ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

Analysis

max time kernel
58s
resource
win7

Sharing

Copy URL

Twitter E-mail

General

Target

wanacryptor.exe
Sample

190914-r8yvytde4n
SHA256

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

Score

N/A

Malware Config

Signatures

Views/modifies file attributes 1 TTPs
evasion

Suspicious use of WriteProcessMemory 17 IoCs

at	description	Process	procid_target
1934	PID 1396 wrote to memory of 1340	wanacryptor.exe	26
1981	PID 1396 wrote to memory of 844	wanacryptor.exe	28
3962	PID 1396 wrote to memory of 2036	wanacryptor.exe	30
4243	PID 1396 wrote to memory of 2024	wanacryptor.exe	31
4945	PID 2024 wrote to memory of 1992	cmd.exe	33
26083	PID 1396 wrote to memory of 1948	wanacryptor.exe	35
26146	PID 1396 wrote to memory of 1852	wanacryptor.exe	36
26286	PID 1852 wrote to memory of 1112	cmd.exe	38
31871	PID 1948 wrote to memory of 1676	@[email protected]	40
34039	PID 1396 wrote to memory of 1168	wanacryptor.exe	42
34164	PID 1396 wrote to memory of 1276	wanacryptor.exe	43
34305	PID 1396 wrote to memory of 1184	wanacryptor.exe	44
34414	PID 1396 wrote to memory of 2020	wanacryptor.exe	45
35147	PID 2020 wrote to memory of 1804	cmd.exe	47
38875	PID 1112 wrote to memory of 1220	@[email protected]	48
39016	PID 1220 wrote to memory of 2008	cmd.exe	50
40326	PID 1220 wrote to memory of 944	cmd.exe	52

Modifies file permissions 1 TTPs

File and Directory Permissions Modification
T1222
Loads dropped DLL
Executes dropped EXE

