Analysis

Category: FILE
Package: python
Started: 2025-11-20 14:25:54
Completed: 2025-11-20 14:26:44
Duration: 50 seconds

Analysis Log
2025-11-20 02:03:38,603 [root] INFO: Date set to: 20251120T14:25:54, timeout set to: 200
2025-11-20 14:25:54,024 [root] DEBUG: Starting analyzer from: C:\8llta4uw
2025-11-20 14:25:54,025 [root] DEBUG: Storing results at: C:\tufUOsbM
2025-11-20 14:25:54,025 [root] DEBUG: Pipe server name: \\.\PIPE\dTDCqcr
2025-11-20 14:25:54,025 [root] DEBUG: Python path: C:\Users\Admin\AppData\Local\Programs\Python\Python313-32
2025-11-20 14:25:54,025 [root] INFO: analysis running as an admin
2025-11-20 14:25:54,026 [root] INFO: analysis package specified: "python"
2025-11-20 14:25:54,026 [root] DEBUG: importing analysis package module: "modules.packages.python"...
2025-11-20 14:25:54,033 [root] DEBUG: imported analysis package "python"
2025-11-20 14:25:54,034 [root] DEBUG: initializing analysis package "python"...
2025-11-20 14:25:54,035 [lib.common.common] INFO: wrapping
2025-11-20 14:25:54,036 [lib.core.compound] INFO: C:\Temp already exists, skipping creation
2025-11-20 14:25:54,036 [root] DEBUG: New location of moved file: C:\Temp\app.py
2025-11-20 14:25:54,037 [root] INFO: Analyzer: Package modules.packages.python does not specify a DLL option
2025-11-20 14:25:54,037 [root] INFO: Analyzer: Package modules.packages.python does not specify a DLL_64 option
2025-11-20 14:25:54,037 [root] INFO: Analyzer: Package modules.packages.python does not specify a loader option
2025-11-20 14:25:54,037 [root] INFO: Analyzer: Package modules.packages.python does not specify a loader_64 option
2025-11-20 14:25:54,073 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-11-20 14:25:54,092 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-11-20 14:25:54,114 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-11-20 14:25:54,133 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-11-20 14:25:54,140 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-11-20 14:25:54,207 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2025-11-20 14:25:54,211 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2025-11-20 14:25:54,293 [lib.api.screenshot] INFO: Please upgrade Pillow to >= 5.4.1 for best performance
2025-11-20 14:25:54,294 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-11-20 14:25:54,298 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-11-20 14:25:54,298 [root] DEBUG: Initialized auxiliary module "Browser"
2025-11-20 14:25:54,299 [root] DEBUG: attempting to configure 'Browser' from data
2025-11-20 14:25:54,301 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-11-20 14:25:54,301 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-11-20 14:25:54,302 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-11-20 14:25:54,302 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-11-20 14:25:54,302 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-11-20 14:25:54,303 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-11-20 14:25:54,303 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-11-20 14:25:54,303 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-11-20 14:25:54,947 [modules.auxiliary.digisig] DEBUG: File format not recognized
2025-11-20 14:25:54,949 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-11-20 14:25:54,961 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-11-20 14:25:54,962 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-11-20 14:25:54,962 [root] DEBUG: attempting to configure 'Disguise' from data
2025-11-20 14:25:54,962 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-11-20 14:25:54,962 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-11-20 14:25:54,963 [modules.auxiliary.disguise] INFO: Disguising GUID to 0f4d1863-31f8-4954-b1e3-75f12194b55d
2025-11-20 14:25:54,964 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-11-20 14:25:54,964 [root] DEBUG: Initialized auxiliary module "Human"
2025-11-20 14:25:54,964 [root] DEBUG: attempting to configure 'Human' from data
2025-11-20 14:25:54,964 [root] DEBUG: module Human does not support data configuration, ignoring
