| Category | Package | Started | Completed | Duration | MalScore |
|---|---|---|---|---|---|
| FILE | bat | 2026-04-14 09:02:45 | 2026-04-14 09:05:50 | 185 seconds | 1.5 |

Options:
procdump=1
amsidump=1

Analysis log:
2025-12-02 01:31:18,921 [root] INFO: Date set to: 20260414T02:02:44, timeout set to: 150
2026-04-14 03:02:44,031 [root] DEBUG: Starting analyzer from: C:\tmpn7j73yx1
2026-04-14 03:02:44,031 [root] DEBUG: Storing results at: C:\GFWtWvQmt
2026-04-14 03:02:44,031 [root] DEBUG: Pipe server name: \\.\PIPE\bbPOUidf
2026-04-14 03:02:44,031 [root] DEBUG: Python path: C:\olddocs
2026-04-14 03:02:44,031 [root] DEBUG: No analysis package specified, trying to detect it automagically
2026-04-14 03:02:44,031 [root] INFO: Automatically selected analysis package "bat"
2026-04-14 03:02:44,031 [root] DEBUG: Importing analysis package "bat"...
2026-04-14 03:02:44,046 [root] DEBUG: Initializing analysis package "bat"...
2026-04-14 03:02:44,046 [root] INFO: Analyzer: Package modules.packages.bat does not specify a DLL option
2026-04-14 03:02:44,046 [root] INFO: Analyzer: Package modules.packages.bat does not specify a DLL_64 option
2026-04-14 03:02:44,046 [root] INFO: Analyzer: Package modules.packages.bat does not specify a loader option
2026-04-14 03:02:44,046 [root] INFO: Analyzer: Package modules.packages.bat does not specify a loader_64 option
2026-04-14 03:02:44,093 [root] DEBUG: Importing auxiliary module "modules.auxiliary.browser"...
2026-04-14 03:02:44,109 [root] DEBUG: Importing auxiliary module "modules.auxiliary.curtain"...
2026-04-14 03:02:44,109 [root] DEBUG: Importing auxiliary module "modules.auxiliary.default_apps"...
2026-04-14 03:02:44,109 [root] DEBUG: Importing auxiliary module "modules.auxiliary.digisig"...
2026-04-14 03:02:44,140 [root] DEBUG: Importing auxiliary module "modules.auxiliary.disguise"...
2026-04-14 03:02:44,156 [root] DEBUG: Importing auxiliary module "modules.auxiliary.evtx"...
2026-04-14 03:02:44,171 [root] DEBUG: Importing auxiliary module "modules.auxiliary.fiddler"...
2026-04-14 03:02:44,171 [root] DEBUG: Importing auxiliary module "modules.auxiliary.human"...
2026-04-14 03:02:44,187 [root] DEBUG: Importing auxiliary module "modules.auxiliary.screenshots"...
2026-04-14 03:02:44,187 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2026-04-14 03:02:44,296 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2026-04-14 03:02:44,296 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2026-04-14 03:02:44,296 [root] DEBUG: Importing auxiliary module "modules.auxiliary.sysmon"...
2026-04-14 03:02:44,312 [root] DEBUG: Importing auxiliary module "modules.auxiliary.tlsdump"...
2026-04-14 03:02:44,312 [root] DEBUG: Importing auxiliary module "modules.auxiliary.usage"...
2026-04-14 03:02:44,328 [root] DEBUG: Initializing auxiliary module "Browser"...
2026-04-14 03:02:44,328 [root] DEBUG: Started auxiliary module Browser
2026-04-14 03:02:44,328 [root] DEBUG: Initializing auxiliary module "Curtain"...
2026-04-14 03:02:44,328 [root] DEBUG: Started auxiliary module Curtain
2026-04-14 03:02:44,328 [root] DEBUG: Initializing auxiliary module "DefaultApps"...
2026-04-14 03:02:44,375 [modules.auxiliary.default_apps] DEBUG: Getting current user SID using WinAPI
2026-04-14 03:02:44,375 [root] DEBUG: Started auxiliary module DefaultApps
2026-04-14 03:02:44,375 [root] DEBUG: Initializing auxiliary module "DigiSig"...
2026-04-14 03:02:44,375 [modules.auxiliary.digisig] INFO: signtool.exe was not found in bin/
2026-04-14 03:02:44,375 [modules.auxiliary.digisig] INFO: dummy
2026-04-14 03:02:44,375 [modules.auxiliary.digisig] INFO: Skipping authenticode validation, unsupported analyzer package
2026-04-14 03:02:44,375 [root] DEBUG: Started auxiliary module DigiSig
2026-04-14 03:02:44,375 [root] DEBUG: Initializing auxiliary module "Disguise"...
2026-04-14 03:02:44,687 [modules.auxiliary.disguise] INFO: Setting NoRecentDocsHistory
2026-04-14 03:02:44,687 [root] WARNING: Cannot execute auxiliary module Disguise: [WinError 2] The system cannot find the file specified
2026-04-14 03:02:44,687 [root] DEBUG: Initializing auxiliary module "Evtx"...
2026-04-14 03:02:44,687 [modules.auxiliary.evtx] INFO: Loading audit policy C:\tmpn7j73yx1\bin\auditpol.csv
2026-04-14 03:02:44,906 [modules.auxiliary.evtx] INFO: Wiping logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2026-04-14 03:02:45,734 [root] DEBUG: Started auxiliary module Evtx
2026-04-14 03:02:45,734 [root] DEBUG: Initializing auxiliary module "Fiddler"...
2026-04-14 03:02:45,734 [modules.auxiliary.fiddler] INFO: fiddler package: dummy
2026-04-14 03:02:45,734 [root] DEBUG: Started auxiliary module Fiddler
2026-04-14 03:02:45,734 [root] DEBUG: Initializing auxiliary module "Human"...
2026-04-14 03:02:45,734 [root] DEBUG: Started auxiliary module Human
2026-04-14 03:02:45,734 [root] DEBUG: Initializing auxiliary module "Screenshots"...
2026-04-14 03:02:45,734 [root] DEBUG: Started auxiliary module Screenshots
2026-04-14 03:02:45,734 [root] DEBUG: Initializing auxiliary module "Sysmon"...
2026-04-14 03:02:45,750 [root] DEBUG: Started auxiliary module Sysmon
2026-04-14 03:02:45,750 [modules.auxiliary.sysmon] INFO: Seeing if we need to update sysmon config
2026-04-14 03:02:45,750 [modules.auxiliary.sysmon] INFO: Found Sysmon Executable
2026-04-14 03:02:45,750 [modules.auxiliary.sysmon] INFO: Found Sysmon config
2026-04-14 03:02:45,750 [root] DEBUG: Initializing auxiliary module "TLSDumpMasterSecrets"...
2026-04-14 03:02:45,750 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 560
2026-04-14 03:02:45,750 [lib.api.process] INFO: Monitor config for process 560: C:\tmpn7j73yx1\dll\560.ini
2026-04-14 03:02:47,875 [modules.auxiliary.sysmon] INFO: Clearing existing sysmon logs
2026-04-14 03:02:48,765 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2026-04-14 03:02:48,765 [lib.api.process] INFO: Option 'amsidump' with value '1' sent to monitor
2026-04-14 03:02:48,765 [lib.api.process] INFO: Option 'disable_hook_content' with value '4' sent to monitor
2026-04-14 03:02:48,765 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2026-04-14 03:02:48,765 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpn7j73yx1\dll\PulDrFMb.dll, loader C:\tmpn7j73yx1\bin\ETTFtjEk.exe
2026-04-14 03:02:48,796 [root] DEBUG: Loader: Injecting process 560 with C:\tmpn7j73yx1\dll\PulDrFMb.dll.
2026-04-14 03:02:48,875 [root] DEBUG: 560: Python path set to 'C:\olddocs'.
2026-04-14 03:02:48,875 [root] DEBUG: 560: Disabling sleep skipping.
2026-04-14 03:02:48,875 [root] DEBUG: 560: Process dumps enabled.
2026-04-14 03:02:48,875 [root] DEBUG: 560: AMSI dumping enabled.
2026-04-14 03:02:48,875 [root] DEBUG: 560: TLS secret dump mode enabled.
2026-04-14 03:02:48,921 [root] DEBUG: 560: Monitor initialised: 64-bit capemon loaded in process 560 at 0x000007FEEDC00000, thread 1276, image base 0x00000000FF510000, stack from 0x0000000001C83000-0x0000000001C90000
2026-04-14 03:02:48,921 [root] DEBUG: 560: Commandline: C:\Windows\system32\lsass.exe
2026-04-14 03:02:48,937 [root] DEBUG: 560: Hooked 5 out of 5 functions
2026-04-14 03:02:48,937 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2026-04-14 03:02:48,937 [root] DEBUG: Successfully injected DLL C:\tmpn7j73yx1\dll\PulDrFMb.dll.
2026-04-14 03:02:48,937 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 560
2026-04-14 03:02:48,937 [root] DEBUG: Started auxiliary module TLSDumpMasterSecrets
2026-04-14 03:02:48,937 [root] DEBUG: Initializing auxiliary module "Usage"...
2026-04-14 03:02:48,937 [root] DEBUG: Started auxiliary module Usage
2026-04-14 03:02:51,656 [root] INFO: Restarting WMI Service
2026-04-14 03:02:55,734 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\system32\cmd.exe" with arguments "/c start /wait "" "C:\Users\pgabriel\AppData\Local\Temp\opencalc.bat"" with pid 932
2026-04-14 03:02:55,734 [lib.api.process] INFO: Monitor config for process 932: C:\tmpn7j73yx1\dll\932.ini
2026-04-14 03:02:55,750 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2026-04-14 03:02:55,750 [lib.api.process] INFO: Option 'amsidump' with value '1' sent to monitor
2026-04-14 03:02:55,750 [lib.api.process] INFO: Option 'disable_hook_content' with value '4' sent to monitor
2026-04-14 03:02:55,750 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpn7j73yx1\dll\HSOZToo.dll, loader C:\tmpn7j73yx1\bin\ERrqOVd.exe
2026-04-14 03:02:55,765 [root] DEBUG: Loader: Injecting process 932 (thread 2968) with C:\tmpn7j73yx1\dll\HSOZToo.dll.
2026-04-14 03:02:55,765 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-04-14 03:02:55,765 [root] DEBUG: Successfully injected DLL C:\tmpn7j73yx1\dll\HSOZToo.dll.
2026-04-14 03:02:55,765 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 932
2026-04-14 03:02:57,765 [lib.api.process] INFO: Successfully resumed process with pid 932
2026-04-14 03:02:57,812 [root] DEBUG: 932: Python path set to 'C:\olddocs'.
2026-04-14 03:02:57,812 [root] DEBUG: 932: Disabling sleep skipping.
2026-04-14 03:02:57,812 [root] DEBUG: 932: Process dumps enabled.
2026-04-14 03:02:57,812 [root] DEBUG: 932: AMSI dumping enabled.
2026-04-14 03:02:57,812 [root] DEBUG: 932: Dropped file limit defaulting to 100.
2026-04-14 03:02:57,828 [root] DEBUG: 932: YaraInit: Compiled 45 rule files
2026-04-14 03:02:57,828 [root] DEBUG: 932: YaraInit: Compiled rules saved to file C:\tmpn7j73yx1\data\yara\capemon.yac
2026-04-14 03:02:57,843 [root] DEBUG: 932: YaraScan: Scanning 0x4A0E0000, size 0x4bb2e
2026-04-14 03:02:57,843 [root] DEBUG: 932: Monitor initialised: 32-bit capemon loaded in process 932 at 0x73dc0000, thread 2968, image base 0x4a0e0000, stack from 0x2d3000-0x3d0000
2026-04-14 03:02:57,843 [root] DEBUG: 932: Commandline: "C:\Windows\system32\cmd.exe" /c start /wait "" "C:\Users\pgabriel\AppData\Local\Temp\opencalc.bat"
2026-04-14 03:02:57,859 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2026-04-14 03:02:57,859 [root] DEBUG: 932: set_hooks: Unable to hook GetCommandLineA
2026-04-14 03:02:57,859 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2026-04-14 03:02:57,859 [root] DEBUG: 932: set_hooks: Unable to hook GetCommandLineW
2026-04-14 03:02:57,875 [root] DEBUG: 932: Hooked 625 out of 627 functions
2026-04-14 03:02:57,875 [root] DEBUG: 932: RestoreHeaders: Restored original import table.
2026-04-14 03:02:57,875 [root] INFO: Loaded monitor into process with pid 932
2026-04-14 03:02:57,890 [root] DEBUG: 932: caller_dispatch: Added region at 0x4A0E0000 to tracked regions list (ntdll::NtOpenThread returns to 0x4A0E732B, thread 2968).
2026-04-14 03:02:57,890 [modules.auxiliary.sysmon] INFO: Dumping sysmon logs
2026-04-14 03:02:57,890 [root] DEBUG: 932: YaraScan: Scanning 0x4A0E0000, size 0x4bb2e
2026-04-14 03:02:57,890 [root] DEBUG: 932: ProcessImageBase: Main module image at 0x4A0E0000 unmodified (entropy change 0.000000e+00)
2026-04-14 03:02:57,906 [root] DEBUG: 932: CreateProcessHandler: Injection info set for new process 2720: C:\Windows\system32\cmd.exe, ImageBase: 0x4A0E0000
2026-04-14 03:02:57,906 [root] INFO: Announced 32-bit process name: cmd.exe pid: 2720
2026-04-14 03:02:57,906 [lib.api.process] INFO: Monitor config for process 2720: C:\tmpn7j73yx1\dll\2720.ini
2026-04-14 03:02:57,906 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2026-04-14 03:02:57,906 [lib.api.process] INFO: Option 'amsidump' with value '1' sent to monitor
2026-04-14 03:02:57,906 [lib.api.process] INFO: Option 'disable_hook_content' with value '4' sent to monitor
2026-04-14 03:02:57,906 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpn7j73yx1\dll\HSOZToo.dll, loader C:\tmpn7j73yx1\bin\ERrqOVd.exe
2026-04-14 03:02:57,906 [root] DEBUG: Loader: Injecting process 2720 (thread 2772) with C:\tmpn7j73yx1\dll\HSOZToo.dll.
2026-04-14 03:02:57,921 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-04-14 03:02:57,921 [root] DEBUG: Successfully injected DLL C:\tmpn7j73yx1\dll\HSOZToo.dll.
2026-04-14 03:02:57,921 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2720
2026-04-14 03:02:57,921 [root] DEBUG: 932: DLL loaded at 0x733F0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2026-04-14 03:02:57,921 [root] WARNING: Received request to inject process with pid 2720, skipped alredy in inject list
2026-04-14 03:02:57,921 [root] WARNING: Received request to inject process with pid 2720, skipped alredy in inject list
2026-04-14 03:02:57,953 [root] DEBUG: 2720: Python path set to 'C:\olddocs'.
2026-04-14 03:02:57,953 [root] DEBUG: 2720: Disabling sleep skipping.
2026-04-14 03:02:57,953 [root] DEBUG: 2720: Process dumps enabled.
2026-04-14 03:02:57,968 [root] DEBUG: 2720: AMSI dumping enabled.
2026-04-14 03:02:57,968 [root] DEBUG: 2720: Dropped file limit defaulting to 100.
2026-04-14 03:02:57,968 [root] DEBUG: 2720: YaraInit: Compiled rules loaded from existing file C:\tmpn7j73yx1\data\yara\capemon.yac
2026-04-14 03:02:57,968 [root] DEBUG: 2720: YaraScan: Scanning 0x4A0E0000, size 0x4bb2e
2026-04-14 03:02:57,968 [root] DEBUG: 2720: Monitor initialised: 32-bit capemon loaded in process 2720 at 0x73dc0000, thread 2772, image base 0x4a0e0000, stack from 0xc3000-0x1c0000
2026-04-14 03:02:57,968 [root] DEBUG: 2720: Commandline: C:\Windows\system32\cmd.exe /K "C:\Users\pgabriel\AppData\Local\Temp\opencalc.bat"
2026-04-14 03:02:57,984 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2026-04-14 03:02:57,984 [root] DEBUG: 2720: set_hooks: Unable to hook GetCommandLineA
2026-04-14 03:02:57,984 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2026-04-14 03:02:57,984 [root] DEBUG: 2720: set_hooks: Unable to hook GetCommandLineW
2026-04-14 03:02:58,000 [root] DEBUG: 2720: Hooked 625 out of 627 functions
2026-04-14 03:02:58,000 [root] DEBUG: 2720: RestoreHeaders: Restored original import table.
2026-04-14 03:02:58,000 [root] INFO: Loaded monitor into process with pid 2720
2026-04-14 03:02:58,000 [root] DEBUG: 2720: caller_dispatch: Added region at 0x4A0E0000 to tracked regions list (ntdll::NtOpenThread returns to 0x4A0E732B, thread 2772).
2026-04-14 03:02:58,000 [root] DEBUG: 2720: YaraScan: Scanning 0x4A0E0000, size 0x4bb2e
2026-04-14 03:02:58,015 [root] DEBUG: 2720: ProcessImageBase: Main module image at 0x4A0E0000 unmodified (entropy change 0.000000e+00)
2026-04-14 03:02:58,109 [root] DEBUG: 2720: CreateProcessHandler: Injection info set for new process 2768: C:\Windows\system32\calc.exe, ImageBase: 0x00F10000
2026-04-14 03:02:58,125 [root] INFO: Announced 32-bit process name: calc.exe pid: 2768
2026-04-14 03:02:58,125 [lib.api.process] INFO: Monitor config for process 2768: C:\tmpn7j73yx1\dll\2768.ini
2026-04-14 03:02:58,125 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2026-04-14 03:02:58,125 [lib.api.process] INFO: Option 'amsidump' with value '1' sent to monitor
2026-04-14 03:02:58,125 [lib.api.process] INFO: Option 'disable_hook_content' with value '4' sent to monitor
2026-04-14 03:02:58,125 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpn7j73yx1\dll\HSOZToo.dll, loader C:\tmpn7j73yx1\bin\ERrqOVd.exe
2026-04-14 03:02:58,171 [root] DEBUG: Loader: Injecting process 2768 (thread 2572) with C:\tmpn7j73yx1\dll\HSOZToo.dll.
2026-04-14 03:02:58,171 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-04-14 03:02:58,187 [root] DEBUG: Successfully injected DLL C:\tmpn7j73yx1\dll\HSOZToo.dll.
2026-04-14 03:02:58,203 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2768
2026-04-14 03:02:58,203 [root] DEBUG: 2720: DLL loaded at 0x733F0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2026-04-14 03:02:58,218 [root] WARNING: Received request to inject process with pid 2768, skipped alredy in inject list
2026-04-14 03:02:58,249 [root] DEBUG: 2768: Python path set to 'C:\olddocs'.
2026-04-14 03:02:58,249 [root] DEBUG: 2768: Process dumps enabled.
2026-04-14 03:02:58,249 [root] DEBUG: 2768: AMSI dumping enabled.
2026-04-14 03:02:58,249 [root] DEBUG: 2768: Dropped file limit defaulting to 100.
2026-04-14 03:02:58,249 [root] DEBUG: 2768: Disabling sleep skipping.
2026-04-14 03:02:58,249 [root] DEBUG: 2768: YaraInit: Compiled rules loaded from existing file C:\tmpn7j73yx1\data\yara\capemon.yac
2026-04-14 03:02:58,249 [root] DEBUG: 2768: YaraScan: Scanning 0x00F10000, size 0xbfb3a
2026-04-14 03:02:58,265 [root] DEBUG: 2768: Monitor initialised: 32-bit capemon loaded in process 2768 at 0x73dc0000, thread 2572, image base 0xf10000, stack from 0x95000-0xa0000
2026-04-14 03:02:58,265 [root] DEBUG: 2768: Commandline: calc.exe
2026-04-14 03:02:58,281 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2026-04-14 03:02:58,281 [root] DEBUG: 2768: set_hooks: Unable to hook GetCommandLineA
2026-04-14 03:02:58,281 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2026-04-14 03:02:58,296 [root] DEBUG: 2768: set_hooks: Unable to hook GetCommandLineW
2026-04-14 03:02:58,296 [root] DEBUG: 2768: Hooked 625 out of 627 functions
2026-04-14 03:02:58,312 [root] DEBUG: 2768: RestoreHeaders: Restored original import table.
2026-04-14 03:02:58,312 [root] INFO: Loaded monitor into process with pid 2768
2026-04-14 03:02:58,312 [root] DEBUG: 2768: caller_dispatch: Added region at 0x00F10000 to tracked regions list (ntdll::NtClose returns to 0x00F23433, thread 2572).
2026-04-14 03:02:58,312 [root] DEBUG: 2768: YaraScan: Scanning 0x00F10000, size 0xbfb3a
2026-04-14 03:02:58,328 [root] DEBUG: 2768: ProcessImageBase: Main module image at 0x00F10000 unmodified (entropy change 0.000000e+00)
2026-04-14 03:02:58,328 [root] DEBUG: 2768: DLL loaded at 0x72940000: C:\Windows\SysWOW64\WindowsCodecs (0x130000 bytes).
2026-04-14 03:02:58,359 [root] DEBUG: 2768: DLL loaded at 0x74320000: C:\Windows\SysWOW64\dwmapi (0x13000 bytes).
2026-04-14 03:02:58,406 [root] DEBUG: 2768: DLL loaded at 0x752D0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2026-04-14 03:02:58,587 [root] DEBUG: 2768: DLL loaded at 0x742E0000: C:\Windows\SysWOW64\oleacc (0x3c000 bytes).
2026-04-14 03:03:00,744 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2026-04-14 03:03:01,009 [lib.common.results] INFO: File 1776160980931640600.HardwareEvents.evtx.gz size is 250, Max size: 100000000
2026-04-14 03:03:01,025 [lib.common.results] INFO: File 1776160980947265600.InternetExplorer.evtx.gz size is 250, Max size: 100000000
2026-04-14 03:03:01,025 [lib.common.results] INFO: File 1776160980947265600.KeyManagementService.evtx.gz size is 4650, Max size: 100000000
2026-04-14 03:03:01,025 [lib.common.results] INFO: File 1776160980931640600.Application.evtx.gz size is 6956, Max size: 100000000
2026-04-14 03:03:01,072 [lib.common.results] INFO: File 1776160981009765600.Setup.evtx.gz size is 241, Max size: 100000000
2026-04-14 03:03:01,087 [lib.common.results] INFO: File 1776160981009765600.OAlerts.evtx.gz size is 244, Max size: 100000000
2026-04-14 03:03:01,087 [lib.common.results] INFO: File 1776160981009765600.Security.evtx.gz size is 7809, Max size: 100000000
2026-04-14 03:03:01,087 [lib.common.results] INFO: File 1776160981009765600.System.evtx.gz size is 8703, Max size: 100000000
2026-04-14 03:03:01,103 [lib.common.results] INFO: File 1776160981072265600.WindowsPowerShell.evtx.gz size is 2101, Max size: 100000000
2026-04-14 03:03:02,962 [modules.auxiliary.sysmon] INFO: Uploading sysmon/1776160982.9628904.sysmon.evtx.gz to host
2026-04-14 03:03:02,962 [lib.common.results] INFO: File C:\Sysmon.evtx.gz size is 9125, Max size: 100000000
2026-04-14 03:03:08,853 [lib.common.results] INFO: File c:\olddocs\1776160983853.saz size is 4602, Max size: 100000000
2026-04-14 03:03:08,869 [modules.auxiliary.fiddler] ERROR: Saz log file not found in guest machine
2026-04-14 03:03:16,134 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2026-04-14 03:03:16,369 [lib.common.results] INFO: File 1776160996306640600.HardwareEvents.evtx.gz size is 250, Max size: 100000000
2026-04-14 03:03:16,369 [lib.common.results] INFO: File 1776160996306640600.InternetExplorer.evtx.gz size is 250, Max size: 100000000
2026-04-14 03:03:16,384 [lib.common.results] INFO: File 1776160996306640600.KeyManagementService.evtx.gz size is 4650, Max size: 100000000
2026-04-14 03:03:16,384 [lib.common.results] INFO: File 1776160996306640600.Application.evtx.gz size is 6890, Max size: 100000000
2026-04-14 03:03:16,431 [lib.common.results] INFO: File 1776160996369140600.OAlerts.evtx.gz size is 244, Max size: 100000000
2026-04-14 03:03:16,431 [lib.common.results] INFO: File 1776160996384765600.Setup.evtx.gz size is 241, Max size: 100000000
2026-04-14 03:03:16,447 [lib.common.results] INFO: File 1776160996369140600.Security.evtx.gz size is 8024, Max size: 100000000
2026-04-14 03:03:16,447 [lib.common.results] INFO: File 1776160996384765600.System.evtx.gz size is 8082, Max size: 100000000
2026-04-14 03:03:16,462 [lib.common.results] INFO: File 1776160996431640600.WindowsPowerShell.evtx.gz size is 2101, Max size: 100000000
2026-04-14 03:03:17,994 [modules.auxiliary.sysmon] INFO: Dumping sysmon logs
2026-04-14 03:03:23,087 [modules.auxiliary.sysmon] INFO: Uploading sysmon/1776161003.0878906.sysmon.evtx.gz to host
2026-04-14 03:03:23,087 [lib.common.results] INFO: File C:\Sysmon.evtx.gz size is 17758, Max size: 100000000
2026-04-14 03:03:28,962 [modules.auxiliary.fiddler] ERROR: Saz log file not found in guest machine
2026-04-14 03:03:31,494 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2026-04-14 03:03:31,728 [lib.common.results] INFO: File 1776161011681640600.InternetExplorer.evtx.gz size is 250, Max size: 100000000
2026-04-14 03:03:31,728 [lib.common.results] INFO: File 1776161011681640600.HardwareEvents.evtx.gz size is 250, Max size: 100000000
2026-04-14 03:03:31,744 [lib.common.results] INFO: File 1776161011681640600.Application.evtx.gz size is 6890, Max size: 100000000
2026-04-14 03:03:31,744 [lib.common.results] INFO: File 1776161011681640600.KeyManagementService.evtx.gz size is 4650, Max size: 100000000
2026-04-14 03:03:31,791 [lib.common.results] INFO: File 1776161011728515600.OAlerts.evtx.gz size is 244, Max size: 100000000
2026-04-14 03:03:31,791 [lib.common.results] INFO: File 1776161011744140600.Setup.evtx.gz size is 241, Max size: 100000000
2026-04-14 03:03:31,791 [lib.common.results] INFO: File 1776161011728515600.Security.evtx.gz size is 7819, Max size: 100000000
2026-04-14 03:03:31,806 [lib.common.results] INFO: File 1776161011744140600.System.evtx.gz size is 8092, Max size: 100000000
2026-04-14 03:03:31,822 [lib.common.results] INFO: File 1776161011791015600.WindowsPowerShell.evtx.gz size is 2101, Max size: 100000000
2026-04-14 03:03:38,103 [modules.auxiliary.sysmon] INFO: Dumping sysmon logs
2026-04-14 03:03:43,166 [modules.auxiliary.sysmon] INFO: Uploading sysmon/1776161023.1660154.sysmon.evtx.gz to host
2026-04-14 03:03:43,166 [lib.common.results] INFO: File C:\Sysmon.evtx.gz size is 5562, Max size: 100000000
2026-04-14 03:03:46,853 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2026-04-14 03:03:47,056 [lib.common.results] INFO: File 1776161027009765600.Application.evtx.gz size is 6890, Max size: 100000000
2026-04-14 03:03:47,056 [lib.common.results] INFO: File 1776161027009765600.HardwareEvents.evtx.gz size is 250, Max size: 100000000
2026-04-14 03:03:47,072 [lib.common.results] INFO: File 1776161027025390600.InternetExplorer.evtx.gz size is 250, Max size: 100000000
2026-04-14 03:03:47,087 [lib.common.results] INFO: File 1776161027041015600.KeyManagementService.evtx.gz size is 4650, Max size: 100000000
2026-04-14 03:03:47,103 [lib.common.results] INFO: File 1776161027056640600.OAlerts.evtx.gz size is 244, Max size: 100000000
2026-04-14 03:03:47,103 [lib.common.results] INFO: File 1776161027056640600.Security.evtx.gz size is 8060, Max size: 100000000
2026-04-14 03:03:47,119 [lib.common.results] INFO: File 1776161027072265600.Setup.evtx.gz size is 241, Max size: 100000000
2026-04-14 03:03:47,150 [lib.common.results] INFO: File 1776161027087890600.WindowsPowerShell.evtx.gz size is 2101, Max size: 100000000
2026-04-14 03:03:47,166 [lib.common.results] INFO: File 1776161027087890600.System.evtx.gz size is 8121, Max size: 100000000
2026-04-14 03:03:49,041 [modules.auxiliary.fiddler] ERROR: Saz log file not found in guest machine
2026-04-14 03:03:58,181 [modules.auxiliary.sysmon] INFO: Dumping sysmon logs
2026-04-14 03:04:02,212 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2026-04-14 03:04:02,431 [lib.common.results] INFO: File 1776161042384765600.HardwareEvents.evtx.gz size is 250, Max size: 100000000
2026-04-14 03:04:02,447 [lib.common.results] INFO: File 1776161042384765600.InternetExplorer.evtx.gz size is 250, Max size: 100000000
2026-04-14 03:04:02,447 [lib.common.results] INFO: File 1776161042384765600.Application.evtx.gz size is 6955, Max size: 100000000
2026-04-14 03:04:02,447 [lib.common.results] INFO: File 1776161042384765600.KeyManagementService.evtx.gz size is 4650, Max size: 100000000
2026-04-14 03:04:02,478 [lib.common.results] INFO: File 1776161042431640600.OAlerts.evtx.gz size is 244, Max size: 100000000
2026-04-14 03:04:02,494 [lib.common.results] INFO: File 1776161042447265600.Security.evtx.gz size is 8018, Max size: 100000000
2026-04-14 03:04:02,494 [lib.common.results] INFO: File 1776161042447265600.Setup.evtx.gz size is 241, Max size: 100000000
2026-04-14 03:04:02,494 [lib.common.results] INFO: File 1776161042447265600.System.evtx.gz size is 8085, Max size: 100000000
2026-04-14 03:04:02,525 [lib.common.results] INFO: File 1776161042478515600.WindowsPowerShell.evtx.gz size is 2101, Max size: 100000000
2026-04-14 03:04:03,259 [modules.auxiliary.sysmon] INFO: Uploading sysmon/1776161043.2597654.sysmon.evtx.gz to host
2026-04-14 03:04:03,259 [lib.common.results] INFO: File C:\Sysmon.evtx.gz size is 5682, Max size: 100000000
2026-04-14 03:04:09,119 [modules.auxiliary.fiddler] ERROR: Saz log file not found in guest machine
2026-04-14 03:04:17,556 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2026-04-14 03:04:17,775 [lib.common.results] INFO: File 1776161057728515600.InternetExplorer.evtx.gz size is 250, Max size: 100000000
2026-04-14 03:04:17,791 [lib.common.results] INFO: File 1776161057728515600.HardwareEvents.evtx.gz size is 250, Max size: 100000000
2026-04-14 03:04:17,791 [lib.common.results] INFO: File 1776161057728515600.Application.evtx.gz size is 6887, Max size: 100000000
2026-04-14 03:04:17,791 [lib.common.results] INFO: File 1776161057728515600.KeyManagementService.evtx.gz size is 4650, Max size: 100000000
2026-04-14 03:04:17,822 [lib.common.results] INFO: File 1776161057775390600.Setup.evtx.gz size is 241, Max size: 100000000
2026-04-14 03:04:17,837 [lib.common.results] INFO: File 1776161057775390600.OAlerts.evtx.gz size is 244, Max size: 100000000
2026-04-14 03:04:17,837 [lib.common.results] INFO: File 1776161057775390600.System.evtx.gz size is 8082, Max size: 100000000
2026-04-14 03:04:17,837 [lib.common.results] INFO: File 1776161057775390600.Security.evtx.gz size is 7695, Max size: 100000000
2026-04-14 03:04:17,869 [lib.common.results] INFO: File 1776161057822265600.WindowsPowerShell.evtx.gz size is 2101, Max size: 100000000
2026-04-14 03:04:18,275 [modules.auxiliary.sysmon] INFO: Dumping sysmon logs
2026-04-14 03:04:23,322 [modules.auxiliary.sysmon] INFO: Uploading sysmon/1776161063.3222656.sysmon.evtx.gz to host
2026-04-14 03:04:23,322 [lib.common.results] INFO: File C:\Sysmon.evtx.gz size is 5490, Max size: 100000000
2026-04-14 03:04:29,212 [modules.auxiliary.fiddler] ERROR: Saz log file not found in guest machine
2026-04-14 03:04:32,900 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2026-04-14 03:04:33,103 [lib.common.results] INFO: File 1776161073056640600.HardwareEvents.evtx.gz size is 250, Max size: 100000000
2026-04-14 03:04:33,103 [lib.common.results] INFO: File 1776161073056640600.InternetExplorer.evtx.gz size is 250, Max size: 100000000
2026-04-14 03:04:33,103 [lib.common.results] INFO: File 1776161073056640600.Application.evtx.gz size is 6887, Max size: 100000000
2026-04-14 03:04:33,134 [lib.common.results] INFO: File 1776161073056640600.KeyManagementService.evtx.gz size is 4650, Max size: 100000000
2026-04-14 03:04:33,150 [lib.common.results] INFO: File 1776161073103515600.OAlerts.evtx.gz size is 244, Max size: 100000000
2026-04-14 03:04:33,150 [lib.common.results] INFO: File 1776161073103515600.Setup.evtx.gz size is 241, Max size: 100000000
2026-04-14 03:04:33,150 [lib.common.results] INFO: File 1776161073103515600.Security.evtx.gz size is 7928, Max size: 100000000
2026-04-14 03:04:33,181 [lib.common.results] INFO: File 1776161073134765600.System.evtx.gz size is 8100, Max size: 100000000
2026-04-14 03:04:33,197 [lib.common.results] INFO: File 1776161073134765600.WindowsPowerShell.evtx.gz size is 2101, Max size: 100000000
2026-04-14 03:04:38,337 [modules.auxiliary.sysmon] INFO: Dumping sysmon logs
2026-04-14 03:04:43,400 [modules.auxiliary.sysmon] INFO: Uploading sysmon/1776161083.4003906.sysmon.evtx.gz to host
2026-04-14 03:04:43,416 [lib.common.results] INFO: File C:\Sysmon.evtx.gz size is 5428, Max size: 100000000
2026-04-14 03:04:48,228 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2026-04-14 03:04:48,416 [lib.common.results] INFO: File 1776161088384765600.HardwareEvents.evtx.gz size is 250, Max size: 100000000
2026-04-14 03:04:48,431 [lib.common.results] INFO: File 1776161088384765600.Application.evtx.gz size is 6887, Max size: 100000000
2026-04-14 03:04:48,431 [lib.common.results] INFO: File 1776161088384765600.KeyManagementService.evtx.gz size is 4650, Max size: 100000000
2026-04-14 03:04:48,431 [lib.common.results] INFO: File 1776161088384765600.InternetExplorer.evtx.gz size is 250, Max size: 100000000
2026-04-14 03:04:48,478 [lib.common.results] INFO: File 1776161088416015600.OAlerts.evtx.gz size is 244, Max size: 100000000
2026-04-14 03:04:48,478 [lib.common.results] INFO: File 1776161088431640600.Setup.evtx.gz size is 241, Max size: 100000000
2026-04-14 03:04:48,478 [lib.common.results] INFO: File 1776161088431640600.System.evtx.gz size is 8087, Max size: 100000000
2026-04-14 03:04:48,494 [lib.common.results] INFO: File 1776161088431640600.Security.evtx.gz size is 7901, Max size: 100000000
2026-04-14 03:04:48,525 [lib.common.results] INFO: File 1776161088478515600.WindowsPowerShell.evtx.gz size is 2101, Max size: 100000000
2026-04-14 03:04:49,291 [modules.auxiliary.fiddler] ERROR: Saz log file not found in guest machine
2026-04-14 03:04:58,431 [modules.auxiliary.sysmon] INFO: Dumping sysmon logs
2026-04-14 03:05:03,509 [modules.auxiliary.sysmon] INFO: Uploading sysmon/1776161103.5097656.sysmon.evtx.gz to host
2026-04-14 03:05:03,509 [lib.common.results] INFO: File C:\Sysmon.evtx.gz size is 5885, Max size: 100000000
2026-04-14 03:05:03,541 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2026-04-14 03:05:03,744 [lib.common.results] INFO: File 1776161103697265600.Application.evtx.gz size is 6887, Max size: 100000000
2026-04-14 03:05:03,759 [lib.common.results] INFO: File 1776161103697265600.HardwareEvents.evtx.gz size is 250, Max size: 100000000
2026-04-14 03:05:03,759 [lib.common.results] INFO: File 1776161103697265600.InternetExplorer.evtx.gz size is 250, Max size: 100000000
2026-04-14 03:05:03,775 [lib.common.results] INFO: File 1776161103712890600.KeyManagementService.evtx.gz size is 4650, Max size: 100000000
2026-04-14 03:05:03,791 [lib.common.results] INFO: File 1776161103744140600.OAlerts.evtx.gz size is 244, Max size: 100000000
2026-04-14 03:05:03,806 [lib.common.results] INFO: File 1776161103759765600.Setup.evtx.gz size is 241, Max size: 100000000
2026-04-14 03:05:03,822 [lib.common.results] INFO: File 1776161103759765600.Security.evtx.gz size is 7736, Max size: 100000000
2026-04-14 03:05:03,822 [lib.common.results] INFO: File 1776161103775390600.System.evtx.gz size is 8118, Max size: 100000000
2026-04-14 03:05:03,837 [lib.common.results] INFO: File 1776161103791015600.WindowsPowerShell.evtx.gz size is 2101, Max size: 100000000
2026-04-14 03:05:09,353 [modules.auxiliary.fiddler] ERROR: Saz log file not found in guest machine
2026-04-14 03:05:18,525 [modules.auxiliary.sysmon] INFO: Dumping sysmon logs
2026-04-14 03:05:18,869 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2026-04-14 03:05:19,072 [lib.common.results] INFO: File 1776161119025390600.InternetExplorer.evtx.gz size is 250, Max size: 100000000
2026-04-14 03:05:19,072 [lib.common.results] INFO: File 1776161119025390600.HardwareEvents.evtx.gz size is 250, Max size: 100000000
2026-04-14 03:05:19,072 [lib.common.results] INFO: File 1776161119025390600.KeyManagementService.evtx.gz size is 4650, Max size: 100000000
2026-04-14 03:05:19,087 [lib.common.results] INFO: File 1776161119025390600.Application.evtx.gz size is 6887, Max size: 100000000
2026-04-14 03:05:19,119 [lib.common.results] INFO: File 1776161119056640600.OAlerts.evtx.gz size is 244, Max size: 100000000
2026-04-14 03:05:19,134 [lib.common.results] INFO: File 1776161119072265600.Setup.evtx.gz size is 241, Max size: 100000000
2026-04-14 03:05:19,134 [lib.common.results] INFO: File 1776161119072265600.Security.evtx.gz size is 8116, Max size: 100000000
2026-04-14 03:05:19,134 [lib.common.results] INFO: File 1776161119087890600.System.evtx.gz size is 8121, Max size: 100000000
2026-04-14 03:05:19,150 [lib.common.results] INFO: File 1776161119119140600.WindowsPowerShell.evtx.gz size is 2101, Max size: 100000000
2026-04-14 03:05:23,587 [modules.auxiliary.sysmon] INFO: Uploading sysmon/1776161123.5878906.sysmon.evtx.gz to host
2026-04-14 03:05:23,587 [lib.common.results] INFO: File C:\Sysmon.evtx.gz size is 5684, Max size: 100000000
2026-04-14 03:05:28,775 [root] INFO: Analysis timeout hit, terminating analysis
2026-04-14 03:05:28,775 [lib.api.process] INFO: Terminate event set for process 932
2026-04-14 03:05:28,775 [root] DEBUG: 932: Terminate Event: Attempting to dump process 932
2026-04-14 03:05:28,775 [root] DEBUG: 932: DoProcessDump: Skipping process dump as code is identical on disk.
2026-04-14 03:05:28,775 [lib.api.process] INFO: Termination confirmed for process 932
2026-04-14 03:05:28,791 [root] INFO: Terminate event set for process 932
2026-04-14 03:05:28,791 [root] DEBUG: 932: Terminate Event: monitor shutdown complete for process 932
2026-04-14 03:05:28,791 [lib.api.process] INFO: Terminate event set for process 2720
2026-04-14 03:05:28,791 [root] DEBUG: 2720: Terminate Event: Attempting to dump process 2720
2026-04-14 03:05:28,791 [root] DEBUG: 2720: DoProcessDump: Skipping process dump as code is identical on disk.
2026-04-14 03:05:28,791 [lib.api.process] INFO: Termination confirmed for process 2720 2026-04-14 03:05:28,791 [root] DEBUG: 2720: Terminate Event: monitor shutdown complete for process 2720 2026-04-14 03:05:28,791 [root] INFO: Terminate event set for process 2720 2026-04-14 03:05:28,791 [lib.api.process] INFO: Terminate event set for process 2768 2026-04-14 03:05:28,791 [root] DEBUG: 2768: Terminate Event: Attempting to dump process 2768 2026-04-14 03:05:28,791 [root] DEBUG: 2768: DoProcessDump: Skipping process dump as code is identical on disk. 2026-04-14 03:05:28,806 [lib.api.process] INFO: Termination confirmed for process 2768 2026-04-14 03:05:28,806 [root] INFO: Terminate event set for process 2768 2026-04-14 03:05:28,806 [root] DEBUG: 2768: Terminate Event: monitor shutdown complete for process 2768 2026-04-14 03:05:28,806 [root] INFO: Created shutdown mutex 2026-04-14 03:05:29,431 [modules.auxiliary.fiddler] ERROR: Saz log file not found in guest machine 2026-04-14 03:05:29,806 [root] INFO: Shutting down package 2026-04-14 03:05:29,806 [root] INFO: Stopping auxiliary modules 2026-04-14 03:05:29,806 [modules.auxiliary.curtain] ERROR: Curtain - Error collecting PowerShell events - [WinError 6] The handle is invalid 2026-04-14 03:05:29,806 [lib.common.results] INFO: File C:\curtain.log size is 0, Max size: 100000000 2026-04-14 03:05:29,822 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell 2026-04-14 03:05:30,025 [lib.common.results] INFO: File 1776161129978515600.HardwareEvents.evtx.gz size is 250, Max size: 100000000 2026-04-14 03:05:30,025 [lib.common.results] INFO: File 1776161129978515600.InternetExplorer.evtx.gz size is 250, Max size: 100000000 2026-04-14 03:05:30,041 [lib.common.results] INFO: File 1776161129994140600.KeyManagementService.evtx.gz size is 4650, Max size: 100000000 2026-04-14 03:05:30,041 [lib.common.results] INFO: 
File 1776161129978515600.Application.evtx.gz size is 6887, Max size: 100000000 2026-04-14 03:05:30,072 [lib.common.results] INFO: File 1776161130025390600.OAlerts.evtx.gz size is 244, Max size: 100000000 2026-04-14 03:05:30,087 [lib.common.results] INFO: File 1776161130041015600.Setup.evtx.gz size is 241, Max size: 100000000 2026-04-14 03:05:30,103 [lib.common.results] INFO: File 1776161130025390600.Security.evtx.gz size is 8044, Max size: 100000000 2026-04-14 03:05:30,119 [lib.common.results] INFO: File 1776161130041015600.System.evtx.gz size is 8114, Max size: 100000000 2026-04-14 03:05:30,134 [lib.common.results] INFO: File 1776161130072265600.WindowsPowerShell.evtx.gz size is 2101, Max size: 100000000 2026-04-14 03:05:34,181 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell 2026-04-14 03:05:34,416 [lib.common.results] INFO: File 1776161134353515600.InternetExplorer.evtx.gz size is 250, Max size: 100000000 2026-04-14 03:05:34,416 [lib.common.results] INFO: File 1776161134353515600.HardwareEvents.evtx.gz size is 250, Max size: 100000000 2026-04-14 03:05:34,416 [lib.common.results] INFO: File 1776161134353515600.Application.evtx.gz size is 6887, Max size: 100000000 2026-04-14 03:05:34,416 [lib.common.results] INFO: File 1776161134353515600.KeyManagementService.evtx.gz size is 4650, Max size: 100000000 2026-04-14 03:05:34,478 [lib.common.results] INFO: File 1776161134400390600.OAlerts.evtx.gz size is 244, Max size: 100000000 2026-04-14 03:05:34,478 [lib.common.results] INFO: File 1776161134416015600.Setup.evtx.gz size is 241, Max size: 100000000 2026-04-14 03:05:34,478 [lib.common.results] INFO: File 1776161134400390600.Security.evtx.gz size is 7897, Max size: 100000000 2026-04-14 03:05:34,478 [lib.common.results] INFO: File 1776161134416015600.System.evtx.gz size is 8111, Max size: 100000000 2026-04-14 03:05:34,509 [lib.common.results] INFO: 
File 1776161134462890600.WindowsPowerShell.evtx.gz size is 2101, Max size: 100000000 2026-04-14 03:05:35,244 [modules.auxiliary.fiddler] ERROR: Saz log file not found in guest machine 2026-04-14 03:05:35,244 [modules.auxiliary.sysmon] INFO: Doing final sysmon log dump 2026-04-14 03:05:38,603 [modules.auxiliary.sysmon] INFO: Dumping sysmon logs 2026-04-14 03:05:40,291 [modules.auxiliary.sysmon] INFO: Uploading sysmon/1776161140.2910156.sysmon.evtx.gz to host 2026-04-14 03:05:40,291 [lib.common.results] INFO: File C:\Sysmon.evtx.gz size is 5121, Max size: 100000000 2026-04-14 03:05:40,306 [root] INFO: Finishing auxiliary modules 2026-04-14 03:05:40,306 [root] INFO: Shutting down pipe server and dumping dropped files 2026-04-14 03:05:40,306 [root] WARNING: Folder at path "C:\GFWtWvQmt\debugger" does not exist, skipping 2026-04-14 03:05:40,306 [root] WARNING: Folder at path "C:\GFWtWvQmt\tlsdump" does not exist, skipping 2026-04-14 03:05:40,306 [root] INFO: Analysis completed
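The analyzer log above is rendered as one run-together line per chunk, which makes the points an analyst actually needs (which collectors failed, what was captured and how large it is, which process dumps were skipped, whether the run ended by timeout) hard to pick out. The following is an added Python example, not part of the CAPE report or CAPE's own code, that splits such a flattened log on its timestamps and summarizes those points. The log text embedded in it is a constructed excerpt in the same shape as the entries above, not the full log; the entry format it assumes is `<timestamp> [<module>] <LEVEL>: <message>` as shown on the page.

```python
import re
from collections import Counter

# Constructed excerpt in the same shape as the analyzer log on this page
# (entries run together on one line, as the report renders them). It is
# sample input for this example, not the full log.
SAMPLE_LOG = (
    "2026-04-14 03:04:29,212 [modules.auxiliary.fiddler] ERROR: Saz log file not found in guest machine "
    "2026-04-14 03:04:33,103 [lib.common.results] INFO: File 1776161073056640600.Application.evtx.gz size is 6887, Max size: 100000000 "
    "2026-04-14 03:04:33,150 [lib.common.results] INFO: File 1776161073103515600.Security.evtx.gz size is 7928, Max size: 100000000 "
    "2026-04-14 03:04:43,416 [lib.common.results] INFO: File C:\\Sysmon.evtx.gz size is 5428, Max size: 100000000 "
    "2026-04-14 03:05:28,775 [root] INFO: Analysis timeout hit, terminating analysis "
    "2026-04-14 03:05:28,775 [root] DEBUG: 932: DoProcessDump: Skipping process dump as code is identical on disk. "
    "2026-04-14 03:05:28,791 [root] DEBUG: 2720: DoProcessDump: Skipping process dump as code is identical on disk. "
    "2026-04-14 03:05:29,806 [modules.auxiliary.curtain] ERROR: Curtain - Error collecting PowerShell events - [WinError 6] The handle is invalid "
    "2026-04-14 03:05:29,806 [lib.common.results] INFO: File C:\\curtain.log size is 0, Max size: 100000000 "
    "2026-04-14 03:05:40,306 [root] INFO: Analysis completed"
)

# One entry is "<timestamp> [<module>] <LEVEL>: <message>". The message runs
# until the next "<timestamp> [" (or end of input), which is the only reliable
# separator once the entries have been flattened onto a single line.
TS = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}"
ENTRY_RE = re.compile(
    rf"(?P<ts>{TS}) \[(?P<module>[^\]]+)\] (?P<level>[A-Z]+): (?P<msg>.*?)(?= {TS} \[|$)",
    re.S,
)
FILE_RE = re.compile(r"File (?P<name>\S+) size is (?P<size>\d+), Max size: (?P<max>\d+)")
DUMP_SKIP_RE = re.compile(r"^(?P<pid>\d+): DoProcessDump: Skipping process dump")


def parse_entries(text):
    """Split a flattened analyzer log into dicts with ts/module/level/msg."""
    return [m.groupdict() for m in ENTRY_RE.finditer(text)]


def summarize(entries):
    """Pull out what an analyst triages first from the parsed entries."""
    artifacts = {}
    for e in entries:
        m = FILE_RE.search(e["msg"])
        if m:
            artifacts[m["name"]] = int(m["size"])
    skipped = [int(m["pid"]) for e in entries if (m := DUMP_SKIP_RE.match(e["msg"]))]
    return {
        "levels": Counter(e["level"] for e in entries),
        "errors": [(e["module"], e["msg"]) for e in entries if e["level"] == "ERROR"],
        "artifacts": artifacts,
        # A zero-byte artifact means the collector ran but captured nothing
        # (curtain.log here: its ERROR entry explains why).
        "empty_artifacts": sorted(n for n, s in artifacts.items() if s == 0),
        # Dumps skipped because the in-memory image matched the file on disk:
        # the monitor saw no unpacking or injected code in those processes.
        "skipped_dump_pids": skipped,
        "timed_out": any("Analysis timeout hit" in e["msg"] for e in entries),
        "completed": any(e["msg"] == "Analysis completed" for e in entries),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_entries(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run against the full log text, the `errors` list shows at a glance that the fiddler and curtain collectors produced nothing this run (so the absence of HTTP and PowerShell script-block data is a collection gap, not evidence of inactivity), while `skipped_dump_pids` and `timed_out` record that every monitored process still matched its on-disk image when the 150-second timeout ended the run.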
| Name | Label | Manager | Started On | Shutdown On | Route |
|---|---|---|---|---|---|
| win7office2k3flash2800137TWN3H105 | win7office2k3flash2800137TWN3H105 | KVM | 2026-04-14 09:02:45 | 2026-04-14 09:05:50 | internet |
| File Name | opencalc.bat |
|---|---|
| File Size | 9 bytes |
| File Type | ASCII text |
| MD5 | c61463921d79e07e461fd0e731f72619 |
| SHA1 | 4c70ac1680d2c4bdb145d5be5dad5230b20805f2 |
| SHA256 | 7fdf626e0603f5bc2375a7bbc92c94a21088841c0a03cf3c5f12aa9c680ce4e6 |
| SHA512 | 1a0ada808250064beaafad6095f6d12b0a26ddeb0aff616205986dc4db7c4e72686701945bfb948a141a5f6db0d0e6cec29cd2fddc59ba07a9279a93a7e3541e |
| SHA3-384 | b61a7654e9f55c8d3f21ad0e18325fb9d987f7baece23caa7b5803b1ed18cc0603d1cc5a57f344355e3e08a0950fcd36 |
| CRC32 | 8D648BCF |
| Ssdeep | 3:FGLAdK:FbK |
| File | calc.exe |
|---|---|

| Defense Evasion | Privilege Escalation |
|---|---|
| Direct | IP | Country Name |
|---|---|---|
| Y | 8.8.8.8 [VT] | United States |
No domains contacted.
No hosts contacted.
No TCP connections recorded.
No UDP connections recorded.
No HTTP(s) requests performed.
No SMTP traffic performed.
No IRC requests performed.
No ICMP traffic performed.
No CIF Results
No Suricata Alerts
No Suricata TLS
No Suricata HTTP