aa892cf3eb80b918469a8689eabb240b2ad50784e74885d9e277640e252bbbae

Analysis

max time kernel
61s
max time network
11651379494s
resource
win7

Sharing

Copy URL

Twitter E-mail

General

Target

TwoLayer.zip
Sample

190926-jyftrj55ss
SHA256

aa892cf3eb80b918469a8689eabb240b2ad50784e74885d9e277640e252bbbae

Score

N/A

Malware Config

Signatures

Views/modifies file attributes 1 TTPs
evasion

Suspicious use of WriteProcessMemory 17 IoCs

at	description	Process	procid_target
2356	PID 1976 wrote to memory of 1208	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	25
2574	PID 1976 wrote to memory of 880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	27
3635	PID 1976 wrote to memory of 772	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	29
3853	PID 1976 wrote to memory of 864	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	30
4321	PID 864 wrote to memory of 1280	cmd.exe	32
22917	PID 1976 wrote to memory of 880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	34
22917	PID 1976 wrote to memory of 836	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	35
23010	PID 836 wrote to memory of 2004	cmd.exe	37
27300	PID 880 wrote to memory of 1492	@[email protected]	39
33696	PID 1976 wrote to memory of 900	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	41
33759	PID 1976 wrote to memory of 1876	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	42
33759	PID 1976 wrote to memory of 1568	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	43
33759	PID 1976 wrote to memory of 836	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	44
33946	PID 836 wrote to memory of 1180	cmd.exe	46
36005	PID 2004 wrote to memory of 1324	@[email protected]	47
36130	PID 1324 wrote to memory of 864	cmd.exe	49
36426	PID 1324 wrote to memory of 280	cmd.exe	51

Modifies file permissions 1 TTPs

File and Directory Permissions Modification
T1222
Loads dropped DLL
Executes dropped EXE