2025-11-20 14:25:54,965 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-11-20 14:25:54,967 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-11-20 14:25:54,968 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-11-20 14:25:54,969 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-11-20 14:25:54,971 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-11-20 14:25:54,971 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-11-20 14:25:54,979 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-11-20 14:25:54,979 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-11-20 14:25:54,982 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-11-20 14:25:54,983 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-11-20 14:25:54,984 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-11-20 14:25:54,988 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 608
2025-11-20 14:25:55,169 [lib.api.process] INFO: Monitor config for <Process 608 lsass.exe>: C:\8llta4uw\dll\608.ini
2025-11-20 14:25:55,171 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-11-20 14:25:55,181 [lib.api.process] INFO: 64-bit DLL to inject is C:\8llta4uw\dll\OnAKlMw.dll, loader C:\8llta4uw\bin\kcPuBrIv.exe
2025-11-20 14:25:55,206 [root] DEBUG: Loader: Injecting process 608 with C:\8llta4uw\dll\OnAKlMw.dll.
2025-11-20 14:25:55,230 [root] DEBUG: 608: Python path set to 'C:\Users\Admin\AppData\Local\Programs\Python\Python313-32'.
2025-11-20 14:25:55,231 [root] DEBUG: 608: Disabling sleep skipping.
2025-11-20 14:25:55,232 [root] DEBUG: 608: TLS secret dump mode enabled.
2025-11-20 14:25:55,274 [root] DEBUG: 608: RtlInsertInvertedFunctionTable 0x00007FFEE348090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEE35DD4F0
2025-11-20 14:25:55,275 [root] DEBUG: 608: Monitor initialised: 64-bit capemon loaded in process 608 at 0x00007FFEB75E0000, thread 624, image base 0x00007FF60EE30000, stack from 0x000000A5F48F3000-0x000000A5F4900000
2025-11-20 14:25:55,276 [root] DEBUG: 608: Commandline: C:\Windows\system32\lsass.exe
2025-11-20 14:25:55,292 [root] DEBUG: 608: Hooked 5 out of 5 functions
2025-11-20 14:25:55,293 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-11-20 14:25:55,294 [root] DEBUG: Successfully injected DLL C:\8llta4uw\dll\OnAKlMw.dll.
2025-11-20 14:25:55,298 [lib.api.process] INFO: Injected into 64-bit <Process 608 lsass.exe>
2025-11-20 14:25:55,298 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump
2025-11-20 14:25:55,506 [root] DEBUG: 608: DLL loaded at 0x00007FFEE1420000: C:\Windows\System32\cfgmgr32 (0x4e000 bytes).
2025-11-20 14:25:55,508 [root] DEBUG: 608: DLL loaded at 0x00007FFEE0870000: C:\Windows\system32\DEVOBJ (0x33000 bytes).
2025-11-20 14:25:55,510 [root] DEBUG: 608: DLL loaded at 0x00007FFEC2550000: C:\Windows\System32\ngcpopkeysrv (0x48000 bytes).
2025-11-20 14:25:55,523 [root] DEBUG: 608: DLL loaded at 0x00007FFEB7180000: C:\Windows\system32\PCPKsp (0x118000 bytes).
2025-11-20 14:25:55,531 [root] DEBUG: 608: DLL loaded at 0x00007FFEE2C00000: C:\Windows\System32\imagehlp (0x1d000 bytes).
2025-11-20 14:25:55,533 [root] DEBUG: 608: DLL loaded at 0x00007FFED4740000: C:\Windows\system32\tbs (0x1b000 bytes).
2025-11-20 14:25:55,683 [root] DEBUG: 608: TLS 1.2 secrets logged to: C:\tufUOsbM\tlsdump\tlsdump.log
2025-11-20 14:25:58,506 [root] INFO: Restarting WMI Service
2025-11-20 14:26:00,643 [root] DEBUG: package modules.packages.python does not support configure, ignoring
2025-11-20 14:26:00,644 [root] WARNING: configuration error for package modules.packages.python: error importing data.packages.python: No module named 'data.packages'
2025-11-20 14:26:00,646 [lib.core.compound] INFO: C:\Temp already exists, skipping creation
2025-11-20 14:26:00,663 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\py.exe" with arguments "C:\Temp\app.py " with pid 2316
2025-11-20 14:26:00,664 [lib.api.process] INFO: Monitor config for <Process 2316 py.exe>: C:\8llta4uw\dll\2316.ini
2025-11-20 14:26:00,668 [lib.api.process] INFO: 32-bit DLL to inject is C:\8llta4uw\dll\vlBzeSKF.dll, loader C:\8llta4uw\bin\CJcvrnn.exe