Wannacry file encrypt 396 IoCs

at	description	ioc	Process
4321	File renamed	C:\Users\Admin\Desktop\BlockEnable.docx.WNCRYT => C:\Users\Admin\Desktop\BlockEnable.docx.WNCRY	wanacryptor.exe
4321	File opened for modification	C:\Users\Admin\Desktop\BlockEnable.docx.WNCRY	wanacryptor.exe
4477	File renamed	C:\Users\Admin\Desktop\CloseStart.dotx.WNCRYT => C:\Users\Admin\Desktop\CloseStart.dotx.WNCRY	wanacryptor.exe
4477	File opened for modification	C:\Users\Admin\Desktop\CloseStart.dotx.WNCRY	wanacryptor.exe
4602	File renamed	C:\Users\Admin\Desktop\CopyPing.bat.WNCRYT => C:\Users\Admin\Desktop\CopyPing.bat.WNCRY	wanacryptor.exe
4602	File opened for modification	C:\Users\Admin\Desktop\CopyPing.bat.WNCRY	wanacryptor.exe
4711	File renamed	C:\Users\Admin\Desktop\DisconnectBlock.7z.WNCRYT => C:\Users\Admin\Desktop\DisconnectBlock.7z.WNCRY	wanacryptor.exe
4711	File opened for modification	C:\Users\Admin\Desktop\DisconnectBlock.7z.WNCRY	wanacryptor.exe
4789	File renamed	C:\Users\Admin\Desktop\ExportEnter.zip.WNCRYT => C:\Users\Admin\Desktop\ExportEnter.zip.WNCRY	wanacryptor.exe
4789	File opened for modification	C:\Users\Admin\Desktop\ExportEnter.zip.WNCRY	wanacryptor.exe
5008	File renamed	C:\Users\Admin\Desktop\HideOut.potx.WNCRYT => C:\Users\Admin\Desktop\HideOut.potx.WNCRY	wanacryptor.exe
5008	File opened for modification	C:\Users\Admin\Desktop\HideOut.potx.WNCRY	wanacryptor.exe
5132	File renamed	C:\Users\Admin\Desktop\LimitSave.tiff.WNCRYT => C:\Users\Admin\Desktop\LimitSave.tiff.WNCRY	wanacryptor.exe
5132	File opened for modification	C:\Users\Admin\Desktop\LimitSave.tiff.WNCRY	wanacryptor.exe
5226	File renamed	C:\Users\Admin\Desktop\PublishUnblock.3gp.WNCRYT => C:\Users\Admin\Desktop\PublishUnblock.3gp.WNCRY	wanacryptor.exe
5226	File opened for modification	C:\Users\Admin\Desktop\PublishUnblock.3gp.WNCRY	wanacryptor.exe
5366	File renamed	C:\Users\Admin\Desktop\RequestPop.xlsb.WNCRYT => C:\Users\Admin\Desktop\RequestPop.xlsb.WNCRY	wanacryptor.exe
5366	File opened for modification	C:\Users\Admin\Desktop\RequestPop.xlsb.WNCRY	wanacryptor.exe
5522	File renamed	C:\Users\Admin\Desktop\UnprotectJoin.mp3.WNCRYT => C:\Users\Admin\Desktop\UnprotectJoin.mp3.WNCRY	wanacryptor.exe
5522	File opened for modification	C:\Users\Admin\Desktop\UnprotectJoin.mp3.WNCRY	wanacryptor.exe
5741	File renamed	C:\Users\Admin\Documents\ExitFind.doc.WNCRYT => C:\Users\Admin\Documents\ExitFind.doc.WNCRY	wanacryptor.exe
5741	File opened for modification	C:\Users\Admin\Documents\ExitFind.doc.WNCRY	wanacryptor.exe
5819	File renamed	C:\Users\Admin\Documents\Files.docx.WNCRYT => C:\Users\Admin\Documents\Files.docx.WNCRY	wanacryptor.exe
5819	File opened for modification	C:\Users\Admin\Documents\Files.docx.WNCRY	wanacryptor.exe
6053	File renamed	C:\Users\Admin\Documents\MergeMount.pptx.WNCRYT => C:\Users\Admin\Documents\MergeMount.pptx.WNCRY	wanacryptor.exe
6053	File opened for modification	C:\Users\Admin\Documents\MergeMount.pptx.WNCRY	wanacryptor.exe
6240	File renamed	C:\Users\Admin\Documents\Opened.docx.WNCRYT => C:\Users\Admin\Documents\Opened.docx.WNCRY	wanacryptor.exe
6240	File opened for modification	C:\Users\Admin\Documents\Opened.docx.WNCRY	wanacryptor.exe
6396	File renamed	C:\Users\Admin\Documents\OpenSwitch.csv.WNCRYT => C:\Users\Admin\Documents\OpenSwitch.csv.WNCRY	wanacryptor.exe
6396	File opened for modification	C:\Users\Admin\Documents\OpenSwitch.csv.WNCRY	wanacryptor.exe
6505	File renamed	C:\Users\Admin\Documents\Recently.docx.WNCRYT => C:\Users\Admin\Documents\Recently.docx.WNCRY	wanacryptor.exe
6505	File opened for modification	C:\Users\Admin\Documents\Recently.docx.WNCRY	wanacryptor.exe
6677	File renamed	C:\Users\Admin\Documents\RemoveCompare.ppt.WNCRYT => C:\Users\Admin\Documents\RemoveCompare.ppt.WNCRY	wanacryptor.exe
6677	File opened for modification	C:\Users\Admin\Documents\RemoveCompare.ppt.WNCRY	wanacryptor.exe
6864	File renamed	C:\Users\Admin\Documents\UndoMount.vsd.WNCRYT => C:\Users\Admin\Documents\UndoMount.vsd.WNCRY	wanacryptor.exe
6864	File opened for modification	C:\Users\Admin\Documents\UndoMount.vsd.WNCRY	wanacryptor.exe
7098	File renamed	C:\Users\Admin\Documents\DenyBackup.xlt.WNCRYT => C:\Users\Admin\Documents\DenyBackup.xlt.WNCRY	wanacryptor.exe
7098	File opened for modification	C:\Users\Admin\Documents\DenyBackup.xlt.WNCRY	wanacryptor.exe
7285	File renamed	C:\Users\Admin\Documents\GrantPush.ppsm.WNCRYT => C:\Users\Admin\Documents\GrantPush.ppsm.WNCRY	wanacryptor.exe
7285	File opened for modification	C:\Users\Admin\Documents\GrantPush.ppsm.WNCRY	wanacryptor.exe
7441	File renamed	C:\Users\Admin\Documents\InstallBlock.xlt.WNCRYT => C:\Users\Admin\Documents\InstallBlock.xlt.WNCRY	wanacryptor.exe
7441	File opened for modification	C:\Users\Admin\Documents\InstallBlock.xlt.WNCRY	wanacryptor.exe
7597	File renamed	C:\Users\Admin\Documents\JoinLimit.ods.WNCRYT => C:\Users\Admin\Documents\JoinLimit.ods.WNCRY	wanacryptor.exe
7597	File opened for modification	C:\Users\Admin\Documents\JoinLimit.ods.WNCRY	wanacryptor.exe
7722	File renamed	C:\Users\Admin\Documents\OutTest.xlt.WNCRYT => C:\Users\Admin\Documents\OutTest.xlt.WNCRY	wanacryptor.exe
7722	File opened for modification	C:\Users\Admin\Documents\OutTest.xlt.WNCRY	wanacryptor.exe
7847	File renamed	C:\Users\Admin\Documents\ProtectRename.ppsx.WNCRYT => C:\Users\Admin\Documents\ProtectRename.ppsx.WNCRY	wanacryptor.exe
7847	File opened for modification	C:\Users\Admin\Documents\ProtectRename.ppsx.WNCRY	wanacryptor.exe
8003	File renamed	C:\Users\Admin\Documents\ReadStart.dotm.WNCRYT => C:\Users\Admin\Documents\ReadStart.dotm.WNCRY	wanacryptor.exe
8003	File opened for modification	C:\Users\Admin\Documents\ReadStart.dotm.WNCRY	wanacryptor.exe
8221	File renamed	C:\Users\Admin\Documents\ReceiveRead.ppsx.WNCRYT => C:\Users\Admin\Documents\ReceiveRead.ppsx.WNCRY	wanacryptor.exe
8221	File opened for modification	C:\Users\Admin\Documents\ReceiveRead.ppsx.WNCRY	wanacryptor.exe
8362	File renamed	C:\Users\Admin\Documents\SearchPing.xltx.WNCRYT => C:\Users\Admin\Documents\SearchPing.xltx.WNCRY	wanacryptor.exe
8362	File opened for modification	C:\Users\Admin\Documents\SearchPing.xltx.WNCRY	wanacryptor.exe
8533	File renamed	C:\Users\Admin\Documents\SendEnter.potm.WNCRYT => C:\Users\Admin\Documents\SendEnter.potm.WNCRY	wanacryptor.exe
8533	File opened for modification	C:\Users\Admin\Documents\SendEnter.potm.WNCRY	wanacryptor.exe
8830	File renamed	C:\Users\Admin\Documents\SkipShow.pot.WNCRYT => C:\Users\Admin\Documents\SkipShow.pot.WNCRY	wanacryptor.exe
8830	File opened for modification	C:\Users\Admin\Documents\SkipShow.pot.WNCRY	wanacryptor.exe
9079	File renamed	C:\Users\Admin\Documents\SubmitMount.xltx.WNCRYT => C:\Users\Admin\Documents\SubmitMount.xltx.WNCRY	wanacryptor.exe
9079	File opened for modification	C:\Users\Admin\Documents\SubmitMount.xltx.WNCRY	wanacryptor.exe
9235	File renamed	C:\Users\Admin\Documents\SyncUninstall.ppsm.WNCRYT => C:\Users\Admin\Documents\SyncUninstall.ppsm.WNCRY	wanacryptor.exe
9235	File opened for modification	C:\Users\Admin\Documents\SyncUninstall.ppsm.WNCRY	wanacryptor.exe
9360	File renamed	C:\Users\Admin\Documents\UnpublishSplit.potx.WNCRYT => C:\Users\Admin\Documents\UnpublishSplit.potx.WNCRY	wanacryptor.exe
9360	File opened for modification	C:\Users\Admin\Documents\UnpublishSplit.potx.WNCRY	wanacryptor.exe
9500	File renamed	C:\Users\Admin\Documents\WaitGet.docm.WNCRYT => C:\Users\Admin\Documents\WaitGet.docm.WNCRY	wanacryptor.exe
9500	File opened for modification	C:\Users\Admin\Documents\WaitGet.docm.WNCRY	wanacryptor.exe
9968	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.WNCRY	wanacryptor.exe
9968	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.WNCRY	wanacryptor.exe
