Task
task1
Sample
wanacryptor.exe
Resource
win7
0 signatures
Task
task2
Sample
wanacryptor.exe
Resource
win10
0 signatures
General
-
Target
wanacryptor.exe
-
Sample
190914-r8yvytde4n
-
SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
Score
N/A
Malware Config
Signatures
-
Views/modifies file attributes 1 TTPs
-
Suspicious use of WriteProcessMemory 13 IoCs
-
Modifies file permissions 1 TTPs
-
Executes dropped EXE
-
Wannacry file encrypt 437 IoCs
20500 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000002.db.WNCRY wanacryptor.exe 20516 File renamed C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000003.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000003.db.WNCRY wanacryptor.exe 20516 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000003.db.WNCRY wanacryptor.exe 20563 File renamed C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db.WNCRY wanacryptor.exe 20563 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db.WNCRY wanacryptor.exe 20625 File renamed C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db.WNCRY wanacryptor.exe 20625 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db.WNCRY wanacryptor.exe 20797 File renamed C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db.WNCRY wanacryptor.exe 20797 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db.WNCRY wanacryptor.exe 20813 File renamed C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db.WNCRY wanacryptor.exe 20813 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db.WNCRY wanacryptor.exe 20844 File renamed 
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db.WNCRY wanacryptor.exe 20844 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db.WNCRY wanacryptor.exe 20922 File renamed C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db.WNCRY wanacryptor.exe 20922 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db.WNCRY wanacryptor.exe 20985 File renamed C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db.WNCRY wanacryptor.exe 20985 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db.WNCRY wanacryptor.exe 21031 File renamed C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db.WNCRY wanacryptor.exe 21031 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db.WNCRY wanacryptor.exe 21031 File renamed C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db.WNCRY wanacryptor.exe 21031 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db.WNCRY wanacryptor.exe 21078 File renamed C:\Users\Admin\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db.WNCRY wanacryptor.exe 21078 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db.WNCRY wanacryptor.exe 21110 File renamed 
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\045d3532[1].js.WNCRYT => C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\045d3532[1].js.WNCRY wanacryptor.exe 21110 File opened for modification C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\045d3532[1].js.WNCRY wanacryptor.exe 21125 File renamed C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\049fdf74[1].js.WNCRYT => C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\049fdf74[1].js.WNCRY wanacryptor.exe 21125 File opened for modification C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\049fdf74[1].js.WNCRY wanacryptor.exe 21141 File renamed C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\0c3a2f0b[1].js.WNCRYT => C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\0c3a2f0b[1].js.WNCRY wanacryptor.exe 21141 File opened for modification C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\0c3a2f0b[1].js.WNCRY wanacryptor.exe 21172 File renamed C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\359d2aee[1].js.WNCRYT => C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\359d2aee[1].js.WNCRY wanacryptor.exe 21172 File opened for modification C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\359d2aee[1].js.WNCRY wanacryptor.exe 21250 File renamed C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\38817ca5[1].js.WNCRYT => 