2025-11-20 14:26:00,687 [root] DEBUG: Loader: Injecting process 2316 (thread 2336) with C:\8llta4uw\dll\vlBzeSKF.dll.
2025-11-20 14:26:00,689 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-11-20 14:26:00,690 [root] DEBUG: Successfully injected DLL C:\8llta4uw\dll\vlBzeSKF.dll.
2025-11-20 14:26:00,693 [lib.api.process] INFO: Injected into 32-bit <Process 2316 py.exe>
2025-11-20 14:26:02,697 [lib.api.process] INFO: Successfully resumed <Process 2316 py.exe>
2025-11-20 14:26:02,895 [root] DEBUG: 2316: Python path set to 'C:\Users\Admin\AppData\Local\Programs\Python\Python313-32'.
2025-11-20 14:26:02,897 [root] DEBUG: 2316: Disabling sleep skipping.
2025-11-20 14:26:02,898 [root] DEBUG: 2316: Dropped file limit defaulting to 100.
2025-11-20 14:26:02,925 [root] DEBUG: 2316: YaraInit: Compiled 43 rule files
2025-11-20 14:26:02,928 [root] DEBUG: 2316: YaraInit: Compiled rules saved to file C:\8llta4uw\data\yara\capemon.yac
2025-11-20 14:26:02,929 [root] DEBUG: 2316: YaraScan: Scanning 0x00580000, size 0xbf83e
2025-11-20 14:26:02,954 [root] DEBUG: 2316: Monitor initialised: 32-bit capemon loaded in process 2316 at 0x731a0000, thread 2336, image base 0x580000, stack from 0x3b3000-0x3c0000
2025-11-20 14:26:02,955 [root] DEBUG: 2316: Commandline: "C:\Windows\py.exe" C:\Temp\app.py
2025-11-20 14:26:03,016 [root] DEBUG: 2316: hook_api: LdrpCallInitRoutine export address 0x76FC2B50 obtained via GetFunctionAddress
2025-11-20 14:26:03,060 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2025-11-20 14:26:03,061 [root] DEBUG: 2316: set_hooks: Unable to hook GetCommandLineA
2025-11-20 14:26:03,062 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2025-11-20 14:26:03,063 [root] DEBUG: 2316: set_hooks: Unable to hook GetCommandLineW
2025-11-20 14:26:03,074 [root] DEBUG: 2316: Hooked 625 out of 627 functions
2025-11-20 14:26:03,086 [root] DEBUG: 2316: Syscall hook installed, syscall logging level 1
2025-11-20 14:26:03,094 [root] DEBUG: 2316: RestoreHeaders: Restored original import table.
2025-11-20 14:26:03,098 [root] INFO: Loaded monitor into process with pid 2316
2025-11-20 14:26:03,100 [root] DEBUG: 2316: caller_dispatch: Added region at 0x00580000 to tracked regions list (kernel32::LoadLibraryExW returns to 0x00587F36, thread 2336).
2025-11-20 14:26:03,101 [root] DEBUG: 2316: YaraScan: Scanning 0x00580000, size 0xbf83e
2025-11-20 14:26:03,112 [root] DEBUG: 2316: ProcessImageBase: Main module image at 0x00580000 unmodified (entropy change 0.000000e+00)
2025-11-20 14:26:03,126 [root] DEBUG: 2316: DLL loaded at 0x747A0000: C:\Windows\SYSTEM32\Wldp (0x24000 bytes).
2025-11-20 14:26:03,132 [root] DEBUG: 2316: DLL loaded at 0x747D0000: C:\Windows\SYSTEM32\windows.storage (0x613000 bytes).
2025-11-20 14:26:03,134 [root] DEBUG: 2316: DLL loaded at 0x75ED0000: C:\Windows\System32\SHCORE (0x87000 bytes).
2025-11-20 14:26:03,161 [root] DEBUG: 2316: InstrumentationCallback: Added region at 0x75A163AC (base 0x758D0000) to tracked regions list (thread 2336).
2025-11-20 14:26:03,162 [root] DEBUG: 2316: ProcessTrackedRegion: Region at 0x758D0000 mapped as \Device\HarddiskVolume2\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2025-11-20 14:26:03,184 [root] DEBUG: 2316: CreateProcessHandler: Injection info set for new process 3080: C:\Users\Admin\AppData\Local\Programs\Python\Python313-32\python.exe, ImageBase: 0x00CD0000
2025-11-20 14:26:03,185 [root] INFO: Announced 32-bit process name: python.exe pid: 3080
2025-11-20 14:26:03,186 [lib.api.process] INFO: Monitor config for <Process 3080 python.exe>: C:\8llta4uw\dll\3080.ini
2025-11-20 14:26:04,211 [lib.api.process] INFO: 32-bit DLL to inject is C:\8llta4uw\dll\vlBzeSKF.dll, loader C:\8llta4uw\bin\CJcvrnn.exe
2025-11-20 14:26:04,225 [root] DEBUG: Loader: Injecting process 3080 (thread 752) with C:\8llta4uw\dll\vlBzeSKF.dll.
2025-11-20 14:26:04,226 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-11-20 14:26:04,227 [root] DEBUG: Successfully injected DLL C:\8llta4uw\dll\vlBzeSKF.dll.
2025-11-20 14:26:04,231 [lib.api.process] INFO: Injected into 32-bit <Process 3080 python.exe>
