Analysis
-
max time kernel
52s -
max time network
11651379494s -
resource
win10
Task
task1
Sample
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Resource
win7
0 signatures
Task
task2
Sample
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Resource
win10
0 signatures
Task
task3
Sample
fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
Resource
win7
0 signatures
Task
task4
Sample
fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
Resource
win10
0 signatures
General
-
Target
TwoLayer.zip
-
Sample
190926-jyftrj55ss
-
SHA256
aa892cf3eb80b918469a8689eabb240b2ad50784e74885d9e277640e252bbbae
Score
N/A
Malware Config
Signatures
-
Views/modifies file attributes 1 TTPs
-
Suspicious use of WriteProcessMemory 13 IoCs
Modifies file permissions 1 TTPs
-
Executes dropped EXE
-
Wannacry file encrypt 493 IoCs
modification C:\Users\Admin\AppData\Local\IconCache.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 16266 File renamed C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313\AppBlue.png.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313\AppBlue.png.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 16266 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313\AppBlue.png.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 16281 File renamed C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313\AppWhite.png.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313\AppWhite.png.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 16281 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313\AppWhite.png.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 16375 File renamed C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313\AutoPlayOptIn.gif.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313\AutoPlayOptIn.gif.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 16375 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313\AutoPlayOptIn.gif.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 16375 File renamed C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313\AutoPlayOptIn.png.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313\AutoPlayOptIn.png.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 16375 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313\AutoPlayOptIn.png.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 16391 File renamed 
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313\ElevatedAppBlue.png.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313\ElevatedAppBlue.png.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 16391 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313\ElevatedAppBlue.png.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 16422 File renamed C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313\ElevatedAppWhite.png.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313\ElevatedAppWhite.png.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 16422 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313\ElevatedAppWhite.png.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 16500 File renamed C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313\Error.png.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313\Error.png.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 16500 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313\Error.png.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 16516 File renamed C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313\images\iceBucket.svg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313\images\iceBucket.svg.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 16516 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313\images\iceBucket.svg.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 16547 File renamed C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\AppBlue.png.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\AppBlue.png.WNCRY 
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 16547 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\AppBlue.png.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 16578 File renamed C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\AppWhite.png.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\AppWhite.png.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 16578 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\AppWhite.png.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 16625 File renamed C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\AutoPlayOptIn.gif.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\AutoPlayOptIn.gif.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 16625 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\AutoPlayOptIn.gif.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 16625 File renamed C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\AutoPlayOptIn.png.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\AutoPlayOptIn.png.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 16625 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\AutoPlayOptIn.png.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 16641 File renamed C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\ElevatedAppBlue.png.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\ElevatedAppBlue.png.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 16641 File opened for modification 
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\ElevatedAppBlue.png.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 16656 File renamed C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\ElevatedAppWhite.png.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\ElevatedAppWhite.png.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 16656 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\ElevatedAppWhite.png.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 16672 File renamed C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\Error.png.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\Error.png.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 16672 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\Error.png.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 16688 File renamed C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\OneDriveLogo.png.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\OneDriveLogo.png.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 16688 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\OneDriveLogo.png.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 16734 File renamed C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\QuotaCritical.png.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\QuotaCritical.png.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 16734 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\QuotaCritical.png.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 16750 
File renamed C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\QuotaError.png.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\QuotaError.png.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 16750 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\QuotaError.png.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 16781 File renamed C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\QuotaNearing.png.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\QuotaNearing.png.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 16781 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\QuotaNearing.png.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 16859 File renamed C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\ScreenshotOptIn.gif.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\ScreenshotOptIn.gif.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 16859 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\ScreenshotOptIn.gif.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 16969 File renamed C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\Warning.png.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\Warning.png.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 16969 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\Warning.png.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 16984 File renamed C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\images\cloud.svg.WNCRYT => 
