popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

client1122.exe

AsyncRAT GIF Format PE32 PE File .NET EXE
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6402 May 12, 2021, 9:57 a.m. May 12, 2021, 10:04 a.m.
Size 91.0KB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 7bf8da9ae283c60e226852fee7ad3d94
SHA256 27ba35dbeb5324bd780ae6a95c5aae93fcb47c5aa8f48b1c21f83000a55de2da
CRC32 C6C7DA63
ssdeep 1536:16xb7zXiyZKQp5FlUeOFeFamwcjAb5JAn807SEzHa9CImZKaIa:16V7zXiyZKigT0lw5bu+19CImZvIa
Yara
  • Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT
  • Is_DotNET_EXE - (no description)
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
172.217.25.14 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: Y
console_handle: 0x00000007
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
0x874dd3
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x6fbc9df8
CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x6fbc9e2f
CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x6fbc9efd
CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x6fbc9fa2
PreBindAssemblyEx+0x6798 StrongNameSignatureVerification-0xb7b3 clr+0x17e303 @ 0x6fd1e303
sxsJitStartup-0x14c66 clrjit+0x3fc2e @ 0x738bfc2e
sxsJitStartup-0x36b91 clrjit+0x1dd03 @ 0x7389dd03
sxsJitStartup-0x52e34 clrjit+0x1a60 @ 0x73881a60
sxsJitStartup-0x52c52 clrjit+0x1c42 @ 0x73881c42
sxsJitStartup-0x52447 clrjit+0x244d @ 0x7388244d
sxsJitStartup-0x50878 clrjit+0x401c @ 0x7388401c
sxsJitStartup-0x50762 clrjit+0x4132 @ 0x73884132
sxsJitStartup-0x50612 clrjit+0x4282 @ 0x73884282
sxsJitStartup-0x502ff clrjit+0x4595 @ 0x73884595
CreateAssemblyNameObject+0x61d0 GetMetaDataInternalInterface-0x3229f clr+0x33669 @ 0x6fbd3669
CreateAssemblyNameObject+0x6268 GetMetaDataInternalInterface-0x32207 clr+0x33701 @ 0x6fbd3701
CreateAssemblyNameObject+0x62aa GetMetaDataInternalInterface-0x321c5 clr+0x33743 @ 0x6fbd3743
CreateAssemblyNameObject+0x6503 GetMetaDataInternalInterface-0x31f6c clr+0x3399c @ 0x6fbd399c
CreateAssemblyNameObject+0x5ffd GetMetaDataInternalInterface-0x32472 clr+0x33496 @ 0x6fbd3496
CreateAssemblyNameObject+0x6c42 GetMetaDataInternalInterface-0x3182d clr+0x340db @ 0x6fbd40db
DllRegisterServerInternal+0x98c9 CoUninitializeEE-0x3b6f clr+0x1bcd5 @ 0x6fbbbcd5
DllUnregisterServerInternal-0x760b clr+0x2ae9 @ 0x6fba2ae9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 8b 01 8b 40 28 ff 10 c7 45 e4 00 00 00 00 c7 45
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x877186
registers.esp: 3658092
registers.edi: 3658112
registers.eax: 0
registers.ebp: 3658128
registers.edx: 195
registers.ebx: 3659760
registers.esi: 39833640
registers.ecx: 0
1 0 0

__exception__

 stacktrace: 
0x874e87
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
CoUninitializeEE+0xa5b4 CreateAssemblyNameObject-0x36a1 clr+0x29df8 @ 0x6fbc9df8
CoUninitializeEE+0xa5eb CreateAssemblyNameObject-0x366a clr+0x29e2f @ 0x6fbc9e2f
CoUninitializeEE+0xa6b9 CreateAssemblyNameObject-0x359c clr+0x29efd @ 0x6fbc9efd
CoUninitializeEE+0xa75e CreateAssemblyNameObject-0x34f7 clr+0x29fa2 @ 0x6fbc9fa2
PreBindAssemblyEx+0x6798 StrongNameSignatureVerification-0xb7b3 clr+0x17e303 @ 0x6fd1e303
sxsJitStartup-0x14c66 clrjit+0x3fc2e @ 0x738bfc2e
sxsJitStartup-0x36b91 clrjit+0x1dd03 @ 0x7389dd03
sxsJitStartup-0x52e34 clrjit+0x1a60 @ 0x73881a60
sxsJitStartup-0x52c52 clrjit+0x1c42 @ 0x73881c42
sxsJitStartup-0x52447 clrjit+0x244d @ 0x7388244d
sxsJitStartup-0x50878 clrjit+0x401c @ 0x7388401c
sxsJitStartup-0x50762 clrjit+0x4132 @ 0x73884132
sxsJitStartup-0x50612 clrjit+0x4282 @ 0x73884282
sxsJitStartup-0x502ff clrjit+0x4595 @ 0x73884595
CreateAssemblyNameObject+0x61d0 GetMetaDataInternalInterface-0x3229f clr+0x33669 @ 0x6fbd3669
CreateAssemblyNameObject+0x6268 GetMetaDataInternalInterface-0x32207 clr+0x33701 @ 0x6fbd3701
CreateAssemblyNameObject+0x62aa GetMetaDataInternalInterface-0x321c5 clr+0x33743 @ 0x6fbd3743
CreateAssemblyNameObject+0x6503 GetMetaDataInternalInterface-0x31f6c clr+0x3399c @ 0x6fbd399c
CreateAssemblyNameObject+0x5ffd GetMetaDataInternalInterface-0x32472 clr+0x33496 @ 0x6fbd3496
CreateAssemblyNameObject+0x6c42 GetMetaDataInternalInterface-0x3182d clr+0x340db @ 0x6fbd40db
DllRegisterServerInternal+0x98c9 CoUninitializeEE-0x3b6f clr+0x1bcd5 @ 0x6fbbbcd5
DllUnregisterServerInternal-0x760b clr+0x2ae9 @ 0x6fba2ae9
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 8b 01 8b 40 28 ff 10 c7 45 e4 00 00 00 00 c7 45
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x877186
registers.esp: 3658092
registers.edi: 3658112
registers.eax: 0
registers.ebp: 3658128
registers.edx: 195
registers.ebx: 3659760
registers.esi: 39861540
registers.ecx: 0
1 0 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 4748
region_size: 1376256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00790000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4748
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 4748
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6fba1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 4748
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6fba2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4748
region_size: 786432
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00790000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4748
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00810000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4748
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003a2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4748
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003d5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4748
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003db000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4748
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003d7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4748
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003bc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4748
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00870000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4748
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00871000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4748
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00875000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4748
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0076f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4748
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00760000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4748
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003c6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4748
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003ca000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4748
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003c7000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4748
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00876000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4748
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00877000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4748
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003aa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4748
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00878000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4748
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00879000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4748
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0087a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4748
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef50000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4748
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4748
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4748
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef58000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4748
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4748
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4748
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0087b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4748
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003ba000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4748
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0087d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4748
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003ac000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4748
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0087e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4748
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0087f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4748
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05df0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4748
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05df1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4748
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05df2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 4748
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05df3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 9468
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73772000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceExW

 total_number_of_free_bytes: 0
free_bytes_available: 13295476736
root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer
total_number_of_bytes: 0
1 1 0