2025-11-20 14:26:04,247 [root] DEBUG: 2316: ProcessTrackedRegion: Region at 0x758D0000 mapped as \Device\HarddiskVolume2\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2025-11-20 14:26:04,273 [root] DEBUG: 3080: Python path set to 'C:\Users\Admin\AppData\Local\Programs\Python\Python313-32'.
2025-11-20 14:26:04,274 [root] DEBUG: 3080: Disabling sleep skipping.
2025-11-20 14:26:04,275 [root] DEBUG: 3080: Dropped file limit defaulting to 100.
2025-11-20 14:26:04,280 [root] DEBUG: 3080: YaraInit: Compiled rules loaded from existing file C:\8llta4uw\data\yara\capemon.yac
2025-11-20 14:26:04,281 [root] DEBUG: 3080: YaraScan: Scanning 0x00CD0000, size 0x18182
2025-11-20 14:26:04,285 [root] DEBUG: 3080: Monitor initialised: 32-bit capemon loaded in process 3080 at 0x731a0000, thread 752, image base 0xcd0000, stack from 0xa66000-0xa70000
2025-11-20 14:26:04,285 [root] DEBUG: 3080: Commandline: C:\Users\Admin\AppData\Local\Programs\Python\Python313-32\python.exe C:\Temp\app.py
2025-11-20 14:26:04,286 [root] DEBUG: 3080: add_all_dlls_to_dll_ranges: skipping C:\Users\Admin\AppData\Local\Programs\Python\Python313-32\python313.dll
2025-11-20 14:26:04,287 [root] DEBUG: 3080: add_all_dlls_to_dll_ranges: skipping C:\Users\Admin\AppData\Local\Programs\Python\Python313-32\VCRUNTIME140.dll
2025-11-20 14:26:04,317 [root] DEBUG: 3080: hook_api: LdrpCallInitRoutine export address 0x76FC2B50 obtained via GetFunctionAddress
2025-11-20 14:26:04,347 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2025-11-20 14:26:04,348 [root] DEBUG: 3080: set_hooks: Unable to hook GetCommandLineA
2025-11-20 14:26:04,349 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2025-11-20 14:26:04,350 [root] DEBUG: 3080: set_hooks: Unable to hook GetCommandLineW
2025-11-20 14:26:04,358 [root] DEBUG: 3080: Hooked 625 out of 627 functions
2025-11-20 14:26:04,360 [root] DEBUG: 3080: Syscall hook installed, syscall logging level 1
2025-11-20 14:26:04,365 [root] DEBUG: 3080: RestoreHeaders: Restored original import table.
2025-11-20 14:26:04,366 [root] INFO: Loaded monitor into process with pid 3080
2025-11-20 14:26:04,367 [root] DEBUG: 3080: YaraScan: Scanning 0x74200000, size 0x14b1e
2025-11-20 14:26:04,369 [root] DEBUG: 3080: caller_dispatch: Added region at 0x74200000 to tracked regions list (kernel32::LoadLibraryExW returns to 0x74204CB5, thread 752).
2025-11-20 14:26:04,370 [root] DEBUG: 3080: caller_dispatch: Scanning calling region at 0x74200000...
2025-11-20 14:26:04,372 [root] DEBUG: 3080: VerifyHeaders: Entry point does not match, 0x0 of 0x10 matching
2025-11-20 14:26:04,373 [root] DEBUG: 3080: ProcessTrackedRegion: Interesting region at 0x74200000 mapped as \Device\HarddiskVolume2\Users\Admin\AppData\Local\Programs\Python\Python313-32\vcruntime140.dll, dumping
2025-11-20 14:26:04,373 [root] DEBUG: 3080: DumpPEsInRange: Scanning range 0x74200000 - 0x74214B1E.
2025-11-20 14:26:04,374 [root] DEBUG: 3080: ScanForDisguisedPE: PE image located at: 0x74200000
2025-11-20 14:26:04,375 [root] DEBUG: 3080: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2025-11-20 14:26:04,376 [root] DEBUG: 3080: DumpProcess: Instantiating PeParser with address: 0x74200000.
2025-11-20 14:26:04,376 [root] DEBUG: 3080: DumpProcess: Module entry point VA is 0x0000D960.
2025-11-20 14:26:04,384 [lib.common.results] INFO: Uploading file C:\tufUOsbM\CAPE\3080_897642611204112025 to CAPE\0d73df4622431e5f0f2843ec68cc60a07f38fb8263c4a1e2a1e260a9075f94d1; Size is 70144; Max size: 100000000
2025-11-20 14:26:04,392 [root] DEBUG: 3080: DumpProcess: Module image dump success - dump size 0x11200.
2025-11-20 14:26:04,394 [root] DEBUG: 3080: ScanForDisguisedPE: No PE image located in range 0x74201000-0x74214B1E.
2025-11-20 14:26:04,395 [root] DEBUG: 3080: DumpRegion: Dumped PE image(s) from base address 0x74200000, size 86016 bytes.
2025-11-20 14:26:04,396 [root] DEBUG: 3080: ProcessTrackedRegion: Dumped region at 0x74200000.
2025-11-20 14:26:04,396 [root] DEBUG: 3080: YaraScan: Scanning 0x74200000, size 0x14b1e
