| Category | Package | Started | Completed | Duration | Logs |
|---|---|---|---|---|---|
| FILE | | 2026-03-12 02:59:55 | 2026-03-12 03:01:55 | 120s | Reports / JSON |
```text
2026-03-12 02:29:53,127 [root] INFO: Date set to: 20260312T03:00:28, timeout set to: 60
2026-03-12 03:00:28,052 [root] DEBUG: Starting analyzer from: C:\fo70alm8
2026-03-12 03:00:28,083 [root] DEBUG: Storing results at: C:\JRAvHIbPg
2026-03-12 03:00:28,083 [root] DEBUG: Pipe server name: \\.\PIPE\bHDIIWOIat
2026-03-12 03:00:28,083 [root] DEBUG: Python path: C:\Users\malware\AppData\Local\Programs\Python\Python310-32
2026-03-12 03:00:28,099 [root] INFO: analysis running as an admin
2026-03-12 03:00:28,099 [root] DEBUG: no analysis package configured, picking one for you
2026-03-12 03:00:28,130 [root] INFO: analysis package selected: "batch"
2026-03-12 03:00:28,161 [root] DEBUG: importing analysis package module: "modules.packages.batch"...
2026-03-12 03:00:28,255 [root] DEBUG: imported analysis package "batch"
2026-03-12 03:00:28,255 [root] DEBUG: initializing analysis package "batch"...
2026-03-12 03:00:28,255 [lib.common.common] INFO: wrapping
2026-03-12 03:00:28,255 [lib.core.compound] INFO: C:\Users\malware\AppData\Local\Temp already exists, skipping creation
2026-03-12 03:00:28,255 [root] DEBUG: New location of moved file: C:\Users\malware\AppData\Local\Temp\test_win.bat
2026-03-12 03:00:28,255 [root] INFO: Analyzer: Package modules.packages.batch does not specify a DLL option
2026-03-12 03:00:28,255 [root] INFO: Analyzer: Package modules.packages.batch does not specify a DLL_64 option
2026-03-12 03:00:28,255 [root] INFO: Analyzer: Package modules.packages.batch does not specify a loader option
2026-03-12 03:00:28,255 [root] INFO: Analyzer: Package modules.packages.batch does not specify a loader_64 option
2026-03-12 03:00:28,770 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2026-03-12 03:00:28,770 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2026-03-12 03:00:29,082 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2026-03-12 03:00:29,145 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2026-03-12 03:00:29,192 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2026-03-12 03:00:29,192 [lib.api.screenshot] ERROR: No module named 'PIL'
2026-03-12 03:00:29,192 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2026-03-12 03:00:29,208 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2026-03-12 03:00:29,223 [root] DEBUG: Initialized auxiliary module "Browser"
2026-03-12 03:00:29,223 [root] DEBUG: attempting to configure 'Browser' from data
2026-03-12 03:00:29,223 [root] DEBUG: module Browser does not support data configuration, ignoring
2026-03-12 03:00:29,223 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2026-03-12 03:00:29,223 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2026-03-12 03:00:29,239 [root] DEBUG: Initialized auxiliary module "DigiSig"
2026-03-12 03:00:29,239 [root] DEBUG: attempting to configure 'DigiSig' from data
2026-03-12 03:00:29,239 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2026-03-12 03:00:29,239 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2026-03-12 03:00:29,239 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2026-03-12 03:00:29,708 [modules.auxiliary.digisig] DEBUG: File format not recognized
2026-03-12 03:00:29,708 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2026-03-12 03:00:29,739 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2026-03-12 03:00:29,739 [root] DEBUG: Initialized auxiliary module "Disguise"
2026-03-12 03:00:29,739 [root] DEBUG: attempting to configure 'Disguise' from data
2026-03-12 03:00:29,755 [root] DEBUG: module Disguise does not support data configuration, ignoring
2026-03-12 03:00:29,755 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2026-03-12 03:00:29,770 [modules.auxiliary.disguise] INFO: Disguising GUID to 3f5cd452-90a2-4074-9dda-8e5accc5f56e
