Analysis Details
| Category | Package | Started | Completed | Duration | Options | Logs | ||||
|---|---|---|---|---|---|---|---|---|---|---|
| FILE | batch | 2026-06-30 16:11:10 | 2026-06-30 16:14:14 | 184s |
|
|||||
| Reports | JSON | |||||||||
Options
vnc_port=5900
Analysis Log
2026-06-30 06:08:42,598 [root] INFO: Date set to: 20260630T16:11:14, timeout set to: 150 2026-06-30 16:11:14,082 [root] DEBUG: Starting analyzer from: C:\1quxgwlh 2026-06-30 16:11:14,084 [root] DEBUG: Storing results at: C:\ybKuGCDHA 2026-06-30 16:11:14,085 [root] DEBUG: Pipe server name: \\.\PIPE\mymFpBV 2026-06-30 16:11:14,085 [root] DEBUG: Python path: C:\Users\Rajesh\AppData\Local\Programs\Python\Python314 2026-06-30 16:11:14,086 [root] INFO: analysis running as an admin 2026-06-30 16:11:14,086 [root] DEBUG: no analysis package configured, picking one for you 2026-06-30 16:11:14,087 [root] INFO: analysis package selected: "batch" 2026-06-30 16:11:14,087 [root] DEBUG: importing analysis package module: "modules.packages.batch"... 2026-06-30 16:11:14,095 [root] DEBUG: imported analysis package "batch" 2026-06-30 16:11:14,095 [root] DEBUG: initializing analysis package "batch"... 2026-06-30 16:11:14,096 [lib.common.common] INFO: no wrapping 2026-06-30 16:11:14,096 [lib.core.compound] INFO: C:\Users\Rajesh\AppData\Local\Temp already exists, skipping creation 2026-06-30 16:11:14,097 [root] DEBUG: New location of moved file: C:\Users\Rajesh\AppData\Local\Temp\testt.bat 2026-06-30 16:11:14,097 [root] INFO: Analyzer: Package modules.packages.batch does not specify a dll option 2026-06-30 16:11:14,097 [root] INFO: Analyzer: Package modules.packages.batch does not specify a dll_64 option 2026-06-30 16:11:14,097 [root] INFO: Analyzer: Package modules.packages.batch does not specify a loader option 2026-06-30 16:11:14,097 [root] INFO: Analyzer: Package modules.packages.batch does not specify a loader_64 option 2026-06-30 16:11:14,203 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser" 2026-06-30 16:11:14,222 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig" 2026-06-30 16:11:14,603 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise" 2026-06-30 16:11:15,908 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human" 2026-06-30 16:11:15,912 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump" 2026-06-30 16:11:15,913 [root] DEBUG: Initialized auxiliary module "Browser" 2026-06-30 16:11:15,914 [root] DEBUG: attempting to configure 'Browser' from data 2026-06-30 16:11:15,916 [root] DEBUG: module Browser does not support data configuration, ignoring 2026-06-30 16:11:15,916 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"... 2026-06-30 16:11:15,968 [root] DEBUG: Started auxiliary module modules.auxiliary.browser 2026-06-30 16:11:15,968 [root] DEBUG: Initialized auxiliary module "DigiSig" 2026-06-30 16:11:15,969 [root] DEBUG: attempting to configure 'DigiSig' from data 2026-06-30 16:11:15,970 [root] DEBUG: module DigiSig does not support data configuration, ignoring 2026-06-30 16:11:15,970 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"... 2026-06-30 16:11:15,970 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature 2026-06-30 16:11:16,504 [modules.auxiliary.digisig] DEBUG: File has an invalid signature 2026-06-30 16:11:16,505 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json 2026-06-30 16:11:16,506 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig 2026-06-30 16:11:16,506 [root] DEBUG: Initialized auxiliary module "Disguise" 2026-06-30 16:11:16,506 [root] DEBUG: attempting to configure 'Disguise' from data 2026-06-30 16:11:16,507 [root] DEBUG: module Disguise does not support data configuration, ignoring 2026-06-30 16:11:16,507 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"... 