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\38817ca5[1].js.WNCRY wanacryptor.exe 21250 File opened for modification C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\38817ca5[1].js.WNCRY wanacryptor.exe 21266 File renamed C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\3c8600a8[1].js.WNCRYT => C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\3c8600a8[1].js.WNCRY wanacryptor.exe 21266 File opened for modification C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\3c8600a8[1].js.WNCRY wanacryptor.exe 21281 File renamed C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\4276cfeb[1].js.WNCRYT => C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\4276cfeb[1].js.WNCRY wanacryptor.exe 21281 File opened for modification C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\4276cfeb[1].js.WNCRY wanacryptor.exe 21344 File renamed C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\53c747e0[1].js.WNCRYT => C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\53c747e0[1].js.WNCRY wanacryptor.exe 21344 File opened for modification C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\53c747e0[1].js.WNCRY wanacryptor.exe 21360 File renamed C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\665f5f09[1].js.WNCRYT => C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\665f5f09[1].js.WNCRY wanacryptor.exe 21360 File opened for modification 
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\665f5f09[1].js.WNCRY wanacryptor.exe 21375 File renamed C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\68cf2f48[1].js.WNCRYT => C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\68cf2f48[1].js.WNCRY wanacryptor.exe 21375 File opened for modification C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\68cf2f48[1].js.WNCRY wanacryptor.exe 21375 File renamed C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\8636b4dd[1].js.WNCRYT => C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\8636b4dd[1].js.WNCRY wanacryptor.exe 21375 File opened for modification C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\8636b4dd[1].js.WNCRY wanacryptor.exe 21406 File renamed C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\8c9625fb[1].js.WNCRYT => C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\8c9625fb[1].js.WNCRY wanacryptor.exe 21406 File opened for modification C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\8c9625fb[1].js.WNCRY wanacryptor.exe 21422 File renamed C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\a811f440[1].js.WNCRYT => C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\a811f440[1].js.WNCRY wanacryptor.exe 21422 File opened for modification C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\a811f440[1].js.WNCRY wanacryptor.exe 21438 File renamed 
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\cca0c2d7[1].js.WNCRYT => C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\cca0c2d7[1].js.WNCRY wanacryptor.exe 21438 File opened for modification C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\cca0c2d7[1].js.WNCRY wanacryptor.exe 21453 File renamed C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\cdd4b693[1].js.WNCRYT => C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\cdd4b693[1].js.WNCRY wanacryptor.exe 21453 File opened for modification C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\cdd4b693[1].js.WNCRY wanacryptor.exe 21610 File renamed C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\cf9fad16[1].js.WNCRYT => C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\cf9fad16[1].js.WNCRY wanacryptor.exe 21610 File opened for modification C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\cf9fad16[1].js.WNCRY wanacryptor.exe 21750 File renamed C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\d4857707[1].js.WNCRYT => C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\d4857707[1].js.WNCRY wanacryptor.exe 21750 File opened for modification C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\d4857707[1].js.WNCRY wanacryptor.exe 21844 File renamed C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\d9fc7a9b[1].js.WNCRYT => 
