Analysis

Category: FILE
Package: bat
Started: 2026-04-14 20:06:41
Completed: 2026-04-14 20:09:44
Duration: 183 seconds
MalScore: 1.5
Options:
procdump=1
amsidump=1
Log:
2025-12-02 01:28:52,781 [root] INFO: Date set to: 20260414T13:06:41, timeout set to: 150
2026-04-14 14:06:41,031 [root] DEBUG: Starting analyzer from: C:\tmp5j_l8fk0
2026-04-14 14:06:41,031 [root] DEBUG: Storing results at: C:\uOytARqSgS
2026-04-14 14:06:41,031 [root] DEBUG: Pipe server name: \\.\PIPE\GgBRsxpTOm
2026-04-14 14:06:41,031 [root] DEBUG: Python path: C:\olddocs
2026-04-14 14:06:41,031 [root] DEBUG: No analysis package specified, trying to detect it automagically
2026-04-14 14:06:41,031 [root] INFO: Automatically selected analysis package "bat"
2026-04-14 14:06:41,031 [root] DEBUG: Importing analysis package "bat"...
2026-04-14 14:06:41,031 [root] DEBUG: Initializing analysis package "bat"...
2026-04-14 14:06:41,031 [root] INFO: Analyzer: Package modules.packages.bat does not specify a DLL option
2026-04-14 14:06:41,031 [root] INFO: Analyzer: Package modules.packages.bat does not specify a DLL_64 option
2026-04-14 14:06:41,031 [root] INFO: Analyzer: Package modules.packages.bat does not specify a loader option
2026-04-14 14:06:41,031 [root] INFO: Analyzer: Package modules.packages.bat does not specify a loader_64 option
2026-04-14 14:06:41,078 [root] DEBUG: Importing auxiliary module "modules.auxiliary.browser"...
2026-04-14 14:06:41,078 [root] DEBUG: Importing auxiliary module "modules.auxiliary.curtain"...
2026-04-14 14:06:41,078 [root] DEBUG: Importing auxiliary module "modules.auxiliary.default_apps"...
2026-04-14 14:06:41,078 [root] DEBUG: Importing auxiliary module "modules.auxiliary.digisig"...
2026-04-14 14:06:41,093 [root] DEBUG: Importing auxiliary module "modules.auxiliary.disguise"...
2026-04-14 14:06:41,109 [root] DEBUG: Importing auxiliary module "modules.auxiliary.evtx"...
2026-04-14 14:06:41,109 [root] DEBUG: Importing auxiliary module "modules.auxiliary.fiddler"...
2026-04-14 14:06:41,109 [root] DEBUG: Importing auxiliary module "modules.auxiliary.human"...
2026-04-14 14:06:41,125 [root] DEBUG: Importing auxiliary module "modules.auxiliary.screenshots"...
2026-04-14 14:06:41,140 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2026-04-14 14:06:41,234 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2026-04-14 14:06:41,234 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2026-04-14 14:06:41,234 [root] DEBUG: Importing auxiliary module "modules.auxiliary.sysmon"...
2026-04-14 14:06:41,234 [root] DEBUG: Importing auxiliary module "modules.auxiliary.tlsdump"...
2026-04-14 14:06:41,234 [root] DEBUG: Importing auxiliary module "modules.auxiliary.usage"...
2026-04-14 14:06:41,249 [root] DEBUG: Initializing auxiliary module "Browser"...
2026-04-14 14:06:41,249 [root] DEBUG: Started auxiliary module Browser
2026-04-14 14:06:41,249 [root] DEBUG: Initializing auxiliary module "Curtain"...
2026-04-14 14:06:41,249 [root] DEBUG: Started auxiliary module Curtain
2026-04-14 14:06:41,249 [root] DEBUG: Initializing auxiliary module "DefaultApps"...
2026-04-14 14:06:41,296 [modules.auxiliary.default_apps] DEBUG: Getting current user SID using WinAPI
2026-04-14 14:06:41,296 [root] DEBUG: Started auxiliary module DefaultApps
2026-04-14 14:06:41,296 [root] DEBUG: Initializing auxiliary module "DigiSig"...
2026-04-14 14:06:41,296 [modules.auxiliary.digisig] INFO: signtool.exe was not found in bin/
2026-04-14 14:06:41,296 [modules.auxiliary.digisig] INFO: dummy
2026-04-14 14:06:41,296 [modules.auxiliary.digisig] INFO: Skipping authenticode validation, unsupported analyzer package
2026-04-14 14:06:41,296 [root] DEBUG: Started auxiliary module DigiSig
2026-04-14 14:06:41,296 [root] DEBUG: Initializing auxiliary module "Disguise"...
2026-04-14 14:06:41,625 [modules.auxiliary.disguise] INFO: Setting NoRecentDocsHistory
2026-04-14 14:06:41,625 [root] WARNING: Cannot execute auxiliary module Disguise: [WinError 2] The system cannot find the file specified
2026-04-14 14:06:41,625 [root] DEBUG: Initializing auxiliary module "Evtx"...
2026-04-14 14:06:41,625 [modules.auxiliary.evtx] INFO: Loading audit policy C:\tmp5j_l8fk0\bin\auditpol.csv
2026-04-14 14:06:41,796 [modules.auxiliary.evtx] INFO: Wiping logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2026-04-14 14:06:42,625 [root] DEBUG: Started auxiliary module Evtx
2026-04-14 14:06:42,625 [root] DEBUG: Initializing auxiliary module "Fiddler"...
2026-04-14 14:06:42,625 [modules.auxiliary.fiddler] INFO: fiddler package: dummy
2026-04-14 14:06:42,625 [root] DEBUG: Started auxiliary module Fiddler
2026-04-14 14:06:42,625 [root] DEBUG: Initializing auxiliary module "Human"...
2026-04-14 14:06:42,640 [root] DEBUG: Started auxiliary module Human
2026-04-14 14:06:42,640 [root] DEBUG: Initializing auxiliary module "Screenshots"...
2026-04-14 14:06:42,640 [root] DEBUG: Started auxiliary module Screenshots
2026-04-14 14:06:42,640 [root] DEBUG: Initializing auxiliary module "Sysmon"...
2026-04-14 14:06:42,640 [modules.auxiliary.sysmon] INFO: Seeing if we need to update sysmon config
2026-04-14 14:06:42,640 [modules.auxiliary.sysmon] INFO: Found Sysmon Executable
2026-04-14 14:06:42,640 [modules.auxiliary.sysmon] INFO: Found Sysmon config
2026-04-14 14:06:42,640 [root] DEBUG: Started auxiliary module Sysmon
2026-04-14 14:06:42,640 [root] DEBUG: Initializing auxiliary module "TLSDumpMasterSecrets"...
2026-04-14 14:06:42,640 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 560
2026-04-14 14:06:42,640 [lib.api.process] INFO: Monitor config for process 560: C:\tmp5j_l8fk0\dll\560.ini
2026-04-14 14:06:42,640 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2026-04-14 14:06:42,640 [lib.api.process] INFO: Option 'amsidump' with value '1' sent to monitor
2026-04-14 14:06:42,640 [lib.api.process] INFO: Option 'disable_hook_content' with value '4' sent to monitor
2026-04-14 14:06:42,640 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2026-04-14 14:06:42,640 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp5j_l8fk0\dll\HzSdFM.dll, loader C:\tmp5j_l8fk0\bin\xDPuqfJT.exe
2026-04-14 14:06:42,671 [root] DEBUG: Loader: Injecting process 560 with C:\tmp5j_l8fk0\dll\HzSdFM.dll.
2026-04-14 14:06:42,718 [root] DEBUG: 560: Python path set to 'C:\olddocs'.
2026-04-14 14:06:42,718 [root] DEBUG: 560: Disabling sleep skipping.
2026-04-14 14:06:42,718 [root] DEBUG: 560: Process dumps enabled.
2026-04-14 14:06:42,718 [root] DEBUG: 560: AMSI dumping enabled.
2026-04-14 14:06:42,718 [root] DEBUG: 560: TLS secret dump mode enabled.
2026-04-14 14:06:42,734 [root] DEBUG: 560: Monitor initialised: 64-bit capemon loaded in process 560 at 0x000007FEF6430000, thread 1004, image base 0x00000000FF390000, stack from 0x0000000000B12000-0x0000000000B20000
2026-04-14 14:06:42,734 [root] DEBUG: 560: Commandline: C:\Windows\system32\lsass.exe
2026-04-14 14:06:42,734 [root] DEBUG: 560: Hooked 5 out of 5 functions
2026-04-14 14:06:42,734 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2026-04-14 14:06:42,734 [root] DEBUG: Successfully injected DLL C:\tmp5j_l8fk0\dll\HzSdFM.dll.
2026-04-14 14:06:42,750 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 560
2026-04-14 14:06:42,750 [root] DEBUG: Started auxiliary module TLSDumpMasterSecrets
2026-04-14 14:06:42,750 [root] DEBUG: Initializing auxiliary module "Usage"...
2026-04-14 14:06:42,750 [root] DEBUG: Started auxiliary module Usage
2026-04-14 14:06:44,828 [modules.auxiliary.sysmon] INFO: Clearing existing sysmon logs
2026-04-14 14:06:45,484 [root] INFO: Restarting WMI Service
2026-04-14 14:06:49,562 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\system32\cmd.exe" with arguments "/c start /wait "" "C:\Users\pgabriel\AppData\Local\Temp\opencalc.bat"" with pid 2608
2026-04-14 14:06:49,562 [lib.api.process] INFO: Monitor config for process 2608: C:\tmp5j_l8fk0\dll\2608.ini