2025-11-20 14:26:04,399 [root] DEBUG: 3080: YaraScan: Scanning 0x74220000, size 0x571868
2025-11-20 14:26:04,481 [root] DEBUG: 3080: YaraScan hit: FormhookB
2025-11-20 14:26:04,482 [root] DEBUG: 3080: Config: bp0 set to 0x00051F80.
2025-11-20 14:26:04,483 [root] DEBUG: 3080: Config: bp0 set to 0x00084B80.
2025-11-20 14:26:04,484 [root] DEBUG: 3080: Config: bp0 set to 0x000DF3F0.
2025-11-20 14:26:04,484 [root] DEBUG: 3080: Config: bp0 set to 0x000FBED0.
2025-11-20 14:26:04,485 [root] DEBUG: 3080: Config: bp0 set to 0x00160130.
2025-11-20 14:26:04,486 [root] DEBUG: 3080: Config: bp0 set to 0x0016FCE0.
2025-11-20 14:26:04,487 [root] DEBUG: 3080: Config: bp0 set to 0x001C9F10.
2025-11-20 14:26:04,488 [root] DEBUG: 3080: Config: bp0 set to 0x0020D1A0.
2025-11-20 14:26:04,488 [root] DEBUG: 3080: Config: bp0 set to 0x002447B0.
2025-11-20 14:26:04,489 [root] DEBUG: 3080: Config: Action0 set to scan.
2025-11-20 14:26:04,490 [root] DEBUG: 3080: Config: Hit count for breakpoint 0 set to 1
2025-11-20 14:26:04,491 [root] DEBUG: 3080: Config: bp1 set to 0x00051131.
2025-11-20 14:26:04,492 [root] DEBUG: 3080: Config: bp1 set to 0x0014EAC9.
2025-11-20 14:26:04,492 [root] DEBUG: 3080: Config: bp1 set to 0x00164152.
2025-11-20 14:26:04,493 [root] DEBUG: 3080: Config: Action1 set to setdst:ntdll.
2025-11-20 14:26:04,494 [root] DEBUG: 3080: Config: Count for breakpoint 1 set to 0
2025-11-20 14:26:04,495 [root] DEBUG: 3080: Config: Trace instruction count set to 0x0
2025-11-20 14:26:04,496 [root] DEBUG: 3080: SetInitialBreakpoints: Breakpoint 0 set on address 0x744647B0 (RVA 0x2447b0, type 0, hit count 1, thread 752)
2025-11-20 14:26:04,497 [root] DEBUG: 3080: SetInitialBreakpoints: Breakpoint 1 set on address 0x74384152 (RVA 0x164152, type 0, hit count 0, thread 752)
2025-11-20 14:26:04,504 [root] DEBUG: 3080: caller_dispatch: Added region at 0x74220000 to tracked regions list (ntdll::NtQueryPerformanceCounter returns to 0x74380143, thread 752).
2025-11-20 14:26:04,505 [root] DEBUG: 3080: caller_dispatch: Scanning calling region at 0x74220000...
2025-11-20 14:26:04,507 [root] DEBUG: 3080: VerifyHeaders: Entry point does not match, 0x0 of 0x10 matching
2025-11-20 14:26:04,508 [root] DEBUG: 3080: ProcessTrackedRegion: Interesting region at 0x74220000 mapped as \Device\HarddiskVolume2\Users\Admin\AppData\Local\Programs\Python\Python313-32\python313.dll, dumping
2025-11-20 14:26:04,509 [root] DEBUG: 3080: DumpPEsInRange: Scanning range 0x74220000 - 0x74791868.
2025-11-20 14:26:04,512 [root] DEBUG: 3080: ScanForDisguisedPE: PE image located at: 0x74220000
2025-11-20 14:26:04,513 [root] DEBUG: 3080: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2025-11-20 14:26:04,514 [root] DEBUG: 3080: DumpProcess: Instantiating PeParser with address: 0x74220000.
2025-11-20 14:26:04,515 [root] DEBUG: 3080: DumpProcess: Module entry point VA is 0x002D9A40.
2025-11-20 14:26:04,581 [lib.common.results] INFO: Uploading file C:\tufUOsbM\CAPE\3080_876272542611204112025 to CAPE\a619a49227347a25716800dfbbea696fab04d6262a1d1d891cb310a13550cf1a; Size is 5697024; Max size: 100000000
2025-11-20 14:26:04,630 [root] DEBUG: 3080: DumpProcess: Module image dump success - dump size 0x56ee00.
2025-11-20 14:26:04,679 [root] DEBUG: 3080: ScanForDisguisedPE: No PE image located in range 0x74221000-0x74791868.
2025-11-20 14:26:04,680 [root] DEBUG: 3080: DumpRegion: Dumped PE image(s) from base address 0x74220000, size 5709824 bytes.
2025-11-20 14:26:04,681 [root] DEBUG: 3080: ProcessTrackedRegion: Dumped region at 0x74220000.
2025-11-20 14:26:04,682 [root] DEBUG: 3080: YaraScan: Scanning 0x74220000, size 0x571868
2025-11-20 14:26:04,755 [root] DEBUG: 3080: YaraScan hit: FormhookB
2025-11-20 14:26:04,756 [root] DEBUG: 3080: Config: bp0 set to 0x00051F80.
2025-11-20 14:26:04,757 [root] DEBUG: 3080: Config: bp0 set to 0x00084B80.
2025-11-20 14:26:04,758 [root] DEBUG: 3080: Config: bp0 set to 0x000DF3F0.
2025-11-20 14:26:04,758 [root] DEBUG: 3080: Config: bp0 set to 0x000FBED0.
2025-11-20 14:26:04,759 [root] DEBUG: 3080: Config: bp0 set to 0x00160130.
2025-11-20 14:26:04,760 [root] DEBUG: 3080: Config: bp0 set to 0x0016FCE0.
