| Category | Package | Started | Completed | Duration | Options | Logs |
|---|---|---|---|---|---|---|
| FILE | batch | 2026-06-30 16:08:07 | 2026-06-30 16:11:09 | 182s | vnc_port=5900 | |
```text
2026-06-30 06:08:43,613 [root] INFO: Date set to: 20260630T16:08:11, timeout set to: 150
2026-06-30 16:08:11,092 [root] DEBUG: Starting analyzer from: C:\kt1llwhb
2026-06-30 16:08:11,093 [root] DEBUG: Storing results at: C:\WZRlJQH
2026-06-30 16:08:11,093 [root] DEBUG: Pipe server name: \\.\PIPE\kPWOmVs
2026-06-30 16:08:11,093 [root] DEBUG: Python path: C:\Users\Rajesh\AppData\Local\Programs\Python\Python314
2026-06-30 16:08:11,094 [root] INFO: analysis running as an admin
2026-06-30 16:08:11,094 [root] DEBUG: no analysis package configured, picking one for you
2026-06-30 16:08:11,096 [root] INFO: analysis package selected: "batch"
2026-06-30 16:08:11,096 [root] DEBUG: importing analysis package module: "modules.packages.batch"...
2026-06-30 16:08:11,101 [root] DEBUG: imported analysis package "batch"
2026-06-30 16:08:11,101 [root] DEBUG: initializing analysis package "batch"...
2026-06-30 16:08:11,101 [lib.common.common] INFO: no wrapping
2026-06-30 16:08:11,101 [lib.core.compound] INFO: C:\Users\Rajesh\AppData\Local\Temp already exists, skipping creation
2026-06-30 16:08:11,102 [root] DEBUG: New location of moved file: C:\Users\Rajesh\AppData\Local\Temp\testt.bat
2026-06-30 16:08:11,102 [root] INFO: Analyzer: Package modules.packages.batch does not specify a dll option
2026-06-30 16:08:11,102 [root] INFO: Analyzer: Package modules.packages.batch does not specify a dll_64 option
2026-06-30 16:08:11,102 [root] INFO: Analyzer: Package modules.packages.batch does not specify a loader option
2026-06-30 16:08:11,102 [root] INFO: Analyzer: Package modules.packages.batch does not specify a loader_64 option
2026-06-30 16:08:11,167 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2026-06-30 16:08:13,694 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2026-06-30 16:08:13,720 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2026-06-30 16:08:13,798 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2026-06-30 16:08:13,851 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2026-06-30 16:08:13,851 [root] DEBUG: Initialized auxiliary module "Browser"
2026-06-30 16:08:13,852 [root] DEBUG: attempting to configure 'Browser' from data
2026-06-30 16:08:13,856 [root] DEBUG: module Browser does not support data configuration, ignoring
2026-06-30 16:08:13,856 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2026-06-30 16:08:13,877 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2026-06-30 16:08:13,878 [root] DEBUG: Initialized auxiliary module "DigiSig"
2026-06-30 16:08:13,879 [root] DEBUG: attempting to configure 'DigiSig' from data
2026-06-30 16:08:13,880 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2026-06-30 16:08:13,884 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2026-06-30 16:08:13,884 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2026-06-30 16:08:14,770 [modules.auxiliary.digisig] DEBUG: File has an invalid signature
2026-06-30 16:08:14,771 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2026-06-30 16:08:14,773 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2026-06-30 16:08:14,773 [root] DEBUG: Initialized auxiliary module "Disguise"
2026-06-30 16:08:14,773 [root] DEBUG: attempting to configure 'Disguise' from data
2026-06-30 16:08:14,774 [root] DEBUG: module Disguise does not support data configuration, ignoring
2026-06-30 16:08:14,775 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2026-06-30 16:08:14,792 [modules.auxiliary.disguise] INFO: Launched background process notepad.exe hidden (PID: 3996)
2026-06-30 16:08:14,846 [modules.auxiliary.disguise] INFO: Disguising GUID to 91b001e5-f4f5-45e0-b307-a99284dcc060
