| Category | Package | Started | Completed | Duration |
|---|---|---|---|---|
| FILE | | 2026-03-12 02:59:55 | 2026-03-12 03:01:29 | 94s |

Logs
```
2026-03-12 02:59:08,172 [root] INFO: Date set to: 20260312T03:00:10, timeout set to: 60
2026-03-12 03:00:10,028 [root] DEBUG: Starting analyzer from: C:\fo9rzin5
2026-03-12 03:00:10,028 [root] DEBUG: Storing results at: C:\cviTrXvdj
2026-03-12 03:00:10,044 [root] DEBUG: Pipe server name: \\.\PIPE\inyUZdIu
2026-03-12 03:00:10,044 [root] DEBUG: Python path: C:\Users\malware\AppData\Local\Programs\Python\Python310-32
2026-03-12 03:00:10,044 [root] INFO: analysis running as an admin
2026-03-12 03:00:10,044 [root] DEBUG: no analysis package configured, picking one for you
2026-03-12 03:00:10,060 [root] INFO: analysis package selected: "batch"
2026-03-12 03:00:10,060 [root] DEBUG: importing analysis package module: "modules.packages.batch"...
2026-03-12 03:00:10,075 [root] DEBUG: imported analysis package "batch"
2026-03-12 03:00:10,075 [root] DEBUG: initializing analysis package "batch"...
2026-03-12 03:00:10,075 [lib.common.common] INFO: wrapping
2026-03-12 03:00:10,091 [lib.core.compound] INFO: C:\Users\malware\AppData\Local\Temp already exists, skipping creation
2026-03-12 03:00:10,091 [root] DEBUG: New location of moved file: C:\Users\malware\AppData\Local\Temp\test_win.bat
2026-03-12 03:00:10,091 [root] INFO: Analyzer: Package modules.packages.batch does not specify a DLL option
2026-03-12 03:00:10,091 [root] INFO: Analyzer: Package modules.packages.batch does not specify a DLL_64 option
2026-03-12 03:00:10,091 [root] INFO: Analyzer: Package modules.packages.batch does not specify a loader option
2026-03-12 03:00:10,091 [root] INFO: Analyzer: Package modules.packages.batch does not specify a loader_64 option
2026-03-12 03:00:10,372 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2026-03-12 03:00:10,482 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2026-03-12 03:00:10,513 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2026-03-12 03:00:10,544 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2026-03-12 03:00:10,575 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2026-03-12 03:00:10,575 [lib.api.screenshot] ERROR: No module named 'PIL'
2026-03-12 03:00:10,575 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2026-03-12 03:00:10,591 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2026-03-12 03:00:10,591 [root] DEBUG: Initialized auxiliary module "Browser"
2026-03-12 03:00:10,591 [root] DEBUG: attempting to configure 'Browser' from data
2026-03-12 03:00:10,607 [root] DEBUG: module Browser does not support data configuration, ignoring
2026-03-12 03:00:10,607 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2026-03-12 03:00:10,607 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2026-03-12 03:00:10,607 [root] DEBUG: Initialized auxiliary module "DigiSig"
2026-03-12 03:00:10,607 [root] DEBUG: attempting to configure 'DigiSig' from data
2026-03-12 03:00:10,607 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2026-03-12 03:00:10,607 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2026-03-12 03:00:10,607 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2026-03-12 03:00:11,204 [modules.auxiliary.digisig] DEBUG: File format not recognized
2026-03-12 03:00:11,204 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2026-03-12 03:00:11,204 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2026-03-12 03:00:11,204 [root] DEBUG: Initialized auxiliary module "Disguise"
2026-03-12 03:00:11,204 [root] DEBUG: attempting to configure 'Disguise' from data
2026-03-12 03:00:11,204 [root] DEBUG: module Disguise does not support data configuration, ignoring
2026-03-12 03:00:11,219 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2026-03-12 03:00:11,219 [modules.auxiliary.disguise] INFO: Disguising GUID to b2264b3c-dd7b-4e4c-ba87-863f30d8f63d
