Analysis

Category Package Started Completed Duration Options Log
FILE bat 2025-07-14 11:04:28 2025-07-14 11:07:32 184 seconds Show Options Show Log 
procdump=1
amsidump=1
2024-04-29 04:32:59,000 [root] INFO: Date set to: 20250714T04:04:27, timeout set to: 150
2025-07-14 04:04:27,015 [root] DEBUG: Starting analyzer from: C:\tmpd65zellw
2025-07-14 04:04:27,015 [root] DEBUG: Storing results at: C:\mEBmNK
2025-07-14 04:04:27,015 [root] DEBUG: Pipe server name: \\.\PIPE\whrsfDzbx
2025-07-14 04:04:27,015 [root] DEBUG: Python path: C:\olddocs
2025-07-14 04:04:27,015 [root] DEBUG: No analysis package specified, trying to detect it automagically
2025-07-14 04:04:27,015 [root] INFO: Automatically selected analysis package "bat"
2025-07-14 04:04:27,015 [root] DEBUG: Importing analysis package "bat"...
2025-07-14 04:04:27,031 [root] DEBUG: Initializing analysis package "bat"...
2025-07-14 04:04:27,031 [root] INFO: Analyzer: Package modules.packages.bat does not specify a DLL option
2025-07-14 04:04:27,031 [root] INFO: Analyzer: Package modules.packages.bat does not specify a DLL_64 option
2025-07-14 04:04:27,031 [root] INFO: Analyzer: Package modules.packages.bat does not specify a loader option
2025-07-14 04:04:27,031 [root] INFO: Analyzer: Package modules.packages.bat does not specify a loader_64 option
2025-07-14 04:04:27,062 [root] DEBUG: Importing auxiliary module "modules.auxiliary.browser"...
2025-07-14 04:04:27,062 [root] DEBUG: Importing auxiliary module "modules.auxiliary.curtain"...
2025-07-14 04:04:27,078 [root] DEBUG: Importing auxiliary module "modules.auxiliary.default_apps"...
2025-07-14 04:04:27,093 [root] DEBUG: Importing auxiliary module "modules.auxiliary.digisig"...
2025-07-14 04:04:27,109 [root] DEBUG: Importing auxiliary module "modules.auxiliary.disguise"...
2025-07-14 04:04:27,109 [root] DEBUG: Importing auxiliary module "modules.auxiliary.evtx"...
2025-07-14 04:04:27,125 [root] DEBUG: Importing auxiliary module "modules.auxiliary.fiddler"...
2025-07-14 04:04:27,140 [root] DEBUG: Importing auxiliary module "modules.auxiliary.human"...
2025-07-14 04:04:27,140 [root] DEBUG: Importing auxiliary module "modules.auxiliary.screenshots"...
2025-07-14 04:04:27,140 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-07-14 04:04:27,218 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2025-07-14 04:04:27,218 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2025-07-14 04:04:27,234 [root] DEBUG: Importing auxiliary module "modules.auxiliary.sysmon"...
2025-07-14 04:04:27,234 [root] DEBUG: Importing auxiliary module "modules.auxiliary.tlsdump"...
2025-07-14 04:04:27,234 [root] DEBUG: Importing auxiliary module "modules.auxiliary.usage"...
2025-07-14 04:04:27,234 [root] DEBUG: Initializing auxiliary module "Browser"...
2025-07-14 04:04:27,234 [root] DEBUG: Started auxiliary module Browser
2025-07-14 04:04:27,234 [root] DEBUG: Initializing auxiliary module "Curtain"...
2025-07-14 04:04:27,234 [root] DEBUG: Started auxiliary module Curtain
2025-07-14 04:04:27,234 [root] DEBUG: Initializing auxiliary module "DefaultApps"...
2025-07-14 04:04:27,265 [modules.auxiliary.default_apps] DEBUG: Getting current user SID using WinAPI
2025-07-14 04:04:27,265 [root] DEBUG: Started auxiliary module DefaultApps
2025-07-14 04:04:27,265 [root] DEBUG: Initializing auxiliary module "DigiSig"...
2025-07-14 04:04:27,265 [modules.auxiliary.digisig] INFO: signtool.exe was not found in bin/
2025-07-14 04:04:27,265 [modules.auxiliary.digisig] INFO: dummy
2025-07-14 04:04:27,265 [modules.auxiliary.digisig] INFO: Skipping authenticode validation, unsupported analyzer package
2025-07-14 04:04:27,265 [root] DEBUG: Started auxiliary module DigiSig
2025-07-14 04:04:27,265 [root] DEBUG: Initializing auxiliary module "Disguise"...
2025-07-14 04:04:27,609 [modules.auxiliary.disguise] INFO: Setting NoRecentDocsHistory
2025-07-14 04:04:27,609 [root] WARNING: Cannot execute auxiliary module Disguise: [WinError 2] The system cannot find the file specified
2025-07-14 04:04:27,609 [root] DEBUG: Initializing auxiliary module "Evtx"...
2025-07-14 04:04:27,625 [modules.auxiliary.evtx] INFO: Loading audit policy C:\tmpd65zellw\bin\auditpol.csv
2025-07-14 04:04:27,921 [modules.auxiliary.evtx] INFO: Wiping logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2025-07-14 04:04:28,546 [root] DEBUG: Started auxiliary module Evtx
2025-07-14 04:04:28,562 [root] DEBUG: Initializing auxiliary module "Fiddler"...
2025-07-14 04:04:28,562 [modules.auxiliary.fiddler] INFO: fiddler package: dummy
2025-07-14 04:04:28,562 [root] DEBUG: Started auxiliary module Fiddler
2025-07-14 04:04:28,562 [root] DEBUG: Initializing auxiliary module "Human"...
2025-07-14 04:04:28,562 [root] DEBUG: Started auxiliary module Human
2025-07-14 04:04:28,562 [root] DEBUG: Initializing auxiliary module "Screenshots"...
2025-07-14 04:04:28,562 [root] DEBUG: Started auxiliary module Screenshots
2025-07-14 04:04:28,562 [root] DEBUG: Initializing auxiliary module "Sysmon"...
2025-07-14 04:04:28,578 [modules.auxiliary.sysmon] INFO: Seeing if we need to update sysmon config
2025-07-14 04:04:28,578 [root] DEBUG: Started auxiliary module Sysmon
2025-07-14 04:04:28,578 [root] DEBUG: Initializing auxiliary module "TLSDumpMasterSecrets"...
2025-07-14 04:04:28,578 [modules.auxiliary.sysmon] INFO: Found Sysmon Executable
2025-07-14 04:04:28,578 [modules.auxiliary.sysmon] INFO: Found Sysmon config
2025-07-14 04:04:28,578 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 556
2025-07-14 04:04:28,578 [lib.api.process] INFO: Monitor config for process 556: C:\tmpd65zellw\dll\556.ini
2025-07-14 04:04:30,734 [modules.auxiliary.sysmon] INFO: Clearing existing sysmon logs
2025-07-14 04:04:31,593 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2025-07-14 04:04:31,593 [lib.api.process] INFO: Option 'amsidump' with value '1' sent to monitor
2025-07-14 04:04:31,593 [lib.api.process] INFO: Option 'disable_hook_content' with value '4' sent to monitor
2025-07-14 04:04:31,593 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-07-14 04:04:31,593 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpd65zellw\dll\gzPeIaW.dll, loader C:\tmpd65zellw\bin\WZCfWkPJ.exe
2025-07-14 04:04:31,609 [root] DEBUG: Loader: Injecting process 556 with C:\tmpd65zellw\dll\gzPeIaW.dll.
2025-07-14 04:04:31,640 [root] DEBUG: 556: Python path set to 'C:\olddocs'.
2025-07-14 04:04:31,640 [root] DEBUG: 556: Disabling sleep skipping.
2025-07-14 04:04:31,640 [root] DEBUG: 556: Process dumps enabled.
2025-07-14 04:04:31,640 [root] DEBUG: 556: AMSI dumping enabled.
2025-07-14 04:04:31,656 [root] DEBUG: 556: TLS secret dump mode enabled.
2025-07-14 04:04:31,656 [root] DEBUG: 556: Monitor initialised: 64-bit capemon loaded in process 556 at 0x000007FEED6D0000, thread 2340, image base 0x00000000FFF80000, stack from 0x0000000002293000-0x00000000022A0000
2025-07-14 04:04:31,656 [root] DEBUG: 556: Commandline: C:\Windows\system32\lsass.exe
2025-07-14 04:04:31,656 [root] DEBUG: 556: Hooked 5 out of 5 functions
2025-07-14 04:04:31,671 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-07-14 04:04:31,671 [root] DEBUG: Successfully injected DLL C:\tmpd65zellw\dll\gzPeIaW.dll.
2025-07-14 04:04:31,718 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 556
2025-07-14 04:04:31,718 [root] DEBUG: Started auxiliary module TLSDumpMasterSecrets
2025-07-14 04:04:31,718 [root] DEBUG: Initializing auxiliary module "Usage"...
2025-07-14 04:04:31,718 [root] DEBUG: Started auxiliary module Usage
2025-07-14 04:04:34,359 [root] INFO: Restarting WMI Service
2025-07-14 04:04:38,421 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\system32\cmd.exe" with arguments "/c start /wait "" "C:\Users\pgabriel\AppData\Local\Temp\opencalc.bat"" with pid 2164
2025-07-14 04:04:38,421 [lib.api.process] INFO: Monitor config for process 2164: C:\tmpd65zellw\dll\2164.ini