2026-06-30 16:11:16,512 [modules.auxiliary.disguise] INFO: Launched background process notepad.exe hidden (PID: 2728) 2026-06-30 16:11:16,518 [modules.auxiliary.disguise] INFO: Disguising GUID to 3e02f164-72bf-4b30-b527-684cb02b52d5 2026-06-30 16:11:16,519 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise 2026-06-30 16:11:16,519 [root] DEBUG: Initialized auxiliary module "Human" 2026-06-30 16:11:16,519 [root] DEBUG: attempting to configure 'Human' from data 2026-06-30 16:11:16,520 [root] DEBUG: module Human does not support data configuration, ignoring 2026-06-30 16:11:16,520 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"... 2026-06-30 16:11:16,530 [root] DEBUG: Started auxiliary module modules.auxiliary.human 2026-06-30 16:11:16,531 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets" 2026-06-30 16:11:16,531 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data 2026-06-30 16:11:16,533 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring 2026-06-30 16:11:16,539 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"... 2026-06-30 16:11:16,624 [modules.auxiliary.tlsdump] WARNING: Unable to find lsass.exe process 2026-06-30 16:11:16,625 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump 2026-06-30 16:11:23,526 [root] INFO: Restarting WMI Service 2026-06-30 16:11:25,697 [root] DEBUG: package modules.packages.batch does not support configure, ignoring 2026-06-30 16:11:25,702 [root] WARNING: configuration error for package modules.packages.batch: error importing data.packages.batch: No module named 'data.packages' 2026-06-30 16:11:25,704 [lib.core.compound] INFO: C:\Users\Rajesh\AppData\Local\Temp already exists, skipping creation 2026-06-30 16:11:25,710 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\system32\cmd.exe" with arguments "/c start /wait "" "C:\Users\Rajesh\AppData\Local\Temp\testt.bat"" with pid 540 2026-06-30 16:11:26,057 [lib.api.process] INFO: Monitor config for process 540: C:\1quxgwlh\dll\540.ini 2026-06-30 16:11:26,117 [lib.api.process] INFO: 64-bit DLL to inject is C:\1quxgwlh\dll\DcRWkaHN.dll, loader C:\1quxgwlh\bin\mKZTghWt.exe 2026-06-30 16:11:26,144 [root] DEBUG: Loader: Injecting process 540 (thread 1432) with C:\1quxgwlh\dll\DcRWkaHN.dll. 2026-06-30 16:11:26,146 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT. 2026-06-30 16:11:26,147 [root] DEBUG: Successfully injected DLL C:\1quxgwlh\dll\DcRWkaHN.dll. 2026-06-30 16:11:26,151 [lib.api.process] INFO: Injected into 64-bit <Process 540 cmd.exe> 2026-06-30 16:11:28,159 [lib.api.process] INFO: Successfully resumed process with pid 540 2026-06-30 16:11:28,372 [root] DEBUG: 540: Python path set to 'C:\Users\Rajesh\AppData\Local\Programs\Python\Python314'. 2026-06-30 16:11:28,376 [root] DEBUG: 540: Disabling sleep skipping. 2026-06-30 16:11:28,378 [root] DEBUG: 540: Dropped file limit defaulting to 100. 