2026-04-14 14:06:49,578 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2026-04-14 14:06:49,578 [lib.api.process] INFO: Option 'amsidump' with value '1' sent to monitor
2026-04-14 14:06:49,578 [lib.api.process] INFO: Option 'disable_hook_content' with value '4' sent to monitor
2026-04-14 14:06:49,578 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp5j_l8fk0\dll\KuscWa.dll, loader C:\tmp5j_l8fk0\bin\HoIpHJn.exe
2026-04-14 14:06:49,593 [root] DEBUG: Loader: Injecting process 2608 (thread 3040) with C:\tmp5j_l8fk0\dll\KuscWa.dll.
2026-04-14 14:06:49,593 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-04-14 14:06:49,593 [root] DEBUG: Successfully injected DLL C:\tmp5j_l8fk0\dll\KuscWa.dll.
2026-04-14 14:06:49,609 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2608
2026-04-14 14:06:51,609 [lib.api.process] INFO: Successfully resumed process with pid 2608
2026-04-14 14:06:51,656 [root] DEBUG: 2608: Python path set to 'C:\olddocs'.
2026-04-14 14:06:51,656 [root] DEBUG: 2608: Disabling sleep skipping.
2026-04-14 14:06:51,656 [root] DEBUG: 2608: Process dumps enabled.
2026-04-14 14:06:51,656 [root] DEBUG: 2608: AMSI dumping enabled.
2026-04-14 14:06:51,656 [root] DEBUG: 2608: Dropped file limit defaulting to 100.
2026-04-14 14:06:51,671 [root] DEBUG: 2608: YaraInit: Compiled 45 rule files
2026-04-14 14:06:51,671 [root] DEBUG: 2608: YaraInit: Compiled rules saved to file C:\tmp5j_l8fk0\data\yara\capemon.yac
2026-04-14 14:06:51,687 [root] DEBUG: 2608: YaraScan: Scanning 0x49FE0000, size 0x4bb2e
2026-04-14 14:06:51,687 [root] DEBUG: 2608: Monitor initialised: 32-bit capemon loaded in process 2608 at 0x74700000, thread 3040, image base 0x49fe0000, stack from 0x1b3000-0x2b0000
2026-04-14 14:06:51,687 [root] DEBUG: 2608: Commandline: "C:\Windows\system32\cmd.exe" /c start /wait "" "C:\Users\pgabriel\AppData\Local\Temp\opencalc.bat"
2026-04-14 14:06:51,718 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2026-04-14 14:06:51,718 [root] DEBUG: 2608: set_hooks: Unable to hook GetCommandLineA
2026-04-14 14:06:51,718 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2026-04-14 14:06:51,718 [root] DEBUG: 2608: set_hooks: Unable to hook GetCommandLineW
2026-04-14 14:06:51,734 [root] DEBUG: 2608: Hooked 625 out of 627 functions
2026-04-14 14:06:51,734 [root] DEBUG: 2608: RestoreHeaders: Restored original import table.
2026-04-14 14:06:51,750 [root] INFO: Loaded monitor into process with pid 2608
2026-04-14 14:06:51,750 [root] DEBUG: 2608: caller_dispatch: Added region at 0x49FE0000 to tracked regions list (ntdll::NtOpenThread returns to 0x49FE732B, thread 3040).
2026-04-14 14:06:51,750 [root] DEBUG: 2608: YaraScan: Scanning 0x49FE0000, size 0x4bb2e
2026-04-14 14:06:51,750 [root] DEBUG: 2608: ProcessImageBase: Main module image at 0x49FE0000 unmodified (entropy change 0.000000e+00)
2026-04-14 14:06:51,765 [root] DEBUG: 2608: CreateProcessHandler: Injection info set for new process 1800: C:\Windows\system32\cmd.exe, ImageBase: 0x49FE0000
2026-04-14 14:06:51,765 [root] INFO: Announced 32-bit process name: cmd.exe pid: 1800
2026-04-14 14:06:51,765 [lib.api.process] INFO: Monitor config for process 1800: C:\tmp5j_l8fk0\dll\1800.ini
2026-04-14 14:06:51,765 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2026-04-14 14:06:51,765 [lib.api.process] INFO: Option 'amsidump' with value '1' sent to monitor
2026-04-14 14:06:51,765 [lib.api.process] INFO: Option 'disable_hook_content' with value '4' sent to monitor
2026-04-14 14:06:51,781 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp5j_l8fk0\dll\KuscWa.dll, loader C:\tmp5j_l8fk0\bin\HoIpHJn.exe
2026-04-14 14:06:51,796 [root] DEBUG: Loader: Injecting process 1800 (thread 2808) with C:\tmp5j_l8fk0\dll\KuscWa.dll.
2026-04-14 14:06:51,796 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-04-14 14:06:51,796 [root] DEBUG: Successfully injected DLL C:\tmp5j_l8fk0\dll\KuscWa.dll.
2026-04-14 14:06:51,796 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1800
2026-04-14 14:06:51,796 [root] DEBUG: 2608: DLL loaded at 0x73AC0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2026-04-14 14:06:51,812 [root] WARNING: Received request to inject process with pid 1800, skipped alredy in inject list
2026-04-14 14:06:51,812 [root] WARNING: Received request to inject process with pid 1800, skipped alredy in inject list
2026-04-14 14:06:51,859 [root] DEBUG: 1800: Python path set to 'C:\olddocs'.
2026-04-14 14:06:51,859 [root] DEBUG: 1800: Disabling sleep skipping.
2026-04-14 14:06:51,859 [root] DEBUG: 1800: Process dumps enabled.
2026-04-14 14:06:51,859 [root] DEBUG: 1800: AMSI dumping enabled.
2026-04-14 14:06:51,859 [root] DEBUG: 1800: Dropped file limit defaulting to 100.
2026-04-14 14:06:51,859 [root] DEBUG: 1800: YaraInit: Compiled rules loaded from existing file C:\tmp5j_l8fk0\data\yara\capemon.yac
2026-04-14 14:06:51,859 [root] DEBUG: 1800: YaraScan: Scanning 0x49FE0000, size 0x4bb2e
2026-04-14 14:06:51,859 [root] DEBUG: 1800: Monitor initialised: 32-bit capemon loaded in process 1800 at 0x74700000, thread 2808, image base 0x49fe0000, stack from 0x2e3000-0x3e0000
2026-04-14 14:06:51,859 [root] DEBUG: 1800: Commandline: C:\Windows\system32\cmd.exe  /K "C:\Users\pgabriel\AppData\Local\Temp\opencalc.bat"
2026-04-14 14:06:51,890 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2026-04-14 14:06:51,890 [root] DEBUG: 1800: set_hooks: Unable to hook GetCommandLineA
2026-04-14 14:06:51,890 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2026-04-14 14:06:51,890 [root] DEBUG: 1800: set_hooks: Unable to hook GetCommandLineW
2026-04-14 14:06:51,890 [root] DEBUG: 1800: Hooked 625 out of 627 functions
2026-04-14 14:06:51,906 [root] DEBUG: 1800: RestoreHeaders: Restored original import table.
2026-04-14 14:06:51,906 [root] INFO: Loaded monitor into process with pid 1800
2026-04-14 14:06:51,906 [root] DEBUG: 1800: caller_dispatch: Added region at 0x49FE0000 to tracked regions list (ntdll::NtOpenThread returns to 0x49FE732B, thread 2808).
2026-04-14 14:06:51,906 [root] DEBUG: 1800: YaraScan: Scanning 0x49FE0000, size 0x4bb2e
2026-04-14 14:06:51,906 [root] DEBUG: 1800: ProcessImageBase: Main module image at 0x49FE0000 unmodified (entropy change 0.000000e+00)
2026-04-14 14:06:51,968 [root] DEBUG: 1800: CreateProcessHandler: Injection info set for new process 3008: C:\Windows\system32\calc.exe, ImageBase: 0x00550000
2026-04-14 14:06:51,984 [root] INFO: Announced 32-bit process name: calc.exe pid: 3008
2026-04-14 14:06:51,984 [lib.api.process] INFO: Monitor config for process 3008: C:\tmp5j_l8fk0\dll\3008.ini
2026-04-14 14:06:51,984 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2026-04-14 14:06:51,984 [lib.api.process] INFO: Option 'amsidump' with value '1' sent to monitor
2026-04-14 14:06:51,984 [lib.api.process] INFO: Option 'disable_hook_content' with value '4' sent to monitor
2026-04-14 14:06:51,984 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp5j_l8fk0\dll\KuscWa.dll, loader C:\tmp5j_l8fk0\bin\HoIpHJn.exe
2026-04-14 14:06:52,000 [root] DEBUG: Loader: Injecting process 3008 (thread 1372) with C:\tmp5j_l8fk0\dll\KuscWa.dll.
2026-04-14 14:06:52,000 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-04-14 14:06:52,000 [root] DEBUG: Successfully injected DLL C:\tmp5j_l8fk0\dll\KuscWa.dll.
2026-04-14 14:06:52,000 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3008
2026-04-14 14:06:52,000 [root] DEBUG: 1800: DLL loaded at 0x73AC0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2026-04-14 14:06:52,015 [root] WARNING: Received request to inject process with pid 3008, skipped alredy in inject list
2026-04-14 14:06:52,031 [root] DEBUG: 3008: Python path set to 'C:\olddocs'.
2026-04-14 14:06:52,046 [root] DEBUG: 3008: Process dumps enabled.
2026-04-14 14:06:52,046 [root] DEBUG: 3008: AMSI dumping enabled.