2025-07-14 04:04:38,437 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2025-07-14 04:04:38,437 [lib.api.process] INFO: Option 'amsidump' with value '1' sent to monitor
2025-07-14 04:04:38,437 [lib.api.process] INFO: Option 'disable_hook_content' with value '4' sent to monitor
2025-07-14 04:04:38,437 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpd65zellw\dll\PtlLCDGx.dll, loader C:\tmpd65zellw\bin\utcKfUI.exe
2025-07-14 04:04:38,453 [root] DEBUG: Loader: Injecting process 2164 (thread 2688) with C:\tmpd65zellw\dll\PtlLCDGx.dll.
2025-07-14 04:04:38,468 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-07-14 04:04:38,468 [root] DEBUG: Successfully injected DLL C:\tmpd65zellw\dll\PtlLCDGx.dll.
2025-07-14 04:04:38,468 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2164
2025-07-14 04:04:40,468 [lib.api.process] INFO: Successfully resumed process with pid 2164
2025-07-14 04:04:40,515 [root] DEBUG: 2164: Python path set to 'C:\olddocs'.
2025-07-14 04:04:40,515 [root] DEBUG: 2164: Disabling sleep skipping.
2025-07-14 04:04:40,515 [root] DEBUG: 2164: Process dumps enabled.
2025-07-14 04:04:40,515 [root] DEBUG: 2164: AMSI dumping enabled.
2025-07-14 04:04:40,515 [root] DEBUG: 2164: Dropped file limit defaulting to 100.
2025-07-14 04:04:40,531 [root] DEBUG: 2164: YaraInit: Compiled 43 rule files
2025-07-14 04:04:40,546 [root] DEBUG: 2164: YaraInit: Compiled rules saved to file C:\tmpd65zellw\data\yara\capemon.yac
2025-07-14 04:04:40,546 [root] DEBUG: 2164: YaraScan: Scanning 0x4A2A0000, size 0x4bb2e
2025-07-14 04:04:40,546 [root] DEBUG: 2164: Monitor initialised: 32-bit capemon loaded in process 2164 at 0x74010000, thread 2688, image base 0x4a2a0000, stack from 0x113000-0x210000
2025-07-14 04:04:40,546 [root] DEBUG: 2164: Commandline: "C:\Windows\system32\cmd.exe" /c start /wait "" "C:\Users\pgabriel\AppData\Local\Temp\opencalc.bat"
2025-07-14 04:04:40,578 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2025-07-14 04:04:40,578 [root] DEBUG: 2164: set_hooks: Unable to hook GetCommandLineA
2025-07-14 04:04:40,578 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2025-07-14 04:04:40,578 [root] DEBUG: 2164: set_hooks: Unable to hook GetCommandLineW
2025-07-14 04:04:40,578 [root] DEBUG: 2164: Hooked 615 out of 617 functions
2025-07-14 04:04:40,578 [root] DEBUG: 2164: WoW64 detected: 64-bit ntdll base: 0x773f0000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7745b5f0, Wow64PrepareForException: 0x0
2025-07-14 04:04:40,578 [root] DEBUG: 2164: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x2d0000
2025-07-14 04:04:40,593 [root] INFO: Loaded monitor into process with pid 2164
2025-07-14 04:04:40,593 [root] DEBUG: 2164: caller_dispatch: Added region at 0x4A2A0000 to tracked regions list (ntdll::NtOpenThread returns to 0x4A2A732B, thread 2688).
2025-07-14 04:04:40,593 [root] DEBUG: 2164: YaraScan: Scanning 0x4A2A0000, size 0x4bb2e
2025-07-14 04:04:40,593 [root] DEBUG: 2164: ProcessImageBase: Main module image at 0x4A2A0000 unmodified (entropy change 0.000000e+00)
2025-07-14 04:04:40,609 [root] DEBUG: 2164: CreateProcessHandler: Injection info set for new process 2828: C:\Windows\system32\cmd.exe, ImageBase: 0x4A2A0000
2025-07-14 04:04:40,609 [root] INFO: Announced 32-bit process name: cmd.exe pid: 2828
2025-07-14 04:04:40,609 [lib.api.process] INFO: Monitor config for process 2828: C:\tmpd65zellw\dll\2828.ini
2025-07-14 04:04:40,609 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2025-07-14 04:04:40,609 [lib.api.process] INFO: Option 'amsidump' with value '1' sent to monitor
2025-07-14 04:04:40,609 [lib.api.process] INFO: Option 'disable_hook_content' with value '4' sent to monitor
2025-07-14 04:04:40,609 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpd65zellw\dll\PtlLCDGx.dll, loader C:\tmpd65zellw\bin\utcKfUI.exe
2025-07-14 04:04:40,625 [root] DEBUG: Loader: Injecting process 2828 (thread 1488) with C:\tmpd65zellw\dll\PtlLCDGx.dll.
2025-07-14 04:04:40,625 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-07-14 04:04:40,640 [root] DEBUG: Successfully injected DLL C:\tmpd65zellw\dll\PtlLCDGx.dll.
2025-07-14 04:04:40,640 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2828
2025-07-14 04:04:40,640 [root] DEBUG: 2164: DLL loaded at 0x72810000: C:\Windows\system32\apphelp (0x4c000 bytes).
2025-07-14 04:04:40,640 [root] WARNING: Received request to inject process with pid 2828, skipped alredy in inject list
2025-07-14 04:04:40,671 [root] DEBUG: 2828: Python path set to 'C:\olddocs'.
2025-07-14 04:04:40,687 [root] DEBUG: 2828: Disabling sleep skipping.
2025-07-14 04:04:40,687 [root] DEBUG: 2828: Process dumps enabled.
2025-07-14 04:04:40,687 [root] DEBUG: 2828: AMSI dumping enabled.
2025-07-14 04:04:40,687 [root] DEBUG: 2828: Dropped file limit defaulting to 100.
2025-07-14 04:04:40,687 [root] DEBUG: 2828: YaraInit: Compiled rules loaded from existing file C:\tmpd65zellw\data\yara\capemon.yac
2025-07-14 04:04:40,687 [root] DEBUG: 2828: YaraScan: Scanning 0x4A2A0000, size 0x4bb2e
2025-07-14 04:04:40,687 [root] DEBUG: 2828: Monitor initialised: 32-bit capemon loaded in process 2828 at 0x74010000, thread 1488, image base 0x4a2a0000, stack from 0x233000-0x330000
2025-07-14 04:04:40,687 [root] DEBUG: 2828: Commandline: C:\Windows\system32\cmd.exe  /K "C:\Users\pgabriel\AppData\Local\Temp\opencalc.bat"
2025-07-14 04:04:40,718 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2025-07-14 04:04:40,718 [root] DEBUG: 2828: set_hooks: Unable to hook GetCommandLineA
2025-07-14 04:04:40,718 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2025-07-14 04:04:40,718 [root] DEBUG: 2828: set_hooks: Unable to hook GetCommandLineW
2025-07-14 04:04:40,718 [root] DEBUG: 2828: Hooked 615 out of 617 functions
2025-07-14 04:04:40,718 [root] DEBUG: 2828: WoW64 detected: 64-bit ntdll base: 0x773f0000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7745b5f0, Wow64PrepareForException: 0x0
2025-07-14 04:04:40,718 [root] DEBUG: 2828: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x150000
2025-07-14 04:04:40,718 [root] INFO: Loaded monitor into process with pid 2828
2025-07-14 04:04:40,734 [root] DEBUG: 2828: caller_dispatch: Added region at 0x4A2A0000 to tracked regions list (ntdll::NtOpenThread returns to 0x4A2A732B, thread 1488).
2025-07-14 04:04:40,734 [root] DEBUG: 2828: YaraScan: Scanning 0x4A2A0000, size 0x4bb2e
2025-07-14 04:04:40,734 [root] DEBUG: 2828: ProcessImageBase: Main module image at 0x4A2A0000 unmodified (entropy change 0.000000e+00)
2025-07-14 04:04:40,781 [root] DEBUG: 2828: CreateProcessHandler: Injection info set for new process 2452: C:\Windows\system32\calc.exe, ImageBase: 0x003A0000
2025-07-14 04:04:40,781 [root] INFO: Announced 32-bit process name: calc.exe pid: 2452
2025-07-14 04:04:40,781 [lib.api.process] INFO: Monitor config for process 2452: C:\tmpd65zellw\dll\2452.ini
2025-07-14 04:04:40,781 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2025-07-14 04:04:40,781 [lib.api.process] INFO: Option 'amsidump' with value '1' sent to monitor
2025-07-14 04:04:40,781 [lib.api.process] INFO: Option 'disable_hook_content' with value '4' sent to monitor
2025-07-14 04:04:40,781 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpd65zellw\dll\PtlLCDGx.dll, loader C:\tmpd65zellw\bin\utcKfUI.exe
2025-07-14 04:04:40,796 [root] DEBUG: Loader: Injecting process 2452 (thread 2668) with C:\tmpd65zellw\dll\PtlLCDGx.dll.
2025-07-14 04:04:40,812 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2025-07-14 04:04:40,812 [root] DEBUG: Successfully injected DLL C:\tmpd65zellw\dll\PtlLCDGx.dll.
2025-07-14 04:04:40,812 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2452
2025-07-14 04:04:40,812 [root] DEBUG: 2828: DLL loaded at 0x72810000: C:\Windows\system32\apphelp (0x4c000 bytes).
2025-07-14 04:04:40,828 [root] WARNING: Received request to inject process with pid 2452, skipped alredy in inject list
2025-07-14 04:04:40,843 [root] DEBUG: 2452: Python path set to 'C:\olddocs'.