2026-06-30 16:08:14,847 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2026-06-30 16:08:14,847 [root] DEBUG: Initialized auxiliary module "Human"
2026-06-30 16:08:14,848 [root] DEBUG: attempting to configure 'Human' from data
2026-06-30 16:08:14,848 [root] DEBUG: module Human does not support data configuration, ignoring
2026-06-30 16:08:14,848 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2026-06-30 16:08:14,854 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2026-06-30 16:08:14,854 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2026-06-30 16:08:14,854 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2026-06-30 16:08:14,854 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2026-06-30 16:08:14,855 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2026-06-30 16:08:14,863 [modules.auxiliary.tlsdump] WARNING: Unable to find lsass.exe process
2026-06-30 16:08:14,864 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump
2026-06-30 16:08:21,948 [root] INFO: Restarting WMI Service
2026-06-30 16:08:24,084 [root] DEBUG: package modules.packages.batch does not support configure, ignoring
2026-06-30 16:08:24,086 [root] WARNING: configuration error for package modules.packages.batch: error importing data.packages.batch: No module named 'data.packages'
2026-06-30 16:08:24,088 [lib.core.compound] INFO: C:\Users\Rajesh\AppData\Local\Temp already exists, skipping creation
2026-06-30 16:08:24,089 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\system32\cmd.exe" with arguments "/c start /wait "" "C:\Users\Rajesh\AppData\Local\Temp\testt.bat"" with pid 4848
2026-06-30 16:08:24,417 [lib.api.process] INFO: Monitor config for process 4848: C:\kt1llwhb\dll\4848.ini
2026-06-30 16:08:24,436 [lib.api.process] INFO: 64-bit DLL to inject is C:\kt1llwhb\dll\jKpPoYC.dll, loader C:\kt1llwhb\bin\MHXYAwTk.exe
2026-06-30 16:08:24,468 [lib.api.process] INFO: Injected into 64-bit <Process 4848 cmd.exe>
2026-06-30 16:08:26,484 [lib.api.process] INFO: Successfully resumed process with pid 4848
2026-06-30 16:08:26,720 [root] DEBUG: 4848: Python path set to 'C:\Users\Rajesh\AppData\Local\Programs\Python\Python314'.
2026-06-30 16:08:26,722 [root] DEBUG: 4848: Disabling sleep skipping.
2026-06-30 16:08:26,723 [root] DEBUG: 4848: Dropped file limit defaulting to 100.
2026-06-30 16:08:26,753 [root] DEBUG: 4848: YaraInit: Compiled 44 rule files
2026-06-30 16:08:26,757 [root] DEBUG: 4848: YaraInit: Compiled rules saved to file C:\kt1llwhb\data\yara\capemon.yac
2026-06-30 16:08:26,825 [root] DEBUG: 4848: RtlInsertInvertedFunctionTable 0x00007FF82D5E090E, LdrpInvertedFunctionTableSRWLock 0x00007FF82D73B4F0
2026-06-30 16:08:26,826 [root] DEBUG: 4848: YaraScan: Scanning 0x00007FF7B3920000, size 0x6630a
2026-06-30 16:08:26,832 [root] DEBUG: 4848: YaraScan hit: FindFixAndRun
2026-06-30 16:08:26,833 [root] DEBUG: 4848: Monitor initialised: 64-bit capemon loaded in process 4848 at 0x00007FF801740000, thread 4684, image base 0x00007FF7B3920000, stack from 0x0000007E16424000-0x0000007E16520000
2026-06-30 16:08:26,835 [root] DEBUG: 4848: Commandline: "C:\Windows\system32\cmd.exe" /c start /wait "" "C:\Users\Rajesh\AppData\Local\Temp\testt.bat"
2026-06-30 16:08:26,853 [root] DEBUG: 4848: hook_api: LdrpCallInitRoutine export address 0x00007FF82D5E99BC obtained via GetFunctionAddress
2026-06-30 16:08:26,911 [root] WARNING: b'Unable to create trampoline for LockResource, hook type 2'
2026-06-30 16:08:26,912 [root] DEBUG: 4848: set_hooks: Unable to hook LockResource
2026-06-30 16:08:26,933 [root] DEBUG: 4848: Hooked 630 out of 631 functions
2026-06-30 16:08:26,941 [root] DEBUG: 4848: set_hooks_exe: Hooked FindFixAndRun at 0x00007FF7B392C620
2026-06-30 16:08:26,943 [root] DEBUG: 4848: Syscall hook installed, syscall logging level 1
2026-06-30 16:08:26,965 [root] DEBUG: 4848: RestoreHeaders: Restored original import table.