GetDiskFreeSpaceExW

 total_number_of_free_bytes: 0
free_bytes_available: 13294841856
root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer
total_number_of_bytes: 0
1 1 0
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk
file C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\한글과컴퓨터\한컴 자동 업데이트.lnk
file C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Microsoft Office\Microsoft Office 도구\VBA 프로젝트용 디지털 인증서.lnk
file C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Python 2.7\Uninstall Python.lnk
file C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Microsoft Office\Microsoft Office Groove 2007.lnk
file C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\HttpWatch Professional Edition\HttpWatch Help.lnk
file C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Task Scheduler.lnk
file C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Sync Center.lnk
file C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\HttpWatch Professional Edition\HttpWatch Studio.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk
file C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Windows PowerShell Modules.lnk
file C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Component Services.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk
file C:\Users\test22\Links\Desktop.lnk
file C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Chrome.lnk
file C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\한글과컴퓨터\한컴오피스 한글 2010\한컴 사전.lnk
file C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows Anytime Upgrade.lnk
file C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk
file C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\한글과컴퓨터\한컴오피스 한글 2010\한컴 타자연습.lnk
file C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk
file C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Disk Cleanup.lnk
file C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Backup and Restore Center.lnk
file C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip Help.lnk
file C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Java\Get Help.lnk
file C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Java\Check For Updates.lnk
file C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
file C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Remote Desktop Connection.lnk
file C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip File Manager.lnk
file C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\한글과컴퓨터\한컴오피스 한글 2010\한컴오피스 한글 2010.lnk
file C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE.lnk
file C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk
file C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Microsoft Office\Microsoft Office Publisher 2007.lnk
file C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\한글과컴퓨터\한컴오피스 한글 2010\한컴 문서찾기.lnk
file C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\ShapeCollector.lnk
file C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Microsoft Office\Microsoft Office Excel 2007.lnk
file C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Sound Recorder.lnk
file C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Microsoft Office\Microsoft Office 도구\Microsoft Office 2007 언어 설정.lnk
file C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Security Configuration Management.lnk
file C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\한글과컴퓨터\한컴오피스 한글 2010\한컴 기본 설정.lnk
file C:\Users\All Users\Microsoft\Windows\Start Menu\Default Programs.lnk
file C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\displayswitch.lnk
file C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\iSCSI Initiator.lnk
file C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Math Input Panel.lnk
file C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Data Sources (ODBC).lnk
file C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Python 2.7\IDLE (Python GUI).lnk
file C:\Users\All Users\Microsoft\Windows\Start Menu\한컴 사전.lnk
file C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\HttpWatch Professional Edition\Automation Examples.lnk
file C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Mobility Center.lnk
file C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Windows Easy Transfer.lnk
file C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Windows Journal.lnk
file C:\Users\test22\Links\Downloads.lnk
cmdline "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\test22\AppData\Local\Temp\client1122.exe
cmdline "schtasks" /DELETE /TN "Raccine Rules Updater" /F
cmdline cmd.exe "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\test22\AppData\Local\Temp\client1122.exe
cmdline "cmd.exe" /c rd /s /q D:\\$Recycle.bin
cmdline "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
cmdline "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
file C:\Users\test22\AppData\Local\Temp\client1122.exe
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "RaccineSettings.exe")
Time & API Arguments Status Return Repeated

CreateProcessInternalW

 thread_identifier: 8780
thread_handle: 0x000002f0
process_identifier: 7960
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "taskkill" /F /IM RaccineSettings.exe
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x000002fc
1 1 0

CreateProcessInternalW

 thread_identifier: 5980
thread_handle: 0x000002f0
process_identifier: 8800
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x00000300
1 1 0

CreateProcessInternalW

 thread_identifier: 8620
thread_handle: 0x000002f0
process_identifier: 4716
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "reg" delete HKCU\Software\Raccine /F
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x00000308
1 1 0

CreateProcessInternalW

 thread_identifier: 7236
thread_handle: 0x000002f0
process_identifier: 2848
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "schtasks" /DELETE /TN "Raccine Rules Updater" /F
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x00000310
1 1 0

CreateProcessInternalW

 thread_identifier: 3624
thread_handle: 0x0000032c
process_identifier: 6200
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x00000338
1 1 0

CreateProcessInternalW

 thread_identifier: 6472
thread_handle: 0x0000032c
process_identifier: 4496
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "cmd.exe" /c rd /s /q D:\\$Recycle.bin
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x0000033c
1 1 0

CreateProcessInternalW

 thread_identifier: 3812
thread_handle: 0x0000032c
process_identifier: 4120
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "sc.exe" config Dnscache start= auto
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x0000038c
1 1 0

CreateProcessInternalW

 thread_identifier: 6744
thread_handle: 0x0000032c
process_identifier: 8772
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "sc.exe" config FDResPub start= auto
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x00000390
1 1 0

CreateProcessInternalW

 thread_identifier: 6444
thread_handle: 0x0000032c
process_identifier: 6080
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "sc.exe" config SQLTELEMETRY start= disabled
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x00000398
1 1 0

CreateProcessInternalW

 thread_identifier: 4420
thread_handle: 0x0000032c
process_identifier: 3180
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x000003a0
1 1 0

CreateProcessInternalW

 thread_identifier: 7012
thread_handle: 0x0000032c
process_identifier: 8248
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "sc.exe" config SSDPSRV start= auto
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x000003a8
1 1 0

CreateProcessInternalW

 thread_identifier: 3080
thread_handle: 0x0000032c
process_identifier: 4104
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x000003b0
1 1 0

CreateProcessInternalW

 thread_identifier: 3632
thread_handle: 0x0000032c
process_identifier: 2736
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "sc.exe" config SstpSvc start= disabled
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x000003b8
1 1 0

CreateProcessInternalW

 thread_identifier: 2700
thread_handle: 0x0000032c
process_identifier: 7304
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x000003c0
1 1 0

CreateProcessInternalW

 thread_identifier: 6708
thread_handle: 0x00000330
process_identifier: 6688
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "sc.exe" config upnphost start= auto
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x000003d0
1 1 0

CreateProcessInternalW

 thread_identifier: 1032
thread_handle: 0x00000330
process_identifier: 2000
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "sc.exe" config SQLWriter start= disabled
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x000003d8
1 1 0

CreateProcessInternalW

 thread_identifier: 7808
thread_handle: 0x000003f0
process_identifier: 1596
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "net.exe" start Dnscache /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x00000330
1 1 0

CreateProcessInternalW

 thread_identifier: 1348
thread_handle: 0x000003f0
process_identifier: 4340
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "net.exe" start FDResPub /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x00000430
1 1 0

CreateProcessInternalW

 thread_identifier: 448
thread_handle: 0x0000043c
process_identifier: 2300
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "net.exe" stop bedbg /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x0000045c
1 1 0

CreateProcessInternalW

 thread_identifier: 2564
thread_handle: 0x0000043c
process_identifier: 1536
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "net.exe" start SSDPSRV /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x00000498
1 1 0

CreateProcessInternalW

 thread_identifier: 6344
thread_handle: 0x0000043c
process_identifier: 2308
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "net.exe" stop MSSQL$SQL_2008 /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x000004c4
1 1 0

CreateProcessInternalW

 thread_identifier: 3984
thread_handle: 0x00000440
process_identifier: 5624
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "net.exe" stop avpsus /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x0000049c
1 1 0

CreateProcessInternalW

 thread_identifier: 5452
thread_handle: 0x000004e4
process_identifier: 4860
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "net.exe" stop EhttpSrv /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x000004f4
1 1 0

CreateProcessInternalW

 thread_identifier: 6368
thread_handle: 0x00000504
process_identifier: 2488
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "net.exe" start upnphost /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x000004fc
1 1 0

CreateProcessInternalW

 thread_identifier: 7708
thread_handle: 0x00000500
process_identifier: 7904
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "net.exe" stop MSSQL$SQLEXPRESS /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x00000518
1 1 0