2026-04-14 14:06:52,046 [root] DEBUG: 3008: Dropped file limit defaulting to 100.
2026-04-14 14:06:52,046 [root] DEBUG: 3008: Disabling sleep skipping.
2026-04-14 14:06:52,046 [root] DEBUG: 3008: YaraInit: Compiled rules loaded from existing file C:\tmp5j_l8fk0\data\yara\capemon.yac
2026-04-14 14:06:52,046 [root] DEBUG: 3008: YaraScan: Scanning 0x00550000, size 0xbfb3a
2026-04-14 14:06:52,062 [root] DEBUG: 3008: Monitor initialised: 32-bit capemon loaded in process 3008 at 0x74700000, thread 1372, image base 0x550000, stack from 0x2c5000-0x2d0000
2026-04-14 14:06:52,062 [root] DEBUG: 3008: Commandline: calc.exe
2026-04-14 14:06:52,078 [root] WARNING: b'Unable to place hook on GetCommandLineA'
2026-04-14 14:06:52,078 [root] DEBUG: 3008: set_hooks: Unable to hook GetCommandLineA
2026-04-14 14:06:52,078 [root] WARNING: b'Unable to place hook on GetCommandLineW'
2026-04-14 14:06:52,078 [root] DEBUG: 3008: set_hooks: Unable to hook GetCommandLineW
2026-04-14 14:06:52,093 [root] DEBUG: 3008: Hooked 625 out of 627 functions
2026-04-14 14:06:52,109 [root] DEBUG: 3008: RestoreHeaders: Restored original import table.
2026-04-14 14:06:52,109 [root] INFO: Loaded monitor into process with pid 3008
2026-04-14 14:06:52,109 [root] DEBUG: 3008: caller_dispatch: Added region at 0x00550000 to tracked regions list (ntdll::NtClose returns to 0x00563433, thread 1372).
2026-04-14 14:06:52,109 [root] DEBUG: 3008: YaraScan: Scanning 0x00550000, size 0xbfb3a
2026-04-14 14:06:52,125 [root] DEBUG: 3008: ProcessImageBase: Main module image at 0x00550000 unmodified (entropy change 0.000000e+00)
2026-04-14 14:06:52,125 [root] DEBUG: 3008: DLL loaded at 0x74440000: C:\Windows\SysWOW64\WindowsCodecs (0x130000 bytes).
2026-04-14 14:06:52,156 [root] DEBUG: 3008: DLL loaded at 0x74DE0000: C:\Windows\SysWOW64\dwmapi (0x13000 bytes).
2026-04-14 14:06:52,187 [root] DEBUG: 3008: DLL loaded at 0x77150000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2026-04-14 14:06:52,353 [root] DEBUG: 3008: DLL loaded at 0x74D10000: C:\Windows\SysWOW64\oleacc (0x3c000 bytes).
2026-04-14 14:06:55,150 [modules.auxiliary.sysmon] INFO: Dumping sysmon logs
2026-04-14 14:06:57,634 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2026-04-14 14:06:57,900 [lib.common.results] INFO: File 1776200817837890600.HardwareEvents.evtx.gz size is 251, Max size: 100000000
2026-04-14 14:06:57,916 [lib.common.results] INFO: File 1776200817837890600.InternetExplorer.evtx.gz size is 252, Max size: 100000000
2026-04-14 14:06:57,916 [lib.common.results] INFO: File 1776200817837890600.KeyManagementService.evtx.gz size is 2174, Max size: 100000000
2026-04-14 14:06:57,916 [lib.common.results] INFO: File 1776200817837890600.Application.evtx.gz size is 6952, Max size: 100000000
2026-04-14 14:06:57,978 [lib.common.results] INFO: File 1776200817900390600.OAlerts.evtx.gz size is 246, Max size: 100000000
2026-04-14 14:06:57,978 [lib.common.results] INFO: File 1776200817916015600.Setup.evtx.gz size is 246, Max size: 100000000
2026-04-14 14:06:57,978 [lib.common.results] INFO: File 1776200817916015600.System.evtx.gz size is 8474, Max size: 100000000
2026-04-14 14:06:57,994 [lib.common.results] INFO: File 1776200817900390600.Security.evtx.gz size is 15695, Max size: 100000000
2026-04-14 14:06:58,025 [lib.common.results] INFO: File 1776200817978515600.WindowsPowerShell.evtx.gz size is 7990, Max size: 100000000
2026-04-14 14:07:00,244 [modules.auxiliary.sysmon] INFO: Uploading sysmon/1776200820.2441406.sysmon.evtx.gz to host
2026-04-14 14:07:00,244 [lib.common.results] INFO: File C:\Sysmon.evtx.gz size is 14341, Max size: 100000000
2026-04-14 14:07:05,744 [lib.common.results] INFO: File c:\olddocs\1776200820744.saz size is 4611, Max size: 100000000
2026-04-14 14:07:05,759 [modules.auxiliary.fiddler] ERROR: Saz log file not found in guest machine
2026-04-14 14:07:13,056 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2026-04-14 14:07:13,291 [lib.common.results] INFO: File 1776200833244140600.HardwareEvents.evtx.gz size is 251, Max size: 100000000
2026-04-14 14:07:13,306 [lib.common.results] INFO: File 1776200833244140600.InternetExplorer.evtx.gz size is 252, Max size: 100000000
2026-04-14 14:07:13,306 [lib.common.results] INFO: File 1776200833244140600.KeyManagementService.evtx.gz size is 2174, Max size: 100000000
2026-04-14 14:07:13,306 [lib.common.results] INFO: File 1776200833244140600.Application.evtx.gz size is 6882, Max size: 100000000
2026-04-14 14:07:13,353 [lib.common.results] INFO: File 1776200833291015600.OAlerts.evtx.gz size is 246, Max size: 100000000
2026-04-14 14:07:13,353 [lib.common.results] INFO: File 1776200833291015600.Setup.evtx.gz size is 246, Max size: 100000000
2026-04-14 14:07:13,353 [lib.common.results] INFO: File 1776200833291015600.Security.evtx.gz size is 8013, Max size: 100000000
2026-04-14 14:07:13,353 [lib.common.results] INFO: File 1776200833291015600.System.evtx.gz size is 8486, Max size: 100000000
2026-04-14 14:07:13,400 [lib.common.results] INFO: File 1776200833353515600.WindowsPowerShell.evtx.gz size is 7990, Max size: 100000000
2026-04-14 14:07:15,259 [modules.auxiliary.sysmon] INFO: Dumping sysmon logs
2026-04-14 14:07:20,322 [modules.auxiliary.sysmon] INFO: Uploading sysmon/1776200840.3222656.sysmon.evtx.gz to host
2026-04-14 14:07:20,322 [lib.common.results] INFO: File C:\Sysmon.evtx.gz size is 5981, Max size: 100000000
2026-04-14 14:07:25,837 [modules.auxiliary.fiddler] ERROR: Saz log file not found in guest machine
2026-04-14 14:07:28,431 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2026-04-14 14:07:28,666 [lib.common.results] INFO: File 1776200848619140600.InternetExplorer.evtx.gz size is 252, Max size: 100000000
2026-04-14 14:07:28,666 [lib.common.results] INFO: File 1776200848619140600.KeyManagementService.evtx.gz size is 2174, Max size: 100000000
2026-04-14 14:07:28,681 [lib.common.results] INFO: File 1776200848619140600.Application.evtx.gz size is 6882, Max size: 100000000
2026-04-14 14:07:28,681 [lib.common.results] INFO: File 1776200848619140600.HardwareEvents.evtx.gz size is 251, Max size: 100000000
2026-04-14 14:07:28,712 [lib.common.results] INFO: File 1776200848666015600.OAlerts.evtx.gz size is 246, Max size: 100000000
2026-04-14 14:07:28,728 [lib.common.results] INFO: File 1776200848666015600.Security.evtx.gz size is 7901, Max size: 100000000
2026-04-14 14:07:28,728 [lib.common.results] INFO: File 1776200848666015600.Setup.evtx.gz size is 246, Max size: 100000000
2026-04-14 14:07:28,728 [lib.common.results] INFO: File 1776200848681640600.System.evtx.gz size is 8090, Max size: 100000000
2026-04-14 14:07:28,759 [lib.common.results] INFO: File 1776200848712890600.WindowsPowerShell.evtx.gz size is 7990, Max size: 100000000
2026-04-14 14:07:35,337 [modules.auxiliary.sysmon] INFO: Dumping sysmon logs
2026-04-14 14:07:40,416 [modules.auxiliary.sysmon] INFO: Uploading sysmon/1776200860.4160156.sysmon.evtx.gz to host
2026-04-14 14:07:40,416 [lib.common.results] INFO: File C:\Sysmon.evtx.gz size is 6071, Max size: 100000000
2026-04-14 14:07:43,791 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2026-04-14 14:07:44,009 [lib.common.results] INFO: File 1776200863947265600.InternetExplorer.evtx.gz size is 252, Max size: 100000000
2026-04-14 14:07:44,009 [lib.common.results] INFO: File 1776200863947265600.KeyManagementService.evtx.gz size is 2174, Max size: 100000000
2026-04-14 14:07:44,025 [lib.common.results] INFO: File 1776200863947265600.Application.evtx.gz size is 6882, Max size: 100000000
2026-04-14 14:07:44,025 [lib.common.results] INFO: File 1776200863947265600.HardwareEvents.evtx.gz size is 251, Max size: 100000000
2026-04-14 14:07:44,041 [lib.common.results] INFO: File 1776200864009765600.OAlerts.evtx.gz size is 246, Max size: 100000000