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\d9fc7a9b[1].js.WNCRY wanacryptor.exe 21844 File opened for modification C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\d9fc7a9b[1].js.WNCRY wanacryptor.exe 21891 File renamed C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\dbef2181[1].js.WNCRYT => C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\dbef2181[1].js.WNCRY wanacryptor.exe 21891 File opened for modification C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\FTLS17MP\2\dbef2181[1].js.WNCRY wanacryptor.exe 21891 File opened (read-only) C:\Users\Admin\AppData\Local\TileDataLayer\Database\vedatamodel.edb.WNCRY wanacryptor.exe 21938 File renamed C:\Users\Admin\AppData\Roaming\AddDismount.avi.WNCRYT => C:\Users\Admin\AppData\Roaming\AddDismount.avi.WNCRY wanacryptor.exe 21938 File opened for modification C:\Users\Admin\AppData\Roaming\AddDismount.avi.WNCRY wanacryptor.exe 22016 File renamed C:\Users\Admin\AppData\Roaming\BlockSearch.wav.WNCRYT => C:\Users\Admin\AppData\Roaming\BlockSearch.wav.WNCRY wanacryptor.exe 22016 File opened for modification C:\Users\Admin\AppData\Roaming\BlockSearch.wav.WNCRY wanacryptor.exe 22063 File renamed C:\Users\Admin\AppData\Roaming\DisconnectConfirm.7z.WNCRYT => C:\Users\Admin\AppData\Roaming\DisconnectConfirm.7z.WNCRY wanacryptor.exe 22063 File opened for modification C:\Users\Admin\AppData\Roaming\DisconnectConfirm.7z.WNCRY wanacryptor.exe 22110 File renamed C:\Users\Admin\AppData\Roaming\EnterConnect.wma.WNCRYT => C:\Users\Admin\AppData\Roaming\EnterConnect.wma.WNCRY wanacryptor.exe 22110 File opened for modification C:\Users\Admin\AppData\Roaming\EnterConnect.wma.WNCRY wanacryptor.exe 22156 File renamed C:\Users\Admin\AppData\Roaming\ExitRead.xlsb.WNCRYT => 
C:\Users\Admin\AppData\Roaming\ExitRead.xlsb.WNCRY wanacryptor.exe 22156 File opened for modification C:\Users\Admin\AppData\Roaming\ExitRead.xlsb.WNCRY wanacryptor.exe 22203 File renamed C:\Users\Admin\AppData\Roaming\NewCompare.wmv.WNCRYT => C:\Users\Admin\AppData\Roaming\NewCompare.wmv.WNCRY wanacryptor.exe 22203 File opened for modification C:\Users\Admin\AppData\Roaming\NewCompare.wmv.WNCRY wanacryptor.exe 22235 File renamed C:\Users\Admin\AppData\Roaming\RegisterSync.mpeg.WNCRYT => C:\Users\Admin\AppData\Roaming\RegisterSync.mpeg.WNCRY wanacryptor.exe 22235 File opened for modification C:\Users\Admin\AppData\Roaming\RegisterSync.mpeg.WNCRY wanacryptor.exe 22281 File renamed C:\Users\Admin\AppData\Roaming\SwitchOut.wmv.WNCRYT => C:\Users\Admin\AppData\Roaming\SwitchOut.wmv.WNCRY wanacryptor.exe 22281 File opened for modification C:\Users\Admin\AppData\Roaming\SwitchOut.wmv.WNCRY wanacryptor.exe 22313 File renamed C:\Users\Admin\AppData\Roaming\TestRead.docm.WNCRYT => C:\Users\Admin\AppData\Roaming\TestRead.docm.WNCRY wanacryptor.exe 22313 File opened for modification C:\Users\Admin\AppData\Roaming\TestRead.docm.WNCRY wanacryptor.exe 22469 File renamed C:\Users\Admin\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx.WNCRYT => C:\Users\Admin\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx.WNCRY wanacryptor.exe 22469 File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\Built-In Building Blocks.dotx.WNCRY wanacryptor.exe 22485 File renamed C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm.WNCRYT => C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm.WNCRY wanacryptor.exe 22485 File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm.WNCRY wanacryptor.exe 22531 File renamed C:\Users\Admin\Downloads\CloseUndo.vbs.WNCRYT => C:\Users\Admin\Downloads\CloseUndo.vbs.WNCRY 
