Malware analysis /ytisf/theZoo/blob/master/malware/Binaries/Ransomware.WannaCry/Ransomware.WannaCry.zip Malicious activity

Add for printing

download:	/ytisf/theZoo/blob/master/malware/Binaries/Ransomware.WannaCry/Ransomware.WannaCry.zip
Full analysis:	https://app.any.run/tasks/2115b159-3343-404c-88c1-81b387920a11
Verdict:	Malicious activity
Threats:	Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. WannaCry is a famous Ransomware that utilizes the EternalBlue exploit. This malware is known for infecting at least 200,000 computers worldwide and it continues to be an active and dangerous threat. WannaCry ist eine bekannte Ransomware, die die EternalBlue-Schwachstelle nutzt. Diese Malware ist dafür bekannt, dass sie mindestens 200.000 Computer weltweit infiziert hat, und sie ist weiterhin eine aktive und gefährliche Bedrohung. Malware Trends Tracker >>>
Analysis date:	February 21, 2024, 09:41:09
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	ransomware wannacry wannacryptor
Indicators:
MIME:	application/json
File info:	JSON data
MD5:	FD1806CE0FCB3176B644FCBB5B7BE44C
SHA1:	6EB3FFF89876BCCCA7AAE1635D494C994D177DB8
SHA256:	9EC0E1EACD0508725A5DEDA1F2A560643434C981922EC95110BA3CCF262B17DF
SSDEEP:	768:QPiLL7/TLLfbZT5P9kykxcphXz3brr5LxnLbVnjLfNx77VvbzVvlrFjzT7HlNXbN:CiLL7/TLLzZT5P9kykxcphXzLrr5LNLj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.19596 KB4534251
Adobe Acrobat Reader DC (20.013.20064)
Adobe Acrobat Reader DC (20.013.20064)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Refresh Manager (1.8.0)
Adobe Refresh Manager (1.8.0)
CCleaner (6.14)
CCleaner (6.14)
FileZilla 3.65.0 (3.65.0)
FileZilla 3.65.0 (3.65.0)
Google Chrome (109.0.5414.120)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.36.31)
Google Update Helper (1.3.36.31)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.175.29)
Microsoft Edge Update (1.3.175.29)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
PowerShell 7-x86 (7.2.11.0)
PowerShell 7-x86 (7.2.11.0)
Skype version 8.110 (8.110)
Skype version 8.110 (8.110)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3284)
  - @WanaDecryptor@.exe (PID: 3152)
- Modifies files in the Chrome extension folder
  - ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3284)
- Writes a file to the Word startup folder
  - ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3284)
- WannaCry Ransomware is detected
  - ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3284)
  - cmd.exe (PID: 4084)
- Wannacry exe files
  - @WanaDecryptor@.exe (PID: 3152)
  - cmd.exe (PID: 4084)
  - @WanaDecryptor@.exe (PID: 4064)
  - taskse.exe (PID: 3924)
  - @WanaDecryptor@.exe (PID: 3740)
  - @WanaDecryptor@.exe (PID: 2384)
  - @WanaDecryptor@.exe (PID: 2992)
  - @WanaDecryptor@.exe (PID: 3180)
  - @WanaDecryptor@.exe (PID: 3992)
  - @WanaDecryptor@.exe (PID: 4060)
  - taskse.exe (PID: 920)
  - taskse.exe (PID: 1492)
  - taskse.exe (PID: 2124)
  - @WanaDecryptor@.exe (PID: 3460)
- Deletes shadow copies
  - cmd.exe (PID: 1392)
- Using BCDEDIT.EXE to modify recovery options
  - cmd.exe (PID: 1392)
- Changes the autorun value in the registry
  - reg.exe (PID: 2128)
- Actions looks like stealing of personal data
  - ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3284)
SUSPICIOUS
- Uses ICACLS.EXE to modify access control lists
  - ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3284)
- Process drops legitimate windows executable
  - WinRAR.exe (PID: 2868)
  - ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3284)
- Uses ATTRIB.EXE to modify file attributes
  - ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3284)
- Executable content was dropped or overwritten
  - ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3284)
  - @WanaDecryptor@.exe (PID: 3152)
- Executing commands from a ".bat" file
  - ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3284)
- The process executes VB scripts
  - cmd.exe (PID: 3736)
- Starts CMD.EXE for commands execution
  - ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3284)
  - @WanaDecryptor@.exe (PID: 4064)
- Connects to unusual port
  - taskhsvc.exe (PID: 3628)
- The executable file from the user directory is run by the CMD process
  - @WanaDecryptor@.exe (PID: 4064)
- Reads the Internet Settings
  - WMIC.exe (PID: 3360)
- Uses REG/REGEDIT.EXE to modify registry
  - cmd.exe (PID: 2440)
- Starts a Microsoft application from unusual location
  - @WanaDecryptor@.exe (PID: 2384)
  - @WanaDecryptor@.exe (PID: 3992)
  - @WanaDecryptor@.exe (PID: 3180)
- Executes as Windows Service
  - VSSVC.exe (PID: 2448)
  - wbengine.exe (PID: 3816)
  - vds.exe (PID: 3216)
- Likely accesses (executes) a file from the Public directory
  - @WanaDecryptor@.exe (PID: 3992)
- Creates files like ransomware instruction
  - ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3284)
INFO
- Manual execution by a user
  - wmpnscfg.exe (PID: 1776)
  - WinRAR.exe (PID: 3708)
  - chrome.exe (PID: 3228)
  - WinRAR.exe (PID: 2868)
  - ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3284)
  - @WanaDecryptor@.exe (PID: 2384)
  - @WanaDecryptor@.exe (PID: 3180)
  - @WanaDecryptor@.exe (PID: 3992)
- Reads the computer name
  - wmpnscfg.exe (PID: 1776)
  - ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3284)
  - taskhsvc.exe (PID: 3628)
  - taskse.exe (PID: 3924)
  - taskse.exe (PID: 920)
  - taskse.exe (PID: 1492)
  - taskse.exe (PID: 2124)
- Checks supported languages
  - wmpnscfg.exe (PID: 1776)
  - taskdl.exe (PID: 3652)
  - ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3284)
  - taskdl.exe (PID: 3476)
  - taskdl.exe (PID: 3528)
  - taskdl.exe (PID: 2808)
  - @WanaDecryptor@.exe (PID: 4064)
  - @WanaDecryptor@.exe (PID: 3152)
  - taskhsvc.exe (PID: 3628)
  - taskse.exe (PID: 3924)
  - @WanaDecryptor@.exe (PID: 3740)
  - taskdl.exe (PID: 2344)
  - @WanaDecryptor@.exe (PID: 2384)
  - taskse.exe (PID: 920)
  - taskdl.exe (PID: 4000)
  - @WanaDecryptor@.exe (PID: 3180)
  - @WanaDecryptor@.exe (PID: 3992)
  - taskse.exe (PID: 2124)
  - @WanaDecryptor@.exe (PID: 2992)
  - taskdl.exe (PID: 2648)
  - taskse.exe (PID: 1492)
  - @WanaDecryptor@.exe (PID: 3460)
  - @WanaDecryptor@.exe (PID: 4060)
  - taskdl.exe (PID: 3464)
- The process uses the downloaded file
  - chrome.exe (PID: 3132)
  - WinRAR.exe (PID: 2868)
- Reads the machine GUID from the registry
  - ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3284)
  - taskhsvc.exe (PID: 3628)
  - @WanaDecryptor@.exe (PID: 3740)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 2868)
- Drops the executable file immediately after the start
  - WinRAR.exe (PID: 2868)
- Dropped object may contain TOR URL's
  - ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3284)
  - @WanaDecryptor@.exe (PID: 3152)
- The dropped object may contain a URL to Tor Browser
  - ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3284)
  - @WanaDecryptor@.exe (PID: 3152)
- Creates files or folders in the user directory
  - ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3284)
  - taskhsvc.exe (PID: 3628)
- Application launched itself
  - chrome.exe (PID: 3228)
- Reads security settings of Internet Explorer
  - cscript.exe (PID: 2964)
- Creates files in the program directory
  - ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3284)
- Create files in a temporary directory
  - ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3284)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