2025-07-14 04:04:40,843 [root] DEBUG: 2452: Process dumps enabled.
2025-07-14 04:04:40,843 [root] DEBUG: 2452: AMSI dumping enabled.
2025-07-14 04:04:40,843 [root] DEBUG: 2452: Dropped file limit defaulting to 100.
2025-07-14 04:04:40,859 [root] DEBUG: 2452: Disabling sleep skipping.
2025-07-14 04:04:40,859 [root] DEBUG: 2452: YaraInit: Compiled rules loaded from existing file C:\tmpd65zellw\data\yara\capemon.yac
2025-07-14 04:04:40,859 [root] DEBUG: 2452: YaraScan: Scanning 0x003A0000, size 0xbfb3a
2025-07-14 04:04:40,859 [root] DEBUG: 2452: Monitor initialised: 32-bit capemon loaded in process 2452 at 0x74010000, thread 2668, image base 0x3a0000, stack from 0x1b6000-0x1c0000
2025-07-14 04:04:40,875 [root] DEBUG: 2452: Commandline: calc.exe
2025-07-14 04:04:40,890 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2025-07-14 04:04:40,890 [root] DEBUG: 2452: set_hooks: Unable to hook GetCommandLineA
2025-07-14 04:04:40,890 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2025-07-14 04:04:40,890 [root] DEBUG: 2452: set_hooks: Unable to hook GetCommandLineW
2025-07-14 04:04:40,906 [root] DEBUG: 2452: Hooked 615 out of 617 functions
2025-07-14 04:04:40,906 [root] DEBUG: 2452: WoW64 detected: 64-bit ntdll base: 0x773f0000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7745b5f0, Wow64PrepareForException: 0x0
2025-07-14 04:04:40,906 [root] DEBUG: 2452: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x170000
2025-07-14 04:04:40,906 [root] INFO: Loaded monitor into process with pid 2452
2025-07-14 04:04:40,906 [root] DEBUG: 2452: caller_dispatch: Added region at 0x003A0000 to tracked regions list (ntdll::NtOpenKey returns to 0x003B3433, thread 2668).
2025-07-14 04:04:40,906 [root] DEBUG: 2452: YaraScan: Scanning 0x003A0000, size 0xbfb3a
2025-07-14 04:04:40,921 [root] DEBUG: 2452: ProcessImageBase: Main module image at 0x003A0000 unmodified (entropy change 0.000000e+00)
2025-07-14 04:04:40,921 [root] DEBUG: 2452: DLL loaded at 0x73D50000: C:\Windows\SysWOW64\WindowsCodecs (0x130000 bytes).
2025-07-14 04:04:40,937 [root] DEBUG: 2452: DLL loaded at 0x74570000: C:\Windows\SysWOW64\dwmapi (0x13000 bytes).
2025-07-14 04:04:40,968 [root] DEBUG: 2452: DLL loaded at 0x76610000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2025-07-14 04:04:41,015 [modules.auxiliary.sysmon] INFO: Dumping sysmon logs
2025-07-14 04:04:41,150 [root] DEBUG: 2452: DLL loaded at 0x74530000: C:\Windows\SysWOW64\oleacc (0x3c000 bytes).
2025-07-14 04:04:43,556 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2025-07-14 04:04:43,837 [lib.common.results] INFO: File 1752491083775390600.HardwareEvents.evtx.gz size is 359, Max size: 100000000
2025-07-14 04:04:43,853 [lib.common.results] INFO: File 1752491083775390600.InternetExplorer.evtx.gz size is 251, Max size: 100000000
2025-07-14 04:04:43,869 [lib.common.results] INFO: File 1752491083775390600.Application.evtx.gz size is 6800, Max size: 100000000
2025-07-14 04:04:43,884 [lib.common.results] INFO: File 1752491083775390600.KeyManagementService.evtx.gz size is 8383, Max size: 100000000
2025-07-14 04:04:43,900 [lib.common.results] INFO: File 1752491083822265600.OAlerts.evtx.gz size is 243, Max size: 100000000
2025-07-14 04:04:43,916 [lib.common.results] INFO: File 1752491083837890600.Security.evtx.gz size is 8167, Max size: 100000000
2025-07-14 04:04:43,931 [lib.common.results] INFO: File 1752491083837890600.Setup.evtx.gz size is 240, Max size: 100000000
2025-07-14 04:04:43,947 [lib.common.results] INFO: File 1752491083837890600.System.evtx.gz size is 8776, Max size: 100000000
2025-07-14 04:04:43,947 [lib.common.results] INFO: File 1752491083884765600.WindowsPowerShell.evtx.gz size is 4663, Max size: 100000000
2025-07-14 04:04:46,119 [modules.auxiliary.sysmon] INFO: Uploading sysmon/1752491086.1191406.sysmon.evtx.gz to host
2025-07-14 04:04:46,119 [lib.common.results] INFO: File C:\Sysmon.evtx.gz size is 8914, Max size: 100000000
2025-07-14 04:04:51,681 [lib.common.results] INFO: File c:\olddocs\1752491086666.saz size is 4607, Max size: 100000000
2025-07-14 04:04:51,697 [modules.auxiliary.fiddler] ERROR: Saz log file not found in guest machine
2025-07-14 04:04:58,978 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2025-07-14 04:04:59,228 [lib.common.results] INFO: File 1752491099181640600.HardwareEvents.evtx.gz size is 359, Max size: 100000000
2025-07-14 04:04:59,259 [lib.common.results] INFO: File 1752491099181640600.InternetExplorer.evtx.gz size is 251, Max size: 100000000
2025-07-14 04:04:59,275 [lib.common.results] INFO: File 1752491099181640600.KeyManagementService.evtx.gz size is 8383, Max size: 100000000
2025-07-14 04:04:59,291 [lib.common.results] INFO: File 1752491099181640600.Application.evtx.gz size is 6722, Max size: 100000000
2025-07-14 04:04:59,306 [lib.common.results] INFO: File 1752491099228515600.OAlerts.evtx.gz size is 243, Max size: 100000000
2025-07-14 04:04:59,322 [lib.common.results] INFO: File 1752491099244140600.Setup.evtx.gz size is 240, Max size: 100000000
2025-07-14 04:04:59,337 [lib.common.results] INFO: File 1752491099244140600.Security.evtx.gz size is 8341, Max size: 100000000
2025-07-14 04:04:59,353 [lib.common.results] INFO: File 1752491099244140600.System.evtx.gz size is 8400, Max size: 100000000
2025-07-14 04:04:59,369 [lib.common.results] INFO: File 1752491099275390600.WindowsPowerShell.evtx.gz size is 4663, Max size: 100000000
2025-07-14 04:05:01,134 [modules.auxiliary.sysmon] INFO: Dumping sysmon logs
2025-07-14 04:05:06,228 [modules.auxiliary.sysmon] INFO: Uploading sysmon/1752491106.2285156.sysmon.evtx.gz to host
2025-07-14 04:05:06,228 [lib.common.results] INFO: File C:\Sysmon.evtx.gz size is 17661, Max size: 100000000
2025-07-14 04:05:11,791 [modules.auxiliary.fiddler] ERROR: Saz log file not found in guest machine
2025-07-14 04:05:14,400 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2025-07-14 04:05:14,603 [lib.common.results] INFO: File 1752491114572265600.HardwareEvents.evtx.gz size is 359, Max size: 100000000
2025-07-14 04:05:14,619 [lib.common.results] INFO: File 1752491114572265600.Application.evtx.gz size is 6722, Max size: 100000000
2025-07-14 04:05:14,650 [lib.common.results] INFO: File 1752491114603515600.InternetExplorer.evtx.gz size is 251, Max size: 100000000
2025-07-14 04:05:14,666 [lib.common.results] INFO: File 1752491114603515600.OAlerts.evtx.gz size is 243, Max size: 100000000
2025-07-14 04:05:14,681 [lib.common.results] INFO: File 1752491114603515600.KeyManagementService.evtx.gz size is 8383, Max size: 100000000
2025-07-14 04:05:14,697 [lib.common.results] INFO: File 1752491114619140600.Security.evtx.gz size is 8247, Max size: 100000000
2025-07-14 04:05:14,712 [lib.common.results] INFO: File 1752491114650390600.Setup.evtx.gz size is 240, Max size: 100000000
2025-07-14 04:05:14,728 [lib.common.results] INFO: File 1752491114650390600.WindowsPowerShell.evtx.gz size is 4663, Max size: 100000000
2025-07-14 04:05:14,744 [lib.common.results] INFO: File 1752491114650390600.System.evtx.gz size is 8330, Max size: 100000000
2025-07-14 04:05:21,244 [modules.auxiliary.sysmon] INFO: Dumping sysmon logs
2025-07-14 04:05:26,306 [modules.auxiliary.sysmon] INFO: Uploading sysmon/1752491126.3066406.sysmon.evtx.gz to host
2025-07-14 04:05:26,306 [lib.common.results] INFO: File C:\Sysmon.evtx.gz size is 5593, Max size: 100000000
2025-07-14 04:05:29,775 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2025-07-14 04:05:30,009 [lib.common.results] INFO: File 1752491129962890600.InternetExplorer.evtx.gz size is 251, Max size: 100000000
2025-07-14 04:05:30,025 [lib.common.results] INFO: File 1752491129962890600.HardwareEvents.evtx.gz size is 359, Max size: 100000000
2025-07-14 04:05:30,025 [lib.common.results] INFO: File 1752491129962890600.KeyManagementService.evtx.gz size is 8383, Max size: 100000000
2025-07-14 04:05:30,041 [lib.common.results] INFO: File 1752491129962890600.Application.evtx.gz size is 6722, Max size: 100000000
