From 67c4539ed756343bd059a9a9333625e5574b7a0e Mon Sep 17 00:00:00 2001
From: ZikyHD
Date: Tue, 6 Dec 2022 21:16:47 +0000
Subject: [PATCH] Add timestamp try for rotten evtx files
---
 zircolite.py | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/zircolite.py b/zircolite.py
index 043e4fd..8cb7586 100755
--- a/zircolite.py
+++ b/zircolite.py
@@ -597,12 +597,16 @@ def flatten(x, name=""):
 self.timeAfter != "1970-01-01T00:00:00"
 or self.timeBefore != "9999-12-12T23:59:59"
 ) and (self.timeField in JSONLine):
- timestamp = time.strptime(
- JSONLine[self.timeField].split(".")[0].replace("Z", ""),
- "%Y-%m-%dT%H:%M:%S",
- )
- if timestamp > self.timeAfter and timestamp < self.timeBefore:
+ try:
+ timestamp = time.strptime(
+ JSONLine[self.timeField].split(".")[0].replace("Z", ""),
+ "%Y-%m-%dT%H:%M:%S",
+ )
+ except:
 JSONOutput.append(JSONLine)
+ else:
+ if timestamp > self.timeAfter and timestamp < self.timeBefore:
+ JSONOutput.append(JSONLine)
 else:
 JSONOutput.append(JSONLine)
 JSONLine = {}
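Review bot: The new bare `except:` around `time.strptime(...)` catches `KeyboardInterrupt` and `SystemExit` as well as parse errors, so it should be narrowed to what a damaged time field can raise, e.g. `except (ValueError, TypeError, AttributeError):`. That branch also fails open silently. An event whose timestamp cannot be parsed is appended to `JSONOutput` without the `timeAfter`/`timeBefore` window being applied, and nothing records that this happened. Keeping such events is a defensible choice for a detection tool reading corrupted EVTX, but an analyst who asked for a time window should be able to see how many events bypassed it. I would log or count each one in the handler, and add a comment such as `# Unparseable timestamp: keep the event rather than drop possible evidence`. The enclosing function starts and ends outside this hunk, so whether a logger is already in scope here cannot be confirmed from the visible lines.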