EXIF

JSON

PayloadAllShortcutsEnabled:	-
PayloadBlobCsv:	null
PayloadBlobCsvError:	null
PayloadBlobDependabotInfoConfigFilePath:	null
PayloadBlobDependabotInfoConfigurationNoticeDismissed:	null
PayloadBlobDependabotInfoCurrentUserCanAdminRepo:	-
PayloadBlobDependabotInfoDismissConfigurationNoticePath:	/settings/dismiss-notice/dependabot_configuration_notice
PayloadBlobDependabotInfoNetworkDependabotPath:	/ytisf/theZoo/network/updates
PayloadBlobDependabotInfoRepoAlertsPath:	/ytisf/theZoo/security/dependabot
PayloadBlobDependabotInfoRepoOwnerIsOrg:	-
PayloadBlobDependabotInfoRepoSecurityAndAnalysisPath:	/ytisf/theZoo/settings/security_analysis
PayloadBlobDependabotInfoShowConfigurationBanner:	-
PayloadBlobDiscussionTemplate:	null
PayloadBlobDisplayName:	Ransomware.WannaCry.zip
PayloadBlobDisplayUrl:	https://github.com/ytisf/theZoo/blob/master/malware/Binaries/Ransomware.WannaCry/Ransomware.WannaCry.zip?raw=true
PayloadBlobHeaderInfoBlobSize:	3.32 MB
PayloadBlobHeaderInfoDeleteInfoDeleteTooltip:	You must be signed in to make or propose changes
PayloadBlobHeaderInfoEditInfoEditTooltip:	You must be signed in to make or propose changes
PayloadBlobHeaderInfoGhDesktopPath:	https://desktop.github.com
PayloadBlobHeaderInfoGitLfsPath:	null
PayloadBlobHeaderInfoIsCSV:	-
PayloadBlobHeaderInfoIsRichtext:	-
PayloadBlobHeaderInfoLineInfoTruncatedLoc:	null
PayloadBlobHeaderInfoLineInfoTruncatedSloc:	null
PayloadBlobHeaderInfoMode:	file
PayloadBlobHeaderInfoOnBranch:
PayloadBlobHeaderInfoShortPath:	4a7b532
PayloadBlobHeaderInfoSiteNavLoginPath:	/login?return_to=https%3A%2F%2Fgithub.com%2Fytisf%2FtheZoo%2Fblob%2Fmaster%2Fmalware%2FBinaries%2FRansomware.WannaCry%2FRansomware.WannaCry.zip
PayloadBlobHeaderInfoToc:	null
PayloadBlobImage:	-
PayloadBlobIsCodeownersFile:	null
PayloadBlobIsPlain:	-
PayloadBlobIsValidLegacyIssueTemplate:	-
PayloadBlobIssueTemplate:	null
PayloadBlobIssueTemplateHelpUrl:	https://docs.github.com/articles/about-issue-and-pull-request-templates
PayloadBlobLanguage:	null
PayloadBlobLanguageID:	null
PayloadBlobLarge:
PayloadBlobLoggedIn:	-
PayloadBlobNewDiscussionPath:	/ytisf/theZoo/discussions/new
PayloadBlobNewIssuePath:	/ytisf/theZoo/issues/new
PayloadBlobPlanSupportInfoRepoIsFork:	null
PayloadBlobPlanSupportInfoRepoOwnedByCurrentUser:	null
PayloadBlobPlanSupportInfoRequestFullPath:	/ytisf/theZoo/blob/master/malware/Binaries/Ransomware.WannaCry/Ransomware.WannaCry.zip
PayloadBlobPlanSupportInfoShowFreeOrgGatedFeatureMessage:	null
PayloadBlobPlanSupportInfoShowPlanSupportBanner:	null
PayloadBlobPlanSupportInfoUpgradeDataAttributes:	null
PayloadBlobPlanSupportInfoUpgradePath:	null
PayloadBlobPublishBannersInfoDismissActionNoticePath:	/settings/dismiss-notice/publish_action_from_dockerfile
PayloadBlobPublishBannersInfoReleasePath:	/ytisf/theZoo/releases/new?marketplace=true
PayloadBlobPublishBannersInfoShowPublishActionBanner:	-
PayloadBlobRawBlobUrl:	https://github.com/ytisf/theZoo/raw/master/malware/Binaries/Ransomware.WannaCry/Ransomware.WannaCry.zip
PayloadBlobRawLines:	null
PayloadBlobRenderImageOrRaw:
PayloadBlobRenderedFileInfo:	null
PayloadBlobRichText:	null
PayloadBlobShortPath:	null
PayloadBlobSymbolsErrorCode:	invalid_argument
PayloadBlobSymbolsErrorMsg:	content required
PayloadBlobSymbolsNot_Analyzed:
PayloadBlobSymbolsTimed_Out:
PayloadBlobSymbolsEnabled:
PayloadBlobTabSize:	8
PayloadBlobTopBannersInfoActionsOnboardingTip:	null
PayloadBlobTopBannersInfoCitationHelpUrl:	https://docs.github.com/github/creating-cloning-and-archiving-repositories/creating-a-repository-on-github/about-citation-files
PayloadBlobTopBannersInfoGlobalPreferredFundingPath:	null
PayloadBlobTopBannersInfoOverridingGlobalFundingFile:	-
PayloadBlobTopBannersInfoRepoName:	theZoo
PayloadBlobTopBannersInfoRepoOwner:	ytisf
PayloadBlobTopBannersInfoShowDependabotConfigurationBanner:	-
