SmartHawk

16.4

0-day

该样本未表现出任何异常！

重新分析

下载样本

57558bdab2008feb661e223e24dd1e437556bcab3c5f5a50cb5f0a640050ae0e

44efccc6dc37d85446f50934c8f83f04.exe

分析耗时

448s

最近分析

文件大小

1.2MB

静态报毒动态报毒

未检测暂无鹰眼引擎检测结果

未检测暂无反病毒引擎检测结果

Queries for the computername (24 个事件)

Time & API	Arguments	Status	Return
1619384483.750625 GetComputerNameA	computer_name: OSKAR-PC	success	1
1619384504.766265 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619384507.870396 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619384516.287243 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619384521.434433 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619384523.547186 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619384550.973753 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619384553.387815 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619384567.052878 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619384576.879753 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619384613.76294 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619384626.708878 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619384631.450692 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619384657.545065 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619384676.232317 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619384689.48194 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619384693.70094 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619384751.66163 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619384752.87194 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619384752.88038 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619384762.787003 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619384768.91163 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619384770.87194 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619384792.381003 GetComputerNameW	computer_name: OSKAR-PC	success	1

Command line console output was observed (50 out of 808 个事件)

Time & API	Arguments	Status	Return
1619384481.281625 WriteConsoleA	buffer: Admin console_handle: 0x00000007	success	1
1619384481.281625 WriteConsoleA	buffer: IntegrityLevel = 4 (2-low,3-user,4-admin,5-system,6-protected_system) console_handle: 0x00000007	success	1
1619384483.750625 WriteConsoleA	buffer: [LDRIVES]: C:\ console_handle: 0x00000007	success	1
1619384483.750625 WriteConsoleA	buffer: [GENKEY] console_handle: 0x00000007	success	1
1619384489.718625 WriteConsoleA	buffer: [DONE]: 02D100E68CE8EDB9 console_handle: 0x00000007	success	1
1619384489.734625 WriteConsoleA	buffer: [LDRIVESSCAN] console_handle: 0x00000007	success	1
1619384496.687625 WriteConsoleA	buffer: [DONE]: 5192_0GB console_handle: 0x00000007	success	1
1619384496.687625 WriteConsoleA	buffer: [LOGSAVED] console_handle: 0x00000007	success	1
1619384496.750625 WriteConsoleA	buffer: [LPROGRESS][0]: G=0 / B=0 / T=5192 console_handle: 0x00000007	success	1
1619384498.250625 WriteConsoleA	buffer: [LPROGRESS][8]: G=56 / B=0 / T=5192 console_handle: 0x00000007	success	1
1619384499.750625 WriteConsoleA	buffer: [LPROGRESS][8]: G=135 / B=0 / T=5192 console_handle: 0x00000007	success	1
1619384501.437625 WriteConsoleA	buffer: [LPROGRESS][8]: G=196 / B=0 / T=5192 console_handle: 0x00000007	success	1
1619384503.093625 WriteConsoleA	buffer: [LPROGRESS][8]: G=299 / B=1 / T=5192 console_handle: 0x00000007	success	1
1619384504.593625 WriteConsoleA	buffer: [LPROGRESS][8]: G=334 / B=1 / T=5192 console_handle: 0x00000007	success	1
1619384506.093625 WriteConsoleA	buffer: [LPROGRESS][8]: G=382 / B=1 / T=5192 console_handle: 0x00000007	success	1
1619384507.593625 WriteConsoleA	buffer: [LPROGRESS][8]: G=457 / B=2 / T=5192 console_handle: 0x00000007	success	1
1619384509.093625 WriteConsoleA	buffer: [LPROGRESS][8]: G=514 / B=2 / T=5192 console_handle: 0x00000007	success	1
1619384510.593625 WriteConsoleA	buffer: [LPROGRESS][8]: G=582 / B=2 / T=5192 console_handle: 0x00000007	success	1
1619384512.093625 WriteConsoleA	buffer: [LPROGRESS][8]: G=608 / B=2 / T=5192 console_handle: 0x00000007	success	1
1619384513.593625 WriteConsoleA	buffer: [LPROGRESS][8]: G=710 / B=2 / T=5192 console_handle: 0x00000007	success	1
1619384525.203625 WriteConsoleA	buffer: [LPROGRESS][8]: G=751 / B=3 / T=5192 console_handle: 0x00000007	success	1
1619384526.703625 WriteConsoleA	buffer: [LPROGRESS][8]: G=758 / B=4 / T=5192 console_handle: 0x00000007	success	1
1619384528.203625 WriteConsoleA	buffer: [LPROGRESS][8]: G=758 / B=4 / T=5192 console_handle: 0x00000007	success	1
1619384529.703625 WriteConsoleA	buffer: [LPROGRESS][8]: G=764 / B=4 / T=5192 console_handle: 0x00000007	success	1
1619384531.203625 WriteConsoleA	buffer: [LPROGRESS][8]: G=796 / B=5 / T=5192 console_handle: 0x00000007	success	1
1619384532.703625 WriteConsoleA	buffer: [LPROGRESS][8]: G=796 / B=5 / T=5192 console_handle: 0x00000007	success	1
1619384534.203625 WriteConsoleA	buffer: [LPROGRESS][8]: G=796 / B=5 / T=5192 console_handle: 0x00000007	success	1
1619384542.156625 WriteConsoleA	buffer: [LPROGRESS][8]: G=796 / B=6 / T=5192 console_handle: 0x00000007	success	1
1619384543.750625 WriteConsoleA	buffer: [LPROGRESS][8]: G=804 / B=6 / T=5192 console_handle: 0x00000007	success	1
1619384545.250625 WriteConsoleA	buffer: [LPROGRESS][8]: G=804 / B=6 / T=5192 console_handle: 0x00000007	success	1
1619384546.750625 WriteConsoleA	buffer: [LPROGRESS][8]: G=811 / B=6 / T=5192 console_handle: 0x00000007	success	1
1619384548.343625 WriteConsoleA	buffer: [LPROGRESS][8]: G=812 / B=7 / T=5192 console_handle: 0x00000007	success	1
1619384549.843625 WriteConsoleA	buffer: [LPROGRESS][8]: G=812 / B=7 / T=5192 console_handle: 0x00000007	success	1
1619384551.343625 WriteConsoleA	buffer: [LPROGRESS][8]: G=812 / B=7 / T=5192 console_handle: 0x00000007	success	1
1619384553.890625 WriteConsoleA	buffer: [LPROGRESS][8]: G=821 / B=8 / T=5192 console_handle: 0x00000007	success	1
1619384555.390625 WriteConsoleA	buffer: [LPROGRESS][8]: G=862 / B=8 / T=5192 console_handle: 0x00000007	success	1
1619384556.890625 WriteConsoleA	buffer: [LPROGRESS][8]: G=867 / B=8 / T=5192 console_handle: 0x00000007	success	1
1619384558.390625 WriteConsoleA	buffer: [LPROGRESS][8]: G=885 / B=8 / T=5192 console_handle: 0x00000007	success	1
1619384559.890625 WriteConsoleA	buffer: [LPROGRESS][8]: G=886 / B=9 / T=5192 console_handle: 0x00000007	success	1
1619384561.390625 WriteConsoleA	buffer: [LPROGRESS][8]: G=886 / B=9 / T=5192 console_handle: 0x00000007	success	1
1619384562.890625 WriteConsoleA	buffer: [LPROGRESS][8]: G=886 / B=9 / T=5192 console_handle: 0x00000007	success	1
1619384574.531625 WriteConsoleA	buffer: [LPROGRESS][8]: G=886 / B=10 / T=5192 console_handle: 0x00000007	success	1
1619384576.031625 WriteConsoleA	buffer: [LPROGRESS][8]: G=908 / B=10 / T=5192 console_handle: 0x00000007	success	1
1619384577.531625 WriteConsoleA	buffer: [LPROGRESS][8]: G=926 / B=10 / T=5192 console_handle: 0x00000007	success	1
1619384579.031625 WriteConsoleA	buffer: [LPROGRESS][8]: G=926 / B=10 / T=5192 console_handle: 0x00000007	success	1
1619384582.718625 WriteConsoleA	buffer: [LPROGRESS][8]: G=926 / B=11 / T=5192 console_handle: 0x00000007	success	1
1619384584.218625 WriteConsoleA	buffer: [LPROGRESS][8]: G=936 / B=11 / T=5192 console_handle: 0x00000007	success	1
1619384585.718625 WriteConsoleA	buffer: [LPROGRESS][8]: G=936 / B=11 / T=5192 console_handle: 0x00000007	success	1
1619384587.218625 WriteConsoleA	buffer: [LPROGRESS][8]: G=936 / B=11 / T=5192 console_handle: 0x00000007	success	1
1619384591.734625 WriteConsoleA	buffer: [LPROGRESS][8]: G=941 / B=12 / T=5192 console_handle: 0x00000007	success	1

Tries to locate where the browsers are installed (1 个事件)

file	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\pl.pak

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619384487.749375 GlobalMemoryStatusEx		success	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 个事件)

section	.itext
section	.didata

One or more processes crashed (50 out of 84 个事件)