2026-03-12 03:00:11,219 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2026-03-12 03:00:11,219 [root] DEBUG: Initialized auxiliary module "Human"
2026-03-12 03:00:11,219 [root] DEBUG: attempting to configure 'Human' from data
2026-03-12 03:00:11,219 [root] DEBUG: module Human does not support data configuration, ignoring
2026-03-12 03:00:11,219 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2026-03-12 03:00:11,235 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2026-03-12 03:00:11,235 [root] DEBUG: Initialized auxiliary module "Screenshots"
2026-03-12 03:00:11,235 [root] DEBUG: attempting to configure 'Screenshots' from data
2026-03-12 03:00:11,235 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2026-03-12 03:00:11,235 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2026-03-12 03:00:11,250 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2026-03-12 03:00:11,250 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2026-03-12 03:00:11,250 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2026-03-12 03:00:11,250 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2026-03-12 03:00:11,250 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2026-03-12 03:00:11,266 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2026-03-12 03:00:11,266 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 748
2026-03-12 03:00:11,329 [lib.api.process] INFO: Monitor config for <Process 748 lsass.exe>: C:\fo9rzin5\dll\748.ini
2026-03-12 03:00:11,329 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2026-03-12 03:00:11,344 [lib.api.process] INFO: 64-bit DLL to inject is C:\fo9rzin5\dll\vExnnK.dll, loader C:\fo9rzin5\bin\QvBkPcCr.exe
2026-03-12 03:00:11,500 [root] DEBUG: Loader: Injecting process 748 with C:\fo9rzin5\dll\vExnnK.dll.
2026-03-12 03:00:11,867 [root] DEBUG: 748: Python path set to 'C:\Users\malware\AppData\Local\Programs\Python\Python310-32'.
2026-03-12 03:00:11,883 [root] DEBUG: 748: Disabling sleep skipping.
2026-03-12 03:00:11,883 [root] DEBUG: 748: TLS secret dump mode enabled.
2026-03-12 03:00:11,945 [root] DEBUG: 748: RtlInsertInvertedFunctionTable 0x00007FF9CA43BBEA, LdrpInvertedFunctionTableSRWLock 0x00007FF9CA5970F0
2026-03-12 03:00:11,945 [root] DEBUG: 748: Monitor initialised: 64-bit capemon loaded in process 748 at 0x00007FF982320000, thread 5560, image base 0x00007FF7F2AF0000, stack from 0x0000000C69BB2000-0x0000000C69BC0000
2026-03-12 03:00:11,945 [root] DEBUG: 748: Commandline: C:\Windows\system32\lsass.exe
2026-03-12 03:00:11,992 [root] DEBUG: 748: Hooked 5 out of 5 functions
2026-03-12 03:00:11,992 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2026-03-12 03:00:11,992 [root] DEBUG: Successfully injected DLL C:\fo9rzin5\dll\vExnnK.dll.
2026-03-12 03:00:11,992 [lib.api.process] INFO: Injected into 64-bit <Process 748 lsass.exe>
2026-03-12 03:00:11,992 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump
2026-03-12 03:00:17,700 [root] INFO: Restarting WMI Service
2026-03-12 03:00:19,809 [root] DEBUG: package modules.packages.batch does not support configure, ignoring
2026-03-12 03:00:19,809 [root] WARNING: configuration error for package modules.packages.batch: error importing data.packages.batch: No module named 'data.packages'
2026-03-12 03:00:19,809 [lib.core.compound] INFO: C:\Users\malware\AppData\Local\Temp already exists, skipping creation
2026-03-12 03:00:19,825 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\system32\cmd.exe" with arguments "/c start /wait "" "C:\Users\malware\AppData\Local\Temp\test_win.bat"" with pid 4136
2026-03-12 03:00:19,825 [lib.api.process] INFO: Monitor config for <Process 4136 cmd.exe>: C:\fo9rzin5\dll\4136.ini
2026-03-12 03:00:19,825 [lib.api.process] INFO: 32-bit DLL to inject is C:\fo9rzin5\dll\UStemzU.dll, loader C:\fo9rzin5\bin\TNeyeLA.exe
2026-03-12 03:00:19,965 [root] DEBUG: Loader: Injecting process 4136 (thread 3820) with C:\fo9rzin5\dll\UStemzU.dll.