2025-07-14 04:05:30,072 [lib.common.results] INFO: File 1752491130009765600.OAlerts.evtx.gz size is 243, Max size: 100000000
2025-07-14 04:05:30,087 [lib.common.results] INFO: File 1752491130025390600.Security.evtx.gz size is 8276, Max size: 100000000
2025-07-14 04:05:30,103 [lib.common.results] INFO: File 1752491130025390600.Setup.evtx.gz size is 240, Max size: 100000000
2025-07-14 04:05:30,119 [lib.common.results] INFO: File 1752491130025390600.System.evtx.gz size is 8297, Max size: 100000000
2025-07-14 04:05:30,134 [lib.common.results] INFO: File 1752491130072265600.WindowsPowerShell.evtx.gz size is 4663, Max size: 100000000
2025-07-14 04:05:31,869 [modules.auxiliary.fiddler] ERROR: Saz log file not found in guest machine
2025-07-14 04:05:41,322 [modules.auxiliary.sysmon] INFO: Dumping sysmon logs
2025-07-14 04:05:45,150 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2025-07-14 04:05:45,369 [lib.common.results] INFO: File 1752491145306640600.InternetExplorer.evtx.gz size is 251, Max size: 100000000
2025-07-14 04:05:45,384 [lib.common.results] INFO: File 1752491145306640600.HardwareEvents.evtx.gz size is 359, Max size: 100000000
2025-07-14 04:05:45,400 [lib.common.results] INFO: File 1752491145306640600.KeyManagementService.evtx.gz size is 8383, Max size: 100000000
2025-07-14 04:05:45,416 [lib.common.results] INFO: File 1752491145306640600.Application.evtx.gz size is 6986, Max size: 100000000
2025-07-14 04:05:45,431 [lib.common.results] INFO: File 1752491145353515600.OAlerts.evtx.gz size is 243, Max size: 100000000
2025-07-14 04:05:45,431 [lib.common.results] INFO: File 1752491145369140600.Setup.evtx.gz size is 240, Max size: 100000000
2025-07-14 04:05:45,431 [lib.common.results] INFO: File 1752491145369140600.System.evtx.gz size is 8337, Max size: 100000000
2025-07-14 04:05:45,447 [lib.common.results] INFO: File 1752491145369140600.Security.evtx.gz size is 8123, Max size: 100000000
2025-07-14 04:05:45,494 [lib.common.results] INFO: File 1752491145416015600.WindowsPowerShell.evtx.gz size is 4663, Max size: 100000000
2025-07-14 04:05:46,400 [modules.auxiliary.sysmon] INFO: Uploading sysmon/1752491146.4003906.sysmon.evtx.gz to host
2025-07-14 04:05:46,400 [lib.common.results] INFO: File C:\Sysmon.evtx.gz size is 5635, Max size: 100000000
2025-07-14 04:05:51,947 [modules.auxiliary.fiddler] ERROR: Saz log file not found in guest machine
2025-07-14 04:06:00,525 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2025-07-14 04:06:00,775 [lib.common.results] INFO: File 1752491160712890600.HardwareEvents.evtx.gz size is 359, Max size: 100000000
2025-07-14 04:06:00,791 [lib.common.results] INFO: File 1752491160712890600.InternetExplorer.evtx.gz size is 251, Max size: 100000000
2025-07-14 04:06:00,806 [lib.common.results] INFO: File 1752491160712890600.Application.evtx.gz size is 6920, Max size: 100000000
2025-07-14 04:06:00,822 [lib.common.results] INFO: File 1752491160712890600.KeyManagementService.evtx.gz size is 8383, Max size: 100000000
2025-07-14 04:06:00,837 [lib.common.results] INFO: File 1752491160775390600.Setup.evtx.gz size is 240, Max size: 100000000
2025-07-14 04:06:00,853 [lib.common.results] INFO: File 1752491160775390600.Security.evtx.gz size is 8146, Max size: 100000000
2025-07-14 04:06:00,869 [lib.common.results] INFO: File 1752491160775390600.OAlerts.evtx.gz size is 243, Max size: 100000000
2025-07-14 04:06:00,884 [lib.common.results] INFO: File 1752491160775390600.System.evtx.gz size is 8312, Max size: 100000000
2025-07-14 04:06:00,900 [lib.common.results] INFO: File 1752491160837890600.WindowsPowerShell.evtx.gz size is 4663, Max size: 100000000
2025-07-14 04:06:01,416 [modules.auxiliary.sysmon] INFO: Dumping sysmon logs
2025-07-14 04:06:06,478 [modules.auxiliary.sysmon] INFO: Uploading sysmon/1752491166.4785156.sysmon.evtx.gz to host
2025-07-14 04:06:06,478 [lib.common.results] INFO: File C:\Sysmon.evtx.gz size is 5449, Max size: 100000000
2025-07-14 04:06:12,041 [modules.auxiliary.fiddler] ERROR: Saz log file not found in guest machine
2025-07-14 04:06:15,931 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2025-07-14 04:06:16,150 [lib.common.results] INFO: File 1752491176103515600.InternetExplorer.evtx.gz size is 251, Max size: 100000000
2025-07-14 04:06:16,166 [lib.common.results] INFO: File 1752491176103515600.HardwareEvents.evtx.gz size is 359, Max size: 100000000
2025-07-14 04:06:16,181 [lib.common.results] INFO: File 1752491176103515600.Application.evtx.gz size is 6920, Max size: 100000000
2025-07-14 04:06:16,197 [lib.common.results] INFO: File 1752491176103515600.KeyManagementService.evtx.gz size is 8383, Max size: 100000000
2025-07-14 04:06:16,212 [lib.common.results] INFO: File 1752491176150390600.OAlerts.evtx.gz size is 243, Max size: 100000000
2025-07-14 04:06:16,212 [lib.common.results] INFO: File 1752491176166015600.Setup.evtx.gz size is 240, Max size: 100000000
2025-07-14 04:06:16,228 [lib.common.results] INFO: File 1752491176150390600.Security.evtx.gz size is 8250, Max size: 100000000
2025-07-14 04:06:16,244 [lib.common.results] INFO: File 1752491176166015600.System.evtx.gz size is 8302, Max size: 100000000
2025-07-14 04:06:16,259 [lib.common.results] INFO: File 1752491176212890600.WindowsPowerShell.evtx.gz size is 4663, Max size: 100000000
2025-07-14 04:06:21,494 [modules.auxiliary.sysmon] INFO: Dumping sysmon logs
2025-07-14 04:06:26,556 [modules.auxiliary.sysmon] INFO: Uploading sysmon/1752491186.5566406.sysmon.evtx.gz to host
2025-07-14 04:06:26,556 [lib.common.results] INFO: File C:\Sysmon.evtx.gz size is 5540, Max size: 100000000
2025-07-14 04:06:31,291 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2025-07-14 04:06:31,525 [lib.common.results] INFO: File 1752491191462890600.InternetExplorer.evtx.gz size is 251, Max size: 100000000
2025-07-14 04:06:31,541 [lib.common.results] INFO: File 1752491191462890600.HardwareEvents.evtx.gz size is 359, Max size: 100000000
2025-07-14 04:06:31,556 [lib.common.results] INFO: File 1752491191462890600.Application.evtx.gz size is 6920, Max size: 100000000
2025-07-14 04:06:31,572 [lib.common.results] INFO: File 1752491191478515600.KeyManagementService.evtx.gz size is 8383, Max size: 100000000
2025-07-14 04:06:31,587 [lib.common.results] INFO: File 1752491191509765600.OAlerts.evtx.gz size is 243, Max size: 100000000
2025-07-14 04:06:31,603 [lib.common.results] INFO: File 1752491191525390600.Security.evtx.gz size is 8186, Max size: 100000000
2025-07-14 04:06:31,619 [lib.common.results] INFO: File 1752491191525390600.Setup.evtx.gz size is 240, Max size: 100000000
2025-07-14 04:06:31,634 [lib.common.results] INFO: File 1752491191541015600.System.evtx.gz size is 8341, Max size: 100000000
2025-07-14 04:06:31,650 [lib.common.results] INFO: File 1752491191572265600.WindowsPowerShell.evtx.gz size is 4663, Max size: 100000000
2025-07-14 04:06:32,119 [modules.auxiliary.fiddler] ERROR: Saz log file not found in guest machine
2025-07-14 04:06:41,572 [modules.auxiliary.sysmon] INFO: Dumping sysmon logs
2025-07-14 04:06:46,650 [modules.auxiliary.sysmon] INFO: Uploading sysmon/1752491206.6503906.sysmon.evtx.gz to host
2025-07-14 04:06:46,650 [lib.common.results] INFO: File C:\Sysmon.evtx.gz size is 5800, Max size: 100000000
2025-07-14 04:06:46,681 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2025-07-14 04:06:46,900 [lib.common.results] INFO: File 1752491206853515600.InternetExplorer.evtx.gz size is 251, Max size: 100000000
2025-07-14 04:06:46,916 [lib.common.results] INFO: File 1752491206853515600.HardwareEvents.evtx.gz size is 359, Max size: 100000000
2025-07-14 04:06:46,931 [lib.common.results] INFO: File 1752491206853515600.KeyManagementService.evtx.gz size is 8383, Max size: 100000000
2025-07-14 04:06:46,947 [lib.common.results] INFO: File 1752491206853515600.Application.evtx.gz size is 6920, Max size: 100000000
