
Category Package Started Completed Duration Options Log
FILE js 2025-07-14 10:34:04 2025-07-14 10:39:18 314 seconds
procdump=1
amsidump=1
2024-04-29 04:32:59,031 [root] INFO: Date set to: 20250714T03:34:03, timeout set to: 280
2025-07-14 03:34:03,015 [root] DEBUG: Starting analyzer from: C:\tmpd65zellw
2025-07-14 03:34:03,015 [root] DEBUG: Storing results at: C:\AJTYXNpIQ
2025-07-14 03:34:03,015 [root] DEBUG: Pipe server name: \\.\PIPE\vFLFqRLBVT
2025-07-14 03:34:03,015 [root] DEBUG: Python path: C:\olddocs
2025-07-14 03:34:03,015 [root] DEBUG: No analysis package specified, trying to detect it automagically
2025-07-14 03:34:03,015 [root] INFO: Automatically selected analysis package "js"
2025-07-14 03:34:03,015 [root] DEBUG: Importing analysis package "js"...
2025-07-14 03:34:03,015 [root] DEBUG: Initializing analysis package "js"...
2025-07-14 03:34:03,015 [root] INFO: Analyzer: Package modules.packages.js does not specify a DLL option
2025-07-14 03:34:03,015 [root] INFO: Analyzer: Package modules.packages.js does not specify a DLL_64 option
2025-07-14 03:34:03,015 [root] INFO: Analyzer: Package modules.packages.js does not specify a loader option
2025-07-14 03:34:03,015 [root] INFO: Analyzer: Package modules.packages.js does not specify a loader_64 option
2025-07-14 03:34:03,031 [root] DEBUG: Importing auxiliary module "modules.auxiliary.browser"...
2025-07-14 03:34:03,046 [root] DEBUG: Importing auxiliary module "modules.auxiliary.curtain"...
2025-07-14 03:34:03,046 [root] DEBUG: Importing auxiliary module "modules.auxiliary.default_apps"...
2025-07-14 03:34:03,046 [root] DEBUG: Importing auxiliary module "modules.auxiliary.digisig"...
2025-07-14 03:34:03,062 [root] DEBUG: Importing auxiliary module "modules.auxiliary.disguise"...
2025-07-14 03:34:03,062 [root] DEBUG: Importing auxiliary module "modules.auxiliary.evtx"...
2025-07-14 03:34:03,078 [root] DEBUG: Importing auxiliary module "modules.auxiliary.fiddler"...
2025-07-14 03:34:03,078 [root] DEBUG: Importing auxiliary module "modules.auxiliary.human"...
2025-07-14 03:34:03,093 [root] DEBUG: Importing auxiliary module "modules.auxiliary.screenshots"...
2025-07-14 03:34:03,093 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-07-14 03:34:03,140 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2025-07-14 03:34:03,156 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2025-07-14 03:34:03,156 [root] DEBUG: Importing auxiliary module "modules.auxiliary.sysmon"...
2025-07-14 03:34:03,156 [root] DEBUG: Importing auxiliary module "modules.auxiliary.tlsdump"...
2025-07-14 03:34:03,156 [root] DEBUG: Importing auxiliary module "modules.auxiliary.usage"...
2025-07-14 03:34:03,156 [root] DEBUG: Initializing auxiliary module "Browser"...
2025-07-14 03:34:03,156 [root] DEBUG: Started auxiliary module Browser
2025-07-14 03:34:03,156 [root] DEBUG: Initializing auxiliary module "Curtain"...
2025-07-14 03:34:03,171 [root] DEBUG: Started auxiliary module Curtain
2025-07-14 03:34:03,171 [root] DEBUG: Initializing auxiliary module "DefaultApps"...
2025-07-14 03:34:03,203 [modules.auxiliary.default_apps] DEBUG: Getting current user SID using WinAPI
2025-07-14 03:34:03,203 [root] DEBUG: Started auxiliary module DefaultApps
2025-07-14 03:34:03,203 [root] DEBUG: Initializing auxiliary module "DigiSig"...
2025-07-14 03:34:03,203 [modules.auxiliary.digisig] INFO: signtool.exe was not found in bin/
2025-07-14 03:34:03,203 [modules.auxiliary.digisig] INFO: dummy
2025-07-14 03:34:03,203 [modules.auxiliary.digisig] INFO: Skipping authenticode validation, unsupported analyzer package
2025-07-14 03:34:03,203 [root] DEBUG: Started auxiliary module DigiSig
2025-07-14 03:34:03,203 [root] DEBUG: Initializing auxiliary module "Disguise"...
2025-07-14 03:34:03,531 [modules.auxiliary.disguise] INFO: Setting NoRecentDocsHistory
2025-07-14 03:34:03,531 [root] WARNING: Cannot execute auxiliary module Disguise: [WinError 2] The system cannot find the file specified
2025-07-14 03:34:03,531 [root] DEBUG: Initializing auxiliary module "Evtx"...
2025-07-14 03:34:03,546 [modules.auxiliary.evtx] INFO: Loading audit policy C:\tmpd65zellw\bin\auditpol.csv
2025-07-14 03:34:03,781 [modules.auxiliary.evtx] INFO: Wiping logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2025-07-14 03:34:04,453 [root] DEBUG: Started auxiliary module Evtx
2025-07-14 03:34:04,453 [root] DEBUG: Initializing auxiliary module "Fiddler"...
2025-07-14 03:34:04,453 [modules.auxiliary.fiddler] INFO: fiddler package: dummy
2025-07-14 03:34:04,468 [root] DEBUG: Started auxiliary module Fiddler
2025-07-14 03:34:04,468 [root] DEBUG: Initializing auxiliary module "Human"...
2025-07-14 03:34:04,468 [root] DEBUG: Started auxiliary module Human
2025-07-14 03:34:04,468 [root] DEBUG: Initializing auxiliary module "Screenshots"...
2025-07-14 03:34:04,468 [root] DEBUG: Started auxiliary module Screenshots
2025-07-14 03:34:04,468 [root] DEBUG: Initializing auxiliary module "Sysmon"...
2025-07-14 03:34:04,468 [modules.auxiliary.sysmon] INFO: Seeing if we need to update sysmon config
2025-07-14 03:34:04,468 [root] DEBUG: Started auxiliary module Sysmon
2025-07-14 03:34:04,468 [root] DEBUG: Initializing auxiliary module "TLSDumpMasterSecrets"...
2025-07-14 03:34:04,468 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 556
2025-07-14 03:34:04,468 [lib.api.process] INFO: Monitor config for process 556: C:\tmpd65zellw\dll\556.ini
2025-07-14 03:34:04,468 [modules.auxiliary.sysmon] INFO: Found Sysmon Executable
2025-07-14 03:34:04,468 [modules.auxiliary.sysmon] INFO: Found Sysmon config
2025-07-14 03:34:06,562 [modules.auxiliary.sysmon] INFO: Clearing existing sysmon logs
2025-07-14 03:34:07,484 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2025-07-14 03:34:07,484 [lib.api.process] INFO: Option 'amsidump' with value '1' sent to monitor
2025-07-14 03:34:07,484 [lib.api.process] INFO: Option 'disable_hook_content' with value '3' sent to monitor
2025-07-14 03:34:07,484 [lib.api.process] INFO: Option 'injection' with value '0' sent to monitor
2025-07-14 03:34:07,484 [lib.api.process] INFO: Option 'yarascan' with value '0' sent to monitor
2025-07-14 03:34:07,484 [lib.api.process] INFO: Option 'caller_dump' with value '0' sent to monitor
2025-07-14 03:34:07,484 [lib.api.process] INFO: Option 'ntdll_protoect' with value '0' sent to monitor
2025-07-14 03:34:07,484 [lib.api.process] INFO: Option 'compression' with value '0' sent to monitor
2025-07-14 03:34:07,484 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-07-14 03:34:07,484 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpd65zellw\dll\AQErat.dll, loader C:\tmpd65zellw\bin\OQUAtNTA.exe
2025-07-14 03:34:07,515 [root] DEBUG: Loader: Injecting process 556 with C:\tmpd65zellw\dll\AQErat.dll.
2025-07-14 03:34:07,562 [root] DEBUG: 556: Python path set to 'C:\olddocs'.
2025-07-14 03:34:07,562 [root] DEBUG: 556: Disabling sleep skipping.
2025-07-14 03:34:07,562 [root] DEBUG: 556: Process dumps enabled.
2025-07-14 03:34:07,562 [root] DEBUG: 556: AMSI dumping enabled.
2025-07-14 03:34:07,562 [root] DEBUG: 556: In-monitor YARA scans disabled.
2025-07-14 03:34:07,562 [root] DEBUG: 556: Monitor config - unrecognised key caller_dump.
2025-07-14 03:34:07,562 [root] DEBUG: 556: Monitor config - unrecognised key ntdll_protoect.
2025-07-14 03:34:07,562 [root] DEBUG: 556: Monitor config - unrecognised key compression.
2025-07-14 03:34:07,562 [root] DEBUG: 556: TLS secret dump mode enabled.
2025-07-14 03:34:07,578 [root] DEBUG: 556: Monitor initialised: 64-bit capemon loaded in process 556 at 0x000007FEED310000, thread 2488, image base 0x00000000FFF80000, stack from 0x0000000002372000-0x0000000002380000
2025-07-14 03:34:07,578 [root] DEBUG: 556: Commandline: C:\Windows\system32\lsass.exe
2025-07-14 03:34:07,578 [root] DEBUG: 556: Hooked 5 out of 5 functions
2025-07-14 03:34:07,578 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-07-14 03:34:07,578 [root] DEBUG: Successfully injected DLL C:\tmpd65zellw\dll\AQErat.dll.
2025-07-14 03:34:07,593 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 556
2025-07-14 03:34:07,593 [root] DEBUG: Started auxiliary module TLSDumpMasterSecrets
2025-07-14 03:34:07,593 [root] DEBUG: Initializing auxiliary module "Usage"...
2025-07-14 03:34:07,593 [root] DEBUG: Started auxiliary module Usage
2025-07-14 03:34:10,203 [root] INFO: Restarting WMI Service
2025-07-14 03:34:14,296 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\system32\wscript.exe" with arguments ""C:\Users\pgabriel\AppData\Local\Temp\PointDragControls.js"" with pid 700
2025-07-14 03:34:14,296 [lib.api.process] INFO: Monitor config for process 700: C:\tmpd65zellw\dll\700.ini
2025-07-14 03:34:14,296 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2025-07-14 03:34:14,312 [lib.api.process] INFO: Option 'amsidump' with value '1' sent to monitor
2025-07-14 03:34:14,312 [lib.api.process] INFO: Option 'disable_hook_content' with value '3' sent to monitor
2025-07-14 03:34:14,312 [lib.api.process] INFO: Option 'injection' with value '0' sent to monitor
2025-07-14 03:34:14,312 [lib.api.process] INFO: Option 'yarascan' with value '0' sent to monitor
2025-07-14 03:34:14,312 [lib.api.process] INFO: Option 'caller_dump' with value '0' sent to monitor
2025-07-14 03:34:14,312 [lib.api.process] INFO: Option 'ntdll_protoect' with value '0' sent to monitor
2025-07-14 03:34:14,312 [lib.api.process] INFO: Option 'compression' with value '0' sent to monitor
2025-07-14 03:34:14,312 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpd65zellw\dll\JPjTMI.dll, loader C:\tmpd65zellw\bin\OFvnnpn.exe
2025-07-14 03:34:14,328 [root] DEBUG: Loader: Injecting process 700 (thread 352) with C:\tmpd65zellw\dll\JPjTMI.dll.
2025-07-14 03:34:14,328 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-07-14 03:34:14,328 [root] DEBUG: Successfully injected DLL C:\tmpd65zellw\dll\JPjTMI.dll.
2025-07-14 03:34:14,328 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 700
2025-07-14 03:34:16,328 [lib.api.process] INFO: Successfully resumed process with pid 700
2025-07-14 03:34:16,343 [root] DEBUG: 700: Python path set to 'C:\olddocs'.
2025-07-14 03:34:16,343 [root] DEBUG: 700: Disabling sleep skipping.
2025-07-14 03:34:16,343 [root] DEBUG: 700: Process dumps enabled.
2025-07-14 03:34:16,343 [root] DEBUG: 700: AMSI dumping enabled.
2025-07-14 03:34:16,343 [root] DEBUG: 700: In-monitor YARA scans disabled.
2025-07-14 03:34:16,343 [root] DEBUG: 700: Monitor config - unrecognised key caller_dump.
2025-07-14 03:34:16,343 [root] DEBUG: 700: Monitor config - unrecognised key ntdll_protoect.
2025-07-14 03:34:16,343 [root] DEBUG: 700: Monitor config - unrecognised key compression.
2025-07-14 03:34:16,343 [root] DEBUG: 700: Dropped file limit defaulting to 100.
2025-07-14 03:34:16,359 [root] DEBUG: 700: wscript hook set enabled
2025-07-14 03:34:16,359 [root] DEBUG: 700: Monitor initialised: 32-bit capemon loaded in process 700 at 0x74010000, thread 352, image base 0x30000, stack from 0x433000-0x440000
2025-07-14 03:34:16,359 [root] DEBUG: 700: Commandline: "C:\Windows\system32\wscript.exe" "C:\Users\pgabriel\AppData\Local\Temp\PointDragControls.js"
2025-07-14 03:34:16,375 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2025-07-14 03:34:16,375 [root] DEBUG: 700: set_hooks: Unable to hook GetCommandLineA
2025-07-14 03:34:16,375 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2025-07-14 03:34:16,375 [root] DEBUG: 700: set_hooks: Unable to hook GetCommandLineW
2025-07-14 03:34:16,375 [root] DEBUG: 700: Hooked 615 out of 617 functions
2025-07-14 03:34:16,390 [root] DEBUG: 700: WoW64 detected: 64-bit ntdll base: 0x773f0000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7745b5f0, Wow64PrepareForException: 0x0
2025-07-14 03:34:16,390 [root] DEBUG: 700: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x160000
2025-07-14 03:34:16,390 [root] INFO: Loaded monitor into process with pid 700
2025-07-14 03:34:16,390 [root] DEBUG: 700: DLL loaded at 0x733D0000: C:\Windows\system32\uxtheme (0x80000 bytes).
2025-07-14 03:34:16,437 [root] DEBUG: 700: DLL loaded at 0x74570000: C:\Windows\SysWOW64\SXS (0x5f000 bytes).
2025-07-14 03:34:16,437 [root] DEBUG: 700: DLL loaded at 0x74550000: C:\Windows\SysWOW64\dwmapi (0x13000 bytes).
2025-07-14 03:34:16,437 [root] DEBUG: 700: DLL loaded at 0x76610000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2025-07-14 03:34:16,437 [root] DEBUG: 700: DLL loaded at 0x73F60000: C:\Windows\SysWOW64\jscript (0xa6000 bytes).
2025-07-14 03:34:16,437 [root] INFO: got call to handle interop inside dcom lock
2025-07-14 03:34:16,453 [root] INFO: \Device\HarddiskVolume2\Windows\System32\svchost.exe
2025-07-14 03:34:16,453 [lib.api.process] INFO: Monitor config for process 664: C:\tmpd65zellw\dll\664.ini
2025-07-14 03:34:16,453 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2025-07-14 03:34:16,453 [lib.api.process] INFO: Option 'amsidump' with value '1' sent to monitor
2025-07-14 03:34:16,453 [lib.api.process] INFO: Option 'disable_hook_content' with value '3' sent to monitor
2025-07-14 03:34:16,453 [lib.api.process] INFO: Option 'injection' with value '0' sent to monitor
2025-07-14 03:34:16,453 [lib.api.process] INFO: Option 'yarascan' with value '0' sent to monitor
2025-07-14 03:34:16,453 [lib.api.process] INFO: Option 'caller_dump' with value '0' sent to monitor
2025-07-14 03:34:16,453 [lib.api.process] INFO: Option 'ntdll_protoect' with value '0' sent to monitor
2025-07-14 03:34:16,453 [lib.api.process] INFO: Option 'compression' with value '0' sent to monitor
2025-07-14 03:34:16,453 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpd65zellw\dll\AQErat.dll, loader C:\tmpd65zellw\bin\OQUAtNTA.exe
2025-07-14 03:34:16,468 [root] DEBUG: Loader: Injecting process 664 with C:\tmpd65zellw\dll\AQErat.dll.
2025-07-14 03:34:16,468 [root] DEBUG: 664: Python path set to 'C:\olddocs'.
2025-07-14 03:34:16,468 [root] DEBUG: 664: Disabling sleep skipping.
2025-07-14 03:34:16,468 [root] DEBUG: 664: Process dumps enabled.
2025-07-14 03:34:16,468 [root] DEBUG: 664: AMSI dumping enabled.
2025-07-14 03:34:16,468 [root] DEBUG: 664: In-monitor YARA scans disabled.
2025-07-14 03:34:16,468 [root] DEBUG: 664: Monitor config - unrecognised key caller_dump.
2025-07-14 03:34:16,468 [root] DEBUG: 664: Monitor config - unrecognised key ntdll_protoect.
2025-07-14 03:34:16,468 [root] DEBUG: 664: Monitor config - unrecognised key compression.
2025-07-14 03:34:16,468 [root] DEBUG: 664: Dropped file limit defaulting to 100.
2025-07-14 03:34:16,468 [root] DEBUG: 664: parent_has_path: unable to get path for parent process 544
2025-07-14 03:34:16,484 [root] DEBUG: 664: Monitor initialised: 64-bit capemon loaded in process 664 at 0x000007FEED310000, thread 2512, image base 0x00000000FF290000, stack from 0x00000000011C3000-0x00000000011D0000
2025-07-14 03:34:16,484 [root] DEBUG: 664: Commandline: C:\Windows\system32\svchost.exe -k DcomLaunch
2025-07-14 03:34:16,515 [root] WARNING: b'Unable to place hook on LockResource'
2025-07-14 03:34:16,515 [root] DEBUG: 664: set_hooks: Unable to hook LockResource
2025-07-14 03:34:16,531 [root] DEBUG: 664: Hooked 609 out of 610 functions
2025-07-14 03:34:16,531 [root] INFO: Loaded monitor into process with pid 664
2025-07-14 03:34:16,546 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-07-14 03:34:16,546 [root] DEBUG: Successfully injected DLL C:\tmpd65zellw\dll\AQErat.dll.
2025-07-14 03:34:16,546 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 664
2025-07-14 03:34:16,562 [modules.auxiliary.sysmon] INFO: Dumping sysmon logs
2025-07-14 03:34:18,546 [root] DEBUG: 700: DLL loaded at 0x767B0000: C:\Windows\syswow64\WINTRUST (0x2f000 bytes).
2025-07-14 03:34:18,562 [root] DEBUG: 700: DLL loaded at 0x732D0000: C:\Windows\SysWOW64\CRYPTSP (0x17000 bytes).
2025-07-14 03:34:18,562 [root] DEBUG: 700: DLL loaded at 0x73290000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2025-07-14 03:34:18,562 [root] DEBUG: 700: DLL loaded at 0x74540000: C:\Windows\SysWOW64\MSISIP (0x8000 bytes).
2025-07-14 03:34:18,578 [root] DEBUG: 700: DLL loaded at 0x74520000: C:\Windows\SysWOW64\wshext (0x16000 bytes).
2025-07-14 03:34:18,578 [root] DEBUG: 700: DLL loaded at 0x73ED0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\COMCTL32 (0x84000 bytes).
2025-07-14 03:34:18,578 [root] DEBUG: 700: DLL loaded at 0x75340000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2025-07-14 03:34:18,578 [root] DEBUG: 700: DLL loaded at 0x73EA0000: C:\Windows\SysWOW64\scrobj (0x2d000 bytes).
2025-07-14 03:34:19,266 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2025-07-14 03:34:19,454 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2025-07-14 03:34:19,696 [lib.common.results] INFO: File 1752489259649414000.InternetExplorer.evtx.gz size is 251, Max size: 100000000
2025-07-14 03:34:19,711 [lib.common.results] INFO: File 1752489259649414000.HardwareEvents.evtx.gz size is 359, Max size: 100000000
2025-07-14 03:34:19,727 [lib.common.results] INFO: File 1752489259649414000.KeyManagementService.evtx.gz size is 4963, Max size: 100000000
2025-07-14 03:34:19,743 [lib.common.results] INFO: File 1752489259649414000.Application.evtx.gz size is 6787, Max size: 100000000
2025-07-14 03:34:19,758 [lib.common.results] INFO: File 1752489259696289000.OAlerts.evtx.gz size is 243, Max size: 100000000
2025-07-14 03:34:19,774 [lib.common.results] INFO: File 1752489259711914000.Setup.evtx.gz size is 240, Max size: 100000000
2025-07-14 03:34:19,774 [lib.common.results] INFO: File 1752489259711914000.Security.evtx.gz size is 7830, Max size: 100000000
2025-07-14 03:34:19,790 [lib.common.results] INFO: File 1752489259711914000.System.evtx.gz size is 8775, Max size: 100000000
2025-07-14 03:34:19,805 [lib.common.results] INFO: File 1752489259758789000.WindowsPowerShell.evtx.gz size is 3096, Max size: 100000000
2025-07-14 03:34:20,290 [root] DEBUG: 700: NtTerminateProcess hook: Attempting to dump process 700
2025-07-14 03:34:20,290 [root] DEBUG: 700: DoProcessDump: Skipping process dump as code is identical on disk.
2025-07-14 03:34:20,290 [root] INFO: Process with pid 700 has terminated
2025-07-14 03:34:21,649 [modules.auxiliary.sysmon] INFO: Uploading sysmon/1752489261.6494138.sysmon.evtx.gz to host
2025-07-14 03:34:21,665 [lib.common.results] INFO: File C:\Sysmon.evtx.gz size is 8783, Max size: 100000000
2025-07-14 03:34:27,555 [lib.common.results] INFO: File c:\olddocs\1752489262555.saz size is 4599, Max size: 100000000
2025-07-14 03:34:27,571 [modules.auxiliary.fiddler] ERROR: Saz log file not found in guest machine
2025-07-14 03:34:34,836 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2025-07-14 03:34:35,102 [lib.common.results] INFO: File 1752489275055664000.InternetExplorer.evtx.gz size is 251, Max size: 100000000
2025-07-14 03:34:35,118 [lib.common.results] INFO: File 1752489275040039000.HardwareEvents.evtx.gz size is 359, Max size: 100000000
2025-07-14 03:34:35,118 [lib.common.results] INFO: File 1752489275040039000.Application.evtx.gz size is 6713, Max size: 100000000
2025-07-14 03:34:35,133 [lib.common.results] INFO: File 1752489275055664000.KeyManagementService.evtx.gz size is 4963, Max size: 100000000
2025-07-14 03:34:35,165 [lib.common.results] INFO: File 1752489275102539000.Setup.evtx.gz size is 240, Max size: 100000000
2025-07-14 03:34:35,180 [lib.common.results] INFO: File 1752489275102539000.OAlerts.evtx.gz size is 243, Max size: 100000000
2025-07-14 03:34:35,196 [lib.common.results] INFO: File 1752489275102539000.Security.evtx.gz size is 7547, Max size: 100000000
2025-07-14 03:34:35,211 [lib.common.results] INFO: File 1752489275118164000.System.evtx.gz size is 8469, Max size: 100000000
2025-07-14 03:34:35,227 [lib.common.results] INFO: File 1752489275165039000.WindowsPowerShell.evtx.gz size is 3096, Max size: 100000000
2025-07-14 03:34:36,665 [modules.auxiliary.sysmon] INFO: Dumping sysmon logs
2025-07-14 03:34:41,758 [modules.auxiliary.sysmon] INFO: Uploading sysmon/1752489281.758789.sysmon.evtx.gz to host
2025-07-14 03:34:41,758 [lib.common.results] INFO: File C:\Sysmon.evtx.gz size is 12595, Max size: 100000000
2025-07-14 03:34:47,665 [modules.auxiliary.fiddler] ERROR: Saz log file not found in guest machine
2025-07-14 03:34:50,258 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2025-07-14 03:34:50,508 [lib.common.results] INFO: File 1752489290446289000.HardwareEvents.evtx.gz size is 359, Max size: 100000000
2025-07-14 03:34:50,508 [lib.common.results] INFO: File 1752489290446289000.Application.evtx.gz size is 6713, Max size: 100000000
2025-07-14 03:34:50,540 [lib.common.results] INFO: File 1752489290461914000.InternetExplorer.evtx.gz size is 251, Max size: 100000000
2025-07-14 03:34:50,540 [lib.common.results] INFO: File 1752489290477539000.KeyManagementService.evtx.gz size is 4963, Max size: 100000000
2025-07-14 03:34:50,555 [lib.common.results] INFO: File 1752489290493164000.OAlerts.evtx.gz size is 243, Max size: 100000000
2025-07-14 03:34:50,571 [lib.common.results] INFO: File 1752489290508789000.Security.evtx.gz size is 7249, Max size: 100000000
2025-07-14 03:34:50,586 [lib.common.results] INFO: File 1752489290524414000.Setup.evtx.gz size is 240, Max size: 100000000
2025-07-14 03:34:50,602 [lib.common.results] INFO: File 1752489290555664000.WindowsPowerShell.evtx.gz size is 3096, Max size: 100000000
2025-07-14 03:34:50,618 [lib.common.results] INFO: File 1752489290540039000.System.evtx.gz size is 8360, Max size: 100000000
2025-07-14 03:34:56,774 [modules.auxiliary.sysmon] INFO: Dumping sysmon logs
2025-07-14 03:35:01,852 [modules.auxiliary.sysmon] INFO: Uploading sysmon/1752489301.8525388.sysmon.evtx.gz to host
2025-07-14 03:35:01,852 [lib.common.results] INFO: File C:\Sysmon.evtx.gz size is 5891, Max size: 100000000
2025-07-14 03:35:05,665 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2025-07-14 03:35:05,946 [lib.common.results] INFO: File 1752489305868164000.HardwareEvents.evtx.gz size is 359, Max size: 100000000
2025-07-14 03:35:05,961 [lib.common.results] INFO: File 1752489305899414000.InternetExplorer.evtx.gz size is 251, Max size: 100000000
2025-07-14 03:35:05,977 [lib.common.results] INFO: File 1752489305868164000.Application.evtx.gz size is 6713, Max size: 100000000
2025-07-14 03:35:06,008 [lib.common.results] INFO: File 1752489305930664000.KeyManagementService.evtx.gz size is 4963, Max size: 100000000
2025-07-14 03:35:06,008 [lib.common.results] INFO: File 1752489305946289000.Setup.evtx.gz size is 240, Max size: 100000000
2025-07-14 03:35:06,024 [lib.common.results] INFO: File 1752489305946289000.OAlerts.evtx.gz size is 243, Max size: 100000000
2025-07-14 03:35:06,024 [lib.common.results] INFO: File 1752489305946289000.Security.evtx.gz size is 7299, Max size: 100000000
2025-07-14 03:35:06,055 [lib.common.results] INFO: File 1752489306008789000.WindowsPowerShell.evtx.gz size is 3096, Max size: 100000000
2025-07-14 03:35:06,055 [lib.common.results] INFO: File 1752489306008789000.System.evtx.gz size is 8351, Max size: 100000000
2025-07-14 03:35:07,758 [modules.auxiliary.fiddler] ERROR: Saz log file not found in guest machine
2025-07-14 03:35:16,868 [modules.auxiliary.sysmon] INFO: Dumping sysmon logs
2025-07-14 03:35:21,086 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2025-07-14 03:35:21,336 [lib.common.results] INFO: File 1752489321290039000.HardwareEvents.evtx.gz size is 359, Max size: 100000000
2025-07-14 03:35:21,368 [lib.common.results] INFO: File 1752489321305664000.InternetExplorer.evtx.gz size is 251, Max size: 100000000
2025-07-14 03:35:21,383 [lib.common.results] INFO: File 1752489321290039000.Application.evtx.gz size is 6916, Max size: 100000000
2025-07-14 03:35:21,399 [lib.common.results] INFO: File 1752489321321289000.KeyManagementService.evtx.gz size is 4963, Max size: 100000000
2025-07-14 03:35:21,415 [lib.common.results] INFO: File 1752489321336914000.OAlerts.evtx.gz size is 243, Max size: 100000000
2025-07-14 03:35:21,430 [lib.common.results] INFO: File 1752489321368164000.Setup.evtx.gz size is 240, Max size: 100000000
2025-07-14 03:35:21,430 [lib.common.results] INFO: File 1752489321352539000.Security.evtx.gz size is 7063, Max size: 100000000
2025-07-14 03:35:21,461 [lib.common.results] INFO: File 1752489321399414000.WindowsPowerShell.evtx.gz size is 3096, Max size: 100000000
2025-07-14 03:35:21,461 [lib.common.results] INFO: File 1752489321399414000.System.evtx.gz size is 8355, Max size: 100000000
2025-07-14 03:35:21,930 [modules.auxiliary.sysmon] INFO: Uploading sysmon/1752489321.9306638.sysmon.evtx.gz to host
2025-07-14 03:35:21,930 [lib.common.results] INFO: File C:\Sysmon.evtx.gz size is 6196, Max size: 100000000
2025-07-14 03:35:27,821 [modules.auxiliary.fiddler] ERROR: Saz log file not found in guest machine
2025-07-14 03:35:36,493 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2025-07-14 03:35:36,790 [lib.common.results] INFO: File 1752489336727539000.HardwareEvents.evtx.gz size is 359, Max size: 100000000
2025-07-14 03:35:36,805 [lib.common.results] INFO: File 1752489336711914000.Application.evtx.gz size is 6848, Max size: 100000000
2025-07-14 03:35:36,805 [lib.common.results] INFO: File 1752489336743164000.InternetExplorer.evtx.gz size is 251, Max size: 100000000
2025-07-14 03:35:36,852 [lib.common.results] INFO: File 1752489336774414000.KeyManagementService.evtx.gz size is 4963, Max size: 100000000
2025-07-14 03:35:36,868 [lib.common.results] INFO: File 1752489336790039000.OAlerts.evtx.gz size is 243, Max size: 100000000
2025-07-14 03:35:36,868 [lib.common.results] INFO: File 1752489336805664000.Security.evtx.gz size is 7284, Max size: 100000000
2025-07-14 03:35:36,883 [lib.common.results] INFO: File 1752489336805664000.Setup.evtx.gz size is 240, Max size: 100000000
2025-07-14 03:35:36,899 [lib.common.results] INFO: File 1752489336852539000.WindowsPowerShell.evtx.gz size is 3096, Max size: 100000000
2025-07-14 03:35:36,915 [lib.common.results] INFO: File 1752489336852539000.System.evtx.gz size is 8343, Max size: 100000000
2025-07-14 03:35:36,946 [modules.auxiliary.sysmon] INFO: Dumping sysmon logs
2025-07-14 03:35:42,024 [modules.auxiliary.sysmon] INFO: Uploading sysmon/1752489342.024414.sysmon.evtx.gz to host
2025-07-14 03:35:42,024 [lib.common.results] INFO: File C:\Sysmon.evtx.gz size is 5930, Max size: 100000000
2025-07-14 03:35:47,899 [modules.auxiliary.fiddler] ERROR: Saz log file not found in guest machine
2025-07-14 03:35:51,961 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2025-07-14 03:35:52,211 [lib.common.results] INFO: File 1752489352149414000.HardwareEvents.evtx.gz size is 359, Max size: 100000000
2025-07-14 03:35:52,243 [lib.common.results] INFO: File 1752489352149414000.Application.evtx.gz size is 6848, Max size: 100000000
2025-07-14 03:35:52,243 [lib.common.results] INFO: File 1752489352180664000.InternetExplorer.evtx.gz size is 251, Max size: 100000000
2025-07-14 03:35:52,258 [lib.common.results] INFO: File 1752489352196289000.KeyManagementService.evtx.gz size is 4963, Max size: 100000000
2025-07-14 03:35:52,274 [lib.common.results] INFO: File 1752489352211914000.OAlerts.evtx.gz size is 243, Max size: 100000000
2025-07-14 03:35:52,305 [lib.common.results] INFO: File 1752489352243164000.Setup.evtx.gz size is 240, Max size: 100000000
2025-07-14 03:35:52,305 [lib.common.results] INFO: File 1752489352243164000.Security.evtx.gz size is 7288, Max size: 100000000
2025-07-14 03:35:52,321 [lib.common.results] INFO: File 1752489352274414000.WindowsPowerShell.evtx.gz size is 3096, Max size: 100000000
2025-07-14 03:35:52,321 [lib.common.results] INFO: File 1752489352258789000.System.evtx.gz size is 8357, Max size: 100000000
2025-07-14 03:35:57,024 [modules.auxiliary.sysmon] INFO: Dumping sysmon logs
2025-07-14 03:36:02,086 [modules.auxiliary.sysmon] INFO: Uploading sysmon/1752489362.086914.sysmon.evtx.gz to host
2025-07-14 03:36:02,086 [lib.common.results] INFO: File C:\Sysmon.evtx.gz size is 5479, Max size: 100000000
2025-07-14 03:36:07,383 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2025-07-14 03:36:07,665 [lib.common.results] INFO: File 1752489367602539000.HardwareEvents.evtx.gz size is 359, Max size: 100000000
2025-07-14 03:36:07,680 [lib.common.results] INFO: File 1752489367602539000.InternetExplorer.evtx.gz size is 251, Max size: 100000000
2025-07-14 03:36:07,696 [lib.common.results] INFO: File 1752489367602539000.Application.evtx.gz size is 6848, Max size: 100000000
2025-07-14 03:36:07,696 [lib.common.results] INFO: File 1752489367633789000.KeyManagementService.evtx.gz size is 4963, Max size: 100000000
2025-07-14 03:36:07,743 [lib.common.results] INFO: File 1752489367665039000.OAlerts.evtx.gz size is 243, Max size: 100000000
2025-07-14 03:36:07,758 [lib.common.results] INFO: File 1752489367680664000.Security.evtx.gz size is 7255, Max size: 100000000
2025-07-14 03:36:07,774 [lib.common.results] INFO: File 1752489367696289000.System.evtx.gz size is 8367, Max size: 100000000
2025-07-14 03:36:07,805 [lib.common.results] INFO: File 1752489367680664000.Setup.evtx.gz size is 240, Max size: 100000000
2025-07-14 03:36:07,836 [lib.common.results] INFO: File 1752489367743164000.WindowsPowerShell.evtx.gz size is 3096, Max size: 100000000
2025-07-14 03:36:07,977 [modules.auxiliary.fiddler] ERROR: Saz log file not found in guest machine
2025-07-14 03:36:17,086 [modules.auxiliary.sysmon] INFO: Dumping sysmon logs
2025-07-14 03:36:22,180 [modules.auxiliary.sysmon] INFO: Uploading sysmon/1752489382.180664.sysmon.evtx.gz to host
2025-07-14 03:36:22,180 [lib.common.results] INFO: File C:\Sysmon.evtx.gz size is 5781, Max size: 100000000
2025-07-14 03:36:22,883 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2025-07-14 03:36:23,180 [lib.common.results] INFO: File 1752489383102539000.HardwareEvents.evtx.gz size is 359, Max size: 100000000
2025-07-14 03:36:23,180 [lib.common.results] INFO: File 1752489383118164000.KeyManagementService.evtx.gz size is 4963, Max size: 100000000
2025-07-14 03:36:23,196 [lib.common.results] INFO: File 1752489383118164000.InternetExplorer.evtx.gz size is 251, Max size: 100000000
2025-07-14 03:36:23,211 [lib.common.results] INFO: File 1752489383086914000.Application.evtx.gz size is 6848, Max size: 100000000
2025-07-14 03:36:23,243 [lib.common.results] INFO: File 1752489383165039000.OAlerts.evtx.gz size is 243, Max size: 100000000
2025-07-14 03:36:23,258 [lib.common.results] INFO: File 1752489383180664000.Setup.evtx.gz size is 240, Max size: 100000000
2025-07-14 03:36:23,274 [lib.common.results] INFO: File 1752489383180664000.Security.evtx.gz size is 7247, Max size: 100000000
2025-07-14 03:36:23,290 [lib.common.results] INFO: File 1752489383211914000.System.evtx.gz size is 8361, Max size: 100000000
2025-07-14 03:36:23,305 [lib.common.results] INFO: File 1752489383243164000.WindowsPowerShell.evtx.gz size is 3096, Max size: 100000000
2025-07-14 03:36:28,243 [modules.auxiliary.fiddler] ERROR: Saz log file not found in guest machine
2025-07-14 03:36:37,196 [modules.auxiliary.sysmon] INFO: Dumping sysmon logs
2025-07-14 03:36:38,336 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2025-07-14 03:36:38,602 [lib.common.results] INFO: File 1752489398524414000.HardwareEvents.evtx.gz size is 359, Max size: 100000000
2025-07-14 03:36:38,618 [lib.common.results] INFO: File 1752489398524414000.Application.evtx.gz size is 6848, Max size: 100000000
2025-07-14 03:36:38,618 [lib.common.results] INFO: File 1752489398555664000.InternetExplorer.evtx.gz size is 251, Max size: 100000000
2025-07-14 03:36:38,649 [lib.common.results] INFO: File 1752489398586914000.OAlerts.evtx.gz size is 243, Max size: 100000000
2025-07-14 03:36:38,665 [lib.common.results] INFO: File 1752489398586914000.KeyManagementService.evtx.gz size is 4963, Max size: 100000000
2025-07-14 03:36:38,665 [lib.common.results] INFO: File 1752489398602539000.Security.evtx.gz size is 7300, Max size: 100000000
2025-07-14 03:36:38,680 [lib.common.results] INFO: File 1752489398618164000.Setup.evtx.gz size is 240, Max size: 100000000
2025-07-14 03:36:38,711 [lib.common.results] INFO: File 1752489398665039000.WindowsPowerShell.evtx.gz size is 3096, Max size: 100000000
2025-07-14 03:36:38,727 [lib.common.results] INFO: File 1752489398649414000.System.evtx.gz size is 8379, Max size: 100000000
2025-07-14 03:36:42,290 [modules.auxiliary.sysmon] INFO: Uploading sysmon/1752489402.290039.sysmon.evtx.gz to host
2025-07-14 03:36:42,290 [lib.common.results] INFO: File C:\Sysmon.evtx.gz size is 5613, Max size: 100000000
2025-07-14 03:36:48,321 [modules.auxiliary.fiddler] ERROR: Saz log file not found in guest machine
2025-07-14 03:36:53,758 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2025-07-14 03:36:53,993 [lib.common.results] INFO: File 1752489413946289000.InternetExplorer.evtx.gz size is 251, Max size: 100000000
2025-07-14 03:36:54,008 [lib.common.results] INFO: File 1752489413946289000.HardwareEvents.evtx.gz size is 359, Max size: 100000000
2025-07-14 03:36:54,024 [lib.common.results] INFO: File 1752489413946289000.Application.evtx.gz size is 6848, Max size: 100000000
2025-07-14 03:36:54,055 [lib.common.results] INFO: File 1752489413993164000.OAlerts.evtx.gz size is 243, Max size: 100000000
2025-07-14 03:36:54,071 [lib.common.results] INFO: File 1752489414008789000.Setup.evtx.gz size is 240, Max size: 100000000
2025-07-14 03:36:54,086 [lib.common.results] INFO: File 1752489413993164000.KeyManagementService.evtx.gz size is 4963, Max size: 100000000
2025-07-14 03:36:54,086 [lib.common.results] INFO: File 1752489414008789000.Security.evtx.gz size is 7362, Max size: 100000000
2025-07-14 03:36:54,102 [lib.common.results] INFO: File 1752489414055664000.WindowsPowerShell.evtx.gz size is 3096, Max size: 100000000
2025-07-14 03:36:54,102 [lib.common.results] INFO: File 1752489414055664000.System.evtx.gz size is 8326, Max size: 100000000
2025-07-14 03:36:57,305 [modules.auxiliary.sysmon] INFO: Dumping sysmon logs
2025-07-14 03:37:02,383 [modules.auxiliary.sysmon] INFO: Uploading sysmon/1752489422.383789.sysmon.evtx.gz to host
2025-07-14 03:37:02,383 [lib.common.results] INFO: File C:\Sysmon.evtx.gz size is 5445, Max size: 100000000
2025-07-14 03:37:08,399 [modules.auxiliary.fiddler] ERROR: Saz log file not found in guest machine
2025-07-14 03:37:09,133 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2025-07-14 03:37:09,618 [lib.common.results] INFO: File 1752489429430664000.HardwareEvents.evtx.gz size is 359, Max size: 100000000
2025-07-14 03:37:09,633 [lib.common.results] INFO: File 1752489429430664000.Application.evtx.gz size is 6848, Max size: 100000000
2025-07-14 03:37:09,665 [lib.common.results] INFO: File 1752489429524414000.InternetExplorer.evtx.gz size is 251, Max size: 100000000
2025-07-14 03:37:09,680 [lib.common.results] INFO: File 1752489429571289000.KeyManagementService.evtx.gz size is 4963, Max size: 100000000
2025-07-14 03:37:09,727 [lib.common.results] INFO: File 1752489429602539000.OAlerts.evtx.gz size is 243, Max size: 100000000
2025-07-14 03:37:09,790 [lib.common.results] INFO: File 1752489429649414000.Setup.evtx.gz size is 240, Max size: 100000000
2025-07-14 03:37:09,805 [lib.common.results] INFO: File 1752489429649414000.Security.evtx.gz size is 6974, Max size: 100000000
2025-07-14 03:37:09,821 [lib.common.results] INFO: File 1752489429665039000.WindowsPowerShell.evtx.gz size is 3096, Max size: 100000000
2025-07-14 03:37:09,836 [lib.common.results] INFO: File 1752489429649414000.System.evtx.gz size is 8351, Max size: 100000000
2025-07-14 03:37:17,399 [modules.auxiliary.sysmon] INFO: Dumping sysmon logs
2025-07-14 03:37:22,493 [modules.auxiliary.sysmon] INFO: Uploading sysmon/1752489442.493164.sysmon.evtx.gz to host
2025-07-14 03:37:22,508 [lib.common.results] INFO: File C:\Sysmon.evtx.gz size is 5537, Max size: 100000000
2025-07-14 03:37:24,883 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2025-07-14 03:37:25,149 [lib.common.results] INFO: File 1752489445071289000.HardwareEvents.evtx.gz size is 359, Max size: 100000000
2025-07-14 03:37:25,180 [lib.common.results] INFO: File 1752489445071289000.Application.evtx.gz size is 6848, Max size: 100000000
2025-07-14 03:37:25,211 [lib.common.results] INFO: File 1752489445102539000.InternetExplorer.evtx.gz size is 251, Max size: 100000000
2025-07-14 03:37:25,227 [lib.common.results] INFO: File 1752489445102539000.KeyManagementService.evtx.gz size is 4963, Max size: 100000000
2025-07-14 03:37:25,243 [lib.common.results] INFO: File 1752489445149414000.OAlerts.evtx.gz size is 243, Max size: 100000000
2025-07-14 03:37:25,258 [lib.common.results] INFO: File 1752489445165039000.Setup.evtx.gz size is 240, Max size: 100000000
2025-07-14 03:37:25,274 [lib.common.results] INFO: File 1752489445149414000.Security.evtx.gz size is 7242, Max size: 100000000
2025-07-14 03:37:25,274 [lib.common.results] INFO: File 1752489445180664000.System.evtx.gz size is 8353, Max size: 100000000
2025-07-14 03:37:25,290 [lib.common.results] INFO: File 1752489445211914000.WindowsPowerShell.evtx.gz size is 3096, Max size: 100000000
2025-07-14 03:37:28,508 [modules.auxiliary.fiddler] ERROR: Saz log file not found in guest machine
2025-07-14 03:37:37,524 [modules.auxiliary.sysmon] INFO: Dumping sysmon logs
2025-07-14 03:37:40,336 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2025-07-14 03:37:40,602 [lib.common.results] INFO: File 1752489460524414000.HardwareEvents.evtx.gz size is 359, Max size: 100000000
2025-07-14 03:37:40,618 [lib.common.results] INFO: File 1752489460555664000.InternetExplorer.evtx.gz size is 251, Max size: 100000000
2025-07-14 03:37:40,633 [lib.common.results] INFO: File 1752489460524414000.Application.evtx.gz size is 6848, Max size: 100000000
2025-07-14 03:37:40,649 [lib.common.results] INFO: File 1752489460555664000.KeyManagementService.evtx.gz size is 4963, Max size: 100000000
2025-07-14 03:37:40,665 [lib.common.results] INFO: File 1752489460586914000.OAlerts.evtx.gz size is 243, Max size: 100000000
2025-07-14 03:37:40,680 [lib.common.results] INFO: File 1752489460602539000.Setup.evtx.gz size is 240, Max size: 100000000
2025-07-14 03:37:40,696 [lib.common.results] INFO: File 1752489460602539000.Security.evtx.gz size is 7150, Max size: 100000000
2025-07-14 03:37:40,696 [lib.common.results] INFO: File 1752489460618164000.System.evtx.gz size is 8377, Max size: 100000000
2025-07-14 03:37:40,711 [lib.common.results] INFO: File 1752489460665039000.WindowsPowerShell.evtx.gz size is 3096, Max size: 100000000
2025-07-14 03:37:42,618 [modules.auxiliary.sysmon] INFO: Uploading sysmon/1752489462.618164.sysmon.evtx.gz to host
2025-07-14 03:37:42,618 [lib.common.results] INFO: File C:\Sysmon.evtx.gz size is 5542, Max size: 100000000
2025-07-14 03:37:48,586 [modules.auxiliary.fiddler] ERROR: Saz log file not found in guest machine
2025-07-14 03:37:55,790 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2025-07-14 03:37:56,055 [lib.common.results] INFO: File 1752489475993164000.HardwareEvents.evtx.gz size is 359, Max size: 100000000
2025-07-14 03:37:56,071 [lib.common.results] INFO: File 1752489476024414000.InternetExplorer.evtx.gz size is 251, Max size: 100000000
2025-07-14 03:37:56,086 [lib.common.results] INFO: File 1752489475977539000.Application.evtx.gz size is 6848, Max size: 100000000
2025-07-14 03:37:56,118 [lib.common.results] INFO: File 1752489476071289000.Setup.evtx.gz size is 240, Max size: 100000000
2025-07-14 03:37:56,133 [lib.common.results] INFO: File 1752489476040039000.KeyManagementService.evtx.gz size is 4963, Max size: 100000000
2025-07-14 03:37:56,149 [lib.common.results] INFO: File 1752489476055664000.Security.evtx.gz size is 7117, Max size: 100000000
2025-07-14 03:37:56,149 [lib.common.results] INFO: File 1752489476055664000.OAlerts.evtx.gz size is 243, Max size: 100000000
2025-07-14 03:37:56,165 [lib.common.results] INFO: File 1752489476118164000.WindowsPowerShell.evtx.gz size is 3096, Max size: 100000000
2025-07-14 03:37:56,165 [lib.common.results] INFO: File 1752489476118164000.System.evtx.gz size is 8352, Max size: 100000000
2025-07-14 03:37:57,633 [modules.auxiliary.sysmon] INFO: Dumping sysmon logs
2025-07-14 03:38:02,680 [modules.auxiliary.sysmon] INFO: Uploading sysmon/1752489482.680664.sysmon.evtx.gz to host
2025-07-14 03:38:02,696 [lib.common.results] INFO: File C:\Sysmon.evtx.gz size is 5480, Max size: 100000000
2025-07-14 03:38:08,665 [modules.auxiliary.fiddler] ERROR: Saz log file not found in guest machine
2025-07-14 03:38:10,383 [root] DEBUG: 664: CreateProcessHandler: Injection info set for new process 2392: C:\Windows\system32\wbem\wmiprvse.exe, ImageBase: 0x000000013F340000
2025-07-14 03:38:10,383 [root] INFO: Announced 64-bit process name: WmiPrvSE.exe pid: 2392
2025-07-14 03:38:10,383 [lib.api.process] INFO: Monitor config for process 2392: C:\tmpd65zellw\dll\2392.ini
2025-07-14 03:38:10,383 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2025-07-14 03:38:10,383 [lib.api.process] INFO: Option 'amsidump' with value '1' sent to monitor
2025-07-14 03:38:10,383 [lib.api.process] INFO: Option 'disable_hook_content' with value '3' sent to monitor
2025-07-14 03:38:10,383 [lib.api.process] INFO: Option 'injection' with value '0' sent to monitor
2025-07-14 03:38:10,383 [lib.api.process] INFO: Option 'yarascan' with value '0' sent to monitor
2025-07-14 03:38:10,383 [lib.api.process] INFO: Option 'caller_dump' with value '0' sent to monitor
2025-07-14 03:38:10,383 [lib.api.process] INFO: Option 'ntdll_protoect' with value '0' sent to monitor
2025-07-14 03:38:10,383 [lib.api.process] INFO: Option 'compression' with value '0' sent to monitor
2025-07-14 03:38:10,383 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpd65zellw\dll\AQErat.dll, loader C:\tmpd65zellw\bin\OQUAtNTA.exe
2025-07-14 03:38:10,399 [root] DEBUG: Loader: Injecting process 2392 (thread 3052) with C:\tmpd65zellw\dll\AQErat.dll.
2025-07-14 03:38:10,399 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-07-14 03:38:10,399 [root] DEBUG: Successfully injected DLL C:\tmpd65zellw\dll\AQErat.dll.
2025-07-14 03:38:10,399 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2392
2025-07-14 03:38:10,399 [root] WARNING: Received request to inject process with pid 2392, skipped: already in inject list
2025-07-14 03:38:10,415 [root] DEBUG: 2392: Python path set to 'C:\olddocs'.
2025-07-14 03:38:10,415 [root] DEBUG: 2392: Process dumps enabled.
2025-07-14 03:38:10,415 [root] DEBUG: 2392: AMSI dumping enabled.
2025-07-14 03:38:10,415 [root] DEBUG: 2392: In-monitor YARA scans disabled.
2025-07-14 03:38:10,415 [root] DEBUG: 2392: Monitor config - unrecognised key caller_dump.
2025-07-14 03:38:10,415 [root] DEBUG: 2392: Monitor config - unrecognised key ntdll_protoect.
2025-07-14 03:38:10,430 [root] DEBUG: 2392: Monitor config - unrecognised key compression.
2025-07-14 03:38:10,430 [root] DEBUG: 2392: Dropped file limit defaulting to 100.
2025-07-14 03:38:10,430 [root] DEBUG: 2392: Disabling sleep skipping.
2025-07-14 03:38:10,430 [root] DEBUG: 2392: Monitor initialised: 64-bit capemon loaded in process 2392 at 0x000007FEED310000, thread 3052, image base 0x000000013F340000, stack from 0x0000000000190000-0x00000000001A0000
2025-07-14 03:38:10,430 [root] DEBUG: 2392: Commandline: C:\Windows\system32\wbem\wmiprvse.exe -Embedding
2025-07-14 03:38:10,477 [root] WARNING: b'Unable to place hook on LockResource'
2025-07-14 03:38:10,477 [root] DEBUG: 2392: set_hooks: Unable to hook LockResource
2025-07-14 03:38:10,477 [root] DEBUG: 2392: Hooked 609 out of 610 functions
2025-07-14 03:38:10,493 [root] INFO: Loaded monitor into process with pid 2392
2025-07-14 03:38:10,493 [root] DEBUG: 2392: caller_dispatch: Added region at 0x000000013F340000 to tracked regions list (advapi32::RegOpenKeyExW returns to 0x000000013F348237, thread 3052).
2025-07-14 03:38:10,493 [root] DEBUG: 2392: ProcessImageBase: Main module image at 0x000000013F340000 unmodified (entropy change 0.000000e+00)
2025-07-14 03:38:10,508 [root] DEBUG: 2392: DLL loaded at 0x000007FEFCFE0000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2025-07-14 03:38:10,508 [root] DEBUG: 2392: DLL loaded at 0x000007FEFBEC0000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2025-07-14 03:38:10,508 [root] DEBUG: 2392: DLL loaded at 0x000007FEFEC30000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2025-07-14 03:38:10,524 [root] DEBUG: 2392: DLL loaded at 0x000007FEFD810000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2025-07-14 03:38:10,524 [root] INFO: got call to handle wmi inside dcom lock
2025-07-14 03:38:10,524 [lib.api.process] INFO: Monitor config for process 2456: C:\tmpd65zellw\dll\2456.ini
2025-07-14 03:38:10,524 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2025-07-14 03:38:10,524 [lib.api.process] INFO: Option 'amsidump' with value '1' sent to monitor
2025-07-14 03:38:10,524 [lib.api.process] INFO: Option 'disable_hook_content' with value '3' sent to monitor
2025-07-14 03:38:10,524 [lib.api.process] INFO: Option 'injection' with value '0' sent to monitor
2025-07-14 03:38:10,524 [lib.api.process] INFO: Option 'yarascan' with value '0' sent to monitor
2025-07-14 03:38:10,524 [lib.api.process] INFO: Option 'caller_dump' with value '0' sent to monitor
2025-07-14 03:38:10,524 [lib.api.process] INFO: Option 'ntdll_protoect' with value '0' sent to monitor
2025-07-14 03:38:10,524 [lib.api.process] INFO: Option 'compression' with value '0' sent to monitor
2025-07-14 03:38:10,540 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpd65zellw\dll\AQErat.dll, loader C:\tmpd65zellw\bin\OQUAtNTA.exe
2025-07-14 03:38:10,540 [root] DEBUG: Loader: Injecting process 2456 with C:\tmpd65zellw\dll\AQErat.dll.
2025-07-14 03:38:10,555 [root] DEBUG: 2456: Python path set to 'C:\olddocs'.
2025-07-14 03:38:10,555 [root] DEBUG: 2456: Disabling sleep skipping.
2025-07-14 03:38:10,571 [root] DEBUG: 2456: Process dumps enabled.
2025-07-14 03:38:10,571 [root] DEBUG: 2456: AMSI dumping enabled.
2025-07-14 03:38:10,571 [root] DEBUG: 2456: In-monitor YARA scans disabled.
2025-07-14 03:38:10,571 [root] DEBUG: 2456: Monitor config - unrecognised key caller_dump.
2025-07-14 03:38:10,571 [root] DEBUG: 2456: Monitor config - unrecognised key ntdll_protoect.
2025-07-14 03:38:10,571 [root] DEBUG: 2456: Monitor config - unrecognised key compression.
2025-07-14 03:38:10,571 [root] DEBUG: 2456: Dropped file limit defaulting to 100.
2025-07-14 03:38:10,571 [root] DEBUG: 2456: parent_has_path: unable to get path for parent process 544
2025-07-14 03:38:10,571 [root] DEBUG: 2456: Monitor initialised: 64-bit capemon loaded in process 2456 at 0x000007FEED310000, thread 2956, image base 0x00000000FF290000, stack from 0x0000000000342000-0x0000000000350000
2025-07-14 03:38:10,571 [root] DEBUG: 2456: Commandline: C:\Windows\system32\svchost.exe -k netsvcs
2025-07-14 03:38:10,618 [root] WARNING: b'Unable to place hook on LockResource'
2025-07-14 03:38:10,618 [root] DEBUG: 2456: set_hooks: Unable to hook LockResource
2025-07-14 03:38:10,618 [root] DEBUG: 2456: Hooked 609 out of 610 functions
2025-07-14 03:38:10,633 [root] INFO: Loaded monitor into process with pid 2456
2025-07-14 03:38:10,633 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-07-14 03:38:10,633 [root] DEBUG: Successfully injected DLL C:\tmpd65zellw\dll\AQErat.dll.
2025-07-14 03:38:10,633 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2456
2025-07-14 03:38:11,196 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2025-07-14 03:38:11,461 [lib.common.results] INFO: File 1752489491399414000.HardwareEvents.evtx.gz size is 359, Max size: 100000000
2025-07-14 03:38:11,477 [lib.common.results] INFO: File 1752489491399414000.Application.evtx.gz size is 6848, Max size: 100000000
2025-07-14 03:38:11,493 [lib.common.results] INFO: File 1752489491430664000.InternetExplorer.evtx.gz size is 251, Max size: 100000000
2025-07-14 03:38:11,508 [lib.common.results] INFO: File 1752489491461914000.Security.evtx.gz size is 7182, Max size: 100000000
2025-07-14 03:38:11,524 [lib.common.results] INFO: File 1752489491446289000.KeyManagementService.evtx.gz size is 4963, Max size: 100000000
2025-07-14 03:38:11,540 [lib.common.results] INFO: File 1752489491461914000.OAlerts.evtx.gz size is 243, Max size: 100000000
2025-07-14 03:38:11,555 [lib.common.results] INFO: File 1752489491493164000.Setup.evtx.gz size is 240, Max size: 100000000
2025-07-14 03:38:11,571 [lib.common.results] INFO: File 1752489491524414000.WindowsPowerShell.evtx.gz size is 3096, Max size: 100000000
2025-07-14 03:38:11,586 [lib.common.results] INFO: File 1752489491508789000.System.evtx.gz size is 8374, Max size: 100000000
2025-07-14 03:38:12,633 [root] DEBUG: 2392: DLL loaded at 0x000007FEF9EB0000: C:\Windows\system32\wbem\wbemprox (0xe000 bytes).
2025-07-14 03:38:12,633 [root] DEBUG: 2392: DLL loaded at 0x000007FEFC930000: C:\Windows\system32\CRYPTSP (0x18000 bytes).
2025-07-14 03:38:12,633 [root] DEBUG: 2392: DLL loaded at 0x000007FEFC630000: C:\Windows\system32\rsaenh (0x47000 bytes).
2025-07-14 03:38:12,649 [root] DEBUG: 2392: DLL loaded at 0x000007FEFD090000: C:\Windows\system32\RpcRtRemote (0x14000 bytes).
2025-07-14 03:38:12,665 [root] DEBUG: 2392: DLL loaded at 0x000007FEF9420000: C:\Windows\system32\wbem\wbemsvc (0x13000 bytes).
2025-07-14 03:38:12,680 [root] INFO: got call to handle wmi inside dcom lock
2025-07-14 03:38:12,696 [root] INFO: got call to handle wmi inside dcom lock
2025-07-14 03:38:12,696 [root] INFO: got call to handle wmi inside dcom lock
2025-07-14 03:38:12,711 [root] INFO: got call to handle wmi inside dcom lock
2025-07-14 03:38:12,727 [root] INFO: got call to handle wmi inside dcom lock
2025-07-14 03:38:12,727 [root] DEBUG: 2392: DLL loaded at 0x000007FEF9350000: C:\Windows\system32\wbem\wmiutils (0x21000 bytes).
2025-07-14 03:38:12,727 [root] INFO: got call to handle wmi inside dcom lock
2025-07-14 03:38:12,743 [root] INFO: got call to handle wmi inside dcom lock
2025-07-14 03:38:12,743 [root] INFO: got call to handle wmi inside dcom lock
2025-07-14 03:38:12,743 [root] INFO: got call to handle wmi inside dcom lock
2025-07-14 03:38:12,743 [root] INFO: got call to handle wmi inside dcom lock
2025-07-14 03:38:12,758 [root] INFO: got call to handle wmi inside dcom lock
2025-07-14 03:38:12,758 [root] INFO: got call to handle wmi inside dcom lock
2025-07-14 03:38:12,758 [root] INFO: got call to handle wmi inside dcom lock
2025-07-14 03:38:12,758 [root] INFO: got call to handle wmi inside dcom lock
2025-07-14 03:38:12,774 [root] DEBUG: 2392: DLL loaded at 0x000007FEF6560000: C:\Windows\system32\wbem\wmiprov (0x3c000 bytes).
2025-07-14 03:38:12,774 [root] DEBUG: 2392: DLL loaded at 0x000007FEF64D0000: C:\Windows\system32\wbemcomn (0x86000 bytes).
2025-07-14 03:38:12,790 [root] INFO: got call to handle wmi inside dcom lock
2025-07-14 03:38:12,805 [root] INFO: got call to handle wmi inside dcom lock
2025-07-14 03:38:12,821 [root] INFO: got call to handle wmi inside dcom lock
2025-07-14 03:38:12,836 [root] INFO: got call to handle wmi inside dcom lock
2025-07-14 03:38:12,836 [root] INFO: got call to handle wmi inside dcom lock
2025-07-14 03:38:12,852 [root] INFO: got call to handle wmi inside dcom lock
2025-07-14 03:38:12,852 [root] INFO: got call to handle wmi inside dcom lock
2025-07-14 03:38:12,852 [root] INFO: got call to handle wmi inside dcom lock
2025-07-14 03:38:12,852 [root] INFO: got call to handle wmi inside dcom lock
2025-07-14 03:38:12,852 [root] INFO: got call to handle wmi inside dcom lock
2025-07-14 03:38:12,868 [root] INFO: got call to handle wmi inside dcom lock
2025-07-14 03:38:12,868 [root] INFO: got call to handle wmi inside dcom lock
2025-07-14 03:38:12,868 [root] INFO: got call to handle wmi inside dcom lock
2025-07-14 03:38:12,868 [root] INFO: got call to handle wmi inside dcom lock
2025-07-14 03:38:12,868 [root] INFO: got call to handle wmi inside dcom lock
2025-07-14 03:38:12,883 [root] INFO: got call to handle wmi inside dcom lock
2025-07-14 03:38:12,883 [root] INFO: got call to handle wmi inside dcom lock
2025-07-14 03:38:12,899 [root] INFO: got call to handle wmi inside dcom lock
2025-07-14 03:38:12,899 [root] INFO: got call to handle wmi inside dcom lock
2025-07-14 03:38:12,915 [root] INFO: got call to handle wmi inside dcom lock
2025-07-14 03:38:12,915 [root] INFO: got call to handle wmi inside dcom lock
2025-07-14 03:38:12,915 [root] INFO: got call to handle wmi inside dcom lock
2025-07-14 03:38:12,930 [root] INFO: got call to handle wmi inside dcom lock
2025-07-14 03:38:12,930 [root] INFO: got call to handle wmi inside dcom lock
2025-07-14 03:38:12,930 [root] INFO: got call to handle wmi inside dcom lock
2025-07-14 03:38:12,930 [root] INFO: got call to handle wmi inside dcom lock
2025-07-14 03:38:12,946 [root] INFO: got call to handle wmi inside dcom lock
2025-07-14 03:38:13,180 [root] DEBUG: 2456: api-rate-cap: NtSetInformationThread hook disabled due to rate
2025-07-14 03:38:13,196 [root] DEBUG: 2456: api-rate-cap: NtClose hook disabled due to rate
2025-07-14 03:38:13,290 [root] INFO: got call to handle wmi inside dcom lock
2025-07-14 03:38:17,711 [modules.auxiliary.sysmon] INFO: Dumping sysmon logs
2025-07-14 03:38:22,790 [modules.auxiliary.sysmon] INFO: Uploading sysmon/1752489502.790039.sysmon.evtx.gz to host
2025-07-14 03:38:22,790 [lib.common.results] INFO: File C:\Sysmon.evtx.gz size is 17575, Max size: 100000000
2025-07-14 03:38:26,649 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2025-07-14 03:38:26,899 [lib.common.results] INFO: File 1752489506852539000.InternetExplorer.evtx.gz size is 251, Max size: 100000000
2025-07-14 03:38:26,915 [lib.common.results] INFO: File 1752489506821289000.Application.evtx.gz size is 7118, Max size: 100000000
2025-07-14 03:38:26,930 [lib.common.results] INFO: File 1752489506852539000.HardwareEvents.evtx.gz size is 359, Max size: 100000000
2025-07-14 03:38:26,961 [lib.common.results] INFO: File 1752489506883789000.KeyManagementService.evtx.gz size is 4963, Max size: 100000000
2025-07-14 03:38:26,977 [lib.common.results] INFO: File 1752489506899414000.OAlerts.evtx.gz size is 243, Max size: 100000000
2025-07-14 03:38:26,993 [lib.common.results] INFO: File 1752489506915039000.Security.evtx.gz size is 7236, Max size: 100000000
2025-07-14 03:38:27,008 [lib.common.results] INFO: File 1752489506946289000.Setup.evtx.gz size is 240, Max size: 100000000
2025-07-14 03:38:27,024 [lib.common.results] INFO: File 1752489506961914000.WindowsPowerShell.evtx.gz size is 3096, Max size: 100000000
2025-07-14 03:38:27,024 [lib.common.results] INFO: File 1752489506961914000.System.evtx.gz size is 8361, Max size: 100000000
2025-07-14 03:38:28,743 [modules.auxiliary.fiddler] ERROR: Saz log file not found in guest machine
2025-07-14 03:38:37,805 [modules.auxiliary.sysmon] INFO: Dumping sysmon logs
2025-07-14 03:38:42,055 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2025-07-14 03:38:42,290 [lib.common.results] INFO: File 1752489522227539000.HardwareEvents.evtx.gz size is 359, Max size: 100000000
2025-07-14 03:38:42,305 [lib.common.results] INFO: File 1752489522227539000.Application.evtx.gz size is 7060, Max size: 100000000
2025-07-14 03:38:42,321 [lib.common.results] INFO: File 1752489522274414000.InternetExplorer.evtx.gz size is 251, Max size: 100000000
2025-07-14 03:38:42,352 [lib.common.results] INFO: File 1752489522290039000.KeyManagementService.evtx.gz size is 4963, Max size: 100000000
2025-07-14 03:38:42,368 [lib.common.results] INFO: File 1752489522290039000.OAlerts.evtx.gz size is 243, Max size: 100000000
2025-07-14 03:38:42,368 [lib.common.results] INFO: File 1752489522321289000.Setup.evtx.gz size is 240, Max size: 100000000
2025-07-14 03:38:42,383 [lib.common.results] INFO: File 1752489522305664000.Security.evtx.gz size is 7162, Max size: 100000000
2025-07-14 03:38:42,415 [lib.common.results] INFO: File 1752489522352539000.WindowsPowerShell.evtx.gz size is 3096, Max size: 100000000
2025-07-14 03:38:42,415 [lib.common.results] INFO: File 1752489522352539000.System.evtx.gz size is 8360, Max size: 100000000
2025-07-14 03:38:42,883 [modules.auxiliary.sysmon] INFO: Uploading sysmon/1752489522.883789.sysmon.evtx.gz to host
2025-07-14 03:38:42,883 [lib.common.results] INFO: File C:\Sysmon.evtx.gz size is 6736, Max size: 100000000
2025-07-14 03:38:48,805 [modules.auxiliary.fiddler] ERROR: Saz log file not found in guest machine
2025-07-14 03:38:56,493 [root] INFO: Analysis timeout hit, terminating analysis
2025-07-14 03:38:56,493 [lib.api.process] INFO: Terminate event set for process 664
2025-07-14 03:38:56,493 [root] DEBUG: 664: Terminate Event: Attempting to dump process 664
2025-07-14 03:38:56,493 [root] DEBUG: 664: DoProcessDump: Skipping process dump as code is identical on disk.
2025-07-14 03:38:56,508 [lib.api.process] INFO: Termination confirmed for process 664
2025-07-14 03:38:56,508 [root] DEBUG: 664: Terminate Event: monitor shutdown complete for process 664
2025-07-14 03:38:56,508 [root] INFO: Terminate event set for process 664
2025-07-14 03:38:56,508 [lib.api.process] INFO: Terminate event set for process 2392
2025-07-14 03:38:56,508 [root] DEBUG: 2392: Terminate Event: Attempting to dump process 2392
2025-07-14 03:38:56,508 [root] DEBUG: 2392: DoProcessDump: Skipping process dump as code is identical on disk.
2025-07-14 03:38:56,508 [lib.api.process] INFO: Termination confirmed for process 2392
2025-07-14 03:38:56,524 [root] INFO: Terminate event set for process 2392
2025-07-14 03:38:56,524 [root] DEBUG: 2392: Terminate Event: monitor shutdown complete for process 2392
2025-07-14 03:38:56,524 [lib.api.process] INFO: Terminate event set for process 2456
2025-07-14 03:38:56,524 [root] DEBUG: 2456: Terminate Event: Attempting to dump process 2456
2025-07-14 03:38:56,524 [root] DEBUG: 2456: DoProcessDump: Skipping process dump as code is identical on disk.
2025-07-14 03:38:56,524 [lib.api.process] INFO: Termination confirmed for process 2456
2025-07-14 03:38:56,540 [root] DEBUG: 2456: Terminate Event: monitor shutdown complete for process 2456
2025-07-14 03:38:56,540 [root] INFO: Terminate event set for process 2456
2025-07-14 03:38:56,540 [root] INFO: Created shutdown mutex
2025-07-14 03:38:57,446 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2025-07-14 03:38:57,586 [root] INFO: Shutting down package
2025-07-14 03:38:57,586 [root] INFO: Stopping auxiliary modules
2025-07-14 03:38:57,586 [modules.auxiliary.curtain] ERROR: Curtain - Error collecting PowerShell events - [WinError 6] The handle is invalid
2025-07-14 03:38:57,586 [lib.common.results] INFO: File C:\curtain.log size is 0, Max size: 100000000
2025-07-14 03:38:57,618 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2025-07-14 03:38:57,883 [lib.common.results] INFO: File 1752489537633789000.InternetExplorer.evtx.gz size is 251, Max size: 100000000
2025-07-14 03:38:57,899 [lib.common.results] INFO: File 1752489537633789000.HardwareEvents.evtx.gz size is 359, Max size: 100000000
2025-07-14 03:38:57,899 [modules.auxiliary.sysmon] INFO: Dumping sysmon logs
2025-07-14 03:38:57,915 [lib.common.results] INFO: File 1752489537618164000.Application.evtx.gz size is 7060, Max size: 100000000
2025-07-14 03:38:57,930 [lib.common.results] INFO: File 1752489537680664000.KeyManagementService.evtx.gz size is 4963, Max size: 100000000
2025-07-14 03:38:57,961 [lib.common.results] INFO: File 1752489537852539000.InternetExplorer.evtx.gz size is 251, Max size: 100000000
2025-07-14 03:38:57,977 [lib.common.results] INFO: File 1752489537821289000.Application.evtx.gz size is 7060, Max size: 100000000
2025-07-14 03:38:57,993 [lib.common.results] INFO: File 1752489537852539000.KeyManagementService.evtx.gz size is 4963, Max size: 100000000
2025-07-14 03:38:57,993 [lib.common.results] INFO: File 1752489537899414000.System.evtx.gz size is 8313, Max size: 100000000
2025-07-14 03:38:58,024 [lib.common.results] INFO: File 1752489537883789000.OAlerts.evtx.gz size is 243, Max size: 100000000
2025-07-14 03:38:58,024 [lib.common.results] INFO: File 1752489537852539000.HardwareEvents.evtx.gz size is 359, Max size: 100000000
2025-07-14 03:38:58,040 [lib.common.results] INFO: File 1752489537883789000.Security.evtx.gz size is 7209, Max size: 100000000
2025-07-14 03:38:58,055 [lib.common.results] INFO: File 1752489537883789000.Setup.evtx.gz size is 240, Max size: 100000000
2025-07-14 03:38:58,055 [lib.common.results] INFO: File 1752489537946289000.Security.evtx.gz size is 7195, Max size: 100000000
2025-07-14 03:38:58,071 [lib.common.results] INFO: File 1752489537946289000.OAlerts.evtx.gz size is 243, Max size: 100000000
2025-07-14 03:38:58,086 [lib.common.results] INFO: File 1752489537961914000.Setup.evtx.gz size is 240, Max size: 100000000
2025-07-14 03:38:58,102 [lib.common.results] INFO: File 1752489537993164000.WindowsPowerShell.evtx.gz size is 3096, Max size: 100000000
2025-07-14 03:38:58,102 [lib.common.results] INFO: File 1752489538024414000.System.evtx.gz size is 8343, Max size: 100000000
2025-07-14 03:38:58,118 [lib.common.results] INFO: File 1752489538055664000.WindowsPowerShell.evtx.gz size is 3096, Max size: 100000000
2025-07-14 03:39:03,086 [modules.auxiliary.sysmon] INFO: Uploading sysmon/1752489543.086914.sysmon.evtx.gz to host
2025-07-14 03:39:03,086 [lib.common.results] INFO: File C:\Sysmon.evtx.gz size is 6283, Max size: 100000000
2025-07-14 03:39:03,211 [modules.auxiliary.fiddler] ERROR: Saz log file not found in guest machine
2025-07-14 03:39:03,211 [modules.auxiliary.sysmon] INFO: Doing final sysmon log dump
2025-07-14 03:39:08,274 [modules.auxiliary.sysmon] INFO: Uploading sysmon/1752489548.274414.sysmon.evtx.gz to host
2025-07-14 03:39:08,290 [lib.common.results] INFO: File C:\Sysmon.evtx.gz size is 5553, Max size: 100000000
2025-07-14 03:39:08,305 [root] INFO: Finishing auxiliary modules
2025-07-14 03:39:08,305 [root] INFO: Shutting down pipe server and dumping dropped files
2025-07-14 03:39:08,305 [root] WARNING: Folder at path "C:\AJTYXNpIQ\debugger" does not exist, skipping
2025-07-14 03:39:08,305 [root] WARNING: Folder at path "C:\AJTYXNpIQ\tlsdump" does not exist, skipping
2025-07-14 03:39:08,305 [root] INFO: Analysis completed

Machine

Name Label Manager Started On Shutdown On Route
win7office2k3flash2800137TWN3H104 win7office2k3flash2800137TWN3H104 KVM 2025-07-14 10:34:04 2025-07-14 10:39:18 internet

File Details

File Name PointDragControls.js
File Size 25122 bytes
File Type ASCII text
MD5 f9ce25c8a6ae1309c62ee8225850af5a
SHA1 ed702e74337702868adf5dd5a823809f2d83cb21
SHA256 19d638c8730931e0a710007d3d1a0e2ae9336a5a98031ae041f6dee0d6e7c52b
SHA512 426827e2aa93342be90191801d381b3d8c401613aee950d06df206f8f7c5371f780ef7b416306dcda0920bc55a699b2016ed969f1c4046b06cb6f8735ae90c29
SHA3-384 48f973e40dfd85a4032624ca7070b565cd7f701b41a658d13f35de7876fdb29d15a43df939099c0942cf3b0e3c14a8b6
CRC32 743090F2
TLSH T13AB2514A58B738268853657D67DF9844B23A84030949EC947ECCD284CF85B3D8EFE7DA
Ssdeep 768:4on794PKH2LlHmsVoXVYytzLF2VxQGTKUFJ:4o5Iv
File
                                    
                                
/* point_drag_controls.js
** Tom Gracey August 2017
**
** Controls for translating or rotating individual 
** objects about specific points under three.js
**
** Version 0.2 
** December 2017
**
** (c) Virtual Blue LTD. 2017
** Released under the MIT license
*/


THREE.PointDragControls = function(){
                                             
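    // Shared controller state (the "globals" bag). It is reachable from outside
    // as THREE.PointDragControls.globals, but callers should normally go through
    // an accessor such as .toggle_mode() or .set_mode() rather than poking it.
    //
    // The original literal declared `pointer` twice (first as a THREE.Vector2,
    // then as the {current,last,orig} record below). In a JS object literal the
    // last duplicate key wins, so the Vector2 was never reachable; it is dropped
    // here so that every key has exactly one definition.
    this.globals = {

        raycaster:              new THREE.Raycaster(),

        rev_intercept_from:     99999999,               // horrible! *'far' of infinity means nothing while this 
                                                        // number exists* because it effectively defines the far 
                                                        // position beyond which the controls will stop working.
                                                        // See where this variable is used in calculation for more info
                                                        // TODO: find a better way of doing this

        pointer: {                                      // mouse position or touch location; each entry is an
                                                        // {x, y} record in client (screen pixel) coordinates
            current:            undefined,              // where the pointer is now
            last:               undefined,              // where it was before
            orig:               undefined               // where it was when the object was clicked
        },

        intersect: {                                    // world coord points where the mouse click intercepts
            forward:            undefined,              // (forward) the front of the object 
            reverse:            undefined,              // (reverse) the back of the object
            offset:             undefined               // vector from the origin of the object to the intercept point
        },

        active_axes: {
            r:                  undefined,              // rotation axis label (world coords) x, y or z
            t:                  undefined               // translation axis (world coords) x, y or z
        },
        
        origin_touch_id:        undefined,              // for remembering the id of the touch event occurring 
                                                        // on the object to be rotated (in the 2 touch event
                                                        // situation, which is basically confined to z rotations
                                                        // on touch devices)
    
        init_dt:                { x: 0, y: 0 },         // for remembering total mouse movement before we decide
                                                        // which is the active axis

        dt:                     { x: 0, y: 0 },         // size of mouse (or finger) movement during current cycle
                                            
        mode:                   undefined,              // modes are 'rotate' or 'translate'. Initial mode is 
                                                        // defined in defaults
        
        click_timer:            undefined,              // for detecting double-click or double-tap
        
        double_click_timeout:   500,                    // max time diff between clicks (taps) to qualify as a 
                                                        // double click (in ms)
                                                        
        object_id_index:        []                      // uuids of the registered objects, kept parallel to the
                                                        // objects array so membership checks are cheap
    };
    
    
    // Short alias used by every inner function below.
    var g = this.globals;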
       
    // Switches the controller into `new_mode`, which must be exactly 'rotate'
    // or 'translate'. Any other value is rejected by throwing; g.mode is left
    // untouched in that case.
    function set_mode(new_mode){
        var is_known = (new_mode == 'rotate') || (new_mode == 'translate');
        if (!is_known){
            throw "Invalid mode: "+new_mode+" not recognised";
        }
        g.mode = new_mode;
    };
    
    // Flips g.mode between 'translate' and 'rotate'. If the current mode is
    // neither (e.g. still undefined because init has not run) it throws and
    // g.mode is left as it was.
    function toggle_mode(){
        var current = g.mode;
        var next;
        if (current == 'translate'){
            next = 'rotate';
        } else if (current == 'rotate'){
            next = 'translate';
        }
        if (typeof next == 'undefined'){
            throw "invalid mode: "+g.mode+" not recognised";
        }
        g.mode = next;
    };
    
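    // Registers additional objects with the controls. Each object is keyed by
    // its uuid in g.object_id_index, so repeated calls (or duplicates within a
    // single call) never register the same object twice. p.objects is the array
    // the raycaster is tested against; `p` lives in an enclosing scope and is
    // presumably set up by init — confirm it is not a `var` local to init,
    // otherwise this function cannot see it.
    //
    // The previous version compared against a bare, undeclared `object_id_index`
    // and pushed from inside the search loop, so nothing was ever added to an
    // empty index and later adds could be duplicated.
    //
    // objects: array of three.js objects (anything with a .uuid); a missing
    //          or empty array is a no-op.
    function include(objects){
        if (!objects){ return; }
        for (var i = 0; i <= objects.length - 1; i++){
            var uuid = objects[i].uuid;
            var already_included = g.object_id_index.indexOf(uuid) !== -1;
            if (! already_included ){
                p.objects.push( objects[i] );
                g.object_id_index.push( uuid );
            }
        }
    }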
        
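    // Removes objects from the controls, matching on uuid. Both p.objects and
    // g.object_id_index are spliced at the same position so they stay parallel.
    // `p` lives in an enclosing scope (presumably set up by init — confirm it is
    // visible here).
    //
    // The previous version read g.object_index (which does not exist), iterated
    // one past the end of the index, and spliced while walking forwards, which
    // skips the element that shifts into the removed slot. Walking backwards
    // avoids the skip.
    //
    // objects: array of three.js objects (anything with a .uuid); objects that
    //          were never included are ignored. A missing array is a no-op.
    function exclude(objects){
        if (!objects){ return; }
        for ( var i = 0; i <= objects.length - 1; i++ ){
            var uuid = objects[i].uuid;
            for ( var j = g.object_id_index.length - 1; j >= 0; j-- ){
                if ( g.object_id_index[j] == uuid ){
                    p.objects.splice(j,1);
                    g.object_id_index.splice(j,1);
                }
            }
        }
    }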

        
    this.init = function(scene,camera,renderer,options){
        
        var defaults = {
    
            objects:            scene.children,     // array of objects to apply controls to
            
            turning_circle:     90,                 // controls mouse rotation sensitivity during object rotation. 
                                                    // Number of pixels to move the mouse through for a full rotation
                                                    // default = 1 pixel per 4 degrees
                                                
            near:               g.raycaster.near,   // nearest point to apply controls to
            
            far:                g.raycaster.far,    // furthest point to apply controls to
            
            snap_distance:      4,                  // only has effect when pointer axes are locked
                                                    // this is the minimum cumulative difference between screen x and y 
                                                    // values (in pixels) before the active axis is chosen
                                                    
            z_shift_distance:   10,                 // controls the sensitivity by which objects move towards/away from
                                                    // the camera when performing translations parallel to the camera
                                                    // normal vector. Bigger = less sensitive
                                                    
            z_control_axis:     'y',
                                                    
            mode_auto:          true,               // true = toggle mode by double-clicking (double-tapping) on empty
                                                    // canvas area. false = don't auto change mode at all. Let the app
                                                    // handle all mode changes via .toggle_mode() and set_mode(). Note
                                                    // .toggle_mode() and .set_mode() still work if mode_auto = true
                                                    
            init_mode:          'rotate',           // the mode to initialise with
            
            lock_translation_axes:  false,          // if true, decide which pointer axis (ie x or y) is preferred early
                                                    // in the pointer movement, then lock object translation to this axis
        
            lock_rotation_axes:     true,           // same as lock_translation_axis but for rotation. This is locked by
                                    <truncated>
if ( g.active_axes.t.match(/y/) ){ trans.setY( - get_translation_distance(origin_rel.z,h,orig_dt.y) - last_rel.y + origin_rel.y ) }
if ( g.active_axes.t.match(/x/) ){ trans.setX( get_translation_distance(origin_rel.z,h,orig_dt.x) + last_rel.x - origin_rel.x ) }
// They *can* be accessed externally via THREE.PointDragControls.globals
origin: g.raycaster.ray.origin.clone().addScaledVector(g.raycaster.ray.direction,g.rev_intercept_from),
// in the pointer movement, then lock object translation to this axis
// this is the minimum cumulative difference between screen x and y
lock_translation_axes: false, // if true, decide which pointer axis (ie x or y) is preferred early
lock_rotation_axes: true, // same as lock_translation_axis but for rotation. This is locked by
// See where this variable is used in calculation for more info
z_shift_distance: 10, // controls the sensitivity by which objects move towards/away from
// default under the assumption that rotations are less intuitive
offset: undefined // vector from the origin of the object to the intercept point
mode_auto: true, // true = toggle mode by double-clicking (double-tapping) on empty
// canvas area. false = don't auto change mode at all. Let the app
// handle all mode changes via .toggle_mode() and set_mode(). Note
// Number of pixels to move the mouse through for a full rotation
// the camera when performing translations parallel to the camera
auto_render: false // render whenever an object is transformed. False indicates this
// controller will not do any rendering (implies app is using an
// .toggle_mode() and .set_mode() still work if mode_auto = true
turning_circle: 90, // controls mouse rotation sensitivity during object rotation.
this.globals = { // globals - i.e. scoped across whole of PointDragControls
dt: { x: 0, y: 0 }, // size of mouse (or finger) movement during current cycle
rev_intercept_from: 99999999, // horrible! *'far' of infinity means nothing while this
// number exists* because it effectively defines the far
// position beyond which the controls will stop working.
// situation, which is basically confined to z rotations
init_dt: { x: 0, y: 0 }, // for remembering total mouse movement before we decide
var last_posn = new THREE.Vector3().getPositionFromMatrix( g.intersect.forward.object.matrixWorld );
var up4 = new THREE.Vector4(camera.up.x,camera.up.y,camera.up.z,0).applyMatrix4(camera.matrixWorld);
y : Math.asin( rel.x / Math.sqrt( Math.pow(rel.x,2) + Math.pow(rel.y,2) + Math.pow(rel.z,2) )),
origin_touch_id: undefined, // for remembering the id of the touch event occurring
double_click_timeout: 500, // max time diff between clicks (taps) to qualify as a
var posn = new THREE.Vector3().setFromMatrixPosition( g.intersect.forward.object.matrixWorld );
intersect: { // world coord points where the mouse click intercepts
mode: undefined, // modes are 'rotate' or 'translate'. Initial mode is
// an accessor function instead - e.g. .toggle_mode()
pointer: new THREE.Vector2(), // either the mouse position or the touch location
// on the object to be rotated (in the 2 touch event
// - but normally this should not be necessary. Use
// values (in pixels) before the active axis is chosen
if ( g.active_axes.t.match(/z/) ){ trans.setZ( g.dt[p.z_control_axis] / p.z_shift_distance ) }
r: undefined, // rotation axis label (world coords) x, y or z
g.pointer.last = {x:e.changedTouches[0].clientX,y:e.changedTouches[0].clientY};
var object_clicked = set_raycast_intercept( get_pointer_v(g.pointer.current),camera);
t: undefined, // translation axis (world coords) x, y or z
if ( typeof g.intersect.forward != 'undefined' && typeof g.pointer.last != 'undefined'){
camera_correction.neg = new THREE.Matrix4().getInverse( camera_correction.pos.clone() );
orig: undefined // where it was when the object was clicked
click_timer: undefined, // for detecting double-click or double-tap
snap_distance: 4, // only has effect when pointer axes are locked
var object_clicked = set_raycast_intercept( get_pointer_v( g.pointer.current ),camera);
if (ct.length == 1 && ct[0].identifier == g.origin_touch_id){ touch_num = 0; }
if (ct.length == 2 && ct[1].identifier == g.origin_touch_id){ touch_num = 1; }
// TODO: find a better way of doing this
g.pointer.current = {x:e.changedTouches[0].clientX,y:e.changedTouches[0].clientY};
forward: undefined, // (forward) the front of the object
// normal vector. Bigger = less sensitive
object_id_index: [] // track object ids for fast lookups
objects: scene.children, // array of objects to apply controls to
var trans_matrix = new THREE.Matrix4().makeTranslation(trans.x,trans.y,trans.z);
reverse: undefined, // (reverse) the back of the object
g.pointer.orig = {x:e.changedTouches[0].clientX,y:e.changedTouches[0].clientY};
far: g.raycaster.far, // furthest point to apply controls to
near: g.raycaster.near, // nearest point to apply controls to
pos: camera.matrixWorld.clone().setPosition( new THREE.Vector3(0,0,0) )
// default = 1 pixel per 4 degrees
x: e.changedTouches[touch_num].clientX,
- ( ( loc.y - rect.top ) / renderer.domElement.clientHeight ) * 2 + 1
neg: trans_matrix( transform.origin.clone().multiplyScalar(-1) ),
( ( loc.x - rect.left ) / renderer.domElement.clientWidth ) * 2 - 1,
current: undefined, // where the pointer is now
// which is the active axis
g.intersect.offset = g.intersect.forward.point.clone().sub( posn );
direction: g.raycaster.ray.direction.clone().multiplyScalar(-1)
init_mode: 'rotate', // the mode to initialise with
( g.intersect.forward.point.x + g.intersect.reverse.point.x ) / 2,
( g.intersect.forward.point.y + g.intersect.reverse.point.y ) / 2,
var last_rel = get_rel_coords( last_posn.add( g.intersect.offset ) );
( g.intersect.forward.point.z + g.intersect.reverse.point.z ) / 2
g.intersect.reverse = rev.intersects[rev.intersects.length - 1];
// double click (in ms)
last: undefined, // where it was before
// defined in defaults
var cam_horiz_v = up.clone().cross( camera.getWorldDirection() );
neg: new THREE.Matrix4().makeRotationX( - screen_rel.x ),
neg: new THREE.Matrix4().makeRotationY( - screen_rel.y ),
// on touch devices)
var old_matrix = g.intersect.forward.object.matrixWorld.clone();
var old_matrix = g.intersect.forward.object.matrixWorld.clone();
pos: new THREE.Matrix4().makeRotationX( screen_rel.x ),
pos: new THREE.Matrix4().makeRotationY( screen_rel.y ),
g.mode == 'translate' && p.lock_translation_axes == true ||
// animate() function)
if (typeof p[key] == 'undefined' ){ p[key] = defaults[key]; }
rev.intersects = g.raycaster.intersectObjects(p.objects);
if (g.active_axes.r.match(/x/)){ rot.multiply( rot_set.x ); }
if (g.active_axes.r.match(/y/)){ rot.multiply( rot_set.y ); }
if (g.active_axes.r.match(/z/)){ rot.multiply( rot_set.z ); }
renderer.domElement.addEventListener('contextmenu', function(e) {
renderer.domElement.addEventListener('touchcancel', function(e) {
// than translations
renderer.domElement.addEventListener('touchleave', function(e) {
var DX = dx * Z * Math.tan(camera.fov * Math.PI / 360) / h;
for (var j = 0; j<= g.object_id_index.length - 1; j++){
renderer.domElement.addEventListener('mousedown', function(e) {
renderer.domElement.addEventListener('touchstart', function(e){
else if (g.init_dt.y - g.init_dt.x > p.snap_distance ){
renderer.domElement.addEventListener('touchmove', function(e){
renderer.domElement.addEventListener('mouseout', function(e) {
renderer.domElement.addEventListener('touchend', function(e) {
var intersects = g.raycaster.intersectObjects(p.objects);
renderer.domElement.addEventListener('mousemove',function(e){
var point_v = point.clone().sub(camera.position.clone());
renderer.domElement.addEventListener('mouseup', function(e) {
var camera_correction = get_camera_correction();
return new THREE.Matrix4().makeTranslation(v.x,v.y,v.z);
g.origin_touch_id = e.changedTouches[0].identifier;
if( axes_locked() ){ check_active_axes(); }
if ( g.init_dt.x - g.init_dt.y > p.snap_distance ){
var rect = renderer.domElement.getBoundingClientRect();
g.object_id_index.push( objects[i].uuid );
g.intersect.forward.object.matrix.copy( prep_matrix );
g.intersect.forward.object.matrix.copy( prep_matrix );
var origin_rel = get_rel_coords( translation_origin );
g.mode == 'rotate' && p.lock_rotation_axes == true
if ( objects[i].uuid == object_id_index[j] ){
y: e.changedTouches[touch_num].clientY
if (e.touches.length == 1 && axes_locked() ){
if ( typeof g.active_axes.r != 'undefined' ){
x: g.pointer.current.x-g.pointer.last.x,
throw "invalid mode: "+g.mode+" not recognised";
g.intersect.forward.object.matrixAutoUpdate = false;
g.intersect.forward.object.matrixAutoUpdate = false;
for( var i = 0; i <= b.length - 1; i++){
if ( g.object_id_index[j] == objects[i].uuid ){
if ( typeof touch_num != 'undefined' ){
y: g.pointer.current.y-g.pointer.last.y
var transform_matrix = get_translation_transform();
throw "Invalid mode: "+new_mode+" not recognised";
g.pointer.current = {x:e.clientX,y:e.clientY};
x: new THREE.Matrix4().makeRotationX(theta.x),
y: new THREE.Matrix4().makeRotationY(theta.y),
if (new_mode == 'rotate' || new_mode == 'translate'){
z: new THREE.Matrix4().makeRotationZ(theta.z)
throw "invalid mode: "+g.mode+" not recognised";
for( var j = 0; j<= g.object_index.length; j++){
g.pointer.last = { x: e.clientX, y: e.clientY };
g.pointer.orig = { x: e.clientX, y: e.clientY };
transform_object(g.pointer.current);
if ( typeof g.intersect.forward != 'undefined'){
x: g.pointer.current.x-g.pointer.last.x,
if( typeof g.active_axes.r != 'undefined' ){
var camera_correction = get_camera_correction();
z: point_v.dot( camera.getWorldDirection() )
g.pointer.current = {x:e.clientX,y:e.clientY };
y: g.pointer.current.y-g.pointer.last.y
z: g.dt[p.z_control_axis]/ p.turning_circle
if ("buttons" in e && e.buttons == i + 1) {
for (var i = 0; i <= objects.length - 1; i++){
g.raycaster.set(rev.origin,rev.direction);
var up = new THREE.Vector3(up4.x,up4.y,up4.z);
if ( typeof g.active_axes.r == 'undefined' ){
var h = renderer.domElement.clientHeight / 2;
for ( var i = 0; i <= objects.length - 1; i++ ){
this.init = function(scene,camera,renderer,options){
g.click_timer = setTimeout(function () {
transform_object(g.pointer.current);
pos: trans_matrix( transform.origin )
trans_correction.pos.clone()
var w = renderer.domElement.clientWidth / 2;
x: g.pointer.current.x-g.pointer.orig.x,
var rel = get_rel_coords( rotation_origin );
g.raycaster.setFromCamera(event_v, camera);
g.pointer.last = g.pointer.current;
var translation_origin = new THREE.Vector3(
y: g.pointer.current.y-g.pointer.orig.y
raycaster: new THREE.Raycaster(),
p.objects.push( objects[i] );
g.object_id_index.push( p.objects.uuid );
var transform = get_rotation_transform();
g.intersect.forward = intersects[0];
** Controls for translating or rotating individual
g.pointer.last = g.pointer.current;
var rotation_origin = new THREE.Vector3(
g.object_id_index.splice(j,1);
for( var i=0; i<=p.objects.length-1; i++){
function get_translation_distance(Z,h,dx){
} else if (! axes_locked() ){
renderer.render( scene, camera );
var button = e.which || e.button;
function set_raycast_intercept(event_v){
var button = detect_mouse_button(e);
if ( typeof button != 'undefined' ){
g.pointer.last = g.pointer.orig;
g.init_dt.x += Math.abs(g.dt.x);
g.init_dt.y += Math.abs(g.dt.y);
.multiply(camera_correction.pos)
.multiply(camera_correction.neg)
.multiply(camera_correction.neg)
** objects about specific points under three.js
already_included= true;
double_click_toggle_mode();
.multiply(trans_correction.neg)
x : Math.atan( rel.y / rel.z ),
pointer: {
var already_included = false;
if (! already_included ){
} else if (! axes_locked() ){
} else if ( g.mode == 'rotate' ){
camera_correction.pos.clone()
function get_translation_transform(){
function double_click_toggle_mode(){
clearTimeout(g.click_timer);
check_active_axes();
g.intersect.forward.point.x,
g.intersect.forward.point.y,
var trans = new THREE.Vector3();
x: point_v.dot(cam_horiz_v),
x: g.dt.y/ p.turning_circle,
y: g.dt.x/ p.turning_circle,
g.intersect.forward = undefined;
g.intersect.reverse = undefined;
}, g.double_click_timeout);
if( button == 'right'){
if (e.touches.length == 2){
double_click_toggle_mode();
if (e.touches.length == 2){
function check_active_axes(offset){
.multiply(transform.matrix)
.multiply(transform_matrix)
g.intersect.forward.point.z
matrix: rel_r.y.pos.clone()
.multiply(rel_r.y.neg),
p.objects.splice(j,1);
var ct = e.changedTouches;
touch_num = undefined;
function get_rotation_transform(){
var rot = new THREE.Matrix4();
.multiply(rel_r.x.pos)
.multiply(rel_r.x.neg)
if ( intersects.length > 0 ){
g.click_timer = null;
g.active_axes = {
g.active_axes = {
if ( g.mode == 'translate' ){
function get_camera_correction(){
} else if (g.mode == 'rotate') {
if (g.click_timer == null) {
} else if (p.mode_auto){
g.pointer.current={
function detect_mouse_button(e){
if (p.auto_render == true){
function get_rel_coords(point){
origin: rotation_origin
g.pointer.last = undefined;
g.init_dt = { x: 0, y: 0 };
if ( object_clicked ){
g.active_axes = {
g.active_axes = {
.multiply(old_matrix);
.multiply(old_matrix);
THREE.PointDragControls = function(){
g.click_timer = null;
g.active_axes = {
g.active_axes = {
} else if (p.mode_auto) {
var camera_correction = {
return camera_correction;
function clear_active_axes(){
var b = ['left','right'];
if (button == i + 1){
return new THREE.Vector2(
if (g.mode == 'translate'){
z_control_axis: 'y',
r: 'xy',
function transform_object(){
var trans_correction = {
function translate_object(){
function get_pointer_v(loc){
for( var key in defaults ){
r: 'z',
t: 'xy'
translate_object();
y: point_v.dot(up),
this.toggle_mode = toggle_mode;
g.raycaster.near = p.near;
t: 'z'
var touch_num = 0;
.multiply(rot)
result = b[i];
result = b[i];
** Released under the MIT license
g.mode = 'translate';
function rotate_object(){
function trans_matrix(v){
function set_mode(new_mode){
g.raycaster.far = p.far;
if (object_clicked){
r: 'xy',
t: 'x',
t: 'y',
rotate_object();
return trans_matrix;
e.stopPropagation();
clear_active_axes();
clear_active_axes();
clear_active_axes();
clear_active_axes();
clear_active_axes();
g.mode = 'rotate';
e.preventDefault();
e.preventDefault();
r: 'z',
t: 'z',
t: 'xy'
e.preventDefault();
function axes_locked(){
var locked = false;
g.mode = new_mode;
function include(objects){
break;
function exclude(objects){
var p = options || {};
toggle_mode();
r: 'y'
r: 'x'
var prep_matrix =
var prep_matrix =
var screen_rel = {
locked = true;
** (c) Virtual Blue LTD. 2017
g.mode = p.init_mode;
g.active_axes = {
r: undefined,
d: undefined,
this.set_mode = set_mode;
return true;
g.dt = {
t: undefined
function toggle_mode(){
var rev = {
var orig_dt = {
var rot_set = {
this.include = include;
this.exclude = exclude;
};
};
break;
break;
return result;
return locked;
/* point_drag_controls.js
** Tom Gracey August 2017
var g = this.globals;
return false;
var theta = {
var rel_r = {
return false;
return false;
return false;
return false;
return false;
return false;
var defaults = {
g.dt = {
var rel = {
return rel;
var result;
this.mode = g.mode;
active_axes: {
};
};
};
};
};
};
}
return DX;
}
}
}
}
}
}
z : 0
x: {
y: {
} else {
} else {
return {
});
};
}
};
});
},
}
}
}
}
}
}
}
}
}
}
}
}
if (
** December 2017
} else {
} else {
** Version 0.2
};
);
};
};
);
};
};
};
};
};
){
);
}
}
}
}
}
}
}
}
}
}
}
}
}
});
});
});
});
});
});
});
});
},
},
},
};
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
};
};
};
};
}

Processing ( 12.69 seconds )

  • 7.373 Suricata
  • 3.786 Zircolite
  • 1.078 BehaviorAnalysis
  • 0.135 NetworkAnalysis
  • 0.101 CAPE
  • 0.086 Deduplicate
  • 0.052 Fiddler
  • 0.043 TargetInfo
  • 0.018 AnalysisInfo
  • 0.016 Static
  • 0.004 Strings
  • 0.003 Debug

Signatures ( 0.13 seconds )

  • 0.033 antiav_detectreg
  • 0.012 infostealer_ftp
  • 0.012 territorial_disputes_sigs
  • 0.006 guloader_apis
  • 0.006 infostealer_browser
  • 0.006 infostealer_im
  • 0.004 antianalysis_detectreg
  • 0.003 antivm_vbox_keys
  • 0.003 infostealer_mail
  • 0.003 ransomware_files
  • 0.002 decoy_document
  • 0.002 mimics_filetime
  • 0.002 accesses_recyclebin
  • 0.002 stealth_file
  • 0.002 stealth_timeout
  • 0.002 antiav_detectfile
  • 0.002 antivm_parallels_keys
  • 0.002 antivm_vmware_keys
  • 0.002 ransomware_extensions
  • 0.002 sigma
  • 0.001 antivm_generic_disk
  • 0.001 antivm_generic_scsi
  • 0.001 api_spamming
  • 0.001 bootkit
  • 0.001 infostealer_browser_password
  • 0.001 kibex_behavior
  • 0.001 persistence_autorun
  • 0.001 NewtWire Behavior
  • 0.001 virus
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_generic_diskreg
  • 0.001 antivm_vpc_keys
  • 0.001 antivm_xen_keys
  • 0.001 geodo_banking_trojan
  • 0.001 browser_security
  • 0.001 infostealer_bitcoin
  • 0.001 masquerade_process_name

Reporting ( 0.01 seconds )

  • 0.013 JsonDump

Signatures

Dynamic (imported) function loading detected
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: uxtheme.dll/ThemeInitApiHook
DynamicLoader: USER32.dll/IsProcessDPIAware
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: kernel32.dll/HeapSetInformation
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: SXS.DLL/SxsOleAut32MapConfiguredClsidToReferenceClsid
DynamicLoader: dwmapi.dll/DwmIsCompositionEnabled
DynamicLoader: kernel32.dll/ResolveDelayLoadedAPI
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ADVAPI32.dll/SaferIdentifyLevel
DynamicLoader: ADVAPI32.dll/SaferComputeTokenFromLevel
DynamicLoader: ADVAPI32.dll/SaferCloseLevel
DynamicLoader: OLEAUT32.dll/#500
DynamicLoader: kernel32.dll/RegCreateKeyExW
DynamicLoader: kernel32.dll/RegQueryValueExW
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: ntdll.dll/EtwRegisterTraceGuidsW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/LocaleNameToLCID
DynamicLoader: kernel32.dll/GetLocaleInfoEx
DynamicLoader: kernel32.dll/LCIDToLocaleName
DynamicLoader: kernel32.dll/GetSystemDefaultLocaleName
DynamicLoader: FastProx.dll/DllGetClassObject
DynamicLoader: FastProx.dll/DllCanUnloadNow
DynamicLoader: kernel32.dll/RegOpenKeyExW
DynamicLoader: ole32.dll/CLSIDFromString
DynamicLoader: OLEAUT32.dll/#8
DynamicLoader: OLEAUT32.dll/#2
DynamicLoader: OLEAUT32.dll/#9
DynamicLoader: OLEAUT32.dll/#6
DynamicLoader: ole32.dll/CoGetCallContext
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: ADVAPI32.dll/EventWrite
DynamicLoader: ADVAPI32.dll/EventActivityIdControl
DynamicLoader: ADVAPI32.dll/EventWriteTransfer
DynamicLoader: ADVAPI32.dll/EventEnabled
DynamicLoader: wbemcore.dll/Reinitialize
Network activity detected but not expressed in API logs

Screenshots


Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States

DNS

No domains contacted.

Summary

C:\Windows\SysWOW64\wscript.exe
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Users\pgabriel\AppData\Local\Temp\PointDragControls.js
C:\Windows\inf\hdaudio.inf
C:\Windows\System32\DriverStore\en-US\hdaudio.inf_loc
C:\Windows\inf\hdaudio.PNF
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\System32\wbem\Logs\
\??\pipe\PIPE_EVENTROOT\CIMV2PROVIDERSUBSYSTEM
\??\WMIDataDevice
C:\Windows\System32\advapi32.dll
C:\Windows\System32\en-US\advapi32.dll.mui
C:\Windows\System32\drivers\acpi.sys
C:\Windows\System32\drivers\en-US\ACPI.sys.mui
C:\Windows\System32\drivers\ndis.sys
C:\Windows\System32\drivers\en-US\ndis.sys.mui
C:\Windows\System32\drivers\mssmbios.sys
C:\Windows\System32\drivers\en-US\mssmbios.sys.mui
C:\Windows\System32\drivers\hdaudbus.sys
C:\Windows\System32\drivers\en-US\HDAudBus.sys.mui
C:\Windows\System32\drivers\intelppm.sys
C:\Windows\System32\drivers\en-US\intelppm.sys.mui
C:\Windows\System32\drivers\portcls.sys
C:\Windows\System32\drivers\en-US\portcls.SYS.mui
C:\Windows\System32\drivers\monitor.sys
C:\Windows\System32\drivers\en-US\monitor.sys
C:\Windows\System32\drivers\en\monitor.sys
C:\Windows\SysWOW64\wscript.exe
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Users\pgabriel\AppData\Local\Temp\PointDragControls.js
C:\Windows\inf\hdaudio.PNF
C:\Windows\System32\wbem\WmiPrvSE.exe
\??\pipe\PIPE_EVENTROOT\CIMV2PROVIDERSUBSYSTEM
\??\WMIDataDevice
C:\Windows\System32\advapi32.dll
C:\Windows\System32\drivers\acpi.sys
C:\Windows\System32\drivers\ndis.sys
C:\Windows\System32\drivers\mssmbios.sys
C:\Windows\System32\drivers\hdaudbus.sys
C:\Windows\System32\drivers\intelppm.sys
C:\Windows\System32\drivers\portcls.sys
C:\Windows\System32\drivers\monitor.sys
C:\Windows\System32\en-US\advapi32.dll.mui
C:\Windows\System32\drivers\en-US\ACPI.sys.mui
C:\Windows\System32\drivers\en-US\ndis.sys.mui
C:\Windows\System32\drivers\en-US\mssmbios.sys.mui
C:\Windows\System32\drivers\en-US\HDAudBus.sys.mui
C:\Windows\System32\drivers\en-US\intelppm.sys.mui
C:\Windows\System32\drivers\en-US\portcls.SYS.mui
\??\pipe\PIPE_EVENTROOT\CIMV2PROVIDERSUBSYSTEM
\??\WMIDataDevice
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Script Host\Settings\Enabled
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\AppID\wscript.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Script Host\Settings\LogSecuritySuccesses
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Script Host\Settings\IgnoreUserSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Script Host\Settings\TrustPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Script Host\Settings\UseWINSAFER
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Script Host\Settings\Timeout
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Script Host\Settings\DisplayLogo
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\Timeout
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\DisplayLogo
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_CLASSES_ROOT\.js
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.js\(Default)
HKEY_CLASSES_ROOT\JSFile\ScriptEngine
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JSFile\ScriptEngine\(Default)
HKEY_CURRENT_USER\Software\Classes\JScript
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JScript\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JScript\CLSID\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\COM+Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\HDAUDIO\FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001\4&E975671&0&0001
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\HDAUDIO\FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001\4&E975671&0&0001\DeviceDesc
HKEY_USERS\S-1-5-21-598517727-2769297685-998483224-1000
HKEY_USERS\S-1-5-21-598517727-2769297685-998483224-1000\Control Panel\International
HKEY_USERS\S-1-5-21-598517727-2769297685-998483224-1000\Control Panel\International\LocaleName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\HDAUDIO\FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001\4&E975671&0&0001\Properties
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\HDAUDIO\FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001\4&E975671&0&0001\Properties\{b3f8fa53-0004-438e-9003-51a46e139bfc}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\HDAUDIO\FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001\4&E975671&0&0001\Properties\{b3f8fa53-0004-438e-9003-51a46e139bfc}\00000007
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\HDAUDIO\FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001\4&E975671&0&0001\Properties\{b3f8fa53-0004-438e-9003-51a46e139bfc}\00000007\00000000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\HDAUDIO\FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001\4&E975671&0&0001\Properties\{b3f8fa53-0004-438e-9003-51a46e139bfc}\00000007\00000000\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\HDAUDIO\FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001\4&E975671&0&0001\Properties\{b3f8fa53-0004-438e-9003-51a46e139bfc}\00000007\00000000\Data
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994ad04-93ef-11d0-a3cc-00a0c9223196}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#hdaudio#func_01&ven_1af4&dev_0022&subsys_1af40022&rev_1001#4&e975671&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#elineoutwave
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#hdaudio#func_01&ven_1af4&dev_0022&subsys_1af40022&rev_1001#4&e975671&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&E975671&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\DeviceInstance
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&E975671&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#eLineOutWave\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&E975671&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#eLineOutWave\Control\Linked
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\Properties
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{eb115ffc-10c8-4964-831d-6dcb02e6f23f}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{EB115FFC-10C8-4964-831D-6DCB02E6F23F}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&e975671&0&0001#{eb115ffc-10c8-4964-831d-6dcb02e6f23f}\#elineoutwave
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{EB115FFC-10C8-4964-831D-6DCB02E6F23F}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&e975671&0&0001#{eb115ffc-10c8-4964-831d-6dcb02e6f23f}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{EB115FFC-10C8-4964-831D-6DCB02E6F23F}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&E975671&0&0001#{eb115ffc-10c8-4964-831d-6dcb02e6f23f}\DeviceInstance
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{EB115FFC-10C8-4964-831D-6DCB02E6F23F}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&E975671&0&0001#{eb115ffc-10c8-4964-831d-6dcb02e6f23f}\#eLineOutWave\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{EB115FFC-10C8-4964-831D-6DCB02E6F23F}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&E975671&0&0001#{eb115ffc-10c8-4964-831d-6dcb02e6f23f}\#eLineOutWave\Control\Linked
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{EB115FFC-10C8-4964-831D-6DCB02E6F23F}\Properties
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#hdaudio#func_01&ven_1af4&dev_0022&subsys_1af40022&rev_1001#4&e975671&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#elineouttopo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&E975671&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#eLineOutTopo\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&E975671&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#eLineOutTopo\Control\Linked
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&e975671&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#eLineInTopo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&e975671&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&e975671&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#eLineInWave
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&e975671&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#eLineOutTopo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&e975671&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#eLineOutWave
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\HDAUDIO\FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001\4&E975671&0&0001\Capabilities
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\HDAUDIO\FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001\4&E975671&0&0001\ConfigFlags
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&E975671&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#eLineOutTopo\Properties
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&E975671&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#eLineOutTopo\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&E975671&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#eLineOutTopo\Properties\{840b8171-b0ad-410f-8581-cccc0382cfef}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&E975671&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#eLineOutTopo\Properties\{840b8171-b0ad-410f-8581-cccc0382cfef}\00000000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&E975671&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#eLineOutTopo\Properties\{840b8171-b0ad-410f-8581-cccc0382cfef}\00000000\00000000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&E975671&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#eLineOutTopo\Properties\{840b8171-b0ad-410f-8581-cccc0382cfef}\00000000\00000000\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&E975671&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#eLineOutTopo\Properties\{840b8171-b0ad-410f-8581-cccc0382cfef}\00000000\00000000\Data
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&E975671&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#eLineOutWave\Properties
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\ServerExecutable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\AppID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalService
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\DllSurrogate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\RunAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\ActivateAtStorage
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\ROTFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\AppIDFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LaunchPermission
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\LegacyAuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\LegacyImpersonationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\AuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\RemoteServerName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\SRPTrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\PreferredServerBitness
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LoadUserSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\Elevation
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Logging Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Logging
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Log File Max Size
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ProcessID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\EnablePrivateObjectHeap
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ContextLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ObjectLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\IdentifierLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Sink Transmit Buffer Size
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Cimom
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\DefaultRpcStackSize
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\AccessProviders
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_LOCAL_MACHINE\Software\Classes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\wmiprvse.exe
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSclient
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\EnableObjectValidation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}\ProxyStubClsid32\(Default)
HKEY_CLASSES_ROOT\CLSID\{D2D588B5-D081-11d0-99E0-00C04FC2F8EC}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2D588B5-D081-11D0-99E0-00C04FC2F8EC}\InprocServer32\(Default)
HKEY_CLASSES_ROOT\CLSID\{D2D588B5-D081-11d0-99E0-00C04FC2F8EC}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2D588B5-D081-11D0-99E0-00C04FC2F8EC}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2D588B5-D081-11D0-99E0-00C04FC2F8EC}\InprocServer32\Synchronization
HKEY_CLASSES_ROOT\CLSID\{D2D588B5-D081-11d0-99E0-00C04FC2F8EC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2D588B5-D081-11D0-99E0-00C04FC2F8EC}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2D588B5-D081-11D0-99E0-00C04FC2F8EC}\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\WDM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\IDE\DiskSAMSUNG_MZ76E120________________________2.5+____\5&2c0af145&0&0.0.0_0-{05901221-D566-11d1-B2F0-00A0C9062910}
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ACPI
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ACPI\MofImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ACPI\ImagePath
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NDIS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NDIS\MofImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NDIS\ImagePath
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mssmbios
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\mssmbios\MofImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\mssmbios\ImagePath
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HDAudBus
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HDAudBus\MofImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HDAudBus\ImagePath
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\intelppm
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\intelppm\MofImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\intelppm\ImagePath
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\portcls
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\monitor
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\monitor\MofImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\monitor\ImagePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\Windows\system32\advapi32.dll[MofResourceName]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\Windows\system32\en-US\advapi32.dll.mui[MofResourceName]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\Windows\system32\drivers\ACPI.sys[ACPIMOFResource]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\Windows\system32\drivers\en-US\ACPI.sys.mui[ACPIMOFResource]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\Windows\system32\drivers\ndis.sys[MofResourceName]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\Windows\system32\drivers\en-US\ndis.sys.mui[MofResourceName]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\Windows\system32\DRIVERS\mssmbios.sys[MofResource]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\Windows\system32\DRIVERS\en-US\mssmbios.sys.mui[MofResource]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\Windows\system32\DRIVERS\HDAudBus.sys[HDAudioMofName]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\Windows\system32\DRIVERS\en-US\HDAudBus.sys.mui[HDAudioMofName]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\Windows\system32\DRIVERS\intelppm.sys[PROCESSORWMI]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\Windows\system32\DRIVERS\en-US\intelppm.sys.mui[PROCESSORWMI]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\Windows\System32\Drivers\portcls.SYS[PortclsMof]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\Windows\System32\Drivers\en-US\portcls.SYS.mui[PortclsMof]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\Windows\system32\DRIVERS\monitor.sys[MonitorWMI]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F50A28CF-5C9C-4F7E-9D80-E25E16E18C59}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F50A28CF-5C9C-4F7E-9D80-E25E16E18C59}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F50A28CF-5C9C-4F7E-9D80-E25E16E18C59}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{49353C93-516B-11D1-AEA6-00C04FB68820}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6B3FC272-BF37-4968-933A-6DF9222A2607}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6B3FC272-BF37-4968-933A-6DF9222A2607}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6B3FC272-BF37-4968-933A-6DF9222A2607}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0FC8C622-1728-4149-A57F-AD19D0970710}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0FC8C622-1728-4149-A57F-AD19D0970710}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0FC8C622-1728-4149-A57F-AD19D0970710}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEC1B0AC-5808-4033-A915-C0185934581E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEC1B0AC-5808-4033-A915-C0185934581E}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEC1B0AC-5808-4033-A915-C0185934581E}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB658B8A-7A64-4DDC-9B8D-A92610DB0206}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB658B8A-7A64-4DDC-9B8D-A92610DB0206}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB658B8A-7A64-4DDC-9B8D-A92610DB0206}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\Root
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\Root
HKEY_LOCAL_MACHINE\system\Setup
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\wmi
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\wmi
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Script Host\Settings\Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Script Host\Settings\LogSecuritySuccesses
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Script Host\Settings\IgnoreUserSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Script Host\Settings\TrustPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Script Host\Settings\UseWINSAFER
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Script Host\Settings\Timeout
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Script Host\Settings\DisplayLogo
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\Timeout
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\DisplayLogo
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.js\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JSFile\ScriptEngine\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JScript\CLSID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\COM+Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\HDAUDIO\FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001\4&E975671&0&0001\DeviceDesc
HKEY_USERS\S-1-5-21-598517727-2769297685-998483224-1000\Control Panel\International\LocaleName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\HDAUDIO\FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001\4&E975671&0&0001\Properties\{b3f8fa53-0004-438e-9003-51a46e139bfc}\00000007\00000000\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\HDAUDIO\FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001\4&E975671&0&0001\Properties\{b3f8fa53-0004-438e-9003-51a46e139bfc}\00000007\00000000\Data
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&E975671&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\DeviceInstance
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&E975671&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#eLineOutWave\Control\Linked
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{EB115FFC-10C8-4964-831D-6DCB02E6F23F}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&E975671&0&0001#{eb115ffc-10c8-4964-831d-6dcb02e6f23f}\DeviceInstance
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{EB115FFC-10C8-4964-831D-6DCB02E6F23F}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&E975671&0&0001#{eb115ffc-10c8-4964-831d-6dcb02e6f23f}\#eLineOutWave\Control\Linked
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&E975671&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#eLineOutTopo\Control\Linked
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\HDAUDIO\FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001\4&E975671&0&0001\Capabilities
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\HDAUDIO\FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001\4&E975671&0&0001\ConfigFlags
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&E975671&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#eLineOutTopo\Properties\{840b8171-b0ad-410f-8581-cccc0382cfef}\00000000\00000000\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_1AF4&DEV_0022&SUBSYS_1AF40022&REV_1001#4&E975671&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#eLineOutTopo\Properties\{840b8171-b0ad-410f-8581-cccc0382cfef}\00000000\00000000\Data
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\ServerExecutable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\AppID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalService
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\DllSurrogate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\RunAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\ActivateAtStorage
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\ROTFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\AppIDFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LaunchPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\LegacyAuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\LegacyImpersonationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\AuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\RemoteServerName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\SRPTrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\PreferredServerBitness
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LoadUserSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Logging Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Logging
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Log File Max Size
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ProcessID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\EnablePrivateObjectHeap
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ContextLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\ObjectLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\IdentifierLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\Sink Transmit Buffer Size
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\DefaultRpcStackSize
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\EnableObjectValidation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2D588B5-D081-11D0-99E0-00C04FC2F8EC}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2D588B5-D081-11D0-99E0-00C04FC2F8EC}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2D588B5-D081-11D0-99E0-00C04FC2F8EC}\InprocServer32\Synchronization
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2D588B5-D081-11D0-99E0-00C04FC2F8EC}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D2D588B5-D081-11D0-99E0-00C04FC2F8EC}\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ACPI\MofImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ACPI\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NDIS\MofImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NDIS\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\mssmbios\MofImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\mssmbios\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HDAudBus\MofImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HDAudBus\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\intelppm\MofImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\intelppm\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\monitor\MofImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\monitor\ImagePath
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F50A28CF-5C9C-4F7E-9D80-E25E16E18C59}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6B3FC272-BF37-4968-933A-6DF9222A2607}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0FC8C622-1728-4149-A57F-AD19D0970710}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEC1B0AC-5808-4033-A915-C0185934581E}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB658B8A-7A64-4DDC-9B8D-A92610DB0206}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\Root
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\Root
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\wmi
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\wmi
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\IDE\DiskSAMSUNG_MZ76E120________________________2.5+____\5&2c0af145&0&0.0.0_0-{05901221-D566-11d1-B2F0-00A0C9062910}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\Windows\system32\advapi32.dll[MofResourceName]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\Windows\system32\en-US\advapi32.dll.mui[MofResourceName]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\Windows\system32\drivers\ACPI.sys[ACPIMOFResource]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\Windows\system32\drivers\en-US\ACPI.sys.mui[ACPIMOFResource]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\Windows\system32\drivers\ndis.sys[MofResourceName]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\Windows\system32\drivers\en-US\ndis.sys.mui[MofResourceName]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\Windows\system32\DRIVERS\mssmbios.sys[MofResource]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\Windows\system32\DRIVERS\en-US\mssmbios.sys.mui[MofResource]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\Windows\system32\DRIVERS\HDAudBus.sys[HDAudioMofName]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\Windows\system32\DRIVERS\en-US\HDAudBus.sys.mui[HDAudioMofName]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\Windows\system32\DRIVERS\intelppm.sys[PROCESSORWMI]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\Windows\system32\DRIVERS\en-US\intelppm.sys.mui[PROCESSORWMI]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\Windows\System32\Drivers\portcls.SYS[PortclsMof]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\Windows\System32\Drivers\en-US\portcls.SYS.mui[PortclsMof]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\Windows\system32\DRIVERS\monitor.sys[MonitorWMI]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\Windows\system32\DRIVERS\monitor.sys[MonitorWMI]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\Windows\system32\drivers\ndis.sys[MofResourceName]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\C:\Windows\system32\drivers\en-US\ndis.sys.mui[MofResourceName]
cryptbase.dll.SystemFunction036
uxtheme.dll.ThemeInitApiHook
user32.dll.IsProcessDPIAware
sechost.dll.LookupAccountNameLocalW
advapi32.dll.LookupAccountSidW
sechost.dll.LookupAccountSidLocalW
kernel32.dll.HeapSetInformation
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
sxs.dll.SxsOleAut32MapConfiguredClsidToReferenceClsid
dwmapi.dll.DwmIsCompositionEnabled
ole32.dll.CoCreateInstance
advapi32.dll.SaferIdentifyLevel
advapi32.dll.SaferComputeTokenFromLevel
advapi32.dll.SaferCloseLevel
oleaut32.dll.#500
kernel32.dll.RegCreateKeyExW
kernel32.dll.RegQueryValueExW
kernel32.dll.RegCloseKey
ntdll.dll.EtwRegisterTraceGuidsW
ntmarta.dll.GetMartaExtensionInterface
kernel32.dll.GetThreadPreferredUILanguages
kernel32.dll.SetThreadPreferredUILanguages
kernel32.dll.LocaleNameToLCID
kernel32.dll.GetLocaleInfoEx
kernel32.dll.LCIDToLocaleName
kernel32.dll.GetSystemDefaultLocaleName
fastprox.dll.DllGetClassObject
fastprox.dll.DllCanUnloadNow
kernel32.dll.RegOpenKeyExW
ole32.dll.CLSIDFromString
oleaut32.dll.#8
oleaut32.dll.#2
oleaut32.dll.#9
oleaut32.dll.#6
ole32.dll.CoGetCallContext
advapi32.dll.EventRegister
advapi32.dll.EventUnregister
advapi32.dll.EventWrite
advapi32.dll.EventActivityIdControl
advapi32.dll.EventWriteTransfer
advapi32.dll.EventEnabled
wbemcore.dll.Reinitialize
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
if ( g.active_axes.t.match(/y/) ){ trans.setY( - get_translation_distance(origin_rel.z,h,orig_dt.y) - last_rel.y + origin_rel.y ) }
if ( g.active_axes.t.match(/x/) ){ trans.setX( get_translation_distance(origin_rel.z,h,orig_dt.x) + last_rel.x - origin_rel.x ) }
// They *can* be accessed externally via THREE.PointDragControls.globals
origin: g.raycaster.ray.origin.clone().addScaledVector(g.raycaster.ray.direction,g.rev_intercept_from),
// in the pointer movement, then lock object translation to this axis
// this is the minimum cumulative difference between screen x and y
lock_translation_axes: false, // if true, decide which pointer axis (ie x or y) is preferred early
lock_rotation_axes: true, // same as lock_translation_axis but for rotation. This is locked by
// See where this variable is used in calculation for more info
z_shift_distance: 10, // controls the sensitivity by which objects move towards/away from
// default under the assumption that rotations are less intuitive
offset: undefined // vector from the origin of the object to the intercept point
mode_auto: true, // true = toggle mode by double-clicking (double-tapping) on empty
// canvas area. false = don't auto change mode at all. Let the app
// handle all mode changes via .toggle_mode() and set_mode(). Note
// Number of pixels to move the mouse through for a full rotation
// the camera when performing translations parallel to the camera
auto_render: false // render whenever an object is transformed. False indicates this
// controller will not do any rendering (implies app is using an
// .toggle_mode() and .set_mode() still work if mode_auto = true
turning_circle: 90, // controls mouse rotation sensitivity during object rotation.
this.globals = { // globals - i.e. scoped across whole of PointDragControls
dt: { x: 0, y: 0 }, // size of mouse (or finger) movement during current cycle
rev_intercept_from: 99999999, // horrible! *'far' of infinity means nothing while this
// number exists* because it effectively defines the far
// position beyond which the controls will stop working.
// situation, which is basically confined to z rotations
init_dt: { x: 0, y: 0 }, // for remembering total mouse movement before we decide
var last_posn = new THREE.Vector3().getPositionFromMatrix( g.intersect.forward.object.matrixWorld );
var up4 = new THREE.Vector4(camera.up.x,camera.up.y,camera.up.z,0).applyMatrix4(camera.matrixWorld);
y : Math.asin( rel.x / Math.sqrt( Math.pow(rel.x,2) + Math.pow(rel.y,2) + Math.pow(rel.z,2) )),
origin_touch_id: undefined, // for remembering the id of the touch event occurring
double_click_timeout: 500, // max time diff between clicks (taps) to qualify as a
var posn = new THREE.Vector3().setFromMatrixPosition( g.intersect.forward.object.matrixWorld );
intersect: { // world coord points where the mouse click intercepts
mode: undefined, // modes are 'rotate' or 'translate'. Initial mode is
// an accessor function instead - e.g. .toggle_mode()
pointer: new THREE.Vector2(), // either the mouse position or the touch location
// on the object to be rotated (in the 2 touch event
// - but normally this should not be necessary. Use
// values (in pixels) before the active axis is chosen
if ( g.active_axes.t.match(/z/) ){ trans.setZ( g.dt[p.z_control_axis] / p.z_shift_distance ) }
r: undefined, // rotation axis label (world coords) x, y or z
g.pointer.last = {x:e.changedTouches[0].clientX,y:e.changedTouches[0].clientY};
var object_clicked = set_raycast_intercept( get_pointer_v(g.pointer.current),camera);
t: undefined, // translation axis (world coords) x, y or z
if ( typeof g.intersect.forward != 'undefined' && typeof g.pointer.last != 'undefined'){
camera_correction.neg = new THREE.Matrix4().getInverse( camera_correction.pos.clone() );
orig: undefined // where it was when the object was clicked
click_timer: undefined, // for detecting double-click or double-tap
snap_distance: 4, // only has effect when pointer axes are locked
var object_clicked = set_raycast_intercept( get_pointer_v( g.pointer.current ),camera);
if (ct.length == 1 && ct[0].identifier == g.origin_touch_id){ touch_num = 0; }
if (ct.length == 2 && ct[1].identifier == g.origin_touch_id){ touch_num = 1; }
// TODO: find a better way of doing this
g.pointer.current = {x:e.changedTouches[0].clientX,y:e.changedTouches[0].clientY};
forward: undefined, // (forward) the front of the object
// normal vector. Bigger = less sensitive
object_id_index: [] // track object ids for fast lookups
objects: scene.children, // array of objects to apply controls to
var trans_matrix = new THREE.Matrix4().makeTranslation(trans.x,trans.y,trans.z);
reverse: undefined, // (reverse) the back of the object
g.pointer.orig = {x:e.changedTouches[0].clientX,y:e.changedTouches[0].clientY};
far: g.raycaster.far, // furthest point to apply controls to
near: g.raycaster.near, // nearest point to apply controls to
pos: camera.matrixWorld.clone().setPosition( new THREE.Vector3(0,0,0) )
// default = 1 pixel per 4 degrees
x: e.changedTouches[touch_num].clientX,
- ( ( loc.y - rect.top ) / renderer.domElement.clientHeight ) * 2 + 1
neg: trans_matrix( transform.origin.clone().multiplyScalar(-1) ),
( ( loc.x - rect.left ) / renderer.domElement.clientWidth ) * 2 - 1,
current: undefined, // where the pointer is now
// which is the active axis
g.intersect.offset = g.intersect.forward.point.clone().sub( posn );
direction: g.raycaster.ray.direction.clone().multiplyScalar(-1)
init_mode: 'rotate', // the mode to initialise with
( g.intersect.forward.point.x + g.intersect.reverse.point.x ) / 2,
( g.intersect.forward.point.y + g.intersect.reverse.point.y ) / 2,
var last_rel = get_rel_coords( last_posn.add( g.intersect.offset ) );
( g.intersect.forward.point.z + g.intersect.reverse.point.z ) / 2
g.intersect.reverse = rev.intersects[rev.intersects.length - 1];
// double click (in ms)
last: undefined, // where it was before
// defined in defaults
var cam_horiz_v = up.clone().cross( camera.getWorldDirection() );
neg: new THREE.Matrix4().makeRotationX( - screen_rel.x ),
neg: new THREE.Matrix4().makeRotationY( - screen_rel.y ),
// on touch devices)
var old_matrix = g.intersect.forward.object.matrixWorld.clone();
var old_matrix = g.intersect.forward.object.matrixWorld.clone();
pos: new THREE.Matrix4().makeRotationX( screen_rel.x ),
pos: new THREE.Matrix4().makeRotationY( screen_rel.y ),
g.mode == 'translate' && p.lock_translation_axes == true ||
// animate() function)
if (typeof p[key] == 'undefined' ){ p[key] = defaults[key]; }
rev.intersects = g.raycaster.intersectObjects(p.objects);
if (g.active_axes.r.match(/x/)){ rot.multiply( rot_set.x ); }
if (g.active_axes.r.match(/y/)){ rot.multiply( rot_set.y ); }
if (g.active_axes.r.match(/z/)){ rot.multiply( rot_set.z ); }
renderer.domElement.addEventListener('contextmenu', function(e) {
renderer.domElement.addEventListener('touchcancel', function(e) {
// than translations
renderer.domElement.addEventListener('touchleave', function(e) {
var DX = dx * Z * Math.tan(camera.fov * Math.PI / 360) / h;
for (var j = 0; j<= g.object_id_index.length - 1; j++){
renderer.domElement.addEventListener('mousedown', function(e) {
renderer.domElement.addEventListener('touchstart', function(e){
else if (g.init_dt.y - g.init_dt.x > p.snap_distance ){
renderer.domElement.addEventListener('touchmove', function(e){
renderer.domElement.addEventListener('mouseout', function(e) {
renderer.domElement.addEventListener('touchend', function(e) {
var intersects = g.raycaster.intersectObjects(p.objects);
renderer.domElement.addEventListener('mousemove',function(e){
var point_v = point.clone().sub(camera.position.clone());
renderer.domElement.addEventListener('mouseup', function(e) {
var camera_correction = get_camera_correction();
return new THREE.Matrix4().makeTranslation(v.x,v.y,v.z);
g.origin_touch_id = e.changedTouches[0].identifier;
if( axes_locked() ){ check_active_axes(); }
if ( g.init_dt.x - g.init_dt.y > p.snap_distance ){
var rect = renderer.domElement.getBoundingClientRect();
g.object_id_index.push( objects[i].uuid );
g.intersect.forward.object.matrix.copy( prep_matrix );
g.intersect.forward.object.matrix.copy( prep_matrix );
var origin_rel = get_rel_coords( translation_origin );
g.mode == 'rotate' && p.lock_rotation_axes == true
if ( objects[i].uuid == object_id_index[j] ){
y: e.changedTouches[touch_num].clientY
if (e.touches.length == 1 && axes_locked() ){
if ( typeof g.active_axes.r != 'undefined' ){
x: g.pointer.current.x-g.pointer.last.x,
throw "invalid mode: "+g.mode+" not recognised";
g.intersect.forward.object.matrixAutoUpdate = false;
g.intersect.forward.object.matrixAutoUpdate = false;
for( var i = 0; i <= b.length - 1; i++){
if ( g.object_id_index[j] == objects[i].uuid ){
if ( typeof touch_num != 'undefined' ){
y: g.pointer.current.y-g.pointer.last.y
var transform_matrix = get_translation_transform();
throw "Invalid mode: "+new_mode+" not recognised";
g.pointer.current = {x:e.clientX,y:e.clientY};
x: new THREE.Matrix4().makeRotationX(theta.x),
y: new THREE.Matrix4().makeRotationY(theta.y),
if (new_mode == 'rotate' || new_mode == 'translate'){
z: new THREE.Matrix4().makeRotationZ(theta.z)
throw "invalid mode: "+g.mode+" not recognised";
for( var j = 0; j<= g.object_index.length; j++){
g.pointer.last = { x: e.clientX, y: e.clientY };
g.pointer.orig = { x: e.clientX, y: e.clientY };
transform_object(g.pointer.current);
if ( typeof g.intersect.forward != 'undefined'){
x: g.pointer.current.x-g.pointer.last.x,
if( typeof g.active_axes.r != 'undefined' ){
var camera_correction = get_camera_correction();
z: point_v.dot( camera.getWorldDirection() )
g.pointer.current = {x:e.clientX,y:e.clientY };
y: g.pointer.current.y-g.pointer.last.y
z: g.dt[p.z_control_axis]/ p.turning_circle
if ("buttons" in e && e.buttons == i + 1) {
for (var i = 0; i <= objects.length - 1; i++){
g.raycaster.set(rev.origin,rev.direction);
var up = new THREE.Vector3(up4.x,up4.y,up4.z);
if ( typeof g.active_axes.r == 'undefined' ){
var h = renderer.domElement.clientHeight / 2;
for ( var i = 0; i <= objects.length - 1; i++ ){
this.init = function(scene,camera,renderer,options){
g.click_timer = setTimeout(function () {
transform_object(g.pointer.current);
pos: trans_matrix( transform.origin )
trans_correction.pos.clone()
var w = renderer.domElement.clientWidth / 2;
x: g.pointer.current.x-g.pointer.orig.x,
var rel = get_rel_coords( rotation_origin );
g.raycaster.setFromCamera(event_v, camera);
g.pointer.last = g.pointer.current;
var translation_origin = new THREE.Vector3(
y: g.pointer.current.y-g.pointer.orig.y
raycaster: new THREE.Raycaster(),
p.objects.push( objects[i] );
g.object_id_index.push( p.objects.uuid );
var transform = get_rotation_transform();
g.intersect.forward = intersects[0];
** Controls for translating or rotating individual
g.pointer.last = g.pointer.current;
var rotation_origin = new THREE.Vector3(
g.object_id_index.splice(j,1);
for( var i=0; i<=p.objects.length-1; i++){
function get_translation_distance(Z,h,dx){
} else if (! axes_locked() ){
renderer.render( scene, camera );
var button = e.which || e.button;
function set_raycast_intercept(event_v){
var button = detect_mouse_button(e);
if ( typeof button != 'undefined' ){
g.pointer.last = g.pointer.orig;
g.init_dt.x += Math.abs(g.dt.x);
g.init_dt.y += Math.abs(g.dt.y);
.multiply(camera_correction.pos)
.multiply(camera_correction.neg)
.multiply(camera_correction.neg)
** objects about specific points under three.js
already_included= true;
double_click_toggle_mode();
.multiply(trans_correction.neg)
x : Math.atan( rel.y / rel.z ),
pointer: {
var already_included = false;
if (! already_included ){
} else if (! axes_locked() ){
} else if ( g.mode == 'rotate' ){
camera_correction.pos.clone()
function get_translation_transform(){
function double_click_toggle_mode(){
clearTimeout(g.click_timer);
check_active_axes();
g.intersect.forward.point.x,
g.intersect.forward.point.y,
var trans = new THREE.Vector3();
x: point_v.dot(cam_horiz_v),
x: g.dt.y/ p.turning_circle,
y: g.dt.x/ p.turning_circle,
g.intersect.forward = undefined;
g.intersect.reverse = undefined;
}, g.double_click_timeout);
if( button == 'right'){
if (e.touches.length == 2){
double_click_toggle_mode();
if (e.touches.length == 2){
function check_active_axes(offset){
.multiply(transform.matrix)
.multiply(transform_matrix)
g.intersect.forward.point.z
matrix: rel_r.y.pos.clone()
.multiply(rel_r.y.neg),
p.objects.splice(j,1);
var ct = e.changedTouches;
touch_num = undefined;
function get_rotation_transform(){
var rot = new THREE.Matrix4();
.multiply(rel_r.x.pos)
.multiply(rel_r.x.neg)
if ( intersects.length > 0 ){
g.click_timer = null;
g.active_axes = {
g.active_axes = {
if ( g.mode == 'translate' ){
function get_camera_correction(){
} else if (g.mode == 'rotate') {
if (g.click_timer == null) {
} else if (p.mode_auto){
g.pointer.current={
function detect_mouse_button(e){
if (p.auto_render == true){
function get_rel_coords(point){
origin: rotation_origin
g.pointer.last = undefined;
g.init_dt = { x: 0, y: 0 };
if ( object_clicked ){
g.active_axes = {
g.active_axes = {
.multiply(old_matrix);
.multiply(old_matrix);
THREE.PointDragControls = function(){
g.click_timer = null;
g.active_axes = {
g.active_axes = {
} else if (p.mode_auto) {
var camera_correction = {
return camera_correction;
function clear_active_axes(){
var b = ['left','right'];
if (button == i + 1){
return new THREE.Vector2(
if (g.mode == 'translate'){
z_control_axis: 'y',
r: 'xy',
function transform_object(){
var trans_correction = {
function translate_object(){
function get_pointer_v(loc){
for( var key in defaults ){
r: 'z',
t: 'xy'
translate_object();
y: point_v.dot(up),
this.toggle_mode = toggle_mode;
g.raycaster.near = p.near;
t: 'z'
var touch_num = 0;
.multiply(rot)
result = b[i];
result = b[i];
** Released under the MIT license
g.mode = 'translate';
function rotate_object(){
function trans_matrix(v){
function set_mode(new_mode){
g.raycaster.far = p.far;
if (object_clicked){
r: 'xy',
t: 'x',
t: 'y',
rotate_object();
return trans_matrix;
e.stopPropagation();
clear_active_axes();
clear_active_axes();
clear_active_axes();
clear_active_axes();
clear_active_axes();
g.mode = 'rotate';
e.preventDefault();
e.preventDefault();
r: 'z',
t: 'z',
t: 'xy'
e.preventDefault();
function axes_locked(){
var locked = false;
g.mode = new_mode;
function include(objects){
break;
function exclude(objects){
var p = options || {};
toggle_mode();
r: 'y'
r: 'x'
var prep_matrix =
var prep_matrix =
var screen_rel = {
locked = true;
** (c) Virtual Blue LTD. 2017
g.mode = p.init_mode;
g.active_axes = {
r: undefined,
d: undefined,
this.set_mode = set_mode;
return true;
g.dt = {
t: undefined
function toggle_mode(){
var rev = {
var orig_dt = {
var rot_set = {
this.include = include;
this.exclude = exclude;
};
};
break;
break;
return result;
return locked;
/* point_drag_controls.js
** Tom Gracey August 2017
var g = this.globals;
return false;
var theta = {
var rel_r = {
return false;
return false;
return false;
return false;
return false;
return false;
var defaults = {
g.dt = {
var rel = {
return rel;
var result;
this.mode = g.mode;
active_axes: {
};
};
};
};
};
};
}
return DX;
}
}
}
}
}
}
z : 0
x: {
y: {
} else {
} else {
return {
});
};
}
};
});
},
}
}
}
}
}
}
}
}
}
}
}
}
if (
** December 2017
} else {
} else {
** Version 0.2
};
);
};
};
);
};
};
};
};
};
){
);
}
}
}
}
}
}
}
}
}
}
}
}
}
});
});
});
});
});
});
});
});
},
},
},
};
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
};
};
};
};
}
Sorry! No behavior.

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

DNS

No domains contacted.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.