PayloadBlobTopBannersInfoShowInvalidCitationWarning:	-
PayloadBlobTruncated:
PayloadBlobViewable:	-
PayloadBlobWorkflowRedirectUrl:	null
PayloadCopilotAccessAllowed:	-
PayloadCopilotInfo:	null
PayloadCsrf_TokensReposPreferencesPost:	2VZ7UsFlZELZsBhFY52OgTKsC2EEydf3p06_KHPhvbIsW93fHIVXxunvX991dC_mqV7yjL8eVs8XJ8inRVPAdQ
PayloadCsrf_TokensYtisfTheZooBranchesPost:	19J02LbJBhX8LyAPy42aiXx4l9IsPQVcsHm2SX0xMHLqDGUKhX5D43E2aoBFTaaLJ6p8_h-wG1o8oX7R8UBOTQ
PayloadCurrentUser:	null
PayloadFileTreeItemsContentType:	directory directory directory file file file file file file file file file
PayloadFileTreeItemsName:	conf imports malware .gitattributes .gitignore CODE-OF-CONDUCT.md CONTRIBUTING.md LICENSE.md README.md prep_file.py requirements.txt theZoo.py
PayloadFileTreeItemsPath:	conf imports malware .gitattributes .gitignore CODE-OF-CONDUCT.md CONTRIBUTING.md LICENSE.md README.md prep_file.py requirements.txt theZoo.py
PayloadFileTreeTotalCount:	12
PayloadFileTreeMalwareItemsContentType:	directory directory
PayloadFileTreeMalwareItemsName:	Binaries Source
PayloadFileTreeMalwareItemsPath:	malware/Binaries malware/Source
PayloadFileTreeMalwareTotalCount:	2
PayloadFileTreeMalwareBinariesItemsContentType:	directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory directory
PayloadFileTreeMalwareBinariesItemsName:	All.ElectroRAT AndroRat_6Dec2013 Android.PegasusB Android.Skygofree Android.Spy.49_iBanking_Feb2014 Android.VikingHorde AntiExe.A Artemis BAT.Drop BAT.Pot.A BAT.Skul Backdoor.MSIL.Tyupkin BlackEnergy2.1 Brain.A Careto_Feb2014 Cascade.1701.W Catapillar.E Civil_War.282 Coll.CozyBear Coll.DarkHydrus CryptoLocker_10Sep2013 CryptoLocker_20Nov2013 CryptoLocker_22Jan2014 DOS.Yesmile Dino Dropper.Taleret Duqu2 Dyre EquationGroup.DoubleFantasy EquationGroup.EquationDrug EquationGroup.EquationLaser EquationGroup.Fanny EquationGroup.GROK EquationGroup.GrayFish EquationGroup.TripleFantasy EquationGroup FancyBear.GermanParliament Form.A Friday_the_13th.408 Friday_the_13th.416.A Friday_the_13th.416.B Friday_the_13th.540.A Green_Caterpillar.1575.A INTC.A IllusionBot_May2007 JS.JScript.A JS.Lame Jumper.B Junkie KRBanker Kampana.A Kelihos Keylogger.Ardamax Linux.Chapros.A Linux.Encoder.1 Linux.Mirai.B Linux.Snoopy.A Linux.Snoopy.B Linux.Snoopy.C Linux.Wirenet Michelangelo NOBELIUM NYB.B Net-Worm.Win32.Kido Neurevt.1.7.0.1 Nitlove Nivdort OSX.Backdoor.iWorm OSX.HellRaiser OSX.JacksBot OSX.Lazarus OSX.MacSecurity OSX.OceanLotus OSX.Wirenet OSX.XAgent Parity_Boot.B Phoenix.2000 PlugX PotaoExpress Poweliks Proteus Quax.A Raccoon.Stealer.v2 Ransomware.Cerber Ransomware.Cryptowall Ransomware.Hive Ransomware.Jigsaw Ransomware.Locky Ransomware.Mamba Ransomware.Matsnu Ransomware.Petrwrap Ransomware.Petya Ransomware.Radamant Ransomware.RedBoot Ransomware.Rex Ransomware.Satana Ransomware.TeslaCrypt Ransomware.Thanos Ransomware.Unnamed_0 Ransomware.Vipasana Ransomware.WannaCry Ransomware.WannaCry_Plus Ransomware.XData Rombertik Rustock Sampo.A Shamoon SheHas.A SillyC.160.B Skywiper-A.Flame Slow_Format.705 Somoto SpyEye Surtr SymbOS.Lasco Telefonica.3784 Trivial.881 Trivial.Html.883 Trivial.LSD Trojan.AlienSpy Trojan.Asprox Trojan.Bladabindi Trojan.Destover-SonySigned Trojan.Dropper.Gen Trojan.Kovter Trojan.Loadmoney Trojan.NSIS.Win32 Trojan.Ransom.Hells Trojan.Ransom.Petya Trojan.Regin Trojan.Shylock.Skype Trojan.Sinowal Trojan.Stabuniq Trojan.Tapaoux Trojan.Win32.Bechiro.BCD TrojanWin32.Duqu.Stuxnet VBS.Carnival VBS.Hopper VBS.LoveLetter VBS.NewLove.A VBS.NoMercy.B VBS.NoWarning.A VBS.Redinal VBS.RunScript VBS.Vquest.ow Variant.Kazy VolatileCedar.Explosion W32.Beagle W32.CodeRed.Worm.C W32.Duni.A W32.Elkern.B W32.HLLP.Hantaner.A W32.Hybris.Worm.B W32.Klez.E W32.Klez.H W32.MyDoom.A W32.Mytob_EJ W32.NetSky W32.Nimda.A W32.Nimda.E W32.Slammer