Time & API	Arguments	Status
1619384496.921625 __exception__	stacktrace: TMethodImplementationIntercept+0x3ca37 44efccc6dc37d85446f50934c8f83f04+0x8d3ef @ 0x48d3ef TMethodImplementationIntercept+0x3c8f1 44efccc6dc37d85446f50934c8f83f04+0x8d2a9 @ 0x48d2a9 TMethodImplementationIntercept+0x7efb9 44efccc6dc37d85446f50934c8f83f04+0xcf971 @ 0x4cf971 TMethodImplementationIntercept+0x81e3d 44efccc6dc37d85446f50934c8f83f04+0xd27f5 @ 0x4d27f5 TMethodImplementationIntercept+0x46774 44efccc6dc37d85446f50934c8f83f04+0x9712c @ 0x49712c TMethodImplementationIntercept-0x48f4a 44efccc6dc37d85446f50934c8f83f04+0x7a6e @ 0x407a6e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 52295724 registers.edi: 34 registers.eax: 52295724 registers.ebp: 52295804 registers.edx: 0 registers.ebx: 31829320 registers.esi: 41229844 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1619384496.921625 __exception__	stacktrace: TMethodImplementationIntercept+0x3ca37 44efccc6dc37d85446f50934c8f83f04+0x8d3ef @ 0x48d3ef TMethodImplementationIntercept+0x3c8f1 44efccc6dc37d85446f50934c8f83f04+0x8d2a9 @ 0x48d2a9 TMethodImplementationIntercept+0x7efb9 44efccc6dc37d85446f50934c8f83f04+0xcf971 @ 0x4cf971 TMethodImplementationIntercept+0x81e3d 44efccc6dc37d85446f50934c8f83f04+0xd27f5 @ 0x4d27f5 TMethodImplementationIntercept+0x46774 44efccc6dc37d85446f50934c8f83f04+0x9712c @ 0x49712c TMethodImplementationIntercept-0x48f4a 44efccc6dc37d85446f50934c8f83f04+0x7a6e @ 0x407a6e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 54523948 registers.edi: 34 registers.eax: 54523948 registers.ebp: 54524028 registers.edx: 0 registers.ebx: 31829416 registers.esi: 31780940 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1619384499.515625 __exception__	stacktrace: TMethodImplementationIntercept+0x3ca37 44efccc6dc37d85446f50934c8f83f04+0x8d3ef @ 0x48d3ef TMethodImplementationIntercept+0x3c8f1 44efccc6dc37d85446f50934c8f83f04+0x8d2a9 @ 0x48d2a9 TMethodImplementationIntercept+0x7efb9 44efccc6dc37d85446f50934c8f83f04+0xcf971 @ 0x4cf971 TMethodImplementationIntercept+0x81e3d 44efccc6dc37d85446f50934c8f83f04+0xd27f5 @ 0x4d27f5 TMethodImplementationIntercept+0x46774 44efccc6dc37d85446f50934c8f83f04+0x9712c @ 0x49712c TMethodImplementationIntercept-0x48f4a 44efccc6dc37d85446f50934c8f83f04+0x7a6e @ 0x407a6e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 45873196 registers.edi: 34 registers.eax: 45873196 registers.ebp: 45873276 registers.edx: 0 registers.ebx: 31829152 registers.esi: 41406932 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1619384499.734625 __exception__	stacktrace: TMethodImplementationIntercept+0x3ca37 44efccc6dc37d85446f50934c8f83f04+0x8d3ef @ 0x48d3ef TMethodImplementationIntercept+0x3c8f1 44efccc6dc37d85446f50934c8f83f04+0x8d2a9 @ 0x48d2a9 TMethodImplementationIntercept+0x7efb9 44efccc6dc37d85446f50934c8f83f04+0xcf971 @ 0x4cf971 TMethodImplementationIntercept+0x81e3d 44efccc6dc37d85446f50934c8f83f04+0xd27f5 @ 0x4d27f5 TMethodImplementationIntercept+0x46774 44efccc6dc37d85446f50934c8f83f04+0x9712c @ 0x49712c TMethodImplementationIntercept-0x48f4a 44efccc6dc37d85446f50934c8f83f04+0x7a6e @ 0x407a6e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 50526252 registers.edi: 34 registers.eax: 50526252 registers.ebp: 50526332 registers.edx: 0 registers.ebx: 31829368 registers.esi: 30970860 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1619384499.734625 __exception__	stacktrace: TMethodImplementationIntercept+0x3ca37 44efccc6dc37d85446f50934c8f83f04+0x8d3ef @ 0x48d3ef TMethodImplementationIntercept+0x3c8f1 44efccc6dc37d85446f50934c8f83f04+0x8d2a9 @ 0x48d2a9 TMethodImplementationIntercept+0x7efb9 44efccc6dc37d85446f50934c8f83f04+0xcf971 @ 0x4cf971 TMethodImplementationIntercept+0x81e3d 44efccc6dc37d85446f50934c8f83f04+0xd27f5 @ 0x4d27f5 TMethodImplementationIntercept+0x46774 44efccc6dc37d85446f50934c8f83f04+0x9712c @ 0x49712c TMethodImplementationIntercept-0x48f4a 44efccc6dc37d85446f50934c8f83f04+0x7a6e @ 0x407a6e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 45873196 registers.edi: 34 registers.eax: 45873196 registers.ebp: 45873276 registers.edx: 0 registers.ebx: 31829152 registers.esi: 30971372 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1619384499.890625 __exception__	stacktrace: TMethodImplementationIntercept+0x3ca37 44efccc6dc37d85446f50934c8f83f04+0x8d3ef @ 0x48d3ef TMethodImplementationIntercept+0x3c8f1 44efccc6dc37d85446f50934c8f83f04+0x8d2a9 @ 0x48d2a9 TMethodImplementationIntercept+0x7efb9 44efccc6dc37d85446f50934c8f83f04+0xcf971 @ 0x4cf971 TMethodImplementationIntercept+0x81e3d 44efccc6dc37d85446f50934c8f83f04+0xd27f5 @ 0x4d27f5 TMethodImplementationIntercept+0x46774 44efccc6dc37d85446f50934c8f83f04+0x9712c @ 0x49712c TMethodImplementationIntercept-0x48f4a 44efccc6dc37d85446f50934c8f83f04+0x7a6e @ 0x407a6e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 50526252 registers.edi: 34 registers.eax: 50526252 registers.ebp: 50526332 registers.edx: 0 registers.ebx: 31829368 registers.esi: 41323244 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1619384500.015625 __exception__	stacktrace: TMethodImplementationIntercept+0x3ca37 44efccc6dc37d85446f50934c8f83f04+0x8d3ef @ 0x48d3ef TMethodImplementationIntercept+0x3c8f1 44efccc6dc37d85446f50934c8f83f04+0x8d2a9 @ 0x48d2a9 TMethodImplementationIntercept+0x7efb9 44efccc6dc37d85446f50934c8f83f04+0xcf971 @ 0x4cf971 TMethodImplementationIntercept+0x81e3d 44efccc6dc37d85446f50934c8f83f04+0xd27f5 @ 0x4d27f5 TMethodImplementationIntercept+0x46774 44efccc6dc37d85446f50934c8f83f04+0x9712c @ 0x49712c TMethodImplementationIntercept-0x48f4a 44efccc6dc37d85446f50934c8f83f04+0x7a6e @ 0x407a6e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 46921772 registers.edi: 34 registers.eax: 46921772 registers.ebp: 46921852 registers.edx: 0 registers.ebx: 31829344 registers.esi: 41230300 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1619384500.250625 __exception__	stacktrace: TMethodImplementationIntercept+0x3ca37 44efccc6dc37d85446f50934c8f83f04+0x8d3ef @ 0x48d3ef TMethodImplementationIntercept+0x3c8f1 44efccc6dc37d85446f50934c8f83f04+0x8d2a9 @ 0x48d2a9 TMethodImplementationIntercept+0x7efb9 44efccc6dc37d85446f50934c8f83f04+0xcf971 @ 0x4cf971 TMethodImplementationIntercept+0x81e3d 44efccc6dc37d85446f50934c8f83f04+0xd27f5 @ 0x4d27f5 TMethodImplementationIntercept+0x46774 44efccc6dc37d85446f50934c8f83f04+0x9712c @ 0x49712c TMethodImplementationIntercept-0x48f4a 44efccc6dc37d85446f50934c8f83f04+0x7a6e @ 0x407a6e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 45873196 registers.edi: 34 registers.eax: 45873196 registers.ebp: 45873276 registers.edx: 0 registers.ebx: 31829152 registers.esi: 31133724 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1619384500.359625 __exception__	stacktrace: TMethodImplementationIntercept+0x3ca37 44efccc6dc37d85446f50934c8f83f04+0x8d3ef @ 0x48d3ef TMethodImplementationIntercept+0x3c8f1 44efccc6dc37d85446f50934c8f83f04+0x8d2a9 @ 0x48d2a9 TMethodImplementationIntercept+0x7efb9 44efccc6dc37d85446f50934c8f83f04+0xcf971 @ 0x4cf971 TMethodImplementationIntercept+0x81e3d 44efccc6dc37d85446f50934c8f83f04+0xd27f5 @ 0x4d27f5 TMethodImplementationIntercept+0x46774 44efccc6dc37d85446f50934c8f83f04+0x9712c @ 0x49712c TMethodImplementationIntercept-0x48f4a 44efccc6dc37d85446f50934c8f83f04+0x7a6e @ 0x407a6e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 54523948 registers.edi: 34 registers.eax: 54523948 registers.ebp: 54524028 registers.edx: 0 registers.ebx: 31829416 registers.esi: 30971628 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1619384500.359625 __exception__	stacktrace: TMethodImplementationIntercept+0x3ca37 44efccc6dc37d85446f50934c8f83f04+0x8d3ef @ 0x48d3ef TMethodImplementationIntercept+0x3c8f1 44efccc6dc37d85446f50934c8f83f04+0x8d2a9 @ 0x48d2a9 TMethodImplementationIntercept+0x7efb9 44efccc6dc37d85446f50934c8f83f04+0xcf971 @ 0x4cf971 TMethodImplementationIntercept+0x81e3d 44efccc6dc37d85446f50934c8f83f04+0xd27f5 @ 0x4d27f5 TMethodImplementationIntercept+0x46774 44efccc6dc37d85446f50934c8f83f04+0x9712c @ 0x49712c TMethodImplementationIntercept-0x48f4a 44efccc6dc37d85446f50934c8f83f04+0x7a6e @ 0x407a6e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 45873196 registers.edi: 34 registers.eax: 45873196 registers.ebp: 45873276 registers.edx: 0 registers.ebx: 31829152 registers.esi: 30971884 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1619384500.375625 __exception__	stacktrace: TMethodImplementationIntercept+0x3ca37 44efccc6dc37d85446f50934c8f83f04+0x8d3ef @ 0x48d3ef TMethodImplementationIntercept+0x3c8f1 44efccc6dc37d85446f50934c8f83f04+0x8d2a9 @ 0x48d2a9 TMethodImplementationIntercept+0x7efb9 44efccc6dc37d85446f50934c8f83f04+0xcf971 @ 0x4cf971 TMethodImplementationIntercept+0x81e3d 44efccc6dc37d85446f50934c8f83f04+0xd27f5 @ 0x4d27f5 TMethodImplementationIntercept+0x46774 44efccc6dc37d85446f50934c8f83f04+0x9712c @ 0x49712c TMethodImplementationIntercept-0x48f4a 44efccc6dc37d85446f50934c8f83f04+0x7a6e @ 0x407a6e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 54523948 registers.edi: 34 registers.eax: 54523948 registers.ebp: 54524028 registers.edx: 0 registers.ebx: 31829152 registers.esi: 30972268 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1619384500.406625 __exception__	stacktrace: TMethodImplementationIntercept+0x3ca37 44efccc6dc37d85446f50934c8f83f04+0x8d3ef @ 0x48d3ef TMethodImplementationIntercept+0x3c8f1 44efccc6dc37d85446f50934c8f83f04+0x8d2a9 @ 0x48d2a9 TMethodImplementationIntercept+0x7efb9 44efccc6dc37d85446f50934c8f83f04+0xcf971 @ 0x4cf971 TMethodImplementationIntercept+0x81e3d 44efccc6dc37d85446f50934c8f83f04+0xd27f5 @ 0x4d27f5 TMethodImplementationIntercept+0x46774 44efccc6dc37d85446f50934c8f83f04+0x9712c @ 0x49712c TMethodImplementationIntercept-0x48f4a 44efccc6dc37d85446f50934c8f83f04+0x7a6e @ 0x407a6e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 54523948 registers.edi: 34 registers.eax: 54523948 registers.ebp: 54524028 registers.edx: 0 registers.ebx: 31829152 registers.esi: 30973036 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1619384500.406625 __exception__	stacktrace: TMethodImplementationIntercept+0x3ca37 44efccc6dc37d85446f50934c8f83f04+0x8d3ef @ 0x48d3ef TMethodImplementationIntercept+0x3c8f1 44efccc6dc37d85446f50934c8f83f04+0x8d2a9 @ 0x48d2a9 TMethodImplementationIntercept+0x7efb9 44efccc6dc37d85446f50934c8f83f04+0xcf971 @ 0x4cf971 TMethodImplementationIntercept+0x81e3d 44efccc6dc37d85446f50934c8f83f04+0xd27f5 @ 0x4d27f5 TMethodImplementationIntercept+0x46774 44efccc6dc37d85446f50934c8f83f04+0x9712c @ 0x49712c TMethodImplementationIntercept-0x48f4a 44efccc6dc37d85446f50934c8f83f04+0x7a6e @ 0x407a6e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 45873196 registers.edi: 34 registers.eax: 45873196 registers.ebp: 45873276 registers.edx: 0 registers.ebx: 31829416 registers.esi: 30972396 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1619384500.484625 __exception__	stacktrace: TMethodImplementationIntercept+0x3ca37 44efccc6dc37d85446f50934c8f83f04+0x8d3ef @ 0x48d3ef TMethodImplementationIntercept+0x3c8f1 44efccc6dc37d85446f50934c8f83f04+0x8d2a9 @ 0x48d2a9 TMethodImplementationIntercept+0x7efb9 44efccc6dc37d85446f50934c8f83f04+0xcf971 @ 0x4cf971 TMethodImplementationIntercept+0x81e3d 44efccc6dc37d85446f50934c8f83f04+0xd27f5 @ 0x4d27f5 TMethodImplementationIntercept+0x46774 44efccc6dc37d85446f50934c8f83f04+0x9712c @ 0x49712c TMethodImplementationIntercept-0x48f4a 44efccc6dc37d85446f50934c8f83f04+0x7a6e @ 0x407a6e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 46921772 registers.edi: 34 registers.eax: 46921772 registers.ebp: 46921852 registers.edx: 0 registers.ebx: 31829344 registers.esi: 30972012 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1619384500.484625 __exception__	stacktrace: TMethodImplementationIntercept+0x3ca37 44efccc6dc37d85446f50934c8f83f04+0x8d3ef @ 0x48d3ef TMethodImplementationIntercept+0x3c8f1 44efccc6dc37d85446f50934c8f83f04+0x8d2a9 @ 0x48d2a9 TMethodImplementationIntercept+0x7efb9 44efccc6dc37d85446f50934c8f83f04+0xcf971 @ 0x4cf971 TMethodImplementationIntercept+0x81e3d 44efccc6dc37d85446f50934c8f83f04+0xd27f5 @ 0x4d27f5 TMethodImplementationIntercept+0x46774 44efccc6dc37d85446f50934c8f83f04+0x9712c @ 0x49712c TMethodImplementationIntercept-0x48f4a 44efccc6dc37d85446f50934c8f83f04+0x7a6e @ 0x407a6e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 46921772 registers.edi: 34 registers.eax: 46921772 registers.ebp: 46921852 registers.edx: 0 registers.ebx: 31829344 registers.esi: 30972524 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1619384500.625625 __exception__	stacktrace: TMethodImplementationIntercept+0x3ca37 44efccc6dc37d85446f50934c8f83f04+0x8d3ef @ 0x48d3ef TMethodImplementationIntercept+0x3c8f1 44efccc6dc37d85446f50934c8f83f04+0x8d2a9 @ 0x48d2a9 TMethodImplementationIntercept+0x7efb9 44efccc6dc37d85446f50934c8f83f04+0xcf971 @ 0x4cf971 TMethodImplementationIntercept+0x81e3d 44efccc6dc37d85446f50934c8f83f04+0xd27f5 @ 0x4d27f5 TMethodImplementationIntercept+0x46774 44efccc6dc37d85446f50934c8f83f04+0x9712c @ 0x49712c TMethodImplementationIntercept-0x48f4a 44efccc6dc37d85446f50934c8f83f04+0x7a6e @ 0x407a6e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 54523948 registers.edi: 34 registers.eax: 54523948 registers.ebp: 54524028 registers.edx: 0 registers.ebx: 31829152 registers.esi: 41232428 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1619384500.625625 __exception__	stacktrace: TMethodImplementationIntercept+0x3ca37 44efccc6dc37d85446f50934c8f83f04+0x8d3ef @ 0x48d3ef TMethodImplementationIntercept+0x3c8f1 44efccc6dc37d85446f50934c8f83f04+0x8d2a9 @ 0x48d2a9 TMethodImplementationIntercept+0x7efb9 44efccc6dc37d85446f50934c8f83f04+0xcf971 @ 0x4cf971 TMethodImplementationIntercept+0x81e3d 44efccc6dc37d85446f50934c8f83f04+0xd27f5 @ 0x4d27f5 TMethodImplementationIntercept+0x46774 44efccc6dc37d85446f50934c8f83f04+0x9712c @ 0x49712c TMethodImplementationIntercept-0x48f4a 44efccc6dc37d85446f50934c8f83f04+0x7a6e @ 0x407a6e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 46921772 registers.edi: 34 registers.eax: 46921772 registers.ebp: 46921852 registers.edx: 0 registers.ebx: 31829344 registers.esi: 30877188 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1619384500.625625 __exception__	stacktrace: TMethodImplementationIntercept+0x3ca37 44efccc6dc37d85446f50934c8f83f04+0x8d3ef @ 0x48d3ef TMethodImplementationIntercept+0x3c8f1 44efccc6dc37d85446f50934c8f83f04+0x8d2a9 @ 0x48d2a9 TMethodImplementationIntercept+0x7efb9 44efccc6dc37d85446f50934c8f83f04+0xcf971 @ 0x4cf971 TMethodImplementationIntercept+0x81e3d 44efccc6dc37d85446f50934c8f83f04+0xd27f5 @ 0x4d27f5 TMethodImplementationIntercept+0x46774 44efccc6dc37d85446f50934c8f83f04+0x9712c @ 0x49712c TMethodImplementationIntercept-0x48f4a 44efccc6dc37d85446f50934c8f83f04+0x7a6e @ 0x407a6e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 45873196 registers.edi: 34 registers.eax: 45873196 registers.ebp: 45873276 registers.edx: 0 registers.ebx: 31829416 registers.esi: 30876980 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1619384500.906625 __exception__	stacktrace: TMethodImplementationIntercept+0x3ca37 44efccc6dc37d85446f50934c8f83f04+0x8d3ef @ 0x48d3ef TMethodImplementationIntercept+0x3c8f1 44efccc6dc37d85446f50934c8f83f04+0x8d2a9 @ 0x48d2a9 TMethodImplementationIntercept+0x7efb9 44efccc6dc37d85446f50934c8f83f04+0xcf971 @ 0x4cf971 TMethodImplementationIntercept+0x81e3d 44efccc6dc37d85446f50934c8f83f04+0xd27f5 @ 0x4d27f5 TMethodImplementationIntercept+0x46774 44efccc6dc37d85446f50934c8f83f04+0x9712c @ 0x49712c TMethodImplementationIntercept-0x48f4a 44efccc6dc37d85446f50934c8f83f04+0x7a6e @ 0x407a6e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 56293420 registers.edi: 34 registers.eax: 56293420 registers.ebp: 56293500 registers.edx: 0 registers.ebx: 31829488 registers.esi: 31781892 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1619384500.968625 __exception__	stacktrace: TMethodImplementationIntercept+0x3ca37 44efccc6dc37d85446f50934c8f83f04+0x8d3ef @ 0x48d3ef TMethodImplementationIntercept+0x3c8f1 44efccc6dc37d85446f50934c8f83f04+0x8d2a9 @ 0x48d2a9 TMethodImplementationIntercept+0x7efb9 44efccc6dc37d85446f50934c8f83f04+0xcf971 @ 0x4cf971 TMethodImplementationIntercept+0x81e3d 44efccc6dc37d85446f50934c8f83f04+0xd27f5 @ 0x4d27f5 TMethodImplementationIntercept+0x46774 44efccc6dc37d85446f50934c8f83f04+0x9712c @ 0x49712c TMethodImplementationIntercept-0x48f4a 44efccc6dc37d85446f50934c8f83f04+0x7a6e @ 0x407a6e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 48756780 registers.edi: 34 registers.eax: 48756780 registers.ebp: 48756860 registers.edx: 0 registers.ebx: 31829392 registers.esi: 41407412 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1619384500.968625 __exception__	stacktrace: TMethodImplementationIntercept+0x3ca37 44efccc6dc37d85446f50934c8f83f04+0x8d3ef @ 0x48d3ef TMethodImplementationIntercept+0x3c8f1 44efccc6dc37d85446f50934c8f83f04+0x8d2a9 @ 0x48d2a9 TMethodImplementationIntercept+0x7efb9 44efccc6dc37d85446f50934c8f83f04+0xcf971 @ 0x4cf971 TMethodImplementationIntercept+0x81e3d 44efccc6dc37d85446f50934c8f83f04+0xd27f5 @ 0x4d27f5 TMethodImplementationIntercept+0x46774 44efccc6dc37d85446f50934c8f83f04+0x9712c @ 0x49712c TMethodImplementationIntercept-0x48f4a 44efccc6dc37d85446f50934c8f83f04+0x7a6e @ 0x407a6e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 48756780 registers.edi: 34 registers.eax: 48756780 registers.ebp: 48756860 registers.edx: 0 registers.ebx: 31829392 registers.esi: 30972652 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1619384500.968625 __exception__	stacktrace: TMethodImplementationIntercept+0x3ca37 44efccc6dc37d85446f50934c8f83f04+0x8d3ef @ 0x48d3ef TMethodImplementationIntercept+0x3c8f1 44efccc6dc37d85446f50934c8f83f04+0x8d2a9 @ 0x48d2a9 TMethodImplementationIntercept+0x7efb9 44efccc6dc37d85446f50934c8f83f04+0xcf971 @ 0x4cf971 TMethodImplementationIntercept+0x81e3d 44efccc6dc37d85446f50934c8f83f04+0xd27f5 @ 0x4d27f5 TMethodImplementationIntercept+0x46774 44efccc6dc37d85446f50934c8f83f04+0x9712c @ 0x49712c TMethodImplementationIntercept-0x48f4a 44efccc6dc37d85446f50934c8f83f04+0x7a6e @ 0x407a6e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 48756780 registers.edi: 34 registers.eax: 48756780 registers.ebp: 48756860 registers.edx: 0 registers.ebx: 31829392 registers.esi: 41407532 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1619384500.984625 __exception__	stacktrace: TMethodImplementationIntercept+0x3ca37 44efccc6dc37d85446f50934c8f83f04+0x8d3ef @ 0x48d3ef TMethodImplementationIntercept+0x3c8f1 44efccc6dc37d85446f50934c8f83f04+0x8d2a9 @ 0x48d2a9 TMethodImplementationIntercept+0x7efb9 44efccc6dc37d85446f50934c8f83f04+0xcf971 @ 0x4cf971 TMethodImplementationIntercept+0x81e3d 44efccc6dc37d85446f50934c8f83f04+0xd27f5 @ 0x4d27f5 TMethodImplementationIntercept+0x46774 44efccc6dc37d85446f50934c8f83f04+0x9712c @ 0x49712c TMethodImplementationIntercept-0x48f4a 44efccc6dc37d85446f50934c8f83f04+0x7a6e @ 0x407a6e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 48756780 registers.edi: 34 registers.eax: 48756780 registers.ebp: 48756860 registers.edx: 0 registers.ebx: 31829392 registers.esi: 30973292 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1619384501.218625 __exception__	stacktrace: TMethodImplementationIntercept+0x3ca37 44efccc6dc37d85446f50934c8f83f04+0x8d3ef @ 0x48d3ef TMethodImplementationIntercept+0x3c8f1 44efccc6dc37d85446f50934c8f83f04+0x8d2a9 @ 0x48d2a9 TMethodImplementationIntercept+0x7efb9 44efccc6dc37d85446f50934c8f83f04+0xcf971 @ 0x4cf971 TMethodImplementationIntercept+0x81e3d 44efccc6dc37d85446f50934c8f83f04+0xd27f5 @ 0x4d27f5 TMethodImplementationIntercept+0x46774 44efccc6dc37d85446f50934c8f83f04+0x9712c @ 0x49712c TMethodImplementationIntercept-0x48f4a 44efccc6dc37d85446f50934c8f83f04+0x7a6e @ 0x407a6e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 54523948 registers.edi: 34 registers.eax: 54523948 registers.ebp: 54524028 registers.edx: 0 registers.ebx: 31829152 registers.esi: 30994700 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1619384501.234625 __exception__	stacktrace: TMethodImplementationIntercept+0x3ca37 44efccc6dc37d85446f50934c8f83f04+0x8d3ef @ 0x48d3ef TMethodImplementationIntercept+0x3c8f1 44efccc6dc37d85446f50934c8f83f04+0x8d2a9 @ 0x48d2a9 TMethodImplementationIntercept+0x7efb9 44efccc6dc37d85446f50934c8f83f04+0xcf971 @ 0x4cf971 TMethodImplementationIntercept+0x81e3d 44efccc6dc37d85446f50934c8f83f04+0xd27f5 @ 0x4d27f5 TMethodImplementationIntercept+0x46774 44efccc6dc37d85446f50934c8f83f04+0x9712c @ 0x49712c TMethodImplementationIntercept-0x48f4a 44efccc6dc37d85446f50934c8f83f04+0x7a6e @ 0x407a6e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 48756780 registers.edi: 34 registers.eax: 48756780 registers.ebp: 48756860 registers.edx: 0 registers.ebx: 31829392 registers.esi: 41367196 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1619384501.234625 __exception__	stacktrace: TMethodImplementationIntercept+0x3ca37 44efccc6dc37d85446f50934c8f83f04+0x8d3ef @ 0x48d3ef TMethodImplementationIntercept+0x3c8f1 44efccc6dc37d85446f50934c8f83f04+0x8d2a9 @ 0x48d2a9 TMethodImplementationIntercept+0x7efb9 44efccc6dc37d85446f50934c8f83f04+0xcf971 @ 0x4cf971 TMethodImplementationIntercept+0x81e3d 44efccc6dc37d85446f50934c8f83f04+0xd27f5 @ 0x4d27f5 TMethodImplementationIntercept+0x46774 44efccc6dc37d85446f50934c8f83f04+0x9712c @ 0x49712c TMethodImplementationIntercept-0x48f4a 44efccc6dc37d85446f50934c8f83f04+0x7a6e @ 0x407a6e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 48756780 registers.edi: 34 registers.eax: 48756780 registers.ebp: 48756860 registers.edx: 0 registers.ebx: 31829392 registers.esi: 31957132 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1619384501.234625 __exception__	stacktrace: TMethodImplementationIntercept+0x3ca37 44efccc6dc37d85446f50934c8f83f04+0x8d3ef @ 0x48d3ef TMethodImplementationIntercept+0x3c8f1 44efccc6dc37d85446f50934c8f83f04+0x8d2a9 @ 0x48d2a9 TMethodImplementationIntercept+0x7efb9 44efccc6dc37d85446f50934c8f83f04+0xcf971 @ 0x4cf971 TMethodImplementationIntercept+0x81e3d 44efccc6dc37d85446f50934c8f83f04+0xd27f5 @ 0x4d27f5 TMethodImplementationIntercept+0x46774 44efccc6dc37d85446f50934c8f83f04+0x9712c @ 0x49712c TMethodImplementationIntercept-0x48f4a 44efccc6dc37d85446f50934c8f83f04+0x7a6e @ 0x407a6e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 45873196 registers.edi: 34 registers.eax: 45873196 registers.ebp: 45873276 registers.edx: 0 registers.ebx: 31829416 registers.esi: 30877292 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1619384501.234625 __exception__	stacktrace: TMethodImplementationIntercept+0x3ca37 44efccc6dc37d85446f50934c8f83f04+0x8d3ef @ 0x48d3ef TMethodImplementationIntercept+0x3c8f1 44efccc6dc37d85446f50934c8f83f04+0x8d2a9 @ 0x48d2a9 TMethodImplementationIntercept+0x7efb9 44efccc6dc37d85446f50934c8f83f04+0xcf971 @ 0x4cf971 TMethodImplementationIntercept+0x81e3d 44efccc6dc37d85446f50934c8f83f04+0xd27f5 @ 0x4d27f5 TMethodImplementationIntercept+0x46774 44efccc6dc37d85446f50934c8f83f04+0x9712c @ 0x49712c TMethodImplementationIntercept-0x48f4a 44efccc6dc37d85446f50934c8f83f04+0x7a6e @ 0x407a6e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 45873196 registers.edi: 34 registers.eax: 45873196 registers.ebp: 45873276 registers.edx: 0 registers.ebx: 31829416 registers.esi: 41324204 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1619384501.250625 __exception__	stacktrace: TMethodImplementationIntercept+0x3ca37 44efccc6dc37d85446f50934c8f83f04+0x8d3ef @ 0x48d3ef TMethodImplementationIntercept+0x3c8f1 44efccc6dc37d85446f50934c8f83f04+0x8d2a9 @ 0x48d2a9 TMethodImplementationIntercept+0x7efb9 44efccc6dc37d85446f50934c8f83f04+0xcf971 @ 0x4cf971 TMethodImplementationIntercept+0x81e3d 44efccc6dc37d85446f50934c8f83f04+0xd27f5 @ 0x4d27f5 TMethodImplementationIntercept+0x46774 44efccc6dc37d85446f50934c8f83f04+0x9712c @ 0x49712c TMethodImplementationIntercept-0x48f4a 44efccc6dc37d85446f50934c8f83f04+0x7a6e @ 0x407a6e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 45873196 registers.edi: 34 registers.eax: 45873196 registers.ebp: 45873276 registers.edx: 0 registers.ebx: 31829416 registers.esi: 32139468 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1619384501.250625 __exception__	stacktrace: TMethodImplementationIntercept+0x3ca37 44efccc6dc37d85446f50934c8f83f04+0x8d3ef @ 0x48d3ef TMethodImplementationIntercept+0x3c8f1 44efccc6dc37d85446f50934c8f83f04+0x8d2a9 @ 0x48d2a9 TMethodImplementationIntercept+0x7efb9 44efccc6dc37d85446f50934c8f83f04+0xcf971 @ 0x4cf971 TMethodImplementationIntercept+0x81e3d 44efccc6dc37d85446f50934c8f83f04+0xd27f5 @ 0x4d27f5 TMethodImplementationIntercept+0x46774 44efccc6dc37d85446f50934c8f83f04+0x9712c @ 0x49712c TMethodImplementationIntercept-0x48f4a 44efccc6dc37d85446f50934c8f83f04+0x7a6e @ 0x407a6e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 45873196 registers.edi: 34 registers.eax: 45873196 registers.ebp: 45873276 registers.edx: 0 registers.ebx: 31829416 registers.esi: 31956916 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1619384501.265625 __exception__	stacktrace: TMethodImplementationIntercept+0x3ca37 44efccc6dc37d85446f50934c8f83f04+0x8d3ef @ 0x48d3ef TMethodImplementationIntercept+0x3c8f1 44efccc6dc37d85446f50934c8f83f04+0x8d2a9 @ 0x48d2a9 TMethodImplementationIntercept+0x7efb9 44efccc6dc37d85446f50934c8f83f04+0xcf971 @ 0x4cf971 TMethodImplementationIntercept+0x81e3d 44efccc6dc37d85446f50934c8f83f04+0xd27f5 @ 0x4d27f5 TMethodImplementationIntercept+0x46774 44efccc6dc37d85446f50934c8f83f04+0x9712c @ 0x49712c TMethodImplementationIntercept-0x48f4a 44efccc6dc37d85446f50934c8f83f04+0x7a6e @ 0x407a6e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 56293420 registers.edi: 34 registers.eax: 56293420 registers.ebp: 56293500 registers.edx: 0 registers.ebx: 31829488 registers.esi: 31782436 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1619384501.281625 __exception__	stacktrace: TMethodImplementationIntercept+0x3ca37 44efccc6dc37d85446f50934c8f83f04+0x8d3ef @ 0x48d3ef TMethodImplementationIntercept+0x3c8f1 44efccc6dc37d85446f50934c8f83f04+0x8d2a9 @ 0x48d2a9 TMethodImplementationIntercept+0x7efb9 44efccc6dc37d85446f50934c8f83f04+0xcf971 @ 0x4cf971 TMethodImplementationIntercept+0x81e3d 44efccc6dc37d85446f50934c8f83f04+0xd27f5 @ 0x4d27f5 TMethodImplementationIntercept+0x46774 44efccc6dc37d85446f50934c8f83f04+0x9712c @ 0x49712c TMethodImplementationIntercept-0x48f4a 44efccc6dc37d85446f50934c8f83f04+0x7a6e @ 0x407a6e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 50526252 registers.edi: 34 registers.eax: 50526252 registers.ebp: 50526332 registers.edx: 0 registers.ebx: 31829368 registers.esi: 41366748 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1619384501.281625 __exception__	stacktrace: TMethodImplementationIntercept+0x3ca37 44efccc6dc37d85446f50934c8f83f04+0x8d3ef @ 0x48d3ef TMethodImplementationIntercept+0x3c8f1 44efccc6dc37d85446f50934c8f83f04+0x8d2a9 @ 0x48d2a9 TMethodImplementationIntercept+0x7efb9 44efccc6dc37d85446f50934c8f83f04+0xcf971 @ 0x4cf971 TMethodImplementationIntercept+0x81e3d 44efccc6dc37d85446f50934c8f83f04+0xd27f5 @ 0x4d27f5 TMethodImplementationIntercept+0x46774 44efccc6dc37d85446f50934c8f83f04+0x9712c @ 0x49712c TMethodImplementationIntercept-0x48f4a 44efccc6dc37d85446f50934c8f83f04+0x7a6e @ 0x407a6e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 50526252 registers.edi: 34 registers.eax: 50526252 registers.ebp: 50526332 registers.edx: 0 registers.ebx: 31829368 registers.esi: 30994124 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1619384501.281625 __exception__	stacktrace: TMethodImplementationIntercept+0x3ca37 44efccc6dc37d85446f50934c8f83f04+0x8d3ef @ 0x48d3ef TMethodImplementationIntercept+0x3c8f1 44efccc6dc37d85446f50934c8f83f04+0x8d2a9 @ 0x48d2a9 TMethodImplementationIntercept+0x7efb9 44efccc6dc37d85446f50934c8f83f04+0xcf971 @ 0x4cf971 