Recommended action: Verify the download source, file hash, and digital signature. If it came from the official vendor and reputation checks are clean, it is likely acceptable.
Why this verdict: The file showed packaging, extraction, or advanced low-level behavior, but no network activity, persistence, or direct malicious actions were observed during this run.
Important: This report should not say a file is absolutely safe. A better phrase is: no obvious malicious behavior was observed in this sandbox run.
VirusTotal: Unavailable/error from CAPE: Unable to complete connection to VirusTotal. Status code: 429
Manual lookup: Open SHA256 in VirusTotal
This report only uses VirusTotal detection counts if they are present in the CAPE JSON. A link alone is not the same as a local detection result.

| File name | LockHunter.exe |
|---|---|
| File type | PE32+ executable (GUI) x86-64, for MS Windows |
| Size | 5924400 |
| MD5 | 8dd8d1d60b404fa8595c99bfd3567cd0 |
| SHA1 | 2506ca59920ec2c00774a24d74afa66bdb8a0126 |
| SHA256 | 3e9254aad2825d496cb6929070941788b39dc8ca5f3a8154ba4ec99be9c9b351 |
| VirusTotal lookup | Open SHA256 in VirusTotal |

| Task ID | 10 |
|---|---|
| Started | 2026-06-15 18:36:14 |
| Ended | 2026-06-15 18:39:05 |
| Duration | 171 seconds |
| Package | exe |
| Route | none |
| Machine | cuckoo1 |
| CAPE score | 2.9000000000000004 |
| CAPE status | Clean |
| Digital signature | Guest signer check failed: File not found: C:\Users\IT\AppData\Local\Temp\10\LockHunter.exe |

| Severity | Confidence | Signature | Meaning |
|---|---|---|---|
| 3 | 100% | suspicious_ntdll_disk_load | Loads clean ntdll.dll from disk, possibly for syscall/anti-EDR |
| 3 | 100% | pe_deep_entrypoint | The PE entry point is located unusually far into section, indicative of an appended packer stub that jumps to the original entry point (OEP) |
| 2 | 80% | privilege_elevation_check | Queries process token information to check for Administrator privileges or UAC elevation status |
| 2 | 20% | mountpoints_volume_discovery | Queries the mount points and then resolves volume paths to enumerate storage devices |
| 2 | 100% | antianalysis_tls_section | Contains .tls (Thread Local Storage) section |
| 2 | 100% | packer_unknown_pe_section_name | The binary contains an unknown PE section name indicative of packing |
| 2 | 100% | contains_pe_overlay | The PE file contains an overlay |
| 2 | 20% | discover_registry_mount_points | Queries registry mount points to identify historical or connected removable/network drives |
| 2 | 50% | injection_rwx | Creates RWX memory |
| 1 | 100% | queries_keyboard_layout | Queries the keyboard layout |
| 1 | 40% | stealth_timeout | Possible date expiration check, exits too soon after checking local time |
| 1 | 100% | language_check_registry | Checks system language via registry key (possible geofencing) |

| Observed item | Count |
|---|---|
| Executed commands / child processes | 1 |
| File writes | 1 |
| File deletes | 0 |
| Registry writes | 0 |
| Created services | 0 |
| Started services | 0 |
| CAPE payload-like items | 2 |
| CAPE extracted configs | 0 |
| Dropped/related files captured | 1 |

CAPE extracted 2 payload-like item(s). Review if unexpected.

```
/opt/CAPEv2/storage/analyses/10/CAPE/3d6de078f162c03218d7a6d48e5c24eb27e9f512eddca0388aa3685952011d3e
```

```
/opt/CAPEv2/storage/analyses/10/CAPE/76f2f368e063939d0e37846c6782133df6f6396253e085aba4415f02c10a8bfb
```

No network activity recorded in this report.
Generated 2026-06-15T19:03:17 from /opt/CAPEv2/storage/analyses/10/reports/report.json