CreateProcessInternalW

 thread_identifier: 5924
thread_handle: 0x00000500
process_identifier: 108
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "net.exe" stop McAfeeDLPAgentService /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x00000568
1 1 0

CreateProcessInternalW

 thread_identifier: 3808
thread_handle: 0x00000500
process_identifier: 8436
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "net.exe" stop MMS /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x0000056c
1 1 0

CreateProcessInternalW

 thread_identifier: 648
thread_handle: 0x00000500
process_identifier: 1924
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "net.exe" stop mfewc /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x00000570
1 1 0

CreateProcessInternalW

 thread_identifier: 4060
thread_handle: 0x00000500
process_identifier: 852
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "net.exe" stop ekrn /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x00000308
1 1 0

CreateProcessInternalW

 thread_identifier: 6800
thread_handle: 0x00000500
process_identifier: 6276
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "net.exe" stop ccEvtMgr /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x000003a8
1 1 0

CreateProcessInternalW

 thread_identifier: 4436
thread_handle: 0x00000500
process_identifier: 1936
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "net.exe" stop mozyprobackup /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x00000570
1 1 0

CreateProcessInternalW

 thread_identifier: 6832
thread_handle: 0x00000500
process_identifier: 3440
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "net.exe" stop BMR Boot Service /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x0000049c
1 1 0

CreateProcessInternalW

 thread_identifier: 8132
thread_handle: 0x00000500
process_identifier: 8796
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "net.exe" stop MSSQL$TPS /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x000003c0
1 1 0

CreateProcessInternalW

 thread_identifier: 560
thread_handle: 0x00000500
process_identifier: 6672
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "net.exe" stop MSSQL$SYSTEM_BGC /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x000003d0
1 1 0

CreateProcessInternalW

 thread_identifier: 3200
thread_handle: 0x00000564
process_identifier: 2892
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "net.exe" stop ccSetMgr /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x00000330
1 1 0

CreateProcessInternalW

 thread_identifier: 2740
thread_handle: 0x00000564
process_identifier: 5444
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "net.exe" stop NetBackup BMR MTFTP Service /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x00000310
1 1 0

CreateProcessInternalW

 thread_identifier: 6520
thread_handle: 0x00000564
process_identifier: 2304
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "net.exe" stop EPSecurityService /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x000003c0
1 1 0

CreateProcessInternalW

 thread_identifier: 2292
thread_handle: 0x00000564
process_identifier: 5200
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "net.exe" stop EPUpdateService /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x000003a8
1 1 0

CreateProcessInternalW

 thread_identifier: 4048
thread_handle: 0x000003c0
process_identifier: 8344
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "net.exe" stop SavRoam /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x00000390
1 1 0

CreateProcessInternalW

 thread_identifier: 8360
thread_handle: 0x00000390
process_identifier: 6716
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "net.exe" stop DefWatch /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x00000564
1 1 0

CreateProcessInternalW

 thread_identifier: 6236
thread_handle: 0x00000390
process_identifier: 2072
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x000003a8
1 1 0

CreateProcessInternalW

 thread_identifier: 5832
thread_handle: 0x00000564
process_identifier: 4668
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "net.exe" stop ntrtscan /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x000003c0
1 1 0

CreateProcessInternalW

 thread_identifier: 1900
thread_handle: 0x00000564
process_identifier: 7712
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "net.exe" stop RTVscan /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x00000310
1 1 0

CreateProcessInternalW

 thread_identifier: 7456
thread_handle: 0x00000564
process_identifier: 3988
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "net.exe" stop QBFCService /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x000003b0
1 1 0

CreateProcessInternalW

 thread_identifier: 3276
thread_handle: 0x00000564
process_identifier: 6000
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "net.exe" stop EsgShKernel /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x000003d0
1 1 0

CreateProcessInternalW

 thread_identifier: 8112
thread_handle: 0x00000564
process_identifier: 2980
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "net.exe" stop MSSQL$TPSAMA /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x000003c0
1 1 0

CreateProcessInternalW

 thread_identifier: 7492
thread_handle: 0x00000564
process_identifier: 4056
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "net.exe" stop VSNAPVSS /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x00000308
1 1 0

CreateProcessInternalW

 thread_identifier: 6968
thread_handle: 0x00000564
process_identifier: 8200
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "net.exe" stop QBIDPService /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x00000308
1 1 0

CreateProcessInternalW

 thread_identifier: 7028
thread_handle: 0x00000564
process_identifier: 3336
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "net.exe" stop PDVFSService /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x00000390
1 1 0

CreateProcessInternalW

 thread_identifier: 1852
thread_handle: 0x00000390
process_identifier: 2752
current_directory: C:\Users\test22\AppData\Local\Temp
filepath:
track: 1
command_line: "net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 1
process_handle: 0x00000564
1 1 0
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
cmdline "net.exe" stop SDRSVC /y
cmdline "net.exe" stop SamSs /y
cmdline "net.exe" start SSDPSRV /y
cmdline "net.exe" start FDResPub /y
cmdline "net.exe" stop SQLAgent$CITRIX_METAFRAME /y
cmdline "net.exe" stop MSSQLFDLauncher$SQL_2008 /y
cmdline "net.exe" stop Smcinst /y
cmdline "net.exe" stop msftesql$PROD /y
cmdline "net.exe" stop EPUpdateService /y
cmdline "net.exe" stop “Sophos AutoUpdate Service” /y
cmdline "net.exe" stop “Sophos Device Control Service” /y
cmdline "net.exe" start Dnscache /y
cmdline "net.exe" stop MSSQLServerADHelper100 /y
cmdline "net.exe" stop BMR Boot Service /y
cmdline "net.exe" stop “SQLsafe Filter Service” /y
cmdline "net.exe" stop DefWatch /y
cmdline "net.exe" stop MSSQL$PRACTTICEBGC /y
cmdline "net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
cmdline "net.exe" stop VeeamBackupSvc /y
cmdline "net.exe" stop MBAMService /y
cmdline "net.exe" stop MSSQL$TPSAMA /y
cmdline "net.exe" stop QBIDPService /y
cmdline "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
cmdline "net.exe" stop McShield /y
cmdline "net.exe" stop sms_site_sql_backup /y
cmdline "net.exe" stop QBFCService /y
cmdline "net.exe" stop McAfeeDLPAgentService /y
cmdline "net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
cmdline "net.exe" stop mfefire /y
cmdline "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
cmdline "net.exe" stop QBCFMonitorService /y
cmdline "net.exe" stop “Sophos Safestore Service” /y
cmdline "net.exe" stop SQLAgent$SBSMONITORING /y
cmdline "net.exe" stop MSExchangeIS /y
cmdline "net.exe" stop MSSQL$BKUPEXEC /y
cmdline "net.exe" stop “Enterprise Client Service” /y
cmdline "net.exe" stop SmcService /y
cmdline "net.exe" stop EhttpSrv /y
cmdline "net.exe" stop MSSQL$SQL_2008 /y
cmdline "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\test22\AppData\Local\Temp\client1122.exe
cmdline "schtasks" /DELETE /TN "Raccine Rules Updater" /F
cmdline "net.exe" stop audioendpointbuilder /y
cmdline "net.exe" stop “Veeam Backup Catalog Data Service” /y
cmdline "net.exe" stop bedbg /y
cmdline "net.exe" stop “intel(r) proset monitoring service” /y
cmdline "net.exe" stop McAfeeFrameworkMcAfeeFramework /y
cmdline "net.exe" stop KAVFS /y
cmdline "net.exe" stop “Zoolz 2 Service” /y
cmdline "net.exe" stop AcronisAgent /y
cmdline cmd.exe "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\test22\AppData\Local\Temp\client1122.exe
host 172.217.25.14
file C:\Users\All Users\Microsoft\Microsoft Antimalware\Network Inspection System\Support\NisLog.txt
file C:\Users\All Users\Microsoft\Microsoft Antimalware\Network Inspection System\Support\NisLog.txt.reofgv
file C:\Windows\Sandboxie.ini
file C:\Users\All Users\Microsoft\Microsoft Security Client\Support\Application.etl
file C:\Users\All Users\Microsoft\Microsoft Security Client\Support\EppOobe.etl
file C:\Users\All Users\Microsoft\Microsoft Security Client\Support\EppSetup.log
file C:\Users\All Users\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_4.10.209.0_epp_Uninstall.log
file C:\Users\All Users\Microsoft\Microsoft Security Client\Support\EppSetupResult.ini
file C:\Users\All Users\Microsoft\Microsoft Security Client\Support\EppSetup.etl
file C:\Users\All Users\Microsoft\Microsoft Security Client\Support\MSSecurityClient_Setup_4.10.209.0_epp_Install.log
Time & API Arguments Status Return Repeated

