148: RestoreHeaders: Restored original import table.
2025-11-20 10:17:08,038 [root] INFO: Loaded monitor into process with pid 3148
2025-11-20 10:17:08,041 [root] DEBUG: 3148: caller_dispatch: Added region at 0x00280000 to tracked regions list (ntdll::memcpy returns to 0x00285F1A, thread 3096).
2025-11-20 10:17:08,043 [root] DEBUG: 3148: YaraScan: Scanning 0x00280000, size 0x136e8
2025-11-20 10:17:08,047 [root] DEBUG: 3148: ProcessImageBase: Main module image at 0x00280000 unmodified (entropy change 0.000000e+00)
2025-11-20 10:17:08,070 [root] DEBUG: 3148: InstrumentationCallback: Added region at 0x7654274C (base 0x76520000) to tracked regions list (thread 3096).
2025-11-20 10:17:08,071 [root] DEBUG: 3148: ProcessTrackedRegion: Region at 0x76520000 mapped as \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll is in known range, skipping
2025-11-20 10:17:08,078 [root] DEBUG: 3148: CreateProcessHandler: Injection info set for new process 4356: C:\Windows\system32\rundll32.exe, ImageBase: 0x00000000
2025-11-20 10:17:08,079 [root] INFO: Announced 64-bit process name: rundll32.exe pid: 4356
2025-11-20 10:17:08,080 [lib.api.process] INFO: Monitor config for <Process 4356 rundll32.exe>: C:\k2ffbmig\dll\4356.ini
2025-11-20 10:17:08,089 [lib.api.process] INFO: 64-bit DLL to inject is C:\k2ffbmig\dll\TjKeBkVB.dll, loader C:\k2ffbmig\bin\QxcuWWBV.exe
2025-11-20 10:17:08,100 [root] DEBUG: Loader: Injecting process 4356 (thread 4360) with C:\k2ffbmig\dll\TjKeBkVB.dll.
2025-11-20 10:17:08,102 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-11-20 10:17:08,104 [root] DEBUG: Successfully injected DLL C:\k2ffbmig\dll\TjKeBkVB.dll.
2025-11-20 10:17:08,107 [lib.api.process] INFO: Injected into 64-bit <Process 4356 rundll32.exe>
2025-11-20 10:17:08,127 [root] DEBUG: 3148: InstrumentationCallback: Added region at 0x75A163DC (base 0x758D0000) to tracked regions list (thread 3096).
2025-11-20 10:17:08,128 [root] DEBUG: 3148: ProcessTrackedRegion: Region at 0x758D0000 mapped as \Device\HarddiskVolume2\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2025-11-20 10:17:08,130 [root] DEBUG: 3148: WriteMemoryHandler: shellcode at 0x0326BA78 (size 0x11c0) injected into process 4356 at 0xEE9E0000.
2025-11-20 10:17:08,134 [lib.common.results] INFO: Uploading file C:\PrCQdMR\CAPE\3148_1404208177204112025 to CAPE\0ad642e10c33385cfab3caf2833d9e0958886fffe8a6a2da724d13dc8b800f84; Size is 4449; Max size: 100000000
2025-11-20 10:17:08,141 [root] DEBUG: 3148: DumpMemory: Payload successfully created: C:\PrCQdMR\CAPE\3148_1404208177204112025 (size 4449 bytes)
2025-11-20 10:17:08,143 [root] DEBUG: 3148: WriteMemoryHandler: Dumped injected code/data from buffer.
2025-11-20 10:17:08,144 [root] INFO: Announced 64-bit process name: rundll32.exe pid: 4356
2025-11-20 10:17:08,146 [lib.api.process] INFO: Monitor config for <Process 4356 rundll32.exe>: C:\k2ffbmig\dll\4356.ini
2025-11-20 10:17:08,154 [lib.api.process] INFO: 64-bit DLL to inject is C:\k2ffbmig\dll\TjKeBkVB.dll, loader C:\k2ffbmig\bin\QxcuWWBV.exe
2025-11-20 10:17:08,166 [root] DEBUG: Loader: Injecting process 4356 (thread 4360) with C:\k2ffbmig\dll\TjKeBkVB.dll.
2025-11-20 10:17:08,169 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2025-11-20 10:17:08,171 [root] DEBUG: Successfully injected DLL C:\k2ffbmig\dll\TjKeBkVB.dll.
2025-11-20 10:17:08,174 [lib.api.process] INFO: Injected into 64-bit <Process 4356 rundll32.exe>
2025-11-20 10:17:08,176 [root] INFO: Announced 64-bit process name: rundll32.exe pid: 4356
2025-11-20 10:17:08,177 [lib.api.process] INFO: Monitor config for <Process 4356 rundll32.exe>: C:\k2ffbmig\dll\4356.ini
2025-11-20 10:17:08,185 [lib.api.process] INFO: 64-bit DLL to inject is C:\k2ffbmig\dll\TjKeBkVB.dll, loader C:\k2ffbmig\bin\QxcuWWBV.exe
2025-11-20 10:17:08,197 [root] DEBUG: Loader: Injecting process 4356 (thread 4360) with C:\k2ffbmig\dll\TjKeBkVB.dll.
2025-11-20 10:17:08,199 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2025-11-20 10:17:08,200 [root] DEBUG: Successfully injected DLL C:\k2ffbmig\dll\TjKeBkVB.dll.
2025-11-20 10:17:08,204 [lib.api.process] INFO: Injected into 64-bit <Process 4356 rundll32.exe>
2025-11-20 10:17:08,205 [root] INFO: Announced 64-bit process name: rundll32.exe pid: 4356
2025-11-20 10:17:08,207 [lib.api.process] INFO: Monitor config for <Process 4356 rundll32.exe>: C:\k2ffbmig\dll\4356.ini
2025-11-20 10:17:08,217 [lib.api.process] INFO: 64-bit DLL to inject is C:\k2ffbmig\dll\TjKeBkVB.dll, loader C:\k2ffbmig\bin\QxcuWWBV.exe
2025-11-20 10:17:08,232 [root] DEBUG: Loader: Injecting process 4356 (thread 4360) with C:\k2ffbmig\dll\TjKeBkVB.dll.
2025-11-20 10:17:08,234 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2025-11-20 10:17:08,235 [root] DEBUG: Successfully injected DLL C:\k2ffbmig\dll\TjKeBkVB.dll.
2025-11-20 10:17:08,239 [lib.api.process] INFO: Injected into 64-bit <Process 4356 rundll32.exe>
2025-11-20 10:17:08,252 [root] DEBUG: 4356: Python path set to 'C:\Users\Admin\AppData\Local\Programs\Python\Python313-32'.
2025-11-20 10:17:08,254 [root] DEBUG: 4356: Dropped file limit defaulting to 100.
2025-11-20 10:17:08,259 [root] DEBUG: 4356: Disabling sleep skipping.
2025-11-20 10:17:08,261 [root] DEBUG: 4356: YaraInit: Compiled rules loaded from existing file C:\k2ffbmig\data\yara\capemon.yac
2025-11-20 10:17:08,286 [root] DEBUG: 4356: RtlInsertInvertedFunctionTable 0x00007FFEE348090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEE35DD4F0
2025-11-20 10:17:08,288 [root] DEBUG: 4356: YaraScan: Scanning 0x00007FF6C1D60000, size 0x16100
2025-11-20 10:17:08,291 [root] DEBUG: 4356: Monitor initialised: 64-bit capemon loaded in process 4356 at 0x00007FFEB9130000, thread 4360, image base 0x00007FF6C1D60000, stack from 0x000000CA15D54000-0x000000CA15D60000
2025-11-20 10:17:08,293 [root] DEBUG: 4356: Commandline: "C:\Windows\system32\rundll32.exe" "C:\vesktop.zip\vesktop\ffmpeg.dll",#1
2025-11-20 10:17:08,304 [root] DEBUG: 4356: hook_api: LdrpCallInitRoutine export address 0x00007FFEE34899BC obtained via GetFunctionAddress
2025-11-20 10:17:08,365 [root] WARNING: b'Unable to place hook on LockResource'
2025-11-20 10:17:08,367 [root] DEBUG: 4356: set_hooks: Unable to hook LockResource
2025-11-20 10:17:08,379 [root] DEBUG: 4356: Hooked 619 out of 620 functions
2025-11-20 10:17:08,381 [root] DEBUG: 4356: Syscall hook installed, syscall logging level 1
2025-11-20 10:17:08,390 [root] DEBUG: 4356: RestoreHeaders: Restored original import table.
2025-11-20 10:17:08,391 [root] INFO: Loaded monitor into process with pid 4356
2025-11-20 10:17:08,393 [root] DEBUG: 4356: caller_dispatch: Added region at 0x00007FF6C1D60000 to tracked regions list (kernel32::SetUnhandledExceptionFilter returns to 0x00007FF6C1D66D01, thread 4360).
2025-11-20 10:17:08,395 [root] DEBUG: 4356: YaraScan: Scanning 0x00007FF6C1D60000, size 0x16100
2025-11-20 10:17:08,398 [root] DEBUG: 4356: ProcessImageBase: Main module image at 0x00007FF6C1D60000 unmodified (entropy change 0.000000e+00)
2025-11-20 10:17:08,412 [root] DEBUG: 4356: Target DLL loaded at 0x00007FFEC3F00000: C:\vesktop.zip\vesktop\ffmpeg (0x3cf000 bytes).
2025-11-20 10:17:08,414 [root] DEBUG: 4356: YaraScan: Scanning 0x00007FFEC3F00000, size 0x3ce674
2025-11-20 10:17:08,489 [root] DEBUG: 4356: caller_dispatch: Added region at 0x00007FFEC3F00000 to tracked regions list (ntdll::LdrLoadDll returns to 0x00007FFEC3FE867B, thread 4360).
2025-11-20 10:17:08,491 [root] DEBUG: 4356: caller_dispatch: Scanning calling region at 0x00007FFEC3F00000...
2025-11-20 10:17:08,499 [root] DEBUG: 4356: DLL loaded at 0x00007FFEDE5B0000: C:\Windows\system32\uxtheme (0x9e000 bytes).
2025-11-20 10:17:08,504 [root] DEBUG: 4356: DLL loaded at 0x00007FFEE21A0000: C:\Windows\System32\MSCTF (0x114000 bytes).
2025-11-20 10:17:08,514 [root] DEBUG: 4356: Target DLL unloading from 0x00007FFEC3F00000: code modification detected, dumping.
2025-11-20 10:17:08,516 [root] DEBUG: 4356: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2025-11-20 10:17:08,518 [root] DEBUG: 4356: DumpProcess: Instantiating PeParser with address: 0x00007FFEC3F00000.
2025-11-20 10:17:08,520 [root] DEBUG: 4356: DumpProcess: Module entry point VA is 0x00000000000BA680.
2025-11-20 10:17:08,571 [lib.common.results] INFO: Uploading file C:\PrCQdMR\CAPE\4356_169758758177204112025 to procdump\6313a69e16fb0f579ce178a2bd66d1e3ed23e1b983ee0a7f4bf0557539341a47; Size is 3963904; Max size: 100000000
2025-11-20 10:17:08,613 [root] DEBUG: 4356: DumpProcess: Module image dump success - dump size 0x3c7c00.
2025-11-20 10:17:08,622 [root] INFO: Process with pid 4356 has terminated
2025-11-20 10:17:08,630 [root] DEBUG: 3148: NtTerminateProcess hook: Attempting to dump process 3148
2025-11-20 10:17:08,631 [root] DEBUG: 3148: DoProcessDump: Skipping process dump as code is identical on disk.
2025-11-20 10:17:08,644 [root] INFO: Process with pid 3148 has terminated
2025-11-20 10:17:09,971 [lib.api.process] INFO: Successfully resumed <Process 4184 rundll32.exe>
2025-11-20 10:17:09,976 [lib.core.compound] INFO: C:\Temp already exists, skipping creation
2025-11-20 10:17:09,986 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\system32\rundll32.exe" with arguments ""C:\vesktop.zip\vesktop\libEGL.dll",#1" with pid 4716
2025-11-20 10:17:09,989 [lib.api.process] INFO: Monitor config for <Process 4716 rundll32.exe>: C:\k2ffbmig\dll\4716.ini
2025-11-20 10:17:10,000 [lib.api.process] INFO: 32-bit DLL to inject is C:\k2ffbmig\dll\VGCgjUjb.dll, loader C:\k2ffbmig\bin\oLlatlP.exe
2025-11-20 10:17:10,005 [root] DEBUG: 4184: Python path set to 'C:\Users\Admin\AppData\Local\Programs\Python\Python313-32'.
2025-11-20 10:17:10,007 [root] DEBUG: 4184: Dropped file limit defaulting to 100.
2025-11-20 10:17:10,015 [root] DEBUG: 4184: Disabling sleep skipping.
2025-11-20 10:17:10,019 [root] DEBUG: 4184: YaraInit: Compiled rules loaded from existing file C:\k2ffbmig\data\yara\capemon.yac
2025-11-20 10:17:10,022 [root] DEBUG: 4184: YaraScan: Scanning 0x00280000, size 0x136e8
2025-11-20 10:17:10,023 [root] DEBUG: Loader: Injecting process 4716 (thread 4720) with C:\k2ffbmig\dll\VGCgjUjb.dll.
2025-11-20 10:17:10,025 [root] DEBUG: 4184: Monitor initialised: 32-bit capemon loaded in process 4184 at 0x72e90000, thread 4188, image base 0x280000, stack from 0x30c4000-0x30d0000
2025-11-20 10:17:10,027 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-11-20 10:17:10,030 [root] DEBUG: 4184: Commandline: "C:\Windows\system32\rundll32.exe" "C:\vesktop.zip\vesktop\icudtl.dat",#1
2025-11-20 10:17:10,033 [root] DEBUG: Successfully injected DLL C:\k2ffbmig\dll\VGCgjUjb.dll.
2025-11-20 10:17:10,039 [lib.api.process] INFO: Injected into 32-bit <Process 4716 rundll32.exe>
2025-11-20 10:17:10,074 [root] DEBUG: 4184: hook_api: LdrpCallInitRoutine export address 0x76FC2B50 obtained via GetFunctionAddress
2025-11-20 10:17:10,079 [root] DEBUG: 4184: hook_api: Warning - CreateProcessA export address 0x76552D70 differs from GetProcAddress -> 0x731F22A0 (AcLayers.DLL::0x222a0)
2025-11-20 10:17:10,082 [root] DEBUG: 4184: hook_api: Warning - CreateProcessW export address 0x765388E0 differs from GetProcAddress -> 0x731F24E0 (AcLayers.DLL::0x224e0)
2025-11-20 10:17:10,083 [root] DEBUG: 4184: hook_api: Warning - WinExec export address 0x7657CF20 differs from GetProcAddress -> 0x731F27A0 (AcLayers.DLL::0x227a0)
2025-11-20 10:17:10,114 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2025-11-20 10:17:10,117 [root] DEBUG: 4184: set_hooks: Unable to hook GetCommandLineA
2025-11-20 10:17:10,119 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2025-11-20 10:17:10,120 [root] DEBUG: 4184: set_hooks: Unable to hook GetCommandLineW
2025-11-20 10:17:10,132 [root] DEBUG: 4184: Hooked 625 out of 627 functions
2025-11-20 10:17:10,134 [root] DEBUG: 4184: Syscall hook installed, syscall logging level 1
2025-11-20 10:17:10,140 [root] DEBUG: 4184: RestoreHeaders: Restored original import table.
2025-11-20 10:17:10,141 [root] INFO: Loaded monitor into process with pid 4184
2025-11-20 10:17:10,144 [root] DEBUG: 4184: caller_dispatch: Added region at 0x00280000 to tracked regions list (ntdll::memcpy returns to 0x00285F1A, thread 4188).
2025-11-20 10:17:10,145 [root] DEBUG: 4184: YaraScan: Scanning 0x00280000, size 0x136e8
2025-11-20 10:17:10,148 [root] DEBUG: 4184: ProcessImageBase: Main module image at 0x00280000 unmodified (entropy change 0.000000e+00)
2025-11-20 10:17:10,167 [root] DEBUG: 4184: InstrumentationCallback: Added region at 0x7654274C (base 0x76520000) to tracked regions list (thread 4188).
2025-11-20 10:17:10,168 [root] DEBUG: 4184: ProcessTrackedRegion: Region at 0x76520000 mapped as \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll is in known range, skipping
2025-11-20 10:17:10,202 [root] DEBUG: 4184: InstrumentationCallback: Added region at 0x75A163AC (base 0x758D0000) to tracked regions list (thread 4188).
2025-11-20 10:17:10,203 [root] DEBUG: 4184: ProcessTrackedRegion: Region at 0x758D0000 mapped as \Device\HarddiskVolume2\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2025-11-20 10:17:10,215 [root] DEBUG: 4184: DLL loaded at 0x72DF0000: C:\Windows\SYSTEM32\TextShaping (0x95000 bytes).
2025-11-20 10:17:10,253 [root] DEBUG: 4184: DLL loaded at 0x739F0000: C:\Windows\system32\uxtheme (0x74000 bytes).
2025-11-20 10:17:10,260 [root] DEBUG: 4184: DLL loaded at 0x76BD0000: C:\Windows\System32\MSCTF (0xd4000 bytes).
2025-11-20 10:17:10,281 [root] DEBUG: 4184: set_hooks_by_export_directory: Hooked 0 out of 627 functions
2025-11-20 10:17:10,283 [root] DEBUG: 4184: DLL loaded at 0x73B80000: C:\Windows\SYSTEM32\kernel.appcore (0xf000 bytes).
2025-11-20 10:17:10,288 [root] DEBUG: 4184: DLL loaded at 0x75800000: C:\Windows\System32\bcryptPrimitives (0x5f000 bytes).
2025-11-20 10:17:10,328 [root] DEBUG: 4184: DLL loaded at 0x73560000: C:\Windows\SYSTEM32\ntmarta (0x29000 bytes).
2025-11-20 10:17:10,330 [root] DEBUG: 4184: DLL loaded at 0x72A10000: C:\Windows\System32\CoreMessaging (0x9b000 bytes).
2025-11-20 10:17:10,331 [root] DEBUG: 4184: DLL loaded at 0x72930000: C:\Windows\SYSTEM32\wintypes (0xdc000 bytes).
2025-11-20 10:17:10,333 [root] DEBUG: 4184: DLL loaded at 0x72AB0000: C:\Windows\System32\CoreUIComponents (0x27f000 bytes).
2025-11-20 10:17:10,335 [root] DEBUG: 4184: DLL loaded at 0x72D30000: C:\Windows\SYSTEM32\textinputframework (0xb9000 bytes).
2025-11-20 10:17:12,043 [lib.api.process] INFO: Successfully resumed <Process 4716 rundll32.exe>
2025-11-20 10:17:12,046 [lib.core.compound] INFO: C:\Temp already exists, skipping creation
2025-11-20 10:17:12,054 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\system32\rundll32.exe" with arguments ""C:\vesktop.zip\vesktop\libGLESv2.dll",#1" with pid 4972
2025-11-20 10:17:12,055 [lib.api.process] INFO: Monitor config for <Process 4972 rundll32.exe>: C:\k2ffbmig\dll\4972.ini
2025-11-20 10:17:12,065 [lib.api.process] INFO: 32-bit DLL to inject is C:\k2ffbmig\dll\VGCgjUjb.dll, loader C:\k2ffbmig\bin\oLlatlP.exe
2025-11-20 10:17:12,070 [root] DEBUG: 4716: Python path set to 'C:\Users\Admin\AppData\Local\Programs\Python\Python313-32'.
2025-11-20 10:17:12,072 [root] DEBUG: 4716: Dropped file limit defaulting to 100.
2025-11-20 10:17:12,077 [root] DEBUG: 4716: Disabling sleep skipping.
2025-11-20 10:17:12,079 [root] DEBUG: Loader: Injecting process 4972 (thread 4976) with C:\k2ffbmig\dll\VGCgjUjb.dll.
2025-11-20 10:17:12,081 [root] DEBUG: 4716: YaraInit: Compiled rules loaded from existing file C:\k2ffbmig\data\yara\capemon.yac
2025-11-20 10:17:12,083 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-11-20 10:17:12,084 [root] DEBUG: 4716: YaraScan: Scanning 0x00280000, size 0x136e8
2025-11-20 10:17:12,086 [root] DEBUG: Successfully injected DLL C:\k2ffbmig\dll\VGCgjUjb.dll.
2025-11-20 10:17:12,087 [root] DEBUG: 4716: Monitor initialised: 32-bit capemon loaded in process 4716 at 0x72e90000, thread 4720, image base 0x280000, stack from 0x2a94000-0x2aa0000
2025-11-20 10:17:12,088 [root] DEBUG: 4716: Commandline: "C:\Windows\system32\rundll32.exe" "C:\vesktop.zip\vesktop\libEGL.dll",#1
2025-11-20 10:17:12,089 [lib.api.process] INFO: Injected into 32-bit <Process 4972 rundll32.exe>
2025-11-20 10:17:12,123 [root] DEBUG: 4716: hook_api: LdrpCallInitRoutine export address 0x76FC2B50 obtained via GetFunctionAddress
2025-11-20 10:17:12,169 [root] DEBUG: 4716: hook_api: Warning - CreateProcessA export address 0x76552D70 differs from GetProcAddress -> 0x731F22A0 (AcLayers.DLL::0x222a0)
2025-11-20 10:17:12,171 [root] DEBUG: 4716: hook_api: Warning - CreateProcessW export address 0x765388E0 differs from GetProcAddress -> 0x731F24E0 (AcLayers.DLL::0x224e0)
2025-11-20 10:17:12,172 [root] DEBUG: 4716: hook_api: Warning - WinExec export address 0x7657CF20 differs from GetProcAddress -> 0x731F27A0 (AcLayers.DLL::0x227a0)
2025-11-20 10:17:12,212 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2025-11-20 10:17:12,214 [root] DEBUG: 4716: set_hooks: Unable to hook GetCommandLineA
2025-11-20 10:17:12,216 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2025-11-20 10:17:12,217 [root] DEBUG: 4716: set_hooks: Unable to hook GetCommandLineW
2025-11-20 10:17:12,230 [root] DEBUG: 4716: Hooked 625 out of 627 functions
2025-11-20 10:17:12,232 [root] DEBUG: 4716: Syscall hook installed, syscall logging level 1
2025-11-20 10:17:12,238 [root] DEBUG: 4716: RestoreHeaders: Restored original import table.
2025-11-20 10:17:12,239 [root] INFO: Loaded monitor into process with pid 4716
2025-11-20 10:17:12,241 [root] DEBUG: 4716: caller_dispatch: Added region at 0x00280000 to tracked regions list (ntdll::memcpy returns to 0x00285F1A, thread 4720).
2025-11-20 10:17:12,243 [root] DEBUG: 4716: YaraScan: Scanning 0x00280000, size 0x136e8
2025-11-20 10:17:12,246 [root] DEBUG: 4716: ProcessImageBase: Main module image at 0x00280000 unmodified (entropy change 0.000000e+00)
2025-11-20 10:17:12,269 [root] DEBUG: 4716: InstrumentationCallback: Added region at 0x7654274C (base 0x76520000) to tracked regions list (thread 4720).
2025-11-20 10:17:12,270 [root] DEBUG: 4716: ProcessTrackedRegion: Region at 0x76520000 mapped as \Device\HarddiskVolume2\Windows\SysWOW64\kernel32.dll is in known range, skipping
2025-11-20 10:17:12,277 [root] DEBUG: 4716: CreateProcessHandler: Injection info set for new process 4100: C:\Windows\system32\rundll32.exe, ImageBase: 0x00000000
2025-11-20 10:17:12,278 [root] INFO: Announced 64-bit process name: rundll32.exe pid: 4100
2025-11-20 10:17:12,281 [lib.api.process] INFO: Monitor config for <Process 4100 rundll32.exe>: C:\k2ffbmig\dll\4100.ini
2025-11-20 10:17:12,288 [lib.api.process] INFO: 64-bit DLL to inject is C:\k2ffbmig\dll\TjKeBkVB.dll, loader C:\k2ffbmig\bin\QxcuWWBV.exe
2025-11-20 10:17:12,299 [root] DEBUG: Loader: Injecting process 4100 (thread 4112) with C:\k2ffbmig\dll\TjKeBkVB.dll.
2025-11-20 10:17:12,301 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-11-20 10:17:12,303 [root] DEBUG: Successfully injected DLL C:\k2ffbmig\dll\TjKeBkVB.dll.
2025-11-20 10:17:12,306 [lib.api.process] INFO: Injected into 64-bit <Process 4100 rundll32.exe>
2025-11-20 10:17:12,324 [root] DEBUG: 4716: InstrumentationCallback: Added region at 0x75A163DC (base 0x758D0000) to tracked regions list (thread 4720).
2025-11-20 10:17:12,326 [root] DEBUG: 4716: ProcessTrackedRegion: Region at 0x758D0000 mapped as \Device\HarddiskVolume2\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2025-11-20 10:17:12,327 [root] DEBUG: 4716: WriteMemoryHandler: shellcode at 0x02CFB670 (size 0x11c0) injected into process 4100 at 0xB80E0000.
2025-11-20 10:17:12,333 [lib.common.results] INFO: Uploading file C:\PrCQdMR\CAPE\4716_651446912177204112025 to CAPE\673cecd0cd8909f665ccfe44ded1b34c366d412e96be8442920371c16d43f294; Size is 4449; Max size: 100000000
2025-11-20 10:17:12,340 [root] DEBUG: 4716: DumpMemory: Payload successfully created: C:\PrCQdMR\CAPE\4716_651446912177204112025 (size 4449 bytes)
2025-11-20 10:17:12,341 [root] DEBUG: 4716: WriteMemoryHandler: Dumped injected code/data from buffer.
2025-11-20 10:17:12,343 [root] INFO: Announced 64-bit process name: rundll32.exe pid: 4100
2025-11-20 10:17:12,344 [lib.api.process] INFO: Monitor config for <Process 4100 rundll32.exe>: C:\k2ffbmig\dll\4100.ini
2025-11-20 10:17:12,356 [lib.api.process] INFO: 64-bit DLL to inject is C:\k2ffbmig\dll\TjKeBkVB.dll, loader C:\k2ffbmig\bin\QxcuWWBV.exe
2025-11-20 10:17:12,368 [root] DEBUG: Loader: Injecting process 4100 (thread 4112) with C:\k2ffbmig\dll\TjKeBkVB.dll.
2025-11-20 10:17:12,370 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2025-11-20 10:17:12,371 [root] DEBUG: Successfully injected DLL C:\k2ffbmig\dll\TjKeBkVB.dll.
2025-11-20 10:17:12,374 [lib.api.process] INFO: Injected into 64-bit <Process 4100 rundll32.exe>
2025-11-20 10:17:12,376 [root] INFO: Announced 64-bit process name: rundll32.exe pid: 4100
2025-11-20 10:17:12,378 [lib.api.process] INFO: Monitor config for <Process 4100 rundll32.exe>: C:\k2ffbmig\dll\4100.ini
2025-11-20 10:17:12,387 [lib.api.process] INFO: 64-bit DLL to inject is C:\k2ffbmig\dll\TjKeBkVB.dll, loader C:\k2ffbmig\bin\QxcuWWBV.exe
2025-11-20 10:17:12,397 [root] DEBUG: Loader: Injecting process 4100 (thread 4112) with C:\k2ffbmig\dll\TjKeBkVB.dll.
2025-11-20 10:17:12,399 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2025-11-20 10:17:12,401 [root] DEBUG: Successfully injected DLL C:\k2ffbmig\dll\TjKeBkVB.dll.
2025-11-20 10:17:12,405 [lib.api.process] INFO: Injected into 64-bit <Process 4100 rundll32.exe>
2025-11-20 10:17:12,407 [root] INFO: Announced 64-bit process name: rundll32.exe pid: 4100
2025-11-20 10:17:12,408 [lib.api.process] INFO: Monitor config for <Process 4100 rundll32.exe>: C:\k2ffbmig\dll\4100.ini
2025-11-20 10:17:12,416 [lib.api.process] INFO: 64-bit DLL to inject is C:\k2ffbmig\dll\TjKeBkVB.dll, loader C:\k2ffbmig\bin\QxcuWWBV.exe
2025-11-20 10:17:12,425 [root] DEBUG: Loader: Injecting process 4100 (thread 4112) with C:\k2ffbmig\dll\TjKeBkVB.dll.
2025-11-20 10:17:12,427 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2025-11-20 10:17:12,428 [root] DEBUG: Successfully injected DLL C:\k2ffbmig\dll\TjKeBkVB.dll.
2025-11-20 10:17:12,430 [lib.api.process] INFO: Injected into 64-bit <Process 4100 rundll32.exe>
2025-11-20 10:17:12,444 [root] DEBUG: 4100: Python path set to 'C:\Users\Admin\AppData\Local\Programs\Python\Python313-32'.
2025-11-20 10:17:12,445 [root] DEBUG: 4100: Dropped file limit defaulting to 100.
2025-11-20 10:17:12,449 [root] DEBUG: 4100: Disabling sleep skipping.
2025-11-20 10:17:12,452 [root] DEBUG: 4100: YaraInit: Compiled rules loaded from existing file C:\k2ffbmig\data\yara\capemon.yac
2025-11-20 10:17:12,477 [root] DEBUG: 4100: RtlInsertInvertedFunctionTable 0x00007FFEE348090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEE35DD4F0
2025-11-20 10:17:12,479 [root] DEBUG: 4100: YaraScan: Scanning 0x00007FF6C1D60000, size 0x16100
2025-11-20 10:17:12,483 [root] DEBUG: 4100: Monitor initialised: 64-bit capemon loaded in process 4100 at 0x00007FFEB9130000, thread 4112, image base 0x00007FF6C1D60000, stack from 0x000000EB63F24000-0x000000EB63F30000
2025-11-20 10:17:12,485 [root] DEBUG: 4100: Commandline: "C:\Windows\system32\rundll32.exe" "C:\vesktop.zip\vesktop\libEGL.dll",#1
2025-11-20 10:17:12,497 [root] DEBUG: 4100: hook_api: LdrpCallInitRoutine export address 0x00007FFEE34899BC obtained via GetFunctionAddress
2025-11-20 10:17:12,567 [root] WARNING: b'Unable to place hook on LockResource'
2025-11-20 10:17:12,568 [root] DEBUG: 4100: set_hooks: Unable to hook LockResource
2025-11-20 10:17:12,580 [root] DEBUG: 4100: Hooked 619 out of 620 functions
2025-11-20 10:17:12,583 [root] DEBUG: 4100: Syscall hook installed, syscall logging level 1
2025-11-20 10:17:12,592 [root] DEBUG: 4100: RestoreHeaders: Restored original import table.
2025-11-20 10:17:12,593 [root] INFO: Loaded monitor into process with pid 4100
2025-11-20 10:17:12,594 [root] DEBUG: 4100: caller_dispatch: Added region at 0x00007FF6C1D60000 to tracked regions list (kernel32::SetUnhandledExceptionFilter returns to 0x00007FF6C1D66D01, thread 4112).
2025-11-20 10:17:12,596 [root] DEBUG: 4100: YaraScan: Scanning 0x00007FF6C1D60000, size 0x16100
2025-11-20 10:17:12,600 [root] DEBUG: 4100: ProcessImageBase: Main module image at 0x00007FF6C1D60000 unmodified (entropy change 0.000000e+00)
2025-11-20 10:17:12,614 [root] DEBUG: 4100: Target DLL loaded at 0x00007FFED5DD0000: C:\vesktop.zip\vesktop\libEGL (0x86000 bytes).
2025-11-20 10:17:12,616 [root] DEBUG: 4100: YaraScan: Scanning 0x00007FFED5DD0000, size 0x85c4e
2025-11-20 10:17:12,628 [root] DEBUG: 4100: caller_dispatch: Added region at 0x00007FFED5DD0000 to tracked regions list (ntdll::LdrLoadDll returns to 0x00007FFED5E17337, thread 4112).
2025-11-20 10:17:12,630 [root] DEBUG: 4100: caller_dispatch: Scanning calling region at 0x00007FFED5DD0000...
2025-11-20 10:17:12,638 [root] DEBUG: 4100: DLL loaded at 0x00007FFEDE5B0000: C:\Windows\system32\uxtheme (0x9e000 bytes).
2025-11-20 10:17:12,642 [root] DEBUG: 4100: DLL loaded at 0x00007FFEE21A0000: C:\Windows\System32\MSCTF (0x114000 bytes).
2025-11-20 10:17:12,652 [root] DEBUG: 4100: DLL loaded at 0x00007FFEDF450000: C:\Windows\system32\dxgi (0xf3000 bytes).
2025-11-20 10:17:12,653 [root] DEBUG: 4100: DLL loaded at 0x00007FFEC3C70000: C:\vesktop.zip\vesktop\libGLESv2 (0x814000 bytes).
2025-11-20 10:17:12,664 [root] DEBUG: 4100: Target DLL unloading from 0x00007FFED5DD0000: code modification detected, dumping.
2025-11-20 10:17:12,665 [root] DEBUG: 4100: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2025-11-20 10:17:12,667 [root] DEBUG: 4100: DumpProcess: Instantiating PeParser with address: 0x00007FFED5DD0000.
2025-11-20 10:17:12,668 [root] DEBUG: 4100: DumpProcess: Module entry point VA is 0x0000000000020950.
2025-11-20 10:17:12,682 [lib.common.results] INFO: Uploading file C:\PrCQdMR\CAPE\4100_808744112177204112025 to procdump\e3059907218f7d6e631af937e371fd924e1457c13a27a25bc2bc16f12abddbb2; Size is 515584; Max size: 100000000
2025-11-20 10:17:12,691 [root] DEBUG: 4100: DumpProcess: Module image dump success - dump size 0x7de00.
2025-11-20 10:17:12,700 [root] INFO: Process with pid 4100 has terminated
2025-11-20 10:17:12,708 [root] DEBUG: 4716: NtTerminateProcess hook: Attempting to dump process 4716
2025-11-20 10:17:12,711 [root] DEBUG: 4716: DoProcessDump: Skipping process dump as code is identical on disk.
2025-11-20 10:17:12,722 [root] INFO: Process with pid 4716 has terminated
2025-11-20 10:17:14,101 [lib.api.process] INFO: Successfully resumed <Process 4972 rundll32.exe>
2025-11-20 10:17:14,104 [root] ERROR: You probably submitted the job with wrong package
Traceback (most recent call last):
File "C:\k2ffbmig/analyzer.py", line 620, in run
pids = self.package.start(self.target)
File "C:\k2ffbmig\modules\packages\archive.py", line 148, in start
ret_list.append(self.execute_interesting_file(root, interesting_file, file_path))
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\k2ffbmig\lib\common\abstracts.py", line 290, in execute_interesting_file
edge = self.get_path("msedge.exe")
File "C:\k2ffbmig\lib\common\abstracts.py", line 135, in get_path
raise CuckooPackageError(f"Unable to find any {application} executable")
lib.common.exceptions.CuckooPackageError: Unable to find any msedge.exe executable
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "C:\k2ffbmig/analyzer.py", line 1521, in <module>
success = analyzer.run()
File "C:\k2ffbmig/analyzer.py", line 624, in run
raise CuckooError(f'The package "{self.package_name}" start function raised an error: {e}') from e
lib.common.exceptions.CuckooError: The package "modules.packages.archive" start function raised an error: Unable to find any msedge.exe executable
2025-11-20 10:17:14,137 [root] DEBUG: 4972: Python path set to 'C:\Users\Admin\AppData\Local\Programs\Python\Python313-32'.
2025-11-20 10:17:14,155 [root] DEBUG: 4972: Dropped file limit defaulting to 100.
2025-11-20 10:17:14,161 [root] WARNING: Folder at path "C:\PrCQdMR\debugger" does not exist, skipping
2025-11-20 10:17:14,163 [root] DEBUG: 4972: Disabling sleep skipping.
2025-11-20 10:17:14,163 [root] WARNING: Folder at path "C:\PrCQdMR\tlsdump" does not exist, skipping
2025-11-20 10:17:14,165 [root] DEBUG: 4972: YaraInit: Compiled rules loaded from existing file C:\k2ffbmig\data\yara\capemon.yac
2025-11-20 10:17:14,279 [root] INFO: Analysis completed
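The facts an analyst needs from this run are scattered across hundreds of lines: the analyzer launches rundll32 with each extracted DLL and ordinal #1, the 32-bit rundll32 (4716) handed libEGL.dll spawns a 64-bit rundll32 (4100) with the same command line, the monitor catches a 0x11c0-byte write from 4716 into 4100 and dumps the buffer, libEGL is dumped on unload because its code was modified, hook coverage is incomplete in both processes, and the run ends in a package error because msedge.exe is absent from the guest. The following Python is an added example, not CAPE's own code: it reduces such log lines to those facts. The excerpt it parses is copied from this page, the regexes match only the message formats that appear here, and the dictionary layout is an assumption of the example.

```python
import re

# Excerpt of the CAPE analyzer log above: lines copied from this page (the
# DLL-load noise between them is omitted), not constructed.
SAMPLE_LOG = [
    r'2025-11-20 10:17:12,054 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\system32\rundll32.exe" with arguments ""C:\vesktop.zip\vesktop\libGLESv2.dll",#1" with pid 4972',
    r'2025-11-20 10:17:12,088 [root] DEBUG: 4716: Commandline: "C:\Windows\system32\rundll32.exe" "C:\vesktop.zip\vesktop\libEGL.dll",#1',
    r'2025-11-20 10:17:12,230 [root] DEBUG: 4716: Hooked 625 out of 627 functions',
    r'2025-11-20 10:17:12,277 [root] DEBUG: 4716: CreateProcessHandler: Injection info set for new process 4100: C:\Windows\system32\rundll32.exe, ImageBase: 0x00000000',
    r'2025-11-20 10:17:12,327 [root] DEBUG: 4716: WriteMemoryHandler: shellcode at 0x02CFB670 (size 0x11c0) injected into process 4100 at 0xB80E0000.',
    r'2025-11-20 10:17:12,485 [root] DEBUG: 4100: Commandline: "C:\Windows\system32\rundll32.exe" "C:\vesktop.zip\vesktop\libEGL.dll",#1',
    r'2025-11-20 10:17:12,580 [root] DEBUG: 4100: Hooked 619 out of 620 functions',
    r'2025-11-20 10:17:12,614 [root] DEBUG: 4100: Target DLL loaded at 0x00007FFED5DD0000: C:\vesktop.zip\vesktop\libEGL (0x86000 bytes).',
    r'2025-11-20 10:17:12,664 [root] DEBUG: 4100: Target DLL unloading from 0x00007FFED5DD0000: code modification detected, dumping.',
    r'2025-11-20 10:17:12,691 [root] DEBUG: 4100: DumpProcess: Module image dump success - dump size 0x7de00.',
    r'2025-11-20 10:17:12,700 [root] INFO: Process with pid 4100 has terminated',
    r'2025-11-20 10:17:12,711 [root] DEBUG: 4716: DoProcessDump: Skipping process dump as code is identical on disk.',
    r'2025-11-20 10:17:12,722 [root] INFO: Process with pid 4716 has terminated',
    r'lib.common.exceptions.CuckooError: The package "modules.packages.archive" start function raised an error: Unable to find any msedge.exe executable',
]

HEX = r'0x[0-9a-fA-F]+'
# Analyzer line format seen above: "<date> <time> [<logger>] <LEVEL>: [<pid>: ]<message>"
LINE_RE = re.compile(r'^\S+ \S+ \[[^\]]+\] \w+: (?:(?P<pid>\d+): )?(?P<msg>.*)$')
EXEC_RE = re.compile(r'executed process from path "(?P<path>[^"]+)" with arguments "(?P<args>.*)" with pid (?P<pid>\d+)$')
CMD_RE = re.compile(r'^Commandline: (?P<cmd>.*)$')
HOOK_RE = re.compile(r'^Hooked (?P<n>\d+) out of (?P<m>\d+) functions')
CHILD_RE = re.compile(r'^CreateProcessHandler: Injection info set for new process (?P<child>\d+):')
WRITE_RE = re.compile(rf'^WriteMemoryHandler: .*\(size (?P<size>{HEX})\) injected into process (?P<dst>\d+) at ')
TARGET_RE = re.compile(rf'^Target DLL loaded at (?P<base>{HEX}): (?P<path>.*?) \({HEX} bytes\)')
MOD_RE = re.compile(rf'^Target DLL unloading from (?P<base>{HEX}): code modification detected')
DUMP_RE = re.compile(rf'^DumpProcess: Module image dump success - dump size (?P<size>{HEX})')
TERM_RE = re.compile(r'^Process with pid (?P<pid>\d+) has terminated$')
RUNDLL_RE = re.compile(r'"(?P<dll>[^"]+\.dll)",#(?P<ordinal>\d+)', re.IGNORECASE)  # rundll32 "<dll>",#<ordinal>
ABORT_RE = re.compile(r'CuckooError: (?P<reason>.*)$')


def _proc(procs, pid):
    # Per-process record; the field set is this example's own choice.
    return procs.setdefault(pid, {"cmdline": "", "dll": None, "parent": None, "hooked": None,
                                  "targets": {}, "modified": [], "terminated": False})


def _set_cmdline(p, cmd):
    p["cmdline"] = cmd
    d = RUNDLL_RE.search(cmd)
    p["dll"] = d.group("dll") if d else None     # which DLL rundll32 was told to load


def parse_cape_log(lines):
    """Reduce analyzer log lines to per-process facts plus cross-process events."""
    procs, writes, dumps, aborted = {}, [], [], None
    for raw in lines:
        if (m := ABORT_RE.search(raw)):
            aborted = m.group("reason")          # package error: the run did not finish
            continue
        lm = LINE_RE.match(raw)
        if not lm:
            continue
        pid = int(lm.group("pid")) if lm.group("pid") else None
        msg = lm.group("msg")
        if (m := EXEC_RE.search(msg)):           # the analyzer started this process itself
            _set_cmdline(_proc(procs, int(m.group("pid"))), f'"{m.group("path")}" {m.group("args")}')
        elif (m := TERM_RE.match(msg)):
            _proc(procs, int(m.group("pid")))["terminated"] = True
        elif pid is None:
            continue                             # the rest are capemon messages, always pid-prefixed
        elif (m := CMD_RE.match(msg)):
            _set_cmdline(_proc(procs, pid), m.group("cmd"))
        elif (m := HOOK_RE.match(msg)):
            _proc(procs, pid)["hooked"] = (int(m.group("n")), int(m.group("m")))
        elif (m := CHILD_RE.match(msg)):         # hooked CreateProcess: the prefix pid is the parent
            _proc(procs, int(m.group("child")))["parent"] = pid
        elif (m := WRITE_RE.match(msg)):         # hooked write into another process
            writes.append((pid, int(m.group("dst")), int(m.group("size"), 16)))
        elif (m := TARGET_RE.match(msg)):        # remember base -> path so the unload can be named
            _proc(procs, pid)["targets"][m.group("base").lower()] = m.group("path")
        elif (m := MOD_RE.match(msg)):
            p = _proc(procs, pid)
            p["modified"].append(p["targets"].get(m.group("base").lower(), m.group("base")))
        elif (m := DUMP_RE.match(msg)):
            dumps.append((pid, int(m.group("size"), 16)))
    return {"procs": procs, "writes": writes, "dumps": dumps, "aborted": aborted}


def findings(summary):
    """The short list an analyst reads before anything else in the report."""
    out = []
    for pid, p in sorted(summary["procs"].items()):
        if p["dll"]:
            out.append(f"pid {pid}: rundll32 loaded {p['dll']}")
        if p["parent"] is not None:
            out.append(f"pid {pid}: spawned by pid {p['parent']}")
        if p["hooked"] and p["hooked"][0] < p["hooked"][1]:
            out.append(f"pid {pid}: hook coverage {p['hooked'][0]}/{p['hooked'][1]}, some APIs unmonitored")
        for path in p["modified"]:
            out.append(f"pid {pid}: code modification in {path}, image dumped")
    out += [f"pid {s}: cross-process write of {n:#x} bytes into pid {d}" for s, d, n in summary["writes"]]
    if summary["aborted"]:
        out.append(f"analysis aborted: {summary['aborted']}; empty network sections are not evidence of benign behaviour")
    return out


if __name__ == "__main__":
    for line in findings(parse_cape_log(SAMPLE_LOG)):
        print(line)
```

The last finding is the one that matters for this report: the package raised before the remaining archive members were executed, so the empty network tables below describe a truncated run rather than a clean verdict, and the 4716-to-4100 write buffer and the modified libEGL image that CAPE dumped are what to inspect next.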
| Name | Label | Manager | Started On | Shutdown On | Route |
|---|---|---|---|---|---|
| MalwareGuest | MalwareGuest | Proxmox | 2025-11-20 10:16:48 | 2025-11-20 10:17:47 | none |
| File Name | vesktop.zip |
|---|---|
| File Type | Zip archive data, at least v2.0 to extract, compression method=store |
| File Size | 135061806 bytes |
| MD5 | 9a1d172568840dbe2f418d1c654e014f |
| SHA1 | b6bcf497e0152a81569be8b80862a9b85c5c3f00 |
| SHA256 | 7fbde6d9eeede9c499b47cdf6c5fe916cbfde7e768c354b902e821755875470e |
| SHA3-384 | f6783ae7900f46ddc678f1befda4483861be82a925fc1b9a8703284c406ab40a4ea9c7371a5b5557880be76c5124242b |
| CRC32 | D66A2DD8 |
| TLSH | T1055833A3C47321CBA5652D3EBE82BCF7E6273D4321BACC0625655253378A2DA9337711 |
| Ssdeep | 3145728:VfWpuXy+rf8RAP9lX/K4/52IbJ/TvtjmYQtgLQYVDm1NVRuTGV:VfWpuXy+rfEAPPX/X2IhTVPQ2LLgNVRb |
No hosts contacted.
No domains contacted.
No TCP connections recorded.
No UDP connections recorded.
No HTTP(s) requests performed.
No SMTP traffic performed.
No IRC requests performed.
No ICMP traffic performed.
No CIF Results
No Suricata Alerts
No Suricata TLS
No Suricata HTTP