2025-11-20 14:26:04,761 [root] DEBUG: 3080: Config: bp0 set to 0x001C9F10.
2025-11-20 14:26:04,762 [root] DEBUG: 3080: Config: bp0 set to 0x0020D1A0.
2025-11-20 14:26:04,762 [root] DEBUG: 3080: Config: bp0 set to 0x002447B0.
2025-11-20 14:26:04,763 [root] DEBUG: 3080: Config: Action0 set to scan.
2025-11-20 14:26:04,764 [root] DEBUG: 3080: Config: Hit count for breakpoint 0 set to 1
2025-11-20 14:26:04,765 [root] DEBUG: 3080: Config: bp1 set to 0x00051131.
2025-11-20 14:26:04,766 [root] DEBUG: 3080: Config: bp1 set to 0x0014EAC9.
2025-11-20 14:26:04,767 [root] DEBUG: 3080: Config: bp1 set to 0x00164152.
2025-11-20 14:26:04,767 [root] DEBUG: 3080: Config: Action1 set to setdst:ntdll.
2025-11-20 14:26:04,768 [root] DEBUG: 3080: Config: Count for breakpoint 1 set to 0
2025-11-20 14:26:04,769 [root] DEBUG: 3080: Config: Trace instruction count set to 0x0
2025-11-20 14:26:04,770 [root] DEBUG: 3080: SetInitialBreakpoints: Breakpoint 0 set on address 0x744647B0 (RVA 0x2447b0, type 0, hit count 1, thread 752)
2025-11-20 14:26:04,770 [root] DEBUG: 3080: SetInitialBreakpoints: Breakpoint 1 set on address 0x74384152 (RVA 0x164152, type 0, hit count 0, thread 752)
2025-11-20 14:26:04,773 [root] DEBUG: 3080: caller_dispatch: Added region at 0x00CD0000 to tracked regions list (ntdll::memcpy returns to 0x00CD1064, thread 752).
2025-11-20 14:26:04,774 [root] DEBUG: 3080: YaraScan: Scanning 0x00CD0000, size 0x18182
2025-11-20 14:26:04,777 [root] DEBUG: 3080: ProcessImageBase: Main module image at 0x00CD0000 unmodified (entropy change 0.000000e+00)
2025-11-20 14:26:04,790 [root] DEBUG: 3080: InstrumentationCallback: Added region at 0x75A163AC (base 0x758D0000) to tracked regions list (thread 752).
2025-11-20 14:26:04,791 [root] DEBUG: 3080: ProcessTrackedRegion: Region at 0x758D0000 mapped as \Device\HarddiskVolume2\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2025-11-20 14:26:04,795 [root] DEBUG: 3080: DLL loaded at 0x75800000: C:\Windows\System32\bcryptprimitives (0x5f000 bytes).
2025-11-20 14:26:04,965 [root] DEBUG: 3080: set_hooks_by_export_directory: Hooked 0 out of 627 functions
2025-11-20 14:26:04,966 [root] DEBUG: 3080: DLL loaded at 0x73B80000: C:\Windows\SYSTEM32\kernel.appcore (0xf000 bytes).
2025-11-20 14:26:04,967 [root] DEBUG: 3080: NtTerminateProcess hook: Attempting to dump process 3080
2025-11-20 14:26:04,968 [root] DEBUG: 3080: DoProcessDump: Skipping process dump as code is identical on disk.
2025-11-20 14:26:04,990 [root] INFO: Process with pid 3080 has terminated
2025-11-20 14:26:04,994 [root] DEBUG: 2316: set_hooks_by_export_directory: Hooked 0 out of 627 functions
2025-11-20 14:26:04,996 [root] DEBUG: 2316: DLL loaded at 0x73B80000: C:\Windows\SYSTEM32\kernel.appcore (0xf000 bytes).
2025-11-20 14:26:04,997 [root] DEBUG: 2316: NtTerminateProcess hook: Attempting to dump process 2316
2025-11-20 14:26:05,010 [root] DEBUG: 2316: DoProcessDump: Skipping process dump as code is identical on disk.
2025-11-20 14:26:05,020 [root] INFO: Process with pid 2316 has terminated
2025-11-20 14:26:24,943 [root] INFO: Process list is empty, terminating analysis
2025-11-20 14:26:25,956 [root] INFO: Created shutdown mutex
2025-11-20 14:26:26,964 [root] INFO: Shutting down package
2025-11-20 14:26:26,964 [root] INFO: Stopping auxiliary modules
2025-11-20 14:26:26,965 [root] INFO: Stopping auxiliary module: Browser
2025-11-20 14:26:26,965 [root] INFO: Stopping auxiliary module: Human
2025-11-20 14:26:31,980 [root] INFO: Stopping auxiliary module: Screenshots
2025-11-20 14:26:31,990 [root] INFO: Finishing auxiliary modules
2025-11-20 14:26:31,990 [root] INFO: Shutting down pipe server and dumping dropped files
2025-11-20 14:26:31,991 [root] WARNING: Folder at path "C:\tufUOsbM\debugger" does not exist, skipping
2025-11-20 14:26:31,991 [root] INFO: Uploading files at path "C:\tufUOsbM\tlsdump"
2025-11-20 14:26:31,992 [lib.common.results] INFO: Uploading file C:\tufUOsbM\tlsdump\tlsdump.log to tlsdump\tlsdump.log; Size is 1096; Max size: 100000000
2025-11-20 14:26:32,003 [root] INFO: Analysis completed