W32.Swen W97M.Class.AU W97M.Melissa.A W97M.Pri.A W97M.Pri.AB WM.Alliance.A WM.Cap.A WM.Concept.A WM.Concept.S WM.Minimal.AB WM.NJ_WMVCK2_T WM.Npad.A WMIGhost Waski.Upatre Win32.APT28.SekoiaRootkit Win32.APT32.Windshield Win32.AgentTesla Win32.Alina.3.4.B Win32.Avatar Win32.BigBang Win32.Boaxxe.BB Win32.Cainxpii Win32.Caphaw.Shylock Win32.Carberp Win32.Cridex Win32.Cutwail Win32.DarkTequila Win32.Emotet Win32.EternalRocks Win32.FASTCash Win32.FamousSparrow Win32.Fareit Win32.GravityRat Win32.GreenBug Win32.Hupigon Win32.Infostealer.Dexter Win32.Invicea_Tunnel Win32.Ixeshe Win32.Jerusalem Win32.KerrDown Win32.KeyPass Win32.Lephic Win32.LuckyCat Win32.MyLobot Win32.Narilam Win32.OnionDuke.B Win32.Pay2Key.B Win32.Powerstats Win32.RedDelta Win32.Reveton Win32.Sality Win32.ShadowHammer Win32.Sofacy.A Win32.SofacyCarberp Win32.StrongPity Win32.Stuxnet.A.Duqu-C-Media Win32.Stuxnet.B.Duqu-Realtek Win32.Taleret Win32.TransparentTribe.B Win32.Triton Win32.Turla.V1 Win32.Turla Win32.Unclassified Win32.Unknown_SpectreMeltdown Win32.Unnamed_SpecMelt Win32.VBS.APT34Dropper Win32.ValeforBeta Win32.Vobfus Win32.WannaPeace Win32.XAgent Win32.ZeroCleare Win32.ZeusVM Win32.Zurgop Win32Dircrypt.Trojan.Ransom.ABZ Win64.NukeSped Win64.Trojan.GreenBug WinX.HiddenCobra.Supply WinX.OperationDianxun WinX.SUNBURST WinX.SignSight X97M.Sugar.A X97M.Sugar_Poppy.II Yankee_Doodle.2881.A Yankee_Doodle.2997 Yankee_Login.3052 Yaunch.2537 Yeke.1204 ZeroAccess ZeroLocker ZeusBankingVersion_26Nov2013 ZeusGameover_Feb2014 Zherkov.1958 Zherkov.2970 njRAT-v0.6.4
PayloadFileTreeMalwareBinariesItemsPath:	malware/Binaries/All.ElectroRAT malware/Binaries/AndroRat_6Dec2013 malware/Binaries/Android.PegasusB malware/Binaries/Android.Skygofree malware/Binaries/Android.Spy.49_iBanking_Feb2014 malware/Binaries/Android.VikingHorde malware/Binaries/AntiExe.A malware/Binaries/Artemis malware/Binaries/BAT.Drop malware/Binaries/BAT.Pot.A malware/Binaries/BAT.Skul malware/Binaries/Backdoor.MSIL.Tyupkin malware/Binaries/BlackEnergy2.1 malware/Binaries/Brain.A malware/Binaries/Careto_Feb2014 malware/Binaries/Cascade.1701.W malware/Binaries/Catapillar.E malware/Binaries/Civil_War.282 malware/Binaries/Coll.CozyBear malware/Binaries/Coll.DarkHydrus malware/Binaries/CryptoLocker_10Sep2013 malware/Binaries/CryptoLocker_20Nov2013 malware/Binaries/CryptoLocker_22Jan2014 malware/Binaries/DOS.Yesmile malware/Binaries/Dino malware/Binaries/Dropper.Taleret malware/Binaries/Duqu2 malware/Binaries/Dyre malware/Binaries/EquationGroup.DoubleFantasy malware/Binaries/EquationGroup.EquationDrug malware/Binaries/EquationGroup.EquationLaser malware/Binaries/EquationGroup.Fanny malware/Binaries/EquationGroup.GROK malware/Binaries/EquationGroup.GrayFish malware/Binaries/EquationGroup.TripleFantasy malware/Binaries/EquationGroup malware/Binaries/FancyBear.GermanParliament malware/Binaries/Form.A malware/Binaries/Friday_the_13th.408 malware/Binaries/Friday_the_13th.416.A malware/Binaries/Friday_the_13th.416.B malware/Binaries/Friday_the_13th.540.A malware/Binaries/Green_Caterpillar.1575.A malware/Binaries/INTC.A malware/Binaries/IllusionBot_May2007 malware/Binaries/JS.JScript.A malware/Binaries/JS.Lame malware/Binaries/Jumper.B malware/Binaries/Junkie malware/Binaries/KRBanker malware/Binaries/Kampana.A malware/Binaries/Kelihos malware/Binaries/Keylogger.Ardamax malware/Binaries/Linux.Chapros.A malware/Binaries/Linux.Encoder.1 malware/Binaries/Linux.Mirai.B malware/Binaries/Linux.Snoopy.A malware/Binaries/Linux.Snoopy.B malware/Binaries/Linux.Snoopy.C malware/Binaries/Linux.Wirenet malware/Binaries/Michelangelo malware/Binaries/NOBELIUM malware/Binaries/NYB.B malware/Binaries/Net-Worm.Win32.Kido malware/Binaries/Neurevt.1.7.0.1 malware/Binaries/Nitlove malware/Binaries/Nivdort malware/Binaries/OSX.Backdoor.iWorm