wanacryptor.exe 22531 File opened for modification C:\Users\Admin\Downloads\CloseUndo.vbs.WNCRY wanacryptor.exe 22563 File renamed C:\Users\Admin\Downloads\ConfirmEnter.pptm.WNCRYT => C:\Users\Admin\Downloads\ConfirmEnter.pptm.WNCRY wanacryptor.exe 22563 File opened for modification C:\Users\Admin\Downloads\ConfirmEnter.pptm.WNCRY wanacryptor.exe 22610 File renamed C:\Users\Admin\Downloads\DebugShow.pptm.WNCRYT => C:\Users\Admin\Downloads\DebugShow.pptm.WNCRY wanacryptor.exe 22610 File opened for modification C:\Users\Admin\Downloads\DebugShow.pptm.WNCRY wanacryptor.exe 22672 File renamed C:\Users\Admin\Downloads\FormatRemove.cmd.WNCRYT => C:\Users\Admin\Downloads\FormatRemove.cmd.WNCRY wanacryptor.exe 22672 File opened for modification C:\Users\Admin\Downloads\FormatRemove.cmd.WNCRY wanacryptor.exe 22719 File renamed C:\Users\Admin\Downloads\GroupShow.ps1.WNCRYT => C:\Users\Admin\Downloads\GroupShow.ps1.WNCRY wanacryptor.exe 22719 File opened for modification C:\Users\Admin\Downloads\GroupShow.ps1.WNCRY wanacryptor.exe 22766 File renamed C:\Users\Admin\Downloads\ReadBlock.odp.WNCRYT => C:\Users\Admin\Downloads\ReadBlock.odp.WNCRY wanacryptor.exe 22766 File opened for modification C:\Users\Admin\Downloads\ReadBlock.odp.WNCRY wanacryptor.exe 22828 File renamed C:\Users\Admin\Downloads\ReadUnpublish.mpg.WNCRYT => C:\Users\Admin\Downloads\ReadUnpublish.mpg.WNCRY wanacryptor.exe 22828 File opened for modification C:\Users\Admin\Downloads\ReadUnpublish.mpg.WNCRY wanacryptor.exe 22875 File renamed C:\Users\Admin\Downloads\WaitSet.3g2.WNCRYT => C:\Users\Admin\Downloads\WaitSet.3g2.WNCRY wanacryptor.exe 22875 File opened for modification C:\Users\Admin\Downloads\WaitSet.3g2.WNCRY wanacryptor.exe 22953 File renamed C:\Users\Admin\Music\BackupInstall.ods.WNCRYT => C:\Users\Admin\Music\BackupInstall.ods.WNCRY wanacryptor.exe 22953 File opened for modification C:\Users\Admin\Music\BackupInstall.ods.WNCRY wanacryptor.exe 23016 File renamed 
C:\Users\Admin\Music\CompleteSelect.pps.WNCRYT => C:\Users\Admin\Music\CompleteSelect.pps.WNCRY wanacryptor.exe 23016 File opened for modification C:\Users\Admin\Music\CompleteSelect.pps.WNCRY wanacryptor.exe 23094 File renamed C:\Users\Admin\Music\ResetSave.mpg.WNCRYT => C:\Users\Admin\Music\ResetSave.mpg.WNCRY wanacryptor.exe 23094 File opened for modification C:\Users\Admin\Music\ResetSave.mpg.WNCRY wanacryptor.exe 23141 File renamed C:\Users\Admin\Music\SelectUnpublish.mp3.WNCRYT => C:\Users\Admin\Music\SelectUnpublish.mp3.WNCRY wanacryptor.exe 23141 File opened for modification C:\Users\Admin\Music\SelectUnpublish.mp3.WNCRY wanacryptor.exe 23375 File renamed C:\Users\Admin\Music\TraceSplit.xlt.WNCRYT => C:\Users\Admin\Music\TraceSplit.xlt.WNCRY wanacryptor.exe 23375 File opened for modification C:\Users\Admin\Music\TraceSplit.xlt.WNCRY wanacryptor.exe 23453 File renamed C:\Users\Admin\Pictures\GetInvoke.tiff.WNCRYT => C:\Users\Admin\Pictures\GetInvoke.tiff.WNCRY wanacryptor.exe 23453 File opened for modification C:\Users\Admin\Pictures\GetInvoke.tiff.WNCRY wanacryptor.exe 23485 File renamed C:\Users\Admin\Pictures\InvokeRestart.gif.WNCRYT => C:\Users\Admin\Pictures\InvokeRestart.gif.WNCRY wanacryptor.exe 23485 File opened for modification C:\Users\Admin\Pictures\InvokeRestart.gif.WNCRY wanacryptor.exe 23563 File renamed C:\Users\Admin\Pictures\JoinCompress.tif.WNCRYT => C:\Users\Admin\Pictures\JoinCompress.tif.WNCRY wanacryptor.exe 23563 File opened for modification C:\Users\Admin\Pictures\JoinCompress.tif.WNCRY wanacryptor.exe 23610 File renamed C:\Users\Admin\Pictures\MoveUse.raw.WNCRYT => C:\Users\Admin\Pictures\MoveUse.raw.WNCRY wanacryptor.exe 23610 File opened for modification C:\Users\Admin\Pictures\MoveUse.raw.WNCRY wanacryptor.exe 23688 File renamed C:\Users\Admin\Pictures\PopProtect.tiff.WNCRYT => C:\Users\Admin\Pictures\PopProtect.tiff.WNCRY wanacryptor.exe 23688 File opened for modification C:\Users\Admin\Pictures\PopProtect.tiff.WNCRY 