2026-03-12 03:00:19,965 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-03-12 03:00:19,965 [root] DEBUG: Successfully injected DLL C:\fo9rzin5\dll\UStemzU.dll.
2026-03-12 03:00:19,965 [lib.api.process] INFO: Injected into 32-bit <Process 4136 cmd.exe>
2026-03-12 03:00:21,986 [lib.api.process] INFO: Successfully resumed <Process 4136 cmd.exe>
2026-03-12 03:00:22,509 [root] DEBUG: 4136: Python path set to 'C:\Users\malware\AppData\Local\Programs\Python\Python310-32'.
2026-03-12 03:00:22,509 [root] DEBUG: 4136: Disabling sleep skipping.
2026-03-12 03:00:22,509 [root] DEBUG: 4136: Dropped file limit defaulting to 100.
2026-03-12 03:00:22,924 [root] DEBUG: 4136: YaraInit: Compiled 44 rule files
2026-03-12 03:00:22,924 [root] DEBUG: 4136: YaraInit: Compiled rules saved to file C:\fo9rzin5\data\yara\capemon.yac
2026-03-12 03:00:22,940 [root] DEBUG: 4136: YaraScan: Scanning 0x00540000, size 0x5a54a
2026-03-12 03:00:22,940 [root] DEBUG: 4136: YaraScan hit: FindFixAndRun
2026-03-12 03:00:22,940 [root] DEBUG: 4136: Monitor initialised: 32-bit capemon loaded in process 4136 at 0x73630000, thread 3820, image base 0x540000, stack from 0x2e83000-0x2f80000
2026-03-12 03:00:22,940 [root] DEBUG: 4136: Commandline: "C:\Windows\system32\cmd.exe" /c start /wait "" "C:\Users\malware\AppData\Local\Temp\test_win.bat"
2026-03-12 03:00:23,018 [root] DEBUG: 4136: hook_api: LdrpCallInitRoutine export address 0x776066C0 obtained via GetFunctionAddress
2026-03-12 03:00:23,049 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2026-03-12 03:00:23,049 [root] DEBUG: 4136: set_hooks: Unable to hook GetCommandLineA
2026-03-12 03:00:23,049 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2026-03-12 03:00:23,049 [root] DEBUG: 4136: set_hooks: Unable to hook GetCommandLineW
2026-03-12 03:00:23,065 [root] DEBUG: 4136: Hooked 630 out of 632 functions
2026-03-12 03:00:23,080 [root] DEBUG: 4136: set_hooks_exe: Hooked FindFixAndRun at 0x0054D170
2026-03-12 03:00:23,080 [root] DEBUG: 4136: Syscall hook installed, syscall logging level 1
2026-03-12 03:00:23,096 [root] DEBUG: 4136: RestoreHeaders: Restored original import table.
2026-03-12 03:00:23,096 [root] INFO: Loaded monitor into process with pid 4136
2026-03-12 03:00:23,096 [root] DEBUG: 4136: caller_dispatch: Added region at 0x00540000 to tracked regions list (ntdll::NtOpenThread returns to 0x005539B4, thread 3820).
2026-03-12 03:00:23,096 [root] DEBUG: 4136: YaraScan: Scanning 0x00540000, size 0x5a54a
2026-03-12 03:00:23,096 [root] DEBUG: 4136: ProcessImageBase: Main module image at 0x00540000 unmodified (entropy change 0.000000e+00)
2026-03-12 03:00:23,158 [root] DEBUG: 4136: InstrumentationCallback: Added region at 0x76581D9C (base 0x76430000) to tracked regions list (thread 3820).