TMethodImplementationIntercept+0x81e3d 44efccc6dc37d85446f50934c8f83f04+0xd27f5 @ 0x4d27f5 TMethodImplementationIntercept+0x46774 44efccc6dc37d85446f50934c8f83f04+0x9712c @ 0x49712c TMethodImplementationIntercept-0x48f4a 44efccc6dc37d85446f50934c8f83f04+0x7a6e @ 0x407a6e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 50526252 registers.edi: 34 registers.eax: 50526252 registers.ebp: 50526332 registers.edx: 0 registers.ebx: 31829368 registers.esi: 30972780 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1619384501.281625 __exception__	stacktrace: TMethodImplementationIntercept+0x3ca37 44efccc6dc37d85446f50934c8f83f04+0x8d3ef @ 0x48d3ef TMethodImplementationIntercept+0x3c8f1 44efccc6dc37d85446f50934c8f83f04+0x8d2a9 @ 0x48d2a9 TMethodImplementationIntercept+0x7efb9 44efccc6dc37d85446f50934c8f83f04+0xcf971 @ 0x4cf971 TMethodImplementationIntercept+0x81e3d 44efccc6dc37d85446f50934c8f83f04+0xd27f5 @ 0x4d27f5 TMethodImplementationIntercept+0x46774 44efccc6dc37d85446f50934c8f83f04+0x9712c @ 0x49712c TMethodImplementationIntercept-0x48f4a 44efccc6dc37d85446f50934c8f83f04+0x7a6e @ 0x407a6e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 50526252 registers.edi: 34 registers.eax: 50526252 registers.ebp: 50526332 registers.edx: 0 registers.ebx: 31829368 registers.esi: 41407652 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1619384501.812625 __exception__	stacktrace: TMethodImplementationIntercept+0x3ca37 44efccc6dc37d85446f50934c8f83f04+0x8d3ef @ 0x48d3ef TMethodImplementationIntercept+0x3c8f1 44efccc6dc37d85446f50934c8f83f04+0x8d2a9 @ 0x48d2a9 TMethodImplementationIntercept+0x7efb9 44efccc6dc37d85446f50934c8f83f04+0xcf971 @ 0x4cf971 TMethodImplementationIntercept+0x81e3d 44efccc6dc37d85446f50934c8f83f04+0xd27f5 @ 0x4d27f5 TMethodImplementationIntercept+0x46774 44efccc6dc37d85446f50934c8f83f04+0x9712c @ 0x49712c TMethodImplementationIntercept-0x48f4a 44efccc6dc37d85446f50934c8f83f04+0x7a6e @ 0x407a6e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 46921772 registers.edi: 34 registers.eax: 46921772 registers.ebp: 46921852 registers.edx: 0 registers.ebx: 31829344 registers.esi: 41366972 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1619384501.937625 __exception__	stacktrace: TMethodImplementationIntercept+0x3ca37 44efccc6dc37d85446f50934c8f83f04+0x8d3ef @ 0x48d3ef TMethodImplementationIntercept+0x3c8f1 44efccc6dc37d85446f50934c8f83f04+0x8d2a9 @ 0x48d2a9 TMethodImplementationIntercept+0x7efb9 44efccc6dc37d85446f50934c8f83f04+0xcf971 @ 0x4cf971 TMethodImplementationIntercept+0x81e3d 44efccc6dc37d85446f50934c8f83f04+0xd27f5 @ 0x4d27f5 TMethodImplementationIntercept+0x46774 44efccc6dc37d85446f50934c8f83f04+0x9712c @ 0x49712c TMethodImplementationIntercept-0x48f4a 44efccc6dc37d85446f50934c8f83f04+0x7a6e @ 0x407a6e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 50526252 registers.edi: 34 registers.eax: 50526252 registers.ebp: 50526332 registers.edx: 0 registers.ebx: 31829368 registers.esi: 31783116 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1619384501.937625 __exception__	stacktrace: TMethodImplementationIntercept+0x3ca37 44efccc6dc37d85446f50934c8f83f04+0x8d3ef @ 0x48d3ef TMethodImplementationIntercept+0x3c8f1 44efccc6dc37d85446f50934c8f83f04+0x8d2a9 @ 0x48d2a9 TMethodImplementationIntercept+0x7efb9 44efccc6dc37d85446f50934c8f83f04+0xcf971 @ 0x4cf971 TMethodImplementationIntercept+0x81e3d 44efccc6dc37d85446f50934c8f83f04+0xd27f5 @ 0x4d27f5 TMethodImplementationIntercept+0x46774 44efccc6dc37d85446f50934c8f83f04+0x9712c @ 0x49712c TMethodImplementationIntercept-0x48f4a 44efccc6dc37d85446f50934c8f83f04+0x7a6e @ 0x407a6e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 50526252 registers.edi: 34 registers.eax: 50526252 registers.ebp: 50526332 registers.edx: 0 registers.ebx: 31829368 registers.esi: 32139068 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1619384501.937625 __exception__	stacktrace: TMethodImplementationIntercept+0x3ca37 44efccc6dc37d85446f50934c8f83f04+0x8d3ef @ 0x48d3ef TMethodImplementationIntercept+0x3c8f1 44efccc6dc37d85446f50934c8f83f04+0x8d2a9 @ 0x48d2a9 TMethodImplementationIntercept+0x7efb9 44efccc6dc37d85446f50934c8f83f04+0xcf971 @ 0x4cf971 TMethodImplementationIntercept+0x81e3d 44efccc6dc37d85446f50934c8f83f04+0xd27f5 @ 0x4d27f5 TMethodImplementationIntercept+0x46774 44efccc6dc37d85446f50934c8f83f04+0x9712c @ 0x49712c TMethodImplementationIntercept-0x48f4a 44efccc6dc37d85446f50934c8f83f04+0x7a6e @ 0x407a6e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 50526252 registers.edi: 34 registers.eax: 50526252 registers.ebp: 50526332 registers.edx: 0 registers.ebx: 31829368 registers.esi: 32138988 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1619384502.031625 __exception__	stacktrace: TMethodImplementationIntercept+0x3ca37 44efccc6dc37d85446f50934c8f83f04+0x8d3ef @ 0x48d3ef TMethodImplementationIntercept+0x3c8f1 44efccc6dc37d85446f50934c8f83f04+0x8d2a9 @ 0x48d2a9 TMethodImplementationIntercept+0x7f0b5 44efccc6dc37d85446f50934c8f83f04+0xcfa6d @ 0x4cfa6d TMethodImplementationIntercept+0x8274b 44efccc6dc37d85446f50934c8f83f04+0xd3103 @ 0x4d3103 TMethodImplementationIntercept+0x46774 44efccc6dc37d85446f50934c8f83f04+0x9712c @ 0x49712c TMethodImplementationIntercept-0x48f4a 44efccc6dc37d85446f50934c8f83f04+0x7a6e @ 0x407a6e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 59373540 registers.edi: 34 registers.eax: 59373540 registers.ebp: 59373620 registers.edx: 0 registers.ebx: 31829008 registers.esi: 41229540 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1619384502.031625 __exception__	stacktrace: TMethodImplementationIntercept+0x3ca37 44efccc6dc37d85446f50934c8f83f04+0x8d3ef @ 0x48d3ef TMethodImplementationIntercept+0x3c8f1 44efccc6dc37d85446f50934c8f83f04+0x8d2a9 @ 0x48d2a9 TMethodImplementationIntercept+0x7efb9 44efccc6dc37d85446f50934c8f83f04+0xcf971 @ 0x4cf971 TMethodImplementationIntercept+0x81e3d 44efccc6dc37d85446f50934c8f83f04+0xd27f5 @ 0x4d27f5 TMethodImplementationIntercept+0x46774 44efccc6dc37d85446f50934c8f83f04+0x9712c @ 0x49712c TMethodImplementationIntercept-0x48f4a 44efccc6dc37d85446f50934c8f83f04+0x7a6e @ 0x407a6e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 52295724 registers.edi: 34 registers.eax: 52295724 registers.ebp: 52295804 registers.edx: 0 registers.ebx: 31829320 registers.esi: 41366860 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1619384502.171625 __exception__	stacktrace: TMethodImplementationIntercept+0x3ca37 44efccc6dc37d85446f50934c8f83f04+0x8d3ef @ 0x48d3ef TMethodImplementationIntercept+0x3c8f1 44efccc6dc37d85446f50934c8f83f04+0x8d2a9 @ 0x48d2a9 TMethodImplementationIntercept+0x7efb9 44efccc6dc37d85446f50934c8f83f04+0xcf971 @ 0x4cf971 TMethodImplementationIntercept+0x81e3d 44efccc6dc37d85446f50934c8f83f04+0xd27f5 @ 0x4d27f5 TMethodImplementationIntercept+0x46774 44efccc6dc37d85446f50934c8f83f04+0x9712c @ 0x49712c TMethodImplementationIntercept-0x48f4a 44efccc6dc37d85446f50934c8f83f04+0x7a6e @ 0x407a6e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 52295724 registers.edi: 34 registers.eax: 52295724 registers.ebp: 52295804 registers.edx: 0 registers.ebx: 31829320 registers.esi: 30972140 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1619384502.171625 __exception__	stacktrace: TMethodImplementationIntercept+0x3ca37 44efccc6dc37d85446f50934c8f83f04+0x8d3ef @ 0x48d3ef TMethodImplementationIntercept+0x3c8f1 44efccc6dc37d85446f50934c8f83f04+0x8d2a9 @ 0x48d2a9 TMethodImplementationIntercept+0x7efb9 44efccc6dc37d85446f50934c8f83f04+0xcf971 @ 0x4cf971 TMethodImplementationIntercept+0x81e3d 44efccc6dc37d85446f50934c8f83f04+0xd27f5 @ 0x4d27f5 TMethodImplementationIntercept+0x46774 44efccc6dc37d85446f50934c8f83f04+0x9712c @ 0x49712c TMethodImplementationIntercept-0x48f4a 44efccc6dc37d85446f50934c8f83f04+0x7a6e @ 0x407a6e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 52295724 registers.edi: 34 registers.eax: 52295724 registers.ebp: 52295804 registers.edx: 0 registers.ebx: 31829320 registers.esi: 30972908 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1619384502.562625 __exception__	stacktrace: TMethodImplementationIntercept+0x3ca37 44efccc6dc37d85446f50934c8f83f04+0x8d3ef @ 0x48d3ef TMethodImplementationIntercept+0x3c8f1 44efccc6dc37d85446f50934c8f83f04+0x8d2a9 @ 0x48d2a9 TMethodImplementationIntercept+0x7efb9 44efccc6dc37d85446f50934c8f83f04+0xcf971 @ 0x4cf971 TMethodImplementationIntercept+0x81e3d 44efccc6dc37d85446f50934c8f83f04+0xd27f5 @ 0x4d27f5 TMethodImplementationIntercept+0x46774 44efccc6dc37d85446f50934c8f83f04+0x9712c @ 0x49712c TMethodImplementationIntercept-0x48f4a 44efccc6dc37d85446f50934c8f83f04+0x7a6e @ 0x407a6e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 52295724 registers.edi: 34 registers.eax: 52295724 registers.ebp: 52295804 registers.edx: 0 registers.ebx: 31829320 registers.esi: 31782980 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1619384502.562625 __exception__	stacktrace: TMethodImplementationIntercept+0x3ca37 44efccc6dc37d85446f50934c8f83f04+0x8d3ef @ 0x48d3ef TMethodImplementationIntercept+0x3c8f1 44efccc6dc37d85446f50934c8f83f04+0x8d2a9 @ 0x48d2a9 TMethodImplementationIntercept+0x7efb9 44efccc6dc37d85446f50934c8f83f04+0xcf971 @ 0x4cf971 TMethodImplementationIntercept+0x81e3d 44efccc6dc37d85446f50934c8f83f04+0xd27f5 @ 0x4d27f5 TMethodImplementationIntercept+0x46774 44efccc6dc37d85446f50934c8f83f04+0x9712c @ 0x49712c TMethodImplementationIntercept-0x48f4a 44efccc6dc37d85446f50934c8f83f04+0x7a6e @ 0x407a6e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 56293420 registers.edi: 34 registers.eax: 56293420 registers.ebp: 56293500 registers.edx: 0 registers.ebx: 31829488 registers.esi: 31782572 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1619384502.562625 __exception__	stacktrace: TMethodImplementationIntercept+0x3ca37 44efccc6dc37d85446f50934c8f83f04+0x8d3ef @ 0x48d3ef TMethodImplementationIntercept+0x3c8f1 44efccc6dc37d85446f50934c8f83f04+0x8d2a9 @ 0x48d2a9 TMethodImplementationIntercept+0x7efb9 44efccc6dc37d85446f50934c8f83f04+0xcf971 @ 0x4cf971 TMethodImplementationIntercept+0x81e3d 44efccc6dc37d85446f50934c8f83f04+0xd27f5 @ 0x4d27f5 TMethodImplementationIntercept+0x46774 44efccc6dc37d85446f50934c8f83f04+0x9712c @ 0x49712c TMethodImplementationIntercept-0x48f4a 44efccc6dc37d85446f50934c8f83f04+0x7a6e @ 0x407a6e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 56293420 registers.edi: 34 registers.eax: 56293420 registers.ebp: 56293500 registers.edx: 0 registers.ebx: 31829488 registers.esi: 31782708 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1619384502.562625 __exception__	stacktrace: TMethodImplementationIntercept+0x3ca37 44efccc6dc37d85446f50934c8f83f04+0x8d3ef @ 0x48d3ef TMethodImplementationIntercept+0x3c8f1 44efccc6dc37d85446f50934c8f83f04+0x8d2a9 @ 0x48d2a9 TMethodImplementationIntercept+0x7efb9 44efccc6dc37d85446f50934c8f83f04+0xcf971 @ 0x4cf971 TMethodImplementationIntercept+0x81e3d 44efccc6dc37d85446f50934c8f83f04+0xd27f5 @ 0x4d27f5 TMethodImplementationIntercept+0x46774 44efccc6dc37d85446f50934c8f83f04+0x9712c @ 0x49712c TMethodImplementationIntercept-0x48f4a 44efccc6dc37d85446f50934c8f83f04+0x7a6e @ 0x407a6e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 56293420 registers.edi: 34 registers.eax: 56293420 registers.ebp: 56293500 registers.edx: 0 registers.ebx: 31829488 registers.esi: 30973164 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1619384502.562625 __exception__	stacktrace: TMethodImplementationIntercept+0x3ca37 44efccc6dc37d85446f50934c8f83f04+0x8d3ef @ 0x48d3ef TMethodImplementationIntercept+0x3c8f1 44efccc6dc37d85446f50934c8f83f04+0x8d2a9 @ 0x48d2a9 TMethodImplementationIntercept+0x7efb9 44efccc6dc37d85446f50934c8f83f04+0xcf971 @ 0x4cf971 TMethodImplementationIntercept+0x81e3d 44efccc6dc37d85446f50934c8f83f04+0xd27f5 @ 0x4d27f5 TMethodImplementationIntercept+0x46774 44efccc6dc37d85446f50934c8f83f04+0x9712c @ 0x49712c TMethodImplementationIntercept-0x48f4a 44efccc6dc37d85446f50934c8f83f04+0x7a6e @ 0x407a6e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 56293420 registers.edi: 34 registers.eax: 56293420 registers.ebp: 56293500 registers.edx: 0 registers.ebx: 31829488 registers.esi: 30994268 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1619384503.078625 __exception__	stacktrace: TMethodImplementationIntercept+0x3ca37 44efccc6dc37d85446f50934c8f83f04+0x8d3ef @ 0x48d3ef TMethodImplementationIntercept+0x3c8f1 44efccc6dc37d85446f50934c8f83f04+0x8d2a9 @ 0x48d2a9 TMethodImplementationIntercept+0x7efb9 44efccc6dc37d85446f50934c8f83f04+0xcf971 @ 0x4cf971 TMethodImplementationIntercept+0x81e3d 44efccc6dc37d85446f50934c8f83f04+0xd27f5 @ 0x4d27f5 TMethodImplementationIntercept+0x46774 44efccc6dc37d85446f50934c8f83f04+0x9712c @ 0x49712c TMethodImplementationIntercept-0x48f4a 44efccc6dc37d85446f50934c8f83f04+0x7a6e @ 0x407a6e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 56293420 registers.edi: 34 registers.eax: 56293420 registers.ebp: 56293500 registers.edx: 0 registers.ebx: 31829488 registers.esi: 31078508 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success
1619384503.078625 __exception__	stacktrace: TMethodImplementationIntercept+0x3ca37 44efccc6dc37d85446f50934c8f83f04+0x8d3ef @ 0x48d3ef TMethodImplementationIntercept+0x3c8f1 44efccc6dc37d85446f50934c8f83f04+0x8d2a9 @ 0x48d2a9 TMethodImplementationIntercept+0x7efb9 44efccc6dc37d85446f50934c8f83f04+0xcf971 @ 0x4cf971 TMethodImplementationIntercept+0x81e3d 44efccc6dc37d85446f50934c8f83f04+0xd27f5 @ 0x4d27f5 TMethodImplementationIntercept+0x46774 44efccc6dc37d85446f50934c8f83f04+0x9712c @ 0x49712c TMethodImplementationIntercept-0x48f4a 44efccc6dc37d85446f50934c8f83f04+0x7a6e @ 0x407a6e BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 56293420 registers.edi: 34 registers.eax: 56293420 registers.ebp: 56293500 registers.edx: 0 registers.ebx: 31829488 registers.esi: 31184156 registers.ecx: 7 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xeedfade exception.offset: 46887 exception.address: 0x778eb727	success