2026-06-30 16:11:28,403 [root] DEBUG: 540: YaraInit: Compiled 44 rule files 2026-06-30 16:11:28,407 [root] DEBUG: 540: YaraInit: Compiled rules saved to file C:\1quxgwlh\data\yara\capemon.yac 2026-06-30 16:11:28,496 [root] DEBUG: 540: RtlInsertInvertedFunctionTable 0x00007FF82D5E090E, LdrpInvertedFunctionTableSRWLock 0x00007FF82D73B4F0 2026-06-30 16:11:28,498 [root] DEBUG: 540: YaraScan: Scanning 0x00007FF60E030000, size 0x6630a 2026-06-30 16:11:28,505 [root] DEBUG: 540: YaraScan hit: FindFixAndRun 2026-06-30 16:11:28,506 [root] DEBUG: 540: Monitor initialised: 64-bit capemon loaded in process 540 at 0x00007FF801740000, thread 1432, image base 0x00007FF60E030000, stack from 0x000000EDAD4D4000-0x000000EDAD5D0000 2026-06-30 16:11:28,507 [root] DEBUG: 540: Commandline: "C:\Windows\system32\cmd.exe" /c start /wait "" "C:\Users\Rajesh\AppData\Local\Temp\testt.bat" 2026-06-30 16:11:28,525 [root] DEBUG: 540: hook_api: LdrpCallInitRoutine export address 0x00007FF82D5E99BC obtained via GetFunctionAddress 2026-06-30 16:11:28,585 [root] WARNING: b'Unable to create trampoline for LockResource, hook type 2' 2026-06-30 16:11:28,586 [root] DEBUG: 540: set_hooks: Unable to hook LockResource 2026-06-30 16:11:28,606 [root] DEBUG: 540: Hooked 630 out of 631 functions 2026-06-30 16:11:28,614 [root] DEBUG: 540: set_hooks_exe: Hooked FindFixAndRun at 0x00007FF60E03C620 2026-06-30 16:11:28,617 [root] DEBUG: 540: Syscall hook installed, syscall logging level 1 2026-06-30 16:11:28,639 [root] DEBUG: 540: RestoreHeaders: Restored original import table. 2026-06-30 16:11:28,640 [root] INFO: Loaded monitor into process with pid 540 2026-06-30 16:11:28,645 [root] DEBUG: 540: caller_dispatch: Added region at 0x00007FF60E030000 to tracked regions list (kernel32::SetUnhandledExceptionFilter returns to 0x00007FF60E0493C1, thread 1432). 2026-06-30 16:11:28,647 [root] DEBUG: 540: YaraScan: Scanning 0x00007FF60E030000, size 0x6630a 2026-06-30 16:11:28,656 [root] DEBUG: 540: ProcessImageBase: Main module image at 0x00007FF60E030000 unmodified (entropy change 0.000000e+00) 2026-06-30 16:11:28,682 [root] DEBUG: 540: DLL loaded at 0x00007FF82A670000: C:\Windows\system32\Wldp (0x2c000 bytes). 2026-06-30 16:11:28,684 [root] DEBUG: 540: DLL loaded at 0x00007FF828E10000: C:\Windows\SYSTEM32\windows.storage (0x790000 bytes). 2026-06-30 16:11:28,689 [root] DEBUG: 540: DLL loaded at 0x00007FF82C9E0000: C:\Windows\System32\SHCORE (0xad000 bytes). 2026-06-30 16:11:28,693 [root] DEBUG: 540: CreateProcessHandler: Injection info set for new process 3712: C:\Windows\system32\cmd.exe, ImageBase: 0x00007FF60E030000 2026-06-30 16:11:28,695 [root] INFO: Announced 64-bit process name: cmd.exe pid: 3712 2026-06-30 16:11:28,696 [lib.api.process] INFO: Monitor config for process 3712: C:\1quxgwlh\dll\3712.ini 2026-06-30 16:11:28,706 [lib.api.process] INFO: 64-bit DLL to inject is C:\1quxgwlh\dll\DcRWkaHN.dll, loader C:\1quxgwlh\bin\mKZTghWt.exe 2026-06-30 16:11:28,720 [root] DEBUG: Loader: Injecting process 3712 (thread 4076) with C:\1quxgwlh\dll\DcRWkaHN.dll. 2026-06-30 16:11:28,721 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT. 2026-06-30 16:11:28,722 [root] DEBUG: Successfully injected DLL C:\1quxgwlh\dll\DcRWkaHN.dll. 2026-06-30 16:11:28,725 [lib.api.process] INFO: Injected into 64-bit <Process 3712 cmd.exe> 2026-06-30 16:11:28,728 [root] INFO: Announced 64-bit process name: cmd.exe pid: 3712 2026-06-30 16:11:28,728 [lib.api.process] INFO: Monitor config for process 3712: C:\1quxgwlh\dll\3712.ini 2026-06-30 16:11:28,730 [lib.api.process] INFO: 64-bit DLL to inject is C:\1quxgwlh\dll\DcRWkaHN.dll, loader C:\1quxgwlh\bin\mKZTghWt.exe 2026-06-30 16:11:28,742 [root] DEBUG: Loader: Injecting process 3712 (thread 4076) with C:\1quxgwlh\dll\DcRWkaHN.dll. 2026-06-30 16:11:28,744 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT. 2026-06-30 16:11:28,745 [root] DEBUG: Successfully injected DLL C:\1quxgwlh\dll\DcRWkaHN.dll. 2026-06-30 16:11:28,748 [lib.api.process] INFO: Injected into 64-bit <Process 3712 cmd.exe> 2026-06-30 16:11:28,938 [root] DEBUG: 3712: Python path set to 'C:\Users\Rajesh\AppData\Local\Programs\Python\Python314'. 