Analysis Report · CAPE Sandbox

Analysis

Category	Package	Started	Completed	Duration	Log(s)
FILE	exe	2025-11-19 23:24:23	2025-11-19 23:25:50	87 seconds	Show Analysis Log

2025-11-20 02:02:23,588 [root] INFO: Date set to: 20251119T23:24:15, timeout set to: 200
2025-11-19 23:24:15,008 [root] DEBUG: Starting analyzer from: C:\zyzhoky0
2025-11-19 23:24:15,009 [root] DEBUG: Storing results at: C:\whfTNdAnp
2025-11-19 23:24:15,009 [root] DEBUG: Pipe server name: \\.\PIPE\qfGRSc
2025-11-19 23:24:15,009 [root] DEBUG: Python path: C:\Users\Admin\AppData\Local\Programs\Python\Python313-32
2025-11-19 23:24:15,009 [root] INFO: analysis running as an admin
2025-11-19 23:24:15,010 [root] INFO: analysis package specified: "exe"
2025-11-19 23:24:15,010 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-11-19 23:24:15,016 [root] DEBUG: imported analysis package "exe"
2025-11-19 23:24:15,016 [root] DEBUG: initializing analysis package "exe"...
2025-11-19 23:24:15,017 [lib.common.common] INFO: wrapping
2025-11-19 23:24:15,017 [lib.core.compound] INFO: C:\Temp already exists, skipping creation
2025-11-19 23:24:15,018 [root] DEBUG: New location of moved file: C:\Temp\vesktop.exe
2025-11-19 23:24:15,018 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-11-19 23:24:15,018 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-11-19 23:24:15,019 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-11-19 23:24:15,019 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-11-19 23:24:15,037 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-11-19 23:24:15,046 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-11-19 23:24:15,066 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-11-19 23:24:15,090 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-11-19 23:24:15,096 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-11-19 23:24:15,147 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2025-11-19 23:24:15,150 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2025-11-19 23:24:15,170 [lib.api.screenshot] INFO: Please upgrade Pillow to >= 5.4.1 for best performance
2025-11-19 23:24:15,170 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-11-19 23:24:15,176 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-11-19 23:24:15,176 [root] DEBUG: Initialized auxiliary module "Browser"
2025-11-19 23:24:15,177 [root] DEBUG: attempting to configure 'Browser' from data
2025-11-19 23:24:15,179 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-11-19 23:24:15,179 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-11-19 23:24:15,180 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-11-19 23:24:15,180 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-11-19 23:24:15,181 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-11-19 23:24:15,182 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-11-19 23:24:15,182 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-11-19 23:24:15,182 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-11-19 23:24:18,583 [modules.auxiliary.digisig] DEBUG: File is not signed
2025-11-19 23:24:18,584 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-11-19 23:24:18,588 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-11-19 23:24:18,588 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-11-19 23:24:18,588 [root] DEBUG: attempting to configure 'Disguise' from data