ControlService

 service_handle: 0x0048ebd8
service_name: AudioSrv
control_code: 1
1 1 0

ControlService

 service_handle: 0x0048e8e0
service_name: AUDIOENDPOINTBUILDER
control_code: 1
1 1 0
Time & API Arguments Status Return Repeated

NtQuerySystemInformation

 information_class: 8 (SystemProcessorPerformanceInformation)
1 0 0
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk
cmdline "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
cmdline "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
file C:\Python27\agent.pyw
file C:\tmpzdcjvb\analyzer.py
file C:\Windows\bootstat.dat
file C:\Python27\tcl\tcl8.5\encoding\iso2022-kr.enc
file C:\Python27\tcl\tcl8.5\encoding\iso8859-3.enc
file C:\Python27\tcl\tcl8.5\encoding\euc-cn.enc
file C:\Python27\tcl\tcl8.5\encoding\cp857.enc
file C:\Python27\tcl\tcl8.5\encoding\macIceland.enc
file C:\Python27\tcl\tcl8.5\encoding\macCyrillic.enc
file C:\Python27\tcl\tcl8.5\encoding\iso8859-8.enc
file C:\Python27\tcl\tcl8.5\encoding\cp860.enc
file C:\Python27\tcl\tcl8.5\encoding\iso8859-10.enc
file C:\Python27\tcl\tcl8.5\encoding\ksc5601.enc
file C:\Python27\tcl\tcl8.5\encoding\gb12345.enc
file C:\Python27\tcl\tcl8.5\encoding\cp1254.enc
file C:\Python27\tcl\tcl8.5\encoding\cp1255.enc
file C:\Python27\tcl\tcl8.5\encoding\iso8859-2.enc
file C:\Python27\tcl\tcl8.5\encoding\macGreek.enc
file C:\Python27\tcl\tcl8.5\encoding\cp437.enc
file C:\Python27\tcl\tcl8.5\encoding\cp775.enc
file C:\Python27\tcl\tcl8.5\encoding\big5.enc
file C:\Python27\tcl\tcl8.5\encoding\cp936.enc
file C:\Python27\tcl\tcl8.5\encoding\cp869.enc
file C:\Python27\tcl\tcl8.5\encoding\iso8859-5.enc
file C:\Python27\tcl\tcl8.5\encoding\cp949.enc
file C:\Python27\tcl\tcl8.5\encoding\ascii.enc
file C:\Python27\tcl\tcl8.5\encoding\macRoman.enc
file C:\Python27\tcl\tcl8.5\encoding\gb1988.enc
file C:\Python27\tcl\tcl8.5\encoding\iso8859-15.enc
file C:\Python27\tcl\tcl8.5\encoding\ebcdic.enc
file C:\Python27\tcl\tcl8.5\encoding\macThai.enc
file C:\Python27\tcl\tcl8.5\encoding\cp865.enc
file C:\Python27\tcl\tcl8.5\encoding\shiftjis.enc
file C:\Python27\tcl\tcl8.5\encoding\macCentEuro.enc
file C:\Python27\tcl\tcl8.5\encoding\cp850.enc
file C:\Python27\tcl\tcl8.5\encoding\jis0212.enc
file C:\Python27\tcl\tcl8.5\encoding\cp1251.enc
file C:\Python27\tcl\tcl8.5\encoding\iso8859-9.enc
file C:\Python27\tcl\tcl8.5\encoding\euc-jp.enc
file C:\Python27\tcl\tcl8.5\encoding\euc-kr.enc
file C:\Python27\tcl\tcl8.5\encoding\iso2022-jp.enc
file C:\Python27\tcl\tcl8.5\encoding\macTurkish.enc
file C:\Python27\tcl\tcl8.5\encoding\iso8859-1.enc
file C:\Python27\tcl\tcl8.5\encoding\cp866.enc
file C:\Python27\tcl\tcl8.5\encoding\macRomania.enc
file C:\Python27\tcl\tcl8.5\encoding\jis0201.enc
file C:\Python27\tcl\tcl8.5\encoding\macDingbats.enc
file C:\Python27\tcl\tcl8.5\encoding\iso8859-4.enc
file C:\Python27\tcl\tcl8.5\encoding\cp1250.enc
file C:\Python27\tcl\tcl8.5\encoding\cp862.enc
file C:\Python27\tcl\tcl8.5\encoding\cp864.enc
file C:\Python27\tcl\tcl8.5\encoding\koi8-r.enc
file C:\Python27\tcl\tcl8.5\encoding\koi8-u.enc
file C:\Users\test22\AppData\Local\Temp\RESTORE_FILES_INFO.txt
file C:\Users\test22\Desktop\RESTORE_FILES_INFO.txt
Time & API Arguments Status Return Repeated