2026-04-14 14:07:44,056 [lib.common.results] INFO: File 1776200864009765600.Setup.evtx.gz size is 246, Max size: 100000000
2026-04-14 14:07:44,056 [lib.common.results] INFO: File 1776200864009765600.Security.evtx.gz size is 7934, Max size: 100000000
2026-04-14 14:07:44,072 [lib.common.results] INFO: File 1776200864009765600.System.evtx.gz size is 8139, Max size: 100000000
2026-04-14 14:07:44,103 [lib.common.results] INFO: File 1776200864041015600.WindowsPowerShell.evtx.gz size is 7990, Max size: 100000000
2026-04-14 14:07:45,916 [modules.auxiliary.fiddler] ERROR: Saz log file not found in guest machine
2026-04-14 14:07:55,431 [modules.auxiliary.sysmon] INFO: Dumping sysmon logs
2026-04-14 14:07:59,119 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2026-04-14 14:07:59,337 [lib.common.results] INFO: File 1776200879291015600.KeyManagementService.evtx.gz size is 2174, Max size: 100000000
2026-04-14 14:07:59,353 [lib.common.results] INFO: File 1776200879291015600.InternetExplorer.evtx.gz size is 252, Max size: 100000000
2026-04-14 14:07:59,353 [lib.common.results] INFO: File 1776200879291015600.HardwareEvents.evtx.gz size is 251, Max size: 100000000
2026-04-14 14:07:59,353 [lib.common.results] INFO: File 1776200879291015600.Application.evtx.gz size is 6964, Max size: 100000000
2026-04-14 14:07:59,416 [lib.common.results] INFO: File 1776200879353515600.Setup.evtx.gz size is 246, Max size: 100000000
2026-04-14 14:07:59,416 [lib.common.results] INFO: File 1776200879337890600.OAlerts.evtx.gz size is 246, Max size: 100000000
2026-04-14 14:07:59,416 [lib.common.results] INFO: File 1776200879337890600.Security.evtx.gz size is 7999, Max size: 100000000
2026-04-14 14:07:59,431 [lib.common.results] INFO: File 1776200879353515600.System.evtx.gz size is 8134, Max size: 100000000
2026-04-14 14:07:59,462 [lib.common.results] INFO: File 1776200879416015600.WindowsPowerShell.evtx.gz size is 7990, Max size: 100000000
2026-04-14 14:08:00,509 [modules.auxiliary.sysmon] INFO: Uploading sysmon/1776200880.5097656.sysmon.evtx.gz to host
2026-04-14 14:08:00,509 [lib.common.results] INFO: File C:\Sysmon.evtx.gz size is 6116, Max size: 100000000
2026-04-14 14:08:05,994 [modules.auxiliary.fiddler] ERROR: Saz log file not found in guest machine
2026-04-14 14:08:14,494 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2026-04-14 14:08:14,712 [lib.common.results] INFO: File 1776200894666015600.HardwareEvents.evtx.gz size is 251, Max size: 100000000
2026-04-14 14:08:14,712 [lib.common.results] INFO: File 1776200894666015600.InternetExplorer.evtx.gz size is 252, Max size: 100000000
2026-04-14 14:08:14,712 [lib.common.results] INFO: File 1776200894666015600.Application.evtx.gz size is 6897, Max size: 100000000
2026-04-14 14:08:14,728 [lib.common.results] INFO: File 1776200894666015600.KeyManagementService.evtx.gz size is 2174, Max size: 100000000
2026-04-14 14:08:14,775 [lib.common.results] INFO: File 1776200894712890600.Setup.evtx.gz size is 246, Max size: 100000000
2026-04-14 14:08:14,775 [lib.common.results] INFO: File 1776200894712890600.OAlerts.evtx.gz size is 246, Max size: 100000000
2026-04-14 14:08:14,775 [lib.common.results] INFO: File 1776200894728515600.System.evtx.gz size is 8109, Max size: 100000000
2026-04-14 14:08:14,775 [lib.common.results] INFO: File 1776200894712890600.Security.evtx.gz size is 7863, Max size: 100000000
2026-04-14 14:08:14,822 [lib.common.results] INFO: File 1776200894775390600.WindowsPowerShell.evtx.gz size is 7990, Max size: 100000000
2026-04-14 14:08:15,541 [modules.auxiliary.sysmon] INFO: Dumping sysmon logs
2026-04-14 14:08:20,619 [modules.auxiliary.sysmon] INFO: Uploading sysmon/1776200900.6191406.sysmon.evtx.gz to host
2026-04-14 14:08:20,619 [lib.common.results] INFO: File C:\Sysmon.evtx.gz size is 5695, Max size: 100000000
2026-04-14 14:08:26,087 [modules.auxiliary.fiddler] ERROR: Saz log file not found in guest machine
2026-04-14 14:08:29,853 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2026-04-14 14:08:30,072 [lib.common.results] INFO: File 1776200910025390600.InternetExplorer.evtx.gz size is 252, Max size: 100000000
2026-04-14 14:08:30,072 [lib.common.results] INFO: File 1776200910025390600.HardwareEvents.evtx.gz size is 251, Max size: 100000000
2026-04-14 14:08:30,072 [lib.common.results] INFO: File 1776200910025390600.KeyManagementService.evtx.gz size is 2174, Max size: 100000000
2026-04-14 14:08:30,087 [lib.common.results] INFO: File 1776200910025390600.Application.evtx.gz size is 6897, Max size: 100000000
2026-04-14 14:08:30,119 [lib.common.results] INFO: File 1776200910072265600.OAlerts.evtx.gz size is 246, Max size: 100000000
2026-04-14 14:08:30,134 [lib.common.results] INFO: File 1776200910072265600.Setup.evtx.gz size is 246, Max size: 100000000
2026-04-14 14:08:30,150 [lib.common.results] INFO: File 1776200910072265600.Security.evtx.gz size is 7974, Max size: 100000000
2026-04-14 14:08:30,150 [lib.common.results] INFO: File 1776200910087890600.System.evtx.gz size is 8127, Max size: 100000000
2026-04-14 14:08:30,166 [lib.common.results] INFO: File 1776200910119140600.WindowsPowerShell.evtx.gz size is 7990, Max size: 100000000
2026-04-14 14:08:35,634 [modules.auxiliary.sysmon] INFO: Dumping sysmon logs
2026-04-14 14:08:40,697 [modules.auxiliary.sysmon] INFO: Uploading sysmon/1776200920.6972656.sysmon.evtx.gz to host
2026-04-14 14:08:40,697 [lib.common.results] INFO: File C:\Sysmon.evtx.gz size is 5781, Max size: 100000000
2026-04-14 14:08:45,212 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2026-04-14 14:08:45,431 [lib.common.results] INFO: File 1776200925384765600.HardwareEvents.evtx.gz size is 251, Max size: 100000000
2026-04-14 14:08:45,431 [lib.common.results] INFO: File 1776200925384765600.InternetExplorer.evtx.gz size is 252, Max size: 100000000
2026-04-14 14:08:45,431 [lib.common.results] INFO: File 1776200925384765600.KeyManagementService.evtx.gz size is 2174, Max size: 100000000
2026-04-14 14:08:45,447 [lib.common.results] INFO: File 1776200925369140600.Application.evtx.gz size is 6897, Max size: 100000000
2026-04-14 14:08:45,462 [lib.common.results] INFO: File 1776200925431640600.OAlerts.evtx.gz size is 246, Max size: 100000000
2026-04-14 14:08:45,494 [lib.common.results] INFO: File 1776200925431640600.Setup.evtx.gz size is 246, Max size: 100000000
2026-04-14 14:08:45,494 [lib.common.results] INFO: File 1776200925431640600.System.evtx.gz size is 8139, Max size: 100000000
2026-04-14 14:08:45,509 [lib.common.results] INFO: File 1776200925431640600.Security.evtx.gz size is 8056, Max size: 100000000
2026-04-14 14:08:45,525 [lib.common.results] INFO: File 1776200925462890600.WindowsPowerShell.evtx.gz size is 7990, Max size: 100000000
2026-04-14 14:08:46,150 [modules.auxiliary.fiddler] ERROR: Saz log file not found in guest machine
2026-04-14 14:08:55,728 [modules.auxiliary.sysmon] INFO: Dumping sysmon logs
2026-04-14 14:09:00,556 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2026-04-14 14:09:00,775 [lib.common.results] INFO: File 1776200940728515600.InternetExplorer.evtx.gz size is 252, Max size: 100000000
2026-04-14 14:09:00,791 [lib.common.results] INFO: File 1776200940728515600.KeyManagementService.evtx.gz size is 2174, Max size: 100000000
2026-04-14 14:09:00,791 [lib.common.results] INFO: File 1776200940728515600.HardwareEvents.evtx.gz size is 251, Max size: 100000000
2026-04-14 14:09:00,791 [lib.common.results] INFO: File 1776200940728515600.Application.evtx.gz size is 6897, Max size: 100000000
2026-04-14 14:09:00,806 [modules.auxiliary.sysmon] INFO: Uploading sysmon/1776200940.8066406.sysmon.evtx.gz to host
2026-04-14 14:09:00,806 [lib.common.results] INFO: File C:\Sysmon.evtx.gz size is 5989, Max size: 100000000
2026-04-14 14:09:00,853 [lib.common.results] INFO: File 1776200940775390600.Setup.evtx.gz size is 246, Max size: 100000000