2025-11-19 23:24:18,589 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-11-19 23:24:18,589 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-11-19 23:24:18,589 [modules.auxiliary.disguise] INFO: Disguising GUID to 13286dca-1aec-469e-88f0-9add975f6f99
2025-11-19 23:24:18,590 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-11-19 23:24:18,590 [root] DEBUG: Initialized auxiliary module "Human"
2025-11-19 23:24:18,590 [root] DEBUG: attempting to configure 'Human' from data
2025-11-19 23:24:18,590 [root] DEBUG: module Human does not support data configuration, ignoring
2025-11-19 23:24:18,590 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-11-19 23:24:18,592 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-11-19 23:24:18,592 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-11-19 23:24:18,593 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-11-19 23:24:18,594 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-11-19 23:24:18,594 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-11-19 23:24:18,595 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-11-19 23:24:18,595 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-11-19 23:24:18,595 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-11-19 23:24:18,596 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-11-19 23:24:18,596 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-11-19 23:24:18,598 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 608
2025-11-19 23:24:18,768 [lib.api.process] INFO: Monitor config for <Process 608 lsass.exe>: C:\zyzhoky0\dll\608.ini
2025-11-19 23:24:18,770 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-11-19 23:24:18,780 [lib.api.process] INFO: 64-bit DLL to inject is C:\zyzhoky0\dll\qMKFDRL.dll, loader C:\zyzhoky0\bin\BMzKWwqq.exe
2025-11-19 23:24:18,803 [root] DEBUG: Loader: Injecting process 608 with C:\zyzhoky0\dll\qMKFDRL.dll.
2025-11-19 23:24:18,826 [root] DEBUG: 608: Python path set to 'C:\Users\Admin\AppData\Local\Programs\Python\Python313-32'.
2025-11-19 23:24:18,827 [root] DEBUG: 608: Disabling sleep skipping.
2025-11-19 23:24:18,828 [root] DEBUG: 608: TLS secret dump mode enabled.
2025-11-19 23:24:18,863 [root] DEBUG: 608: RtlInsertInvertedFunctionTable 0x00007FFEE348090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEE35DD4F0
2025-11-19 23:24:18,864 [root] DEBUG: 608: Monitor initialised: 64-bit capemon loaded in process 608 at 0x00007FFEC4460000, thread 3816, image base 0x00007FF60EE30000, stack from 0x000000A5F43A2000-0x000000A5F43B0000
2025-11-19 23:24:18,865 [root] DEBUG: 608: Commandline: C:\Windows\system32\lsass.exe
2025-11-19 23:24:18,873 [root] DEBUG: 608: Hooked 5 out of 5 functions
2025-11-19 23:24:18,875 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-11-19 23:24:18,875 [root] DEBUG: Successfully injected DLL C:\zyzhoky0\dll\qMKFDRL.dll.
2025-11-19 23:24:18,879 [lib.api.process] INFO: Injected into 64-bit <Process 608 lsass.exe>
2025-11-19 23:24:18,879 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump
2025-11-19 23:24:21,909 [root] INFO: Restarting WMI Service
2025-11-19 23:24:24,051 [root] DEBUG: package modules.packages.exe does not support configure, ignoring
2025-11-19 23:24:24,052 [root] WARNING: configuration error for package modules.packages.exe: error importing data.packages.exe: No module named 'data.packages'
2025-11-19 23:24:24,053 [lib.core.compound] INFO: C:\Temp already exists, skipping creation
2025-11-19 23:24:24,139 [lib.api.process] INFO: Successfully executed process from path "C:\Temp\vesktop.exe" with arguments "" with pid 3228