2026-06-30 16:11:28,940 [root] DEBUG: 3712: Dropped file limit defaulting to 100. 2026-06-30 16:11:28,945 [root] DEBUG: 3712: Disabling sleep skipping. 2026-06-30 16:11:28,956 [root] DEBUG: 3712: YaraInit: Compiled rules loaded from existing file C:\1quxgwlh\data\yara\capemon.yac 2026-06-30 16:11:28,977 [root] DEBUG: 3712: RtlInsertInvertedFunctionTable 0x00007FF82D5E090E, LdrpInvertedFunctionTableSRWLock 0x00007FF82D73B4F0 2026-06-30 16:11:28,979 [root] DEBUG: 3712: YaraScan: Scanning 0x00007FF60E030000, size 0x6630a 2026-06-30 16:11:28,990 [root] DEBUG: 3712: YaraScan hit: FindFixAndRun 2026-06-30 16:11:28,991 [root] DEBUG: 3712: Monitor initialised: 64-bit capemon loaded in process 3712 at 0x00007FF801740000, thread 4076, image base 0x00007FF60E030000, stack from 0x0000007587D04000-0x0000007587E00000 2026-06-30 16:11:28,993 [root] DEBUG: 3712: Commandline: C:\Windows\system32\cmd.exe /K "C:\Users\Rajesh\AppData\Local\Temp\testt.bat" 2026-06-30 16:11:29,051 [root] DEBUG: 3712: hook_api: LdrpCallInitRoutine export address 0x00007FF82D5E99BC obtained via GetFunctionAddress 2026-06-30 16:11:29,118 [root] WARNING: b'Unable to create trampoline for LockResource, hook type 2' 2026-06-30 16:11:29,119 [root] DEBUG: 3712: set_hooks: Unable to hook LockResource 2026-06-30 16:11:29,136 [root] DEBUG: 3712: Hooked 630 out of 631 functions 2026-06-30 16:11:29,153 [root] DEBUG: 3712: set_hooks_exe: Hooked FindFixAndRun at 0x00007FF60E03C620 2026-06-30 16:11:29,156 [root] DEBUG: 3712: Syscall hook installed, syscall logging level 1 2026-06-30 16:11:29,172 [root] DEBUG: 3712: RestoreHeaders: Restored original import table. 2026-06-30 16:11:29,174 [root] INFO: Loaded monitor into process with pid 3712 2026-06-30 16:11:29,178 [root] DEBUG: 3712: caller_dispatch: Added region at 0x00007FF60E030000 to tracked regions list (kernel32::SetUnhandledExceptionFilter returns to 0x00007FF60E0493C1, thread 4076). 2026-06-30 16:11:29,179 [root] DEBUG: 3712: YaraScan: Scanning 0x00007FF60E030000, size 0x6630a 2026-06-30 16:11:29,199 [root] DEBUG: 3712: ProcessImageBase: Main module image at 0x00007FF60E030000 unmodified (entropy change 0.000000e+00) 2026-06-30 16:11:29,262 [root] DEBUG: 3712: DLL loaded at 0x00007FF8247A0000: C:\Windows\SYSTEM32\cmdext (0xc000 bytes). 2026-06-30 16:13:58,693 [root] INFO: Analysis timeout hit, terminating analysis 2026-06-30 16:13:58,696 [lib.api.process] INFO: Terminate event set for process 540 2026-06-30 16:13:58,699 [root] DEBUG: 540: Terminate Event: Attempting to dump process 540 2026-06-30 16:13:58,704 [root] DEBUG: 540: VerifyCodeSection: Executable code does not match, 0xb620 of 0x30ef9 matching 2026-06-30 16:13:58,705 [root] DEBUG: 540: DoProcessDump: Code modification detected, dumping Imagebase at 0x00007FF60E030000. 2026-06-30 16:13:58,706 [root] DEBUG: 540: DumpImageInCurrentProcess: Attempting to dump virtual PE image. 2026-06-30 16:13:58,707 [root] DEBUG: 540: DumpProcess: Instantiating PeParser with address: 0x00007FF60E030000. 