2026-04-14 14:09:00,853 [lib.common.results] INFO: File 1776200940775390600.OAlerts.evtx.gz size is 246, Max size: 100000000
2026-04-14 14:09:00,853 [lib.common.results] INFO: File 1776200940775390600.Security.evtx.gz size is 7861, Max size: 100000000
2026-04-14 14:09:00,853 [lib.common.results] INFO: File 1776200940791015600.System.evtx.gz size is 8147, Max size: 100000000
2026-04-14 14:09:00,884 [lib.common.results] INFO: File 1776200940853515600.WindowsPowerShell.evtx.gz size is 7990, Max size: 100000000
2026-04-14 14:09:06,228 [modules.auxiliary.fiddler] ERROR: Saz log file not found in guest machine
2026-04-14 14:09:15,806 [modules.auxiliary.sysmon] INFO: Dumping sysmon logs
2026-04-14 14:09:15,916 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2026-04-14 14:09:16,119 [lib.common.results] INFO: File 1776200956072265600.HardwareEvents.evtx.gz size is 251, Max size: 100000000
2026-04-14 14:09:16,119 [lib.common.results] INFO: File 1776200956072265600.Application.evtx.gz size is 6897, Max size: 100000000
2026-04-14 14:09:16,134 [lib.common.results] INFO: File 1776200956087890600.KeyManagementService.evtx.gz size is 2174, Max size: 100000000
2026-04-14 14:09:16,134 [lib.common.results] INFO: File 1776200956072265600.InternetExplorer.evtx.gz size is 252, Max size: 100000000
2026-04-14 14:09:16,181 [lib.common.results] INFO: File 1776200956134765600.Setup.evtx.gz size is 246, Max size: 100000000
2026-04-14 14:09:16,181 [lib.common.results] INFO: File 1776200956119140600.OAlerts.evtx.gz size is 246, Max size: 100000000
2026-04-14 14:09:16,181 [lib.common.results] INFO: File 1776200956119140600.Security.evtx.gz size is 8116, Max size: 100000000
2026-04-14 14:09:16,181 [lib.common.results] INFO: File 1776200956134765600.System.evtx.gz size is 8149, Max size: 100000000
2026-04-14 14:09:16,228 [lib.common.results] INFO: File 1776200956166015600.WindowsPowerShell.evtx.gz size is 7990, Max size: 100000000
2026-04-14 14:09:20,884 [modules.auxiliary.sysmon] INFO: Uploading sysmon/1776200960.8847656.sysmon.evtx.gz to host
2026-04-14 14:09:20,884 [lib.common.results] INFO: File C:\Sysmon.evtx.gz size is 5814, Max size: 100000000
2026-04-14 14:09:22,619 [root] INFO: Analysis timeout hit, terminating analysis
2026-04-14 14:09:22,619 [lib.api.process] INFO: Terminate event set for process 2608
2026-04-14 14:09:22,619 [root] DEBUG: 2608: Terminate Event: Attempting to dump process 2608
2026-04-14 14:09:22,619 [root] DEBUG: 2608: DoProcessDump: Skipping process dump as code is identical on disk.
2026-04-14 14:09:22,619 [lib.api.process] INFO: Termination confirmed for process 2608
2026-04-14 14:09:22,634 [root] DEBUG: 2608: Terminate Event: monitor shutdown complete for process 2608
2026-04-14 14:09:22,634 [root] INFO: Terminate event set for process 2608
2026-04-14 14:09:22,634 [lib.api.process] INFO: Terminate event set for process 1800
2026-04-14 14:09:22,634 [root] DEBUG: 1800: Terminate Event: Attempting to dump process 1800
2026-04-14 14:09:22,634 [root] DEBUG: 1800: DoProcessDump: Skipping process dump as code is identical on disk.
2026-04-14 14:09:22,634 [lib.api.process] INFO: Termination confirmed for process 1800
2026-04-14 14:09:22,634 [root] INFO: Terminate event set for process 1800
2026-04-14 14:09:22,634 [root] DEBUG: 1800: Terminate Event: monitor shutdown complete for process 1800
2026-04-14 14:09:22,634 [lib.api.process] INFO: Terminate event set for process 3008
2026-04-14 14:09:22,634 [root] DEBUG: 3008: Terminate Event: Attempting to dump process 3008
2026-04-14 14:09:22,634 [root] DEBUG: 3008: DoProcessDump: Skipping process dump as code is identical on disk.
2026-04-14 14:09:22,650 [lib.api.process] INFO: Termination confirmed for process 3008
2026-04-14 14:09:22,650 [root] INFO: Terminate event set for process 3008
2026-04-14 14:09:22,650 [root] INFO: Created shutdown mutex
2026-04-14 14:09:22,650 [root] DEBUG: 3008: Terminate Event: monitor shutdown complete for process 3008
2026-04-14 14:09:23,650 [root] INFO: Shutting down package
2026-04-14 14:09:23,650 [root] INFO: Stopping auxiliary modules
2026-04-14 14:09:23,650 [modules.auxiliary.curtain] ERROR: Curtain - Error collecting PowerShell events - [WinError 6] The handle is invalid
2026-04-14 14:09:23,650 [lib.common.results] INFO: File C:\curtain.log size is 0, Max size: 100000000
2026-04-14 14:09:23,666 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2026-04-14 14:09:23,884 [lib.common.results] INFO: File 1776200963822265600.HardwareEvents.evtx.gz size is 251, Max size: 100000000
2026-04-14 14:09:23,884 [lib.common.results] INFO: File 1776200963822265600.Application.evtx.gz size is 6897, Max size: 100000000
2026-04-14 14:09:23,884 [lib.common.results] INFO: File 1776200963837890600.InternetExplorer.evtx.gz size is 252, Max size: 100000000
2026-04-14 14:09:23,900 [lib.common.results] INFO: File 1776200963853515600.KeyManagementService.evtx.gz size is 2174, Max size: 100000000
2026-04-14 14:09:23,931 [lib.common.results] INFO: File 1776200963884765600.Setup.evtx.gz size is 246, Max size: 100000000
2026-04-14 14:09:23,947 [lib.common.results] INFO: File 1776200963884765600.OAlerts.evtx.gz size is 246, Max size: 100000000
2026-04-14 14:09:23,947 [lib.common.results] INFO: File 1776200963884765600.Security.evtx.gz size is 8089, Max size: 100000000
2026-04-14 14:09:23,962 [lib.common.results] INFO: File 1776200963900390600.System.evtx.gz size is 8138, Max size: 100000000
2026-04-14 14:09:23,994 [lib.common.results] INFO: File 1776200963931640600.WindowsPowerShell.evtx.gz size is 7990, Max size: 100000000
2026-04-14 14:09:26,306 [modules.auxiliary.fiddler] ERROR: Saz log file not found in guest machine
2026-04-14 14:09:29,103 [modules.auxiliary.fiddler] ERROR: Saz log file not found in guest machine
2026-04-14 14:09:29,103 [modules.auxiliary.sysmon] INFO: Doing final sysmon log dump
2026-04-14 14:09:31,259 [modules.auxiliary.evtx] INFO: Collecting logs: Application, HardwareEvents, Internet Explorer, Key Management Service, OAlerts, Security, Setup, System, Windows PowerShell
2026-04-14 14:09:31,462 [lib.common.results] INFO: File 1776200971431640600.InternetExplorer.evtx.gz size is 252, Max size: 100000000
2026-04-14 14:09:31,478 [lib.common.results] INFO: File 1776200971416015600.HardwareEvents.evtx.gz size is 251, Max size: 100000000
2026-04-14 14:09:31,478 [lib.common.results] INFO: File 1776200971416015600.KeyManagementService.evtx.gz size is 2174, Max size: 100000000
2026-04-14 14:09:31,478 [lib.common.results] INFO: File 1776200971416015600.Application.evtx.gz size is 6897, Max size: 100000000
2026-04-14 14:09:31,541 [lib.common.results] INFO: File 1776200971462890600.OAlerts.evtx.gz size is 246, Max size: 100000000
2026-04-14 14:09:31,556 [lib.common.results] INFO: File 1776200971478515600.Setup.evtx.gz size is 246, Max size: 100000000
2026-04-14 14:09:31,572 [lib.common.results] INFO: File 1776200971478515600.Security.evtx.gz size is 8073, Max size: 100000000
2026-04-14 14:09:31,572 [lib.common.results] INFO: File 1776200971478515600.System.evtx.gz size is 8140, Max size: 100000000
2026-04-14 14:09:31,587 [lib.common.results] INFO: File 1776200971541015600.WindowsPowerShell.evtx.gz size is 7990, Max size: 100000000
2026-04-14 14:09:34,181 [modules.auxiliary.sysmon] INFO: Uploading sysmon/1776200974.1816406.sysmon.evtx.gz to host
2026-04-14 14:09:34,181 [lib.common.results] INFO: File C:\Sysmon.evtx.gz size is 5526, Max size: 100000000
2026-04-14 14:09:34,197 [root] INFO: Finishing auxiliary modules
2026-04-14 14:09:34,197 [root] INFO: Shutting down pipe server and dumping dropped files
2026-04-14 14:09:34,197 [root] WARNING: Folder at path "C:\uOytARqSgS\debugger" does not exist, skipping
2026-04-14 14:09:34,197 [root] WARNING: Folder at path "C:\uOytARqSgS\tlsdump" does not exist, skipping
2026-04-14 14:09:34,197 [root] INFO: Analysis completed