2026-03-12 03:00:29,770 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2026-03-12 03:00:29,770 [root] DEBUG: Initialized auxiliary module "Human"
2026-03-12 03:00:29,770 [root] DEBUG: attempting to configure 'Human' from data
2026-03-12 03:00:29,786 [root] DEBUG: module Human does not support data configuration, ignoring
2026-03-12 03:00:29,786 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2026-03-12 03:00:30,364 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2026-03-12 03:00:30,380 [root] DEBUG: Initialized auxiliary module "Screenshots"
2026-03-12 03:00:30,380 [root] DEBUG: attempting to configure 'Screenshots' from data
2026-03-12 03:00:30,395 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2026-03-12 03:00:30,411 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2026-03-12 03:00:30,411 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2026-03-12 03:00:30,411 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2026-03-12 03:00:30,411 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2026-03-12 03:00:30,411 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2026-03-12 03:00:30,427 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2026-03-12 03:00:30,427 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2026-03-12 03:00:30,427 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 656
2026-03-12 03:00:30,505 [lib.api.process] INFO: Monitor config for <Process 656 lsass.exe>: C:\fo70alm8\dll\656.ini
2026-03-12 03:00:30,505 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2026-03-12 03:00:30,536 [lib.api.process] INFO: 64-bit DLL to inject is C:\fo70alm8\dll\bdnwbBbZ.dll, loader C:\fo70alm8\bin\LQLZcLnO.exe
2026-03-12 03:00:30,661 [root] DEBUG: Loader: Injecting process 656 with C:\fo70alm8\dll\bdnwbBbZ.dll.
2026-03-12 03:00:30,708 [root] DEBUG: 656: Python path set to 'C:\Users\malware\AppData\Local\Programs\Python\Python310-32'.
2026-03-12 03:00:30,723 [root] DEBUG: 656: Disabling sleep skipping.
2026-03-12 03:00:30,723 [root] DEBUG: 656: TLS secret dump mode enabled.
2026-03-12 03:00:30,786 [root] DEBUG: 656: RtlInsertInvertedFunctionTable 0x00007FFE45A6090E, LdrpInvertedFunctionTableSRWLock 0x00007FFE45BBD510
2026-03-12 03:00:30,786 [root] DEBUG: 656: Monitor initialised: 64-bit capemon loaded in process 656 at 0x00007FFE1EBA0000, thread 1932, image base 0x00007FF7509D0000, stack from 0x0000006D74372000-0x0000006D74380000
2026-03-12 03:00:30,786 [root] DEBUG: 656: Commandline: C:\Windows\system32\lsass.exe
2026-03-12 03:00:30,833 [root] DEBUG: 656: Hooked 5 out of 5 functions
2026-03-12 03:00:30,833 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2026-03-12 03:00:30,833 [root] DEBUG: Successfully injected DLL C:\fo70alm8\dll\bdnwbBbZ.dll.
2026-03-12 03:00:30,848 [lib.api.process] INFO: Injected into 64-bit <Process 656 lsass.exe>
2026-03-12 03:00:30,848 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump
2026-03-12 03:00:38,536 [root] INFO: Restarting WMI Service
2026-03-12 03:00:40,724 [root] DEBUG: package modules.packages.batch does not support configure, ignoring
2026-03-12 03:00:40,739 [root] WARNING: configuration error for package modules.packages.batch: error importing data.packages.batch: No module named 'data.packages'
2026-03-12 03:00:40,739 [lib.core.compound] INFO: C:\Users\malware\AppData\Local\Temp already exists, skipping creation
2026-03-12 03:00:40,755 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\system32\cmd.exe" with arguments "/c start /wait "" "C:\Users\malware\AppData\Local\Temp\test_win.bat"" with pid 1732
2026-03-12 03:00:40,755 [lib.api.process] INFO: Monitor config for <Process 1732 cmd.exe>: C:\fo70alm8\dll\1732.ini
2026-03-12 03:00:40,786 [lib.api.process] INFO: 32-bit DLL to inject is C:\fo70alm8\dll\orRMvWuZ.dll, loader C:\fo70alm8\bin\rcnLFnZ.exe
2026-03-12 03:00:40,880 [root] DEBUG: Loader: Injecting process 1732 (thread 3796) with C:\fo70alm8\dll\orRMvWuZ.dll.
