Analysis Log
2026-06-28 14:55:57,928 [root] INFO: Date set to: 20260628T22:59:19, timeout set to: 15
2026-06-28 22:59:19,754 [root] DEBUG: Starting analyzer from: C:\7d7wfxi0
2026-06-28 22:59:19,756 [root] DEBUG: Storing results at: C:\cUJPOo
2026-06-28 22:59:19,756 [root] DEBUG: Pipe server name: \\.\PIPE\pcWTWbc
2026-06-28 22:59:19,756 [root] DEBUG: Python path: C:\Users\Rajesh\AppData\Local\Programs\Python\Python314
2026-06-28 22:59:19,756 [root] INFO: analysis running as an admin
2026-06-28 22:59:19,756 [root] INFO: analysis package specified: "doc"
2026-06-28 22:59:19,756 [root] DEBUG: importing analysis package module: "modules.packages.doc"...
2026-06-28 22:59:19,780 [root] DEBUG: imported analysis package "doc"
2026-06-28 22:59:19,780 [root] DEBUG: initializing analysis package "doc"...
2026-06-28 22:59:19,783 [lib.common.common] INFO: no wrapping
2026-06-28 22:59:19,807 [lib.core.compound] INFO: C:\Program Files\Microsoft Office\root\Templates created
2026-06-28 22:59:19,812 [root] DEBUG: New location of moved file: C:\Program Files\Microsoft Office\root\Templates\statistics.doc
2026-06-28 22:59:19,813 [root] INFO: Analyzer: Package modules.packages.doc does not specify a dll option
2026-06-28 22:59:19,813 [root] INFO: Analyzer: Package modules.packages.doc does not specify a dll_64 option
2026-06-28 22:59:19,813 [root] INFO: Analyzer: Package modules.packages.doc does not specify a loader option
2026-06-28 22:59:19,813 [root] INFO: Analyzer: Package modules.packages.doc does not specify a loader_64 option
2026-06-28 22:59:20,984 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2026-06-28 22:59:20,993 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2026-06-28 22:59:21,040 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2026-06-28 22:59:22,531 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2026-06-28 22:59:22,541 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2026-06-28 22:59:22,542 [lib.api.screenshot] ERROR: No module named 'PIL'
2026-06-28 22:59:22,543 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2026-06-28 22:59:22,547 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2026-06-28 22:59:22,548 [root] DEBUG: Initialized auxiliary module "Browser"
2026-06-28 22:59:22,548 [root] DEBUG: attempting to configure 'Browser' from data
2026-06-28 22:59:22,549 [root] DEBUG: module Browser does not support data configuration, ignoring
2026-06-28 22:59:22,550 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2026-06-28 22:59:22,592 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2026-06-28 22:59:22,592 [root] DEBUG: Initialized auxiliary module "DigiSig"
2026-06-28 22:59:22,593 [root] DEBUG: attempting to configure 'DigiSig' from data
2026-06-28 22:59:22,594 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2026-06-28 22:59:22,594 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2026-06-28 22:59:22,594 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2026-06-28 22:59:23,124 [modules.auxiliary.digisig] DEBUG: File has an invalid signature
2026-06-28 22:59:23,125 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2026-06-28 22:59:23,128 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2026-06-28 22:59:23,129 [root] DEBUG: Initialized auxiliary module "Disguise"
2026-06-28 22:59:23,129 [root] DEBUG: attempting to configure 'Disguise' from data
2026-06-28 22:59:23,133 [root] DEBUG: module Disguise does not support data configuration, ignoring
2026-06-28 22:59:23,133 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2026-06-28 22:59:23,137 [modules.auxiliary.disguise] INFO: Launched background process notepad.exe hidden (PID: 3604)
2026-06-28 22:59:23,145 [modules.auxiliary.disguise] INFO: Disguising GUID to 842c770e-8d4c-479e-81ce-001439b61ed1
2026-06-28 22:59:23,145 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2026-06-28 22:59:23,146 [root] DEBUG: Initialized auxiliary module "Human"
2026-06-28 22:59:23,146 [root] DEBUG: attempting to configure 'Human' from data
2026-06-28 22:59:23,147 [root] DEBUG: module Human does not support data configuration, ignoring
2026-06-28 22:59:23,147 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2026-06-28 22:59:23,148 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2026-06-28 22:59:23,148 [root] DEBUG: Initialized auxiliary module "Screenshots"
2026-06-28 22:59:23,148 [root] DEBUG: attempting to configure 'Screenshots' from data
2026-06-28 22:59:23,149 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2026-06-28 22:59:23,149 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2026-06-28 22:59:23,160 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2026-06-28 22:59:23,160 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2026-06-28 22:59:23,161 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2026-06-28 22:59:23,161 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2026-06-28 22:59:23,162 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2026-06-28 22:59:23,162 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2026-06-28 22:59:23,165 [modules.auxiliary.tlsdump] WARNING: Unable to find lsass.exe process
2026-06-28 22:59:23,165 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump
2026-06-28 22:59:29,208 [root] INFO: Restarting WMI Service
2026-06-28 22:59:31,501 [root] DEBUG: package modules.packages.doc does not support configure, ignoring
2026-06-28 22:59:31,503 [root] WARNING: configuration error for package modules.packages.doc: error importing data.packages.doc: No module named 'data.packages'
2026-06-28 22:59:31,507 [lib.core.compound] INFO: C:\Users\Rajesh\AppData\Local\Temp already exists, skipping creation
2026-06-28 22:59:31,511 [lib.api.process] INFO: Successfully executed process from path "C:\Program Files\Microsoft Office\Office16\WINWORD.EXE" with arguments ""C:\Program Files\Microsoft Office\root\Templates\statistics.doc" /q" with pid 4904
2026-06-28 22:59:31,807 [lib.api.process] INFO: Monitor config for process 4904: C:\7d7wfxi0\dll\4904.ini
2026-06-28 22:59:33,277 [lib.api.process] INFO: Potential dll side-loading detected in local directory: dbghelp.dll
2026-06-28 22:59:33,335 [lib.api.process] INFO: 64-bit DLL to inject is C:\7d7wfxi0\dll\HDJsPr.dll, loader C:\7d7wfxi0\bin\UFjmJKFL.exe
2026-06-28 22:59:33,358 [root] DEBUG: Loader: Injecting process 4904 (thread 5044) with C:\7d7wfxi0\dll\HDJsPr.dll.
2026-06-28 22:59:33,360 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-06-28 22:59:33,361 [root] DEBUG: Successfully injected DLL C:\7d7wfxi0\dll\HDJsPr.dll.
2026-06-28 22:59:33,363 [lib.api.process] INFO: Injected into 64-bit <Process 4904 WINWORD.EXE>
2026-06-28 22:59:35,380 [lib.api.process] INFO: Successfully resumed process with pid 4904
2026-06-28 22:59:35,401 [root] DEBUG: 4904: Python path set to 'C:\Users\Rajesh\AppData\Local\Programs\Python\Python314'.
2026-06-28 22:59:35,402 [root] DEBUG: 4904: Disabling sleep skipping.
2026-06-28 22:59:35,405 [root] DEBUG: 4904: Dropped file limit defaulting to 100.
2026-06-28 22:59:35,407 [root] DEBUG: 4904: Microsoft Office settings enabled.
2026-06-28 22:59:35,467 [root] DEBUG: 4904: RtlInsertInvertedFunctionTable 0x00007FF9AAA0090E, LdrpInvertedFunctionTableSRWLock 0x00007FF9AAB5B4F0
2026-06-28 22:59:35,468 [root] DEBUG: 4904: Monitor initialised: 64-bit capemon loaded in process 4904 at 0x00007FF986580000, thread 5044, image base 0x00007FF651960000, stack from 0x000000F490EF1000-0x000000F490F00000
2026-06-28 22:59:35,469 [root] DEBUG: 4904: Commandline: "C:\Program Files\Microsoft Office\Office16\WINWORD.EXE" "C:\Program Files\Microsoft Office\root\Templates\statistics.doc" /q
2026-06-28 22:59:35,517 [root] WARNING: b'Unable to create trampoline for LockResource, hook type 2'
2026-06-28 22:59:35,518 [root] DEBUG: 4904: set_hooks: Unable to hook LockResource
2026-06-28 22:59:35,531 [root] DEBUG: 4904: Hooked 428 out of 429 functions
2026-06-28 22:59:35,629 [root] DEBUG: 4904: Syscall hook installed, syscall logging level 1
2026-06-28 22:59:35,631 [root] DEBUG: 4904: RestoreHeaders: Restored original import table.
2026-06-28 22:59:35,632 [root] INFO: Loaded monitor into process with pid 4904
2026-06-28 22:59:35,668 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A6A00000: C:\Windows\SYSTEM32\dxgi (0xf4000 bytes).
2026-06-28 22:59:35,670 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A43A0000: C:\Windows\SYSTEM32\d3d11 (0x264000 bytes).
2026-06-28 22:59:35,671 [root] DEBUG: 4904: DLL loaded at 0x00007FF990180000: C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.1288_none_91a663c8cc864906\gdiplus (0x1a9000 bytes).
2026-06-28 22:59:35,673 [root] DEBUG: 4904: DLL loaded at 0x00007FF997D30000: C:\Windows\SYSTEM32\VCRUNTIME140_1 (0xc000 bytes).
2026-06-28 22:59:35,678 [root] DEBUG: 4904: DLL loaded at 0x00007FF991230000: C:\Windows\SYSTEM32\MSVCP140 (0x9d000 bytes).
2026-06-28 22:59:35,679 [root] DEBUG: 4904: DLL loaded at 0x00007FF9816A0000: C:\Program Files\Microsoft Office\Office16\oart (0x116c000 bytes).
2026-06-28 22:59:35,680 [root] DEBUG: 4904: DLL loaded at 0x00007FF982810000: C:\Program Files\Microsoft Office\Office16\wwlib (0x239f000 bytes).
2026-06-28 22:59:35,711 [root] DEBUG: 4904: DLL loaded at 0x00007FF9860E0000: C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client (0x304000 bytes).
2026-06-28 22:59:35,728 [root] DEBUG: 4904: DLL loaded at 0x00007FF985C60000: C:\Program Files\Common Files\Microsoft Shared\Office16\mso30win32client (0x478000 bytes).
2026-06-28 22:59:35,742 [root] DEBUG: 4904: DLL loaded at 0x00007FF980DB0000: C:\Program Files\Common Files\Microsoft Shared\Office16\mso40uiwin32client (0x8eb000 bytes).
2026-06-28 22:59:35,756 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A4300000: C:\Windows\SYSTEM32\MSIMG32 (0x7000 bytes).
2026-06-28 22:59:35,757 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A6C60000: C:\Windows\SYSTEM32\sppc (0x25000 bytes).
2026-06-28 22:59:35,759 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A6C90000: C:\Windows\SYSTEM32\SLC (0x29000 bytes).
2026-06-28 22:59:35,760 [root] DEBUG: 4904: DLL loaded at 0x00007FF977870000: C:\Program Files\Common Files\Microsoft Shared\Office16\mso99Lwin32client (0x7cc000 bytes).
2026-06-28 22:59:35,779 [root] DEBUG: 4904: DLL loaded at 0x00007FF976590000: C:\Program Files\Common Files\Microsoft Shared\Office16\mso (0x12dc000 bytes).
2026-06-28 22:59:35,805 [root] DEBUG: 4904: DLL loaded at 0x00007FF990830000: C:\Windows\SYSTEM32\msi (0x32d000 bytes).
2026-06-28 22:59:35,813 [root] DEBUG: 4904: DLL loaded at 0x00007FF994050000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\Comctl32 (0x29a000 bytes).
2026-06-28 22:59:35,827 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A6030000: C:\Windows\SYSTEM32\kernel.appcore (0x12000 bytes).
2026-06-28 22:59:35,828 [root] DEBUG: 4904: DLL loaded at 0x00007FF98F380000: C:\Windows\SYSTEM32\srpapi (0x2c000 bytes).
2026-06-28 22:59:35,913 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A4610000: C:\Windows\SYSTEM32\d2d1 (0x5c0000 bytes).
2026-06-28 22:59:35,923 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A5B50000: C:\Windows\system32\uxtheme (0x9e000 bytes).
2026-06-28 22:59:35,928 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A9A10000: C:\Windows\System32\MSCTF (0x115000 bytes).
2026-06-28 22:59:35,932 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A3310000: C:\Windows\SYSTEM32\WTSAPI32 (0x14000 bytes).
2026-06-28 22:59:35,936 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A7F00000: C:\Windows\SYSTEM32\WINSTA (0x5a000 bytes).
2026-06-28 22:59:35,950 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A5C40000: C:\Windows\SYSTEM32\resourcepolicyclient (0x14000 bytes).
2026-06-28 22:59:35,977 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A8700000: C:\Windows\System32\bcryptPrimitives (0x83000 bytes).
2026-06-28 22:59:35,985 [root] INFO: Added new file to list with pid 4904 and path C:\Users\Rajesh\AppData\Local\Temp\{13133966-6FAB-4439-AE26-C46E42738232} - OProcSessId.dat
2026-06-28 22:59:36,382 [root] DEBUG: 4904: DLL loaded at 0x00007FF989750000: C:\Program Files\Common Files\Microsoft Shared\OFFICE16\MSPTLS (0x170000 bytes).
2026-06-28 22:59:36,399 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A7A90000: C:\Windows\SYSTEM32\Wldp (0x2c000 bytes).
2026-06-28 22:59:36,401 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A6230000: C:\Windows\SYSTEM32\windows.storage (0x790000 bytes).
2026-06-28 22:59:36,406 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A9D30000: C:\Windows\System32\SHCORE (0xad000 bytes).
2026-06-28 22:59:36,411 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A8050000: C:\Windows\SYSTEM32\profapi (0x1f000 bytes).
2026-06-28 22:59:36,569 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A4220000: C:\Windows\SYSTEM32\d3d10_1core (0xd000 bytes).
2026-06-28 22:59:36,572 [root] DEBUG: 4904: DLL loaded at 0x00007FF99E3C0000: C:\Windows\SYSTEM32\d3d10_1 (0x31000 bytes).
2026-06-28 22:59:36,580 [root] DEBUG: 4904: DLL loaded at 0x00007FF999CF0000: C:\Windows\SYSTEM32\D3D10Warp (0x6f6000 bytes).
2026-06-28 22:59:36,613 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A8110000: C:\Windows\System32\cfgmgr32 (0x4e000 bytes).
2026-06-28 22:59:36,615 [root] DEBUG: 4904: DLL loaded at 0x00007FF99DF90000: C:\Windows\SYSTEM32\dxcore (0x3b000 bytes).
2026-06-28 22:59:36,634 [root] DEBUG: 4904: DLL loaded at 0x00007FF99A5A0000: C:\Windows\SYSTEM32\DWrite (0x283000 bytes).
2026-06-28 22:59:37,973 [root] DEBUG: 4904: DLL loaded at 0x00007FF99CF00000: C:\Windows\SYSTEM32\WindowsCodecs (0x1b4000 bytes).
2026-06-28 22:59:38,055 [root] DEBUG: 4904: DLL loaded at 0x00007FF99E260000: C:\Windows\SYSTEM32\netapi32 (0x18000 bytes).
2026-06-28 22:59:38,058 [root] DEBUG: 4904: DLL loaded at 0x00007FF99DFE0000: C:\Windows\SYSTEM32\mscoree (0x65000 bytes).
2026-06-28 22:59:38,067 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A7200000: C:\Windows\SYSTEM32\msvcp110_win (0x8a000 bytes).
2026-06-28 22:59:38,073 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A79E0000: C:\Windows\SYSTEM32\cryptsp (0x18000 bytes).
2026-06-28 22:59:38,075 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A14B0000: C:\Windows\SYSTEM32\DSREG (0x13f000 bytes).
2026-06-28 22:59:38,078 [root] DEBUG: 4904: DLL loaded at 0x00007FF988780000: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei (0xaa000 bytes).
2026-06-28 22:59:38,108 [root] DEBUG: 4904: DLL loaded at 0x00007FF985690000: C:\Program Files\Common Files\Microsoft Shared\Office16\riched20 (0x223000 bytes).
2026-06-28 22:59:38,127 [root] DEBUG: 4904: DLL loaded at 0x00007FF997F60000: C:\Windows\SYSTEM32\Secur32 (0xc000 bytes).
2026-06-28 22:59:38,148 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A9600000: C:\Windows\System32\clbcatq (0xa9000 bytes).
2026-06-28 22:59:38,158 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A3B20000: C:\Windows\System32\netprofm (0x3e000 bytes).
2026-06-28 22:59:38,185 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A18A0000: C:\Windows\System32\npmproxy (0x10000 bytes).
2026-06-28 22:59:38,205 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A74E0000: C:\Windows\SYSTEM32\IPHLPAPI (0x3b000 bytes).
2026-06-28 22:59:38,209 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A9D20000: C:\Windows\System32\NSI (0x8000 bytes).
2026-06-28 22:59:38,286 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A5F20000: C:\Windows\SYSTEM32\dwmapi (0x2f000 bytes).
2026-06-28 22:59:38,321 [root] DEBUG: 4904: DLL loaded at 0x00007FF997130000: C:\Windows\SYSTEM32\WINSPOOL.DRV (0x95000 bytes).
2026-06-28 22:59:38,340 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A32B0000: C:\Windows\SYSTEM32\dhcpcsvc6 (0x17000 bytes).
2026-06-28 22:59:38,343 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A3290000: C:\Windows\SYSTEM32\dhcpcsvc (0x1d000 bytes).
2026-06-28 22:59:38,347 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A7520000: C:\Windows\SYSTEM32\DNSAPI (0xcc000 bytes).
2026-06-28 22:59:38,391 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A7E50000: C:\Windows\SYSTEM32\sxs (0xa2000 bytes).
2026-06-28 22:59:38,412 [root] DEBUG: 4904: DLL loaded at 0x00007FF9AA490000: C:\Windows\System32\coml2 (0x79000 bytes).
2026-06-28 22:59:38,476 [root] DEBUG: 4904: DLL loaded at 0x00007FF99DE10000: C:\Windows\SYSTEM32\webservices (0x153000 bytes).
2026-06-28 22:59:38,502 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A9BE0000: C:\Windows\System32\Normaliz (0x8000 bytes).
2026-06-28 22:59:38,510 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A1C10000: C:\Windows\SYSTEM32\WINHTTP (0x108000 bytes).
2026-06-28 22:59:38,522 [root] DEBUG: 4904: DLL loaded at 0x00007FF994900000: C:\Windows\system32\OnDemandConnRouteHelper (0x17000 bytes).
2026-06-28 22:59:38,540 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A7E40000: C:\Windows\SYSTEM32\DPAPI (0xa000 bytes).
2026-06-28 22:59:38,552 [root] DEBUG: 4904: DLL loaded at 0x00007FF99F680000: C:\Windows\SYSTEM32\iertutil (0x2b0000 bytes).
2026-06-28 22:59:38,553 [root] DEBUG: 4904: DLL loaded at 0x00007FF99F650000: C:\Windows\SYSTEM32\srvcli (0x28000 bytes).
2026-06-28 22:59:38,554 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A75F0000: C:\Windows\SYSTEM32\netutils (0xc000 bytes).
2026-06-28 22:59:38,559 [root] DEBUG: 4904: DLL loaded at 0x00007FF99F930000: C:\Windows\SYSTEM32\urlmon (0x1eb000 bytes).
2026-06-28 22:59:38,632 [root] DEBUG: 4904: DLL loaded at 0x00007FF998780000: C:\Windows\SYSTEM32\WININET (0x4d0000 bytes).
2026-06-28 22:59:38,693 [root] DEBUG: 4904: DLL loaded at 0x00007FF994900000: C:\Windows\SYSTEM32\ondemandconnroutehelper (0x17000 bytes).
2026-06-28 22:59:38,728 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A77F0000: C:\Windows\system32\mswsock (0x6a000 bytes).
2026-06-28 22:59:38,737 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A01A0000: C:\Windows\SYSTEM32\webio (0x99000 bytes).
2026-06-28 22:59:38,742 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A3330000: C:\Windows\SYSTEM32\WINNSI (0xb000 bytes).
2026-06-28 22:59:38,779 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A1660000: C:\Windows\System32\rasadhlp (0xa000 bytes).
2026-06-28 22:59:39,639 [root] DEBUG: 4904: api-cap: RegOpenKeyExW hook disabled due to count: 5000
2026-06-28 22:59:40,129 [root] DEBUG: 4904: api-cap: NtQueryKey hook disabled due to count: 5000
2026-06-28 22:59:40,307 [root] DEBUG: 4904: api-cap: NtOpenKeyEx hook disabled due to count: 5000
2026-06-28 22:59:40,695 [root] DEBUG: 4904: api-cap: RegCloseKey hook disabled due to count: 5000
2026-06-28 22:59:40,741 [root] DEBUG: 4904: api-cap: RegEnumKeyExW hook disabled due to count: 5000
2026-06-28 22:59:41,515 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A8000000: C:\Windows\SYSTEM32\POWRPROF (0x4b000 bytes).
2026-06-28 22:59:41,530 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A7F60000: C:\Windows\SYSTEM32\UMPDC (0x12000 bytes).
2026-06-28 22:59:41,619 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A2720000: C:\Windows\system32\propsys (0xf6000 bytes).
2026-06-28 22:59:41,675 [root] INFO: Added new file to list with pid 4904 and path C:\Users\Rajesh\AppData\Roaming\Microsoft\Templates\Normal.dotm
2026-06-28 22:59:41,686 [root] INFO: Added new file to list with pid 4904 and path C:\Users\Rajesh\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
2026-06-28 22:59:41,722 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A2820000: C:\Windows\SYSTEM32\XmlLite (0x36000 bytes).
2026-06-28 22:59:41,730 [root] DEBUG: 4904: DLL loaded at 0x00007FF990130000: C:\Windows\system32\mlang (0x42000 bytes).
2026-06-28 22:59:41,799 [root] DEBUG: 4904: DLL loaded at 0x00007FF994E80000: C:\Windows\System32\msxml6 (0x25f000 bytes).
2026-06-28 22:59:41,871 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A10F0000: C:\Windows\System32\twinapi.appcore (0x201000 bytes).
2026-06-28 22:59:41,883 [root] DEBUG: 4904: DLL loaded at 0x00007FF996E80000: C:\Windows\system32\twinapi (0xa8000 bytes).
2026-06-28 22:59:41,935 [root] DEBUG: 4904: DLL loaded at 0x00007FF975A90000: C:\Program Files\Microsoft Office\Office16\chart (0xaf9000 bytes).
2026-06-28 22:59:41,987 [root] DEBUG: 4904: DLL loaded at 0x00007FF998F00000: C:\Windows\SYSTEM32\TextShaping (0xac000 bytes).
2026-06-28 22:59:42,043 [root] DEBUG: 4904: DLL loaded at 0x00007FF99A830000: C:\Windows\SYSTEM32\Cabinet (0x29000 bytes).
2026-06-28 22:59:42,092 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A6E00000: C:\Windows\SYSTEM32\ntmarta (0x33000 bytes).
2026-06-28 22:59:42,093 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A57F0000: C:\Windows\System32\CoreMessaging (0xf2000 bytes).
2026-06-28 22:59:42,095 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A4DC0000: C:\Windows\SYSTEM32\wintypes (0x154000 bytes).
2026-06-28 22:59:42,096 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A5490000: C:\Windows\System32\CoreUIComponents (0x35e000 bytes).
2026-06-28 22:59:42,097 [root] DEBUG: 4904: DLL loaded at 0x00007FF99BC00000: C:\Windows\SYSTEM32\textinputframework (0xf9000 bytes).
2026-06-28 22:59:42,379 [root] DEBUG: 4904: DLL loaded at 0x00007FF980880000: C:\Program Files\Microsoft Office\Office16\GKWord (0x52b000 bytes).
2026-06-28 22:59:42,582 [root] DEBUG: 4904: DLL loaded at 0x00007FF99E3A0000: C:\Windows\SYSTEM32\usp10 (0x19000 bytes).
2026-06-28 22:59:42,617 [root] DEBUG: 4904: DLL loaded at 0x00007FF98EF90000: C:\Windows\SYSTEM32\UIAutomationCore (0x2f5000 bytes).
2026-06-28 22:59:42,640 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A4BD0000: C:\Windows\system32\dcomp (0x1e5000 bytes).
2026-06-28 22:59:42,641 [root] DEBUG: 4904: DLL loaded at 0x00007FF9928C0000: C:\Windows\system32\dataexchange (0x3e000 bytes).
2026-06-28 22:59:42,936 [root] DEBUG: 4904: DLL loaded at 0x00007FF9984F0000: C:\Windows\SYSTEM32\LINKINFO (0xd000 bytes).
2026-06-28 22:59:42,945 [root] DEBUG: 4904: DLL loaded at 0x00007FF991710000: C:\Windows\SYSTEM32\ntshrui (0x7d000 bytes).
2026-06-28 22:59:42,952 [root] DEBUG: 4904: DLL loaded at 0x00007FF993730000: C:\Windows\SYSTEM32\edputil (0x24000 bytes).
2026-06-28 22:59:42,958 [root] DEBUG: 4904: DLL loaded at 0x00007FF995D10000: C:\Windows\SYSTEM32\cscapi (0x12000 bytes).
2026-06-28 22:59:43,067 [root] INFO: Added new file to list with pid 4904 and path C:\Users\Rajesh\AppData\Roaming\Microsoft\Office\Recent\statistics.doc.LNK
2026-06-28 22:59:43,093 [root] INFO: Announced 64-bit process name: explorer.exe pid: 2892
2026-06-28 22:59:43,094 [lib.api.process] INFO: Monitor config for process 2892: C:\7d7wfxi0\dll\2892.ini
2026-06-28 22:59:43,102 [lib.api.process] INFO: 64-bit DLL to inject is C:\7d7wfxi0\dll\HDJsPr.dll, loader C:\7d7wfxi0\bin\UFjmJKFL.exe
2026-06-28 22:59:43,105 [root] DEBUG: 4904: api-cap: NtClose hook disabled due to count: 5000
2026-06-28 22:59:43,173 [root] DEBUG: Loader: Injecting process 2892 with C:\7d7wfxi0\dll\HDJsPr.dll.
2026-06-28 22:59:43,187 [root] DEBUG: 2892: Python path set to 'C:\Users\Rajesh\AppData\Local\Programs\Python\Python314'.
2026-06-28 22:59:43,188 [root] DEBUG: 2892: Disabling sleep skipping.
2026-06-28 22:59:43,189 [root] DEBUG: 2892: Dropped file limit defaulting to 100.
2026-06-28 22:59:43,204 [root] DEBUG: 2892: YaraInit: Compiled 44 rule files
2026-06-28 22:59:43,225 [root] DEBUG: 2892: YaraInit: Compiled rules saved to file C:\7d7wfxi0\data\yara\capemon.yac
2026-06-28 22:59:43,248 [root] DEBUG: 4904: DLL loaded at 0x00007FF99E080000: C:\Windows\System32\Bcp47Langs (0x5c000 bytes).
2026-06-28 22:59:43,250 [root] DEBUG: 2892: RtlInsertInvertedFunctionTable 0x00007FF9AAA0090E, LdrpInvertedFunctionTableSRWLock 0x00007FF9AAB5B4F0
2026-06-28 22:59:43,251 [root] DEBUG: 4904: DLL loaded at 0x00007FF99C270000: C:\Windows\System32\bcp47mrm (0x2d000 bytes).
2026-06-28 22:59:43,252 [root] DEBUG: 2892: YaraScan: Scanning 0x00007FF66FFC0000, size 0x49c0a4
2026-06-28 22:59:43,253 [root] DEBUG: 4904: DLL loaded at 0x00007FF99A3F0000: C:\Windows\System32\Windows.Globalization (0x1a6000 bytes).
2026-06-28 22:59:43,264 [root] DEBUG: 4904: DLL loaded at 0x00007FF998CE0000: C:\Windows\SYSTEM32\globinputhost (0x25000 bytes).
2026-06-28 22:59:43,433 [root] DEBUG: 2892: Monitor initialised: 64-bit capemon loaded in process 2892 at 0x00007FF986580000, thread 3812, image base 0x00007FF66FFC0000, stack from 0x00000000083D1000-0x00000000083E0000
2026-06-28 22:59:43,437 [root] DEBUG: 2892: Commandline: C:\Windows\Explorer.EXE
2026-06-28 22:59:43,488 [root] DEBUG: 2892: hook_api: LdrpCallInitRoutine export address 0x00007FF9AAA099BC obtained via GetFunctionAddress
2026-06-28 22:59:43,557 [root] WARNING: b'Unable to create trampoline for LockResource, hook type 2'
2026-06-28 22:59:43,558 [root] DEBUG: 2892: set_hooks: Unable to hook LockResource
2026-06-28 22:59:43,774 [root] DEBUG: 2892: Hooked 630 out of 631 functions
2026-06-28 22:59:43,830 [root] DEBUG: 2892: Syscall hook installed, syscall logging level 1
2026-06-28 22:59:43,851 [root] INFO: Loaded monitor into process with pid 2892
2026-06-28 22:59:43,859 [root] DEBUG: 2892: caller_dispatch: Added region at 0x00007FF66FFC0000 to tracked regions list (user32::GetSystemMetrics returns to 0x00007FF67002EB15, thread 1304).
2026-06-28 22:59:43,860 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2026-06-28 22:59:43,861 [root] DEBUG: 2892: YaraScan: Scanning 0x00007FF66FFC0000, size 0x49c0a4
2026-06-28 22:59:43,864 [root] DEBUG: Successfully injected DLL C:\7d7wfxi0\dll\HDJsPr.dll.
2026-06-28 22:59:43,866 [root] DEBUG: 2892: api-rate-cap: LdrpCallInitRoutine hook disabled due to rate
2026-06-28 22:59:43,876 [lib.api.process] INFO: Injected into 64-bit <Process 2892 explorer.exe>
2026-06-28 22:59:43,918 [lib.common.results] INFO: Uploading file C:\Users\Rajesh\AppData\Roaming\Microsoft\Office\Recent\statistics.doc.LNK to files\2dcd40429e5ff3a0ed9b814637840b0d6bdfeea0dfde92e87de1396395afb844; Size is 1281; Max size: 100000000
2026-06-28 22:59:43,945 [root] DEBUG: 2892: ProcessImageBase: Main module image at 0x00007FF66FFC0000 unmodified (entropy change 0.000000e+00)
2026-06-28 22:59:44,122 [root] DEBUG: 2892: OpenProcessHandler: Injection info created for process 4904, handle 0x15e0: C:\Program Files\Microsoft Office\Office16\WINWORD.EXE
2026-06-28 22:59:45,596 [root] DEBUG: 4904: DLL loaded at 0x00007FF9896F0000: C:\Program Files\Microsoft Office\Office16\msproof7 (0x54000 bytes).
2026-06-28 22:59:46,240 [root] DEBUG: Error 5 (0x5) - OpenProcessHandler: Error obtaining target process name: Access is denied.
2026-06-28 22:59:46,241 [root] INFO: Added new file to list with pid 2892 and path C:\Users\Rajesh\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
2026-06-28 22:59:46,249 [root] DEBUG: 2892: OpenProcessHandler: Injection info created for process 2232, handle 0x23a4: Error obtaining target process name
2026-06-28 22:59:46,254 [root] DEBUG: Error 5 (0x5) - OpenProcessHandler: Error obtaining target process name: Access is denied.
2026-06-28 22:59:46,261 [root] DEBUG: 2892: OpenProcessHandler: Injection info created for process 2132, handle 0x2534: Error obtaining target process name
2026-06-28 22:59:46,262 [root] DEBUG: Error 5 (0x5) - OpenProcessHandler: Error obtaining target process name: Access is denied.
2026-06-28 22:59:46,263 [root] DEBUG: 2892: OpenProcessHandler: Injection info created for process 2996, handle 0x272c: Error obtaining target process name
2026-06-28 22:59:46,659 [root] DEBUG: 4904: api-cap: NtQueryPerformanceCounter hook disabled due to count: 5000
2026-06-28 22:59:47,436 [root] DEBUG: 4904: DLL loaded at 0x00007FF989C00000: C:\Program Files\Microsoft Office\Office16\PROOF\msspell7 (0xcd000 bytes).
2026-06-28 22:59:47,471 [root] DEBUG: 4904: DLL loaded at 0x00007FF988AB0000: C:\Program Files\Microsoft Office\OFFICE16\mscss7en (0x96000 bytes).
2026-06-28 22:59:47,478 [root] DEBUG: 4904: DLL loaded at 0x00007FF986470000: C:\Program Files\Microsoft Office\OFFICE16\PROOF\1033\MSGR8EN (0x8d000 bytes).
2026-06-28 22:59:47,510 [root] DEBUG: 4904: DLL loaded at 0x00007FF985BC0000: C:\Program Files\Microsoft Office\OFFICE16\css7Data0009 (0x9a000 bytes).
2026-06-28 22:59:50,579 [root] INFO: Analysis timeout hit, terminating analysis
2026-06-28 22:59:50,583 [lib.api.process] INFO: Terminate event set for process 4904
2026-06-28 22:59:50,584 [root] DEBUG: 4904: Terminate Event: Attempting to dump process 4904
2026-06-28 22:59:50,588 [root] DEBUG: 4904: DoProcessDump: Skipping process dump as code is identical on disk.
2026-06-28 22:59:50,613 [root] INFO: Added new file to list with pid 4904 and path C:\Users\Rajesh\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
2026-06-28 22:59:50,614 [root] INFO: Added new file to list with pid 4904 and path C:\Users\Rajesh\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
2026-06-28 22:59:50,617 [root] INFO: Added new file to list with pid 4904 and path C:\Users\Rajesh\AppData\Roaming\Microsoft\Office\Recent\statistics.doc.LNK
2026-06-28 22:59:50,618 [root] INFO: Added new file to list with pid 4904 and path C:\Users\Rajesh\AppData\Roaming\Microsoft\Office\Recent\index.dat
2026-06-28 22:59:50,619 [root] INFO: Added new file to list with pid 4904 and path C:\Users\Rajesh\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{FF4C1F55-385F-4A72-A5EE-5CD83EECD250}.tmp
2026-06-28 22:59:50,620 [root] INFO: Added new file to list with pid 4904 and path C:\Program Files\Microsoft Office\root\Templates\statistics.doc
2026-06-28 22:59:50,621 [root] INFO: Added new file to list with pid 4904 and path C:\Users\Rajesh\AppData\Local\Microsoft\Office\Word16.customUI
2026-06-28 22:59:50,623 [root] INFO: Added new file to list with pid 4904 and path C:\Users\Rajesh\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{9649483F-6222-42D2-A87D-99A61463BED6}.tmp
2026-06-28 22:59:50,625 [root] DEBUG: 4904: Terminate Event: Shutdown complete for process 4904 but failed to inform analyzer.
2026-06-28 22:59:50,887 [lib.common.results] INFO: Uploading file C:\Users\Rajesh\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml to files\c88a0b907419a70c27ab7c1f8e5fb54441a4d9c3567e4c928fa7b2091194aecf; Size is 7; Max size: 100000000
2026-06-28 22:59:50,911 [root] DEBUG: 4904: api-rate-cap: ReadProcessMemory hook disabled due to rate
2026-06-28 22:59:50,917 [root] DEBUG: 4904: api-rate-cap: NtReadVirtualMemory hook disabled due to rate
2026-06-28 22:59:50,923 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A79E0000: C:\Windows\SYSTEM32\CRYPTSP (0x18000 bytes).
2026-06-28 22:59:50,926 [root] DEBUG: 4904: DLL loaded at 0x00007FF9A7170000: C:\Windows\system32\rsaenh (0x34000 bytes).
2026-06-28 22:59:51,366 [root] DEBUG: 4904: api-cap: RegOpenKeyExW hook disabled due to count: 5000
2026-06-28 22:59:55,597 [lib.api.process] INFO: Termination confirmed for process 4904
2026-06-28 22:59:55,598 [root] INFO: Terminate event set for process 4904
2026-06-28 22:59:55,600 [lib.api.process] INFO: Terminate event set for process 2892
2026-06-28 22:59:55,602 [root] DEBUG: 2892: Terminate Event: Attempting to dump process 2892
2026-06-28 22:59:55,645 [root] DEBUG: 2892: DoProcessDump: Skipping process dump as code is identical on disk.
2026-06-28 22:59:55,746 [root] DEBUG: 2892: Terminate Event: Shutdown complete for process 2892 but failed to inform analyzer.
2026-06-28 23:00:00,605 [lib.api.process] INFO: Termination confirmed for process 2892
2026-06-28 23:00:00,606 [root] INFO: Terminate event set for process 2892
2026-06-28 23:00:00,607 [root] INFO: Created shutdown mutex
2026-06-28 23:00:01,627 [root] INFO: Shutting down package
2026-06-28 23:00:01,628 [root] INFO: Stopping auxiliary modules
2026-06-28 23:00:01,628 [root] INFO: Stopping auxiliary module: Browser
2026-06-28 23:00:01,629 [root] INFO: Stopping auxiliary module: Human
2026-06-28 23:00:03,626 [root] DEBUG: 2892: api-cap: GetSystemMetrics hook disabled due to count: 5000
2026-06-28 23:00:05,899 [root] INFO: Stopping auxiliary module: Screenshots
2026-06-28 23:00:05,900 [root] INFO: Finishing auxiliary modules
2026-06-28 23:00:05,901 [root] INFO: Shutting down pipe server and dumping dropped files
2026-06-28 23:00:05,905 [lib.common.results] INFO: Uploading file C:\Users\Rajesh\AppData\Roaming\Microsoft\Templates\Normal.dotm to files\9bc8dd51624a40769c112579bbd23940c14dcc51ac025f3b2af3b17bd8744f4b; Size is 17999; Max size: 100000000
2026-06-28 23:00:05,917 [lib.common.results] INFO: Uploading file C:\Users\Rajesh\AppData\Roaming\Microsoft\Templates\~$Normal.dotm to files\dbba3a2fed5fc3ae3aa85f7665aed12227e8bf08b8f85f71bc0caa8c10838e7e; Size is 162; Max size: 100000000
2026-06-28 23:00:05,934 [lib.common.results] INFO: Uploading file C:\Users\Rajesh\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat to files\66948682ff712d76dff7fd8015e17d8dd6eb8648f840b9ac793e7ce6c2b8bf45; Size is 1022; Max size: 100000000
2026-06-28 23:00:05,951 [lib.common.results] INFO: Uploading file C:\Users\Rajesh\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex to files\b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209; Size is 2; Max size: 100000000
2026-06-28 23:00:05,956 [lib.common.results] INFO: Uploading file C:\Users\Rajesh\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC to files\70207627bd6325a13873112a3091551abf48dc5ea5f12903f11132514f633c6a; Size is 18; Max size: 100000000
2026-06-28 23:00:05,963 [lib.common.results] INFO: Uploading file C:\Users\Rajesh\AppData\Roaming\Microsoft\Office\Recent\statistics.doc.LNK to files\2dcd40429e5ff3a0ed9b814637840b0d6bdfeea0dfde92e87de1396395afb844; Size is 1281; Max size: 100000000
2026-06-28 23:00:05,966 [lib.common.results] INFO: Uploading file C:\Users\Rajesh\AppData\Roaming\Microsoft\Office\Recent\index.dat to files\2590d67f4598a1ac65b917d0afb19686a17fbf30195dc4cf4c35e3f8fd4d9f26; Size is 194; Max size: 100000000
2026-06-28 23:00:05,972 [lib.common.results] INFO: Uploading file C:\Program Files\Microsoft Office\root\Templates\statistics.doc to files\fbc181dccbcd8ee3f7ca87b5aa94d4c537475f9f6576b94132d4abcb191e02df; Size is 26112; Max size: 100000000
2026-06-28 23:00:05,978 [lib.common.results] INFO: Uploading file C:\Users\Rajesh\AppData\Local\Microsoft\Office\Word16.customUI to files\7652d386ecc37eb37531307922404843a3a8f8532209fe189f4e3df88bd8bbae; Size is 3514; Max size: 100000000
2026-06-28 23:00:05,995 [lib.common.results] INFO: Uploading file C:\Users\Rajesh\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{9649483F-6222-42D2-A87D-99A61463BED6}.tmp to files\4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1; Size is 1024; Max size: 100000000
2026-06-28 23:00:06,011 [root] WARNING: Folder at path "C:\cUJPOo\debugger" does not exist, skipping
2026-06-28 23:00:06,012 [root] WARNING: Folder at path "C:\cUJPOo\tlsdump" does not exist, skipping
2026-06-28 23:00:06,014 [root] INFO: Analysis completed
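The facts an analyst pulls out of a log like the one above by hand (which process the package launched and with what arguments, which processes the monitor was injected into, the DigiSig verdict, the side-loading notice, whether the run ended on the timeout, whether process dumps were skipped because memory matched disk, and every uploaded file with its SHA-256) can be extracted mechanically. The Python below is an added example written for this page; it is not part of CAPE or of the analyzer that produced the log. The regexes are assumptions about the line shapes seen above, and SAMPLE_LOG is a constructed excerpt in that shape, not a copy of a second run.

```python
"""Added example: summarise a CAPE-style analyzer log into triage facts.

Not part of CAPE. The line regexes are assumptions about the log format
shown above, and SAMPLE_LOG is a constructed excerpt in that shape.
"""
import re
from typing import List

SAMPLE_LOG = r"""
2026-06-28 22:59:23,124 [modules.auxiliary.digisig] DEBUG: File has an invalid signature
2026-06-28 22:59:31,511 [lib.api.process] INFO: Successfully executed process from path "C:\Program Files\Microsoft Office\Office16\WINWORD.EXE" with arguments ""C:\Program Files\Microsoft Office\root\Templates\statistics.doc" /q" with pid 4904
2026-06-28 22:59:33,277 [lib.api.process] INFO: Potential dll side-loading detected in local directory: dbghelp.dll
2026-06-28 22:59:35,363 [lib.api.process] INFO: Injected into 64-bit <Process 4904 WINWORD.EXE>
2026-06-28 22:59:35,517 [root] WARNING: b'Unable to create trampoline for LockResource, hook type 2'
2026-06-28 22:59:43,093 [root] INFO: Announced 64-bit process name: explorer.exe pid: 2892
2026-06-28 22:59:43,876 [lib.api.process] INFO: Injected into 64-bit <Process 2892 explorer.exe>
2026-06-28 22:59:50,579 [root] INFO: Analysis timeout hit, terminating analysis
2026-06-28 22:59:50,588 [root] DEBUG: 4904: DoProcessDump: Skipping process dump as code is identical on disk.
2026-06-28 23:00:05,972 [lib.common.results] INFO: Uploading file C:\Program Files\Microsoft Office\root\Templates\statistics.doc to files\fbc181dccbcd8ee3f7ca87b5aa94d4c537475f9f6576b94132d4abcb191e02df; Size is 26112; Max size: 100000000
2026-06-28 23:00:05,978 [lib.common.results] INFO: Uploading file C:\Users\Rajesh\AppData\Local\Microsoft\Office\Word16.customUI to files\7652d386ecc37eb37531307922404843a3a8f8532209fe189f4e3df88bd8bbae; Size is 3514; Max size: 100000000
2026-06-28 23:00:06,014 [root] INFO: Analysis completed
"""

# One log line: timestamp, [source], LEVEL: message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<src>[^\]]+)\] (?P<level>[A-Z]+): (?P<msg>.*)$"
)
# Greedy .* for args so the nested quotes in ""path" /q" are kept intact
EXEC_RE = re.compile(
    r'Successfully executed process from path "(?P<path>[^"]+)" '
    r'with arguments "(?P<args>.*)" with pid (?P<pid>\d+)'
)
INJECT_RE = re.compile(r"Injected into \d+-bit <Process (?P<pid>\d+) (?P<name>[^>]+)>")
ANNOUNCE_RE = re.compile(r"Announced \d+-bit process name: (?P<name>\S+) pid: (?P<pid>\d+)")
UPLOAD_RE = re.compile(
    r"Uploading file (?P<path>.+?) to files\\(?P<sha256>[0-9a-f]{64}); Size is (?P<size>\d+)"
)
SIDELOAD_RE = re.compile(r"Potential dll side-loading detected in local directory: (?P<dll>\S+)")
DUMP_SKIP_RE = re.compile(r"^(?P<pid>\d+): DoProcessDump: Skipping process dump")


def parse_log(text: str) -> dict:
    """Walk the log once and collect the triage-relevant facts."""
    summary = {
        "processes": {},          # pid -> {"name", "path", "args", "monitored"}
        "files": {},              # sha256 -> {"path", "size"}; dedupes repeated uploads
        "sideloading": [],
        "dumps_skipped": [],
        "signature_invalid": False,
        "timeout_hit": False,
        "warnings": [],
    }
    procs = summary["processes"]
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg, level = m.group("msg"), m.group("level")
        if level in ("WARNING", "ERROR"):
            summary["warnings"].append(msg)
        if (e := EXEC_RE.search(msg)):
            # The process the package itself started (path is known)
            procs[int(e.group("pid"))] = {
                "name": e.group("path").rsplit("\\", 1)[-1],
                "path": e.group("path"),
                "args": e.group("args"),
                "monitored": False,
            }
        elif (a := ANNOUNCE_RE.search(msg)):
            # Announced processes may be children or pre-existing processes
            # (explorer.exe in the log above); the log line alone does not say which
            procs.setdefault(int(a.group("pid")),
                             {"name": a.group("name"), "path": None, "args": None, "monitored": False})
        elif (i := INJECT_RE.search(msg)):
            pid = int(i.group("pid"))
            procs.setdefault(pid, {"name": i.group("name"), "path": None, "args": None, "monitored": False})
            procs[pid]["monitored"] = True
        elif (u := UPLOAD_RE.search(msg)):
            summary["files"][u.group("sha256")] = {"path": u.group("path"), "size": int(u.group("size"))}
        elif (s := SIDELOAD_RE.search(msg)):
            summary["sideloading"].append(s.group("dll"))
        elif (d := DUMP_SKIP_RE.match(msg)):
            summary["dumps_skipped"].append(int(d.group("pid")))
        elif "File has an invalid signature" in msg:
            summary["signature_invalid"] = True
        elif msg.startswith("Analysis timeout hit"):
            summary["timeout_hit"] = True
    return summary


def triage_notes(summary: dict) -> List[str]:
    """Turn the parsed facts into the short list an analyst reads first."""
    notes = []
    launched = [p["name"] for p in summary["processes"].values() if p["path"]]
    others = [p["name"] for p in summary["processes"].values() if not p["path"]]
    notes.append(f"package launched: {', '.join(launched) or 'none'}; "
                 f"other monitored processes: {', '.join(others) or 'none'}")
    if summary["sideloading"]:
        notes.append("analyzer flagged possible DLL side-loading: " + ", ".join(summary["sideloading"]))
    if summary["dumps_skipped"]:
        pids = ", ".join(str(p) for p in summary["dumps_skipped"])
        notes.append(f"process dump skipped for pid(s) {pids}: in-memory code matched the on-disk image")
    if summary["timeout_hit"]:
        notes.append("run ended on the analysis timeout, not on sample exit")
    if summary["signature_invalid"]:
        notes.append("no valid Authenticode signature on the submitted file")
    return notes


if __name__ == "__main__":
    for line in triage_notes(parse_log(SAMPLE_LOG)):
        print("-", line)
```

Uploads are keyed by SHA-256 rather than path because the same file can be uploaded more than once in one run (statistics.doc.LNK appears twice in the log above); the hash is also what you pivot on when checking the file against other runs or a threat-intel feed.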