2025-07-14 04:06:46,962 [lib.common.results] INFO: File 1752491206900390600.Security.evtx.gz size is 8377, Max size: 100000000
2025-07-14 04:06:46,978 [lib.common.results] INFO: File 1752491206916015600.Setup.evtx.gz size is 240, Max size: 100000000
2025-07-14 04:06:46,978 [lib.common.results] INFO: File 1752491206900390600.OAlerts.evtx.gz size is 243, Max size: 100000000
2025-07-14 04:06:46,994 [lib.common.results] INFO: File 1752491206916015600.System.evtx.gz size is 8325, Max size: 100000000
2025-07-14 04:06:47,009 [lib.common.results] INFO: File 1752491206962890600.WindowsPowerShell.evtx.gz size is 4663, Max size: 100000000
2025-07-14 04:06:52,212 [modules.auxiliary.fiddler] ERROR: Saz log file not found in guest machine
2025-07-14 04:07:01,666 [modules.auxiliary.sysmon] INFO: Dumping sysmon logs
2025-07-14 04:07:02,056 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2025-07-14 04:07:02,275 [lib.common.results] INFO: File 1752491222228515600.InternetExplorer.evtx.gz size is 251, Max size: 100000000
2025-07-14 04:07:02,306 [lib.common.results] INFO: File 1752491222228515600.HardwareEvents.evtx.gz size is 359, Max size: 100000000
2025-07-14 04:07:02,322 [lib.common.results] INFO: File 1752491222228515600.Application.evtx.gz size is 6920, Max size: 100000000
2025-07-14 04:07:02,322 [lib.common.results] INFO: File 1752491222228515600.KeyManagementService.evtx.gz size is 8383, Max size: 100000000
2025-07-14 04:07:02,337 [lib.common.results] INFO: File 1752491222275390600.OAlerts.evtx.gz size is 243, Max size: 100000000
2025-07-14 04:07:02,353 [lib.common.results] INFO: File 1752491222291015600.Setup.evtx.gz size is 240, Max size: 100000000
2025-07-14 04:07:02,353 [lib.common.results] INFO: File 1752491222275390600.Security.evtx.gz size is 8259, Max size: 100000000
2025-07-14 04:07:02,353 [lib.common.results] INFO: File 1752491222291015600.System.evtx.gz size is 8311, Max size: 100000000
2025-07-14 04:07:02,369 [lib.common.results] INFO: File 1752491222322265600.WindowsPowerShell.evtx.gz size is 4663, Max size: 100000000
2025-07-14 04:07:06,744 [modules.auxiliary.sysmon] INFO: Uploading sysmon/1752491226.7441406.sysmon.evtx.gz to host
2025-07-14 04:07:06,744 [lib.common.results] INFO: File C:\Sysmon.evtx.gz size is 5505, Max size: 100000000
2025-07-14 04:07:10,494 [root] INFO: Analysis timeout hit, terminating analysis
2025-07-14 04:07:10,494 [lib.api.process] INFO: Terminate event set for process 2164
2025-07-14 04:07:10,494 [root] DEBUG: 2164: Terminate Event: Attempting to dump process 2164
2025-07-14 04:07:10,494 [root] DEBUG: 2164: DoProcessDump: Skipping process dump as code is identical on disk.
2025-07-14 04:07:10,494 [lib.api.process] INFO: Termination confirmed for process 2164
2025-07-14 04:07:10,509 [root] INFO: Terminate event set for process 2164
2025-07-14 04:07:10,509 [root] DEBUG: 2164: Terminate Event: monitor shutdown complete for process 2164
2025-07-14 04:07:10,509 [lib.api.process] INFO: Terminate event set for process 2828
2025-07-14 04:07:10,509 [root] DEBUG: 2828: Terminate Event: Attempting to dump process 2828
2025-07-14 04:07:10,509 [root] DEBUG: 2828: DoProcessDump: Skipping process dump as code is identical on disk.
2025-07-14 04:07:10,509 [lib.api.process] INFO: Termination confirmed for process 2828
2025-07-14 04:07:10,509 [root] INFO: Terminate event set for process 2828
2025-07-14 04:07:10,509 [root] DEBUG: 2828: Terminate Event: monitor shutdown complete for process 2828
2025-07-14 04:07:10,509 [lib.api.process] INFO: Terminate event set for process 2452
2025-07-14 04:07:10,509 [root] DEBUG: 2452: Terminate Event: Attempting to dump process 2452
2025-07-14 04:07:10,509 [root] DEBUG: 2452: DoProcessDump: Skipping process dump as code is identical on disk.
2025-07-14 04:07:10,525 [lib.api.process] INFO: Termination confirmed for process 2452
2025-07-14 04:07:10,525 [root] INFO: Terminate event set for process 2452
2025-07-14 04:07:10,525 [root] DEBUG: 2452: Terminate Event: monitor shutdown complete for process 2452
2025-07-14 04:07:10,525 [root] INFO: Created shutdown mutex
2025-07-14 04:07:11,525 [root] INFO: Shutting down package
2025-07-14 04:07:11,525 [root] INFO: Stopping auxiliary modules
2025-07-14 04:07:11,525 [modules.auxiliary.curtain] ERROR: Curtain - Error collecting PowerShell events - [WinError 6] The handle is invalid
2025-07-14 04:07:11,525 [lib.common.results] INFO: File C:\curtain.log size is 0, Max size: 100000000
2025-07-14 04:07:11,541 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2025-07-14 04:07:11,759 [lib.common.results] INFO: File 1752491231712890600.HardwareEvents.evtx.gz size is 359, Max size: 100000000
2025-07-14 04:07:11,791 [lib.common.results] INFO: File 1752491231712890600.InternetExplorer.evtx.gz size is 251, Max size: 100000000
2025-07-14 04:07:11,791 [lib.common.results] INFO: File 1752491231712890600.Application.evtx.gz size is 6920, Max size: 100000000
2025-07-14 04:07:11,806 [lib.common.results] INFO: File 1752491231744140600.KeyManagementService.evtx.gz size is 8383, Max size: 100000000
2025-07-14 04:07:11,822 [lib.common.results] INFO: File 1752491231759765600.OAlerts.evtx.gz size is 243, Max size: 100000000
2025-07-14 04:07:11,837 [lib.common.results] INFO: File 1752491231775390600.Security.evtx.gz size is 8333, Max size: 100000000
2025-07-14 04:07:11,837 [lib.common.results] INFO: File 1752491231775390600.Setup.evtx.gz size is 240, Max size: 100000000
2025-07-14 04:07:11,853 [lib.common.results] INFO: File 1752491231791015600.System.evtx.gz size is 8330, Max size: 100000000
2025-07-14 04:07:11,869 [lib.common.results] INFO: File 1752491231822265600.WindowsPowerShell.evtx.gz size is 4663, Max size: 100000000
2025-07-14 04:07:12,306 [modules.auxiliary.fiddler] ERROR: Saz log file not found in guest machine
2025-07-14 04:07:16,978 [modules.auxiliary.fiddler] ERROR: Saz log file not found in guest machine
2025-07-14 04:07:16,978 [modules.auxiliary.sysmon] INFO: Doing final sysmon log dump
2025-07-14 04:07:17,400 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2025-07-14 04:07:17,619 [lib.common.results] INFO: File 1752491237572265600.HardwareEvents.evtx.gz size is 359, Max size: 100000000
2025-07-14 04:07:17,619 [lib.common.results] INFO: File 1752491237572265600.InternetExplorer.evtx.gz size is 251, Max size: 100000000
2025-07-14 04:07:17,634 [lib.common.results] INFO: File 1752491237572265600.Application.evtx.gz size is 6920, Max size: 100000000
2025-07-14 04:07:17,650 [lib.common.results] INFO: File 1752491237572265600.KeyManagementService.evtx.gz size is 8383, Max size: 100000000
2025-07-14 04:07:17,666 [lib.common.results] INFO: File 1752491237619140600.OAlerts.evtx.gz size is 243, Max size: 100000000
2025-07-14 04:07:17,681 [lib.common.results] INFO: File 1752491237619140600.Security.evtx.gz size is 8274, Max size: 100000000
2025-07-14 04:07:17,697 [lib.common.results] INFO: File 1752491237634765600.Setup.evtx.gz size is 240, Max size: 100000000
2025-07-14 04:07:17,712 [lib.common.results] INFO: File 1752491237634765600.System.evtx.gz size is 8330, Max size: 100000000
2025-07-14 04:07:17,728 [lib.common.results] INFO: File 1752491237666015600.WindowsPowerShell.evtx.gz size is 4663, Max size: 100000000
2025-07-14 04:07:21,759 [modules.auxiliary.sysmon] INFO: Dumping sysmon logs
2025-07-14 04:07:22,041 [modules.auxiliary.sysmon] INFO: Uploading sysmon/1752491242.0410156.sysmon.evtx.gz to host
2025-07-14 04:07:22,041 [lib.common.results] INFO: File C:\Sysmon.evtx.gz size is 5126, Max size: 100000000
2025-07-14 04:07:22,056 [root] INFO: Finishing auxiliary modules
2025-07-14 04:07:22,056 [root] INFO: Shutting down pipe server and dumping dropped files
2025-07-14 04:07:22,056 [root] WARNING: Folder at path "C:\mEBmNK\debugger" does not exist, skipping
2025-07-14 04:07:22,056 [root] WARNING: Folder at path "C:\mEBmNK\tlsdump" does not exist, skipping
2025-07-14 04:07:22,056 [root] INFO: Analysis completed