2025-11-19 23:24:24,140 [lib.api.process] INFO: Monitor config for <Process 3228 vesktop.exe>: C:\zyzhoky0\dll\3228.ini
2025-11-19 23:24:24,145 [lib.api.process] INFO: 64-bit DLL to inject is C:\zyzhoky0\dll\qMKFDRL.dll, loader C:\zyzhoky0\bin\BMzKWwqq.exe
2025-11-19 23:24:24,156 [root] DEBUG: Loader: Injecting process 3228 (thread 2480) with C:\zyzhoky0\dll\qMKFDRL.dll.
2025-11-19 23:24:24,157 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-11-19 23:24:24,158 [root] DEBUG: Successfully injected DLL C:\zyzhoky0\dll\qMKFDRL.dll.
2025-11-19 23:24:24,161 [lib.api.process] INFO: Injected into 64-bit <Process 3228 vesktop.exe>
2025-11-19 23:24:26,170 [lib.api.process] INFO: Successfully resumed <Process 3228 vesktop.exe>
2025-11-19 23:24:26,219 [root] DEBUG: 3228: Python path set to 'C:\Users\Admin\AppData\Local\Programs\Python\Python313-32'.
2025-11-19 23:24:26,220 [root] DEBUG: 3228: Disabling sleep skipping.
2025-11-19 23:24:26,222 [root] DEBUG: 3228: Dropped file limit defaulting to 100.
2025-11-19 23:24:26,249 [root] DEBUG: 3228: YaraInit: Compiled 43 rule files
2025-11-19 23:24:26,253 [root] DEBUG: 3228: YaraInit: Compiled rules saved to file C:\zyzhoky0\data\yara\capemon.yac
2025-11-19 23:24:26,280 [root] DEBUG: 3228: RtlInsertInvertedFunctionTable 0x00007FFEE348090E, LdrpInvertedFunctionTableSRWLock 0x00007FFEE35DD4F0
2025-11-19 23:24:26,282 [root] DEBUG: 3228: YaraScan: Scanning 0x00007FF76D410000, size 0xcce20da
2025-11-19 23:24:27,302 [root] DEBUG: 3228: Yara error: Scanning timed out
2025-11-19 23:24:27,303 [root] DEBUG: 3228: Monitor initialised: 64-bit capemon loaded in process 3228 at 0x00007FFEC4460000, thread 2480, image base 0x00007FF76D410000, stack from 0x0000004B56FF2000-0x0000004B57000000
2025-11-19 23:24:27,304 [root] DEBUG: 3228: Commandline: "C:\Temp\vesktop.exe"
2025-11-19 23:24:27,329 [root] DEBUG: 3228: hook_api: LdrpCallInitRoutine export address 0x00007FFEE34899BC obtained via GetFunctionAddress
2025-11-19 23:24:27,381 [root] WARNING: b'Unable to place hook on LockResource'
2025-11-19 23:24:27,382 [root] DEBUG: 3228: set_hooks: Unable to hook LockResource
2025-11-19 23:24:27,400 [root] DEBUG: 3228: Hooked 619 out of 620 functions
2025-11-19 23:24:28,405 [root] DEBUG: 3228: Yara error: Scanning timed out
2025-11-19 23:24:28,406 [root] DEBUG: 3228: Syscall hook installed, syscall logging level 1
2025-11-19 23:24:28,420 [root] DEBUG: 3228: RestoreHeaders: Restored original import table.
2025-11-19 23:24:28,421 [root] INFO: Loaded monitor into process with pid 3228
2025-11-19 23:24:28,439 [root] DEBUG: 3228: DLL loaded at 0x00007FFEE1390000: C:\Windows\System32\bcryptPrimitives (0x82000 bytes).
2025-11-19 23:24:28,450 [root] DEBUG: 3228: YaraScan: Scanning 0x00007FF76D410000, size 0xcce20da
2025-11-19 23:24:29,462 [root] DEBUG: 3228: Yara error: Scanning timed out
2025-11-19 23:24:29,466 [root] DEBUG: 3228: YaraScan: Scanning 0x00007FF76D410000, size 0xcce20da
2025-11-19 23:24:30,468 [root] DEBUG: 3228: Yara error: Scanning timed out
2025-11-19 23:24:30,472 [root] DEBUG: 3228: YaraScan: Scanning 0x00007FF76D410000, size 0xcce20da
2025-11-19 23:24:31,474 [root] DEBUG: 3228: Yara error: Scanning timed out
2025-11-19 23:24:31,479 [root] DEBUG: 3228: YaraScan: Scanning 0x00007FF76D410000, size 0xcce20da
2025-11-19 23:24:32,480 [root] DEBUG: 3228: Yara error: Scanning timed out
2025-11-19 23:24:32,486 [root] DEBUG: 3228: YaraScan: Scanning 0x00007FF76D410000, size 0xcce20da
2025-11-19 23:24:33,488 [root] DEBUG: 3228: Yara error: Scanning timed out