Wannacry file encrypt 404 IoCs

at	description	ioc	Process
3916	File renamed	C:\Users\Admin\Desktop\RestartImport.jpeg.WNCRYT => C:\Users\Admin\Desktop\RestartImport.jpeg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
3916	File opened for modification	C:\Users\Admin\Desktop\RestartImport.jpeg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
3978	File renamed	C:\Users\Admin\Desktop\SplitResume.xls.WNCRYT => C:\Users\Admin\Desktop\SplitResume.xls.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
3978	File opened for modification	C:\Users\Admin\Desktop\SplitResume.xls.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
4056	File renamed	C:\Users\Admin\Desktop\SubmitUndo.pptx.WNCRYT => C:\Users\Admin\Desktop\SubmitUndo.pptx.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
4056	File opened for modification	C:\Users\Admin\Desktop\SubmitUndo.pptx.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
4165	File renamed	C:\Users\Admin\Desktop\WaitClose.csv.WNCRYT => C:\Users\Admin\Desktop\WaitClose.csv.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
4165	File opened for modification	C:\Users\Admin\Desktop\WaitClose.csv.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
4274	File renamed	C:\Users\Admin\Desktop\CompareStop.zip.WNCRYT => C:\Users\Admin\Desktop\CompareStop.zip.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
4274	File opened for modification	C:\Users\Admin\Desktop\CompareStop.zip.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
4337	File renamed	C:\Users\Admin\Desktop\HideComplete.ppsx.WNCRYT => C:\Users\Admin\Desktop\HideComplete.ppsx.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
4337	File opened for modification	C:\Users\Admin\Desktop\HideComplete.ppsx.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
4368	File renamed	C:\Users\Admin\Desktop\LimitFormat.dot.WNCRYT => C:\Users\Admin\Desktop\LimitFormat.dot.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
4368	File opened for modification	C:\Users\Admin\Desktop\LimitFormat.dot.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
4540	File renamed	C:\Users\Admin\Desktop\PushMount.zip.WNCRYT => C:\Users\Admin\Desktop\PushMount.zip.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
4540	File opened for modification	C:\Users\Admin\Desktop\PushMount.zip.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
4633	File renamed	C:\Users\Admin\Desktop\RedoSearch.ppsm.WNCRYT => C:\Users\Admin\Desktop\RedoSearch.ppsm.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
4633	File opened for modification	C:\Users\Admin\Desktop\RedoSearch.ppsm.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
4883	File renamed	C:\Users\Admin\Desktop\SuspendBackup.vb.WNCRYT => C:\Users\Admin\Desktop\SuspendBackup.vb.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
4883	File opened for modification	C:\Users\Admin\Desktop\SuspendBackup.vb.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
5086	File renamed	C:\Users\Admin\Desktop\TestGrant.tiff.WNCRYT => C:\Users\Admin\Desktop\TestGrant.tiff.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
5086	File opened for modification	C:\Users\Admin\Desktop\TestGrant.tiff.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
5320	File renamed	C:\Users\Admin\Documents\BlockTrace.vsdx.WNCRYT => C:\Users\Admin\Documents\BlockTrace.vsdx.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
5320	File opened for modification	C:\Users\Admin\Documents\BlockTrace.vsdx.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
5694	File renamed	C:\Users\Admin\Documents\DebugSuspend.xlsx.WNCRYT => C:\Users\Admin\Documents\DebugSuspend.xlsx.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
5694	File opened for modification	C:\Users\Admin\Documents\DebugSuspend.xlsx.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
5850	File renamed	C:\Users\Admin\Documents\EnterAssert.pdf.WNCRYT => C:\Users\Admin\Documents\EnterAssert.pdf.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
5850	File opened for modification	C:\Users\Admin\Documents\EnterAssert.pdf.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
6037	File renamed	C:\Users\Admin\Documents\Files.docx.WNCRYT => C:\Users\Admin\Documents\Files.docx.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
6037	File opened for modification	C:\Users\Admin\Documents\Files.docx.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
6115	File renamed	C:\Users\Admin\Documents\MergeClose.ppt.WNCRYT => C:\Users\Admin\Documents\MergeClose.ppt.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
6115	File opened for modification	C:\Users\Admin\Documents\MergeClose.ppt.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
6193	File renamed	C:\Users\Admin\Documents\Opened.docx.WNCRYT => C:\Users\Admin\Documents\Opened.docx.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
6193	File opened for modification	C:\Users\Admin\Documents\Opened.docx.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
6380	File renamed	C:\Users\Admin\Documents\Recently.docx.WNCRYT => C:\Users\Admin\Documents\Recently.docx.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
6380	File opened for modification	C:\Users\Admin\Documents\Recently.docx.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
6474	File renamed	C:\Users\Admin\Documents\RenameUnlock.rtf.WNCRYT => C:\Users\Admin\Documents\RenameUnlock.rtf.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
6474	File opened for modification	C:\Users\Admin\Documents\RenameUnlock.rtf.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
6614	File renamed	C:\Users\Admin\Documents\RequestRepair.rtf.WNCRYT => C:\Users\Admin\Documents\RequestRepair.rtf.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
6614	File opened for modification	C:\Users\Admin\Documents\RequestRepair.rtf.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
6708	File renamed	C:\Users\Admin\Documents\RestoreConvert.doc.WNCRYT => C:\Users\Admin\Documents\RestoreConvert.doc.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
6708	File opened for modification	C:\Users\Admin\Documents\RestoreConvert.doc.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
6739	File renamed	C:\Users\Admin\Documents\SearchBlock.pdf.WNCRYT => C:\Users\Admin\Documents\SearchBlock.pdf.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
6739	File opened for modification	C:\Users\Admin\Documents\SearchBlock.pdf.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
6786	File renamed	C:\Users\Admin\Documents\SearchUpdate.rtf.WNCRYT => C:\Users\Admin\Documents\SearchUpdate.rtf.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
6786	File opened for modification	C:\Users\Admin\Documents\SearchUpdate.rtf.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
6817	File renamed	C:\Users\Admin\Documents\SkipShow.pdf.WNCRYT => C:\Users\Admin\Documents\SkipShow.pdf.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
6817	File opened for modification	C:\Users\Admin\Documents\SkipShow.pdf.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
6880	File renamed	C:\Users\Admin\Documents\CloseExpand.xlsm.WNCRYT => C:\Users\Admin\Documents\CloseExpand.xlsm.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
6880	File opened for modification	C:\Users\Admin\Documents\CloseExpand.xlsm.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
6895	File renamed	C:\Users\Admin\Documents\EnableImport.xlsb.WNCRYT => C:\Users\Admin\Documents\EnableImport.xlsb.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
6895	File opened for modification	C:\Users\Admin\Documents\EnableImport.xlsb.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
6926	File renamed	C:\Users\Admin\Documents\EnablePush.ods.WNCRYT => C:\Users\Admin\Documents\EnablePush.ods.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
6926	File opened for modification	C:\Users\Admin\Documents\EnablePush.ods.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
6989	File renamed	C:\Users\Admin\Documents\LockEdit.pot.WNCRYT => C:\Users\Admin\Documents\LockEdit.pot.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
6989	File opened for modification	C:\Users\Admin\Documents\LockEdit.pot.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
7020	File renamed	C:\Users\Admin\Documents\MergeRead.dotx.WNCRYT => C:\Users\Admin\Documents\MergeRead.dotx.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
7020	File opened for modification	C:\Users\Admin\Documents\MergeRead.dotx.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
7051	File renamed	C:\Users\Admin\Documents\ReceiveStart.dot.WNCRYT => C:\Users\Admin\Documents\ReceiveStart.dot.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
7051	File opened for modification	C:\Users\Admin\Documents\ReceiveStart.dot.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
7098	File renamed	C:\Users\Admin\Documents\UnblockAdd.pptm.WNCRYT => C:\Users\Admin\Documents\UnblockAdd.pptm.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
7098	File opened for modification	C:\Users\Admin\Documents\UnblockAdd.pptm.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
7129	File renamed	C:\Users\Admin\Documents\UpdateRestart.dotx.WNCRYT => C:\Users\Admin\Documents\UpdateRestart.dotx.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
7129	File opened for modification	C:\Users\Admin\Documents\UpdateRestart.dotx.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
7769	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
7769	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
7987	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
7987	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
8003	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Blue_Gradient.jpg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Blue_Gradient.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
8003	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Blue_Gradient.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
8034	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Garden.jpg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Garden.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
8034	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Garden.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
8050	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\GreenBubbles.jpg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\GreenBubbles.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
8050	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\GreenBubbles.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