10343	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg.WNCRY	wanacryptor.exe
10343	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg.WNCRY	wanacryptor.exe
10343	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Blue_Gradient.jpg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Blue_Gradient.jpg.WNCRY	wanacryptor.exe
10343	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Blue_Gradient.jpg.WNCRY	wanacryptor.exe
10374	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Garden.jpg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Garden.jpg.WNCRY	wanacryptor.exe
10374	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Garden.jpg.WNCRY	wanacryptor.exe
10390	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\GreenBubbles.jpg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\GreenBubbles.jpg.WNCRY	wanacryptor.exe
10390	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\GreenBubbles.jpg.WNCRY	wanacryptor.exe
10421	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\HandPrints.jpg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\HandPrints.jpg.WNCRY	wanacryptor.exe
10421	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\HandPrints.jpg.WNCRY	wanacryptor.exe
10452	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Monet.jpg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Monet.jpg.WNCRY	wanacryptor.exe
10452	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Monet.jpg.WNCRY	wanacryptor.exe
10483	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Notebook.jpg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Notebook.jpg.WNCRY	wanacryptor.exe
10483	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Notebook.jpg.WNCRY	wanacryptor.exe
10514	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\OrangeCircles.jpg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\OrangeCircles.jpg.WNCRY	wanacryptor.exe
10514	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\OrangeCircles.jpg.WNCRY	wanacryptor.exe
10546	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Peacock.jpg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Peacock.jpg.WNCRY	wanacryptor.exe
10546	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Peacock.jpg.WNCRY	wanacryptor.exe
10561	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Pine_Lumber.jpg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Pine_Lumber.jpg.WNCRY	wanacryptor.exe
10561	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Pine_Lumber.jpg.WNCRY	wanacryptor.exe
10592	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Pretty_Peacock.jpg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Pretty_Peacock.jpg.WNCRY	wanacryptor.exe
10592	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Pretty_Peacock.jpg.WNCRY	wanacryptor.exe
10608	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Psychedelic.jpg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Psychedelic.jpg.WNCRY	wanacryptor.exe
10608	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Psychedelic.jpg.WNCRY	wanacryptor.exe
10608	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.jpg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.jpg.WNCRY	wanacryptor.exe
10608	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.jpg.WNCRY	wanacryptor.exe
10639	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Sand_Paper.jpg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Sand_Paper.jpg.WNCRY	wanacryptor.exe
10639	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Sand_Paper.jpg.WNCRY	wanacryptor.exe
10655	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\ShadesOfBlue.jpg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\ShadesOfBlue.jpg.WNCRY	wanacryptor.exe
10655	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\ShadesOfBlue.jpg.WNCRY	wanacryptor.exe
10670	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Small_News.jpg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Small_News.jpg.WNCRY	wanacryptor.exe
10670	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Small_News.jpg.WNCRY	wanacryptor.exe
10702	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\SoftBlue.jpg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\SoftBlue.jpg.WNCRY	wanacryptor.exe
10702	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\SoftBlue.jpg.WNCRY	wanacryptor.exe
10733	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.jpg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.jpg.WNCRY	wanacryptor.exe
10733	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.jpg.WNCRY	wanacryptor.exe
10748	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Tanspecks.jpg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Tanspecks.jpg.WNCRY	wanacryptor.exe
10748	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Tanspecks.jpg.WNCRY	wanacryptor.exe
10780	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\White_Chocolate.jpg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\White_Chocolate.jpg.WNCRY	wanacryptor.exe
10780	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\White_Chocolate.jpg.WNCRY	wanacryptor.exe
11294	File renamed	C:\Users\Admin\AppData\Roaming\JoinOut.doc.WNCRYT => C:\Users\Admin\AppData\Roaming\JoinOut.doc.WNCRY	wanacryptor.exe
11294	File opened for modification	C:\Users\Admin\AppData\Roaming\JoinOut.doc.WNCRY	wanacryptor.exe
11357	File renamed	C:\Users\Admin\AppData\Roaming\UnblockSwitch.jpeg.WNCRYT => C:\Users\Admin\AppData\Roaming\UnblockSwitch.jpeg.WNCRY	wanacryptor.exe
11357	File opened for modification	C:\Users\Admin\AppData\Roaming\UnblockSwitch.jpeg.WNCRY	wanacryptor.exe
11638	File renamed	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg.WNCRYT => C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg.WNCRY	wanacryptor.exe
11638	File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg.WNCRY	wanacryptor.exe
11731	File renamed	C:\Users\Admin\Downloads\DismountGrant.csv.WNCRYT => C:\Users\Admin\Downloads\DismountGrant.csv.WNCRY	wanacryptor.exe
11731	File opened for modification	C:\Users\Admin\Downloads\DismountGrant.csv.WNCRY	wanacryptor.exe
11762	File renamed	C:\Users\Admin\Downloads\RedoExport.jpg.WNCRYT => C:\Users\Admin\Downloads\RedoExport.jpg.WNCRY	wanacryptor.exe
11762	File opened for modification	C:\Users\Admin\Downloads\RedoExport.jpg.WNCRY	wanacryptor.exe
11778	File renamed	C:\Users\Admin\Downloads\RepairSelect.csv.WNCRYT => C:\Users\Admin\Downloads\RepairSelect.csv.WNCRY	wanacryptor.exe
11778	File opened for modification	C:\Users\Admin\Downloads\RepairSelect.csv.WNCRY	wanacryptor.exe
11872	File renamed	C:\Users\Admin\Music\GetDismount.xls.WNCRYT => C:\Users\Admin\Music\GetDismount.xls.WNCRY	wanacryptor.exe
11872	File opened for modification	C:\Users\Admin\Music\GetDismount.xls.WNCRY	wanacryptor.exe
11903	File renamed	C:\Users\Admin\Music\MergeDebug.pptx.WNCRYT => C:\Users\Admin\Music\MergeDebug.pptx.WNCRY	wanacryptor.exe
11903	File opened for modification	C:\Users\Admin\Music\MergeDebug.pptx.WNCRY	wanacryptor.exe
11965	File renamed	C:\Users\Admin\Pictures\ConvertInitialize.jpeg.WNCRYT => C:\Users\Admin\Pictures\ConvertInitialize.jpeg.WNCRY	wanacryptor.exe
11965	File opened for modification	C:\Users\Admin\Pictures\ConvertInitialize.jpeg.WNCRY	wanacryptor.exe
11996	File renamed	C:\Users\Admin\Pictures\DisableAdd.dwg.WNCRYT => C:\Users\Admin\Pictures\DisableAdd.dwg.WNCRY	wanacryptor.exe
11996	File opened for modification	C:\Users\Admin\Pictures\DisableAdd.dwg.WNCRY	wanacryptor.exe
12012	File renamed	C:\Users\Admin\Pictures\NewAdd.jpeg.WNCRYT => C:\Users\Admin\Pictures\NewAdd.jpeg.WNCRY	wanacryptor.exe
12012	File opened for modification	C:\Users\Admin\Pictures\NewAdd.jpeg.WNCRY	wanacryptor.exe