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\images\cloud.svg.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 16984 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\images\cloud.svg.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 16984 File renamed C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\images\iceBucket.svg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\images\iceBucket.svg.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 16984 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\images\iceBucket.svg.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17000 File renamed C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\images\onedrivePremium.svg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\images\onedrivePremium.svg.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17000 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\images\onedrivePremium.svg.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17047 File renamed C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\images\partiallyFreezing.svg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\images\partiallyFreezing.svg.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17047 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\images\partiallyFreezing.svg.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17063 File renamed C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\images\settings.svg.WNCRYT => 
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\images\settings.svg.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17063 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\images\settings.svg.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17094 File renamed C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\images\settingsdisabled.svg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\images\settingsdisabled.svg.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17094 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\images\settingsdisabled.svg.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17109 File renamed C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\images\stackedIceCubes.svg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\images\stackedIceCubes.svg.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17109 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\images\stackedIceCubes.svg.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17125 File renamed C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\images\waterGlass.svg.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\images\waterGlass.svg.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17125 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_1\images\waterGlass.svg.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17156 File renamed C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\cversions.1.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\cversions.1.db.WNCRY 
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17156 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\cversions.1.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17156 File renamed C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\cversions.3.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\cversions.3.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17156 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\cversions.3.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17188 File renamed C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{03BA58C4-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{03BA58C4-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17188 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{03BA58C4-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17188 File opened (read-only) C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000019.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17188 File opened (read-only) C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001a.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17203 File renamed C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000002.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000002.db.WNCRY 
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17203 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000002.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17203 File renamed C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000003.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000003.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17203 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000003.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17266 File renamed C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17266 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17297 File renamed C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17297 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17328 File renamed C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17328 File opened 
for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17328 File renamed C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17328 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17344 File renamed C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17344 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17391 File renamed C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17391 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17422 File renamed C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17422 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17438 File renamed C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db.WNCRYT 
=> C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17438 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17453 File renamed C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17453 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17469 File renamed C:\Users\Admin\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17469 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17516 File renamed C:\Users\Admin\AppData\Local\Microsoft\Windows\SettingSync\metastore\meta.edb.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\SettingSync\metastore\meta.edb.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17516 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\SettingSync\metastore\meta.edb.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17563 File renamed C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\9JPT1MWA\2\045d3532[1].js.WNCRYT => C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\9JPT1MWA\2\045d3532[1].js.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 
17563 File opened for modification C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\9JPT1MWA\2\045d3532[1].js.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17609 File renamed C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\9JPT1MWA\2\049fdf74[1].js.WNCRYT => C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\9JPT1MWA\2\049fdf74[1].js.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17609 File opened for modification C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\9JPT1MWA\2\049fdf74[1].js.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17766 File renamed C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\9JPT1MWA\2\0c3a2f0b[1].js.WNCRYT => C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\9JPT1MWA\2\0c3a2f0b[1].js.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17766 File opened for modification C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\9JPT1MWA\2\0c3a2f0b[1].js.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17797 File renamed C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\9JPT1MWA\2\359d2aee[1].js.WNCRYT => C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\9JPT1MWA\2\359d2aee[1].js.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 17797 File opened for modification C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\9JPT1MWA\2\359d2aee[1].js.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 18031 File renamed 