8050	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\HandPrints.jpg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\HandPrints.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
8050	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\HandPrints.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
8050	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Monet.jpg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Monet.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
8050	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Monet.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
8065	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Notebook.jpg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Notebook.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
8065	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Notebook.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
8081	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\OrangeCircles.jpg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\OrangeCircles.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
8081	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\OrangeCircles.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
8081	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Peacock.jpg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Peacock.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
8081	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Peacock.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
8112	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Pine_Lumber.jpg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Pine_Lumber.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
8112	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Pine_Lumber.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
8112	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Pretty_Peacock.jpg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Pretty_Peacock.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
8112	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Pretty_Peacock.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
8143	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Psychedelic.jpg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Psychedelic.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
8143	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Psychedelic.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
8143	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.jpg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
8143	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
8159	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Sand_Paper.jpg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Sand_Paper.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
8159	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Sand_Paper.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
8174	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\ShadesOfBlue.jpg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\ShadesOfBlue.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
8174	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\ShadesOfBlue.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
8174	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Small_News.jpg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Small_News.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
8174	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Small_News.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
8190	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\SoftBlue.jpg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\SoftBlue.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
8190	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\SoftBlue.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
8237	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.jpg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
8237	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
8252	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Tanspecks.jpg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Tanspecks.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
8252	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Tanspecks.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
8268	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\White_Chocolate.jpg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\White_Chocolate.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
8268	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\White_Chocolate.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
8596	File renamed	C:\Users\Admin\AppData\Roaming\LimitRename.pptx.WNCRYT => C:\Users\Admin\AppData\Roaming\LimitRename.pptx.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
8596	File opened for modification	C:\Users\Admin\AppData\Roaming\LimitRename.pptx.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
8908	File renamed	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg.WNCRYT => C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
8908	File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
9001	File renamed	C:\Users\Admin\Downloads\ConvertToSend.txt.WNCRYT => C:\Users\Admin\Downloads\ConvertToSend.txt.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
9001	File opened for modification	C:\Users\Admin\Downloads\ConvertToSend.txt.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
9032	File renamed	C:\Users\Admin\Downloads\JoinConvertTo.docx.WNCRYT => C:\Users\Admin\Downloads\JoinConvertTo.docx.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
9032	File opened for modification	C:\Users\Admin\Downloads\JoinConvertTo.docx.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
9064	File renamed	C:\Users\Admin\Downloads\SkipExit.doc.WNCRYT => C:\Users\Admin\Downloads\SkipExit.doc.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
9064	File opened for modification	C:\Users\Admin\Downloads\SkipExit.doc.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
9095	File renamed	C:\Users\Admin\Downloads\StopRedo.xlsx.WNCRYT => C:\Users\Admin\Downloads\StopRedo.xlsx.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
9095	File opened for modification	C:\Users\Admin\Downloads\StopRedo.xlsx.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
9251	File renamed	C:\Users\Admin\Music\HideMeasure.vsdx.WNCRYT => C:\Users\Admin\Music\HideMeasure.vsdx.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
9251	File opened for modification	C:\Users\Admin\Music\HideMeasure.vsdx.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
9266	File renamed	C:\Users\Admin\Music\SubmitMove.vsd.WNCRYT => C:\Users\Admin\Music\SubmitMove.vsd.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
9266	File opened for modification	C:\Users\Admin\Music\SubmitMove.vsd.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
9282	File renamed	C:\Users\Admin\Music\UninstallOut.docx.WNCRYT => C:\Users\Admin\Music\UninstallOut.docx.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
9282	File opened for modification	C:\Users\Admin\Music\UninstallOut.docx.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
9344	File renamed	C:\Users\Admin\Music\WriteRepair.xls.WNCRYT => C:\Users\Admin\Music\WriteRepair.xls.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
9344	File opened for modification	C:\Users\Admin\Music\WriteRepair.xls.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
9391	File renamed	C:\Users\Admin\Pictures\OutSearch.dwg.WNCRYT => C:\Users\Admin\Pictures\OutSearch.dwg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
9391	File opened for modification	C:\Users\Admin\Pictures\OutSearch.dwg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
9422	File renamed	C:\Users\Admin\Pictures\PingCompress.jpeg.WNCRYT => C:\Users\Admin\Pictures\PingCompress.jpeg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
9422	File opened for modification	C:\Users\Admin\Pictures\PingCompress.jpeg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
9469	File renamed	C:\Users\Admin\Pictures\StartPop.jpg.WNCRYT => C:\Users\Admin\Pictures\StartPop.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
9469	File opened for modification	C:\Users\Admin\Pictures\StartPop.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
9500	File renamed	C:\Users\Admin\Pictures\SubmitFind.jpeg.WNCRYT => C:\Users\Admin\Pictures\SubmitFind.jpeg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
9500	File opened for modification	C:\Users\Admin\Pictures\SubmitFind.jpeg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
9532	File renamed	C:\Users\Admin\Pictures\UnprotectEnable.dwg.WNCRYT => C:\Users\Admin\Pictures\UnprotectEnable.dwg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
9532	File opened for modification	C:\Users\Admin\Pictures\UnprotectEnable.dwg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
9547	File renamed	C:\Users\Admin\Pictures\Wallpaper.jpg.WNCRYT => C:\Users\Admin\Pictures\Wallpaper.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
9547	File opened for modification	C:\Users\Admin\Pictures\Wallpaper.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
10062	File renamed	C:\ProgramData\Microsoft\Windows NT\MSScan\WelcomeScan.jpg.WNCRYT => C:\Users\All Users\Microsoft\Windows NT\MSScan\WelcomeScan.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
10062	File opened for modification	C:\Users\All Users\Microsoft\Windows NT\MSScan\WelcomeScan.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
10327	File renamed	C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.WNCRYT => C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
10327	File opened for modification	C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
10358	File renamed	C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.WNCRYT => C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
10358	File opened for modification	C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
10374	File renamed	C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.WNCRYT => C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
10374	File opened for modification	C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
10390	File renamed	C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.WNCRYT => C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
10390	File opened for modification	C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
10405	File renamed	C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.WNCRYT => C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