Machine

Name Label Manager Started On Shutdown On Route
win7office2k3flash2800137TWN3H104 win7office2k3flash2800137TWN3H104 KVM 2025-07-14 11:04:28 2025-07-14 11:07:32 internet

File Details

File Name opencalc.bat
File Size 9 bytes
File Type ASCII text
MD5 c61463921d79e07e461fd0e731f72619
SHA1 4c70ac1680d2c4bdb145d5be5dad5230b20805f2
SHA256 7fdf626e0603f5bc2375a7bbc92c94a21088841c0a03cf3c5f12aa9c680ce4e6
SHA512 1a0ada808250064beaafad6095f6d12b0a26ddeb0aff616205986dc4db7c4e72686701945bfb948a141a5f6db0d0e6cec29cd2fddc59ba07a9279a93a7e3541e
SHA3-384 b61a7654e9f55c8d3f21ad0e18325fb9d987f7baece23caa7b5803b1ed18cc0603d1cc5a57f344355e3e08a0950fcd36
CRC32 8D648BCF
Ssdeep 3:FGLAdK:FbK
File 
                                    
                                
calc.exe
calc.exe

Processing ( 10.86 seconds )

  • 7.347 Suricata
  • 2.74 Zircolite
  • 0.298 BehaviorAnalysis
  • 0.192 Deduplicate
  • 0.136 NetworkAnalysis
  • 0.056 Fiddler
  • 0.045 CAPE
  • 0.022 TargetInfo
  • 0.016 AnalysisInfo
  • 0.007 Static
  • 0.002 Debug
  • 0.001 Strings