Machine

Name win7office2k3flash2800137TWN3H102
Label win7office2k3flash2800137TWN3H102
Manager KVM
Started On 2026-04-14 20:06:41
Shutdown On 2026-04-14 20:09:44
Route internet

File Details

File Name opencalc.bat
File Size 9 bytes
File Type ASCII text
MD5 c61463921d79e07e461fd0e731f72619
SHA1 4c70ac1680d2c4bdb145d5be5dad5230b20805f2
SHA256 7fdf626e0603f5bc2375a7bbc92c94a21088841c0a03cf3c5f12aa9c680ce4e6
SHA512 1a0ada808250064beaafad6095f6d12b0a26ddeb0aff616205986dc4db7c4e72686701945bfb948a141a5f6db0d0e6cec29cd2fddc59ba07a9279a93a7e3541e
SHA3-384 b61a7654e9f55c8d3f21ad0e18325fb9d987f7baece23caa7b5803b1ed18cc0603d1cc5a57f344355e3e08a0950fcd36
CRC32 8D648BCF
Ssdeep 3:FGLAdK:FbK
File
calc.exe

Defense Evasion
  • T1055 - Process Injection
    • Signature - sigma
Privilege Escalation
  • T1055 - Process Injection
    • Signature - sigma

    Processing ( 10.49 seconds )

    • 7.35 Suricata
    • 2.471 Zircolite
    • 0.26 BehaviorAnalysis
    • 0.11 NetworkAnalysis
    • 0.084 Deduplicate
    • 0.074 ZfileRep
    • 0.05 CAPE
    • 0.05 Fiddler
    • 0.02 TargetInfo
    • 0.012 AnalysisInfo
    • 0.007 Static
    • 0.001 Debug
    • 0.001 Strings

    Signatures ( 0.10 seconds )

    • 0.056 sigma
    • 0.015 antiav_detectreg
    • 0.005 infostealer_ftp
    • 0.005 territorial_disputes_sigs
    • 0.003 infostealer_im
    • 0.002 guloader_apis
    • 0.002 masslogger_artifacts
    • 0.002 antianalysis_detectreg
    • 0.002 ransomware_files
    • 0.001 persistence_autorun
    • 0.001 stealth_timeout
    • 0.001 antianalysis_detectfile
    • 0.001 antiav_detectfile
    • 0.001 antivm_vbox_keys
    • 0.001 antivm_vmware_keys
    • 0.001 infostealer_bitcoin
    • 0.001 infostealer_mail
    • 0.001 ransomware_extensions

    Reporting ( 0.13 seconds )