2026-06-30 16:13:58,709 [root] DEBUG: 540: DumpProcess: Module entry point VA is 0x00007FF60E048F50. 2026-06-30 16:13:58,738 [lib.common.results] INFO: Uploading file C:\ybKuGCDHA\CAPE\540_2902858132330262026 to procdump\31aefc078054212033b91771ef3f0278cf9dfc7b96bb677b3cd64ff4940aaaf3; Size is 401920; Max size: 100000000 2026-06-30 16:13:58,774 [root] DEBUG: 540: DumpProcess: Module image dump success - dump size 0x62200. 2026-06-30 16:13:58,789 [root] DEBUG: 540: Terminate Event: Shutdown complete for process 540 but failed to inform analyzer. 2026-06-30 16:14:03,705 [lib.api.process] INFO: Termination confirmed for process 540 2026-06-30 16:14:03,706 [root] INFO: Terminate event set for process 540 2026-06-30 16:14:03,706 [lib.api.process] INFO: Terminate event set for process 3712 2026-06-30 16:14:03,709 [root] DEBUG: 3712: Terminate Event: Attempting to dump process 3712 2026-06-30 16:14:03,711 [root] DEBUG: 3712: VerifyCodeSection: Executable code does not match, 0xb620 of 0x30ef9 matching 2026-06-30 16:14:03,712 [root] DEBUG: 3712: DoProcessDump: Code modification detected, dumping Imagebase at 0x00007FF60E030000. 2026-06-30 16:14:03,714 [root] DEBUG: 3712: DumpImageInCurrentProcess: Attempting to dump virtual PE image. 2026-06-30 16:14:03,715 [root] DEBUG: 3712: DumpProcess: Instantiating PeParser with address: 0x00007FF60E030000. 2026-06-30 16:14:03,716 [root] DEBUG: 3712: DumpProcess: Module entry point VA is 0x00007FF60E048F50. 2026-06-30 16:14:03,727 [lib.common.results] INFO: Uploading file C:\ybKuGCDHA\CAPE\3712_295613142330262026 to procdump\c1f45c0a3f5ca544584ee7c67ac1c6836867e503969d246fee58443e574a9acc; Size is 403456; Max size: 100000000 2026-06-30 16:14:03,759 [root] DEBUG: 3712: DumpProcess: Module image dump success - dump size 0x62800. 2026-06-30 16:14:03,772 [lib.api.process] INFO: Termination confirmed for process 3712 2026-06-30 16:14:03,773 [root] INFO: Terminate event set for process 3712 2026-06-30 16:14:03,773 [root] INFO: Created shutdown mutex 2026-06-30 16:14:03,773 [root] DEBUG: 3712: Terminate Event: monitor shutdown complete for process 3712 2026-06-30 16:14:04,782 [root] INFO: Shutting down package 2026-06-30 16:14:04,784 [root] INFO: Stopping auxiliary modules 2026-06-30 16:14:04,784 [root] INFO: Stopping auxiliary module: Browser 2026-06-30 16:14:04,784 [root] INFO: Stopping auxiliary module: Human 2026-06-30 16:14:08,914 [root] INFO: Finishing auxiliary modules 2026-06-30 16:14:08,916 [root] INFO: Shutting down pipe server and dumping dropped files 2026-06-30 16:14:08,916 [root] WARNING: Folder at path "C:\ybKuGCDHA\debugger" does not exist, skipping 2026-06-30 16:14:08,917 [root] WARNING: Folder at path "C:\ybKuGCDHA\tlsdump" does not exist, skipping 2026-06-30 16:14:08,918 [root] INFO: Analysis completed
Process Log
Pre-Script Log
During-Script Log
Machine Information
| Name | Label | Manager | Started On | Shutdown On | Route |
|---|---|---|---|---|---|
| win10 | win10 | KVM | 2026-06-30 16:11:10 | 2026-06-30 16:14:14 | internet |
File Details
| File Name |
testt.bat
|
|---|---|
| File Type | ASCII text, with very long lines (443), with no line terminators |
| File Size | 443 bytes |
| MD5 | 5eeca5cd9cdcf7b4f1bb39293a917d32 |
| SHA1 | 760a2e7fc6afc2bac32929e5863239598d4520b6 |
| SHA256 | 6aea9b9f8ad777ea38fc5e0ba596459f14dd2e99d7445efbb58e88b120958d31 VT MWDB Bazaar |
| SHA3-384 | 62b8eb1eb5a97b60bb4a156e91c7668abf06e84898b08bd2a55f861cf91bcaa7ea8f2afa977b2a48716304f6ec0c1c5c |
| CRC32 | 244EF07D |