MoveFileWithProgressW

 newfilepath_r: C:\readme.txt.reofgv
flags: 2
oldfilepath_r: C:\readme.txt
newfilepath: C:\readme.txt.reofgv
oldfilepath: C:\readme.txt
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Windows\bootstat.dat.reofgv
flags: 2
oldfilepath_r: C:\Windows\bootstat.dat
newfilepath: C:\Windows\bootstat.dat.reofgv
oldfilepath: C:\Windows\bootstat.dat
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\util\mini-KMS_Activator_v1.1_Office.2010.VL.ENG.txt.reofgv
flags: 2
oldfilepath_r: C:\util\mini-KMS_Activator_v1.1_Office.2010.VL.ENG.txt
newfilepath: C:\util\mini-KMS_Activator_v1.1_Office.2010.VL.ENG.txt.reofgv
oldfilepath: C:\util\mini-KMS_Activator_v1.1_Office.2010.VL.ENG.txt
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\util\TCPView\Eula.txt.reofgv
flags: 2
oldfilepath_r: C:\util\TCPView\Eula.txt
newfilepath: C:\util\TCPView\Eula.txt.reofgv
oldfilepath: C:\util\TCPView\Eula.txt
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\util\ProcessMonitor\Eula.txt.reofgv
flags: 2
oldfilepath_r: C:\util\ProcessMonitor\Eula.txt
newfilepath: C:\util\ProcessMonitor\Eula.txt.reofgv
oldfilepath: C:\util\ProcessMonitor\Eula.txt
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\ATwjKHHgPIXqpQbCw.doc.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\ATwjKHHgPIXqpQbCw.doc
newfilepath: C:\Users\test22\Documents\ATwjKHHgPIXqpQbCw.doc.reofgv
oldfilepath: C:\Users\test22\Documents\ATwjKHHgPIXqpQbCw.doc
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\axTZwDBeUngqBG.ppt.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\axTZwDBeUngqBG.ppt
newfilepath: C:\Users\test22\Documents\axTZwDBeUngqBG.ppt.reofgv
oldfilepath: C:\Users\test22\Documents\axTZwDBeUngqBG.ppt
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\CJgZNzWBCXYHnBkZq.txt.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\CJgZNzWBCXYHnBkZq.txt
newfilepath: C:\Users\test22\Documents\CJgZNzWBCXYHnBkZq.txt.reofgv
oldfilepath: C:\Users\test22\Documents\CJgZNzWBCXYHnBkZq.txt
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\cXMLMLMlMJidCP.doc.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\cXMLMLMlMJidCP.doc
newfilepath: C:\Users\test22\Documents\cXMLMLMlMJidCP.doc.reofgv
oldfilepath: C:\Users\test22\Documents\cXMLMLMlMJidCP.doc
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\epgqtXtRZvwmrmF.docx.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\epgqtXtRZvwmrmF.docx
newfilepath: C:\Users\test22\Documents\epgqtXtRZvwmrmF.docx.reofgv
oldfilepath: C:\Users\test22\Documents\epgqtXtRZvwmrmF.docx
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\FAaWoqRZplEQFsGvV.docm.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\FAaWoqRZplEQFsGvV.docm
newfilepath: C:\Users\test22\Documents\FAaWoqRZplEQFsGvV.docm.reofgv
oldfilepath: C:\Users\test22\Documents\FAaWoqRZplEQFsGvV.docm
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\ffsCATZyHNmKwxF.rtf.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\ffsCATZyHNmKwxF.rtf
newfilepath: C:\Users\test22\Documents\ffsCATZyHNmKwxF.rtf.reofgv
oldfilepath: C:\Users\test22\Documents\ffsCATZyHNmKwxF.rtf
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\FOwRatdvSt.docm.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\FOwRatdvSt.docm
newfilepath: C:\Users\test22\Documents\FOwRatdvSt.docm.reofgv
oldfilepath: C:\Users\test22\Documents\FOwRatdvSt.docm
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\fTiSpCrSio.doc.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\fTiSpCrSio.doc
newfilepath: C:\Users\test22\Documents\fTiSpCrSio.doc.reofgv
oldfilepath: C:\Users\test22\Documents\fTiSpCrSio.doc
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\gRTPjfsvFz.doc.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\gRTPjfsvFz.doc
newfilepath: C:\Users\test22\Documents\gRTPjfsvFz.doc.reofgv
oldfilepath: C:\Users\test22\Documents\gRTPjfsvFz.doc
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\gxeffFGQwhrjD.rtf.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\gxeffFGQwhrjD.rtf
newfilepath: C:\Users\test22\Documents\gxeffFGQwhrjD.rtf.reofgv
oldfilepath: C:\Users\test22\Documents\gxeffFGQwhrjD.rtf
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\ifsjIZDoQsdGp.docx.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\ifsjIZDoQsdGp.docx
newfilepath: C:\Users\test22\Documents\ifsjIZDoQsdGp.docx.reofgv
oldfilepath: C:\Users\test22\Documents\ifsjIZDoQsdGp.docx
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\JDHeJjBWHuxqp.doc.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\JDHeJjBWHuxqp.doc
newfilepath: C:\Users\test22\Documents\JDHeJjBWHuxqp.doc.reofgv
oldfilepath: C:\Users\test22\Documents\JDHeJjBWHuxqp.doc
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\JeEyGbNjUWjVuZ.docx.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\JeEyGbNjUWjVuZ.docx
newfilepath: C:\Users\test22\Documents\JeEyGbNjUWjVuZ.docx.reofgv
oldfilepath: C:\Users\test22\Documents\JeEyGbNjUWjVuZ.docx
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\jsGIrPlHsPM.txt.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\jsGIrPlHsPM.txt
newfilepath: C:\Users\test22\Documents\jsGIrPlHsPM.txt.reofgv
oldfilepath: C:\Users\test22\Documents\jsGIrPlHsPM.txt
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\NyWPrKiMApAFxUeZ.doc.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\NyWPrKiMApAFxUeZ.doc
newfilepath: C:\Users\test22\Documents\NyWPrKiMApAFxUeZ.doc.reofgv
oldfilepath: C:\Users\test22\Documents\NyWPrKiMApAFxUeZ.doc
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\ONyeiyAHXnG.docx.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\ONyeiyAHXnG.docx
newfilepath: C:\Users\test22\Documents\ONyeiyAHXnG.docx.reofgv
oldfilepath: C:\Users\test22\Documents\ONyeiyAHXnG.docx
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\QAXyTXeWuxZprZY.rtf.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\QAXyTXeWuxZprZY.rtf
newfilepath: C:\Users\test22\Documents\QAXyTXeWuxZprZY.rtf.reofgv
oldfilepath: C:\Users\test22\Documents\QAXyTXeWuxZprZY.rtf
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\QcXmfONaPB.docm.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\QcXmfONaPB.docm
newfilepath: C:\Users\test22\Documents\QcXmfONaPB.docm.reofgv
oldfilepath: C:\Users\test22\Documents\QcXmfONaPB.docm
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\readme.cpp.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\readme.cpp
newfilepath: C:\Users\test22\Documents\readme.cpp.reofgv
oldfilepath: C:\Users\test22\Documents\readme.cpp
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\readme.doc.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\readme.doc
newfilepath: C:\Users\test22\Documents\readme.doc.reofgv
