Look for Wanna Cry encrypted files on the C: drive - v1.1
Log In or Register to download the BES file, and more.

0 Votes

Versioning - This is the latest version.

1Look for Wanna Cry encrypted files on the C: drive5/13/2017 5:52:57 PM
2Look for Wanna Cry encrypted files on the C: drive - v1.15/15/2017 6:19:33 AM


Seach for any files with .wncry extenstions that exist on the C: drive. Old school batch file, so if there are a ton of files, this will take a while and can possibly have a noticable performance impact when it runs.

This will create a file (c:\wannacry_files.txt) for the search results. There is a corresponding property (Wanna Cry Files - C: Drive) that will parse this file for any files that are found and report the results back up.

This file is expected to have the following two lines. Anymore than that is bad.

Volume in drive C has no label.
Volume Serial Number is 7A01-AEAF

There are three expected results returned by the property:

Wanna Cry Encrypted files found (this is bad)

No Encrypted Files Found (results file exists, nothing bad found, scan could still be running though)

Scan Results File Not Found (this means you have not executed this task yet)

Property Details

StatusBeta - Preliminary testing ready for more
TitleLook for Wanna Cry encrypted files on the C: drive - v1.1
SourceJason Cordell ([email protected])
Source Release Date5/15/2017 12:00:00 AM
Keywordswanna cry .wncry
Is TaskTrue
Added by on 5/15/2017 6:19:33 AM
Last Modified by on 5/15/2017 6:19:33 AM
Counters 2053 Views / 9 Downloads
User Rating 1 star 2 star 3 star 4 star 5 star * Average over 0 ratings. ** Log In or Register to add your rating.


isWindows (Relevance 1172)
Used in 1067 fixlets and 522 analyses * Results in a true/false
Show indented relevance
windows of operating system
Used in 4 fixlets * Results in a true/false
Show indented relevance
exists folder "c:\"


Action 1 (default)

Action Link Click here to deploy this action.
Script Type tdevropa-test Action Script
waithidden cmd /c if exist c:\wannacry_files.txt del c:\wannacry_files.txt /q /f
waithidden cmd /c dir c:\*.wncry /a /s >c:\wannacry_files.txt
Success Criteria

This action will be considered successful when the applicability relevance evaluates to false.


Log In or Register to leave comments!
jasoncordell -
I added a newer version of this task (v1.1). Only change is updated verbiage on the Description tab to indicate 3 possible results. This task goes hand in hand with a property that I uploaded to parse the results file created by this task.

Recommended Articles

microsoft chart controls for microsoft net framework 3.5 download microsoft primary interoperability assemblies 2005 download activex windows live mesh trend micro officescan uninstall tool java 8 update 51 visual c 2010 runtime windows installer 3.1 kb893803 windows live meeting 2007 internet explorer tls adobe flash update xp java runtime environment 7 update 51 seagate manager software