Machine

Name: MalwareGuest
Label: MalwareGuest
Manager: Proxmox
Started On: 2025-11-20 14:25:54
Shutdown On: 2025-11-20 14:26:43
Route: none

File Details

File Name: app.py
File Type: Python script, Unicode text, UTF-8 text executable, with CRLF line terminators
File Size: 2628 bytes
MD5: 641f1f56eeaea93c37c3205502efed82
SHA1: c7682b021add97299066aeed96e9f7a5e4aebd58
SHA256: 9c7ed8833a268d5e94baa236806e1fb6054e8bde045033cd6ff258de600db6e9
SHA3-384: e3fbc8d114eeb0210a2b8d06b5465013865345fae801c6296a338cec31dfb6407598ce2a152888aa698cd6f36cce55a3
CRC32: A6DD38A3
TLSH: T1F95197D35C1264969932646FD4155D00E85B9237BA1A3A2771BC464C6FF2106C774C7A
Ssdeep: 48:5DGkZv+LAMqGfRsdaxhhB3KMaF20pROyRvDKYnU0s3A5ghIa5:5D9wLADGZsdEhL3Y40pVR7/U0UA5ghI0

File contents (app.py):

import requests
import time
GITEA_URL = 'http://10.0.36.206:3000/-/admin/users/new'
HEADERS = {
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7',
    'Accept-Language': 'ru,en;q=0.9,en-GB;q=0.8,en-US;q=0.7',
    'Cache-Control': 'no-cache',
    'Connection': 'keep-alive',
    'Content-Type': 'application/x-www-form-urlencoded',
    'DNT': '1',
    'Origin': 'null',
    'Pragma': 'no-cache',
    'Upgrade-Insecure-Requests': '1',
    'User-Agent': 'Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Mobile Safari/537.36 Edg/137.0.0.0',
}

COOKIES = {
    'i_like_gitea': '3ccabf46b88ddeb3',
    'lang': 'ru-RU',
    '_csrf': 'pBlRJDfD_oAdow5KnNViuGp86I86MTc1MDExMjQ2NDQ3MzAyMDY4OQ',
}

PAYLOAD_TEMPLATE = {
    '_autofill_dummy_username': '',
    '_autofill_dummy_password': '',
    '_csrf': 'r9jIGwqIwCiycDd8u184hKTuzYs6MTc1MDExMTEwNzYyMTU0OTkxNw',
    'login_type': '0-0',
    'visibility': '2',
    'login_name': '',
    'password': 'password',
}

def create_gitea_user(user_number):
    user_id = f"{user_number:02d}"
    username = f"user{user_id}"
    email = f"{username}@demo.exam"
    
    payload = PAYLOAD_TEMPLATE.copy()
    payload['user_name'] = username
    payload['email'] = email
    
    print(f"Попытка создать пользователя: {username} ({email})...")
    
    try:
        requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
        response = requests.post(
            GITEA_URL,
            headers=HEADERS,
            cookies=COOKIES,
            data=payload,
            verify=False,
            allow_redirects=False
        )
        
        if response.status_code == 303:
            print(f"Пользователь {username} успешно создан. Статус: {response.status_code}")
        else:
            print(f"ошибка не удалось создать пользователя {username}. Статус: {response.status_code}")

    except requests.exceptions.RequestException as e:
        print(f"ошибка при создании пользователя {username}: {e}")

if __name__ == "__main__":
    print("--- Начало создания пользователей в Gitea ---")
    
    for i in range(1, 76):
        create_gitea_user(i)
        time.sleep(0.5) 
        
    print("--- Работа скрипта завершена ---")

Processing ( 7.44 seconds )

  • 7.329 CAPE
  • 0.056 BehaviorAnalysis
  • 0.049 AnalysisInfo
  • 0.003 Debug

Signatures ( 0.11 seconds )

  • 0.013 antiav_detectreg
  • 0.007 antiav_detectfile
  • 0.007 infostealer_ftp
  • 0.007 masquerade_process_name
  • 0.007 ransomware_files
  • 0.005 infostealer_im
  • 0.005 territorial_disputes_sigs
  • 0.004 antianalysis_detectfile
  • 0.004 infostealer_bitcoin
  • 0.004 ransomware_extensions
  • 0.003 antivm_vbox_files
  • 0.003 infostealer_mail
  • 0.003 poullight_files
  • 0.002 antianalysis_detectreg
  • 0.002 antidebug_devices
  • 0.002 antivm_vbox_keys
  • 0.002 antivm_vmware_files
  • 0.002 geodo_banking_trojan
  • 0.002 qulab_files
  • 0.002 uses_windows_utilities
  • 0.001 accesses_sysvol
  • 0.001 antiemu_windefend
  • 0.001 antivm_generic_diskreg
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_vbox_devices
  • 0.001 antivm_vmware_keys
  • 0.001 antivm_vpc_keys
  • 0.001 antivm_xen_keys
  • 0.001 browser_security
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 disables_power_options
  • 0.001 azorult_mutexes
  • 0.001 echelon_files
  • 0.001 revil_mutexes
  • 0.001 limerat_regkeys
  • 0.001 modirat_behavior
  • 0.001 obliquerat_files
  • 0.001 rat_pcclient
  • 0.001 recon_fingerprint
  • 0.001 language_check_registry
  • 0.001 tampers_etw
  • 0.001 ursnif_behavior
  • 0.001 suspicious_command_tools

Reporting ( 0.01 seconds )

  • 0.011 JsonDump

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Possible date expiration check, exits too soon after checking local time
process: python.exe, PID 3080
Checks system language via registry key (possible geofencing)
regkey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\ru-RU
regkey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\ru-RU