A process attempted to delay the analysis task. (1 个事件)

description

44efccc6dc37d85446f50934c8f83f04.exe tried to sleep 318 seconds, actually delayed analysis time by 318 seconds

Steals private information from local Internet browsers (5 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\databases\#MKES_INFO#.rtf
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\heavy_ad_intervention_opt_out.db
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\previews_opt_out.db
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\#MKES_INFO#.rtf
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db

Creates (office) documents on the filesystem (3 个事件)

file	C:\Users\Administrator.Oskar-PC\Documents\gAEBDJUSZw.doc
file	C:\Users\Administrator.Oskar-PC\Documents\lfDqBitXNrHO.docx
file	C:\Users\Administrator.Oskar-PC\Documents\FJrOaEBMijG.docx

Creates executable files on the filesystem (50 out of 52 个事件)

file	C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\hwZEOMG2.bat
file	C:\Python27\Lib\idlelib\idle.bat
file	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\89.0.4389.114_chrome_installer.exe
file	C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe
file	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe
file	C:\Program Files\Oracle\VirtualBox Guest Additions\uninst.exe
file	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
file	C:\Program Files (x86)\Google\Update\1.3.36.72\GoogleUpdate.exe
file	C:\Python27\Lib\distutils\command\wininst-7.1.exe
file	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\WSQjTny9.exe
file	C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxWHQLFake.exe
file	C:\Program Files (x86)\Google\Update\1.3.36.72\GoogleUpdateSetup.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\ELtT3m1T.vbs
file	C:\Program Files (x86)\Google\Update\1.3.36.72\GoogleUpdateOnDemand.exe
file	C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxTray.exe
file	C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.lnk
file	C:\Python27\Lib\distutils\command\wininst-9.0-amd64.exe
file	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.lnk
file	C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe
file	C:\Program Files\Microsoft Games\Chess\Chess.exe
file	C:\Program Files\Microsoft Games\Hearts\Hearts.exe
file	C:\Python27\Lib\distutils\command\wininst-9.0.exe
file	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe
file	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe
file	C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
file	C:\Python27\Lib\distutils\command\wininst-6.0.exe
file	C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe
file	C:\Program Files (x86)\Google\Update\1.3.36.72\GoogleUpdateComRegisterShell64.exe
file	C:\Program Files (x86)\Google\Update\1.3.36.72\GoogleCrashHandler64.exe
file	C:\Program Files\Microsoft Games\Hearts\HeartsMCE.lnk
file	C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe
file	C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxDrvInst.exe
file	C:\Program Files (x86)\Google\Update\1.3.36.72\GoogleUpdateCore.exe
file	C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxControl.exe
file	C:\Program Files\Microsoft Games\Chess\ChessMCE.lnk
file	C:\Users\Administrator.Oskar-PC\AppData\Roaming\r2XjgiWm.bat
file	C:\Program Files (x86)\Google\Update\1.3.36.72\GoogleCrashHandler.exe
file	C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe
file	C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.lnk
file	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe
file	C:\Python27\Lib\distutils\command\wininst-8.0.exe
file	C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.lnk
file	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
file	C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.lnk
file	C:\Program Files (x86)\Google\Update\Install\{F316F932-D7FD-48B6-B843-54EA690C23D9}\89.0.4389.114_chrome_installer.exe
file	C:\Program Files (x86)\Google\Update\1.3.36.72\GoogleUpdateBroker.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\WSQjTny964.exe
file	C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe

Creates a shortcut to an executable file (7 个事件)

file	C:\Program Files\Microsoft Games\Chess\ChessMCE.lnk
file	C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.lnk
file	C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.lnk
file	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.lnk
file	C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.lnk
file	C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.lnk
file	C:\Program Files\Microsoft Games\Hearts\HeartsMCE.lnk

Creates a suspicious process (23 个事件)

cmdline	C:\Windows\system32\cmd.exe /c WSQjTny9.exe -accepteula "ImagingDevices.exe.mui" -nobanner
cmdline	C:\Windows\system32\cmd.exe /c WSQjTny9.exe -accepteula "ChessMCE.png" -nobanner
cmdline	C:\Windows\system32\cmd.exe /c WSQjTny9.exe -accepteula "JNTFiltr.dll.mui" -nobanner
cmdline	C:\Windows\system32\cmd.exe /c WSQjTny9.exe -accepteula "SpiderSolitaireMCE.png" -nobanner
cmdline	C:\Windows\system32\cmd.exe /c WSQjTny9.exe -accepteula "wabmig.exe" -nobanner
cmdline	C:\Windows\system32\cmd.exe /c WSQjTny9.exe -accepteula "RacDatabase.sdf" -nobanner
cmdline	cmd.exe /C schtasks /Create /tn DSHCA /tr "C:\Users\Administrator.Oskar-PC\AppData\Roaming\r2XjgiWm.bat" /sc minute /mo 5 /RL HIGHEST /F
cmdline	"C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Administrator.Oskar-PC\AppData\Roaming\ELtT3m1T.vbs"
cmdline	C:\Windows\system32\cmd.exe /c WSQjTny9.exe -accepteula "Genko_2.jtp" -nobanner
cmdline	C:\Windows\system32\cmd.exe /c WSQjTny9.exe -accepteula "Seyes.jtp" -nobanner
cmdline	schtasks /Create /tn DSHCA /tr "C:\Users\Administrator.Oskar-PC\AppData\Roaming\r2XjgiWm.bat" /sc minute /mo 5 /RL HIGHEST /F
cmdline	C:\Windows\system32\cmd.exe /c WSQjTny9.exe -accepteula "blank.jtp" -nobanner
cmdline	"C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Administrator.Oskar-PC\AppData\Roaming\0Za8cz8a.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
cmdline	"C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\44efccc6dc37d85446f50934c8f83f04.exe" "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\NWogEcPV.exe"
cmdline	C:\Windows\system32\cmd.exe /c WSQjTny9.exe -accepteula "PurblePlaceMCE.png" -nobanner
cmdline	C:\Windows\system32\cmd.exe /c WSQjTny9.exe -accepteula "RacWmiDatabase.sdf" -nobanner
cmdline	C:\Windows\system32\cmd.exe /c WSQjTny9.exe -accepteula "Graph.jtp" -nobanner
cmdline	C:\Windows\system32\cmd.exe /c WSQjTny9.exe -accepteula "WinMail.exe" -nobanner
cmdline	C:\Windows\system32\cmd.exe /c WSQjTny9.exe -accepteula "jnwdui.dll.mui" -nobanner
cmdline	C:\Windows\system32\cmd.exe /c WSQjTny9.exe -accepteula "Workflow.VisualBasic.Targets" -nobanner
cmdline	C:\Windows\system32\cmd.exe /c WSQjTny9.exe -accepteula "MahjongMCE.png" -nobanner
cmdline	C:\Windows\system32\cmd.exe /c WSQjTny9.exe -accepteula "HeartsMCE.png" -nobanner
cmdline	"C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Administrator.Oskar-PC\AppData\Roaming\r2XjgiWm.bat" /sc minute /mo 5 /RL HIGHEST /F

A process created a hidden window (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619384513.321377 ShellExecuteExW	parameters: /C schtasks /Create /tn DSHCA /tr "C:\Users\Administrator.Oskar-PC\AppData\Roaming\r2XjgiWm.bat" /sc minute /mo 5 /RL HIGHEST /F filepath: cmd.exe filepath_r: cmd.exe show_type: 0	success	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.9577867114691205

section

{'size_of_data': '0x00043800', 'virtual_address': '0x000f5000', 'entropy': 7.9577867114691205, 'name': '.rsrc', 'virtual_size': '0x00043800'}

description

A section with a high entropy has been found

entropy

0.22565816966151275

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (22 个事件)

Time & API	Arguments	Status	Return
1619384516.287243 LookupPrivilegeValueW	system_name: privilege_name: SeTakeOwnershipPrivilege	success	1
1619384523.562186 LookupPrivilegeValueW	system_name: privilege_name: SeTakeOwnershipPrivilege	success	1
1619384558.93494 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1619384558.95094 LookupPrivilegeValueW	system_name: privilege_name: SeLoadDriverPrivilege	success	1
1619384550.973753 LookupPrivilegeValueW	system_name: privilege_name: SeTakeOwnershipPrivilege	success	1
1619384553.387815 LookupPrivilegeValueW	system_name: privilege_name: SeTakeOwnershipPrivilege	success	1
1619384567.052878 LookupPrivilegeValueW	system_name: privilege_name: SeTakeOwnershipPrivilege	success	1
1619384576.895753 LookupPrivilegeValueW	system_name: privilege_name: SeTakeOwnershipPrivilege	success	1
1619384613.77894 LookupPrivilegeValueW	system_name: privilege_name: SeTakeOwnershipPrivilege	success	1
1619384626.708878 LookupPrivilegeValueW	system_name: privilege_name: SeTakeOwnershipPrivilege	success	1
1619384631.450692 LookupPrivilegeValueW	system_name: privilege_name: SeTakeOwnershipPrivilege	success	1
1619384657.561065 LookupPrivilegeValueW	system_name: privilege_name: SeTakeOwnershipPrivilege	success	1
1619384676.232317 LookupPrivilegeValueW	system_name: privilege_name: SeTakeOwnershipPrivilege	success	1
1619384689.48194 LookupPrivilegeValueW	system_name: privilege_name: SeTakeOwnershipPrivilege	success	1
1619384693.71594 LookupPrivilegeValueW	system_name: privilege_name: SeTakeOwnershipPrivilege	success	1
1619384751.66163 LookupPrivilegeValueW	system_name: privilege_name: SeTakeOwnershipPrivilege	success	1
1619384752.88794 LookupPrivilegeValueW	system_name: privilege_name: SeTakeOwnershipPrivilege	success	1
1619384752.89638 LookupPrivilegeValueW	system_name: privilege_name: SeTakeOwnershipPrivilege	success	1
1619384762.802003 LookupPrivilegeValueW	system_name: privilege_name: SeTakeOwnershipPrivilege	success	1
1619384768.92763 LookupPrivilegeValueW	system_name: privilege_name: SeTakeOwnershipPrivilege	success	1
1619384770.87194 LookupPrivilegeValueW	system_name: privilege_name: SeTakeOwnershipPrivilege	success	1
1619384792.381003 LookupPrivilegeValueW	system_name: privilege_name: SeTakeOwnershipPrivilege	success	1

Uses Windows utilities for basic Windows functionality (7 个事件)

cmdline	reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Administrator.Oskar-PC\AppData\Roaming\0Za8cz8a.bmp" /f
cmdline	cmd.exe /C schtasks /Create /tn DSHCA /tr "C:\Users\Administrator.Oskar-PC\AppData\Roaming\r2XjgiWm.bat" /sc minute /mo 5 /RL HIGHEST /F
cmdline	schtasks /Create /tn DSHCA /tr "C:\Users\Administrator.Oskar-PC\AppData\Roaming\r2XjgiWm.bat" /sc minute /mo 5 /RL HIGHEST /F
cmdline	"C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Administrator.Oskar-PC\AppData\Roaming\0Za8cz8a.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
cmdline	reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
cmdline	reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
cmdline	"C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Administrator.Oskar-PC\AppData\Roaming\r2XjgiWm.bat" /sc minute /mo 5 /RL HIGHEST /F

Communicates with host for which no DNS query was performed (4 个事件)

host	113.108.239.196
host	172.217.24.14
host	203.208.41.65
host	203.208.41.98

Looks for the Windows Idle Time to determine the uptime (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619384483.750625 NtQuerySystemInformation	information_class: 8 (SystemProcessorPerformanceInformation)	success	0	0