2026-03-12 03:00:23,158 [root] DEBUG: 4136: ProcessTrackedRegion: Region at 0x76430000 mapped as \Device\HarddiskVolume2\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2026-03-12 03:00:23,174 [root] DEBUG: 4136: CreateProcessHandler: Injection info set for new process 5732: C:\Windows\system32\cmd.exe, ImageBase: 0x00540000
2026-03-12 03:00:23,190 [root] INFO: Announced 32-bit process name: cmd.exe pid: 5732
2026-03-12 03:00:23,190 [lib.api.process] INFO: Monitor config for <Process 5732 cmd.exe>: C:\fo9rzin5\dll\5732.ini
2026-03-12 03:00:23,190 [lib.api.process] INFO: 32-bit DLL to inject is C:\fo9rzin5\dll\UStemzU.dll, loader C:\fo9rzin5\bin\TNeyeLA.exe
2026-03-12 03:00:23,236 [root] DEBUG: Loader: Injecting process 5732 (thread 6772) with C:\fo9rzin5\dll\UStemzU.dll.
2026-03-12 03:00:23,236 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-03-12 03:00:23,236 [root] DEBUG: Successfully injected DLL C:\fo9rzin5\dll\UStemzU.dll.
2026-03-12 03:00:23,236 [lib.api.process] INFO: Injected into 32-bit <Process 5732 cmd.exe>
2026-03-12 03:00:23,252 [root] DEBUG: 4136: ProcessTrackedRegion: Region at 0x76430000 mapped as \Device\HarddiskVolume2\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2026-03-12 03:00:23,480 [root] DEBUG: 5732: Python path set to 'C:\Users\malware\AppData\Local\Programs\Python\Python310-32'.
2026-03-12 03:00:23,495 [root] DEBUG: 5732: Disabling sleep skipping.
2026-03-12 03:00:23,495 [root] DEBUG: 5732: Dropped file limit defaulting to 100.
2026-03-12 03:00:23,495 [root] DEBUG: 5732: YaraInit: Compiled rules loaded from existing file C:\fo9rzin5\data\yara\capemon.yac
2026-03-12 03:00:23,511 [root] DEBUG: 5732: YaraScan: Scanning 0x00540000, size 0x5a54a
2026-03-12 03:00:23,511 [root] DEBUG: 5732: YaraScan hit: FindFixAndRun
2026-03-12 03:00:23,511 [root] DEBUG: 5732: Monitor initialised: 32-bit capemon loaded in process 5732 at 0x73630000, thread 6772, image base 0x540000, stack from 0x2a03000-0x2b00000
2026-03-12 03:00:23,511 [root] DEBUG: 5732: Commandline: C:\Windows\system32\cmd.exe /K "C:\Users\malware\AppData\Local\Temp\test_win.bat"
2026-03-12 03:00:23,558 [root] DEBUG: 5732: hook_api: LdrpCallInitRoutine export address 0x776066C0 obtained via GetFunctionAddress
2026-03-12 03:00:23,589 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2026-03-12 03:00:23,589 [root] DEBUG: 5732: set_hooks: Unable to hook GetCommandLineA
2026-03-12 03:00:23,605 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2026-03-12 03:00:23,605 [root] DEBUG: 5732: set_hooks: Unable to hook GetCommandLineW
2026-03-12 03:00:23,620 [root] DEBUG: 5732: Hooked 630 out of 632 functions
2026-03-12 03:00:23,620 [root] DEBUG: 5732: set_hooks_exe: Hooked FindFixAndRun at 0x0054D170
2026-03-12 03:00:23,636 [root] DEBUG: 5732: Syscall hook installed, syscall logging level 1
2026-03-12 03:00:23,636 [root] DEBUG: 5732: RestoreHeaders: Restored original import table.
2026-03-12 03:00:23,636 [root] INFO: Loaded monitor into process with pid 5732
2026-03-12 03:00:23,636 [root] DEBUG: 5732: caller_dispatch: Added region at 0x00540000 to tracked regions list (ntdll::NtOpenThread returns to 0x005539B4, thread 6772).