    • 0.111 TMPFSCLEAN
    • 0.012 JsonDump
    • 0.003 MITRE_TTPS

    Signatures

    Dynamic (imported) function loading detected
    DynamicLoader: kernel32.dll/SetThreadUILanguage
    DynamicLoader: kernel32.dll/CopyFileExW
    DynamicLoader: kernel32.dll/IsDebuggerPresent
    DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
    DynamicLoader: ADVAPI32.dll/SaferIdentifyLevel
    DynamicLoader: ADVAPI32.dll/SaferComputeTokenFromLevel
    DynamicLoader: ADVAPI32.dll/SaferCloseLevel
    DynamicLoader: kernel32.dll/SortGetHandle
    DynamicLoader: kernel32.dll/SortCloseHandle
    DynamicLoader: LPK.dll/LpkEditControl
    DynamicLoader: WindowsCodecs.dll/WICCreateImagingFactory_Proxy
    DynamicLoader: UxTheme.dll/ThemeInitApiHook
    DynamicLoader: USER32.dll/IsProcessDPIAware
    DynamicLoader: dwmapi.dll/DwmIsCompositionEnabled
    DynamicLoader: GDI32.dll/GetLayout
    DynamicLoader: GDI32.dll/GdiRealizationInfo
    DynamicLoader: GDI32.dll/FontIsLinked
    DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
    DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
    DynamicLoader: GDI32.dll/GetTextFaceAliasW
    DynamicLoader: ADVAPI32.dll/RegEnumValueW
    DynamicLoader: ADVAPI32.dll/RegCloseKey
    DynamicLoader: ADVAPI32.dll/RegQueryValueExW
    DynamicLoader: GDI32.dll/GetFontAssocStatus
    DynamicLoader: ADVAPI32.dll/RegQueryValueExA
    DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
    DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
    DynamicLoader: USER32.dll/GetWindowInfo
    DynamicLoader: USER32.dll/GetAncestor
    DynamicLoader: USER32.dll/GetMonitorInfoA
    DynamicLoader: USER32.dll/EnumDisplayMonitors
    DynamicLoader: USER32.dll/EnumDisplayDevicesA
    DynamicLoader: GDI32.dll/ExtTextOutW
    DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
    DynamicLoader: COMCTL32.dll/RegisterClassNameW
    DynamicLoader: UxTheme.dll/OpenThemeData
    DynamicLoader: UxTheme.dll/IsThemePartDefined
    DynamicLoader: UxTheme.dll/GetThemeFont
    DynamicLoader: UxTheme.dll/GetThemeColor
    DynamicLoader: UxTheme.dll/GetThemeBool
    DynamicLoader: IMM32.DLL/ImmIsIME
    DynamicLoader: UxTheme.dll/EnableThemeDialogTexture
    DynamicLoader: CRYPTBASE.dll/SystemFunction036
    DynamicLoader: WINMM.dll/timeGetTime
    DynamicLoader: WINMM.dll/timeSetEvent
    DynamicLoader: WINMM.dll/timeKillEvent
    DynamicLoader: ole32.dll/CoInitializeEx
    DynamicLoader: ole32.dll/CoUninitialize
    DynamicLoader: ole32.dll/CoRegisterInitializeSpy
    DynamicLoader: ole32.dll/CoRevokeInitializeSpy
    DynamicLoader: OLEAUT32.dll/#2
    DynamicLoader: OLEAUT32.dll/#10
    DynamicLoader: OLEAUT32.dll/#6
    DynamicLoader: UxTheme.dll/BufferedPaintInit
    DynamicLoader: UxTheme.dll/BufferedPaintRenderAnimation
    DynamicLoader: UxTheme.dll/BeginBufferedAnimation
    DynamicLoader: UxTheme.dll/IsThemeBackgroundPartiallyTransparent
    DynamicLoader: UxTheme.dll/DrawThemeParentBackground
    DynamicLoader: UxTheme.dll/DrawThemeBackground
    DynamicLoader: UxTheme.dll/GetThemeBackgroundContentRect
    DynamicLoader: UxTheme.dll/EndBufferedAnimation
    DynamicLoader: GDI32.dll/GetTextExtentExPointWPri
    DynamicLoader: UxTheme.dll/DrawThemeText
    DynamicLoader: UxTheme.dll/BufferedPaintStopAllAnimations
    DynamicLoader: OLEAUT32.dll/#9
    Network activity detected but not expressed in API logs
    Sigma Alerts
    id: a24e5861-c6ca-4fde-a93c-ba9256feddf0
    title: Uncommon Process Access Rights For Target Image
    description: Detects process access request to uncommon target images with a "PROCESS_ALL_ACCESS" access mask.
    matches: [{'row_id': 433, 'Provider_Name': 'Microsoft-Windows-Sysmon', 'Guid': '5770385F-C22A-43E0-BF4C-06F5698FFBD9', 'EventID': 10, 'Version': 3, 'Level': 4, 'Task': 10, 'Opcode': 0, 'Keywords': '0x8000000000000000', 'SystemTime': '2026-04-14T21:06:51.984375Z', 'EventRecordID': 1946285, 'ProcessID': 1316, 'ThreadID': 1768, 'Channel': 'Microsoft-Windows-Sysmon/Operational', 'Computer': 'PO-147364', 'OriginalLogfile': '1776200820.2441406.sysmon.evtx-7PRFQ4FS.json', 'UserID': 'S-1-5-18', 'RuleName': '-', 'UtcTime': '2026-04-14 21:06:51.968', 'SourceProcessGUID': '34022EC5-AC6B-69DE-1B03-000000007600', 'SourceProcessId': 1800, 'SourceThreadId': 2808, 'SourceImage': 'C:\\Windows\\SysWOW64\\cmd.exe', 'TargetProcessGUID': '34022EC5-AC6B-69DE-1E03-000000007600', 'TargetProcessId': 3008, 'TargetImage': 'C:\\Windows\\SysWOW64\\calc.exe', 'GrantedAccess': '0x1fffff', 'CallTrace': 'C:\\Windows\\SYSTEM32\\ntdll.dll+6a35a|C:\\Windows\\SYSTEM32\\wow64.dll+ba4f|C:\\Windows\\SYSTEM32\\wow64.dll+2161f|C:\\Windows\\SYSTEM32\\wow64.dll+d18f|C:\\Windows\\SYSTEM32\\wow64cpu.dll+2776|C:\\Windows\\SYSTEM32\\wow64.dll+d286|C:\\Windows\\SYSTEM32\\wow64.dll+c69e|C:\\Windows\\SYSTEM32\\ntdll.dll+343c3|C:\\Windows\\SYSTEM32\\ntdll.dll+99780|C:\\Windows\\SYSTEM32\\ntdll.dll+4371e|C:\\Windows\\SysWOW64\\ntdll.dll+2095e(wow64)|UNKNOWN(000000007473E670)|C:\\Windows\\syswow64\\kernel32.dll+2439c(wow64)|UNKNOWN(0000000074749619)|C:\\Windows\\syswow64\\kernel32.dll+11069(wow64)|C:\\Windows\\SysWOW64\\cmd.exe+3f94|C:\\Windows\\SysWOW64\\cmd.exe+3cb5|C:\\Windows\\SysWOW64\\cmd.exe+3d48|C:\\Windows\\SysWOW64\\cmd.exe+15c5|C:\\Windows\\SysWOW64\\cmd.exe+22c0|C:\\Windows\\SysWOW64\\cmd.exe+4d0e|C:\\Windows\\SysWOW64\\cmd.exe+5718|C:\\Windows\\SysWOW64\\cmd.exe+6b85|C:\\Windows\\SysWOW64\\cmd.exe+3d48', 'SourceUser': 'PO-147364\\QhHgMAErNas', 'TargetUser': 'PO-147364\\QhHgMAErNas'}, {'row_id': 439, 'Provider_Name': 'Microsoft-Windows-Sysmon', 'Guid': '5770385F-C22A-43E0-BF4C-06F5698FFBD9', 'EventID': 10, 'Version': 3, 'Level': 4, 'Task': 10, 'Opcode': 0, 'Keywords': '0x8000000000000000', 'SystemTime': '2026-04-14T21:06:52.000000Z', 'EventRecordID': 1946291, 'ProcessID': 1316, 'ThreadID': 1768, 'Channel': 'Microsoft-Windows-Sysmon/Operational', 'Computer': 'PO-147364', 'OriginalLogfile': '1776200820.2441406.sysmon.evtx-7PRFQ4FS.json', 'UserID': 'S-1-5-18', 'RuleName': '-', 'UtcTime': '2026-04-14 21:06:52.000', 'SourceProcessGUID': '34022EC5-AC6B-69DE-1F03-000000007600', 'SourceProcessId': 616, 'SourceThreadId': 1196, 'SourceImage': 'C:\\tmp5j_l8fk0\\bin\\HoIpHJn.exe', 'TargetProcessGUID': '34022EC5-AC6B-69DE-1E03-000000007600', 'TargetProcessId': 3008, 'TargetImage': 'C:\\Windows\\SysWOW64\\calc.exe', 'GrantedAccess': '0x1fffff', 'CallTrace': 'C:\\Windows\\SYSTEM32\\ntdll.dll+69aea|C:\\Windows\\SYSTEM32\\wow64.dll+14ec8|C:\\Windows\\SYSTEM32\\wow64.dll+d18f|C:\\Windows\\SYSTEM32\\wow64cpu.dll+2776|C:\\Windows\\SYSTEM32\\wow64.dll+d286|C:\\Windows\\SYSTEM32\\wow64.dll+c69e|C:\\Windows\\SYSTEM32\\ntdll.dll+343c3|C:\\Windows\\SYSTEM32\\ntdll.dll+99780|C:\\Windows\\SYSTEM32\\ntdll.dll+4371e|C:\\Windows\\SysWOW64\\ntdll.dll+1fc62(wow64)|C:\\Windows\\syswow64\\KERNELBASE.dll+f369(wow64)|C:\\tmp5j_l8fk0\\bin\\HoIpHJn.exe+2d8e|C:\\tmp5j_l8fk0\\bin\\HoIpHJn.exe+3831|C:\\tmp5j_l8fk0\\bin\\HoIpHJn.exe+44d5|C:\\Windows\\syswow64\\kernel32.dll+1344d(wow64)|C:\\Windows\\SysWOW64\\ntdll.dll+39802(wow64)|C:\\Windows\\SysWOW64\\ntdll.dll+397d5(wow64)', 'SourceUser': 'PO-147364\\QhHgMAErNas', 'TargetUser': 'PO-147364\\QhHgMAErNas'}]

    Screenshots

    Hosts

    Direct IP Country Name
    Y 8.8.8.8 United States

    DNS

    No domains contacted.