oldfilepath: C:\Users\test22\Documents\readme.doc
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\readme.hwp.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\readme.hwp
newfilepath: C:\Users\test22\Documents\readme.hwp.reofgv
oldfilepath: C:\Users\test22\Documents\readme.hwp
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\readme.txt.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\readme.txt
newfilepath: C:\Users\test22\Documents\readme.txt.reofgv
oldfilepath: C:\Users\test22\Documents\readme.txt
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\readme.xls.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\readme.xls
newfilepath: C:\Users\test22\Documents\readme.xls.reofgv
oldfilepath: C:\Users\test22\Documents\readme.xls
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\sByekmDWYN.docm.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\sByekmDWYN.docm
newfilepath: C:\Users\test22\Documents\sByekmDWYN.docm.reofgv
oldfilepath: C:\Users\test22\Documents\sByekmDWYN.docm
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\tbGINJnrMNdr.docx.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\tbGINJnrMNdr.docx
newfilepath: C:\Users\test22\Documents\tbGINJnrMNdr.docx.reofgv
oldfilepath: C:\Users\test22\Documents\tbGINJnrMNdr.docx
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\WmXfDlmbAt.doc.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\WmXfDlmbAt.doc
newfilepath: C:\Users\test22\Documents\WmXfDlmbAt.doc.reofgv
oldfilepath: C:\Users\test22\Documents\WmXfDlmbAt.doc
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\xTgoutelmxZUthF.rtf.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\xTgoutelmxZUthF.rtf
newfilepath: C:\Users\test22\Documents\xTgoutelmxZUthF.rtf.reofgv
oldfilepath: C:\Users\test22\Documents\xTgoutelmxZUthF.rtf
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\ZyMQVIOJRV.rtf.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\ZyMQVIOJRV.rtf
newfilepath: C:\Users\test22\Documents\ZyMQVIOJRV.rtf.reofgv
oldfilepath: C:\Users\test22\Documents\ZyMQVIOJRV.rtf
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Desktop\readme.txt.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Desktop\readme.txt
newfilepath: C:\Users\test22\Desktop\readme.txt.reofgv
oldfilepath: C:\Users\test22\Desktop\readme.txt
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.reofgv
flags: 2
oldfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg
newfilepath: C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.reofgv
oldfilepath: C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.reofgv
flags: 2
oldfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Desert.jpg
newfilepath: C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.reofgv
oldfilepath: C:\Users\Public\Pictures\Sample Pictures\Desert.jpg
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.reofgv
flags: 2
oldfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg
newfilepath: C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.reofgv
oldfilepath: C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.reofgv
flags: 2
oldfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg
newfilepath: C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.reofgv
oldfilepath: C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.reofgv
flags: 2
oldfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Koala.jpg
newfilepath: C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.reofgv
oldfilepath: C:\Users\Public\Pictures\Sample Pictures\Koala.jpg
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.reofgv
flags: 2
oldfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg
newfilepath: C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.reofgv
oldfilepath: C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.reofgv
flags: 2
oldfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg
newfilepath: C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.reofgv
oldfilepath: C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.reofgv
flags: 2
oldfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg
newfilepath: C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.reofgv
oldfilepath: C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\All Users\Microsoft\Windows NT\MSScan\WelcomeScan.jpg.reofgv
flags: 2
oldfilepath_r: C:\Users\All Users\Microsoft\Windows NT\MSScan\WelcomeScan.jpg
newfilepath: C:\Users\All Users\Microsoft\Windows NT\MSScan\WelcomeScan.jpg.reofgv
oldfilepath: C:\Users\All Users\Microsoft\Windows NT\MSScan\WelcomeScan.jpg
0 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\All Users\Microsoft\Windows\Power Efficiency Diagnostics\energy-report.html.reofgv
flags: 2
oldfilepath_r: C:\Users\All Users\Microsoft\Windows\Power Efficiency Diagnostics\energy-report.html
newfilepath: C:\Users\All Users\Microsoft\Windows\Power Efficiency Diagnostics\energy-report.html.reofgv
oldfilepath: C:\Users\All Users\Microsoft\Windows\Power Efficiency Diagnostics\energy-report.html
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\tmp.edb.reofgv
flags: 2
oldfilepath_r: C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\tmp.edb
newfilepath: C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\tmp.edb.reofgv
oldfilepath: C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\tmp.edb
0 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Windows.edb.reofgv
flags: 2
oldfilepath_r: C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Windows.edb
newfilepath: C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Windows.edb.reofgv
oldfilepath: C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Windows.edb
0 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\All Users\Microsoft\RAC\StateData\RacMetaData.dat.reofgv
flags: 2
oldfilepath_r: C:\Users\All Users\Microsoft\RAC\StateData\RacMetaData.dat
newfilepath: C:\Users\All Users\Microsoft\RAC\StateData\RacMetaData.dat.reofgv
oldfilepath: C:\Users\All Users\Microsoft\RAC\StateData\RacMetaData.dat
0 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\All Users\Microsoft\OFFICE\DATA\opa12.dat.reofgv
flags: 2
oldfilepath_r: C:\Users\All Users\Microsoft\OFFICE\DATA\opa12.dat
newfilepath: C:\Users\All Users\Microsoft\OFFICE\DATA\opa12.dat.reofgv
oldfilepath: C:\Users\All Users\Microsoft\OFFICE\DATA\opa12.dat
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat.reofgv
flags: 2
oldfilepath_r: C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat
newfilepath: C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat.reofgv
oldfilepath: C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat
0 0
Time & API Arguments Status Return Repeated