Signatures ( 0.04 seconds )

  • 0.014 antiav_detectreg
  • 0.005 infostealer_ftp
  • 0.005 territorial_disputes_sigs
  • 0.003 infostealer_im
  • 0.002 guloader_apis
  • 0.002 masslogger_artifacts
  • 0.002 ransomware_files
  • 0.002 sigma
  • 0.001 persistence_autorun
  • 0.001 antianalysis_detectfile
  • 0.001 antianalysis_detectreg
  • 0.001 antiav_detectfile
  • 0.001 antivm_vbox_keys
  • 0.001 antivm_vmware_keys
  • 0.001 infostealer_bitcoin
  • 0.001 infostealer_mail
  • 0.001 ransomware_extensions

Reporting ( 0.01 seconds )

  • 0.01 JsonDump

Signatures

Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: ADVAPI32.dll/SaferIdentifyLevel
DynamicLoader: ADVAPI32.dll/SaferComputeTokenFromLevel
DynamicLoader: ADVAPI32.dll/SaferCloseLevel
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: LPK.dll/LpkEditControl
DynamicLoader: WindowsCodecs.dll/WICCreateImagingFactory_Proxy
DynamicLoader: UxTheme.dll/ThemeInitApiHook
DynamicLoader: USER32.dll/IsProcessDPIAware
DynamicLoader: dwmapi.dll/DwmIsCompositionEnabled
DynamicLoader: GDI32.dll/GetLayout
DynamicLoader: GDI32.dll/GdiRealizationInfo
DynamicLoader: GDI32.dll/FontIsLinked
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: GDI32.dll/GetFontAssocStatus
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: USER32.dll/GetWindowInfo
DynamicLoader: USER32.dll/GetAncestor
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/EnumDisplayDevicesA
DynamicLoader: GDI32.dll/ExtTextOutW
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
DynamicLoader: COMCTL32.dll/RegisterClassNameW
DynamicLoader: UxTheme.dll/OpenThemeData
DynamicLoader: UxTheme.dll/IsThemePartDefined
DynamicLoader: UxTheme.dll/GetThemeFont
DynamicLoader: UxTheme.dll/GetThemeColor
DynamicLoader: UxTheme.dll/GetThemeBool
DynamicLoader: IMM32.DLL/ImmIsIME
DynamicLoader: UxTheme.dll/EnableThemeDialogTexture
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: WINMM.dll/timeGetTime
DynamicLoader: WINMM.dll/timeSetEvent
DynamicLoader: WINMM.dll/timeKillEvent
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: OLEAUT32.dll/#2
DynamicLoader: OLEAUT32.dll/#10
DynamicLoader: OLEAUT32.dll/#6
DynamicLoader: UxTheme.dll/BufferedPaintInit
DynamicLoader: UxTheme.dll/BufferedPaintRenderAnimation
DynamicLoader: UxTheme.dll/BeginBufferedAnimation
DynamicLoader: UxTheme.dll/IsThemeBackgroundPartiallyTransparent
DynamicLoader: UxTheme.dll/DrawThemeParentBackground
DynamicLoader: UxTheme.dll/DrawThemeBackground
DynamicLoader: UxTheme.dll/GetThemeBackgroundContentRect
DynamicLoader: UxTheme.dll/EndBufferedAnimation
DynamicLoader: GDI32.dll/GetTextExtentExPointWPri
DynamicLoader: UxTheme.dll/DrawThemeText
DynamicLoader: UxTheme.dll/BufferedPaintStopAllAnimations
DynamicLoader: OLEAUT32.dll/#9
Sigma Alerts
title: Uncommon Process Access Rights For Target Image
id: a24e5861-c6ca-4fde-a93c-ba9256feddf0
description: Detects process access request to uncommon target images with a "PROCESS_ALL_ACCESS" access mask.
sigmafile:
sigma: ["SELECT * FROM logs WHERE Channel='Microsoft-Windows-Sysmon/Operational' AND (EventID=10 AND ((TargetImage LIKE '%\\\\calc.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\calculator.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\mspaint.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\notepad.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\ping.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\write.exe' ESCAPE '\\') AND GrantedAccess='0x1FFFFF'))"]
rule_level: low
tags: ['attack.defense-evasion', 'attack.privilege-escalation', 'attack.t1055.011']
count: 2
matches: [{'row_id': 737, 'Provider_Name': 'Microsoft-Windows-Sysmon', 'Guid': '5770385F-C22A-43E0-BF4C-06F5698FFBD9', 'EventID': 10, 'Version': 3, 'Level': 4, 'Task': 10, 'Opcode': 0, 'Keywords': '0x8000000000000000', 'SystemTime': '2025-07-14T11:04:40.781250Z', 'EventRecordID': 1921992, 'ProcessID': 1328, 'ThreadID': 1740, 'Channel': 'Microsoft-Windows-Sysmon/Operational', 'Computer': 'VmwFnXfbY', 'UserID': 'S-1-5-18', 'OriginalLogfile': '1752491106.2285156.sysmon.evtx-F3OJGSYZ.json', 'RuleName': '-', 'UtcTime': '2025-07-14 11:04:40.781', 'SourceProcessGUID': '34022EC5-E448-6874-1D03-000000007500', 'SourceProcessId': 2828, 'SourceThreadId': 1488, 'SourceImage': 'C:\\Windows\\SysWOW64\\cmd.exe', 'TargetProcessGUID': '34022EC5-E448-6874-2003-000000007500', 'TargetProcessId': 2452, 'TargetImage': 'C:\\Windows\\SysWOW64\\calc.exe', 'GrantedAccess': '0x1fffff', 'CallTrace': 'C:\\Windows\\SYSTEM32\\ntdll.dll+6a35a|C:\\Windows\\SYSTEM32\\wow64.dll+ba4f|C:\\Windows\\SYSTEM32\\wow64.dll+2161f|C:\\Windows\\SYSTEM32\\wow64.dll+d18f|C:\\Windows\\SYSTEM32\\wow64cpu.dll+2776|C:\\Windows\\SYSTEM32\\wow64.dll+d286|C:\\Windows\\SYSTEM32\\wow64.dll+c69e|C:\\Windows\\SYSTEM32\\ntdll.dll+343c3|C:\\Windows\\SYSTEM32\\ntdll.dll+99780|C:\\Windows\\SYSTEM32\\ntdll.dll+4371e|C:\\Windows\\SysWOW64\\ntdll.dll+2095e(wow64)|UNKNOWN(000000007404DAF2)|C:\\Windows\\syswow64\\kernel32.dll+2439c(wow64)|UNKNOWN(00000000740585E9)|C:\\Windows\\syswow64\\kernel32.dll+11069(wow64)|C:\\Windows\\SysWOW64\\cmd.exe+3f94|C:\\Windows\\SysWOW64\\cmd.exe+3cb5|C:\\Windows\\SysWOW64\\cmd.exe+3d48|C:\\Windows\\SysWOW64\\cmd.exe+15c5|C:\\Windows\\SysWOW64\\cmd.exe+22c0|C:\\Windows\\SysWOW64\\cmd.exe+4d0e|C:\\Windows\\SysWOW64\\cmd.exe+5718|C:\\Windows\\SysWOW64\\cmd.exe+6b85|C:\\Windows\\SysWOW64\\cmd.exe+3d48', 'SourceUser': 'VMWFNXFBY\\IHjfCWtkxUu', 'TargetUser': 'VMWFNXFBY\\IHjfCWtkxUu'}, {'row_id': 743, 'Provider_Name': 'Microsoft-Windows-Sysmon', 'Guid': '5770385F-C22A-43E0-BF4C-06F5698FFBD9', 'EventID': 10, 'Version': 3, 'Level': 4, 'Task': 10, 'Opcode': 0, 'Keywords': '0x8000000000000000', 'SystemTime': '2025-07-14T11:04:40.812500Z', 'EventRecordID': 1921998, 'ProcessID': 1328, 'ThreadID': 1740, 'Channel': 'Microsoft-Windows-Sysmon/Operational', 'Computer': 'VmwFnXfbY', 'UserID': 'S-1-5-18', 'OriginalLogfile': '1752491106.2285156.sysmon.evtx-F3OJGSYZ.json', 'RuleName': '-', 'UtcTime': '2025-07-14 11:04:40.812', 'SourceProcessGUID': '34022EC5-E448-6874-2103-000000007500', 'SourceProcessId': 1460, 'SourceThreadId': 2716, 'SourceImage': 'C:\\tmpd65zellw\\bin\\utcKfUI.exe', 'TargetProcessGUID': '34022EC5-E448-6874-2003-000000007500', 'TargetProcessId': 2452, 'TargetImage': 'C:\\Windows\\SysWOW64\\calc.exe', 'GrantedAccess': '0x1fffff', 'CallTrace': 'C:\\Windows\\SYSTEM32\\ntdll.dll+69aea|C:\\Windows\\SYSTEM32\\wow64.dll+14ec8|C:\\Windows\\SYSTEM32\\wow64.dll+d18f|C:\\Windows\\SYSTEM32\\wow64cpu.dll+2776|C:\\Windows\\SYSTEM32\\wow64.dll+d286|C:\\Windows\\SYSTEM32\\wow64.dll+c69e|C:\\Windows\\SYSTEM32\\ntdll.dll+343c3|C:\\Windows\\SYSTEM32\\ntdll.dll+99780|C:\\Windows\\SYSTEM32\\ntdll.dll+4371e|C:\\Windows\\SysWOW64\\ntdll.dll+1fc62(wow64)|C:\\Windows\\syswow64\\KERNELBASE.dll+f369(wow64)|C:\\tmpd65zellw\\bin\\utcKfUI.exe+2d8e|C:\\tmpd65zellw\\bin\\utcKfUI.exe+3831|C:\\tmpd65zellw\\bin\\utcKfUI.exe+44d5|C:\\Windows\\syswow64\\kernel32.dll+1344d(wow64)|C:\\Windows\\SysWOW64\\ntdll.dll+39802(wow64)|C:\\Windows\\SysWOW64\\ntdll.dll+397d5(wow64)', 'SourceUser': 'VMWFNXFBY\\IHjfCWtkxUu', 'TargetUser': 'VMWFNXFBY\\IHjfCWtkxUu'}]
Network activity detected but not expressed in API logs