2026-03-12 03:00:23,652 [root] DEBUG: 5732: YaraScan: Scanning 0x00540000, size 0x5a54a
2026-03-12 03:00:23,652 [root] DEBUG: 5732: ProcessImageBase: Main module image at 0x00540000 unmodified (entropy change 0.000000e+00)
2026-03-12 03:00:23,721 [root] DEBUG: 5732: InstrumentationCallback: Added region at 0x76581D9C (base 0x76430000) to tracked regions list (thread 6772).
2026-03-12 03:00:23,721 [root] DEBUG: 5732: ProcessTrackedRegion: Region at 0x76430000 mapped as \Device\HarddiskVolume2\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2026-03-12 03:00:23,736 [root] DEBUG: 5732: DLL loaded at 0x73620000: C:\Windows\SYSTEM32\cmdext (0xd000 bytes).
2026-03-12 03:00:23,783 [root] DEBUG: 5732: DLL loaded at 0x774B0000: C:\Windows\System32\shcore (0xc1000 bytes).
2026-03-12 03:00:23,783 [root] DEBUG: 5732: DLL loaded at 0x735E0000: C:\Windows\System32\srpapi (0x29000 bytes).
2026-03-12 03:00:23,799 [root] DEBUG: 5732: DLL loaded at 0x73610000: C:\Windows\system32\appidapi (0x10000 bytes).
2026-03-12 03:00:23,799 [root] DEBUG: 5732: DLL loaded at 0x75310000: C:\Windows\System32\bcryptprimitives (0x62000 bytes).
2026-03-12 03:00:23,799 [root] DEBUG: 5732: DLL loaded at 0x73900000: C:\Windows\system32\uxtheme (0x7f000 bytes).
2026-03-12 03:00:23,924 [root] DEBUG: 5732: CreateProcessHandler: Injection info set for new process 7116: C:\Windows\system32\ipconfig.exe, ImageBase: 0x00710000
2026-03-12 03:00:23,924 [root] INFO: Announced 32-bit process name: ipconfig.exe pid: 7116
2026-03-12 03:00:23,924 [lib.api.process] INFO: Monitor config for <Process 7116 ipconfig.exe>: C:\fo9rzin5\dll\7116.ini
2026-03-12 03:00:23,924 [lib.api.process] INFO: 32-bit DLL to inject is C:\fo9rzin5\dll\UStemzU.dll, loader C:\fo9rzin5\bin\TNeyeLA.exe
2026-03-12 03:00:23,972 [root] DEBUG: Loader: Injecting process 7116 (thread 2792) with C:\fo9rzin5\dll\UStemzU.dll.
2026-03-12 03:00:23,987 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-03-12 03:00:23,987 [root] DEBUG: Successfully injected DLL C:\fo9rzin5\dll\UStemzU.dll.
2026-03-12 03:00:23,987 [lib.api.process] INFO: Injected into 32-bit <Process 7116 ipconfig.exe>
2026-03-12 03:00:24,003 [root] DEBUG: 5732: ProcessTrackedRegion: Region at 0x76430000 mapped as \Device\HarddiskVolume2\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2026-03-12 03:00:24,144 [root] DEBUG: 7116: Python path set to 'C:\Users\malware\AppData\Local\Programs\Python\Python310-32'.
2026-03-12 03:00:24,144 [root] DEBUG: 7116: Dropped file limit defaulting to 100.
2026-03-12 03:00:24,144 [root] DEBUG: 7116: Disabling sleep skipping.