malware/Binaries/OSX.HellRaiser malware/Binaries/OSX.JacksBot malware/Binaries/OSX.Lazarus malware/Binaries/OSX.MacSecurity malware/Binaries/OSX.OceanLotus malware/Binaries/OSX.Wirenet malware/Binaries/OSX.XAgent malware/Binaries/Parity_Boot.B malware/Binaries/Phoenix.2000 malware/Binaries/PlugX malware/Binaries/PotaoExpress malware/Binaries/Poweliks malware/Binaries/Proteus malware/Binaries/Quax.A malware/Binaries/Raccoon.Stealer.v2 malware/Binaries/Ransomware.Cerber malware/Binaries/Ransomware.Cryptowall malware/Binaries/Ransomware.Hive malware/Binaries/Ransomware.Jigsaw malware/Binaries/Ransomware.Locky malware/Binaries/Ransomware.Mamba malware/Binaries/Ransomware.Matsnu malware/Binaries/Ransomware.Petrwrap malware/Binaries/Ransomware.Petya malware/Binaries/Ransomware.Radamant malware/Binaries/Ransomware.RedBoot malware/Binaries/Ransomware.Rex malware/Binaries/Ransomware.Satana malware/Binaries/Ransomware.TeslaCrypt malware/Binaries/Ransomware.Thanos malware/Binaries/Ransomware.Unnamed_0 malware/Binaries/Ransomware.Vipasana malware/Binaries/Ransomware.WannaCry malware/Binaries/Ransomware.WannaCry_Plus malware/Binaries/Ransomware.XData malware/Binaries/Rombertik malware/Binaries/Rustock malware/Binaries/Sampo.A malware/Binaries/Shamoon malware/Binaries/SheHas.A malware/Binaries/SillyC.160.B malware/Binaries/Skywiper-A.Flame malware/Binaries/Slow_Format.705 malware/Binaries/Somoto malware/Binaries/SpyEye malware/Binaries/Surtr malware/Binaries/SymbOS.Lasco malware/Binaries/Telefonica.3784 malware/Binaries/Trivial.881 malware/Binaries/Trivial.Html.883 malware/Binaries/Trivial.LSD malware/Binaries/Trojan.AlienSpy malware/Binaries/Trojan.Asprox malware/Binaries/Trojan.Bladabindi malware/Binaries/Trojan.Destover-SonySigned malware/Binaries/Trojan.Dropper.Gen malware/Binaries/Trojan.Kovter malware/Binaries/Trojan.Loadmoney malware/Binaries/Trojan.NSIS.Win32 malware/Binaries/Trojan.Ransom.Hells malware/Binaries/Trojan.Ransom.Petya malware/Binaries/Trojan.Regin malware/Binaries/Trojan.Shylock.Skype malware/Binaries/Trojan.Sinowal malware/Binaries/Trojan.Stabuniq malware/Binaries/Trojan.Tapaoux malware/Binaries/Trojan.Win32.Bechiro.BCD malware/Binaries/TrojanWin32.Duqu.Stuxnet malware/Binaries/VBS.Carnival malware/Binaries/VBS.Hopper malware/Binaries/VBS.LoveLetter malware/Binaries/VBS.NewLove.A malware/Binaries/VBS.NoMercy.B malware/Binaries/VBS.NoWarning.A malware/Binaries/VBS.Redinal malware/Binaries/VBS.RunScript malware/Binaries/VBS.Vquest.ow malware/Binaries/Variant.Kazy malware/Binaries/VolatileCedar.Explosion malware/Binaries/W32.Beagle malware/Binaries/W32.CodeRed.Worm.C malware/Binaries/W32.Duni.A malware/Binaries/W32.Elkern.B malware/Binaries/W32.HLLP.Hantaner.A malware/Binaries/W32.Hybris.Worm.B malware/Binaries/W32.Klez.E malware/Binaries/W32.Klez.H malware/Binaries/W32.MyDoom.A malware/Binaries/W32.Mytob_EJ malware/Binaries/W32.NetSky malware/Binaries/W32.Nimda.A malware/Binaries/W32.Nimda.E malware/Binaries/W32.Slammer malware/Binaries/W32.Swen malware/Binaries/W97M.Class.AU malware/Binaries/W97M.Melissa.A malware/Binaries/W97M.Pri.A malware/Binaries/W97M.Pri.AB malware/Binaries/WM.Alliance.A malware/Binaries/WM.Cap.A malware/Binaries/WM.Concept.A malware/Binaries/WM.Concept.S malware/Binaries/WM.Minimal.AB malware/Binaries/WM.NJ_WMVCK2_T malware/Binaries/WM.Npad.A malware/Binaries/WMIGhost malware/Binaries/Waski.Upatre malware/Binaries/Win32.APT28.SekoiaRootkit malware/Binaries/Win32.APT32.Windshield malware/Binaries/Win32.AgentTesla malware/Binaries/Win32.Alina.3.4.B malware/Binaries/Win32.Avatar malware/Binaries/Win32.BigBang malware/Binaries/Win32.Boaxxe.BB malware/Binaries/Win32.Cainxpii malware/Binaries/Win32.Caphaw.Shylock malware/Binaries/Win32.Carberp malware/Binaries/Win32.Cridex malware/Binaries/Win32.Cutwail