MoveFileWithProgressW

 newfilepath_r: C:\readme.txt.reofgv
flags: 2
oldfilepath_r: C:\readme.txt
newfilepath: C:\readme.txt.reofgv
oldfilepath: C:\readme.txt
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Windows\bootstat.dat.reofgv
flags: 2
oldfilepath_r: C:\Windows\bootstat.dat
newfilepath: C:\Windows\bootstat.dat.reofgv
oldfilepath: C:\Windows\bootstat.dat
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\util\mini-KMS_Activator_v1.1_Office.2010.VL.ENG.txt.reofgv
flags: 2
oldfilepath_r: C:\util\mini-KMS_Activator_v1.1_Office.2010.VL.ENG.txt
newfilepath: C:\util\mini-KMS_Activator_v1.1_Office.2010.VL.ENG.txt.reofgv
oldfilepath: C:\util\mini-KMS_Activator_v1.1_Office.2010.VL.ENG.txt
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\util\TCPView\Eula.txt.reofgv
flags: 2
oldfilepath_r: C:\util\TCPView\Eula.txt
newfilepath: C:\util\TCPView\Eula.txt.reofgv
oldfilepath: C:\util\TCPView\Eula.txt
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\util\ProcessMonitor\Eula.txt.reofgv
flags: 2
oldfilepath_r: C:\util\ProcessMonitor\Eula.txt
newfilepath: C:\util\ProcessMonitor\Eula.txt.reofgv
oldfilepath: C:\util\ProcessMonitor\Eula.txt
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\ATwjKHHgPIXqpQbCw.doc.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\ATwjKHHgPIXqpQbCw.doc
newfilepath: C:\Users\test22\Documents\ATwjKHHgPIXqpQbCw.doc.reofgv
oldfilepath: C:\Users\test22\Documents\ATwjKHHgPIXqpQbCw.doc
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\axTZwDBeUngqBG.ppt.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\axTZwDBeUngqBG.ppt
newfilepath: C:\Users\test22\Documents\axTZwDBeUngqBG.ppt.reofgv
oldfilepath: C:\Users\test22\Documents\axTZwDBeUngqBG.ppt
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\CJgZNzWBCXYHnBkZq.txt.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\CJgZNzWBCXYHnBkZq.txt
newfilepath: C:\Users\test22\Documents\CJgZNzWBCXYHnBkZq.txt.reofgv
oldfilepath: C:\Users\test22\Documents\CJgZNzWBCXYHnBkZq.txt
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\cXMLMLMlMJidCP.doc.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\cXMLMLMlMJidCP.doc
newfilepath: C:\Users\test22\Documents\cXMLMLMlMJidCP.doc.reofgv
oldfilepath: C:\Users\test22\Documents\cXMLMLMlMJidCP.doc
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\epgqtXtRZvwmrmF.docx.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\epgqtXtRZvwmrmF.docx
newfilepath: C:\Users\test22\Documents\epgqtXtRZvwmrmF.docx.reofgv
oldfilepath: C:\Users\test22\Documents\epgqtXtRZvwmrmF.docx
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\FAaWoqRZplEQFsGvV.docm.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\FAaWoqRZplEQFsGvV.docm
newfilepath: C:\Users\test22\Documents\FAaWoqRZplEQFsGvV.docm.reofgv
oldfilepath: C:\Users\test22\Documents\FAaWoqRZplEQFsGvV.docm
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\ffsCATZyHNmKwxF.rtf.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\ffsCATZyHNmKwxF.rtf
newfilepath: C:\Users\test22\Documents\ffsCATZyHNmKwxF.rtf.reofgv
oldfilepath: C:\Users\test22\Documents\ffsCATZyHNmKwxF.rtf
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\FOwRatdvSt.docm.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\FOwRatdvSt.docm
newfilepath: C:\Users\test22\Documents\FOwRatdvSt.docm.reofgv
oldfilepath: C:\Users\test22\Documents\FOwRatdvSt.docm
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\fTiSpCrSio.doc.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\fTiSpCrSio.doc
newfilepath: C:\Users\test22\Documents\fTiSpCrSio.doc.reofgv
oldfilepath: C:\Users\test22\Documents\fTiSpCrSio.doc
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\gRTPjfsvFz.doc.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\gRTPjfsvFz.doc
newfilepath: C:\Users\test22\Documents\gRTPjfsvFz.doc.reofgv
oldfilepath: C:\Users\test22\Documents\gRTPjfsvFz.doc
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\gxeffFGQwhrjD.rtf.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\gxeffFGQwhrjD.rtf
newfilepath: C:\Users\test22\Documents\gxeffFGQwhrjD.rtf.reofgv
oldfilepath: C:\Users\test22\Documents\gxeffFGQwhrjD.rtf
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\ifsjIZDoQsdGp.docx.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\ifsjIZDoQsdGp.docx
newfilepath: C:\Users\test22\Documents\ifsjIZDoQsdGp.docx.reofgv
oldfilepath: C:\Users\test22\Documents\ifsjIZDoQsdGp.docx
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\JDHeJjBWHuxqp.doc.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\JDHeJjBWHuxqp.doc
newfilepath: C:\Users\test22\Documents\JDHeJjBWHuxqp.doc.reofgv
oldfilepath: C:\Users\test22\Documents\JDHeJjBWHuxqp.doc
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\JeEyGbNjUWjVuZ.docx.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\JeEyGbNjUWjVuZ.docx
newfilepath: C:\Users\test22\Documents\JeEyGbNjUWjVuZ.docx.reofgv
oldfilepath: C:\Users\test22\Documents\JeEyGbNjUWjVuZ.docx
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\jsGIrPlHsPM.txt.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\jsGIrPlHsPM.txt
newfilepath: C:\Users\test22\Documents\jsGIrPlHsPM.txt.reofgv
oldfilepath: C:\Users\test22\Documents\jsGIrPlHsPM.txt
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\NyWPrKiMApAFxUeZ.doc.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\NyWPrKiMApAFxUeZ.doc
newfilepath: C:\Users\test22\Documents\NyWPrKiMApAFxUeZ.doc.reofgv
oldfilepath: C:\Users\test22\Documents\NyWPrKiMApAFxUeZ.doc
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\ONyeiyAHXnG.docx.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\ONyeiyAHXnG.docx
newfilepath: C:\Users\test22\Documents\ONyeiyAHXnG.docx.reofgv
oldfilepath: C:\Users\test22\Documents\ONyeiyAHXnG.docx
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\QAXyTXeWuxZprZY.rtf.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\QAXyTXeWuxZprZY.rtf
newfilepath: C:\Users\test22\Documents\QAXyTXeWuxZprZY.rtf.reofgv
oldfilepath: C:\Users\test22\Documents\QAXyTXeWuxZprZY.rtf
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\QcXmfONaPB.docm.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\QcXmfONaPB.docm
newfilepath: C:\Users\test22\Documents\QcXmfONaPB.docm.reofgv
oldfilepath: C:\Users\test22\Documents\QcXmfONaPB.docm
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\readme.cpp.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\readme.cpp
newfilepath: C:\Users\test22\Documents\readme.cpp.reofgv
oldfilepath: C:\Users\test22\Documents\readme.cpp
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\readme.doc.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\readme.doc
newfilepath: C:\Users\test22\Documents\readme.doc.reofgv
oldfilepath: C:\Users\test22\Documents\readme.doc
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\readme.hwp.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\readme.hwp
newfilepath: C:\Users\test22\Documents\readme.hwp.reofgv
oldfilepath: C:\Users\test22\Documents\readme.hwp
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\readme.txt.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\readme.txt
newfilepath: C:\Users\test22\Documents\readme.txt.reofgv
oldfilepath: C:\Users\test22\Documents\readme.txt
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\readme.xls.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\readme.xls
newfilepath: C:\Users\test22\Documents\readme.xls.reofgv
oldfilepath: C:\Users\test22\Documents\readme.xls
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\sByekmDWYN.docm.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\sByekmDWYN.docm
newfilepath: C:\Users\test22\Documents\sByekmDWYN.docm.reofgv
oldfilepath: C:\Users\test22\Documents\sByekmDWYN.docm
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\tbGINJnrMNdr.docx.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\tbGINJnrMNdr.docx
newfilepath: C:\Users\test22\Documents\tbGINJnrMNdr.docx.reofgv
oldfilepath: C:\Users\test22\Documents\tbGINJnrMNdr.docx
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\WmXfDlmbAt.doc.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\WmXfDlmbAt.doc
newfilepath: C:\Users\test22\Documents\WmXfDlmbAt.doc.reofgv
oldfilepath: C:\Users\test22\Documents\WmXfDlmbAt.doc
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\xTgoutelmxZUthF.rtf.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\xTgoutelmxZUthF.rtf
newfilepath: C:\Users\test22\Documents\xTgoutelmxZUthF.rtf.reofgv
oldfilepath: C:\Users\test22\Documents\xTgoutelmxZUthF.rtf
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Documents\ZyMQVIOJRV.rtf.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Documents\ZyMQVIOJRV.rtf
newfilepath: C:\Users\test22\Documents\ZyMQVIOJRV.rtf.reofgv
oldfilepath: C:\Users\test22\Documents\ZyMQVIOJRV.rtf
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\test22\Desktop\readme.txt.reofgv
flags: 2
oldfilepath_r: C:\Users\test22\Desktop\readme.txt
newfilepath: C:\Users\test22\Desktop\readme.txt.reofgv
oldfilepath: C:\Users\test22\Desktop\readme.txt
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.reofgv
flags: 2
oldfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg
newfilepath: C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.reofgv
oldfilepath: C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.reofgv
flags: 2
oldfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Desert.jpg
newfilepath: C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.reofgv
oldfilepath: C:\Users\Public\Pictures\Sample Pictures\Desert.jpg
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.reofgv
flags: 2
oldfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg
newfilepath: C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.reofgv
oldfilepath: C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.reofgv
flags: 2
oldfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg
newfilepath: C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.reofgv
oldfilepath: C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.reofgv
flags: 2
oldfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Koala.jpg
newfilepath: C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.reofgv
oldfilepath: C:\Users\Public\Pictures\Sample Pictures\Koala.jpg
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.reofgv
flags: 2
oldfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg
newfilepath: C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.reofgv
oldfilepath: C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.reofgv
flags: 2
oldfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg
newfilepath: C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.reofgv
oldfilepath: C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.reofgv
flags: 2
oldfilepath_r: C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg
newfilepath: C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.reofgv
oldfilepath: C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\All Users\Microsoft\Windows NT\MSScan\WelcomeScan.jpg.reofgv
flags: 2
oldfilepath_r: C:\Users\All Users\Microsoft\Windows NT\MSScan\WelcomeScan.jpg
newfilepath: C:\Users\All Users\Microsoft\Windows NT\MSScan\WelcomeScan.jpg.reofgv
oldfilepath: C:\Users\All Users\Microsoft\Windows NT\MSScan\WelcomeScan.jpg
0 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\All Users\Microsoft\Windows\Power Efficiency Diagnostics\energy-report.html.reofgv
flags: 2
oldfilepath_r: C:\Users\All Users\Microsoft\Windows\Power Efficiency Diagnostics\energy-report.html
newfilepath: C:\Users\All Users\Microsoft\Windows\Power Efficiency Diagnostics\energy-report.html.reofgv
oldfilepath: C:\Users\All Users\Microsoft\Windows\Power Efficiency Diagnostics\energy-report.html
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\tmp.edb.reofgv
flags: 2
oldfilepath_r: C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\tmp.edb
newfilepath: C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\tmp.edb.reofgv
oldfilepath: C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\tmp.edb
0 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Windows.edb.reofgv
flags: 2
oldfilepath_r: C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Windows.edb
newfilepath: C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Windows.edb.reofgv
oldfilepath: C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Windows.edb
0 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\All Users\Microsoft\RAC\StateData\RacMetaData.dat.reofgv
flags: 2
oldfilepath_r: C:\Users\All Users\Microsoft\RAC\StateData\RacMetaData.dat
newfilepath: C:\Users\All Users\Microsoft\RAC\StateData\RacMetaData.dat.reofgv
oldfilepath: C:\Users\All Users\Microsoft\RAC\StateData\RacMetaData.dat
0 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\All Users\Microsoft\OFFICE\DATA\opa12.dat.reofgv
flags: 2
oldfilepath_r: C:\Users\All Users\Microsoft\OFFICE\DATA\opa12.dat
newfilepath: C:\Users\All Users\Microsoft\OFFICE\DATA\opa12.dat.reofgv
oldfilepath: C:\Users\All Users\Microsoft\OFFICE\DATA\opa12.dat
1 1 0