10405	File opened for modification	C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
10468	File renamed	C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.WNCRYT => C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
10468	File opened for modification	C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
10499	File renamed	C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.WNCRYT => C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
10499	File opened for modification	C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
10561	File renamed	C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.WNCRYT => C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
10561	File opened for modification	C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
10624	File renamed	C:\Users\Admin\AppData\Local\IconCache.db.WNCRYT => C:\Users\Admin\AppData\Local\IconCache.db.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
10624	File opened for modification	C:\Users\Admin\AppData\Local\IconCache.db.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
10639	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.bak.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.bak.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
10639	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.bak.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
10655	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
10655	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
10655	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
10655	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
10686	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Cave_Drawings.gif.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Cave_Drawings.gif.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
10686	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Cave_Drawings.gif.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
10686	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Connectivity.gif.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Connectivity.gif.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
10686	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Connectivity.gif.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
10686	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Stucco.gif.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Stucco.gif.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
10686	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Stucco.gif.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
10717	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Tiki.gif.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Tiki.gif.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
10717	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Tiki.gif.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
10733	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Wrinkled_Paper.gif.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Wrinkled_Paper.gif.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
10733	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Wrinkled_Paper.gif.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
10826	File renamed	C:\Users\Admin\AppData\Roaming\CheckpointCopy.vb.WNCRYT => C:\Users\Admin\AppData\Roaming\CheckpointCopy.vb.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
10826	File opened for modification	C:\Users\Admin\AppData\Roaming\CheckpointCopy.vb.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
10889	File renamed	C:\Users\Admin\AppData\Roaming\ClearSync.mid.WNCRYT => C:\Users\Admin\AppData\Roaming\ClearSync.mid.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
10889	File opened for modification	C:\Users\Admin\AppData\Roaming\ClearSync.mid.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
10920	File renamed	C:\Users\Admin\AppData\Roaming\SetInstall.js.WNCRYT => C:\Users\Admin\AppData\Roaming\SetInstall.js.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
10920	File opened for modification	C:\Users\Admin\AppData\Roaming\SetInstall.js.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
10967	File renamed	C:\Users\Admin\AppData\Roaming\SplitMerge.mov.WNCRYT => C:\Users\Admin\AppData\Roaming\SplitMerge.mov.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
10967	File opened for modification	C:\Users\Admin\AppData\Roaming\SplitMerge.mov.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
11014	File renamed	C:\Users\Admin\AppData\Roaming\WatchCompare.mpg.WNCRYT => C:\Users\Admin\AppData\Roaming\WatchCompare.mpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
11014	File opened for modification	C:\Users\Admin\AppData\Roaming\WatchCompare.mpg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
11107	File renamed	C:\Users\Admin\AppData\Roaming\Microsoft\Document Building Blocks\1033\14\Built-In Building Blocks.dotx.WNCRYT => C:\Users\Admin\AppData\Roaming\Microsoft\Document Building Blocks\1033\14\Built-In Building Blocks.dotx.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
11107	File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Document Building Blocks\1033\14\Built-In Building Blocks.dotx.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
11123	File renamed	C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm.WNCRYT => C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
11123	File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
11138	File renamed	C:\Users\Admin\Downloads\ApproveProtect.ods.WNCRYT => C:\Users\Admin\Downloads\ApproveProtect.ods.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
11138	File opened for modification	C:\Users\Admin\Downloads\ApproveProtect.ods.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
11154	File renamed	C:\Users\Admin\Downloads\CheckpointGroup.rar.WNCRYT => C:\Users\Admin\Downloads\CheckpointGroup.rar.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
11154	File opened for modification	C:\Users\Admin\Downloads\CheckpointGroup.rar.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
11248	File renamed	C:\Users\Admin\Downloads\CloseUnregister.asp.WNCRYT => C:\Users\Admin\Downloads\CloseUnregister.asp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
11248	File opened for modification	C:\Users\Admin\Downloads\CloseUnregister.asp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
11372	File renamed	C:\Users\Admin\Downloads\ConfirmResolve.xltx.WNCRYT => C:\Users\Admin\Downloads\ConfirmResolve.xltx.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
11372	File opened for modification	C:\Users\Admin\Downloads\ConfirmResolve.xltx.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
11419	File renamed	C:\Users\Admin\Downloads\EditCheckpoint.odt.WNCRYT => C:\Users\Admin\Downloads\EditCheckpoint.odt.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
11419	File opened for modification	C:\Users\Admin\Downloads\EditCheckpoint.odt.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
11435	File renamed	C:\Users\Admin\Downloads\EnableTrace.mov.WNCRYT => C:\Users\Admin\Downloads\EnableTrace.mov.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
11435	File opened for modification	C:\Users\Admin\Downloads\EnableTrace.mov.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
11435	File renamed	C:\Users\Admin\Downloads\ExportSwitch.ps1.WNCRYT => C:\Users\Admin\Downloads\ExportSwitch.ps1.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
11435	File opened for modification	C:\Users\Admin\Downloads\ExportSwitch.ps1.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
11482	File renamed	C:\Users\Admin\Downloads\FormatWatch.ppsx.WNCRYT => C:\Users\Admin\Downloads\FormatWatch.ppsx.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
11482	File opened for modification	C:\Users\Admin\Downloads\FormatWatch.ppsx.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
11528	File renamed	C:\Users\Admin\Downloads\HideConvertFrom.pps.WNCRYT => C:\Users\Admin\Downloads\HideConvertFrom.pps.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
11528	File opened for modification	C:\Users\Admin\Downloads\HideConvertFrom.pps.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
11575	File renamed	C:\Users\Admin\Downloads\InvokeSet.m3u.WNCRYT => C:\Users\Admin\Downloads\InvokeSet.m3u.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
11575	File opened for modification	C:\Users\Admin\Downloads\InvokeSet.m3u.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
11591	File renamed	C:\Users\Admin\Downloads\ReadHide.mov.WNCRYT => C:\Users\Admin\Downloads\ReadHide.mov.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
11591	File opened for modification	C:\Users\Admin\Downloads\ReadHide.mov.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
11684	File renamed	C:\Users\Admin\Downloads\UnpublishHide.cmd.WNCRYT => C:\Users\Admin\Downloads\UnpublishHide.cmd.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
11684	File opened for modification	C:\Users\Admin\Downloads\UnpublishHide.cmd.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
11700	File renamed	C:\Users\Admin\Music\ClearRemove.gif.WNCRYT => C:\Users\Admin\Music\ClearRemove.gif.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
11700	File opened for modification	C:\Users\Admin\Music\ClearRemove.gif.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
11918	File renamed	C:\Users\Admin\Music\ConvertUnprotect.mp4.WNCRYT => C:\Users\Admin\Music\ConvertUnprotect.mp4.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
11918	File opened for modification	C:\Users\Admin\Music\ConvertUnprotect.mp4.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
11950	File renamed	C:\Users\Admin\Music\ExpandAdd.wma.WNCRYT => C:\Users\Admin\Music\ExpandAdd.wma.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
11950	File opened for modification	C:\Users\Admin\Music\ExpandAdd.wma.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
11965	File renamed	C:\Users\Admin\Music\ExportWatch.iso.WNCRYT => C:\Users\Admin\Music\ExportWatch.iso.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
11965	File opened for modification	C:\Users\Admin\Music\ExportWatch.iso.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
12028	File renamed	C:\Users\Admin\Music\ImportExit.ods.WNCRYT => C:\Users\Admin\Music\ImportExit.ods.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
12028	File opened for modification	C:\Users\Admin\Music\ImportExit.ods.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
12121	File renamed	C:\Users\Admin\Music\RemoveOut.mp3.WNCRYT => C:\Users\Admin\Music\RemoveOut.mp3.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