malware/Binaries/Win32.DarkTequila malware/Binaries/Win32.Emotet malware/Binaries/Win32.EternalRocks malware/Binaries/Win32.FASTCash malware/Binaries/Win32.FamousSparrow malware/Binaries/Win32.Fareit malware/Binaries/Win32.GravityRat malware/Binaries/Win32.GreenBug malware/Binaries/Win32.Hupigon malware/Binaries/Win32.Infostealer.Dexter malware/Binaries/Win32.Invicea_Tunnel malware/Binaries/Win32.Ixeshe malware/Binaries/Win32.Jerusalem malware/Binaries/Win32.KerrDown malware/Binaries/Win32.KeyPass malware/Binaries/Win32.Lephic malware/Binaries/Win32.LuckyCat malware/Binaries/Win32.MyLobot malware/Binaries/Win32.Narilam malware/Binaries/Win32.OnionDuke.B malware/Binaries/Win32.Pay2Key.B malware/Binaries/Win32.Powerstats malware/Binaries/Win32.RedDelta malware/Binaries/Win32.Reveton malware/Binaries/Win32.Sality malware/Binaries/Win32.ShadowHammer malware/Binaries/Win32.Sofacy.A malware/Binaries/Win32.SofacyCarberp malware/Binaries/Win32.StrongPity malware/Binaries/Win32.Stuxnet.A.Duqu-C-Media malware/Binaries/Win32.Stuxnet.B.Duqu-Realtek malware/Binaries/Win32.Taleret malware/Binaries/Win32.TransparentTribe.B malware/Binaries/Win32.Triton malware/Binaries/Win32.Turla.V1 malware/Binaries/Win32.Turla malware/Binaries/Win32.Unclassified malware/Binaries/Win32.Unknown_SpectreMeltdown malware/Binaries/Win32.Unnamed_SpecMelt malware/Binaries/Win32.VBS.APT34Dropper malware/Binaries/Win32.ValeforBeta malware/Binaries/Win32.Vobfus malware/Binaries/Win32.WannaPeace malware/Binaries/Win32.XAgent malware/Binaries/Win32.ZeroCleare malware/Binaries/Win32.ZeusVM malware/Binaries/Win32.Zurgop malware/Binaries/Win32Dircrypt.Trojan.Ransom.ABZ malware/Binaries/Win64.NukeSped malware/Binaries/Win64.Trojan.GreenBug malware/Binaries/WinX.HiddenCobra.Supply malware/Binaries/WinX.OperationDianxun malware/Binaries/WinX.SUNBURST malware/Binaries/WinX.SignSight malware/Binaries/X97M.Sugar.A malware/Binaries/X97M.Sugar_Poppy.II malware/Binaries/Yankee_Doodle.2881.A malware/Binaries/Yankee_Doodle.2997 malware/Binaries/Yankee_Login.3052 malware/Binaries/Yaunch.2537 malware/Binaries/Yeke.1204 malware/Binaries/ZeroAccess malware/Binaries/ZeroLocker malware/Binaries/ZeusBankingVersion_26Nov2013 malware/Binaries/ZeusGameover_Feb2014 malware/Binaries/Zherkov.1958 malware/Binaries/Zherkov.2970 malware/Binaries/njRAT-v0.6.4
PayloadFileTreeMalwareBinariesTotalCount:	255
PayloadFileTreeMalwareBinariesRansomwareWannaCryItemsContentType:	file file file file
PayloadFileTreeMalwareBinariesRansomwareWannaCryItemsName:	Ransomware.WannaCry.md5 Ransomware.WannaCry.pass Ransomware.WannaCry.sha256 Ransomware.WannaCry.zip
PayloadFileTreeMalwareBinariesRansomwareWannaCryItemsPath:	malware/Binaries/Ransomware.WannaCry/Ransomware.WannaCry.md5 malware/Binaries/Ransomware.WannaCry/Ransomware.WannaCry.pass malware/Binaries/Ransomware.WannaCry/Ransomware.WannaCry.sha256 malware/Binaries/Ransomware.WannaCry/Ransomware.WannaCry.zip
PayloadFileTreeMalwareBinariesRansomwareWannaCryTotalCount:	4
PayloadFileTreeProcessingTime:	13.110586
PayloadPath:	malware/Binaries/Ransomware.WannaCry/Ransomware.WannaCry.zip
PayloadRefInfoCanEdit:	-
PayloadRefInfoCurrentOid:	398d83938838ae6f92117d9dbcd07833dd1dcaaf
PayloadRefInfoListCacheKey:	v0:1392814024.0
PayloadRefInfoName:	master
PayloadRefInfoRefType:	branch
PayloadRepoCreatedAt:	2014-01-09T18:55:35.000Z
PayloadRepoCurrentUserCanPush:	-
PayloadRepoDefaultBranch:	master
PayloadRepoId:	15776012
PayloadRepoIsEmpty:	-
PayloadRepoIsFork:	-
PayloadRepoIsOrgOwned:	-
PayloadRepoName:	theZoo
PayloadRepoOwnerAvatar:	https://avatars.githubusercontent.com/u/5548594?v=4
PayloadRepoOwnerLogin:	ytisf
PayloadRepoPrivate:	-
PayloadRepoPublic:
PayloadSymbolsExpanded:	-
PayloadTreeExpanded:
Title:	theZoo/malware/Binaries/Ransomware.WannaCry/Ransomware.WannaCry.zip at master · ytisf/theZoo