2026-03-12 03:00:40,880 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-03-12 03:00:40,880 [root] DEBUG: Successfully injected DLL C:\fo70alm8\dll\orRMvWuZ.dll.
2026-03-12 03:00:40,895 [lib.api.process] INFO: Injected into 32-bit <Process 1732 cmd.exe>
2026-03-12 03:00:42,911 [lib.api.process] INFO: Successfully resumed <Process 1732 cmd.exe>
2026-03-12 03:00:43,317 [root] DEBUG: 1732: Python path set to 'C:\Users\malware\AppData\Local\Programs\Python\Python310-32'.
2026-03-12 03:00:43,317 [root] DEBUG: 1732: Disabling sleep skipping.
2026-03-12 03:00:43,333 [root] DEBUG: 1732: Dropped file limit defaulting to 100.
2026-03-12 03:00:43,364 [root] DEBUG: 1732: YaraInit: Compiled 44 rule files
2026-03-12 03:00:43,396 [root] DEBUG: 1732: YaraInit: Compiled rules saved to file C:\fo70alm8\data\yara\capemon.yac
2026-03-12 03:00:43,396 [root] DEBUG: 1732: YaraScan: Scanning 0x00B20000, size 0x595ee
2026-03-12 03:00:43,411 [root] DEBUG: 1732: YaraScan hit: FindFixAndRun
2026-03-12 03:00:43,411 [root] DEBUG: 1732: Monitor initialised: 32-bit capemon loaded in process 1732 at 0x6f620000, thread 3796, image base 0xb20000, stack from 0xa03000-0xb00000
2026-03-12 03:00:43,411 [root] DEBUG: 1732: Commandline: "C:\Windows\system32\cmd.exe" /c start /wait "" "C:\Users\malware\AppData\Local\Temp\test_win.bat"
2026-03-12 03:00:43,489 [root] DEBUG: 1732: hook_api: LdrpCallInitRoutine export address 0x77952A30 obtained via GetFunctionAddress
2026-03-12 03:00:43,552 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2026-03-12 03:00:43,552 [root] DEBUG: 1732: set_hooks: Unable to hook GetCommandLineA
2026-03-12 03:00:43,552 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2026-03-12 03:00:43,552 [root] DEBUG: 1732: set_hooks: Unable to hook GetCommandLineW
2026-03-12 03:00:43,552 [root] DEBUG: 1732: Hooked 630 out of 632 functions
2026-03-12 03:00:43,552 [root] DEBUG: 1732: set_hooks_exe: Hooked FindFixAndRun at 0x00B2AD60
2026-03-12 03:00:43,552 [root] DEBUG: 1732: Syscall hook installed, syscall logging level 1
2026-03-12 03:00:43,645 [root] DEBUG: 1732: RestoreHeaders: Restored original import table.
2026-03-12 03:00:43,645 [root] INFO: Loaded monitor into process with pid 1732
2026-03-12 03:00:43,645 [root] DEBUG: 1732: caller_dispatch: Added region at 0x00B20000 to tracked regions list (ntdll::NtOpenThread returns to 0x00B309DE, thread 3796).
2026-03-12 03:00:43,661 [root] DEBUG: 1732: YaraScan: Scanning 0x00B20000, size 0x595ee
2026-03-12 03:00:43,677 [root] DEBUG: 1732: ProcessImageBase: Main module image at 0x00B20000 unmodified (entropy change 0.000000e+00)
2026-03-12 03:00:43,739 [root] DEBUG: 1732: InstrumentationCallback: Added region at 0x76D1413C (base 0x76BD0000) to tracked regions list (thread 3796).