12043	File renamed	C:\Users\Admin\Pictures\RequestAdd.dwg.WNCRYT => C:\Users\Admin\Pictures\RequestAdd.dwg.WNCRY	wanacryptor.exe
12043	File opened for modification	C:\Users\Admin\Pictures\RequestAdd.dwg.WNCRY	wanacryptor.exe
12074	File renamed	C:\Users\Admin\Pictures\SaveOpen.dwg.WNCRYT => C:\Users\Admin\Pictures\SaveOpen.dwg.WNCRY	wanacryptor.exe
12074	File opened for modification	C:\Users\Admin\Pictures\SaveOpen.dwg.WNCRY	wanacryptor.exe
12090	File renamed	C:\Users\Admin\Pictures\SplitOpen.jpeg.WNCRYT => C:\Users\Admin\Pictures\SplitOpen.jpeg.WNCRY	wanacryptor.exe
12090	File opened for modification	C:\Users\Admin\Pictures\SplitOpen.jpeg.WNCRY	wanacryptor.exe
12262	File renamed	C:\Users\Admin\Pictures\SplitStop.dwg.WNCRYT => C:\Users\Admin\Pictures\SplitStop.dwg.WNCRY	wanacryptor.exe
12262	File opened for modification	C:\Users\Admin\Pictures\SplitStop.dwg.WNCRY	wanacryptor.exe
12277	File renamed	C:\Users\Admin\Pictures\UnpublishRedo.jpg.WNCRYT => C:\Users\Admin\Pictures\UnpublishRedo.jpg.WNCRY	wanacryptor.exe
12277	File opened for modification	C:\Users\Admin\Pictures\UnpublishRedo.jpg.WNCRY	wanacryptor.exe
12308	File renamed	C:\Users\Admin\Pictures\Wallpaper.jpg.WNCRYT => C:\Users\Admin\Pictures\Wallpaper.jpg.WNCRY	wanacryptor.exe
12308	File opened for modification	C:\Users\Admin\Pictures\Wallpaper.jpg.WNCRY	wanacryptor.exe
13182	File renamed	C:\ProgramData\Microsoft\Windows NT\MSScan\WelcomeScan.jpg.WNCRYT => C:\Users\All Users\Microsoft\Windows NT\MSScan\WelcomeScan.jpg.WNCRY	wanacryptor.exe
13182	File opened for modification	C:\Users\All Users\Microsoft\Windows NT\MSScan\WelcomeScan.jpg.WNCRY	wanacryptor.exe
13572	File renamed	C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.WNCRYT => C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.WNCRY	wanacryptor.exe
13572	File opened for modification	C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.WNCRY	wanacryptor.exe
13603	File renamed	C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.WNCRYT => C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.WNCRY	wanacryptor.exe
13603	File opened for modification	C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.WNCRY	wanacryptor.exe
13634	File renamed	C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.WNCRYT => C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.WNCRY	wanacryptor.exe
13634	File opened for modification	C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.WNCRY	wanacryptor.exe
13666	File renamed	C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.WNCRYT => C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.WNCRY	wanacryptor.exe
13666	File opened for modification	C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.WNCRY	wanacryptor.exe
13697	File renamed	C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.WNCRYT => C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.WNCRY	wanacryptor.exe
13697	File opened for modification	C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.WNCRY	wanacryptor.exe
13712	File renamed	C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.WNCRYT => C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.WNCRY	wanacryptor.exe
13712	File opened for modification	C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.WNCRY	wanacryptor.exe
13744	File renamed	C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.WNCRYT => C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.WNCRY	wanacryptor.exe
13744	File opened for modification	C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.WNCRY	wanacryptor.exe
13775	File renamed	C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.WNCRYT => C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.WNCRY	wanacryptor.exe
13775	File opened for modification	C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.WNCRY	wanacryptor.exe
13837	File renamed	C:\Users\Admin\AppData\Local\IconCache.db.WNCRYT => C:\Users\Admin\AppData\Local\IconCache.db.WNCRY	wanacryptor.exe
13837	File opened for modification	C:\Users\Admin\AppData\Local\IconCache.db.WNCRY	wanacryptor.exe
13837	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.bak.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.bak.WNCRY	wanacryptor.exe
13837	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.bak.WNCRY	wanacryptor.exe
13868	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db.WNCRY	wanacryptor.exe
13868	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db.WNCRY	wanacryptor.exe
13868	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db.WNCRY	wanacryptor.exe
13868	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db.WNCRY	wanacryptor.exe
13884	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Cave_Drawings.gif.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Cave_Drawings.gif.WNCRY	wanacryptor.exe
13884	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Cave_Drawings.gif.WNCRY	wanacryptor.exe
13900	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Connectivity.gif.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Connectivity.gif.WNCRY	wanacryptor.exe
13900	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Connectivity.gif.WNCRY	wanacryptor.exe
13915	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Stucco.gif.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Stucco.gif.WNCRY	wanacryptor.exe
13915	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Stucco.gif.WNCRY	wanacryptor.exe
13915	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Tiki.gif.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Tiki.gif.WNCRY	wanacryptor.exe
13915	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Tiki.gif.WNCRY	wanacryptor.exe
13931	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Wrinkled_Paper.gif.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Wrinkled_Paper.gif.WNCRY	wanacryptor.exe
13931	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Wrinkled_Paper.gif.WNCRY	wanacryptor.exe
13993	File renamed	C:\Users\Admin\AppData\Roaming\GetConnect.rar.WNCRYT => C:\Users\Admin\AppData\Roaming\GetConnect.rar.WNCRY	wanacryptor.exe
13993	File opened for modification	C:\Users\Admin\AppData\Roaming\GetConnect.rar.WNCRY	wanacryptor.exe
14024	File renamed	C:\Users\Admin\AppData\Roaming\TraceStop.asf.WNCRYT => C:\Users\Admin\AppData\Roaming\TraceStop.asf.WNCRY	wanacryptor.exe
14024	File opened for modification	C:\Users\Admin\AppData\Roaming\TraceStop.asf.WNCRY	wanacryptor.exe
14180	File renamed	C:\Users\Admin\AppData\Roaming\Microsoft\Document Building Blocks\1033\14\Built-In Building Blocks.dotx.WNCRYT => C:\Users\Admin\AppData\Roaming\Microsoft\Document Building Blocks\1033\14\Built-In Building Blocks.dotx.WNCRY	wanacryptor.exe
14180	File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Document Building Blocks\1033\14\Built-In Building Blocks.dotx.WNCRY	wanacryptor.exe
14212	File renamed	C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm.WNCRYT => C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm.WNCRY	wanacryptor.exe
14212	File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm.WNCRY	wanacryptor.exe
14243	File renamed	C:\Users\Admin\Downloads\ClearRemove.pps.WNCRYT => C:\Users\Admin\Downloads\ClearRemove.pps.WNCRY	wanacryptor.exe
14243	File opened for modification	C:\Users\Admin\Downloads\ClearRemove.pps.WNCRY	wanacryptor.exe
14274	File renamed	C:\Users\Admin\Downloads\CompressUndo.png.WNCRYT => C:\Users\Admin\Downloads\CompressUndo.png.WNCRY	wanacryptor.exe
14274	File opened for modification	C:\Users\Admin\Downloads\CompressUndo.png.WNCRY	wanacryptor.exe
14305	File renamed	C:\Users\Admin\Downloads\ConfirmDisable.rar.WNCRYT => C:\Users\Admin\Downloads\ConfirmDisable.rar.WNCRY	wanacryptor.exe
14305	File opened for modification	C:\Users\Admin\Downloads\ConfirmDisable.rar.WNCRY	wanacryptor.exe