12121	File opened for modification	C:\Users\Admin\Music\RemoveOut.mp3.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
12168	File renamed	C:\Users\Admin\Music\ResolveUnlock.zip.WNCRYT => C:\Users\Admin\Music\ResolveUnlock.zip.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
12168	File opened for modification	C:\Users\Admin\Music\ResolveUnlock.zip.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
12199	File renamed	C:\Users\Admin\Music\SelectOut.mp3.WNCRYT => C:\Users\Admin\Music\SelectOut.mp3.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
12199	File opened for modification	C:\Users\Admin\Music\SelectOut.mp3.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
12277	File renamed	C:\Users\Admin\Music\SendPush.odt.WNCRYT => C:\Users\Admin\Music\SendPush.odt.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
12277	File opened for modification	C:\Users\Admin\Music\SendPush.odt.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
12308	File renamed	C:\Users\Admin\Music\UnprotectUninstall.sql.WNCRYT => C:\Users\Admin\Music\UnprotectUninstall.sql.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
12308	File opened for modification	C:\Users\Admin\Music\UnprotectUninstall.sql.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
12324	File renamed	C:\Users\Admin\Pictures\BackupMount.raw.WNCRYT => C:\Users\Admin\Pictures\BackupMount.raw.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
12324	File opened for modification	C:\Users\Admin\Pictures\BackupMount.raw.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
12355	File renamed	C:\Users\Admin\Pictures\BlockExpand.svg.WNCRYT => C:\Users\Admin\Pictures\BlockExpand.svg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
12355	File opened for modification	C:\Users\Admin\Pictures\BlockExpand.svg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
12386	File renamed	C:\Users\Admin\Pictures\CloseUnlock.gif.WNCRYT => C:\Users\Admin\Pictures\CloseUnlock.gif.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
12386	File opened for modification	C:\Users\Admin\Pictures\CloseUnlock.gif.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
12433	File renamed	C:\Users\Admin\Pictures\ConvertToResume.gif.WNCRYT => C:\Users\Admin\Pictures\ConvertToResume.gif.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
12433	File opened for modification	C:\Users\Admin\Pictures\ConvertToResume.gif.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
12464	File renamed	C:\Users\Admin\Pictures\DenyInstall.tif.WNCRYT => C:\Users\Admin\Pictures\DenyInstall.tif.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
12464	File opened for modification	C:\Users\Admin\Pictures\DenyInstall.tif.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
12496	File renamed	C:\Users\Admin\Pictures\ExportDisconnect.bmp.WNCRYT => C:\Users\Admin\Pictures\ExportDisconnect.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
12496	File opened for modification	C:\Users\Admin\Pictures\ExportDisconnect.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
12542	File renamed	C:\Users\Admin\Pictures\GetClear.bmp.WNCRYT => C:\Users\Admin\Pictures\GetClear.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
12542	File opened for modification	C:\Users\Admin\Pictures\GetClear.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
12558	File renamed	C:\Users\Admin\Pictures\NewUnpublish.tiff.WNCRYT => C:\Users\Admin\Pictures\NewUnpublish.tiff.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
12558	File opened for modification	C:\Users\Admin\Pictures\NewUnpublish.tiff.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
12605	File renamed	C:\Users\Admin\Pictures\OutConnect.svg.WNCRYT => C:\Users\Admin\Pictures\OutConnect.svg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
12605	File opened for modification	C:\Users\Admin\Pictures\OutConnect.svg.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
12620	File renamed	C:\Users\Admin\Pictures\OutInstall.raw.WNCRYT => C:\Users\Admin\Pictures\OutInstall.raw.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
12620	File opened for modification	C:\Users\Admin\Pictures\OutInstall.raw.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
12620	File renamed	C:\Users\Admin\Pictures\RenameUnregister.tif.WNCRYT => C:\Users\Admin\Pictures\RenameUnregister.tif.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
12620	File opened for modification	C:\Users\Admin\Pictures\RenameUnregister.tif.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
12683	File renamed	C:\Users\Admin\Pictures\ShowGroup.gif.WNCRYT => C:\Users\Admin\Pictures\ShowGroup.gif.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
12683	File opened for modification	C:\Users\Admin\Pictures\ShowGroup.gif.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
12683	File renamed	C:\Users\Admin\Pictures\UseSubmit.gif.WNCRYT => C:\Users\Admin\Pictures\UseSubmit.gif.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
12683	File opened for modification	C:\Users\Admin\Pictures\UseSubmit.gif.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
12698	File renamed	C:\Users\Admin\Pictures\WaitConnect.raw.WNCRYT => C:\Users\Admin\Pictures\WaitConnect.raw.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
12698	File opened for modification	C:\Users\Admin\Pictures\WaitConnect.raw.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
12792	File renamed	C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.WNCRYT => C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
12792	File opened for modification	C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
12839	File renamed	C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.WNCRYT => C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
12839	File opened for modification	C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
12839	File renamed	C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.WNCRYT => C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
12839	File opened for modification	C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
12917	File renamed	C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.WNCRYT => C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
12917	File opened for modification	C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
13088	File renamed	C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.WNCRYT => C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
13088	File opened for modification	C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
13088	File renamed	C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.WNCRYT => C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
13088	File opened for modification	C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
13931	File renamed	C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb.WNCRYT => C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Windows.edb.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
13931	File opened for modification	C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\Windows.edb.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
13978	File renamed	C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\guest.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
13978	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\guest.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
13978	File renamed	C:\ProgramData\Microsoft\User Account Pictures\user.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\user.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
13978	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\user.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
13978	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
13978	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14024	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14024	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14040	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14040	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14087	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14087	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14118	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14118	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14258	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14258	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14368	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14383	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14383	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14383	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14446	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14446	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14446	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14446	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14446	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14446	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14446	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14446	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14477	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14477	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14492	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14492	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14570	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14570	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14570	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14570	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14570	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14570	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14586	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14586	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14586	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14586	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14586	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14586	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14586	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14586	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14617	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14617	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14617	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14617	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14648	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14648	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14664	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14664	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14664	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14664	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14664	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14664	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14976	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14976	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14976	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