2026-06-30 16:08:26,967 [root] INFO: Loaded monitor into process with pid 4848
2026-06-30 16:08:26,969 [root] DEBUG: 4848: caller_dispatch: Added region at 0x00007FF7B3920000 to tracked regions list (kernel32::SetUnhandledExceptionFilter returns to 0x00007FF7B39393C1, thread 4684).
2026-06-30 16:08:26,970 [root] DEBUG: 4848: YaraScan: Scanning 0x00007FF7B3920000, size 0x6630a
2026-06-30 16:08:26,977 [root] DEBUG: 4848: ProcessImageBase: Main module image at 0x00007FF7B3920000 unmodified (entropy change 0.000000e+00)
2026-06-30 16:08:27,002 [root] DEBUG: 4848: DLL loaded at 0x00007FF82A670000: C:\Windows\system32\Wldp (0x2c000 bytes).
2026-06-30 16:08:27,003 [root] DEBUG: 4848: DLL loaded at 0x00007FF828E10000: C:\Windows\SYSTEM32\windows.storage (0x790000 bytes).
2026-06-30 16:08:27,008 [root] DEBUG: 4848: DLL loaded at 0x00007FF82C9E0000: C:\Windows\System32\SHCORE (0xad000 bytes).
2026-06-30 16:08:27,011 [root] DEBUG: 4848: CreateProcessHandler: Injection info set for new process 3980: C:\Windows\system32\cmd.exe, ImageBase: 0x00007FF7B3920000
2026-06-30 16:08:27,013 [root] INFO: Announced 64-bit process name: cmd.exe pid: 3980
2026-06-30 16:08:27,014 [lib.api.process] INFO: Monitor config for process 3980: C:\kt1llwhb\dll\3980.ini
2026-06-30 16:08:27,017 [lib.api.process] INFO: 64-bit DLL to inject is C:\kt1llwhb\dll\jKpPoYC.dll, loader C:\kt1llwhb\bin\MHXYAwTk.exe
2026-06-30 16:08:27,037 [root] DEBUG: Loader: Injecting process 3980 (thread 2400) with C:\kt1llwhb\dll\jKpPoYC.dll.
2026-06-30 16:08:27,039 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-06-30 16:08:27,040 [root] DEBUG: Successfully injected DLL C:\kt1llwhb\dll\jKpPoYC.dll.
2026-06-30 16:08:27,043 [lib.api.process] INFO: Injected into 64-bit <Process 3980 cmd.exe>
2026-06-30 16:08:27,046 [root] INFO: Announced 64-bit process name: cmd.exe pid: 3980
2026-06-30 16:08:27,047 [lib.api.process] INFO: Monitor config for process 3980: C:\kt1llwhb\dll\3980.ini
2026-06-30 16:08:27,049 [lib.api.process] INFO: 64-bit DLL to inject is C:\kt1llwhb\dll\jKpPoYC.dll, loader C:\kt1llwhb\bin\MHXYAwTk.exe
2026-06-30 16:08:27,061 [root] DEBUG: Loader: Injecting process 3980 (thread 2400) with C:\kt1llwhb\dll\jKpPoYC.dll.
2026-06-30 16:08:27,063 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-06-30 16:08:27,064 [root] DEBUG: Successfully injected DLL C:\kt1llwhb\dll\jKpPoYC.dll.
2026-06-30 16:08:27,066 [lib.api.process] INFO: Injected into 64-bit <Process 3980 cmd.exe>
2026-06-30 16:08:27,264 [root] DEBUG: 3980: Python path set to 'C:\Users\Rajesh\AppData\Local\Programs\Python\Python314'.
2026-06-30 16:08:27,266 [root] DEBUG: 3980: Dropped file limit defaulting to 100.
2026-06-30 16:08:27,274 [root] DEBUG: 3980: Disabling sleep skipping.