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\9JPT1MWA\2\38817ca5[1].js.WNCRYT => C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\9JPT1MWA\2\38817ca5[1].js.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 18031 File opened for modification C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\9JPT1MWA\2\38817ca5[1].js.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 18063 File renamed C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\9JPT1MWA\2\3c8600a8[1].js.WNCRYT => C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\9JPT1MWA\2\3c8600a8[1].js.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 18063 File opened for modification C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\9JPT1MWA\2\3c8600a8[1].js.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 18094 File renamed C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\9JPT1MWA\2\4276cfeb[1].js.WNCRYT => C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\9JPT1MWA\2\4276cfeb[1].js.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 18094 File opened for modification C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\9JPT1MWA\2\4276cfeb[1].js.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 18094 File renamed C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\9JPT1MWA\2\53c747e0[1].js.WNCRYT => C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\9JPT1MWA\2\53c747e0[1].js.WNCRY 
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23781 File renamed C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23781 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23781 File renamed C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23781 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23781 File renamed C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23781 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23797 File renamed C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23797 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23797 File renamed 
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23797 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23797 File renamed C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23797 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23797 File renamed C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1280.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1280.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23797 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1280.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23813 File renamed C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1920.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1920.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23813 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1920.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23813 File renamed C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_2560.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_2560.db.WNCRY 
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23813 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_2560.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23813 File renamed C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_768.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_768.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23813 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_768.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23813 File renamed C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23813 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23813 File renamed C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_custom_stream.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_custom_stream.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23813 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_custom_stream.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23813 File renamed C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_exif.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_exif.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23813 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_exif.db.WNCRY 
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23813 File renamed C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23813 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23813 File renamed C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23813 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23813 File renamed C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide_alternate.db.WNCRYT => C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide_alternate.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23813 File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide_alternate.db.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23813 File renamed C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\9JPT1MWA\2\c8d12cbe[1].js.WNCRYT => C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\9JPT1MWA\2\c8d12cbe[1].js.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23813 File opened for modification C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\9JPT1MWA\2\c8d12cbe[1].js.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23813 File renamed 
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{4e4088c7-2f50-4609-b6a0-a170ff30714c}\0.1.filtertrie.intermediate.txt.WNCRYT => C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{4e4088c7-2f50-4609-b6a0-a170ff30714c}\0.1.filtertrie.intermediate.txt.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23813 File opened for modification C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{4e4088c7-2f50-4609-b6a0-a170ff30714c}\0.1.filtertrie.intermediate.txt.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23828 File renamed C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{4e4088c7-2f50-4609-b6a0-a170ff30714c}\0.2.filtertrie.intermediate.txt.WNCRYT => C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{4e4088c7-2f50-4609-b6a0-a170ff30714c}\0.2.filtertrie.intermediate.txt.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23828 File opened for modification C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{4e4088c7-2f50-4609-b6a0-a170ff30714c}\0.2.filtertrie.intermediate.txt.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23828 File renamed C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{7a8ee637-a988-452b-badd-4a7bac7f10fe}\0.1.filtertrie.intermediate.txt.WNCRYT => C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{7a8ee637-a988-452b-badd-4a7bac7f10fe}\0.1.filtertrie.intermediate.txt.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23828 File opened for modification 