Screenshots

No playback available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

C:\Temp\app.py
C:\Windows\System32\windows.storage.dll
C:\Windows\Wldp.dll
C:\Windows\System32\wldp.dll
C:\Users\Admin\AppData\Local\py.ini
C:\Windows\py.ini
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\PythonSoftwareFoundation.Python.3.14_qbz5n2kfra8p0\python.exe
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\PythonSoftwareFoundation.Python.3.13_qbz5n2kfra8p0\python.exe
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\PythonSoftwareFoundation.Python.3.12_qbz5n2kfra8p0\python.exe
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\PythonSoftwareFoundation.Python.3.11_qbz5n2kfra8p0\python.exe
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\python.exe
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\python.exe
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\PythonSoftwareFoundation.Python.3.8_qbz5n2kfra8p0\python.exe
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\PythonSoftwareFoundation.Python.3.14_3847v3x7pw1km\python.exe
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\PythonSoftwareFoundation.Python.3.13_3847v3x7pw1km\python.exe
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\PythonSoftwareFoundation.Python.3.12_3847v3x7pw1km\python.exe
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\PythonSoftwareFoundation.Python.3.11_3847v3x7pw1km\python.exe
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\PythonSoftwareFoundation.Python.3.11_hd69rhyc2wevp\python.exe
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\PythonSoftwareFoundation.Python.3.10_3847v3x7pw1km\python.exe
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\PythonSoftwareFoundation.Python.3.10_hd69rhyc2wevp\python.exe
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\PythonSoftwareFoundation.Python.3.9_3847v3x7pw1km\python.exe
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\PythonSoftwareFoundation.Python.3.9_hd69rhyc2wevp\python.exe
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\PythonSoftwareFoundation.Python.3.8_hd69rhyc2wevp\python.exe
C:\Users\Admin\AppData\Local\Programs\Python\pyvenv.cfg
C:\Users\Admin\AppData\Local\Programs\Python\Python313-32\pyvenv.cfg
C:\Users\Admin\AppData\Local\Programs\Python\Python313-32\python.exe
\??\MountPointManager
C:\Users\Admin\AppData\Local\Programs\Python\Python313-32\python313._pth
C:\Users\Admin\AppData\Local\Programs\Python\Python313-32\python._pth
C:\Users\Admin\AppData\Local\Programs\Python\Python313-32\pybuilddir.txt
C:\Users\Admin\AppData\Local\Programs\Modules\Setup.local
C:\Users\Admin\AppData\Local\Programs\Python\Python313-32\python313.zip
C:\Users\Admin\AppData\Local\Programs\Python\Python313-32\Lib\os.py
C:\Users\Admin\AppData\Local\Programs\Python\Python313-32\DLLs
C:\Windows\System32\ru-RU\KERNELBASE.dll.mui
C:\Windows\sysnative\ru-RU\KERNELBASE.dll.mui
C:\Windows\System32\tzres.dll
C:\Windows\System32\ru-RU\tzres.dll.mui
C:\Windows\sysnative\ru-RU\tzres.dll.mui
C:\Users\Admin\AppData\Local\Programs\Python\Python313-32
C:\Users\Admin\AppData\Local\Programs\Python\Python313-32\DLLs\*.*
C:\Users\Admin\AppData\Local\Programs\Python\Python313-32\Lib
C:\Users\Admin\AppData\Local\Programs\Python\Python313-32\Lib\*.*
C:\Users\Admin\AppData\Local\Programs\Python\Python313-32\*.*
C:\Windows\System32\kernel.appcore.dll
HKEY_CURRENT_USER\Software\Python
HKEY_CURRENT_USER\SOFTWARE\Python\PythonCore
HKEY_CURRENT_USER\SOFTWARE\Python\PythonCore\3.13-32
HKEY_CURRENT_USER\SOFTWARE\Python\PythonCore\3.13-32\InstallPath
HKEY_CURRENT_USER\SOFTWARE\Python\PythonCore\3.13-32\InstallPath\(Default)
HKEY_CURRENT_USER\SOFTWARE\Python\PythonCore\3.13-32\InstallPath\ExecutablePath
HKEY_CURRENT_USER\SOFTWARE\Python\PythonCore\3.13-32\InstallPath\ExecutableArguments
HKEY_CURRENT_USER\SOFTWARE\Python\PythonCore\3.13-32\SysArchitecture
HKEY_CURRENT_USER\SOFTWARE\Python\PythonCore\3.13-32\DisplayName
HKEY_LOCAL_MACHINE\Software\Python
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Python\PyLauncher
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\ru-RU
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\ru-RU
HKEY_CURRENT_USER\SOFTWARE\Python\PythonCore\3.13-32\PythonPath
HKEY_LOCAL_MACHINE\Software\Microsoft\LanguageOverlay\OverlayPackages\ru-RU
HKEY_LOCAL_MACHINE\SOFTWARE\Python\PythonCore\3.13-32\PythonPath
HKEY_CURRENT_USER\SOFTWARE\Python\PythonCore\3.13-32\InstallPath\(Default)
HKEY_CURRENT_USER\SOFTWARE\Python\PythonCore\3.13-32\InstallPath\ExecutablePath
HKEY_CURRENT_USER\SOFTWARE\Python\PythonCore\3.13-32\InstallPath\ExecutableArguments
HKEY_CURRENT_USER\SOFTWARE\Python\PythonCore\3.13-32\SysArchitecture
HKEY_CURRENT_USER\SOFTWARE\Python\PythonCore\3.13-32\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\ru-RU
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\ru-RU
C:\Users\Admin\AppData\Local\Programs\Python\Python313-32\python.exe C:\Temp\app.py

No results
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.

No hosts contacted.

No TCP connections recorded.

No UDP connections recorded.

No domains contacted.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.