| TLSH | T187F0F1E759DA6CDD3FD3DC73B124780B1D93482D15DD85B6B16CAAAC23C9C52221C1D2 |
| Ssdeep | 12:Ci4pvXL+V0VscTZrR0mrSbtTtD7Kqlrud:CiYPLvMDbtTtPyd |
Extracted Text
start "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe --disable-features=RendererCodeIntegrity "https://accounts.google.com/lifecycle/steps/signup/name?continue=https://www.google.com/&dsh=S1728256510:1782835636577168&flowEntry=SignUp&flowName=GlifWebSignIn&gae=cb-none&hl=en&ifkv=AcDsRvw1CVsatnVW1CzmzWxQ1V9pF_Jx6qr7YX2pv5dF3ZGMdZRyE_qxOcHoXhFXQ1a1udHRcipYUQ&TL=ADCchmYjO8KuFmMZ51Nd2dCy-QPkK3MUbwYbQkB1CTnKBntpStl5cylS4R6mzDzE" "
Processing 2.82s
- 2.743s CAPE
- 0.04s NetworkAnalysis
- 0.027s BehaviorAnalysis
- 0.009s AnalysisInfo
- 0.001s Debug
Signatures 0.05s
- 0.005s antiav_detectfile
- 0.005s antiav_detectreg
- 0.005s masquerade_process_name
- 0.005s ransomware_files
- 0.003s antianalysis_detectfile
- 0.003s infostealer_bitcoin
- 0.003s infostealer_ftp
- 0.003s ransomware_extensions_known
- 0.003s territorial_disputes_sigs
- 0.002s antivm_vbox_files
- 0.002s infostealer_im
- 0.002s infostealer_mail
- 0.002s uses_windows_utilities
- 0.001s network_cnc_http
- 0.001s antianalysis_detectreg
- 0.001s antidebug_devices
- 0.001s antivm_vbox_keys
- 0.001s antivm_vmware_files
- 0.001s browser_security
- 0.001s disables_backups
- 0.001s disables_browser_warn
- 0.001s disables_power_options
- 0.001s removes_startmenu_defaults
- 0.001s suspicious_command_tools
Reporting 0.00s
- 0.002s JsonDump
Signatures
Network activity detected but not expressed in monitor API logs
ip: 64.233.166.94
ip: 172.66.2.5
ip: 104.18.22.215
Executed a command line with /C or /R argument to terminate command shell on completion which can be used to hide execution
command: C:\Windows\system32\cmd.exe /K "C:\Users\Rajesh\AppData\Local\Temp\testt.bat"
Performs some HTTP requests
url: http://c.pki.goog/r/gsr1.crl
url: http://c.pki.goog/r/r4.crl
Uses Windows utilities for basic functionality
command: C:\Windows\system32\cmd.exe /K "C:\Users\Rajesh\AppData\Local\Temp\testt.bat"
Screenshots
Summary
- C:\Users\Rajesh\AppData\Local\Temp
- C:\Users
- C:\Users\Rajesh
- C:\Users\Rajesh\AppData
- C:\Users\Rajesh\AppData\Local
- C:\Users\Rajesh\AppData\Local\Temp\testt.bat
- C:\
- C:\Windows\System32\cmdext.dll
- C:\Users\Rajesh\AppData\Local\Temp\dsh.*
- C:\Windows\System32\dsh.*
- C:\Windows\dsh.*
- C:\Windows\System32\wbem\dsh.*
- C:\Windows\System32\WindowsPowerShell\v1.0\dsh.*
- C:\Windows\System32\OpenSSH\dsh.*
- C:\Users\Rajesh\AppData\Local\Programs\Python\Python314\Scripts\dsh.*
- C:\Users\Rajesh\AppData\Local\Programs\Python\Python314\dsh.*
- C:\Users\Rajesh\AppData\Local\Microsoft\WindowsApps\dsh.*
- C:\Users\Rajesh\AppData\Local\Temp\flowEntry.*
- C:\Windows\System32\flowEntry.*
- C:\Windows\flowEntry.*
- C:\Windows\System32\wbem\flowEntry.*
- C:\Windows\System32\WindowsPowerShell\v1.0\flowEntry.*
- C:\Windows\System32\OpenSSH\flowEntry.*
- C:\Users\Rajesh\AppData\Local\Programs\Python\Python314\Scripts\flowEntry.*
- C:\Users\Rajesh\AppData\Local\Programs\Python\Python314\flowEntry.*
- C:\Users\Rajesh\AppData\Local\Microsoft\WindowsApps\flowEntry.*
- C:\Users\Rajesh\AppData\Local\Temp\flowName.*
- C:\Windows\System32\flowName.*
- C:\Windows\flowName.*
- C:\Windows\System32\wbem\flowName.*
- C:\Windows\System32\WindowsPowerShell\v1.0\flowName.*
- C:\Windows\System32\OpenSSH\flowName.*
- C:\Users\Rajesh\AppData\Local\Programs\Python\Python314\Scripts\flowName.*