Installs itself for autorun at Windows startup (4 个事件)

reg_key	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PROCEXP152\ImagePath	reg_value	\??\C:\Windows\system32\Drivers\PROCEXP152.SYS
cmdline	cmd.exe /C schtasks /Create /tn DSHCA /tr "C:\Users\Administrator.Oskar-PC\AppData\Roaming\r2XjgiWm.bat" /sc minute /mo 5 /RL HIGHEST /F
cmdline	schtasks /Create /tn DSHCA /tr "C:\Users\Administrator.Oskar-PC\AppData\Roaming\r2XjgiWm.bat" /sc minute /mo 5 /RL HIGHEST /F
cmdline	"C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Administrator.Oskar-PC\AppData\Roaming\r2XjgiWm.bat" /sc minute /mo 5 /RL HIGHEST /F

Attempts to detect Cuckoo Sandbox through the presence of a file (1 个事件)

file	C:\Python27\agent.pyw

Loads a driver (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619384562.30994 NtLoadDriver	driver_service_name: \Registry\Machine\System\CurrentControlSet\Services\PROCEXP152	success	0	0

Attempts to modify desktop wallpaper (2 个事件)

registry	HKEY_CURRENT_USER\Control Panel\Desktop\WallpaperStyle
registry	HKEY_CURRENT_USER\Control Panel\Desktop\Wallpaper

One or more non-safelisted processes were created (2 个事件)

parent_process	wscript.exe				martian_process	"C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Administrator.Oskar-PC\AppData\Roaming\r2XjgiWm.bat" /sc minute /mo 5 /RL HIGHEST /F
parent_process	wscript.exe				martian_process	cmd.exe /C schtasks /Create /tn DSHCA /tr "C:\Users\Administrator.Oskar-PC\AppData\Roaming\r2XjgiWm.bat" /sc minute /mo 5 /RL HIGHEST /F

Uses suspicious command line tools or Windows utilities (25 个事件)

cmdline	cacls "C:\Program Files\Microsoft Games\Chess\ChessMCE.png" /E /G Administrator:F /C
cmdline	cacls "C:\Program Files\Windows Journal\Templates\Seyes.jtp" /E /G Administrator:F /C
cmdline	cacls "C:\Users\All Users\Microsoft\RAC\StateData\RacDatabase.sdf" /E /G Administrator:F /C
cmdline	cacls "C:\Program Files\Windows Mail\WinMail.exe" /E /G Administrator:F /C
cmdline	cacls "C:\Program Files\Windows Journal\zh-CN\JNTFiltr.dll.mui" /E /G Administrator:F /C
cmdline	cacls "C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png" /E /G Administrator:F /C
cmdline	cacls "C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png" /E /G Administrator:F /C
cmdline	cacls "C:\Program Files\Windows Journal\zh-CN\jnwmon.dll.mui" /E /G Administrator:F /C
cmdline	cacls "C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png" /E /G Administrator:F /C
cmdline	cacls "C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png" /E /G Administrator:F /C
cmdline	cacls "C:\Program Files\Windows Photo Viewer\zh-CN\ImagingDevices.exe.mui" /E /G Administrator:F /C
cmdline	cacls "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /E /G Administrator:F /C
cmdline	cacls "C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png" /E /G Administrator:F /C
cmdline	cacls "C:\Program Files\Windows Journal\Templates\Memo.jtp" /E /G Administrator:F /C
cmdline	cacls "C:\Program Files\Windows Journal\Templates\Graph.jtp" /E /G Administrator:F /C
cmdline	cacls "C:\Program Files\Windows Mail\zh-CN\msoeres.dll.mui" /E /G Administrator:F /C
cmdline	cacls "C:\Program Files\Windows Mail\wabmig.exe" /E /G Administrator:F /C
cmdline	cacls "C:\Program Files\Windows Journal\Templates\Genko_2.jtp" /E /G Administrator:F /C
cmdline	cacls "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets" /E /G Administrator:F /C
cmdline	cacls "C:\Users\All Users\Microsoft\RAC\PublishedData\RacWmiDatabase.sdf" /E /G Administrator:F /C
cmdline	cacls "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe" /E /G Administrator:F /C
cmdline	cacls "C:\Program Files (x86)\Windows Mail\WinMail.exe" /E /G Administrator:F /C
cmdline	cacls "C:\Program Files\Windows Journal\zh-CN\NBMapTIP.dll.mui" /E /G Administrator:F /C
cmdline	cacls "C:\Program Files\Windows Journal\Templates\blank.jtp" /E /G Administrator:F /C
cmdline	cacls "C:\Program Files\Windows Journal\zh-CN\jnwdui.dll.mui" /E /G Administrator:F /C

Detects VirtualBox through the presence of a file (8 个事件)

file	C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxControl.exe
file	C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxTray.exe
file	C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxDrvInst.exe
file	C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxWHQLFake.exe
file	C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxGuest.sys
file	C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxMouse.sys
file	C:\Program Files\Oracle\VirtualBox Guest Additions\VBoxVideo.sys
file	C:\Program Files\Oracle\VirtualBox Guest Additions\uninst.exe

Stops Windows services (1 个事件)

service

PROCEXP152 (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PROCEXP152\Start)

Performs 1244 file moves indicative of a ransomware file encryption process (50 out of 1244 个事件)

Time & API	Arguments	Status	Return
1619384497.031625 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\test\185test.db newfilepath: C:\Python27\Lib\test\[MarkEvans333@criptext.com].jXAtc4iZ-gK1bMNAH.MKES newfilepath_r: C:\Python27\Lib\test\[MarkEvans333@criptext.com].jXAtc4iZ-gK1bMNAH.MKES flags: 1 oldfilepath_r: C:\Python27\Lib\test\185test.db	success	1
1619384497.031625 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\databases\[MarkEvans333@criptext.com].5i3DQiap-9vTNYEv2.MKES newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\databases\[MarkEvans333@criptext.com].5i3DQiap-9vTNYEv2.MKES flags: 1 oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db	success	1
1619384497.031625 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\Documents\FJrOaEBMijG.docx newfilepath: C:\Users\Administrator.Oskar-PC\Documents\[MarkEvans333@criptext.com].howIX4WM-TLoTN7VD.MKES newfilepath_r: C:\Users\Administrator.Oskar-PC\Documents\[MarkEvans333@criptext.com].howIX4WM-TLoTN7VD.MKES flags: 1 oldfilepath_r: C:\Users\Administrator.Oskar-PC\Documents\FJrOaEBMijG.docx	success	1
1619384497.031625 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\previews_opt_out.db newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\[MarkEvans333@criptext.com].7twAPUMY-AfXko3IA.MKES newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\[MarkEvans333@criptext.com].7twAPUMY-AfXko3IA.MKES flags: 1 oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\previews_opt_out.db	success	1
1619384497.031625 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\Documents\gAEBDJUSZw.doc newfilepath: C:\Users\Administrator.Oskar-PC\Documents\[MarkEvans333@criptext.com].dpcpeG96-Mh0UAWi0.MKES newfilepath_r: C:\Users\Administrator.Oskar-PC\Documents\[MarkEvans333@criptext.com].dpcpeG96-Mh0UAWi0.MKES flags: 1 oldfilepath_r: C:\Users\Administrator.Oskar-PC\Documents\gAEBDJUSZw.doc	success	1
1619384497.031625 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\heavy_ad_intervention_opt_out.db newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\[MarkEvans333@criptext.com].owWjH6Nt-eWy3sryJ.MKES newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\[MarkEvans333@criptext.com].owWjH6Nt-eWy3sryJ.MKES flags: 1 oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\heavy_ad_intervention_opt_out.db	success	1
1619384497.046625 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\test\testtar.tar newfilepath: C:\Python27\Lib\test\[MarkEvans333@criptext.com].5FBoHpH4-7FczfLOa.MKES newfilepath_r: C:\Python27\Lib\test\[MarkEvans333@criptext.com].5FBoHpH4-7FczfLOa.MKES flags: 1 oldfilepath_r: C:\Python27\Lib\test\testtar.tar	success	1
1619384497.046625 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\Documents\lfDqBitXNrHO.docx newfilepath: C:\Users\Administrator.Oskar-PC\Documents\[MarkEvans333@criptext.com].9281KYP3-2aYAGxIZ.MKES newfilepath_r: C:\Users\Administrator.Oskar-PC\Documents\[MarkEvans333@criptext.com].9281KYP3-2aYAGxIZ.MKES flags: 1 oldfilepath_r: C:\Users\Administrator.Oskar-PC\Documents\lfDqBitXNrHO.docx	success	1
1619384497.046625 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\Notebook.jpg newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].W4GiFbFk-SWqVKGqN.MKES newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].W4GiFbFk-SWqVKGqN.MKES flags: 1 oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\Notebook.jpg	success	1
1619384497.046625 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\HandPrints.jpg newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].PMvBsQyE-bo4gPEiC.MKES newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].PMvBsQyE-bo4gPEiC.MKES flags: 1 oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\HandPrints.jpg	success	1
1619384497.046625 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\GreenBubbles.jpg newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].0RNgMpkT-qnzGsuD1.MKES newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].0RNgMpkT-qnzGsuD1.MKES flags: 1 oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\GreenBubbles.jpg	success	1
1619384497.046625 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\ShadesOfBlue.jpg newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].LVkpFDbr-XNWKvl2c.MKES newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].LVkpFDbr-XNWKvl2c.MKES flags: 1 oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\ShadesOfBlue.jpg	success	1
1619384497.046625 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\Monet.jpg newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].1EwoZCmR-jghNoZGZ.MKES newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].1EwoZCmR-jghNoZGZ.MKES flags: 1 oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\Monet.jpg	success	1
1619384497.046625 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\test\imghdrdata\python.jpg newfilepath: C:\Python27\Lib\test\imghdrdata\[MarkEvans333@criptext.com].NMETA3Ax-c3pO8njc.MKES newfilepath_r: C:\Python27\Lib\test\imghdrdata\[MarkEvans333@criptext.com].NMETA3Ax-c3pO8njc.MKES flags: 1 oldfilepath_r: C:\Python27\Lib\test\imghdrdata\python.jpg	success	1
1619384497.046625 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\test\zipdir.zip newfilepath: C:\Python27\Lib\test\[MarkEvans333@criptext.com].4q8sT5Dm-ZOcgiJje.MKES newfilepath_r: C:\Python27\Lib\test\[MarkEvans333@criptext.com].4q8sT5Dm-ZOcgiJje.MKES flags: 1 oldfilepath_r: C:\Python27\Lib\test\zipdir.zip	success	1
1619384497.046625 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].8Ddhmlb5-4jDkgHhO.MKES newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].8Ddhmlb5-4jDkgHhO.MKES flags: 1 oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg	success	1
1619384497.046625 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\Psychedelic.jpg newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].mKNmWx88-nArcmv5a.MKES newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].mKNmWx88-nArcmv5a.MKES flags: 1 oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\Psychedelic.jpg	success	1
1619384497.046625 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\Sand_Paper.jpg newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].J9euxdKU-ZStW7BCl.MKES newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].J9euxdKU-ZStW7BCl.MKES flags: 1 oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\Sand_Paper.jpg	success	1
1619384497.046625 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.jpg newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].QLWWhZfv-CQGAx2ry.MKES newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].QLWWhZfv-CQGAx2ry.MKES flags: 1 oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.jpg	success	1
1619384497.046625 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\Blue_Gradient.jpg newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].uC1SsGRR-UfwJQ47Q.MKES newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].uC1SsGRR-UfwJQ47Q.MKES flags: 1 oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\Blue_Gradient.jpg	success	1
1619384497.046625 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\Pine_Lumber.jpg newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].dCPoT0Fe-gVgwRFY7.MKES newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].dCPoT0Fe-gVgwRFY7.MKES flags: 1 oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\Pine_Lumber.jpg	success	1
1619384498.546625 MoveFileWithProgressW	oldfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Blue_Gradient.jpg newfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].mAmjsJWj-JRm53GoZ.MKES newfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].mAmjsJWj-JRm53GoZ.MKES flags: 1 oldfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Blue_Gradient.jpg	success	1
1619384498.546625 MoveFileWithProgressW	oldfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg newfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].j54lYN6H-IEJrCd4i.MKES newfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].j54lYN6H-IEJrCd4i.MKES flags: 1 oldfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg	success	1
1619384498.546625 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\White_Chocolate.jpg newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].4uKVOKtm-kBcDNu6n.MKES newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].4uKVOKtm-kBcDNu6n.MKES flags: 1 oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\White_Chocolate.jpg	success	1
1619384498.546625 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\OrangeCircles.jpg newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].HHKEZ5EM-LAs3nwPd.MKES newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].HHKEZ5EM-LAs3nwPd.MKES flags: 1 oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\OrangeCircles.jpg	success	1
1619384498.546625 MoveFileWithProgressW	oldfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Garden.jpg newfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].WNPKRCQe-i5lcy33T.MKES newfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].WNPKRCQe-i5lcy33T.MKES flags: 1 oldfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Garden.jpg	success	1
1619384498.546625 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\Peacock.jpg newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].VllVm851-eRopxTC6.MKES newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].VllVm851-eRopxTC6.MKES flags: 1 oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\Peacock.jpg	success	1
1619384498.546625 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\Small_News.jpg newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].k7DB5GX0-vSryByfk.MKES newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].k7DB5GX0-vSryByfk.MKES flags: 1 oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\Small_News.jpg	success	1
1619384498.546625 MoveFileWithProgressW	oldfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\OrangeCircles.jpg newfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].OHsZ2ji6-kcjzWZla.MKES newfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].OHsZ2ji6-kcjzWZla.MKES flags: 1 oldfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\OrangeCircles.jpg	success	1
1619384498.546625 MoveFileWithProgressW	oldfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Pretty_Peacock.jpg newfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].tg5nKl5j-xSkCB2FD.MKES newfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].tg5nKl5j-xSkCB2FD.MKES flags: 1 oldfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Pretty_Peacock.jpg	success	1
1619384498.546625 MoveFileWithProgressW	oldfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Pine_Lumber.jpg newfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].oH6drDtU-rOSaQLef.MKES newfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].oH6drDtU-rOSaQLef.MKES flags: 1 oldfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Pine_Lumber.jpg	success	1
1619384498.546625 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\SoftBlue.jpg newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].Gf8Xs1xt-fzM7hmby.MKES newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].Gf8Xs1xt-fzM7hmby.MKES flags: 1 oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\SoftBlue.jpg	success	1
1619384498.546625 MoveFileWithProgressW	oldfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\GreenBubbles.jpg newfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].kkG4hJOA-RCe7AQxw.MKES newfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].kkG4hJOA-RCe7AQxw.MKES flags: 1 oldfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\GreenBubbles.jpg	success	1
1619384498.546625 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.jpg newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].mQLL85Bs-HdS91vHL.MKES newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].mQLL85Bs-HdS91vHL.MKES flags: 1 oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.jpg	success	1
1619384498.546625 MoveFileWithProgressW	oldfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Peacock.jpg newfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].b2dEEYVo-PWIV4UL0.MKES newfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].b2dEEYVo-PWIV4UL0.MKES flags: 1 oldfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Peacock.jpg	success	1
1619384498.546625 MoveFileWithProgressW	oldfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Tanspecks.jpg newfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].BoMcDLir-kxD4pYhI.MKES newfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].BoMcDLir-kxD4pYhI.MKES flags: 1 oldfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Tanspecks.jpg	success	1
1619384498.546625 MoveFileWithProgressW	oldfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\HandPrints.jpg newfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].uh7IQDmE-D6mxbRWd.MKES newfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].uh7IQDmE-D6mxbRWd.MKES flags: 1 oldfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\HandPrints.jpg	success	1
1619384498.546625 MoveFileWithProgressW	oldfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Monet.jpg newfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].oV3c171j-q7c5Hqrb.MKES newfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].oV3c171j-q7c5Hqrb.MKES flags: 1 oldfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Monet.jpg	success	1
1619384498.546625 MoveFileWithProgressW	oldfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\SoftBlue.jpg newfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].N4hUtsjb-D5EXeTXQ.MKES newfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].N4hUtsjb-D5EXeTXQ.MKES flags: 1 oldfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\SoftBlue.jpg	success	1
1619384498.546625 MoveFileWithProgressW	oldfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Small_News.jpg newfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].BBZG2waS-C8oESHfW.MKES newfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].BBZG2waS-C8oESHfW.MKES flags: 1 oldfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Small_News.jpg	success	1
1619384498.546625 MoveFileWithProgressW	oldfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.jpg newfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].m7KgQoRs-BvB0fWjZ.MKES newfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].m7KgQoRs-BvB0fWjZ.MKES flags: 1 oldfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.jpg	success	1
1619384498.546625 MoveFileWithProgressW	oldfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.jpg newfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].sytpb7xX-TKI6JDKq.MKES newfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].sytpb7xX-TKI6JDKq.MKES flags: 1 oldfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.jpg	success	1
1619384498.546625 MoveFileWithProgressW	oldfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Psychedelic.jpg newfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].YKidhy8f-RkHCt4Nv.MKES newfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].YKidhy8f-RkHCt4Nv.MKES flags: 1 oldfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Psychedelic.jpg	success	1
1619384498.546625 MoveFileWithProgressW	oldfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\White_Chocolate.jpg newfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].4Hw5gvxG-Z65QoDQH.MKES newfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].4Hw5gvxG-Z65QoDQH.MKES flags: 1 oldfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\White_Chocolate.jpg	success	1
1619384498.671625 MoveFileWithProgressW	oldfilepath: C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg newfilepath: C:\Users\Public\Pictures\Sample Pictures\[MarkEvans333@criptext.com].LSXTjS24-eCiYDbZ4.MKES newfilepath_r: C:\Users\Public\Pictures\Sample Pictures\[MarkEvans333@criptext.com].LSXTjS24-eCiYDbZ4.MKES flags: 1 oldfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg	success	1
1619384498.671625 MoveFileWithProgressW	oldfilepath: C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg newfilepath: C:\Users\Public\Pictures\Sample Pictures\[MarkEvans333@criptext.com].uWaAyqEe-xziXtdLf.MKES newfilepath_r: C:\Users\Public\Pictures\Sample Pictures\[MarkEvans333@criptext.com].uWaAyqEe-xziXtdLf.MKES flags: 1 oldfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg	success	1
1619384498.671625 MoveFileWithProgressW	oldfilepath: C:\Users\Public\Pictures\Sample Pictures\Desert.jpg newfilepath: C:\Users\Public\Pictures\Sample Pictures\[MarkEvans333@criptext.com].fvXefxKU-0gZ3Z672.MKES newfilepath_r: C:\Users\Public\Pictures\Sample Pictures\[MarkEvans333@criptext.com].fvXefxKU-0gZ3Z672.MKES flags: 1 oldfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Desert.jpg	success	1
1619384498.671625 MoveFileWithProgressW	oldfilepath: C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg newfilepath: C:\Users\Public\Pictures\Sample Pictures\[MarkEvans333@criptext.com].yG07mqDW-OmrfaT6l.MKES newfilepath_r: C:\Users\Public\Pictures\Sample Pictures\[MarkEvans333@criptext.com].yG07mqDW-OmrfaT6l.MKES flags: 1 oldfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg	success	1
1619384498.671625 MoveFileWithProgressW	oldfilepath: C:\Users\Public\Pictures\Sample Pictures\Koala.jpg newfilepath: C:\Users\Public\Pictures\Sample Pictures\[MarkEvans333@criptext.com].FaAm5VYZ-d5YDBDCr.MKES newfilepath_r: C:\Users\Public\Pictures\Sample Pictures\[MarkEvans333@criptext.com].FaAm5VYZ-d5YDBDCr.MKES flags: 1 oldfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Koala.jpg	success	1
1619384498.671625 MoveFileWithProgressW	oldfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Sand_Paper.jpg newfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].47TFWXVv-symkI7Tz.MKES newfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].47TFWXVv-symkI7Tz.MKES flags: 1 oldfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Sand_Paper.jpg	success	1