2026-03-12 03:00:43,739 [root] DEBUG: 1732: ProcessTrackedRegion: Region at 0x76BD0000 mapped as \Device\HarddiskVolume2\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2026-03-12 03:00:43,755 [root] DEBUG: 1732: CreateProcessHandler: Injection info set for new process 3040: C:\Windows\system32\cmd.exe, ImageBase: 0x00B20000
2026-03-12 03:00:43,755 [root] INFO: Announced 32-bit process name: cmd.exe pid: 3040
2026-03-12 03:00:43,755 [lib.api.process] INFO: Monitor config for <Process 3040 cmd.exe>: C:\fo70alm8\dll\3040.ini
2026-03-12 03:00:43,786 [lib.api.process] INFO: 32-bit DLL to inject is C:\fo70alm8\dll\orRMvWuZ.dll, loader C:\fo70alm8\bin\rcnLFnZ.exe
2026-03-12 03:00:43,833 [root] DEBUG: Loader: Injecting process 3040 (thread 4800) with C:\fo70alm8\dll\orRMvWuZ.dll.
2026-03-12 03:00:43,833 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-03-12 03:00:43,833 [root] DEBUG: Successfully injected DLL C:\fo70alm8\dll\orRMvWuZ.dll.
2026-03-12 03:00:43,849 [lib.api.process] INFO: Injected into 32-bit <Process 3040 cmd.exe>
2026-03-12 03:00:43,865 [root] DEBUG: 1732: ProcessTrackedRegion: Region at 0x76BD0000 mapped as \Device\HarddiskVolume2\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2026-03-12 03:00:44,052 [root] DEBUG: 3040: Python path set to 'C:\Users\malware\AppData\Local\Programs\Python\Python310-32'.
2026-03-12 03:00:44,052 [root] DEBUG: 3040: Disabling sleep skipping.
2026-03-12 03:00:44,052 [root] DEBUG: 3040: Dropped file limit defaulting to 100.
2026-03-12 03:00:44,067 [root] DEBUG: 3040: YaraInit: Compiled rules loaded from existing file C:\fo70alm8\data\yara\capemon.yac
2026-03-12 03:00:44,083 [root] DEBUG: 3040: YaraScan: Scanning 0x00B20000, size 0x595ee
2026-03-12 03:00:44,083 [root] DEBUG: 3040: YaraScan hit: FindFixAndRun
2026-03-12 03:00:44,083 [root] DEBUG: 3040: Monitor initialised: 32-bit capemon loaded in process 3040 at 0x6f620000, thread 4800, image base 0xb20000, stack from 0x2ca3000-0x2da0000
2026-03-12 03:00:44,083 [root] DEBUG: 3040: Commandline: C:\Windows\system32\cmd.exe /K "C:\Users\malware\AppData\Local\Temp\test_win.bat"
2026-03-12 03:00:44,146 [root] DEBUG: 3040: hook_api: LdrpCallInitRoutine export address 0x77952A30 obtained via GetFunctionAddress
2026-03-12 03:00:44,177 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2026-03-12 03:00:44,193 [root] DEBUG: 3040: set_hooks: Unable to hook GetCommandLineA
2026-03-12 03:00:44,193 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2026-03-12 03:00:44,208 [root] DEBUG: 3040: set_hooks: Unable to hook GetCommandLineW
2026-03-12 03:00:44,224 [root] DEBUG: 3040: Hooked 630 out of 632 functions
2026-03-12 03:00:44,224 [root] DEBUG: 3040: set_hooks_exe: Hooked FindFixAndRun at 0x00B2AD60
2026-03-12 03:00:44,240 [root] DEBUG: 3040: Syscall hook installed, syscall logging level 1
2026-03-12 03:00:44,255 [root] DEBUG: 3040: RestoreHeaders: Restored original import table.