2026-06-30 16:08:27,290 [root] DEBUG: 3980: YaraInit: Compiled rules loaded from existing file C:\kt1llwhb\data\yara\capemon.yac
2026-06-30 16:08:27,376 [root] DEBUG: 3980: RtlInsertInvertedFunctionTable 0x00007FF82D5E090E, LdrpInvertedFunctionTableSRWLock 0x00007FF82D73B4F0
2026-06-30 16:08:27,383 [root] DEBUG: 3980: YaraScan: Scanning 0x00007FF7B3920000, size 0x6630a
2026-06-30 16:08:27,396 [root] DEBUG: 3980: YaraScan hit: FindFixAndRun
2026-06-30 16:08:27,398 [root] DEBUG: 3980: Monitor initialised: 64-bit capemon loaded in process 3980 at 0x00007FF801740000, thread 2400, image base 0x00007FF7B3920000, stack from 0x000000EBF3F04000-0x000000EBF4000000
2026-06-30 16:08:27,400 [root] DEBUG: 3980: Commandline: C:\Windows\system32\cmd.exe /K "C:\Users\Rajesh\AppData\Local\Temp\testt.bat"
2026-06-30 16:08:27,422 [root] DEBUG: 3980: hook_api: LdrpCallInitRoutine export address 0x00007FF82D5E99BC obtained via GetFunctionAddress
2026-06-30 16:08:27,529 [root] WARNING: b'Unable to create trampoline for LockResource, hook type 2'
2026-06-30 16:08:27,531 [root] DEBUG: 3980: set_hooks: Unable to hook LockResource
2026-06-30 16:08:27,551 [root] DEBUG: 3980: Hooked 630 out of 631 functions
2026-06-30 16:08:27,569 [root] DEBUG: 3980: set_hooks_exe: Hooked FindFixAndRun at 0x00007FF7B392C620
2026-06-30 16:08:27,577 [root] DEBUG: 3980: Syscall hook installed, syscall logging level 1
2026-06-30 16:08:27,628 [root] DEBUG: 3980: RestoreHeaders: Restored original import table.
2026-06-30 16:08:27,679 [root] INFO: Loaded monitor into process with pid 3980
2026-06-30 16:08:27,688 [root] DEBUG: 3980: caller_dispatch: Added region at 0x00007FF7B3920000 to tracked regions list (kernel32::SetUnhandledExceptionFilter returns to 0x00007FF7B39393C1, thread 2400).
2026-06-30 16:08:27,690 [root] DEBUG: 3980: YaraScan: Scanning 0x00007FF7B3920000, size 0x6630a
2026-06-30 16:08:27,701 [root] DEBUG: 3980: ProcessImageBase: Main module image at 0x00007FF7B3920000 unmodified (entropy change 0.000000e+00)
2026-06-30 16:08:27,797 [root] DEBUG: 3980: DLL loaded at 0x00007FF8247A0000: C:\Windows\SYSTEM32\cmdext (0xc000 bytes).
2026-06-30 16:08:46,865 [modules.auxiliary.human] INFO: Found button "yes", clicking it
2026-06-30 16:10:57,214 [root] INFO: Analysis timeout hit, terminating analysis
2026-06-30 16:10:57,218 [lib.api.process] INFO: Terminate event set for process 4848
2026-06-30 16:10:57,218 [root] DEBUG: 4848: Terminate Event: Attempting to dump process 4848
2026-06-30 16:10:57,220 [root] DEBUG: 4848: VerifyCodeSection: Executable code does not match, 0xb620 of 0x30ef9 matching
2026-06-30 16:10:57,222 [root] DEBUG: 4848: DoProcessDump: Code modification detected, dumping Imagebase at 0x00007FF7B3920000.
2026-06-30 16:10:57,223 [root] DEBUG: 4848: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2026-06-30 16:10:57,225 [root] DEBUG: 4848: DumpProcess: Instantiating PeParser with address: 0x00007FF7B3920000.
2026-06-30 16:10:57,227 [root] DEBUG: 4848: DumpProcess: Module entry point VA is 0x00007FF7B3938F50.
2026-06-30 16:10:57,247 [lib.common.results] INFO: Uploading file C:\WZRlJQH\CAPE\4848_951257102330262026 to procdump\b4cad5fc664ab3ebff4fecf6ae13cdbc51478983e798d10764aaa3cdc187db68; Size is 401920; Max size: 100000000
2026-06-30 16:10:57,277 [root] DEBUG: 4848: DumpProcess: Module image dump success - dump size 0x62200.
2026-06-30 16:10:57,298 [root] DEBUG: 4848: Terminate Event: Shutdown complete for process 4848 but failed to inform analyzer.
2026-06-30 16:11:02,217 [lib.api.process] INFO: Termination confirmed for process 4848
2026-06-30 16:11:02,251 [root] INFO: Terminate event set for process 4848
2026-06-30 16:11:02,252 [lib.api.process] INFO: Terminate event set for process 3980
2026-06-30 16:11:02,254 [root] DEBUG: 3980: Terminate Event: Attempting to dump process 3980
2026-06-30 16:11:02,256 [root] DEBUG: 3980: VerifyCodeSection: Executable code does not match, 0xb620 of 0x30ef9 matching
2026-06-30 16:11:02,257 [root] DEBUG: 3980: DoProcessDump: Code modification detected, dumping Imagebase at 0x00007FF7B3920000.