14336	File renamed	C:\Users\Admin\Downloads\ConvertFromNew.docm.WNCRYT => C:\Users\Admin\Downloads\ConvertFromNew.docm.WNCRY	wanacryptor.exe
14336	File opened for modification	C:\Users\Admin\Downloads\ConvertFromNew.docm.WNCRY	wanacryptor.exe
14368	File renamed	C:\Users\Admin\Downloads\ConvertToCopy.wma.WNCRYT => C:\Users\Admin\Downloads\ConvertToCopy.wma.WNCRY	wanacryptor.exe
14368	File opened for modification	C:\Users\Admin\Downloads\ConvertToCopy.wma.WNCRY	wanacryptor.exe
14383	File renamed	C:\Users\Admin\Downloads\ResetRedo.svg.WNCRYT => C:\Users\Admin\Downloads\ResetRedo.svg.WNCRY	wanacryptor.exe
14383	File opened for modification	C:\Users\Admin\Downloads\ResetRedo.svg.WNCRY	wanacryptor.exe
14414	File renamed	C:\Users\Admin\Downloads\SendStep.potm.WNCRYT => C:\Users\Admin\Downloads\SendStep.potm.WNCRY	wanacryptor.exe
14414	File opened for modification	C:\Users\Admin\Downloads\SendStep.potm.WNCRY	wanacryptor.exe
14446	File renamed	C:\Users\Admin\Downloads\StartAssert.mp3.WNCRYT => C:\Users\Admin\Downloads\StartAssert.mp3.WNCRY	wanacryptor.exe
14446	File opened for modification	C:\Users\Admin\Downloads\StartAssert.mp3.WNCRY	wanacryptor.exe
14461	File renamed	C:\Users\Admin\Downloads\TraceExpand.wmv.WNCRYT => C:\Users\Admin\Downloads\TraceExpand.wmv.WNCRY	wanacryptor.exe
14461	File opened for modification	C:\Users\Admin\Downloads\TraceExpand.wmv.WNCRY	wanacryptor.exe
14492	File renamed	C:\Users\Admin\Downloads\UnpublishSwitch.mp3.WNCRYT => C:\Users\Admin\Downloads\UnpublishSwitch.mp3.WNCRY	wanacryptor.exe
14492	File opened for modification	C:\Users\Admin\Downloads\UnpublishSwitch.mp3.WNCRY	wanacryptor.exe
14508	File renamed	C:\Users\Admin\Downloads\WatchCopy.vbs.WNCRYT => C:\Users\Admin\Downloads\WatchCopy.vbs.WNCRY	wanacryptor.exe
14508	File opened for modification	C:\Users\Admin\Downloads\WatchCopy.vbs.WNCRY	wanacryptor.exe
14539	File renamed	C:\Users\Admin\Music\CloseOut.7z.WNCRYT => C:\Users\Admin\Music\CloseOut.7z.WNCRY	wanacryptor.exe
14539	File opened for modification	C:\Users\Admin\Music\CloseOut.7z.WNCRY	wanacryptor.exe
14570	File renamed	C:\Users\Admin\Music\CloseStop.potx.WNCRYT => C:\Users\Admin\Music\CloseStop.potx.WNCRY	wanacryptor.exe
14570	File opened for modification	C:\Users\Admin\Music\CloseStop.potx.WNCRY	wanacryptor.exe
14602	File renamed	C:\Users\Admin\Music\CompressUnregister.gif.WNCRYT => C:\Users\Admin\Music\CompressUnregister.gif.WNCRY	wanacryptor.exe
14617	File opened for modification	C:\Users\Admin\Music\CompressUnregister.gif.WNCRY	wanacryptor.exe
14648	File renamed	C:\Users\Admin\Music\ConvertOut.ppsx.WNCRYT => C:\Users\Admin\Music\ConvertOut.ppsx.WNCRY	wanacryptor.exe
14648	File opened for modification	C:\Users\Admin\Music\ConvertOut.ppsx.WNCRY	wanacryptor.exe
14680	File renamed	C:\Users\Admin\Music\ConvertSet.asp.WNCRYT => C:\Users\Admin\Music\ConvertSet.asp.WNCRY	wanacryptor.exe
14680	File opened for modification	C:\Users\Admin\Music\ConvertSet.asp.WNCRY	wanacryptor.exe
14711	File renamed	C:\Users\Admin\Music\CopyAssert.bmp.WNCRYT => C:\Users\Admin\Music\CopyAssert.bmp.WNCRY	wanacryptor.exe
14711	File opened for modification	C:\Users\Admin\Music\CopyAssert.bmp.WNCRY	wanacryptor.exe
14742	File renamed	C:\Users\Admin\Music\DebugStart.m3u.WNCRYT => C:\Users\Admin\Music\DebugStart.m3u.WNCRY	wanacryptor.exe
14742	File opened for modification	C:\Users\Admin\Music\DebugStart.m3u.WNCRY	wanacryptor.exe
14758	File renamed	C:\Users\Admin\Music\DisableUse.docm.WNCRYT => C:\Users\Admin\Music\DisableUse.docm.WNCRY	wanacryptor.exe
14758	File opened for modification	C:\Users\Admin\Music\DisableUse.docm.WNCRY	wanacryptor.exe
14773	File renamed	C:\Users\Admin\Music\MeasureSave.ps1.WNCRYT => C:\Users\Admin\Music\MeasureSave.ps1.WNCRY	wanacryptor.exe
14773	File opened for modification	C:\Users\Admin\Music\MeasureSave.ps1.WNCRY	wanacryptor.exe
14820	File renamed	C:\Users\Admin\Music\RedoConvertTo.mid.WNCRYT => C:\Users\Admin\Music\RedoConvertTo.mid.WNCRY	wanacryptor.exe
14820	File opened for modification	C:\Users\Admin\Music\RedoConvertTo.mid.WNCRY	wanacryptor.exe
14882	File renamed	C:\Users\Admin\Music\ResetRevoke.wma.WNCRYT => C:\Users\Admin\Music\ResetRevoke.wma.WNCRY	wanacryptor.exe
14882	File opened for modification	C:\Users\Admin\Music\ResetRevoke.wma.WNCRY	wanacryptor.exe
14945	File renamed	C:\Users\Admin\Music\SetUnblock.png.WNCRYT => C:\Users\Admin\Music\SetUnblock.png.WNCRY	wanacryptor.exe
14945	File opened for modification	C:\Users\Admin\Music\SetUnblock.png.WNCRY	wanacryptor.exe
14976	File renamed	C:\Users\Admin\Pictures\ExitDismount.png.WNCRYT => C:\Users\Admin\Pictures\ExitDismount.png.WNCRY	wanacryptor.exe
14976	File opened for modification	C:\Users\Admin\Pictures\ExitDismount.png.WNCRY	wanacryptor.exe
15007	File renamed	C:\Users\Admin\Pictures\ImportApprove.png.WNCRYT => C:\Users\Admin\Pictures\ImportApprove.png.WNCRY	wanacryptor.exe
15007	File opened for modification	C:\Users\Admin\Pictures\ImportApprove.png.WNCRY	wanacryptor.exe
15023	File renamed	C:\Users\Admin\Pictures\LimitImport.raw.WNCRYT => C:\Users\Admin\Pictures\LimitImport.raw.WNCRY	wanacryptor.exe
15023	File opened for modification	C:\Users\Admin\Pictures\LimitImport.raw.WNCRY	wanacryptor.exe
15038	File renamed	C:\Users\Admin\Pictures\MoveNew.tiff.WNCRYT => C:\Users\Admin\Pictures\MoveNew.tiff.WNCRY	wanacryptor.exe
15038	File opened for modification	C:\Users\Admin\Pictures\MoveNew.tiff.WNCRY	wanacryptor.exe
15085	File renamed	C:\Users\Admin\Pictures\RenamePing.tif.WNCRYT => C:\Users\Admin\Pictures\RenamePing.tif.WNCRY	wanacryptor.exe
15085	File opened for modification	C:\Users\Admin\Pictures\RenamePing.tif.WNCRY	wanacryptor.exe
15101	File renamed	C:\Users\Admin\Pictures\RepairSwitch.png.WNCRYT => C:\Users\Admin\Pictures\RepairSwitch.png.WNCRY	wanacryptor.exe
15101	File opened for modification	C:\Users\Admin\Pictures\RepairSwitch.png.WNCRY	wanacryptor.exe
15116	File renamed	C:\Users\Admin\Pictures\ResolveSplit.png.WNCRYT => C:\Users\Admin\Pictures\ResolveSplit.png.WNCRY	wanacryptor.exe
15116	File opened for modification	C:\Users\Admin\Pictures\ResolveSplit.png.WNCRY	wanacryptor.exe
15132	File renamed	C:\Users\Admin\Pictures\RestartBackup.raw.WNCRYT => C:\Users\Admin\Pictures\RestartBackup.raw.WNCRY	wanacryptor.exe
15132	File opened for modification	C:\Users\Admin\Pictures\RestartBackup.raw.WNCRY	wanacryptor.exe
15148	File renamed	C:\Users\Admin\Pictures\TraceGrant.bmp.WNCRYT => C:\Users\Admin\Pictures\TraceGrant.bmp.WNCRY	wanacryptor.exe
15148	File opened for modification	C:\Users\Admin\Pictures\TraceGrant.bmp.WNCRY	wanacryptor.exe
15179	File renamed	C:\Users\Admin\Pictures\UseConvert.raw.WNCRYT => C:\Users\Admin\Pictures\UseConvert.raw.WNCRY	wanacryptor.exe
15179	File opened for modification	C:\Users\Admin\Pictures\UseConvert.raw.WNCRY	wanacryptor.exe
15210	File renamed	C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.WNCRYT => C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.WNCRY	wanacryptor.exe
15210	File opened for modification	C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.WNCRY	wanacryptor.exe
15226	File renamed	C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.WNCRYT => C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.WNCRY	wanacryptor.exe
15226	File opened for modification	C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.WNCRY	wanacryptor.exe
15226	File renamed	C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.WNCRYT => C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.WNCRY	wanacryptor.exe
15226	File opened for modification	C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.WNCRY	wanacryptor.exe