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{7a8ee637-a988-452b-badd-4a7bac7f10fe}\0.1.filtertrie.intermediate.txt.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23828 File renamed C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{7a8ee637-a988-452b-badd-4a7bac7f10fe}\0.2.filtertrie.intermediate.txt.WNCRYT => C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{7a8ee637-a988-452b-badd-4a7bac7f10fe}\0.2.filtertrie.intermediate.txt.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23828 File opened for modification C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{7a8ee637-a988-452b-badd-4a7bac7f10fe}\0.2.filtertrie.intermediate.txt.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23828 File renamed C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{a125166a-6d49-41fc-81c4-a19cf77c428e}\0.1.filtertrie.intermediate.txt.WNCRYT => C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{a125166a-6d49-41fc-81c4-a19cf77c428e}\0.1.filtertrie.intermediate.txt.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23828 File opened for modification C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{a125166a-6d49-41fc-81c4-a19cf77c428e}\0.1.filtertrie.intermediate.txt.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23828 File renamed C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{a125166a-6d49-41fc-81c4-a19cf77c428e}\0.2.filtertrie.intermediate.txt.WNCRYT => 
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{a125166a-6d49-41fc-81c4-a19cf77c428e}\0.2.filtertrie.intermediate.txt.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23828 File opened for modification C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{a125166a-6d49-41fc-81c4-a19cf77c428e}\0.2.filtertrie.intermediate.txt.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23828 File opened (read-only) C:\Users\All Users\Microsoft\Diagnosis\osver.txt.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23922 File renamed C:\ProgramData\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1.WNCRYT => C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23922 File opened for modification C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23922 File renamed C:\ProgramData\Microsoft\User Account Pictures\user-32.png.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\user-32.png.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23922 File opened for modification C:\Users\All Users\Microsoft\User Account Pictures\user-32.png.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23922 File renamed C:\ProgramData\Microsoft\User Account Pictures\user-40.png.WNCRYT => C:\Users\All Users\Microsoft\User Account Pictures\user-40.png.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23922 File opened for modification C:\Users\All Users\Microsoft\User Account Pictures\user-40.png.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23922 File renamed C:\ProgramData\Microsoft\User Account Pictures\user-48.png.WNCRYT 
=> C:\Users\All Users\Microsoft\User Account Pictures\user-48.png.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23922 File opened for modification C:\Users\All Users\Microsoft\User Account Pictures\user-48.png.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23922 File opened (read-only) C:\hiberfil.sys.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23922 File opened (read-only) C:\pagefile.sys.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 23922 File opened (read-only) C:\swapfile.sys.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 36594 File renamed C:\Recovery\WindowsRE\Winre.wim.WNCRYT => C:\Recovery\WindowsRE\Winre.wim.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 36766 File opened for modification C:\Recovery\WindowsRE\Winre.wim.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe -
at description ioc Process 2313 File opened for modification C:\Users\Admin\Desktop\GrantShow.docx ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 2422 File opened for modification C:\Users\Admin\Desktop\ApproveGroup.pot ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 2609 File opened for modification C:\Users\Admin\Desktop\ClosePush.potm ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 2797 File opened for modification C:\Users\Admin\Desktop\DenyRestore.xltm ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 3094 File opened for modification C:\Users\Admin\Documents\Files.docx ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 3125 File opened for modification C:\Users\Admin\Documents\Opened.docx ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 3203 File opened for modification C:\Users\Admin\Documents\Recently.docx ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 3281 File opened for modification C:\Users\Admin\Documents\SelectReset.docx ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 3406 File opened for modification C:\Users\Admin\Documents\AssertRename.ppsm ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 3609 File opened for modification C:\Users\Admin\Documents\GetRestart.dotm ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 3719 File opened for modification C:\Users\Admin\Documents\PushSend.docm ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 3797 File opened for modification C:\Users\Admin\Documents\WriteExport.pps ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe -
Drops startup file 6 IoCs
at description ioc Process
9938 File created (read-only) C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDCA77.tmp ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
9938 File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDCA77.tmp ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
9938 File deleted C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDCA77.tmp ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
9953 File created (read-only) C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDCA8D.tmp ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
9953 File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDCA8D.tmp ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
9953 File deleted C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDCA8D.tmp ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
-
Sets desktop wallpaper registry value 2 TTPs 1 IoCs
at description ioc Process
36875 Set value (str) \REGISTRY\USER\S-1-5-21-1582453539-3709319398-2561783890-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
-
Suspicious use of SetWindowsHookEx
-
Loads dropped DLL
-
Suspicious behavior: EnumeratesProcesses
-
Known Tor node 4 IoCs
ioc
81.7.16.182
159.89.156.215
51.77.140.69
51.77.72.200
-
Interacts with shadow copies 2 TTPs
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
-
Modifies service 2 TTPs 4 IoCs
at description ioc Process
49188 Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe
49203 Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe
49234 Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe
49266 Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe
-
Deletes shadow copies 2 TTPs
-
wannacry family
Processes
-
C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe "C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
- Suspicious use of WriteProcessMemory
- Wannacry file encrypt
- Drops Office document
- Drops startup file
- Sets desktop wallpaper registry value
PID:3552
-
C:\Windows\SysWOW64\attrib.exe attrib +h .
PID:3568
-
C:\Windows\SysWOW64\icacls.exe icacls . /grant Everyone:F /T /C /Q
PID:3576
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exe taskdl.exe
PID:3140
-
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 81091569506326.bat
- Suspicious use of WriteProcessMemory
PID:2388
-
C:\Windows\SysWOW64\cscript.exe cscript.exe //nologo m.vbs
PID:3488
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exe taskdl.exe
PID:3320
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
PID:2660
-
C:\Windows\SysWOW64\cmd.exe
PID:3036
-
C:\Users\Admin\AppData\Local\Temp\@[email protected]
PID:448
-
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe TaskData\Tor\taskhsvc.exe
PID:2008
-
C:\Windows\SysWOW64\cmd.exe cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
- Suspicious use of WriteProcessMemory
PID:3580
-
C:\Windows\SysWOW64\vssadmin.exe vssadmin delete shadows /all /quiet
PID:2356
-
C:\Windows\system32\vssvc.exe C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
- Modifies service
PID:3740
-
C:\Windows\SysWOW64\Wbem\WMIC.exe wmic shadowcopy delete
- Suspicious use of AdjustPrivilegeToken
PID:3856
Network
MITRE ATT&CK Enterprise v15
MITRE ATT&CK Additional techniques
- T1158
- T1107
- T1031