MoveFileWithProgressW

 newfilepath_r: C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat.reofgv
flags: 2
oldfilepath_r: C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat
newfilepath: C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat.reofgv
oldfilepath: C:\Users\All Users\Microsoft\Network\Downloader\qmgr0.dat
0 0
file C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.reofgv
file C:\Python27\Lib\test\cjkencodings\big5hkscs.txt.reofgv
file C:\Python27\click\click_image\attach.png.reofgv
file C:\Python27\tcl\tk8.5\images\logo64.gif.reofgv
file C:\Python27\tcl\tk8.5\msgs\da.msg.reofgv
file C:\Python27\Lib\email\test\data\msg_11.txt.reofgv
file C:\Python27\Lib\test\ssl_key.passwd.pem.reofgv
file C:\Python27\Lib\site-packages\PyScreeze-0.1.26-py2.7.egg-info\installed-files.txt.reofgv
file C:\Python27\Lib\site-packages\PyGetWindow-0.0.8-py2.7.egg-info\requires.txt.reofgv
file C:\Python27\tcl\tix8.4.3\pref\WmDefault.txt.reofgv
file C:\Python27\Lib\email\test\data\msg_30.txt.reofgv
file C:\Python27\Lib\test\cjkencodings\shift_jisx0213.txt.reofgv
file C:\Python27\Lib\email\test\data\msg_29.txt.reofgv
file C:\Python27\tcl\tcl8.5\msgs\fa.msg.reofgv
file C:\Python27\tcl\tix8.4.3\pref\SGIGray.cs.reofgv
file C:\Python27\tcl\tcl8.5\msgs\ga.msg.reofgv
file C:\Python27\Lib\email\test\data\msg_25.txt.reofgv
file C:\Python27\tcl\tcl8.5\msgs\nl.msg.reofgv
file C:\Python27\tcl\tix8.4.3\bitmaps\file.gif.reofgv
file C:\Python27\tcl\tix8.4.3\bitmaps\no_entry.gif.reofgv
file C:\Python27\Lib\test\cjkencodings\big5hkscs-utf8.txt.reofgv
file C:\Python27\tcl\tcl8.5\tzdata\Iceland.reofgv
file C:\Python27\tcl\tk8.5\images\logoLarge.gif.reofgv
file C:\Users\test22\Documents\gxeffFGQwhrjD.rtf.reofgv
file C:\Python27\Tools\pynche\webcolors.txt.reofgv
file C:\Python27\tcl\tk8.5\images\pwrdLogo200.gif.reofgv
file C:\Python27\Lib\idlelib\NEWS.txt.reofgv
file C:\Python27\tcl\tcl8.5\msgs\de_be.msg.reofgv
file C:\Python27\Lib\site-packages\README.txt.reofgv
file C:\Python27\Lib\email\test\data\msg_28.txt.reofgv
file C:\Python27\Lib\test\audiodata\pluck-pcm32.wav.reofgv
file C:\Python27\Lib\test\cjkencodings\big5.txt.reofgv
file C:\Python27\Lib\test\nullbytecert.pem.reofgv
file C:\Users\test22\Documents\sByekmDWYN.docm.reofgv
file C:\Python27\tcl\tcl8.5\msgs\zh_cn.msg.reofgv
file C:\Python27\tcl\tcl8.5\msgs\es_sv.msg.reofgv
file C:\Python27\Lib\test\floating_points.txt.reofgv
file C:\Python27\Lib\test\test_doctest4.txt.reofgv
file C:\Python27\tcl\tcl8.5\msgs\ga_ie.msg.reofgv
file C:\Python27\Lib\test\audiodata\pluck-pcm16.wav.reofgv
file C:\Python27\tcl\tcl8.5\tzdata\Canada\Newfoundland.reofgv
file C:\Python27\tcl\tcl8.5\msgs\hi_in.msg.reofgv
file C:\Python27\Lib\email\test\data\msg_18.txt.reofgv
file C:\util\TCPView\Eula.txt.reofgv
file C:\Python27\Lib\test\cjkencodings\euc_jp-utf8.txt.reofgv
file C:\Python27\click\click\click_image\exec1.png.reofgv
file C:\Python27\Lib\email\test\data\msg_12a.txt.reofgv
file C:\Python27\Lib\test\ffdh3072.pem.reofgv
file C:\Python27\tcl\tcl8.5\msgs\es.msg.reofgv
file C:\Python27\tcl\tcl8.5\msgs\nb.msg.reofgv
Elastic malicious (high confidence)
MicroWorld-eScan Gen:Heur.MSIL.Bladabindi.1
FireEye Generic.mg.7bf8da9ae283c60e
ALYac Trojan.Ransom.Thanos
Cylance Unsafe
Zillya Trojan.Filecoder.Win32.18350
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan ( 005689411 )
Alibaba Ransom:MSIL/Cryptolocker.7be74f43
K7GW Trojan ( 005689411 )
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.MSIL.Bladabindi.1
BitDefenderTheta Gen:NN.ZemsilF.34688.fm0@am7DGxg
Cyren W32/A-770b6427!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of MSIL/Filecoder.Thanos.A
TrendMicro-HouseCall Ransom.MSIL.THANOS.SM
Avast Win32:RansomX-gen [Ransom]
Kaspersky HEUR:Trojan-Ransom.MSIL.Crypren.gen
BitDefender Gen:Heur.MSIL.Bladabindi.1
Paloalto generic.ml
AegisLab Trojan.MSIL.Crypren.j!c
APEX Malicious
Rising Ransom.Crypren!8.1D6C (CLOUD)
Ad-Aware Gen:Heur.MSIL.Bladabindi.1
Sophos Mal/Generic-R + Mal/Hakbit-A
F-Secure Heuristic.HEUR/AGEN.1141108
DrWeb Trojan.EncoderNET.31368
VIPRE Trojan.Win32.Generic!BT
TrendMicro Ransom.MSIL.THANOS.SM
McAfee-GW-Edition BehavesLike.Win32.Generic.nh
Emsisoft Gen:Heur.MSIL.Bladabindi.1 (B)
Ikarus Trojan-Ransom.Thanos
Webroot W32.Trojan.Gen
Avira HEUR/AGEN.1142063
Gridinsoft Ransom.Win32.AI.sa
Microsoft Ransom:MSIL/Cryptolocker.PDN!MTB
ZoneAlarm HEUR:Trojan-Ransom.MSIL.Crypren.gen
GData Gen:Heur.MSIL.Bladabindi.1
Cynet Malicious (score: 100)
AhnLab-V3 Malware/Win32.RL_Generic.C4219461
McAfee Ransom-Thanos!7BF8DA9AE283
MAX malware (ai score=100)
VBA32 TScope.Trojan.MSIL
Malwarebytes Malware.AI.2022078683
Tencent Msil.Trojan.Crypren.Ammq
SentinelOne Static AI - Malicious PE
Fortinet MSIL/Thanos.A!tr.ransom
AVG Win32:RansomX-gen [Ransom]
Cybereason malicious.ae283c