15241	File renamed	C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.WNCRYT => C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.WNCRY	wanacryptor.exe
15241	File opened for modification	C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.WNCRY	wanacryptor.exe
15272	File renamed	C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.WNCRYT => C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.WNCRY	wanacryptor.exe
15272	File opened for modification	C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.WNCRY	wanacryptor.exe
15272	File renamed	C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.WNCRYT => C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.WNCRY	wanacryptor.exe
15272	File opened for modification	C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.WNCRY	wanacryptor.exe
16224	File renamed	C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb.WNCRYT => C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Windows.edb.WNCRY	wanacryptor.exe
16224	File opened for modification	C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Windows.edb.WNCRY	wanacryptor.exe
16240	File renamed	C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\guest.bmp.WNCRY	wanacryptor.exe
16240	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\guest.bmp.WNCRY	wanacryptor.exe
16255	File renamed	C:\ProgramData\Microsoft\User Account Pictures\user.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\user.bmp.WNCRY	wanacryptor.exe
16255	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\user.bmp.WNCRY	wanacryptor.exe
16271	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.WNCRY	wanacryptor.exe
16271	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.WNCRY	wanacryptor.exe
16271	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.WNCRY	wanacryptor.exe
16271	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.WNCRY	wanacryptor.exe
16302	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.WNCRY	wanacryptor.exe
16302	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.WNCRY	wanacryptor.exe
16302	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.WNCRY	wanacryptor.exe
16302	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.WNCRY	wanacryptor.exe
16318	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.WNCRY	wanacryptor.exe
16318	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.WNCRY	wanacryptor.exe
16333	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.WNCRY	wanacryptor.exe
16333	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.WNCRY	wanacryptor.exe
16333	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.WNCRY	wanacryptor.exe
16333	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.WNCRY	wanacryptor.exe
16349	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.WNCRY	wanacryptor.exe
16349	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.WNCRY	wanacryptor.exe
16364	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.WNCRY	wanacryptor.exe
16364	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.WNCRY	wanacryptor.exe
16364	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.WNCRY	wanacryptor.exe
16364	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.WNCRY	wanacryptor.exe
16380	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.WNCRY	wanacryptor.exe
16380	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.WNCRY	wanacryptor.exe
16396	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.WNCRY	wanacryptor.exe
16396	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.WNCRY	wanacryptor.exe
16396	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.WNCRY	wanacryptor.exe
16396	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.WNCRY	wanacryptor.exe
16411	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.WNCRY	wanacryptor.exe
16411	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.WNCRY	wanacryptor.exe
16411	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.WNCRY	wanacryptor.exe
16411	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.WNCRY	wanacryptor.exe
16427	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.WNCRY	wanacryptor.exe
16427	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.WNCRY	wanacryptor.exe
16427	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.WNCRY	wanacryptor.exe
16427	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.WNCRY	wanacryptor.exe
16442	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.WNCRY	wanacryptor.exe
16442	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.WNCRY	wanacryptor.exe
16442	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.WNCRY	wanacryptor.exe
16442	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.WNCRY	wanacryptor.exe
16458	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.WNCRY	wanacryptor.exe
16458	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.WNCRY	wanacryptor.exe
16474	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.WNCRY	wanacryptor.exe
16474	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.WNCRY	wanacryptor.exe
16474	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.WNCRY	wanacryptor.exe
16474	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.WNCRY	wanacryptor.exe
16489	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.WNCRY	wanacryptor.exe
16489	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.WNCRY	wanacryptor.exe
16489	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.WNCRY	wanacryptor.exe
16489	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.WNCRY	wanacryptor.exe
16505	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.WNCRY	wanacryptor.exe
16505	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.WNCRY	wanacryptor.exe
16505	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.WNCRY	wanacryptor.exe
16505	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.WNCRY	wanacryptor.exe
16520	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.WNCRY	wanacryptor.exe
16520	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.WNCRY	wanacryptor.exe
16536	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.WNCRY	wanacryptor.exe
16536	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.WNCRY	wanacryptor.exe
16552	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.WNCRY	wanacryptor.exe
16552	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.WNCRY	wanacryptor.exe
16583	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.WNCRY	wanacryptor.exe
16583	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.WNCRY	wanacryptor.exe
16583	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.WNCRY	wanacryptor.exe
16583	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.WNCRY	wanacryptor.exe
16583	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.WNCRY	wanacryptor.exe
16583	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.WNCRY	wanacryptor.exe
16598	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.WNCRY	wanacryptor.exe
16598	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.WNCRY	wanacryptor.exe
16598	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.WNCRY	wanacryptor.exe
16598	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.WNCRY	wanacryptor.exe
16598	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.WNCRY	wanacryptor.exe
16598	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.WNCRY	wanacryptor.exe
16614	File renamed	C:\ProgramData\Microsoft\Windows\Caches\cversions.2.db.WNCRYT => C:\Users\All Users\Microsoft\Windows\Caches\cversions.2.db.WNCRY	wanacryptor.exe
16614	File opened for modification	C:\Users\All Users\Microsoft\Windows\Caches\cversions.2.db.WNCRY	wanacryptor.exe
16614	File renamed	C:\ProgramData\Microsoft\Windows\Caches\{4E4260A4-7E39-442E-BC22-7FF751D1C161}.2.ver0x0000000000000002.db.WNCRYT => C:\Users\All Users\Microsoft\Windows\Caches\{4E4260A4-7E39-442E-BC22-7FF751D1C161}.2.ver0x0000000000000002.db.WNCRY	wanacryptor.exe