wanacryptor.exe 23781 File renamed C:\Users\Admin\Pictures\ProtectWatch.png.WNCRYT => C:\Users\Admin\Pictures\ProtectWatch.png.WNCRY wanacryptor.exe 23781 File opened for modification C:\Users\Admin\Pictures\ProtectWatch.png.WNCRY wanacryptor.exe 23938 File renamed C:\Users\Admin\Pictures\ReceiveFind.bmp.WNCRYT => C:\Users\Admin\Pictures\ReceiveFind.bmp.WNCRY wanacryptor.exe 23938 File opened for modification C:\Users\Admin\Pictures\ReceiveFind.bmp.WNCRY wanacryptor.exe 24188 File renamed C:\Users\Admin\Pictures\SplitBlock.tif.WNCRYT => C:\Users\Admin\Pictures\SplitBlock.tif.WNCRY wanacryptor.exe 24188 File opened for modification C:\Users\Admin\Pictures\SplitBlock.tif.WNCRY wanacryptor.exe 24406 File renamed C:\Users\Admin\Pictures\SplitReset.png.WNCRYT => C:\Users\Admin\Pictures\SplitReset.png.WNCRY wanacryptor.exe 24406 File opened for modification C:\Users\Admin\Pictures\SplitReset.png.WNCRY wanacryptor.exe 24438 File renamed C:\Users\Admin\Pictures\TestBlock.bmp.WNCRYT => C:\Users\Admin\Pictures\TestBlock.bmp.WNCRY wanacryptor.exe 24438 File opened for modification C:\Users\Admin\Pictures\TestBlock.bmp.WNCRY wanacryptor.exe 24485 File renamed C:\Users\Admin\Pictures\UndoPop.raw.WNCRYT => C:\Users\Admin\Pictures\UndoPop.raw.WNCRY wanacryptor.exe 24485 File opened for modification C:\Users\Admin\Pictures\UndoPop.raw.WNCRY wanacryptor.exe 24531 File renamed C:\Users\Admin\Pictures\UpdateMerge.raw.WNCRYT => C:\Users\Admin\Pictures\UpdateMerge.raw.WNCRY wanacryptor.exe 24531 File opened for modification C:\Users\Admin\Pictures\UpdateMerge.raw.WNCRY wanacryptor.exe 24563 File renamed C:\ProgramData\Microsoft\AppV\Setup\OfficeIntegrator.ps1.WNCRYT => C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1.WNCRY wanacryptor.exe 24563 File opened for modification C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1.WNCRY wanacryptor.exe 24578 File renamed C:\ProgramData\Microsoft\Device 
Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.WNCRYT => C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.WNCRY wanacryptor.exe 24578 File opened for modification C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.WNCRY wanacryptor.exe 24594 File renamed C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.WNCRYT => C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.WNCRY wanacryptor.exe 24594 File opened for modification C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.WNCRY wanacryptor.exe 24610 File renamed C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.WNCRYT => C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.WNCRY wanacryptor.exe 24610 File opened for modification C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.WNCRY wanacryptor.exe 24610 File renamed C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.WNCRYT => C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.WNCRY wanacryptor.exe 24610 File opened for modification C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.WNCRY wanacryptor.exe 24625 File renamed C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.WNCRYT => C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.WNCRY wanacryptor.exe 24625 File opened for modification C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.WNCRY wanacryptor.exe 24641 File 