2026-03-12 03:00:24,144 [root] DEBUG: 7116: YaraInit: Compiled rules loaded from existing file C:\fo9rzin5\data\yara\capemon.yac
2026-03-12 03:00:24,159 [root] DEBUG: 7116: YaraScan: Scanning 0x00710000, size 0xb3fe
2026-03-12 03:00:24,159 [root] DEBUG: 7116: Monitor initialised: 32-bit capemon loaded in process 7116 at 0x73630000, thread 2792, image base 0x710000, stack from 0x2de4000-0x2df0000
2026-03-12 03:00:24,159 [root] DEBUG: 7116: Commandline: ipconfig
2026-03-12 03:00:24,191 [root] DEBUG: 7116: hook_api: LdrpCallInitRoutine export address 0x776066C0 obtained via GetFunctionAddress
2026-03-12 03:00:24,237 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2026-03-12 03:00:24,237 [root] DEBUG: 7116: set_hooks: Unable to hook GetCommandLineA
2026-03-12 03:00:24,237 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2026-03-12 03:00:24,237 [root] DEBUG: 7116: set_hooks: Unable to hook GetCommandLineW
2026-03-12 03:00:24,269 [root] DEBUG: 7116: Hooked 630 out of 632 functions
2026-03-12 03:00:24,269 [root] DEBUG: 7116: Syscall hook installed, syscall logging level 1
2026-03-12 03:00:24,269 [root] DEBUG: 7116: RestoreHeaders: Restored original import table.
2026-03-12 03:00:24,269 [root] INFO: Loaded monitor into process with pid 7116
2026-03-12 03:00:24,284 [root] DEBUG: 7116: caller_dispatch: Added region at 0x00710000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x0071590A, thread 2792).
2026-03-12 03:00:24,284 [root] DEBUG: 7116: YaraScan: Scanning 0x00710000, size 0xb3fe
2026-03-12 03:00:24,284 [root] DEBUG: 7116: ProcessImageBase: Main module image at 0x00710000 unmodified (entropy change 0.000000e+00)
2026-03-12 03:00:24,300 [root] DEBUG: 7116: InstrumentationCallback: Added region at 0x76581D9C (base 0x76430000) to tracked regions list (thread 2792).
2026-03-12 03:00:24,316 [root] DEBUG: 7116: ProcessTrackedRegion: Region at 0x76430000 mapped as \Device\HarddiskVolume2\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2026-03-12 03:00:24,409 [root] DEBUG: 7116: NtTerminateProcess hook: Attempting to dump process 7116
2026-03-12 03:00:24,409 [root] DEBUG: 7116: DoProcessDump: Skipping process dump as code is identical on disk.
2026-03-12 03:00:24,472 [root] INFO: Process with pid 7116 has terminated
2026-03-12 03:01:22,775 [root] INFO: Analysis timeout hit, terminating analysis
2026-03-12 03:01:22,775 [lib.api.process] INFO: Terminate event set for <Process 4136 cmd.exe>
2026-03-12 03:01:22,775 [root] DEBUG: 4136: Terminate Event: Attempting to dump process 4136
2026-03-12 03:01:22,775 [root] DEBUG: 4136: VerifyCodeSection: Executable code does not match, 0xc172 of 0x2df59 matching
2026-03-12 03:01:22,775 [root] DEBUG: 4136: DoProcessDump: Code modification detected, dumping Imagebase at 0x00540000.
2026-03-12 03:01:22,791 [root] DEBUG: 4136: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2026-03-12 03:01:22,791 [root] DEBUG: 4136: DumpProcess: Instantiating PeParser with address: 0x00540000.
2026-03-12 03:01:22,791 [root] DEBUG: 4136: DumpProcess: Module entry point VA is 0x0055BD70.
2026-03-12 03:01:22,916 [lib.common.results] INFO: Uploading file C:\cviTrXvdj\CAPE\4136_330462211012432026 to procdump\4c0faeea52c90d27fc245f77c8c05d5e36e4e5d3e667aca752d7f82d3425ca55; Size is 355840; Max size: 100000000
2026-03-12 03:01:22,947 [root] DEBUG: 4136: DumpProcess: Module image dump success - dump size 0x56e00.