16614	File opened for modification	C:\Users\All Users\Microsoft\Windows\Caches\{4E4260A4-7E39-442E-BC22-7FF751D1C161}.2.ver0x0000000000000002.db.WNCRY	wanacryptor.exe
16630	File renamed	C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000a.db.WNCRYT => C:\Users\All Users\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000a.db.WNCRY	wanacryptor.exe
16630	File opened for modification	C:\Users\All Users\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000a.db.WNCRY	wanacryptor.exe
16645	File renamed	C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000012.db.WNCRYT => C:\Users\All Users\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000012.db.WNCRY	wanacryptor.exe
16645	File opened for modification	C:\Users\All Users\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000012.db.WNCRY	wanacryptor.exe
16661	File renamed	C:\ProgramData\Microsoft\Windows\Caches\{6B239685-FFE8-4040-8B6B-C8037F126992}.2.ver0x0000000000000001.db.WNCRYT => C:\Users\All Users\Microsoft\Windows\Caches\{6B239685-FFE8-4040-8B6B-C8037F126992}.2.ver0x0000000000000001.db.WNCRY	wanacryptor.exe
16661	File opened for modification	C:\Users\All Users\Microsoft\Windows\Caches\{6B239685-FFE8-4040-8B6B-C8037F126992}.2.ver0x0000000000000001.db.WNCRY	wanacryptor.exe
16661	File renamed	C:\ProgramData\Microsoft\Windows\Caches\{92438015-700D-4D70-B1F2-AD3B167C202D}.2.ver0x0000000000000001.db.WNCRYT => C:\Users\All Users\Microsoft\Windows\Caches\{92438015-700D-4D70-B1F2-AD3B167C202D}.2.ver0x0000000000000001.db.WNCRY	wanacryptor.exe
16661	File opened for modification	C:\Users\All Users\Microsoft\Windows\Caches\{92438015-700D-4D70-B1F2-AD3B167C202D}.2.ver0x0000000000000001.db.WNCRY	wanacryptor.exe
16676	File renamed	C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db.WNCRYT => C:\Users\All Users\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db.WNCRY	wanacryptor.exe
16676	File opened for modification	C:\Users\All Users\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db.WNCRY	wanacryptor.exe
16708	File renamed	C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 01.wma.WNCRYT => C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 01.wma.WNCRY	wanacryptor.exe
16708	File opened for modification	C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 01.wma.WNCRY	wanacryptor.exe
16708	File renamed	C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 02.wma.WNCRYT => C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 02.wma.WNCRY	wanacryptor.exe
16708	File opened for modification	C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 02.wma.WNCRY	wanacryptor.exe
16723	File renamed	C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 03.wma.WNCRYT => C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 03.wma.WNCRY	wanacryptor.exe
16723	File opened for modification	C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 03.wma.WNCRY	wanacryptor.exe
16739	File renamed	C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 04.wma.WNCRYT => C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 04.wma.WNCRY	wanacryptor.exe
16739	File opened for modification	C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 04.wma.WNCRY	wanacryptor.exe
16770	File renamed	C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 05.wma.WNCRYT => C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 05.wma.WNCRY	wanacryptor.exe
16770	File opened for modification	C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 05.wma.WNCRY	wanacryptor.exe
16770	File renamed	C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 06.wma.WNCRYT => C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 06.wma.WNCRY	wanacryptor.exe
16770	File opened for modification	C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 06.wma.WNCRY	wanacryptor.exe
16786	File renamed	C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 07.wma.WNCRYT => C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 07.wma.WNCRY	wanacryptor.exe
16786	File opened for modification	C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 07.wma.WNCRY	wanacryptor.exe
16801	File renamed	C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 08.wma.WNCRYT => C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 08.wma.WNCRY	wanacryptor.exe
16801	File opened for modification	C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 08.wma.WNCRY	wanacryptor.exe
16848	File renamed	C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 09.wma.WNCRYT => C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 09.wma.WNCRY	wanacryptor.exe
16848	File opened for modification	C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 09.wma.WNCRY	wanacryptor.exe
17129	File renamed	C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 10.wma.WNCRYT => C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 10.wma.WNCRY	wanacryptor.exe
17129	File opened for modification	C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 10.wma.WNCRY	wanacryptor.exe
17410	File renamed	C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\WelcomeFax.tif.WNCRYT => C:\Users\All Users\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\WelcomeFax.tif.WNCRY	wanacryptor.exe
17410	File opened for modification	C:\Users\All Users\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\WelcomeFax.tif.WNCRY	wanacryptor.exe
17706	File renamed	C:\Users\Public\Music\Sample Music\Kalimba.mp3.WNCRYT => C:\Users\Public\Music\Sample Music\Kalimba.mp3.WNCRY	wanacryptor.exe
17706	File opened for modification	C:\Users\Public\Music\Sample Music\Kalimba.mp3.WNCRY	wanacryptor.exe
17831	File renamed	C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.WNCRYT => C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.WNCRY	wanacryptor.exe
17831	File opened for modification	C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.WNCRY	wanacryptor.exe
18002	File renamed	C:\Users\Public\Music\Sample Music\Sleep Away.mp3.WNCRYT => C:\Users\Public\Music\Sample Music\Sleep Away.mp3.WNCRY	wanacryptor.exe
18002	File opened for modification	C:\Users\Public\Music\Sample Music\Sleep Away.mp3.WNCRY	wanacryptor.exe
18642	File renamed	C:\Users\Public\Videos\Sample Videos\Wildlife.wmv.WNCRYT => C:\Users\Public\Videos\Sample Videos\Wildlife.wmv.WNCRY	wanacryptor.exe
18642	File opened for modification	C:\Users\Public\Videos\Sample Videos\Wildlife.wmv.WNCRY	wanacryptor.exe
18642	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1024.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1024.db.WNCRY	wanacryptor.exe
18642	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1024.db.WNCRY	wanacryptor.exe
18642	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db.WNCRY	wanacryptor.exe
18642	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db.WNCRY	wanacryptor.exe
18642	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db.WNCRY	wanacryptor.exe
18642	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db.WNCRY	wanacryptor.exe
18642	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db.WNCRY	wanacryptor.exe
18642	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db.WNCRY	wanacryptor.exe
18642	File opened (read-only)	C:\hiberfil.sys.WNCRY	wanacryptor.exe
18642	File opened (read-only)	C:\pagefile.sys.WNCRY	wanacryptor.exe
25725	File renamed	C:\MSOCache\All Users\{90140000-0011-0000-1000-0000000FF1CE}-C\ProPsWW2.cab.WNCRYT => C:\MSOCache\All Users\{90140000-0011-0000-1000-0000000FF1CE}-C\ProPsWW2.cab.WNCRY	wanacryptor.exe
25725	File opened for modification	C:\MSOCache\All Users\{90140000-0011-0000-1000-0000000FF1CE}-C\ProPsWW2.cab.WNCRY	wanacryptor.exe