renamed C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.WNCRYT => C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.WNCRY wanacryptor.exe 24641 File opened for modification C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.WNCRY wanacryptor.exe 24688 File renamed C:\ProgramData\Microsoft\Network\Downloader\qmgr.db.WNCRYT => C:\Users\All Users\Microsoft\Network\Downloader\qmgr.db.WNCRY wanacryptor.exe 24688 File opened for modification C:\Users\All Users\Microsoft\Network\Downloader\qmgr.db.WNCRY wanacryptor.exe 25000 File renamed C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb.WNCRYT => C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Windows.edb.WNCRY wanacryptor.exe 25000 File opened for modification C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Windows.edb.WNCRY wanacryptor.exe 25047 File renamed C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\guest.bmp.WNCRY wanacryptor.exe 25047 File opened for modification C:\Users\All Users\Microsoft\User Account Pictures\guest.bmp.WNCRY wanacryptor.exe 25063 File renamed C:\ProgramData\Microsoft\User Account Pictures\guest.png.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\guest.png.WNCRY wanacryptor.exe 25063 File opened for modification C:\Users\All Users\Microsoft\User Account Pictures\guest.png.WNCRY wanacryptor.exe 25078 File renamed C:\ProgramData\Microsoft\User Account Pictures\user-192.png.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\user-192.png.WNCRY wanacryptor.exe 25078 File opened for modification C:\Users\All Users\Microsoft\User Account Pictures\user-192.png.WNCRY wanacryptor.exe 25125 File renamed C:\ProgramData\Microsoft\User Account Pictures\user.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account 
Pictures\user.bmp.WNCRY wanacryptor.exe 25125 File opened for modification C:\Users\All Users\Microsoft\User Account Pictures\user.bmp.WNCRY wanacryptor.exe 25125 File renamed C:\ProgramData\Microsoft\User Account Pictures\user.png.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\user.png.WNCRY wanacryptor.exe 25125 File opened for modification C:\Users\All Users\Microsoft\User Account Pictures\user.png.WNCRY wanacryptor.exe 25141 File renamed C:\ProgramData\Microsoft\Windows\Caches\cversions.2.db.WNCRYT => C:\Users\All Users\Microsoft\Windows\Caches\cversions.2.db.WNCRY wanacryptor.exe 25141 File opened for modification C:\Users\All Users\Microsoft\Windows\Caches\cversions.2.db.WNCRY wanacryptor.exe 25141 File renamed C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db.WNCRYT => C:\Users\All Users\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db.WNCRY wanacryptor.exe 25141 File opened for modification C:\Users\All Users\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db.WNCRY wanacryptor.exe 25172 File renamed C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.WNCRYT => C:\Users\All Users\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.WNCRY wanacryptor.exe 25172 File opened for modification C:\Users\All Users\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.WNCRY wanacryptor.exe 25188 File renamed C:\ProgramData\Microsoft\Windows\RetailDemo\Office\ConfigureO16DemoMode.bat.WNCRYT => C:\Users\All Users\Microsoft\Windows\RetailDemo\Office\ConfigureO16DemoMode.bat.WNCRY wanacryptor.exe 25188 File opened for modification C:\Users\All Users\Microsoft\Windows\RetailDemo\Office\ConfigureO16DemoMode.bat.WNCRY wanacryptor.exe 25188 File renamed 
-
Drops startup file 4 IoCs
at description ioc Process
13766 File created (read-only) C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD3A.tmp wanacryptor.exe
13766 File deleted C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD3A.tmp wanacryptor.exe
13797 File created (read-only) C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD60.tmp wanacryptor.exe
13797 File deleted C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD60.tmp wanacryptor.exe
-
Sets desktop wallpaper registry value 2 TTPs 1 IoCs
at description ioc Process
35922 Set value (str) \REGISTRY\USER\S-1-5-21-3462068340-3311567013-1947087764-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" wanacryptor.exe
-
Suspicious use of SetWindowsHookEx
-
Loads dropped DLL
-
Suspicious behavior: EnumeratesProcesses
-
Known Tor node 5 IoCs
ioc
64.113.32.29
171.25.193.9
85.17.88.174
5.135.178.184
66.206.0.82
-
Interacts with shadow copies 2 TTPs