2026-03-12 03:01:22,947 [lib.api.process] INFO: Termination confirmed for <Process 4136 cmd.exe>
2026-03-12 03:01:22,947 [root] DEBUG: 4136: Terminate Event: monitor shutdown complete for process 4136
2026-03-12 03:01:22,963 [root] INFO: Terminate event set for process 4136
2026-03-12 03:01:22,963 [lib.api.process] INFO: Terminate event set for <Process 5732 cmd.exe>
2026-03-12 03:01:22,963 [root] DEBUG: 5732: Terminate Event: Attempting to dump process 5732
2026-03-12 03:01:22,978 [root] DEBUG: 5732: VerifyCodeSection: Executable code does not match, 0xc172 of 0x2df59 matching
2026-03-12 03:01:22,978 [root] DEBUG: 5732: DoProcessDump: Code modification detected, dumping Imagebase at 0x00540000.
2026-03-12 03:01:22,978 [root] DEBUG: 5732: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2026-03-12 03:01:22,978 [root] DEBUG: 5732: DumpProcess: Instantiating PeParser with address: 0x00540000.
2026-03-12 03:01:22,994 [root] DEBUG: 5732: DumpProcess: Module entry point VA is 0x0055BD70.
2026-03-12 03:01:23,072 [lib.common.results] INFO: Uploading file C:\cviTrXvdj\CAPE\5732_407542211012432026 to procdump\a319c40cd65e2aaf276b878cb491f56ec21ab307ee06aded3b10b328006e34e5; Size is 356864; Max size: 100000000
2026-03-12 03:01:23,103 [root] DEBUG: 5732: DumpProcess: Module image dump success - dump size 0x57200.
2026-03-12 03:01:23,119 [lib.api.process] INFO: Termination confirmed for <Process 5732 cmd.exe>
2026-03-12 03:01:23,119 [root] DEBUG: 5732: Terminate Event: monitor shutdown complete for process 5732
2026-03-12 03:01:23,119 [root] INFO: Terminate event set for process 5732
2026-03-12 03:01:23,119 [root] INFO: Created shutdown mutex
2026-03-12 03:01:24,166 [root] INFO: Shutting down package
2026-03-12 03:01:24,244 [root] INFO: Stopping auxiliary modules
2026-03-12 03:01:24,338 [root] INFO: Stopping auxiliary module: Browser
2026-03-12 03:01:24,431 [root] INFO: Stopping auxiliary module: Human
2026-03-12 03:01:25,245 [root] INFO: Stopping auxiliary module: Screenshots
2026-03-12 03:01:25,245 [root] INFO: Finishing auxiliary modules
2026-03-12 03:01:25,245 [root] INFO: Shutting down pipe server and dumping dropped files
2026-03-12 03:01:25,245 [root] WARNING: Folder at path "C:\cviTrXvdj\debugger" does not exist, skipping
2026-03-12 03:01:25,245 [root] WARNING: Folder at path "C:\cviTrXvdj\tlsdump" does not exist, skipping
2026-03-12 03:01:25,245 [root] INFO: Analysis completed
```
| Name | Label | Manager | Started On | Shutdown On |
|---|---|---|---|---|
| win11 | win11 | KVM | 2026-03-12 02:59:55 | 2026-03-12 03:01:28 |
| File Name | test_win.bat |
|---|---|
| File Type | DOS batch file, ASCII text |
| File Size | 93 bytes |
| MD5 | 80465455b46676f45790ee8f73e75059 |
| SHA1 | c364111154e6e2b24642399b5af52b0af075e36e |
| SHA256 | 6f7caa9e033886dc9944c6dc966a7730833622b21570d45e2da206b180083f55 |
| SHA3-384 | a577b851bc168daef4672eec933ca9a2e6416931389cb36e85a469d75d776e017f93ab1d54578bb7a3a63c2b14f13e92 |
| CRC32 | C684FC53 |
| TLSH | T1C2B0120FF0962D73C3E1CC7428800441380C17E7C850CC2161C7193404C14C0328E931 |
| Ssdeep | 3:mKDDro+Lzjoue4FAq6xgjxFV2gjiLDzn:hnVLnouZOq6xaHM/ |
```batch
@echo off
echo CAPE Test Sample
echo Hostname: %COMPUTERNAME%
echo User: %USERNAME%
ipconfig
```
No results found.
No behavioral analysis data available.
No dropped files found.