Appends a new file extension or content to 1244 files indicative of a ransomware file encryption process (50 out of 1244 个事件)

Time & API	Arguments	Status	Return
1619384497.031625 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\test\185test.db newfilepath: C:\Python27\Lib\test\[MarkEvans333@criptext.com].jXAtc4iZ-gK1bMNAH.MKES newfilepath_r: C:\Python27\Lib\test\[MarkEvans333@criptext.com].jXAtc4iZ-gK1bMNAH.MKES flags: 1 oldfilepath_r: C:\Python27\Lib\test\185test.db	success	1
1619384497.031625 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\databases\[MarkEvans333@criptext.com].5i3DQiap-9vTNYEv2.MKES newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\databases\[MarkEvans333@criptext.com].5i3DQiap-9vTNYEv2.MKES flags: 1 oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db	success	1
1619384497.031625 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\Documents\FJrOaEBMijG.docx newfilepath: C:\Users\Administrator.Oskar-PC\Documents\[MarkEvans333@criptext.com].howIX4WM-TLoTN7VD.MKES newfilepath_r: C:\Users\Administrator.Oskar-PC\Documents\[MarkEvans333@criptext.com].howIX4WM-TLoTN7VD.MKES flags: 1 oldfilepath_r: C:\Users\Administrator.Oskar-PC\Documents\FJrOaEBMijG.docx	success	1
1619384497.031625 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\previews_opt_out.db newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\[MarkEvans333@criptext.com].7twAPUMY-AfXko3IA.MKES newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\[MarkEvans333@criptext.com].7twAPUMY-AfXko3IA.MKES flags: 1 oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\previews_opt_out.db	success	1
1619384497.031625 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\Documents\gAEBDJUSZw.doc newfilepath: C:\Users\Administrator.Oskar-PC\Documents\[MarkEvans333@criptext.com].dpcpeG96-Mh0UAWi0.MKES newfilepath_r: C:\Users\Administrator.Oskar-PC\Documents\[MarkEvans333@criptext.com].dpcpeG96-Mh0UAWi0.MKES flags: 1 oldfilepath_r: C:\Users\Administrator.Oskar-PC\Documents\gAEBDJUSZw.doc	success	1
1619384497.031625 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\heavy_ad_intervention_opt_out.db newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\[MarkEvans333@criptext.com].owWjH6Nt-eWy3sryJ.MKES newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\[MarkEvans333@criptext.com].owWjH6Nt-eWy3sryJ.MKES flags: 1 oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\heavy_ad_intervention_opt_out.db	success	1
1619384497.046625 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\test\testtar.tar newfilepath: C:\Python27\Lib\test\[MarkEvans333@criptext.com].5FBoHpH4-7FczfLOa.MKES newfilepath_r: C:\Python27\Lib\test\[MarkEvans333@criptext.com].5FBoHpH4-7FczfLOa.MKES flags: 1 oldfilepath_r: C:\Python27\Lib\test\testtar.tar	success	1
1619384497.046625 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\Documents\lfDqBitXNrHO.docx newfilepath: C:\Users\Administrator.Oskar-PC\Documents\[MarkEvans333@criptext.com].9281KYP3-2aYAGxIZ.MKES newfilepath_r: C:\Users\Administrator.Oskar-PC\Documents\[MarkEvans333@criptext.com].9281KYP3-2aYAGxIZ.MKES flags: 1 oldfilepath_r: C:\Users\Administrator.Oskar-PC\Documents\lfDqBitXNrHO.docx	success	1
1619384497.046625 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\Notebook.jpg newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].W4GiFbFk-SWqVKGqN.MKES newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].W4GiFbFk-SWqVKGqN.MKES flags: 1 oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\Notebook.jpg	success	1
1619384497.046625 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\HandPrints.jpg newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].PMvBsQyE-bo4gPEiC.MKES newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].PMvBsQyE-bo4gPEiC.MKES flags: 1 oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\HandPrints.jpg	success	1
1619384497.046625 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\GreenBubbles.jpg newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].0RNgMpkT-qnzGsuD1.MKES newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].0RNgMpkT-qnzGsuD1.MKES flags: 1 oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\GreenBubbles.jpg	success	1
1619384497.046625 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\ShadesOfBlue.jpg newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].LVkpFDbr-XNWKvl2c.MKES newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].LVkpFDbr-XNWKvl2c.MKES flags: 1 oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\ShadesOfBlue.jpg	success	1
1619384497.046625 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\Monet.jpg newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].1EwoZCmR-jghNoZGZ.MKES newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].1EwoZCmR-jghNoZGZ.MKES flags: 1 oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\Monet.jpg	success	1
1619384497.046625 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\test\imghdrdata\python.jpg newfilepath: C:\Python27\Lib\test\imghdrdata\[MarkEvans333@criptext.com].NMETA3Ax-c3pO8njc.MKES newfilepath_r: C:\Python27\Lib\test\imghdrdata\[MarkEvans333@criptext.com].NMETA3Ax-c3pO8njc.MKES flags: 1 oldfilepath_r: C:\Python27\Lib\test\imghdrdata\python.jpg	success	1
1619384497.046625 MoveFileWithProgressW	oldfilepath: C:\Python27\Lib\test\zipdir.zip newfilepath: C:\Python27\Lib\test\[MarkEvans333@criptext.com].4q8sT5Dm-ZOcgiJje.MKES newfilepath_r: C:\Python27\Lib\test\[MarkEvans333@criptext.com].4q8sT5Dm-ZOcgiJje.MKES flags: 1 oldfilepath_r: C:\Python27\Lib\test\zipdir.zip	success	1
1619384497.046625 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].8Ddhmlb5-4jDkgHhO.MKES newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].8Ddhmlb5-4jDkgHhO.MKES flags: 1 oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg	success	1
1619384497.046625 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\Psychedelic.jpg newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].mKNmWx88-nArcmv5a.MKES newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].mKNmWx88-nArcmv5a.MKES flags: 1 oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\Psychedelic.jpg	success	1
1619384497.046625 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\Sand_Paper.jpg newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].J9euxdKU-ZStW7BCl.MKES newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].J9euxdKU-ZStW7BCl.MKES flags: 1 oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\Sand_Paper.jpg	success	1
1619384497.046625 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.jpg newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].QLWWhZfv-CQGAx2ry.MKES newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].QLWWhZfv-CQGAx2ry.MKES flags: 1 oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.jpg	success	1
1619384497.046625 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\Blue_Gradient.jpg newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].uC1SsGRR-UfwJQ47Q.MKES newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].uC1SsGRR-UfwJQ47Q.MKES flags: 1 oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\Blue_Gradient.jpg	success	1
1619384497.046625 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\Pine_Lumber.jpg newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].dCPoT0Fe-gVgwRFY7.MKES newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].dCPoT0Fe-gVgwRFY7.MKES flags: 1 oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\Pine_Lumber.jpg	success	1
1619384498.546625 MoveFileWithProgressW	oldfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Blue_Gradient.jpg newfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].mAmjsJWj-JRm53GoZ.MKES newfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].mAmjsJWj-JRm53GoZ.MKES flags: 1 oldfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Blue_Gradient.jpg	success	1
1619384498.546625 MoveFileWithProgressW	oldfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg newfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].j54lYN6H-IEJrCd4i.MKES newfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].j54lYN6H-IEJrCd4i.MKES flags: 1 oldfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg	success	1
1619384498.546625 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\White_Chocolate.jpg newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].4uKVOKtm-kBcDNu6n.MKES newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].4uKVOKtm-kBcDNu6n.MKES flags: 1 oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\White_Chocolate.jpg	success	1
1619384498.546625 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\OrangeCircles.jpg newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].HHKEZ5EM-LAs3nwPd.MKES newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].HHKEZ5EM-LAs3nwPd.MKES flags: 1 oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\OrangeCircles.jpg	success	1
1619384498.546625 MoveFileWithProgressW	oldfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Garden.jpg newfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].WNPKRCQe-i5lcy33T.MKES newfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].WNPKRCQe-i5lcy33T.MKES flags: 1 oldfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Garden.jpg	success	1
1619384498.546625 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\Peacock.jpg newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].VllVm851-eRopxTC6.MKES newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].VllVm851-eRopxTC6.MKES flags: 1 oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\Peacock.jpg	success	1
1619384498.546625 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\Small_News.jpg newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].k7DB5GX0-vSryByfk.MKES newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].k7DB5GX0-vSryByfk.MKES flags: 1 oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\Small_News.jpg	success	1
1619384498.546625 MoveFileWithProgressW	oldfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\OrangeCircles.jpg newfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].OHsZ2ji6-kcjzWZla.MKES newfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].OHsZ2ji6-kcjzWZla.MKES flags: 1 oldfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\OrangeCircles.jpg	success	1
1619384498.546625 MoveFileWithProgressW	oldfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Pretty_Peacock.jpg newfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].tg5nKl5j-xSkCB2FD.MKES newfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].tg5nKl5j-xSkCB2FD.MKES flags: 1 oldfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Pretty_Peacock.jpg	success	1
1619384498.546625 MoveFileWithProgressW	oldfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Pine_Lumber.jpg newfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].oH6drDtU-rOSaQLef.MKES newfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].oH6drDtU-rOSaQLef.MKES flags: 1 oldfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Pine_Lumber.jpg	success	1
1619384498.546625 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\SoftBlue.jpg newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].Gf8Xs1xt-fzM7hmby.MKES newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].Gf8Xs1xt-fzM7hmby.MKES flags: 1 oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\SoftBlue.jpg	success	1
1619384498.546625 MoveFileWithProgressW	oldfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\GreenBubbles.jpg newfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].kkG4hJOA-RCe7AQxw.MKES newfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].kkG4hJOA-RCe7AQxw.MKES flags: 1 oldfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\GreenBubbles.jpg	success	1
1619384498.546625 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.jpg newfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].mQLL85Bs-HdS91vHL.MKES newfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].mQLL85Bs-HdS91vHL.MKES flags: 1 oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.jpg	success	1
1619384498.546625 MoveFileWithProgressW	oldfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Peacock.jpg newfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].b2dEEYVo-PWIV4UL0.MKES newfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].b2dEEYVo-PWIV4UL0.MKES flags: 1 oldfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Peacock.jpg	success	1
1619384498.546625 MoveFileWithProgressW	oldfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Tanspecks.jpg newfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].BoMcDLir-kxD4pYhI.MKES newfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].BoMcDLir-kxD4pYhI.MKES flags: 1 oldfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Tanspecks.jpg	success	1
1619384498.546625 MoveFileWithProgressW	oldfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\HandPrints.jpg newfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].uh7IQDmE-D6mxbRWd.MKES newfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].uh7IQDmE-D6mxbRWd.MKES flags: 1 oldfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\HandPrints.jpg	success	1
1619384498.546625 MoveFileWithProgressW	oldfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Monet.jpg newfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].oV3c171j-q7c5Hqrb.MKES newfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].oV3c171j-q7c5Hqrb.MKES flags: 1 oldfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Monet.jpg	success	1
1619384498.546625 MoveFileWithProgressW	oldfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\SoftBlue.jpg newfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].N4hUtsjb-D5EXeTXQ.MKES newfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].N4hUtsjb-D5EXeTXQ.MKES flags: 1 oldfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\SoftBlue.jpg	success	1
1619384498.546625 MoveFileWithProgressW	oldfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Small_News.jpg newfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].BBZG2waS-C8oESHfW.MKES newfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].BBZG2waS-C8oESHfW.MKES flags: 1 oldfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Small_News.jpg	success	1
1619384498.546625 MoveFileWithProgressW	oldfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.jpg newfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].m7KgQoRs-BvB0fWjZ.MKES newfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].m7KgQoRs-BvB0fWjZ.MKES flags: 1 oldfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.jpg	success	1
1619384498.546625 MoveFileWithProgressW	oldfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.jpg newfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].sytpb7xX-TKI6JDKq.MKES newfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].sytpb7xX-TKI6JDKq.MKES flags: 1 oldfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.jpg	success	1
1619384498.546625 MoveFileWithProgressW	oldfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Psychedelic.jpg newfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].YKidhy8f-RkHCt4Nv.MKES newfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].YKidhy8f-RkHCt4Nv.MKES flags: 1 oldfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Psychedelic.jpg	success	1
1619384498.546625 MoveFileWithProgressW	oldfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\White_Chocolate.jpg newfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].4Hw5gvxG-Z65QoDQH.MKES newfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].4Hw5gvxG-Z65QoDQH.MKES flags: 1 oldfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\White_Chocolate.jpg	success	1
1619384498.671625 MoveFileWithProgressW	oldfilepath: C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg newfilepath: C:\Users\Public\Pictures\Sample Pictures\[MarkEvans333@criptext.com].LSXTjS24-eCiYDbZ4.MKES newfilepath_r: C:\Users\Public\Pictures\Sample Pictures\[MarkEvans333@criptext.com].LSXTjS24-eCiYDbZ4.MKES flags: 1 oldfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg	success	1
1619384498.671625 MoveFileWithProgressW	oldfilepath: C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg newfilepath: C:\Users\Public\Pictures\Sample Pictures\[MarkEvans333@criptext.com].uWaAyqEe-xziXtdLf.MKES newfilepath_r: C:\Users\Public\Pictures\Sample Pictures\[MarkEvans333@criptext.com].uWaAyqEe-xziXtdLf.MKES flags: 1 oldfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg	success	1
1619384498.671625 MoveFileWithProgressW	oldfilepath: C:\Users\Public\Pictures\Sample Pictures\Desert.jpg newfilepath: C:\Users\Public\Pictures\Sample Pictures\[MarkEvans333@criptext.com].fvXefxKU-0gZ3Z672.MKES newfilepath_r: C:\Users\Public\Pictures\Sample Pictures\[MarkEvans333@criptext.com].fvXefxKU-0gZ3Z672.MKES flags: 1 oldfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Desert.jpg	success	1
1619384498.671625 MoveFileWithProgressW	oldfilepath: C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg newfilepath: C:\Users\Public\Pictures\Sample Pictures\[MarkEvans333@criptext.com].yG07mqDW-OmrfaT6l.MKES newfilepath_r: C:\Users\Public\Pictures\Sample Pictures\[MarkEvans333@criptext.com].yG07mqDW-OmrfaT6l.MKES flags: 1 oldfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg	success	1
1619384498.671625 MoveFileWithProgressW	oldfilepath: C:\Users\Public\Pictures\Sample Pictures\Koala.jpg newfilepath: C:\Users\Public\Pictures\Sample Pictures\[MarkEvans333@criptext.com].FaAm5VYZ-d5YDBDCr.MKES newfilepath_r: C:\Users\Public\Pictures\Sample Pictures\[MarkEvans333@criptext.com].FaAm5VYZ-d5YDBDCr.MKES flags: 1 oldfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Koala.jpg	success	1
1619384498.671625 MoveFileWithProgressW	oldfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Sand_Paper.jpg newfilepath: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].47TFWXVv-symkI7Tz.MKES newfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\[MarkEvans333@criptext.com].47TFWXVv-symkI7Tz.MKES flags: 1 oldfilepath_r: C:\Users\Oskar\AppData\Local\Microsoft\Windows Mail\Stationery\Sand_Paper.jpg	success	1