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
at description Process
50547 Token: SeBackupPrivilege vssvc.exe
50547 Token: SeRestorePrivilege vssvc.exe
50547 Token: SeAuditPrivilege vssvc.exe
50985 Token: SeIncreaseQuotaPrivilege WMIC.exe
50985 Token: SeSecurityPrivilege WMIC.exe
50985 Token: SeTakeOwnershipPrivilege WMIC.exe
50985 Token: SeLoadDriverPrivilege WMIC.exe
50985 Token: SeSystemProfilePrivilege WMIC.exe
50985 Token: SeSystemtimePrivilege WMIC.exe
50985 Token: SeProfSingleProcessPrivilege WMIC.exe
50985 Token: SeIncBasePriorityPrivilege WMIC.exe
50985 Token: SeCreatePagefilePrivilege WMIC.exe
50985 Token: SeBackupPrivilege WMIC.exe
50985 Token: SeRestorePrivilege WMIC.exe
50985 Token: SeShutdownPrivilege WMIC.exe
50985 Token: SeDebugPrivilege WMIC.exe
50985 Token: SeSystemEnvironmentPrivilege WMIC.exe
50985 Token: SeRemoteShutdownPrivilege WMIC.exe
50985 Token: SeUndockPrivilege WMIC.exe
50985 Token: SeManageVolumePrivilege WMIC.exe
50985 Token: 33 WMIC.exe
50985 Token: 34 WMIC.exe
50985 Token: 35 WMIC.exe
50985 Token: 36 WMIC.exe
52469 Token: SeIncreaseQuotaPrivilege WMIC.exe
52469 Token: SeSecurityPrivilege WMIC.exe
52469 Token: SeTakeOwnershipPrivilege WMIC.exe
52469 Token: SeLoadDriverPrivilege WMIC.exe
52469 Token: SeSystemProfilePrivilege WMIC.exe
52469 Token: SeSystemtimePrivilege WMIC.exe
52469 Token: SeProfSingleProcessPrivilege WMIC.exe
52469 Token: SeIncBasePriorityPrivilege WMIC.exe
52469 Token: SeCreatePagefilePrivilege WMIC.exe
52469 Token: SeBackupPrivilege WMIC.exe
52469 Token: SeRestorePrivilege WMIC.exe
52469 Token: SeShutdownPrivilege WMIC.exe
52469 Token: SeDebugPrivilege WMIC.exe
52469 Token: SeSystemEnvironmentPrivilege WMIC.exe
52469 Token: SeRemoteShutdownPrivilege WMIC.exe
52469 Token: SeUndockPrivilege WMIC.exe
52469 Token: SeManageVolumePrivilege WMIC.exe
52469 Token: 33 WMIC.exe
52469 Token: 34 WMIC.exe
52469 Token: 35 WMIC.exe
52469 Token: 36 WMIC.exe
-
Modifies service 2 TTPs 4 IoCs
at description ioc Process
50594 Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe
50688 Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe
50735 Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe
50735 Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe
-
Deletes shadow copies 2 TTPs
-
wannacry family
Processes
-
C:\Users\Admin\AppData\Local\Temp\wanacryptor.exe
Command line: C:\Users\Admin\AppData\Local\Temp\wanacryptor.exe
- Suspicious use of WriteProcessMemory
- Wannacry file encrypt
- Drops startup file
- Sets desktop wallpaper registry value
PID:3604
-
C:\Windows\SysWOW64\attrib.exe
Command line: attrib +h .
PID:3596
-
C:\Windows\SysWOW64\icacls.exe
Command line: icacls . /grant Everyone:F /T /C /Q
PID:3632
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exe
Command line: taskdl.exe
PID:2276
-
C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c 174381568464767.bat
- Suspicious use of WriteProcessMemory
PID:2828
-
C:\Windows\SysWOW64\cscript.exe
Command line: cscript.exe //nologo m.vbs
PID:3488
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exe
Command line: taskdl.exe
PID:3104
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
PID:3388
-
C:\Windows\SysWOW64\cmd.exe
PID:3228
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
PID:3492
-
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
Command line: TaskData\Tor\taskhsvc.exe
PID:2716
-
C:\Windows\SysWOW64\cmd.exe
Command line: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
- Suspicious use of WriteProcessMemory
PID:3632
-
C:\Windows\SysWOW64\vssadmin.exe
Command line: vssadmin delete shadows /all /quiet
PID:3164
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
- Modifies service
PID:2280
-
C:\Windows\SysWOW64\Wbem\WMIC.exe
Command line: wmic shadowcopy delete
- Suspicious use of AdjustPrivilegeToken
PID:3908
Network
MITRE ATT&CK Enterprise v15
MITRE ATT&CK Additional techniques
- T1158
- T1107
- T1031