2025-11-19 23:24:33,493 [root] DEBUG: 3228: YaraScan: Scanning 0x00007FF76D410000, size 0xcce20da
2025-11-19 23:24:34,496 [root] DEBUG: 3228: Yara error: Scanning timed out
2025-11-19 23:24:34,501 [root] DEBUG: 3228: YaraScan: Scanning 0x00007FF76D410000, size 0xcce20da
2025-11-19 23:24:35,503 [root] DEBUG: 3228: Yara error: Scanning timed out
2025-11-19 23:24:35,506 [root] DEBUG: 3228: caller_dispatch: Scanning calling region at 0x00007FF76D410000...
2025-11-19 23:24:35,509 [root] DEBUG: 3228: YaraScan: Scanning 0x00007FF76D410000, size 0xcce20da
2025-11-19 23:24:36,095 [root] DEBUG: 3228: caller_dispatch: Added region at 0x00007FF76D410000 to tracked regions list (kernel32::LoadLibraryExW returns to 0x00007FF7724F6273, thread 2480).
2025-11-19 23:24:36,101 [root] DEBUG: 3228: YaraScan: Scanning 0x00007FF76D410000, size 0xcce20da
2025-11-19 23:24:36,511 [root] DEBUG: 3228: Yara error: Scanning timed out
2025-11-19 23:24:36,769 [root] DEBUG: 3228: ProcessImageBase: Main module image at 0x00007FF76D410000 unmodified (entropy change 0.000000e+00)
2025-11-19 23:24:37,137 [root] DEBUG: 3228: Yara error: Scanning timed out
2025-11-19 23:24:37,384 [root] DEBUG: 3228: ProcessImageBase: Main module image at 0x00007FF76D410000 unmodified (entropy change 1.496326e-07)
2025-11-19 23:24:37,689 [root] DEBUG: 3228: DLL loaded at 0x00007FFEE09F0000: C:\Windows\SYSTEM32\powrprof (0x4b000 bytes).
2025-11-19 23:24:37,691 [root] DEBUG: 3228: DLL loaded at 0x00007FFEE09D0000: C:\Windows\SYSTEM32\UMPDC (0x12000 bytes).
2025-11-19 23:24:37,712 [root] DEBUG: 3228: DLL loaded at 0x00007FFEDE5B0000: C:\Windows\system32\uxtheme (0x9e000 bytes).
2025-11-19 23:24:37,735 [root] DEBUG: 3228: DLL loaded at 0x00007FFEE0260000: C:\Windows\system32\mswsock (0x6a000 bytes).
2025-11-19 23:24:37,887 [root] DEBUG: 3228: DLL loaded at 0x00007FFEE2330000: C:\Windows\System32\SHELL32 (0x745000 bytes).
2025-11-19 23:24:37,993 [root] DEBUG: 3228: DLL loaded at 0x00007FFEDFCB0000: C:\Windows\SYSTEM32\ntmarta (0x33000 bytes).
2025-11-19 23:24:38,136 [root] INFO: Added new file to list with pid None and path C:\Temp\debug.log
2025-11-19 23:24:38,138 [root] INFO: Process with pid 3228 has terminated
2025-11-19 23:24:38,139 [root] DEBUG: 3228: NtTerminateProcess hook: Attempting to dump process 3228
2025-11-19 23:24:38,844 [root] DEBUG: 3228: DoProcessDump: Skipping process dump as code is identical on disk.
2025-11-19 23:24:43,335 [root] INFO: Process list is empty, terminating analysis
2025-11-19 23:24:44,345 [root] INFO: Created shutdown mutex
2025-11-19 23:24:45,346 [root] INFO: Shutting down package
2025-11-19 23:24:45,347 [root] INFO: Stopping auxiliary modules
2025-11-19 23:24:45,347 [root] INFO: Stopping auxiliary module: Browser
2025-11-19 23:24:45,347 [root] INFO: Stopping auxiliary module: Human
2025-11-19 23:24:45,503 [root] INFO: Stopping auxiliary module: Screenshots
2025-11-19 23:24:46,012 [root] INFO: Finishing auxiliary modules
2025-11-19 23:24:46,013 [root] INFO: Shutting down pipe server and dumping dropped files
2025-11-19 23:24:46,015 [lib.common.results] INFO: Uploading file C:\Temp\debug.log to files\bd9b65a7b3f0e16a2382da580fdc1459544ba5c83f8b6447538a4985b1bf2a45; Size is 96; Max size: 100000000
2025-11-19 23:24:46,026 [root] WARNING: Folder at path "C:\whfTNdAnp\debugger" does not exist, skipping
2025-11-19 23:24:46,026 [root] WARNING: Folder at path "C:\whfTNdAnp\tlsdump" does not exist, skipping
2025-11-19 23:24:46,029 [root] INFO: Analysis completed