2026-03-12 03:00:44,255 [root] INFO: Loaded monitor into process with pid 3040
2026-03-12 03:00:44,255 [root] DEBUG: 3040: caller_dispatch: Added region at 0x00B20000 to tracked regions list (ntdll::NtOpenThread returns to 0x00B309DE, thread 4800).
2026-03-12 03:00:44,255 [root] DEBUG: 3040: YaraScan: Scanning 0x00B20000, size 0x595ee
2026-03-12 03:00:44,255 [root] DEBUG: 3040: ProcessImageBase: Main module image at 0x00B20000 unmodified (entropy change 0.000000e+00)
2026-03-12 03:00:44,255 [root] DEBUG: 3040: InstrumentationCallback: Added region at 0x76D1413C (base 0x76BD0000) to tracked regions list (thread 4800).
2026-03-12 03:00:44,255 [root] DEBUG: 3040: ProcessTrackedRegion: Region at 0x76BD0000 mapped as \Device\HarddiskVolume2\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2026-03-12 03:00:44,411 [root] DEBUG: 3040: DLL loaded at 0x6F610000: C:\Windows\SYSTEM32\cmdext (0xa000 bytes).
2026-03-12 03:00:44,552 [root] DEBUG: 3040: CreateProcessHandler: Injection info set for new process 1532: C:\Windows\system32\ipconfig.exe, ImageBase: 0x00250000
2026-03-12 03:00:44,552 [root] INFO: Announced 32-bit process name: ipconfig.exe pid: 1532
2026-03-12 03:00:44,567 [lib.api.process] INFO: Monitor config for <Process 1532 ipconfig.exe>: C:\fo70alm8\dll\1532.ini
2026-03-12 03:00:44,583 [lib.api.process] INFO: 32-bit DLL to inject is C:\fo70alm8\dll\orRMvWuZ.dll, loader C:\fo70alm8\bin\rcnLFnZ.exe
2026-03-12 03:00:44,630 [root] DEBUG: Loader: Injecting process 1532 (thread 2704) with C:\fo70alm8\dll\orRMvWuZ.dll.
2026-03-12 03:00:44,630 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-03-12 03:00:44,645 [root] DEBUG: Successfully injected DLL C:\fo70alm8\dll\orRMvWuZ.dll.
2026-03-12 03:00:44,645 [lib.api.process] INFO: Injected into 32-bit <Process 1532 ipconfig.exe>
2026-03-12 03:00:44,677 [root] DEBUG: 3040: ProcessTrackedRegion: Region at 0x76BD0000 mapped as \Device\HarddiskVolume2\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2026-03-12 03:00:44,740 [root] DEBUG: 1532: Python path set to 'C:\Users\malware\AppData\Local\Programs\Python\Python310-32'.
2026-03-12 03:00:44,754 [root] DEBUG: 1532: Dropped file limit defaulting to 100.
2026-03-12 03:00:44,754 [root] DEBUG: 1532: Disabling sleep skipping.
2026-03-12 03:00:44,961 [root] DEBUG: 1532: YaraInit: Compiled rules loaded from existing file C:\fo70alm8\data\yara\capemon.yac
2026-03-12 03:00:44,973 [root] DEBUG: 1532: YaraScan: Scanning 0x00250000, size 0xa412
2026-03-12 03:00:44,973 [root] DEBUG: 1532: Monitor initialised: 32-bit capemon loaded in process 1532 at 0x6f620000, thread 2704, image base 0x250000, stack from 0x2894000-0x28a0000
2026-03-12 03:00:44,973 [root] DEBUG: 1532: Commandline: ipconfig
2026-03-12 03:00:45,021 [root] DEBUG: 1532: hook_api: LdrpCallInitRoutine export address 0x77952A30 obtained via GetFunctionAddress
2026-03-12 03:00:45,068 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2026-03-12 03:00:45,068 [root] DEBUG: 1532: set_hooks: Unable to hook GetCommandLineA
2026-03-12 03:00:45,068 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2026-03-12 03:00:45,068 [root] DEBUG: 1532: set_hooks: Unable to hook GetCommandLineW
2026-03-12 03:00:45,099 [root] DEBUG: 1532: Hooked 630 out of 632 functions
2026-03-12 03:00:45,099 [root] DEBUG: 1532: Syscall hook installed, syscall logging level 1
2026-03-12 03:00:45,114 [root] DEBUG: 1532: RestoreHeaders: Restored original import table.
2026-03-12 03:00:45,114 [root] INFO: Loaded monitor into process with pid 1532
2026-03-12 03:00:45,114 [root] DEBUG: 1532: caller_dispatch: Added region at 0x00250000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x00254F5A, thread 2704).
2026-03-12 03:00:45,114 [root] DEBUG: 1532: YaraScan: Scanning 0x00250000, size 0xa412
2026-03-12 03:00:45,130 [root] DEBUG: 1532: ProcessImageBase: Main module image at 0x00250000 unmodified (entropy change 0.000000e+00)
2026-03-12 03:00:45,161 [root] DEBUG: 1532: InstrumentationCallback: Added region at 0x76D1413C (base 0x76BD0000) to tracked regions list (thread 2704).
2026-03-12 03:00:45,161 [root] DEBUG: 1532: ProcessTrackedRegion: Region at 0x76BD0000 mapped as \Device\HarddiskVolume2\Windows\SysWOW64\KernelBase.dll is in known range, skipping
2026-03-12 03:00:45,270 [root] DEBUG: 1532: NtTerminateProcess hook: Attempting to dump process 1532
2026-03-12 03:00:45,286 [root] DEBUG: 1532: DoProcessDump: Skipping process dump as code is identical on disk.
2026-03-12 03:00:45,302 [root] INFO: Process with pid 1532 has terminated
2026-03-12 03:01:43,161 [root] INFO: Analysis timeout hit, terminating analysis
2026-03-12 03:01:43,161 [lib.api.process] INFO: Terminate event set for <Process 1732 cmd.exe>
2026-03-12 03:01:43,161 [root] DEBUG: 1732: Terminate Event: Attempting to dump process 1732
2026-03-12 03:01:43,176 [root] DEBUG: 1732: VerifyCodeSection: Executable code does not match, 0x9d62 of 0x2bfcb matching
2026-03-12 03:01:43,176 [root] DEBUG: 1732: DoProcessDump: Code modification detected, dumping Imagebase at 0x00B20000.
2026-03-12 03:01:43,176 [root] DEBUG: 1732: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2026-03-12 03:01:43,192 [root] DEBUG: 1732: DumpProcess: Instantiating PeParser with address: 0x00B20000.
2026-03-12 03:01:43,192 [root] DEBUG: 1732: DumpProcess: Module entry point VA is 0x00B36B20.
2026-03-12 03:01:43,317 [lib.common.results] INFO: Uploading file C:\JRAvHIbPg\CAPE\1732_123414311012432026 to procdump\b77a8d902a6d61b3739f4c1fbad4d7a19e54f8538a340bf68df594a6b72d23a8; Size is 346624; Max size: 100000000
2026-03-12 03:01:43,349 [root] DEBUG: 1732: DumpProcess: Module image dump success - dump size 0x54a00.
2026-03-12 03:01:43,380 [lib.api.process] INFO: Termination confirmed for <Process 1732 cmd.exe>
2026-03-12 03:01:43,380 [root] DEBUG: 1732: Terminate Event: monitor shutdown complete for process 1732
2026-03-12 03:01:43,380 [root] INFO: Terminate event set for process 1732
2026-03-12 03:01:43,396 [lib.api.process] INFO: Terminate event set for <Process 3040 cmd.exe>
2026-03-12 03:01:43,396 [root] DEBUG: 3040: Terminate Event: Attempting to dump process 3040
2026-03-12 03:01:43,411 [root] DEBUG: 3040: VerifyCodeSection: Executable code does not match, 0x9d62 of 0x2bfcb matching
2026-03-12 03:01:43,427 [root] DEBUG: 3040: DoProcessDump: Code modification detected, dumping Imagebase at 0x00B20000.