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

132

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

796

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2204 --field-trial-handle=1136,i,15991369097646669928,7662073835212389991,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

109.0.5414.120

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

848

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2152 --field-trial-handle=1136,i,15991369097646669928,7662073835212389991,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

109.0.5414.120

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

920

taskse.exe C:\Users\admin\Downloads\@WanaDecryptor@.exe

C:\Users\admin\Downloads\taskse.exe

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

waitfor - wait/send a signal over a network

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\users\admin\downloads\taskse.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winsta.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

1216

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --disable-quic --mojo-platform-channel-handle=4092 --field-trial-handle=1136,i,15991369097646669928,7662073835212389991,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Exit code:

Version:

109.0.5414.120

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

1392

cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

C:\Windows\System32\cmd.exe

—

@WanaDecryptor@.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

1492

taskse.exe C:\Users\admin\Downloads\@WanaDecryptor@.exe

C:\Users\admin\Downloads\taskse.exe

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

waitfor - wait/send a signal over a network

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\users\admin\downloads\taskse.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winsta.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

1624

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --disable-quic --mojo-platform-channel-handle=3920 --field-trial-handle=1136,i,15991369097646669928,7662073835212389991,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Exit code:

Version:

109.0.5414.120

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

1696

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vdsldr.exe

—

svchost.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Virtual Disk Service Loader

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\vdsldr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\atl.dll

1776

"C:\Program Files\Windows Media Player\wmpnscfg.exe"

C:\Program Files\Windows Media Player\wmpnscfg.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Media Player Network Sharing Service Configuration Application

Exit code:

Version:

12.0.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

2000

C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}

C:\Windows\System32\dllhost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

COM Surrogate

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

Add for printing

Total events

23 258

Read events

22 529

Write events

722

Delete events

Modification events


(PID) Process:	(4052) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(4052) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(4052) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(4052) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\General
Operation:	write	Name:	LastFolder
Value: C:\Users\admin\Desktop
(PID) Process:	(4052) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(4052) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(4052) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(4052) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(4052) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Operation:	write	Name:	Band56_0
Value: 38000000730100000402000000000000D4D0C8000000000000000000000000008C0110000000000039000000B40200000000000001000000
(PID) Process:	(4052) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Operation:	write	Name:	Band56_1
Value: 38000000730100000500000000000000D4D0C8000000000000000000000000003A01110000000000160000002A0000000000000002000000

Add for printing

Executable files

Suspicious files

1 015

Text files

587

Unknown types

451

Dropped files

PID	Process	Filename		Type
3228	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RF183bdb.TMP		—
		MD5:—	SHA256:—
3228	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old		—
		MD5:—	SHA256:—
3228	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old~RF183d62.TMP		text
		MD5:C383FD120B14BB0E98E99C1BCC9B43F6	SHA256:56A3A5EACBD28BEE1CF8C1D0052321A5C27EE858BEF7B2FA1DE20806A0823CC1
3228	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\44537c27-6ce5-4cc7-96cd-81316e1e9d57.tmp		binary
		MD5:5058F1AF8388633F609CADB75A75DC9D	SHA256:—
3228	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old~RF183beb.TMP		text
		MD5:05CF4C3C5148DA6355D3561A9EAA5E8A	SHA256:8D720243F6876898E4F197C8867C4CEE69F1C7335C55B8A29C120B1028D93E41
3228	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RF183bfa.TMP		text
		MD5:ADB669AB4CD1C63883C64FB0DBA2C7DA	SHA256:18BFF89047EC5B122573D089B3DC7A7DD14A5A7A515B2D8141584B41E723253F
3228	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old~RF184002.TMP		—
		MD5:—	SHA256:—
3228	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old		—
		MD5:—	SHA256:—
3228	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old		text
		MD5:358570F689377CE6838812643E03734B	SHA256:5B41FCC2E1A843AEAB9437B06E27B798870FF10D86A51B163BF48862BCD32590
3228	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old		text
		MD5:AD0DB8476493577A67FA94A162B646C4	SHA256:304FB5B4FD83D4A9FF1EF4CF20232A1783169C148297BFE37ED24A1D22A74F2B