Machine

Name	Label	Manager	Started On	Shutdown On	Route
MalwareGuest	MalwareGuest	Proxmox	2025-11-19 23:24:23	2025-11-19 23:25:49	internet

Reports: JSON

Statistics (0.69)

Processing ( 0.45 seconds )

0.261 AnalysisInfo
0.149 BehaviorAnalysis
0.031 NetworkAnalysis
0.005 ProcessMemory
0.004 Debug
0.003 script_log_processing

Signatures ( 0.23 seconds )

0.025 ransomware_files
0.016 modify_oem_information
0.016 ransomware_extensions
0.014 territorial_disputes_sigs
0.013 infostealer_ftp
0.009 disables_power_options
0.007 modirat_behavior
0.006 antiav_detectreg
0.006 file_credential_store_write
0.006 disables_browser_warn
0.006 infostealer_bitcoin
0.006 infostealer_im
0.006 masquerade_process_name
0.006 persistence_rdp_shadowing
0.006 fonix_mutexes
0.006 ransomware_radamant
0.006 spreading_autoruninf
0.005 geodo_banking_trojan
0.005 browser_security
0.005 disables_backups
0.005 infostealer_mail
0.005 poullight_files
0.005 ursnif_behavior
0.004 clears_logs
0.004 dcrat_files
0.004 language_check_registry
0.003 antiav_detectfile
0.003 ketrican_regkeys
0.002 antianalysis_detectfile
0.002 antianalysis_detectreg
0.002 accesses_primary_patition
0.001 bot_drive
0.001 bot_drive2
0.001 antidebug_devices
0.001 antivm_vbox_files
0.001 antivm_vbox_keys
0.001 deepfreeze_mutex
0.001 echelon_files
0.001 qulab_files
0.001 revil_mutexes
0.001 recon_fingerprint
0.001 removes_startmenu_defaults

Reporting ( 0.01 seconds )

0.007 JsonDump

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)

Possible date expiration check, exits too soon after checking local time

process: vesktop.exe, PID 3228

Screenshots

No screenshots available.

Session Playback

No playback available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

\Device\CNG
C:\Windows\System32\ru-RU\mswsock.dll.mui
C:\Windows\System32\ru-RU\wshqos.dll.mui
\??\CONOUT$
\??\CONIN$
\Device\ConDrv\Connect
C:\Windows\System32\ntmarta.dll
C:\Temp\icudtl.dat
C:\Temp\debug.log

\??\CONOUT$
\??\CONIN$
\Device\ConDrv\Connect
C:\Temp\debug.log

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_LOCAL_MACHINE\Software\Microsoft\DirectWrite
HKEY_LOCAL_MACHINE\Software\Microsoft\LanguageOverlay\OverlayPackages\ru-RU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UBR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DisplayVersion

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UBR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DisplayVersion

No results

Sorry! No behavior.

Sorry! No strace.

Sorry! No tracee.

No hosts contacted.

No TCP connections recorded.

No UDP connections recorded.

No domains contacted.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.

Sorry! No dropped files.

Sorry! No process dumps.