- C:\Users\Rajesh\AppData\Local\Programs\Python\Python314\flowName.*
- C:\Users\Rajesh\AppData\Local\Microsoft\WindowsApps\flowName.*
- C:\Users\Rajesh\AppData\Local\Temp\gae.*
- C:\Windows\System32\gae.*
- C:\Windows\gae.*
- C:\Windows\System32\wbem\gae.*
- C:\Windows\System32\WindowsPowerShell\v1.0\gae.*
- C:\Windows\System32\OpenSSH\gae.*
- C:\Users\Rajesh\AppData\Local\Programs\Python\Python314\Scripts\gae.*
- C:\Users\Rajesh\AppData\Local\Programs\Python\Python314\gae.*
- C:\Users\Rajesh\AppData\Local\Microsoft\WindowsApps\gae.*
- C:\Users\Rajesh\AppData\Local\Temp\hl.*
- C:\Windows\System32\hl.*
- C:\Windows\hl.*
- C:\Windows\System32\wbem\hl.*
- C:\Windows\System32\WindowsPowerShell\v1.0\hl.*
- C:\Windows\System32\OpenSSH\hl.*
- C:\Users\Rajesh\AppData\Local\Programs\Python\Python314\Scripts\hl.*
- C:\Users\Rajesh\AppData\Local\Programs\Python\Python314\hl.*
- C:\Users\Rajesh\AppData\Local\Microsoft\WindowsApps\hl.*
- C:\Users\Rajesh\AppData\Local\Temp\ifkv.*
- C:\Windows\System32\ifkv.*
- C:\Windows\ifkv.*
- C:\Windows\System32\wbem\ifkv.*
- C:\Windows\System32\WindowsPowerShell\v1.0\ifkv.*
- C:\Windows\System32\OpenSSH\ifkv.*
- C:\Users\Rajesh\AppData\Local\Programs\Python\Python314\Scripts\ifkv.*
- C:\Users\Rajesh\AppData\Local\Programs\Python\Python314\ifkv.*
- C:\Users\Rajesh\AppData\Local\Microsoft\WindowsApps\ifkv.*
- C:\Users\Rajesh\AppData\Local\Temp\TL.*
- C:\Windows\System32\TL.*
- C:\Windows\TL.*
- C:\Windows\System32\wbem\TL.*
- C:\Windows\System32\WindowsPowerShell\v1.0\TL.*
- C:\Windows\System32\OpenSSH\TL.*
- C:\Users\Rajesh\AppData\Local\Programs\Python\Python314\Scripts\TL.*
- C:\Users\Rajesh\AppData\Local\Programs\Python\Python314\TL.*
- C:\Users\Rajesh\AppData\Local\Microsoft\WindowsApps\TL.*
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
- HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DisableUNCCheck
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\EnableExtensions
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DelayedExpansion
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DefaultColor
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\CompletionChar
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\PathCompletionChar
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\AutoRun
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DisableUNCCheck
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\EnableExtensions
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DelayedExpansion
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DefaultColor
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\CompletionChar
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\PathCompletionChar
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\AutoRun
- C:\Windows\system32\cmd.exe /K "C:\Users\Rajesh\AppData\Local\Temp\testt.bat"
No results found.
No behavioral analysis data available.
Sorry! No strace.
Sorry! No tracee.
Hosts
No hosts contacted.
TCP Connections
No TCP connections recorded.
UDP Connections
No UDP connections recorded.
DNS Requests
No domains contacted.
HTTP Requests
No HTTP(s) requests performed.
SMTP Traffic
No SMTP traffic performed.
IRC Traffic
No IRC requests performed.
ICMP Traffic
No ICMP traffic performed.
CIF Results
No CIF Results
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Suricata HTTP
No Suricata HTTP
Sorry! No Suricata Extracted files.
No dropped files found.
Sorry! No process dumps.