2026-06-30 16:11:02,258 [root] DEBUG: 3980: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2026-06-30 16:11:02,259 [root] DEBUG: 3980: DumpProcess: Instantiating PeParser with address: 0x00007FF7B3920000.
2026-06-30 16:11:02,260 [root] DEBUG: 3980: DumpProcess: Module entry point VA is 0x00007FF7B3938F50.
2026-06-30 16:11:02,269 [lib.common.results] INFO: Uploading file C:\WZRlJQH\CAPE\3980_108242112330262026 to procdump\5f86c1e74b35fd5cd63441de6980bfb538cabf7896e3332c4e32ec20c2ff8012; Size is 403456; Max size: 100000000
2026-06-30 16:11:02,283 [root] DEBUG: 3980: DumpProcess: Module image dump success - dump size 0x62800.
2026-06-30 16:11:02,292 [lib.api.process] INFO: Termination confirmed for process 3980
2026-06-30 16:11:02,295 [root] INFO: Terminate event set for process 3980
2026-06-30 16:11:02,294 [root] DEBUG: 3980: Terminate Event: monitor shutdown complete for process 3980
2026-06-30 16:11:02,296 [root] INFO: Created shutdown mutex
2026-06-30 16:11:03,311 [root] INFO: Shutting down package
2026-06-30 16:11:03,311 [root] INFO: Stopping auxiliary modules
2026-06-30 16:11:03,312 [root] INFO: Stopping auxiliary module: Browser
2026-06-30 16:11:03,312 [root] INFO: Stopping auxiliary module: Human
2026-06-30 16:11:03,483 [root] INFO: Finishing auxiliary modules
2026-06-30 16:11:03,484 [root] INFO: Shutting down pipe server and dumping dropped files
2026-06-30 16:11:03,484 [root] WARNING: Folder at path "C:\WZRlJQH\debugger" does not exist, skipping
2026-06-30 16:11:03,484 [root] WARNING: Folder at path "C:\WZRlJQH\tlsdump" does not exist, skipping
2026-06-30 16:11:03,485 [root] INFO: Analysis completed
```
| Name | Label | Manager | Started On | Shutdown On | Route |
|---|---|---|---|---|---|
| win10 | win10 | KVM | 2026-06-30 16:08:07 | 2026-06-30 16:11:09 | internet |
| File Name | testt.bat |
|---|---|
| File Type | ASCII text, with very long lines (385), with no line terminators |
| File Size | 385 bytes |
| MD5 | 5b32148f39985f45fae5ab1bdb3161ab |
| SHA1 | e934641b42c516d4d19a4b756aa2dcd384565f88 |
| SHA256 | c8512e34d2b101dca2c0e8b366ed8fd4704448552f2ff160b3e8d7a2c307e78f |
| SHA3-384 | 640a78b8e79286127f025adad1f7937598687bd45d2beecbd14eb8adb1940ea1f42d9d5a6503241d116040c71b68f300 |
| CRC32 | 9A20CA57 |
| TLSH | T1AAE068EB5ADA18ED3BC64C72A024780A1D92056A15DD89B9B028A9A82386C52560C192 |
| Ssdeep | 6:NIFnvX1aBw+U9FU0GLIy8NVsIxTAa2MtLLQmrSxJaoTUcDldV0vilrGNH:apvXL+V0VscTZrR0mrSbtTtD7KqlruH |
chrome.exe --disable-features=RendererCodeIntegrity "https://accounts.google.com/lifecycle/steps/signup/name?continue=https://www.google.com/&dsh=S1728256510:1782835636577168&flowEntry=SignUp&flowName=GlifWebSignIn&gae=cb-none&hl=en&ifkv=AcDsRvw1CVsatnVW1CzmzWxQ1V9pF_Jx6qr7YX2pv5dF3ZGMdZRyE_qxOcHoXhFXQ1a1udHRcipYUQ&TL=ADCchmYjO8KuFmMZ51Nd2dCy-QPkK3MUbwYbQkB1CTnKBntpStl5cylS4R6mzDzE"
No results found.
No behavioral analysis data available.
No dropped files found.