Drops startup file 4 IoCs

at	description	ioc	Process
11622	File created (read-only)	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDCB63.tmp	wanacryptor.exe
11622	File deleted	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDCB63.tmp	wanacryptor.exe
11669	File created (read-only)	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDCB96.tmp	wanacryptor.exe
11669	File deleted	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDCB96.tmp	wanacryptor.exe

Sets desktop wallpaper registry value 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

at	description	ioc	Process
25740	Set value (str)	\REGISTRY\USER\S-1-5-21-206847876-899690649-509147175-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	wanacryptor.exe
35100	Set value (str)	\REGISTRY\USER\S-1-5-21-206847876-899690649-509147175-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Modifies registry key 1 TTPs

Modify Registry
T1112

Suspicious use of AdjustPrivilegeToken 45 IoCs

at	description	Process
35178	Token: SeTcbPrivilege	taskse.exe
35287	Token: SeTcbPrivilege	taskse.exe
39577	Token: SeBackupPrivilege	vssvc.exe
39577	Token: SeRestorePrivilege	vssvc.exe
39577	Token: SeAuditPrivilege	vssvc.exe
40763	Token: SeIncreaseQuotaPrivilege	WMIC.exe
40763	Token: SeSecurityPrivilege	WMIC.exe
40763	Token: SeTakeOwnershipPrivilege	WMIC.exe
40763	Token: SeLoadDriverPrivilege	WMIC.exe
40763	Token: SeSystemProfilePrivilege	WMIC.exe
40763	Token: SeSystemtimePrivilege	WMIC.exe
40763	Token: SeProfSingleProcessPrivilege	WMIC.exe
40763	Token: SeIncBasePriorityPrivilege	WMIC.exe
40763	Token: SeCreatePagefilePrivilege	WMIC.exe
40763	Token: SeBackupPrivilege	WMIC.exe
40763	Token: SeRestorePrivilege	WMIC.exe
40763	Token: SeShutdownPrivilege	WMIC.exe
40763	Token: SeDebugPrivilege	WMIC.exe
40763	Token: SeSystemEnvironmentPrivilege	WMIC.exe
40763	Token: SeRemoteShutdownPrivilege	WMIC.exe
40763	Token: SeUndockPrivilege	WMIC.exe
40763	Token: SeManageVolumePrivilege	WMIC.exe
40763	Token: 33	WMIC.exe
40763	Token: 34	WMIC.exe
40763	Token: 35	WMIC.exe
42120	Token: SeIncreaseQuotaPrivilege	WMIC.exe
42120	Token: SeSecurityPrivilege	WMIC.exe
42120	Token: SeTakeOwnershipPrivilege	WMIC.exe
42120	Token: SeLoadDriverPrivilege	WMIC.exe
42120	Token: SeSystemProfilePrivilege	WMIC.exe
42120	Token: SeSystemtimePrivilege	WMIC.exe
42120	Token: SeProfSingleProcessPrivilege	WMIC.exe
42120	Token: SeIncBasePriorityPrivilege	WMIC.exe
42120	Token: SeCreatePagefilePrivilege	WMIC.exe
42120	Token: SeBackupPrivilege	WMIC.exe
42120	Token: SeRestorePrivilege	WMIC.exe
42120	Token: SeShutdownPrivilege	WMIC.exe
42120	Token: SeDebugPrivilege	WMIC.exe
42120	Token: SeSystemEnvironmentPrivilege	WMIC.exe
42120	Token: SeRemoteShutdownPrivilege	WMIC.exe
42120	Token: SeUndockPrivilege	WMIC.exe
42120	Token: SeManageVolumePrivilege	WMIC.exe
42120	Token: 33	WMIC.exe
42120	Token: 34	WMIC.exe
42120	Token: 35	WMIC.exe

Adds Run entry to start application 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

at	description	ioc	Process
35287	Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
35287	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cyvxzzxok869 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\""	reg.exe

Known Tor node 6 IoCs

ioc
136.243.214.137
131.188.40.189
51.254.136.195
51.15.37.97
69.61.35.184
91.121.2.157

Interacts with shadow copies 2 TTPs
ransomware

Inhibit System Recovery
T1490

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

at	description	ioc	Process
39765	Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
40061	Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
40123	Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
40264	Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Deletes shadow copies 2 TTPs
ransomware

Inhibit System Recovery
T1490
wannacry family
family

C:\Users\Admin\AppData\Local\Temp\wanacryptor.exe
C:\Users\Admin\AppData\Local\Temp\wanacryptor.exe
1⤵
- Suspicious use of WriteProcessMemory
- Wannacry file encrypt
- Drops startup file
- Sets desktop wallpaper registry value
PID:1396

C:\Windows\SysWOW64\attrib.exe
attrib +h .
1⤵
PID:1340

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "178101617820419049321885077359-87789090-191727426984886390-6711845102105673393"
1⤵
PID:1380

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
1⤵
PID:844

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "68380638-134117025015965239272017080203-436434211-11862560892050406990-298502429"
1⤵
PID:1184

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
1⤵
PID:2036

C:\Windows\SysWOW64\cmd.exe
cmd /c 139481568464772.bat
1⤵
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1690689405-1506149047231406383-1911316898631372605275143358-242892880-1530755520"
1⤵
PID:1944

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
1⤵
PID:1992

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected] co
1⤵
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
1⤵
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "15804464931282432220-2256829231953425047327404231840102483-1247746587-1867096663"
1⤵
PID:1344

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected] vs
1⤵
- Suspicious use of WriteProcessMemory
PID:1112

C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
1⤵
PID:1676

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "148124263116397275361090110393-4470268301547177365-543692993-569028428-1023424954"
1⤵
PID:1308

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
1⤵
PID:1168

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
1⤵
- Sets desktop wallpaper registry value
PID:1184

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "cyvxzzxok869" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
1⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1305222551-109869974663209089623338521831648504-755834288-581640509-679532229"
1⤵
PID:320

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "cyvxzzxok869" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
1⤵
- Adds Run entry to start application
PID:1804

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
1⤵
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1686866176-1627706350-13825995481855397851892833719333043900-1974993625-1599686765"
1⤵
PID:1996

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
1⤵
PID:2008

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies service
PID:852

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

MITRE ATT&CK Additional techniques

T1158
T1060
T1107
T1031

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Additional techniques

Replay Monitor

Loading Replay Monitor...

Downloads