14976	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
15101	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
15101	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
15116	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
15116	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
15116	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
15116	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
15116	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
15116	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
15116	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
15116	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
15132	File renamed	C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
15132	File opened for modification	C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
15132	File renamed	C:\ProgramData\Microsoft\Windows\Caches\cversions.2.db.WNCRYT => C:\Users\All Users\Microsoft\Windows\Caches\cversions.2.db.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
15132	File opened for modification	C:\Users\All Users\Microsoft\Windows\Caches\cversions.2.db.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
15148	File renamed	C:\ProgramData\Microsoft\Windows\Caches\{4E4260A4-7E39-442E-BC22-7FF751D1C161}.2.ver0x0000000000000002.db.WNCRYT => C:\Users\All Users\Microsoft\Windows\Caches\{4E4260A4-7E39-442E-BC22-7FF751D1C161}.2.ver0x0000000000000002.db.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
15148	File opened for modification	C:\Users\All Users\Microsoft\Windows\Caches\{4E4260A4-7E39-442E-BC22-7FF751D1C161}.2.ver0x0000000000000002.db.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
15148	File renamed	C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000a.db.WNCRYT => C:\Users\All Users\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000a.db.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
15148	File opened for modification	C:\Users\All Users\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000a.db.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
15163	File renamed	C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000012.db.WNCRYT => C:\Users\All Users\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000012.db.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
15163	File opened for modification	C:\Users\All Users\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000012.db.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
15226	File renamed	C:\ProgramData\Microsoft\Windows\Caches\{CA6F10F7-F66D-4B30-98F4-730F0A5573AE}.2.ver0x0000000000000001.db.WNCRYT => C:\Users\All Users\Microsoft\Windows\Caches\{CA6F10F7-F66D-4B30-98F4-730F0A5573AE}.2.ver0x0000000000000001.db.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
15226	File opened for modification	C:\Users\All Users\Microsoft\Windows\Caches\{CA6F10F7-F66D-4B30-98F4-730F0A5573AE}.2.ver0x0000000000000001.db.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
15226	File renamed	C:\ProgramData\Microsoft\Windows\Caches\{CF8FDC1A-AD08-4661-935E-36BFCA60C278}.2.ver0x0000000000000001.db.WNCRYT => C:\Users\All Users\Microsoft\Windows\Caches\{CF8FDC1A-AD08-4661-935E-36BFCA60C278}.2.ver0x0000000000000001.db.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
15226	File opened for modification	C:\Users\All Users\Microsoft\Windows\Caches\{CF8FDC1A-AD08-4661-935E-36BFCA60C278}.2.ver0x0000000000000001.db.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
15241	File renamed	C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db.WNCRYT => C:\Users\All Users\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
15241	File opened for modification	C:\Users\All Users\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
15257	File renamed	C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 01.wma.WNCRYT => C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 01.wma.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
15257	File opened for modification	C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 01.wma.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
15257	File renamed	C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 02.wma.WNCRYT => C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 02.wma.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
15257	File opened for modification	C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 02.wma.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
15272	File renamed	C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 03.wma.WNCRYT => C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 03.wma.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
15272	File opened for modification	C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 03.wma.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
15288	File renamed	C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 04.wma.WNCRYT => C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 04.wma.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
15288	File opened for modification	C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 04.wma.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
15335	File renamed	C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 05.wma.WNCRYT => C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 05.wma.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
15335	File opened for modification	C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 05.wma.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
15350	File renamed	C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 06.wma.WNCRYT => C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 06.wma.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
15350	File opened for modification	C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 06.wma.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
15366	File renamed	C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 07.wma.WNCRYT => C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 07.wma.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
15366	File opened for modification	C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 07.wma.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
15382	File renamed	C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 08.wma.WNCRYT => C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 08.wma.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
15382	File opened for modification	C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 08.wma.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
15397	File renamed	C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 09.wma.WNCRYT => C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 09.wma.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
15397	File opened for modification	C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 09.wma.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
15662	File renamed	C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone 10.wma.WNCRYT => C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 10.wma.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
15662	File opened for modification	C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 10.wma.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
15740	File renamed	C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\WelcomeFax.tif.WNCRYT => C:\Users\All Users\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\WelcomeFax.tif.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
15740	File opened for modification	C:\Users\All Users\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\WelcomeFax.tif.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
16037	File renamed	C:\Users\Public\Music\Sample Music\Kalimba.mp3.WNCRYT => C:\Users\Public\Music\Sample Music\Kalimba.mp3.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
16037	File opened for modification	C:\Users\Public\Music\Sample Music\Kalimba.mp3.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
16130	File renamed	C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.WNCRYT => C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
16130	File opened for modification	C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
16286	File renamed	C:\Users\Public\Music\Sample Music\Sleep Away.mp3.WNCRYT => C:\Users\Public\Music\Sample Music\Sleep Away.mp3.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
16286	File opened for modification	C:\Users\Public\Music\Sample Music\Sleep Away.mp3.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
16614	File renamed	C:\Users\Public\Videos\Sample Videos\Wildlife.wmv.WNCRYT => C:\Users\Public\Videos\Sample Videos\Wildlife.wmv.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
16614	File opened for modification	C:\Users\Public\Videos\Sample Videos\Wildlife.wmv.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
16614	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1024.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1024.db.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
16614	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1024.db.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
16614	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
16614	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
16614	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
16614	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
16630	File renamed	C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
16630	File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
16630	File opened (read-only)	C:\hiberfil.sys.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
16630	File opened (read-only)	C:\pagefile.sys.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
22480	File renamed	C:\MSOCache\All Users\{90140000-0011-0000-1000-0000000FF1CE}-C\ProPsWW2.cab.WNCRYT => C:\MSOCache\All Users\{90140000-0011-0000-1000-0000000FF1CE}-C\ProPsWW2.cab.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
22480	File opened for modification	C:\MSOCache\All Users\{90140000-0011-0000-1000-0000000FF1CE}-C\ProPsWW2.cab.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Drops Office document 18 IoCs