Screenshots

Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States

DNS

No domains contacted.

Summary

C:\Users\pgabriel\AppData\Local\Temp
C:\Users
C:\Users\pgabriel
C:\Users\pgabriel\AppData
C:\Users\pgabriel\AppData\Local
C:\Users\pgabriel\AppData\Local\Temp\opencalc.bat
C:\Users\pgabriel\AppData\Local\Temp\opencalc.bat\
C:\Users\pgabriel\AppData\Local\Temp\
C:\Users\pgabriel\AppData\Local\
C:\Users\pgabriel\AppData\
C:\Users\pgabriel\
C:\Users\
\??\MountPointManager
C:\Users\pgabriel\AppData\Local\Temp\calc.exe
C:\Users\pgabriel\AppData\Local\Temp\calc.exe.*
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\calc.exe
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\calc.exe.*
C:\Windows\System32\calc.exe
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\Fonts\staticcache.dat
C:\Windows\System32\rpcss.dll
C:\Users\pgabriel\AppData\Local\Temp\opencalc.bat
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\Fonts\staticcache.dat
DisableUserModeCallbackFilter
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\LevelObjects
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\Levels
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\DefaultLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\SaferFlags
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Srp\\GP\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Srp\GP\RuleCount
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\PolicyScope
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\LogFileName
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_CLASSES_ROOT\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance
HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance
HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Segoe UI
HKEY_CURRENT_USER\Software\Microsoft\Calc
HKEY_CURRENT_USER\Software\Microsoft\Calc\layout
HKEY_CURRENT_USER\Software\Microsoft\Calc\UseSep
HKEY_CURRENT_USER\Software\Microsoft\Calc\ShowHistory
HKEY_CURRENT_USER\Software\Microsoft\Calc\Templates
HKEY_CURRENT_USER\Software\Microsoft\Calc\DateTime
HKEY_CURRENT_USER\Software\Microsoft\Calc\Window_Placement
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Control Panel\International
HKEY_CURRENT_USER\Control Panel\International\sDecimal
HKEY_CURRENT_USER\Control Panel\International\sThousand
HKEY_CURRENT_USER\Control Panel\International\sGrouping
HKEY_CURRENT_USER\Software\Microsoft\Calc\Window_Min_Width
HKEY_CURRENT_USER\Software\Microsoft\Calc\Window_Min_Height
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\calc.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Consolas
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Segoe UI Symbol
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\Levels
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\DefaultLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\SaferFlags
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Srp\GP\RuleCount
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\PolicyScope
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\LogFileName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_CURRENT_USER\Software\Microsoft\Calc\layout
HKEY_CURRENT_USER\Software\Microsoft\Calc\UseSep
HKEY_CURRENT_USER\Software\Microsoft\Calc\ShowHistory
HKEY_CURRENT_USER\Software\Microsoft\Calc\Templates
HKEY_CURRENT_USER\Software\Microsoft\Calc\DateTime
HKEY_CURRENT_USER\Software\Microsoft\Calc\Window_Placement
HKEY_CURRENT_USER\Control Panel\International\sDecimal
HKEY_CURRENT_USER\Control Panel\International\sThousand
HKEY_CURRENT_USER\Control Panel\International\sGrouping
HKEY_CURRENT_USER\Software\Microsoft\Calc\Window_Min_Width
HKEY_CURRENT_USER\Software\Microsoft\Calc\Window_Min_Height
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_CURRENT_USER\Software\Microsoft\Calc
HKEY_CURRENT_USER\Software\Microsoft\Calc\Window_Placement
kernel32.dll.SetThreadUILanguage
kernel32.dll.CopyFileExW
kernel32.dll.IsDebuggerPresent
kernel32.dll.SetConsoleInputExeNameW
advapi32.dll.SaferIdentifyLevel
advapi32.dll.SaferComputeTokenFromLevel
advapi32.dll.SaferCloseLevel
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
lpk.dll.LpkEditControl
windowscodecs.dll.WICCreateImagingFactory_Proxy
uxtheme.dll.ThemeInitApiHook
user32.dll.IsProcessDPIAware
dwmapi.dll.DwmIsCompositionEnabled
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
gdi32.dll.GetTextFaceAliasW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
gdi32.dll.GetFontAssocStatus
advapi32.dll.RegQueryValueExA
advapi32.dll.RegEnumKeyExW
kernel32.dll.IsProcessorFeaturePresent
user32.dll.GetWindowInfo
user32.dll.GetAncestor
user32.dll.GetMonitorInfoA
user32.dll.EnumDisplayMonitors
user32.dll.EnumDisplayDevicesA
gdi32.dll.ExtTextOutW
gdi32.dll.GdiIsMetaPrintDC
comctl32.dll.RegisterClassNameW
uxtheme.dll.OpenThemeData
uxtheme.dll.IsThemePartDefined
uxtheme.dll.GetThemeFont
uxtheme.dll.GetThemeColor
uxtheme.dll.GetThemeBool
imm32.dll.ImmIsIME
uxtheme.dll.EnableThemeDialogTexture
cryptbase.dll.SystemFunction036
winmm.dll.timeGetTime
winmm.dll.timeSetEvent
winmm.dll.timeKillEvent
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
oleaut32.dll.#2
oleaut32.dll.#10
oleaut32.dll.#6
uxtheme.dll.BufferedPaintInit
uxtheme.dll.BufferedPaintRenderAnimation
uxtheme.dll.BeginBufferedAnimation
uxtheme.dll.IsThemeBackgroundPartiallyTransparent
uxtheme.dll.DrawThemeParentBackground
uxtheme.dll.DrawThemeBackground
uxtheme.dll.GetThemeBackgroundContentRect
uxtheme.dll.EndBufferedAnimation
gdi32.dll.GetTextExtentExPointWPri
uxtheme.dll.DrawThemeText
uxtheme.dll.BufferedPaintStopAllAnimations
oleaut32.dll.#9
C:\Windows\system32\cmd.exe /K "C:\Users\pgabriel\AppData\Local\Temp\opencalc.bat"
calc.exe
No static analysis available.
Sorry! No behavior.

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

DNS

No domains contacted.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.