The process wscript.exe wrote an executable file to disk which it then attempted to execute (2 个事件)

file	C:\Windows\SysWOW64\wscript.exe
file	C:\Windows\System32\cmd.exe

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)

dead_host	172.217.24.14:443
dead_host	172.217.160.110:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-03-04 06:25:34

Imports

Library oleaut32.dll:

• 0x4ef36c SysFreeString

• 0x4ef370 SysReAllocStringLen

• 0x4ef374 SysAllocStringLen

• 0x4ef378 SafeArrayPtrOfIndex

• 0x4ef37c SafeArrayGetUBound

• 0x4ef380 SafeArrayGetLBound

• 0x4ef384 SafeArrayCreate

• 0x4ef388 VariantChangeType

• 0x4ef38c VariantCopy

• 0x4ef390 VariantClear

• 0x4ef394 VariantInit

• 0x4ef398 GetErrorInfo

Library advapi32.dll:

• 0x4ef3a0 RegQueryValueExW

• 0x4ef3a4 RegOpenKeyExW

• 0x4ef3a8 RegCloseKey

• 0x4ef3ac OpenThreadToken

• 0x4ef3b0 OpenProcessToken

• 0x4ef3b4 GetUserNameA

• 0x4ef3b8 GetTokenInformation

• 0x4ef3bc GetSidSubAuthorityCount

• 0x4ef3c0 GetSidSubAuthority

• 0x4ef3c4 FreeSid

• 0x4ef3c8 EqualSid

• 0x4ef3cc AllocateAndInitializeSid

• 0x4ef3d0 CryptGenRandom

• 0x4ef3d4 CryptReleaseContext

• 0x4ef3d8 CryptAcquireContextW

Library user32.dll:

• 0x4ef3e0 MessageBoxA

• 0x4ef3e4 CharNextW

• 0x4ef3e8 LoadStringW

• 0x4ef3ec PeekMessageW

• 0x4ef3f0 MsgWaitForMultipleObjects

• 0x4ef3f4 MessageBoxW

• 0x4ef3f8 GetSystemMetrics

• 0x4ef3fc CharUpperBuffW

• 0x4ef400 CharUpperW

• 0x4ef404 CharLowerBuffW

Library kernel32.dll:

• 0x4ef40c Sleep

• 0x4ef410 VirtualFree

• 0x4ef414 VirtualAlloc

• 0x4ef418 lstrlenW

• 0x4ef41c VirtualQuery

• 0x4ef420 GetTickCount

• 0x4ef424 GetSystemInfo

• 0x4ef428 GetVersion

• 0x4ef42c CompareStringW

• 0x4ef430 IsDBCSLeadByteEx

• 0x4ef434 IsValidLocale

• 0x4ef438 SetThreadLocale

• 0x4ef43c GetSystemDefaultUILanguage

• 0x4ef440 GetUserDefaultUILanguage

• 0x4ef444 GetLocaleInfoW

• 0x4ef448 WideCharToMultiByte

• 0x4ef44c MultiByteToWideChar

• 0x4ef450 GetConsoleOutputCP

• 0x4ef454 GetConsoleCP

• 0x4ef458 GetACP

• 0x4ef45c LoadLibraryExW

• 0x4ef460 GetStartupInfoW

• 0x4ef464 GetProcAddress

• 0x4ef468 GetModuleHandleW

• 0x4ef46c GetModuleFileNameW

• 0x4ef470 GetCommandLineW

• 0x4ef474 FreeLibrary

• 0x4ef478 GetLastError

• 0x4ef47c UnhandledExceptionFilter

• 0x4ef480 RtlUnwind

• 0x4ef484 RaiseException

• 0x4ef488 ExitProcess

• 0x4ef48c ExitThread

• 0x4ef490 SwitchToThread

• 0x4ef494 GetCurrentThreadId

• 0x4ef498 CreateThread

• 0x4ef49c DeleteCriticalSection

• 0x4ef4a0 LeaveCriticalSection

• 0x4ef4a4 EnterCriticalSection

• 0x4ef4a8 InitializeCriticalSection

• 0x4ef4ac FindFirstFileW

• 0x4ef4b0 FindClose

• 0x4ef4b4 WriteFile

• 0x4ef4b8 SetFilePointer

• 0x4ef4bc SetEndOfFile

• 0x4ef4c0 ReadFile

• 0x4ef4c4 GetFileType

• 0x4ef4c8 GetFileSize

• 0x4ef4cc CreateFileW

• 0x4ef4d0 GetStdHandle

• 0x4ef4d4 CloseHandle

• 0x4ef4d8 LoadLibraryA

• 0x4ef4dc TlsSetValue

• 0x4ef4e0 TlsGetValue

• 0x4ef4e4 LocalFree

• 0x4ef4e8 LocalAlloc

• 0x4ef4ec WaitForSingleObject

• 0x4ef4f0 WaitForMultipleObjects

• 0x4ef4f4 VirtualQueryEx

• 0x4ef4f8 VirtualProtect

• 0x4ef4fc VerSetConditionMask

• 0x4ef500 VerifyVersionInfoW

• 0x4ef504 SuspendThread

• 0x4ef508 SizeofResource

• 0x4ef50c SetThreadPriority

• 0x4ef510 SetLastError

• 0x4ef514 SetFileAttributesW

• 0x4ef518 SetEvent

• 0x4ef51c SetErrorMode

• 0x4ef520 ResumeThread

• 0x4ef524 ResetEvent

• 0x4ef528 ReleaseMutex

• 0x4ef52c QueryPerformanceFrequency

• 0x4ef530 QueryPerformanceCounter

• 0x4ef534 OpenMutexW

• 0x4ef538 MoveFileExW

• 0x4ef53c LockResource

• 0x4ef540 LoadResource

• 0x4ef544 LoadLibraryW

• 0x4ef548 HeapFree

• 0x4ef54c HeapDestroy

• 0x4ef550 HeapCreate

• 0x4ef554 HeapAlloc

• 0x4ef558 GetVolumeInformationW

• 0x4ef55c GetVersionExW

• 0x4ef560 GetUserDefaultLangID

• 0x4ef564 GetUserDefaultLCID

• 0x4ef568 GetThreadTimes

• 0x4ef56c GetThreadPriority

• 0x4ef570 GetThreadLocale

• 0x4ef574 GetSystemTimes

• 0x4ef578 GetSystemDefaultLangID

• 0x4ef57c GetSystemDefaultLCID

• 0x4ef580 GetProcessTimes

• 0x4ef584 GetLocalTime

• 0x4ef588 GetFullPathNameW

• 0x4ef58c GetFileAttributesW

• 0x4ef590 GetExitCodeThread

• 0x4ef594 GetDriveTypeW

• 0x4ef598 GetDiskFreeSpaceW

• 0x4ef59c GetDateFormatW

• 0x4ef5a0 GetCurrentThread

• 0x4ef5a4 GetCurrentProcessId

• 0x4ef5a8 GetCurrentProcess

• 0x4ef5ac GetComputerNameA

• 0x4ef5b0 GetCPInfoExW

• 0x4ef5b4 GetCPInfo

• 0x4ef5b8 FreeResource

• 0x4ef5bc InterlockedCompareExchange

• 0x4ef5c0 FormatMessageW

• 0x4ef5c4 FindResourceW

• 0x4ef5c8 FindNextFileW

• 0x4ef5cc ExpandEnvironmentStringsW

• 0x4ef5d0 EnumSystemLocalesW

• 0x4ef5d4 EnumCalendarInfoW

• 0x4ef5d8 DeleteFileW

• 0x4ef5dc CreateProcessW

• 0x4ef5e0 CreateMutexW

• 0x4ef5e4 CreateEventW

Library ole32.dll:

• 0x4ef5ec CoUninitialize

• 0x4ef5f0 CoInitialize

Library shell32.dll:

• 0x4ef5f8 SHGetSpecialFolderPathW

Library wsock32.dll:

• 0x4ef600 WSACleanup

• 0x4ef604 WSAStartup

• 0x4ef608 gethostname

• 0x4ef60c gethostbyname

• 0x4ef610 inet_ntoa

Library netapi32.dll:

• 0x4ef618 NetShareEnum

• 0x4ef61c NetApiBufferFree

Exports

Ordinal	Address	Name
1	0x4509b8	TMethodImplementationIntercept

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
sec.timerz.org
clients2.google.com	A 172.217.160.110 CNAME clients.l.google.com	172.217.24.14
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

Source	Source Port	Destination	Destination Port
192.168.56.101	49182	192.168.56.1	445

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	51378	114.114.114.114	53
192.168.56.101	53210	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	57874	114.114.114.114	53
192.168.56.101	60123	114.114.114.114	53
192.168.56.101	63429	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	50002	224.0.0.252	5355
192.168.56.101	53380	224.0.0.252	5355
192.168.56.101	53657	224.0.0.252	5355
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57756	224.0.0.252	5355
192.168.56.101	58367	224.0.0.252	5355
192.168.56.101	60384	224.0.0.252	5355
192.168.56.101	61680	224.0.0.252	5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.