dropper exploiter maldoc

at	description	ioc	Process
3978	File opened for modification	C:\Users\Admin\Desktop\SplitResume.xls	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
4056	File opened for modification	C:\Users\Admin\Desktop\SubmitUndo.pptx	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
4337	File opened for modification	C:\Users\Admin\Desktop\HideComplete.ppsx	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
4368	File opened for modification	C:\Users\Admin\Desktop\LimitFormat.dot	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
4633	File opened for modification	C:\Users\Admin\Desktop\RedoSearch.ppsm	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
5694	File opened for modification	C:\Users\Admin\Documents\DebugSuspend.xlsx	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
6037	File opened for modification	C:\Users\Admin\Documents\Files.docx	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
6115	File opened for modification	C:\Users\Admin\Documents\MergeClose.ppt	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
6209	File opened for modification	C:\Users\Admin\Documents\Opened.docx	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
6380	File opened for modification	C:\Users\Admin\Documents\Recently.docx	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
6708	File opened for modification	C:\Users\Admin\Documents\RestoreConvert.doc	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
6880	File opened for modification	C:\Users\Admin\Documents\CloseExpand.xlsm	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
6895	File opened for modification	C:\Users\Admin\Documents\EnableImport.xlsb	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
6989	File opened for modification	C:\Users\Admin\Documents\LockEdit.pot	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
7020	File opened for modification	C:\Users\Admin\Documents\MergeRead.dotx	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
7051	File opened for modification	C:\Users\Admin\Documents\ReceiveStart.dot	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
7098	File opened for modification	C:\Users\Admin\Documents\UnblockAdd.pptm	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
7129	File opened for modification	C:\Users\Admin\Documents\UpdateRestart.dotx	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Drops startup file 6 IoCs

at	description	ioc	Process
8892	File created (read-only)	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDC6D1.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
8892	File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDC6D1.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
8892	File deleted	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDC6D1.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
8923	File created (read-only)	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDC6F4.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
8923	File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDC6F4.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
8923	File deleted	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDC6F4.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Sets desktop wallpaper registry value 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

at	description	ioc	Process
22495	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
33883	Set value (str)	\REGISTRY\USER\S-1-5-21-2130127925-3255122776-1239856527-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses

Known Tor node 4 IoCs

ioc
131.188.40.189
95.216.137.135
31.184.198.152
188.244.43.25

Modifies registry key 1 TTPs

Modify Registry
T1112

Adds Run entry to start application 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

at	description	ioc	Process
34024	Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
34024	Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vobbdjxs977 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\""	reg.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

at	description	Process
34039	Token: SeTcbPrivilege	taskse.exe
34149	Token: SeTcbPrivilege	taskse.exe
36301	Token: SeBackupPrivilege	vssvc.exe
36301	Token: SeRestorePrivilege	vssvc.exe
36301	Token: SeAuditPrivilege	vssvc.exe
36660	Token: SeIncreaseQuotaPrivilege	WMIC.exe
36660	Token: SeSecurityPrivilege	WMIC.exe
36660	Token: SeTakeOwnershipPrivilege	WMIC.exe
36660	Token: SeLoadDriverPrivilege	WMIC.exe
36660	Token: SeSystemProfilePrivilege	WMIC.exe
36660	Token: SeSystemtimePrivilege	WMIC.exe
36660	Token: SeProfSingleProcessPrivilege	WMIC.exe
36660	Token: SeIncBasePriorityPrivilege	WMIC.exe
36660	Token: SeCreatePagefilePrivilege	WMIC.exe
36660	Token: SeBackupPrivilege	WMIC.exe
36660	Token: SeRestorePrivilege	WMIC.exe
36660	Token: SeShutdownPrivilege	WMIC.exe
36660	Token: SeDebugPrivilege	WMIC.exe
36660	Token: SeSystemEnvironmentPrivilege	WMIC.exe
36660	Token: SeRemoteShutdownPrivilege	WMIC.exe
36660	Token: SeUndockPrivilege	WMIC.exe
36660	Token: SeManageVolumePrivilege	WMIC.exe
36660	Token: 33	WMIC.exe
36660	Token: 34	WMIC.exe
36660	Token: 35	WMIC.exe
37471	Token: SeIncreaseQuotaPrivilege	WMIC.exe
37471	Token: SeSecurityPrivilege	WMIC.exe
37471	Token: SeTakeOwnershipPrivilege	WMIC.exe
37471	Token: SeLoadDriverPrivilege	WMIC.exe
37471	Token: SeSystemProfilePrivilege	WMIC.exe
37471	Token: SeSystemtimePrivilege	WMIC.exe
37471	Token: SeProfSingleProcessPrivilege	WMIC.exe
37471	Token: SeIncBasePriorityPrivilege	WMIC.exe
37471	Token: SeCreatePagefilePrivilege	WMIC.exe
37471	Token: SeBackupPrivilege	WMIC.exe
37471	Token: SeRestorePrivilege	WMIC.exe
37471	Token: SeShutdownPrivilege	WMIC.exe
37471	Token: SeDebugPrivilege	WMIC.exe
37471	Token: SeSystemEnvironmentPrivilege	WMIC.exe
37471	Token: SeRemoteShutdownPrivilege	WMIC.exe
37471	Token: SeUndockPrivilege	WMIC.exe
37471	Token: SeManageVolumePrivilege	WMIC.exe
37471	Token: 33	WMIC.exe
37471	Token: 34	WMIC.exe
37471	Token: 35	WMIC.exe

Interacts with shadow copies 2 TTPs
ransomware

Inhibit System Recovery
T1490

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

at	description	ioc	Process
36333	Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
36364	Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
36395	Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
36411	Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Deletes shadow copies 2 TTPs
ransomware

Inhibit System Recovery
T1490
wannacry family
family

C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Wannacry file encrypt
- Drops Office document
- Drops startup file
- Sets desktop wallpaper registry value
PID:1976

C:\Windows\SysWOW64\attrib.exe
attrib +h .
1⤵
PID:1208

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1005262567-1287444096183175087443968989-615150670-107780038919523734-994501506"
1⤵
PID:848

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
1⤵
PID:880

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-483413442-13104847621034489013948345003-1369318337-18109533411678536547528133237"
1⤵
PID:1924

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
1⤵
PID:772

C:\Windows\SysWOW64\cmd.exe
cmd /c 178731569506335.bat
1⤵
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-426808712-18566710791273761319-871795283937277483-641827656-73153519-1362468543"
1⤵
PID:2044

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
1⤵
PID:1280

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected] co
1⤵
- Suspicious use of WriteProcessMemory
PID:880

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
1⤵
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-36881974-325030239197330569678350076021884686763741804-343312451-892284949"
1⤵
PID:2036

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected] vs
1⤵
- Suspicious use of WriteProcessMemory
PID:2004

C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
1⤵
PID:1492

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1142426693-854492000320945150-193821621-123288699113838640351484008132-785066967"
1⤵
PID:1368

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
1⤵
PID:900

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
1⤵
- Sets desktop wallpaper registry value
PID:1568

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "vobbdjxs977" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
1⤵
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-172383260-3202013632026295438678614099323359736-675705032537360034-635504174"
1⤵
PID:1816

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "vobbdjxs977" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
1⤵
- Adds Run entry to start application
PID:1180

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
1⤵
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1314368239338884374-1480126229-2026551355348758018-1083251307-395748495110074215"
1⤵
PID:1280

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
1⤵
PID:864

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies service
PID:1912

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

MITRE ATT&CK Additional techniques

T1158
T1060
T1107
T1031

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Additional techniques

Replay Monitor

Loading Replay Monitor...

Downloads