2026-03-12 03:01:43,427 [root] DEBUG: 3040: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2026-03-12 03:01:43,442 [root] DEBUG: 3040: DumpProcess: Instantiating PeParser with address: 0x00B20000.
2026-03-12 03:01:43,442 [root] DEBUG: 3040: DumpProcess: Module entry point VA is 0x00B36B20.
2026-03-12 03:01:43,567 [lib.common.results] INFO: Uploading file C:\JRAvHIbPg\CAPE\3040_213204311012432026 to procdump\97d270e310b9d835ae345e5abbc0a937242c2164f96f79f5dc6313f2f5deaa83; Size is 347648; Max size: 100000000
2026-03-12 03:01:43,583 [root] DEBUG: 3040: DumpProcess: Module image dump success - dump size 0x54e00.
2026-03-12 03:01:43,599 [lib.api.process] INFO: Termination confirmed for <Process 3040 cmd.exe>
2026-03-12 03:01:43,599 [root] DEBUG: 3040: Terminate Event: monitor shutdown complete for process 3040
2026-03-12 03:01:43,599 [root] INFO: Terminate event set for process 3040
2026-03-12 03:01:43,614 [root] INFO: Created shutdown mutex
2026-03-12 03:01:44,630 [root] INFO: Shutting down package
2026-03-12 03:01:44,630 [root] INFO: Stopping auxiliary modules
2026-03-12 03:01:44,630 [root] INFO: Stopping auxiliary module: Browser
2026-03-12 03:01:44,630 [root] INFO: Stopping auxiliary module: Human
2026-03-12 03:01:44,958 [root] INFO: Stopping auxiliary module: Screenshots
2026-03-12 03:01:44,958 [root] INFO: Finishing auxiliary modules
2026-03-12 03:01:44,958 [root] INFO: Shutting down pipe server and dumping dropped files
2026-03-12 03:01:46,771 [root] WARNING: Folder at path "C:\JRAvHIbPg\debugger" does not exist, skipping
2026-03-12 03:01:46,849 [root] WARNING: Folder at path "C:\JRAvHIbPg\tlsdump" does not exist, skipping
2026-03-12 03:01:46,974 [root] INFO: Analysis completed
```
| Name | Label | Manager | Started On | Shutdown On |
|---|---|---|---|---|
| win10 | win10 | KVM | 2026-03-12 02:59:55 | 2026-03-12 03:01:54 |
| File Name | test_win.bat |
|---|---|
| File Type | DOS batch file, ASCII text |
| File Size | 93 bytes |
| MD5 | 80465455b46676f45790ee8f73e75059 |
| SHA1 | c364111154e6e2b24642399b5af52b0af075e36e |
| SHA256 | 6f7caa9e033886dc9944c6dc966a7730833622b21570d45e2da206b180083f55 |
| SHA3-384 | a577b851bc168daef4672eec933ca9a2e6416931389cb36e85a469d75d776e017f93ab1d54578bb7a3a63c2b14f13e92 |
| CRC32 | C684FC53 |
| TLSH | T1C2B0120FF0962D73C3E1CC7428800441380C17E7C850CC2161C7193404C14C0328E931 |
| Ssdeep | 3:mKDDro+Lzjoue4FAq6xgjxFV2gjiLDzn:hnVLnouZOq6xaHM/ |
```batch
@echo off
echo CAPE Test Sample
echo Hostname: %COMPUTERNAME%
echo User: %USERNAME%
ipconfig
```
No results found.
No behavioral analysis data available.
No dropped files found.