    Summary

    C:\Users\pgabriel\AppData\Local\Temp
    C:\Users
    C:\Users\pgabriel
    C:\Users\pgabriel\AppData
    C:\Users\pgabriel\AppData\Local
    C:\Users\pgabriel\AppData\Local\Temp\opencalc.bat
    C:\Users\pgabriel\AppData\Local\Temp\opencalc.bat\
    C:\Users\pgabriel\AppData\Local\Temp\
    C:\Users\pgabriel\AppData\Local\
    C:\Users\pgabriel\AppData\
    C:\Users\pgabriel\
    C:\Users\
    \??\MountPointManager
    C:\Users\pgabriel\AppData\Local\Temp\calc.exe
    C:\Users\pgabriel\AppData\Local\Temp\calc.exe.*
    C:\Program Files (x86)\Common Files\Oracle\Java\javapath\calc.exe
    C:\Program Files (x86)\Common Files\Oracle\Java\javapath\calc.exe.*
    C:\Windows\System32\calc.exe
    C:\Windows\Globalization\Sorting\sortdefault.nls
    C:\Windows\SysWOW64\en-US\calc.exe.mui
    C:\Windows\Fonts\staticcache.dat
    C:\Windows\System32\rpcss.dll
    C:\Users\pgabriel\AppData\Local\Temp\opencalc.bat
    C:\Windows\Globalization\Sorting\sortdefault.nls
    C:\Windows\SysWOW64\en-US\calc.exe.mui
    C:\Windows\Fonts\staticcache.dat
    DisableUserModeCallbackFilter
    HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
    HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
    HKEY_CURRENT_USER\Software\Microsoft\Command Processor
    HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
    HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
    HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
    HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
    HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
    HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
    HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\LevelObjects
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\Levels
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones
    HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths
    HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes
    HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones
    HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths
    HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes
    HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones
    HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths
    HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes
    HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones
    HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths
    HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes
    HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones
    HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths
    HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes
    HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\DefaultLevel
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\SaferFlags
    HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Srp\\GP\
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Srp\GP\RuleCount
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\PolicyScope
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\LogFileName
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
    HKEY_CLASSES_ROOT\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance
    HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance
    HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Segoe UI
    HKEY_CURRENT_USER\Software\Microsoft\Calc
    HKEY_CURRENT_USER\Software\Microsoft\Calc\layout
    HKEY_CURRENT_USER\Software\Microsoft\Calc\UseSep
    HKEY_CURRENT_USER\Software\Microsoft\Calc\ShowHistory
    HKEY_CURRENT_USER\Software\Microsoft\Calc\UnitConv
    HKEY_CURRENT_USER\Software\Microsoft\Calc\Templates
    HKEY_CURRENT_USER\Software\Microsoft\Calc\DateTime
    HKEY_CURRENT_USER\Software\Microsoft\Calc\Window_Placement
    HKEY_CURRENT_USER
    HKEY_CURRENT_USER\Control Panel\International
    HKEY_CURRENT_USER\Control Panel\International\sDecimal
    HKEY_CURRENT_USER\Control Panel\International\sThousand
    HKEY_CURRENT_USER\Control Panel\International\sGrouping
    HKEY_CURRENT_USER\Software\Microsoft\Calc\Window_Min_Width
    HKEY_CURRENT_USER\Software\Microsoft\Calc\Window_Min_Height
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\calc.exe
    HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Consolas
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Segoe UI Symbol
    DisableUserModeCallbackFilter
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
    HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
    HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
    HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
    HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
    HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
    HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
    HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\Levels
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\DefaultLevel
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\SaferFlags
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Srp\GP\RuleCount
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\PolicyScope
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\LogFileName
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
    HKEY_CURRENT_USER\Software\Microsoft\Calc\layout
    HKEY_CURRENT_USER\Software\Microsoft\Calc\UseSep
    HKEY_CURRENT_USER\Software\Microsoft\Calc\ShowHistory
    HKEY_CURRENT_USER\Software\Microsoft\Calc\UnitConv
    HKEY_CURRENT_USER\Software\Microsoft\Calc\Templates
    HKEY_CURRENT_USER\Software\Microsoft\Calc\DateTime
    HKEY_CURRENT_USER\Software\Microsoft\Calc\Window_Placement
    HKEY_CURRENT_USER\Control Panel\International\sDecimal
    HKEY_CURRENT_USER\Control Panel\International\sThousand
    HKEY_CURRENT_USER\Control Panel\International\sGrouping
    HKEY_CURRENT_USER\Software\Microsoft\Calc\Window_Min_Width
    HKEY_CURRENT_USER\Software\Microsoft\Calc\Window_Min_Height
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
    HKEY_CURRENT_USER\Software\Microsoft\Calc
    HKEY_CURRENT_USER\Software\Microsoft\Calc\Window_Placement
    kernel32.dll.SetThreadUILanguage
    kernel32.dll.CopyFileExW
    kernel32.dll.IsDebuggerPresent
    kernel32.dll.SetConsoleInputExeNameW
    advapi32.dll.SaferIdentifyLevel
    advapi32.dll.SaferComputeTokenFromLevel
    advapi32.dll.SaferCloseLevel
    kernel32.dll.SortGetHandle
    kernel32.dll.SortCloseHandle
    lpk.dll.LpkEditControl
    windowscodecs.dll.WICCreateImagingFactory_Proxy
    uxtheme.dll.ThemeInitApiHook
    user32.dll.IsProcessDPIAware
    dwmapi.dll.DwmIsCompositionEnabled
    gdi32.dll.GetLayout
    gdi32.dll.GdiRealizationInfo
    gdi32.dll.FontIsLinked
    advapi32.dll.RegOpenKeyExW
    advapi32.dll.RegQueryInfoKeyW
    gdi32.dll.GetTextFaceAliasW
    advapi32.dll.RegEnumValueW
    advapi32.dll.RegCloseKey
    advapi32.dll.RegQueryValueExW
    gdi32.dll.GetFontAssocStatus
    advapi32.dll.RegQueryValueExA
    advapi32.dll.RegEnumKeyExW
    kernel32.dll.IsProcessorFeaturePresent
    user32.dll.GetWindowInfo
    user32.dll.GetAncestor
    user32.dll.GetMonitorInfoA
    user32.dll.EnumDisplayMonitors
    user32.dll.EnumDisplayDevicesA
    gdi32.dll.ExtTextOutW
    gdi32.dll.GdiIsMetaPrintDC
    comctl32.dll.RegisterClassNameW
    uxtheme.dll.OpenThemeData
    uxtheme.dll.IsThemePartDefined
    uxtheme.dll.GetThemeFont
    uxtheme.dll.GetThemeColor
    uxtheme.dll.GetThemeBool
    imm32.dll.ImmIsIME
    uxtheme.dll.EnableThemeDialogTexture
    cryptbase.dll.SystemFunction036
    winmm.dll.timeGetTime
    winmm.dll.timeSetEvent
    winmm.dll.timeKillEvent
    ole32.dll.CoInitializeEx
    ole32.dll.CoUninitialize
    ole32.dll.CoRegisterInitializeSpy
    ole32.dll.CoRevokeInitializeSpy
    oleaut32.dll.#2
    oleaut32.dll.#10
    oleaut32.dll.#6
    uxtheme.dll.BufferedPaintInit
    uxtheme.dll.BufferedPaintRenderAnimation
    uxtheme.dll.BeginBufferedAnimation
    uxtheme.dll.IsThemeBackgroundPartiallyTransparent
    uxtheme.dll.DrawThemeParentBackground
    uxtheme.dll.DrawThemeBackground
    uxtheme.dll.GetThemeBackgroundContentRect
    uxtheme.dll.EndBufferedAnimation
    gdi32.dll.GetTextExtentExPointWPri
    uxtheme.dll.DrawThemeText
    uxtheme.dll.BufferedPaintStopAllAnimations
    oleaut32.dll.#9
    C:\Windows\system32\cmd.exe /K "C:\Users\pgabriel\AppData\Local\Temp\opencalc.bat"
    calc.exe
    No static analysis available.
    Sorry! No behavior.

    Hosts

    No hosts contacted.

    TCP

    No TCP connections recorded.

    UDP

    No UDP connections recorded.

    DNS

    No domains contacted.

    HTTP Requests

    No HTTP(s) requests performed.

    SMTP traffic

    No SMTP traffic performed.

    IRC traffic

    No IRC requests performed.

    ICMP traffic

    No ICMP traffic performed.

    CIF Results

    No CIF Results

    Suricata Alerts

    No Suricata Alerts

    Suricata TLS

    No Suricata TLS

    Suricata HTTP

    No Suricata HTTP

    Sorry! No Suricata Extracted files.
    Sorry! No dropped files.
    Sorry! No process dumps.