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
856	svchost.exe	HEAD	200	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYTBmQUFZUHRkSkgtb01uSGNvRHZ2Tm5HQQ/1.0.0.15_llkgjffcdpffmhiakmfcdcblohccpfmo.crx	unknown	—	—	unknown
856	svchost.exe	GET	200	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYTBmQUFZUHRkSkgtb01uSGNvRHZ2Tm5HQQ/1.0.0.15_llkgjffcdpffmhiakmfcdcblohccpfmo.crx	unknown	binary	3.07 Kb	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1080	svchost.exe	224.0.0.252:5355	—	—	—	unknown
3228	chrome.exe	239.255.255.250:1900	—	—	—	unknown
3964	chrome.exe	142.250.186.163:443	clientservices.googleapis.com	GOOGLE	US	whitelisted
3964	chrome.exe	66.102.1.84:443	accounts.google.com	GOOGLE	US	unknown
3964	chrome.exe	142.250.186.132:443	www.google.com	GOOGLE	US	whitelisted
3228	chrome.exe	224.0.0.251:5353	—	—	—	unknown
3964	chrome.exe	172.217.18.3:443	update.googleapis.com	GOOGLE	US	whitelisted
3964	chrome.exe	142.250.186.74:443	www.googleapis.com	GOOGLE	US	whitelisted

DNS requests

Domain	IP	Reputation
clientservices.googleapis.com	142.250.186.163	whitelisted
accounts.google.com	66.102.1.84	shared
www.google.com	142.250.186.132	whitelisted
update.googleapis.com	172.217.18.3 142.250.186.163	whitelisted
www.googleapis.com	142.250.186.74 142.250.186.138 142.250.74.202 216.58.206.42 172.217.18.10 142.250.186.106 172.217.16.202 216.58.212.170 142.250.186.42 172.217.18.106 172.217.23.106 142.250.185.74 142.250.185.106 142.250.185.138 142.250.185.170 142.250.185.202	whitelisted
github.com	140.82.121.4	shared
github.githubassets.com	185.199.110.154 185.199.109.154 185.199.111.154 185.199.108.154	whitelisted
safebrowsing.googleapis.com	142.250.184.234	whitelisted
avatars.githubusercontent.com	185.199.109.133 185.199.110.133 185.199.108.133 185.199.111.133	whitelisted
github-cloud.s3.amazonaws.com	52.216.33.209 3.5.17.174 52.216.214.185 52.216.211.233 3.5.28.181 52.217.122.201 3.5.8.148 52.216.60.73	shared

Threats

PID	Process	Class	Message
—	—	Misc Attack	ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 218
3628	taskhsvc.exe	Unknown Traffic	ET JA3 Hash - Possible Malware - Malspam
3628	taskhsvc.exe	Misc activity	ET POLICY TLS possible TOR SSL traffic
3628	taskhsvc.exe	Misc Attack	ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 806
3628	taskhsvc.exe	Unknown Traffic	ET JA3 Hash - Possible Malware - Malspam
3628	taskhsvc.exe	Misc activity	ET POLICY TLS possible TOR SSL traffic

Add for printing

No debug info

General Info

/ytisf/theZoo/blob/master/malware/Binaries/Ransomware.WannaCry/Ransomware.WannaCry.zip

FD1806CE0FCB3176B644FCBB5B7BE44C

6EB3FFF89876BCCCA7AAE1635D494C994D177DB8

9EC0E1EACD0508725A5DEDA1F2A560643434C981922EC95110BA3CCF262B17DF

768:QPiLL7/TLLfbZT5P9kykxcphXz3brr5LxnLbVnjLfNx77VvbzVvlrFjzT7HlNXbN:CiLL7/TLLzZT5P9kykxcphXzLrr5LNLj

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Modifies files in the Chrome extension folder

Writes a file to the Word startup folder

WannaCry Ransomware is detected

Wannacry exe files

Deletes shadow copies

Using BCDEDIT.EXE to modify recovery options

Changes the autorun value in the registry

Actions looks like stealing of personal data

SUSPICIOUS

Uses ICACLS.EXE to modify access control lists

Process drops legitimate windows executable

Uses ATTRIB.EXE to modify file attributes

Executable content was dropped or overwritten

Executing commands from a ".bat" file

The process executes VB scripts

Starts CMD.EXE for commands execution

Connects to unusual port

The executable file from the user directory is run by the CMD process

Reads the Internet Settings

Uses REG/REGEDIT.EXE to modify registry

Starts a Microsoft application from unusual location

Executes as Windows Service

Likely accesses (executes) a file from the Public directory

Creates files like ransomware instruction

INFO

Manual execution by a user

Reads the computer name

Checks supported languages

The process uses the downloaded file

Reads the machine GUID from the registry

Executable content was dropped or overwritten

Drops the executable file immediately after the start

Dropped object may contain TOR URL's

The dropped object may contain a URL to Tor Browser

Creates files or folders in the user directory

Application launched itself

Reads security settings of Internet Explorer

Creates files in the program directory

Create files in a temporary directory

Malware configuration

Static information

EXIF

JSON

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules