download:

/ytisf/theZoo/blob/master/malware/Binaries/Ransomware.WannaCry/Ransomware.WannaCry.zip

Full analysis: https://app.any.run/tasks/2115b159-3343-404c-88c1-81b387920a11
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: February 21, 2024, 09:41:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
wannacry
wannacryptor
Indicators:
MIME: application/json
File info: JSON data
MD5:

FD1806CE0FCB3176B644FCBB5B7BE44C

SHA1:

6EB3FFF89876BCCCA7AAE1635D494C994D177DB8

SHA256:

9EC0E1EACD0508725A5DEDA1F2A560643434C981922EC95110BA3CCF262B17DF

SSDEEP:

768:QPiLL7/TLLfbZT5P9kykxcphXz3brr5LxnLbVnjLfNx77VvbzVvlrFjzT7HlNXbN:CiLL7/TLLzZT5P9kykxcphXzLrr5LNLj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3284)
      • @WanaDecryptor@.exe (PID: 3152)

    • WannaCry Ransomware is detected

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3284)
      • cmd.exe (PID: 4084)

    • Modifies files in the Chrome extension folder

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3284)

    • Wannacry exe files

      • @WanaDecryptor@.exe (PID: 3152)
      • cmd.exe (PID: 4084)
      • @WanaDecryptor@.exe (PID: 4064)
      • taskse.exe (PID: 3924)
      • @WanaDecryptor@.exe (PID: 3740)
      • @WanaDecryptor@.exe (PID: 2992)
      • @WanaDecryptor@.exe (PID: 3180)
      • @WanaDecryptor@.exe (PID: 3992)
      • @WanaDecryptor@.exe (PID: 2384)
      • taskse.exe (PID: 920)
      • @WanaDecryptor@.exe (PID: 4060)
      • taskse.exe (PID: 1492)
      • @WanaDecryptor@.exe (PID: 3460)
      • taskse.exe (PID: 2124)

    • Writes a file to the Word startup folder

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3284)

    • Changes the autorun value in the registry

      • reg.exe (PID: 2128)

    • Using BCDEDIT.EXE to modify recovery options

      • cmd.exe (PID: 1392)

    • Deletes shadow copies

      • cmd.exe (PID: 1392)

    • Actions looks like stealing of personal data

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3284)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 2868)
      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3284)

    • Uses ICACLS.EXE to modify access control lists

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3284)

    • Uses ATTRIB.EXE to modify file attributes

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3284)

    • Executable content was dropped or overwritten

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3284)
      • @WanaDecryptor@.exe (PID: 3152)

    • Executing commands from a ".bat" file

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3284)

    • Creates files like ransomware instruction

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3284)

    • Starts CMD.EXE for commands execution

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3284)
      • @WanaDecryptor@.exe (PID: 4064)

    • The process executes VB scripts

      • cmd.exe (PID: 3736)

    • Connects to unusual port

      • taskhsvc.exe (PID: 3628)

    • The executable file from the user directory is run by the CMD process

      • @WanaDecryptor@.exe (PID: 4064)

    • Executes as Windows Service

      • wbengine.exe (PID: 3816)
      • VSSVC.exe (PID: 2448)
      • vds.exe (PID: 3216)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 2440)

    • Starts a Microsoft application from unusual location

      • @WanaDecryptor@.exe (PID: 2384)
      • @WanaDecryptor@.exe (PID: 3180)
      • @WanaDecryptor@.exe (PID: 3992)

    • Reads the Internet Settings

      • WMIC.exe (PID: 3360)

    • Likely accesses (executes) a file from the Public directory

      • @WanaDecryptor@.exe (PID: 3992)

  • INFO

    • Manual execution by a user

      • WinRAR.exe (PID: 3708)
      • wmpnscfg.exe (PID: 1776)
      • WinRAR.exe (PID: 2868)
      • chrome.exe (PID: 3228)
      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3284)
      • @WanaDecryptor@.exe (PID: 3180)
      • @WanaDecryptor@.exe (PID: 3992)
      • @WanaDecryptor@.exe (PID: 2384)

    • Checks supported languages

      • wmpnscfg.exe (PID: 1776)
      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3284)
      • taskdl.exe (PID: 3652)
      • taskdl.exe (PID: 3528)
      • taskdl.exe (PID: 2808)
      • taskdl.exe (PID: 3476)
      • taskhsvc.exe (PID: 3628)
      • @WanaDecryptor@.exe (PID: 3152)
      • @WanaDecryptor@.exe (PID: 4064)
      • taskse.exe (PID: 3924)
      • @WanaDecryptor@.exe (PID: 3740)
      • taskdl.exe (PID: 2344)
      • @WanaDecryptor@.exe (PID: 2992)
      • taskdl.exe (PID: 4000)
      • @WanaDecryptor@.exe (PID: 3180)
      • @WanaDecryptor@.exe (PID: 3992)
      • @WanaDecryptor@.exe (PID: 2384)
      • taskse.exe (PID: 920)
      • taskdl.exe (PID: 2648)
      • taskse.exe (PID: 1492)
      • @WanaDecryptor@.exe (PID: 3460)
      • taskse.exe (PID: 2124)
      • @WanaDecryptor@.exe (PID: 4060)
      • taskdl.exe (PID: 3464)

    • The process uses the downloaded file

      • chrome.exe (PID: 3132)
      • WinRAR.exe (PID: 2868)

    • Reads the computer name

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3284)
      • wmpnscfg.exe (PID: 1776)
      • taskhsvc.exe (PID: 3628)
      • taskse.exe (PID: 3924)
      • taskse.exe (PID: 920)
      • taskse.exe (PID: 2124)
      • taskse.exe (PID: 1492)

    • Dropped object may contain TOR URL's

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3284)
      • @WanaDecryptor@.exe (PID: 3152)

    • The dropped object may contain a URL to Tor Browser

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3284)
      • @WanaDecryptor@.exe (PID: 3152)

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 2868)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2868)

    • Creates files in the program directory

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3284)

    • Create files in a temporary directory

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3284)

    • Application launched itself

      • chrome.exe (PID: 3228)

    • Reads security settings of Internet Explorer

      • cscript.exe (PID: 2964)

    • Creates files or folders in the user directory

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3284)
      • taskhsvc.exe (PID: 3628)

    • Reads the machine GUID from the registry

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 3284)
      • taskhsvc.exe (PID: 3628)
      • @WanaDecryptor@.exe (PID: 3740)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

EXIF

JSON

PayloadAllShortcutsEnabled: -
PayloadBlobCsv: null
PayloadBlobCsvError: null
PayloadBlobDependabotInfoConfigFilePath: null
PayloadBlobDependabotInfoConfigurationNoticeDismissed: null
PayloadBlobDependabotInfoCurrentUserCanAdminRepo: -
PayloadBlobDependabotInfoDismissConfigurationNoticePath: /settings/dismiss-notice/dependabot_configuration_notice
PayloadBlobDependabotInfoNetworkDependabotPath: /ytisf/theZoo/network/updates
PayloadBlobDependabotInfoRepoAlertsPath: /ytisf/theZoo/security/dependabot
PayloadBlobDependabotInfoRepoOwnerIsOrg: -
PayloadBlobDependabotInfoRepoSecurityAndAnalysisPath: /ytisf/theZoo/settings/security_analysis
PayloadBlobDependabotInfoShowConfigurationBanner: -
PayloadBlobDiscussionTemplate: null
PayloadBlobDisplayName: Ransomware.WannaCry.zip
PayloadBlobDisplayUrl: https://github.com/ytisf/theZoo/blob/master/malware/Binaries/Ransomware.WannaCry/Ransomware.WannaCry.zip?raw=true
PayloadBlobHeaderInfoBlobSize: 3.32 MB
PayloadBlobHeaderInfoDeleteInfoDeleteTooltip: You must be signed in to make or propose changes
PayloadBlobHeaderInfoEditInfoEditTooltip: You must be signed in to make or propose changes
PayloadBlobHeaderInfoGhDesktopPath: https://desktop.github.com
PayloadBlobHeaderInfoGitLfsPath: null
PayloadBlobHeaderInfoIsCSV: -
PayloadBlobHeaderInfoIsRichtext: -
PayloadBlobHeaderInfoLineInfoTruncatedLoc: null
PayloadBlobHeaderInfoLineInfoTruncatedSloc: null
PayloadBlobHeaderInfoMode: file
PayloadBlobHeaderInfoOnBranch:
PayloadBlobHeaderInfoShortPath: 4a7b532
PayloadBlobHeaderInfoSiteNavLoginPath: /login?return_to=https%3A%2F%2Fgithub.com%2Fytisf%2FtheZoo%2Fblob%2Fmaster%2Fmalware%2FBinaries%2FRansomware.WannaCry%2FRansomware.WannaCry.zip
PayloadBlobHeaderInfoToc: null
PayloadBlobImage: -
PayloadBlobIsCodeownersFile: null
PayloadBlobIsPlain: -
PayloadBlobIsValidLegacyIssueTemplate: -
PayloadBlobIssueTemplate: null
PayloadBlobIssueTemplateHelpUrl: https://docs.github.com/articles/about-issue-and-pull-request-templates
PayloadBlobLanguage: null
PayloadBlobLanguageID: null
PayloadBlobLarge:
PayloadBlobLoggedIn: -
PayloadBlobNewDiscussionPath: /ytisf/theZoo/discussions/new
PayloadBlobNewIssuePath: /ytisf/theZoo/issues/new
PayloadBlobPlanSupportInfoRepoIsFork: null
PayloadBlobPlanSupportInfoRepoOwnedByCurrentUser: null
PayloadBlobPlanSupportInfoRequestFullPath: /ytisf/theZoo/blob/master/malware/Binaries/Ransomware.WannaCry/Ransomware.WannaCry.zip
PayloadBlobPlanSupportInfoShowFreeOrgGatedFeatureMessage: null
PayloadBlobPlanSupportInfoShowPlanSupportBanner: null
PayloadBlobPlanSupportInfoUpgradeDataAttributes: null
PayloadBlobPlanSupportInfoUpgradePath: null
PayloadBlobPublishBannersInfoDismissActionNoticePath: /settings/dismiss-notice/publish_action_from_dockerfile
PayloadBlobPublishBannersInfoReleasePath: /ytisf/theZoo/releases/new?marketplace=true
PayloadBlobPublishBannersInfoShowPublishActionBanner: -
PayloadBlobRawBlobUrl: https://github.com/ytisf/theZoo/raw/master/malware/Binaries/Ransomware.WannaCry/Ransomware.WannaCry.zip
PayloadBlobRawLines: null
PayloadBlobRenderImageOrRaw:
PayloadBlobRenderedFileInfo: null
PayloadBlobRichText: null
PayloadBlobShortPath: null
PayloadBlobSymbolsErrorCode: invalid_argument
PayloadBlobSymbolsErrorMsg: content required
PayloadBlobSymbolsNot_Analyzed:
PayloadBlobSymbolsTimed_Out:
PayloadBlobSymbolsEnabled:
PayloadBlobTabSize: 8
PayloadBlobTopBannersInfoActionsOnboardingTip: null
PayloadBlobTopBannersInfoCitationHelpUrl: https://docs.github.com/github/creating-cloning-and-archiving-repositories/creating-a-repository-on-github/about-citation-files
PayloadBlobTopBannersInfoGlobalPreferredFundingPath: null
PayloadBlobTopBannersInfoOverridingGlobalFundingFile: -
PayloadBlobTopBannersInfoRepoName: theZoo
PayloadBlobTopBannersInfoRepoOwner: ytisf
PayloadBlobTopBannersInfoShowDependabotConfigurationBanner: -
PayloadBlobTopBannersInfoShowInvalidCitationWarning: -
PayloadBlobTruncated:
PayloadBlobViewable: -
PayloadBlobWorkflowRedirectUrl: null
PayloadCopilotAccessAllowed: -
PayloadCopilotInfo: null
PayloadCsrf_TokensReposPreferencesPost: 2VZ7UsFlZELZsBhFY52OgTKsC2EEydf3p06_KHPhvbIsW93fHIVXxunvX991dC_mqV7yjL8eVs8XJ8inRVPAdQ
PayloadCsrf_TokensYtisfTheZooBranchesPost: 19J02LbJBhX8LyAPy42aiXx4l9IsPQVcsHm2SX0xMHLqDGUKhX5D43E2aoBFTaaLJ6p8_h-wG1o8oX7R8UBOTQ
PayloadCurrentUser: null
PayloadFileTreeItemsContentType:
  • directory
  • directory
  • directory
  • file
  • file
  • file
  • file
  • file
  • file
  • file
  • file
  • file
PayloadFileTreeItemsName:
  • conf
  • imports
  • malware
  • .gitattributes
  • .gitignore
  • CODE-OF-CONDUCT.md
  • CONTRIBUTING.md
  • LICENSE.md
  • README.md
  • prep_file.py
  • requirements.txt
  • theZoo.py
PayloadFileTreeItemsPath:
  • conf
  • imports
  • malware
  • .gitattributes
  • .gitignore
  • CODE-OF-CONDUCT.md
  • CONTRIBUTING.md
  • LICENSE.md
  • README.md
  • prep_file.py
  • requirements.txt
  • theZoo.py
PayloadFileTreeTotalCount: 12
PayloadFileTreeMalwareItemsContentType:
  • directory
  • directory
PayloadFileTreeMalwareItemsName:
  • Binaries
  • Source
PayloadFileTreeMalwareItemsPath:
  • malware/Binaries
  • malware/Source
PayloadFileTreeMalwareTotalCount: 2
PayloadFileTreeMalwareBinariesItemsContentType:
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
  • directory
PayloadFileTreeMalwareBinariesItemsName:
  • All.ElectroRAT
  • AndroRat_6Dec2013
  • Android.PegasusB
  • Android.Skygofree
  • Android.Spy.49_iBanking_Feb2014
  • Android.VikingHorde
  • AntiExe.A
  • Artemis
  • BAT.Drop
  • BAT.Pot.A
  • BAT.Skul
  • Backdoor.MSIL.Tyupkin
  • BlackEnergy2.1
  • Brain.A
  • Careto_Feb2014
  • Cascade.1701.W
  • Catapillar.E
  • Civil_War.282
  • Coll.CozyBear
  • Coll.DarkHydrus
  • CryptoLocker_10Sep2013
  • CryptoLocker_20Nov2013
  • CryptoLocker_22Jan2014
  • DOS.Yesmile
  • Dino
  • Dropper.Taleret
  • Duqu2
  • Dyre
  • EquationGroup.DoubleFantasy
  • EquationGroup.EquationDrug
  • EquationGroup.EquationLaser
  • EquationGroup.Fanny
  • EquationGroup.GROK
  • EquationGroup.GrayFish
  • EquationGroup.TripleFantasy
  • EquationGroup
  • FancyBear.GermanParliament
  • Form.A
  • Friday_the_13th.408
  • Friday_the_13th.416.A
  • Friday_the_13th.416.B
  • Friday_the_13th.540.A
  • Green_Caterpillar.1575.A
  • INTC.A
  • IllusionBot_May2007
  • JS.JScript.A
  • JS.Lame
  • Jumper.B
  • Junkie
  • KRBanker
  • Kampana.A
  • Kelihos
  • Keylogger.Ardamax
  • Linux.Chapros.A
  • Linux.Encoder.1
  • Linux.Mirai.B
  • Linux.Snoopy.A
  • Linux.Snoopy.B
  • Linux.Snoopy.C
  • Linux.Wirenet
  • Michelangelo
  • NOBELIUM
  • NYB.B
  • Net-Worm.Win32.Kido
  • Neurevt.1.7.0.1
  • Nitlove
  • Nivdort
  • OSX.Backdoor.iWorm
  • OSX.HellRaiser
  • OSX.JacksBot
  • OSX.Lazarus
  • OSX.MacSecurity
  • OSX.OceanLotus
  • OSX.Wirenet
  • OSX.XAgent
  • Parity_Boot.B
  • Phoenix.2000
  • PlugX
  • PotaoExpress
  • Poweliks
  • Proteus
  • Quax.A
  • Raccoon.Stealer.v2
  • Ransomware.Cerber
  • Ransomware.Cryptowall
  • Ransomware.Hive
  • Ransomware.Jigsaw
  • Ransomware.Locky
  • Ransomware.Mamba
  • Ransomware.Matsnu
  • Ransomware.Petrwrap
  • Ransomware.Petya
  • Ransomware.Radamant
  • Ransomware.RedBoot
  • Ransomware.Rex
  • Ransomware.Satana
  • Ransomware.TeslaCrypt
  • Ransomware.Thanos
  • Ransomware.Unnamed_0
  • Ransomware.Vipasana
  • Ransomware.WannaCry
  • Ransomware.WannaCry_Plus
  • Ransomware.XData
  • Rombertik
  • Rustock
  • Sampo.A
  • Shamoon
  • SheHas.A
  • SillyC.160.B
  • Skywiper-A.Flame
  • Slow_Format.705
  • Somoto
  • SpyEye
  • Surtr
  • SymbOS.Lasco
  • Telefonica.3784
  • Trivial.881
  • Trivial.Html.883
  • Trivial.LSD
  • Trojan.AlienSpy
  • Trojan.Asprox
  • Trojan.Bladabindi
  • Trojan.Destover-SonySigned
  • Trojan.Dropper.Gen
  • Trojan.Kovter
  • Trojan.Loadmoney
  • Trojan.NSIS.Win32
  • Trojan.Ransom.Hells
  • Trojan.Ransom.Petya
  • Trojan.Regin
  • Trojan.Shylock.Skype
  • Trojan.Sinowal
  • Trojan.Stabuniq
  • Trojan.Tapaoux
  • Trojan.Win32.Bechiro.BCD
  • TrojanWin32.Duqu.Stuxnet
  • VBS.Carnival
  • VBS.Hopper
  • VBS.LoveLetter
  • VBS.NewLove.A
  • VBS.NoMercy.B
  • VBS.NoWarning.A
  • VBS.Redinal
  • VBS.RunScript
  • VBS.Vquest.ow
  • Variant.Kazy
  • VolatileCedar.Explosion
  • W32.Beagle
  • W32.CodeRed.Worm.C
  • W32.Duni.A
  • W32.Elkern.B
  • W32.HLLP.Hantaner.A
  • W32.Hybris.Worm.B
  • W32.Klez.E
  • W32.Klez.H
  • W32.MyDoom.A
  • W32.Mytob_EJ
  • W32.NetSky
  • W32.Nimda.A
  • W32.Nimda.E
  • W32.Slammer
  • W32.Swen
  • W97M.Class.AU
  • W97M.Melissa.A
  • W97M.Pri.A
  • W97M.Pri.AB
  • WM.Alliance.A
  • WM.Cap.A
  • WM.Concept.A
  • WM.Concept.S
  • WM.Minimal.AB
  • WM.NJ_WMVCK2_T
  • WM.Npad.A
  • WMIGhost
  • Waski.Upatre
  • Win32.APT28.SekoiaRootkit
  • Win32.APT32.Windshield
  • Win32.AgentTesla
  • Win32.Alina.3.4.B
  • Win32.Avatar
  • Win32.BigBang
  • Win32.Boaxxe.BB
  • Win32.Cainxpii
  • Win32.Caphaw.Shylock
  • Win32.Carberp
  • Win32.Cridex
  • Win32.Cutwail
  • Win32.DarkTequila
  • Win32.Emotet
  • Win32.EternalRocks
  • Win32.FASTCash
  • Win32.FamousSparrow
  • Win32.Fareit
  • Win32.GravityRat
  • Win32.GreenBug
  • Win32.Hupigon
  • Win32.Infostealer.Dexter
  • Win32.Invicea_Tunnel
  • Win32.Ixeshe
  • Win32.Jerusalem
  • Win32.KerrDown
  • Win32.KeyPass
  • Win32.Lephic
  • Win32.LuckyCat
  • Win32.MyLobot
  • Win32.Narilam
  • Win32.OnionDuke.B
  • Win32.Pay2Key.B
  • Win32.Powerstats
  • Win32.RedDelta
  • Win32.Reveton
  • Win32.Sality
  • Win32.ShadowHammer
  • Win32.Sofacy.A
  • Win32.SofacyCarberp
  • Win32.StrongPity
  • Win32.Stuxnet.A.Duqu-C-Media
  • Win32.Stuxnet.B.Duqu-Realtek
  • Win32.Taleret
  • Win32.TransparentTribe.B
  • Win32.Triton
  • Win32.Turla.V1
  • Win32.Turla
  • Win32.Unclassified
  • Win32.Unknown_SpectreMeltdown
  • Win32.Unnamed_SpecMelt
  • Win32.VBS.APT34Dropper
  • Win32.ValeforBeta
  • Win32.Vobfus
  • Win32.WannaPeace
  • Win32.XAgent
  • Win32.ZeroCleare
  • Win32.ZeusVM
  • Win32.Zurgop
  • Win32Dircrypt.Trojan.Ransom.ABZ
  • Win64.NukeSped
  • Win64.Trojan.GreenBug
  • WinX.HiddenCobra.Supply
  • WinX.OperationDianxun
  • WinX.SUNBURST
  • WinX.SignSight
  • X97M.Sugar.A
  • X97M.Sugar_Poppy.II
  • Yankee_Doodle.2881.A
  • Yankee_Doodle.2997
  • Yankee_Login.3052
  • Yaunch.2537
  • Yeke.1204
  • ZeroAccess
  • ZeroLocker
  • ZeusBankingVersion_26Nov2013
  • ZeusGameover_Feb2014
  • Zherkov.1958
  • Zherkov.2970
  • njRAT-v0.6.4
PayloadFileTreeMalwareBinariesItemsPath:
  • malware/Binaries/All.ElectroRAT
  • malware/Binaries/AndroRat_6Dec2013
  • malware/Binaries/Android.PegasusB
  • malware/Binaries/Android.Skygofree
  • malware/Binaries/Android.Spy.49_iBanking_Feb2014
  • malware/Binaries/Android.VikingHorde
  • malware/Binaries/AntiExe.A
  • malware/Binaries/Artemis
  • malware/Binaries/BAT.Drop
  • malware/Binaries/BAT.Pot.A
  • malware/Binaries/BAT.Skul
  • malware/Binaries/Backdoor.MSIL.Tyupkin
  • malware/Binaries/BlackEnergy2.1
  • malware/Binaries/Brain.A
  • malware/Binaries/Careto_Feb2014
  • malware/Binaries/Cascade.1701.W
  • malware/Binaries/Catapillar.E
  • malware/Binaries/Civil_War.282
  • malware/Binaries/Coll.CozyBear
  • malware/Binaries/Coll.DarkHydrus
  • malware/Binaries/CryptoLocker_10Sep2013
  • malware/Binaries/CryptoLocker_20Nov2013
  • malware/Binaries/CryptoLocker_22Jan2014
  • malware/Binaries/DOS.Yesmile
  • malware/Binaries/Dino
  • malware/Binaries/Dropper.Taleret
  • malware/Binaries/Duqu2
  • malware/Binaries/Dyre
  • malware/Binaries/EquationGroup.DoubleFantasy
  • malware/Binaries/EquationGroup.EquationDrug
  • malware/Binaries/EquationGroup.EquationLaser
  • malware/Binaries/EquationGroup.Fanny
  • malware/Binaries/EquationGroup.GROK
  • malware/Binaries/EquationGroup.GrayFish
  • malware/Binaries/EquationGroup.TripleFantasy
  • malware/Binaries/EquationGroup
  • malware/Binaries/FancyBear.GermanParliament
  • malware/Binaries/Form.A
  • malware/Binaries/Friday_the_13th.408
  • malware/Binaries/Friday_the_13th.416.A
  • malware/Binaries/Friday_the_13th.416.B
  • malware/Binaries/Friday_the_13th.540.A
  • malware/Binaries/Green_Caterpillar.1575.A
  • malware/Binaries/INTC.A
  • malware/Binaries/IllusionBot_May2007
  • malware/Binaries/JS.JScript.A
  • malware/Binaries/JS.Lame
  • malware/Binaries/Jumper.B
  • malware/Binaries/Junkie
  • malware/Binaries/KRBanker
  • malware/Binaries/Kampana.A
  • malware/Binaries/Kelihos
  • malware/Binaries/Keylogger.Ardamax
  • malware/Binaries/Linux.Chapros.A
  • malware/Binaries/Linux.Encoder.1
  • malware/Binaries/Linux.Mirai.B
  • malware/Binaries/Linux.Snoopy.A
  • malware/Binaries/Linux.Snoopy.B
  • malware/Binaries/Linux.Snoopy.C
  • malware/Binaries/Linux.Wirenet
  • malware/Binaries/Michelangelo
  • malware/Binaries/NOBELIUM
  • malware/Binaries/NYB.B
  • malware/Binaries/Net-Worm.Win32.Kido
  • malware/Binaries/Neurevt.1.7.0.1
  • malware/Binaries/Nitlove
  • malware/Binaries/Nivdort
  • malware/Binaries/OSX.Backdoor.iWorm
  • malware/Binaries/OSX.HellRaiser
  • malware/Binaries/OSX.JacksBot
  • malware/Binaries/OSX.Lazarus
  • malware/Binaries/OSX.MacSecurity
  • malware/Binaries/OSX.OceanLotus
  • malware/Binaries/OSX.Wirenet
  • malware/Binaries/OSX.XAgent
  • malware/Binaries/Parity_Boot.B
  • malware/Binaries/Phoenix.2000
  • malware/Binaries/PlugX
  • malware/Binaries/PotaoExpress
  • malware/Binaries/Poweliks
  • malware/Binaries/Proteus
  • malware/Binaries/Quax.A
  • malware/Binaries/Raccoon.Stealer.v2
  • malware/Binaries/Ransomware.Cerber
  • malware/Binaries/Ransomware.Cryptowall
  • malware/Binaries/Ransomware.Hive
  • malware/Binaries/Ransomware.Jigsaw
  • malware/Binaries/Ransomware.Locky
  • malware/Binaries/Ransomware.Mamba
  • malware/Binaries/Ransomware.Matsnu
  • malware/Binaries/Ransomware.Petrwrap
  • malware/Binaries/Ransomware.Petya
  • malware/Binaries/Ransomware.Radamant
  • malware/Binaries/Ransomware.RedBoot
  • malware/Binaries/Ransomware.Rex
  • malware/Binaries/Ransomware.Satana
  • malware/Binaries/Ransomware.TeslaCrypt
  • malware/Binaries/Ransomware.Thanos
  • malware/Binaries/Ransomware.Unnamed_0
  • malware/Binaries/Ransomware.Vipasana
  • malware/Binaries/Ransomware.WannaCry
  • malware/Binaries/Ransomware.WannaCry_Plus
  • malware/Binaries/Ransomware.XData
  • malware/Binaries/Rombertik
  • malware/Binaries/Rustock
  • malware/Binaries/Sampo.A
  • malware/Binaries/Shamoon
  • malware/Binaries/SheHas.A
  • malware/Binaries/SillyC.160.B
  • malware/Binaries/Skywiper-A.Flame
  • malware/Binaries/Slow_Format.705
  • malware/Binaries/Somoto
  • malware/Binaries/SpyEye
  • malware/Binaries/Surtr
  • malware/Binaries/SymbOS.Lasco
  • malware/Binaries/Telefonica.3784
  • malware/Binaries/Trivial.881
  • malware/Binaries/Trivial.Html.883
  • malware/Binaries/Trivial.LSD
  • malware/Binaries/Trojan.AlienSpy
  • malware/Binaries/Trojan.Asprox
  • malware/Binaries/Trojan.Bladabindi
  • malware/Binaries/Trojan.Destover-SonySigned
  • malware/Binaries/Trojan.Dropper.Gen
  • malware/Binaries/Trojan.Kovter
  • malware/Binaries/Trojan.Loadmoney
  • malware/Binaries/Trojan.NSIS.Win32
  • malware/Binaries/Trojan.Ransom.Hells
  • malware/Binaries/Trojan.Ransom.Petya
  • malware/Binaries/Trojan.Regin
  • malware/Binaries/Trojan.Shylock.Skype
  • malware/Binaries/Trojan.Sinowal
  • malware/Binaries/Trojan.Stabuniq
  • malware/Binaries/Trojan.Tapaoux
  • malware/Binaries/Trojan.Win32.Bechiro.BCD
  • malware/Binaries/TrojanWin32.Duqu.Stuxnet
  • malware/Binaries/VBS.Carnival
  • malware/Binaries/VBS.Hopper
  • malware/Binaries/VBS.LoveLetter
  • malware/Binaries/VBS.NewLove.A
  • malware/Binaries/VBS.NoMercy.B
  • malware/Binaries/VBS.NoWarning.A
  • malware/Binaries/VBS.Redinal
  • malware/Binaries/VBS.RunScript
  • malware/Binaries/VBS.Vquest.ow
  • malware/Binaries/Variant.Kazy
  • malware/Binaries/VolatileCedar.Explosion
  • malware/Binaries/W32.Beagle
  • malware/Binaries/W32.CodeRed.Worm.C
  • malware/Binaries/W32.Duni.A
  • malware/Binaries/W32.Elkern.B
  • malware/Binaries/W32.HLLP.Hantaner.A
  • malware/Binaries/W32.Hybris.Worm.B
  • malware/Binaries/W32.Klez.E
  • malware/Binaries/W32.Klez.H
  • malware/Binaries/W32.MyDoom.A
  • malware/Binaries/W32.Mytob_EJ
  • malware/Binaries/W32.NetSky
  • malware/Binaries/W32.Nimda.A
  • malware/Binaries/W32.Nimda.E
  • malware/Binaries/W32.Slammer
  • malware/Binaries/W32.Swen
  • malware/Binaries/W97M.Class.AU
  • malware/Binaries/W97M.Melissa.A
  • malware/Binaries/W97M.Pri.A
  • malware/Binaries/W97M.Pri.AB
  • malware/Binaries/WM.Alliance.A
  • malware/Binaries/WM.Cap.A
  • malware/Binaries/WM.Concept.A
  • malware/Binaries/WM.Concept.S
  • malware/Binaries/WM.Minimal.AB
  • malware/Binaries/WM.NJ_WMVCK2_T
  • malware/Binaries/WM.Npad.A
  • malware/Binaries/WMIGhost
  • malware/Binaries/Waski.Upatre
  • malware/Binaries/Win32.APT28.SekoiaRootkit
  • malware/Binaries/Win32.APT32.Windshield
  • malware/Binaries/Win32.AgentTesla
  • malware/Binaries/Win32.Alina.3.4.B
  • malware/Binaries/Win32.Avatar
  • malware/Binaries/Win32.BigBang
  • malware/Binaries/Win32.Boaxxe.BB
  • malware/Binaries/Win32.Cainxpii
  • malware/Binaries/Win32.Caphaw.Shylock
  • malware/Binaries/Win32.Carberp
  • malware/Binaries/Win32.Cridex
  • malware/Binaries/Win32.Cutwail
  • malware/Binaries/Win32.DarkTequila
  • malware/Binaries/Win32.Emotet
  • malware/Binaries/Win32.EternalRocks
  • malware/Binaries/Win32.FASTCash
  • malware/Binaries/Win32.FamousSparrow
  • malware/Binaries/Win32.Fareit
  • malware/Binaries/Win32.GravityRat
  • malware/Binaries/Win32.GreenBug
  • malware/Binaries/Win32.Hupigon
  • malware/Binaries/Win32.Infostealer.Dexter
  • malware/Binaries/Win32.Invicea_Tunnel
  • malware/Binaries/Win32.Ixeshe
  • malware/Binaries/Win32.Jerusalem
  • malware/Binaries/Win32.KerrDown
  • malware/Binaries/Win32.KeyPass
  • malware/Binaries/Win32.Lephic
  • malware/Binaries/Win32.LuckyCat
  • malware/Binaries/Win32.MyLobot
  • malware/Binaries/Win32.Narilam
  • malware/Binaries/Win32.OnionDuke.B
  • malware/Binaries/Win32.Pay2Key.B
  • malware/Binaries/Win32.Powerstats
  • malware/Binaries/Win32.RedDelta
  • malware/Binaries/Win32.Reveton
  • malware/Binaries/Win32.Sality
  • malware/Binaries/Win32.ShadowHammer
  • malware/Binaries/Win32.Sofacy.A
  • malware/Binaries/Win32.SofacyCarberp
  • malware/Binaries/Win32.StrongPity
  • malware/Binaries/Win32.Stuxnet.A.Duqu-C-Media
  • malware/Binaries/Win32.Stuxnet.B.Duqu-Realtek
  • malware/Binaries/Win32.Taleret
  • malware/Binaries/Win32.TransparentTribe.B
  • malware/Binaries/Win32.Triton
  • malware/Binaries/Win32.Turla.V1
  • malware/Binaries/Win32.Turla
  • malware/Binaries/Win32.Unclassified
  • malware/Binaries/Win32.Unknown_SpectreMeltdown
  • malware/Binaries/Win32.Unnamed_SpecMelt
  • malware/Binaries/Win32.VBS.APT34Dropper
  • malware/Binaries/Win32.ValeforBeta
  • malware/Binaries/Win32.Vobfus
  • malware/Binaries/Win32.WannaPeace
  • malware/Binaries/Win32.XAgent
  • malware/Binaries/Win32.ZeroCleare
  • malware/Binaries/Win32.ZeusVM
  • malware/Binaries/Win32.Zurgop
  • malware/Binaries/Win32Dircrypt.Trojan.Ransom.ABZ
  • malware/Binaries/Win64.NukeSped
  • malware/Binaries/Win64.Trojan.GreenBug
  • malware/Binaries/WinX.HiddenCobra.Supply
  • malware/Binaries/WinX.OperationDianxun
  • malware/Binaries/WinX.SUNBURST
  • malware/Binaries/WinX.SignSight
  • malware/Binaries/X97M.Sugar.A
  • malware/Binaries/X97M.Sugar_Poppy.II
  • malware/Binaries/Yankee_Doodle.2881.A
  • malware/Binaries/Yankee_Doodle.2997
  • malware/Binaries/Yankee_Login.3052
  • malware/Binaries/Yaunch.2537
  • malware/Binaries/Yeke.1204
  • malware/Binaries/ZeroAccess
  • malware/Binaries/ZeroLocker
  • malware/Binaries/ZeusBankingVersion_26Nov2013
  • malware/Binaries/ZeusGameover_Feb2014
  • malware/Binaries/Zherkov.1958
  • malware/Binaries/Zherkov.2970
  • malware/Binaries/njRAT-v0.6.4
PayloadFileTreeMalwareBinariesTotalCount: 255
PayloadFileTreeMalwareBinariesRansomwareWannaCryItemsContentType:
  • file
  • file
  • file
  • file
PayloadFileTreeMalwareBinariesRansomwareWannaCryItemsName:
  • Ransomware.WannaCry.md5
  • Ransomware.WannaCry.pass
  • Ransomware.WannaCry.sha256
  • Ransomware.WannaCry.zip
PayloadFileTreeMalwareBinariesRansomwareWannaCryItemsPath:
  • malware/Binaries/Ransomware.WannaCry/Ransomware.WannaCry.md5
  • malware/Binaries/Ransomware.WannaCry/Ransomware.WannaCry.pass
  • malware/Binaries/Ransomware.WannaCry/Ransomware.WannaCry.sha256
  • malware/Binaries/Ransomware.WannaCry/Ransomware.WannaCry.zip
PayloadFileTreeMalwareBinariesRansomwareWannaCryTotalCount: 4
PayloadFileTreeProcessingTime: 13.110586
PayloadPath: malware/Binaries/Ransomware.WannaCry/Ransomware.WannaCry.zip
PayloadRefInfoCanEdit: -
PayloadRefInfoCurrentOid: 398d83938838ae6f92117d9dbcd07833dd1dcaaf
PayloadRefInfoListCacheKey: v0:1392814024.0
PayloadRefInfoName: master
PayloadRefInfoRefType: branch
PayloadRepoCreatedAt: 2014-01-09T18:55:35.000Z
PayloadRepoCurrentUserCanPush: -
PayloadRepoDefaultBranch: master
PayloadRepoId: 15776012
PayloadRepoIsEmpty: -
PayloadRepoIsFork: -
PayloadRepoIsOrgOwned: -
PayloadRepoName: theZoo
PayloadRepoOwnerAvatar: https://avatars.githubusercontent.com/u/5548594?v=4
PayloadRepoOwnerLogin: ytisf
PayloadRepoPrivate: -
PayloadRepoPublic:
PayloadSymbolsExpanded: -
PayloadTreeExpanded:
Title: theZoo/malware/Binaries/Ransomware.WannaCry/Ransomware.WannaCry.zip at master · ytisf/theZoo
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
132
Monitored processes
64
Malicious processes
16
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winrar.exe no specs winrar.exe no specs wmpnscfg.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs winrar.exe chrome.exe no specs #WANNACRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe attrib.exe no specs icacls.exe no specs taskdl.exe no specs cmd.exe no specs cscript.exe no specs PhotoViewer.dll no specs taskdl.exe no specs taskdl.exe no specs taskdl.exe no specs #WANNACRY @wanadecryptor@.exe #WANNACRY cmd.exe no specs #WANNACRY @wanadecryptor@.exe no specs taskhsvc.exe cmd.exe no specs vssadmin.exe no specs vssvc.exe no specs wmic.exe no specs bcdedit.exe no specs bcdedit.exe no specs wbadmin.exe no specs wbengine.exe no specs vdsldr.exe no specs vds.exe no specs cmd.exe no specs #WANNACRY @wanadecryptor@.exe no specs #WANNACRY taskse.exe no specs reg.exe taskdl.exe no specs #WANNACRY @wanadecryptor@.exe #WANNACRY taskse.exe no specs #WANNACRY @wanadecryptor@.exe no specs taskdl.exe no specs #WANNACRY @wanadecryptor@.exe no specs #WANNACRY @wanadecryptor@.exe #WANNACRY taskse.exe no specs #WANNACRY @wanadecryptor@.exe no specs taskdl.exe no specs #WANNACRY taskse.exe no specs #WANNACRY @wanadecryptor@.exe no specs taskdl.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
796"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2204 --field-trial-handle=1136,i,15991369097646669928,7662073835212389991,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
848"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2152 --field-trial-handle=1136,i,15991369097646669928,7662073835212389991,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
920taskse.exe C:\Users\admin\Downloads\@WanaDecryptor@.exeC:\Users\admin\Downloads\taskse.exe
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
waitfor - wait/send a signal over a network
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\users\admin\downloads\taskse.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winsta.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1216"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --disable-quic --mojo-platform-channel-handle=4092 --field-trial-handle=1136,i,15991369097646669928,7662073835212389991,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
1392cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quietC:\Windows\System32\cmd.exe@WanaDecryptor@.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1492taskse.exe C:\Users\admin\Downloads\@WanaDecryptor@.exeC:\Users\admin\Downloads\taskse.exe
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
waitfor - wait/send a signal over a network
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\users\admin\downloads\taskse.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winsta.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1624"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --disable-quic --mojo-platform-channel-handle=3920 --field-trial-handle=1136,i,15991369097646669928,7662073835212389991,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\109.0.5414.120\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
1696C:\Windows\System32\vdsldr.exe -EmbeddingC:\Windows\System32\vdsldr.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Virtual Disk Service Loader
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vdsldr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\atl.dll
1776"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
2000C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}C:\Windows\System32\dllhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
23 258
Read events
22 529
Write events
722
Delete events
7

Modification events

(PID) Process:(4052) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(4052) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(4052) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(4052) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\General
Operation:writeName:LastFolder
Value:
C:\Users\admin\Desktop
(PID) Process:(4052) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(4052) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(4052) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(4052) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(4052) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Operation:writeName:Band56_0
Value:
38000000730100000402000000000000D4D0C8000000000000000000000000008C0110000000000039000000B40200000000000001000000
(PID) Process:(4052) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Operation:writeName:Band56_1
Value:
38000000730100000500000000000000D4D0C8000000000000000000000000003A01110000000000160000002A0000000000000002000000
Executable files
22
Suspicious files
1 015
Text files
587
Unknown types
451

Dropped files

PID
Process
Filename
Type
3228chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RF183bdb.TMP
MD5:
SHA256:
3228chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
3228chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.datbinary
MD5:9C016064A1F864C8140915D77CF3389A
SHA256:0E7265D4A8C16223538EDD8CD620B8820611C74538E420A88E333BE7F62AC787
3228chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RF183bfa.TMPtext
MD5:ADB669AB4CD1C63883C64FB0DBA2C7DA
SHA256:18BFF89047EC5B122573D089B3DC7A7DD14A5A7A515B2D8141584B41E723253F
3228chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.oldtext
MD5:358570F689377CE6838812643E03734B
SHA256:5B41FCC2E1A843AEAB9437B06E27B798870FF10D86A51B163BF48862BCD32590
3228chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Last Versiontext
MD5:9F941EA08DBDCA2EB3CFA1DBBBA6F5DC
SHA256:127F71DF0D2AD895D4F293E62284D85971AE047CA15F90B87BF6335898B0B655
3228chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old~RF184002.TMP
MD5:
SHA256:
3228chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old
MD5:
SHA256:
3228chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG.oldtext
MD5:E53573A93829681410D5E7DBB1B61C78
SHA256:A82D28F2C1E22A2AE0ABC5F5AF0CC8EE7AD913BAB3A0BF84CE6D8D23F67E06A3
3228chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Variationsbinary
MD5:961E3604F228B0D10541EBF921500C86
SHA256:F7B24F2EB3D5EB0550527490395D2F61C3D2FE74BB9CB345197DAD81B58B5FED
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
37
DNS requests
41
Threats
6

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
856
svchost.exe
HEAD
200
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYTBmQUFZUHRkSkgtb01uSGNvRHZ2Tm5HQQ/1.0.0.15_llkgjffcdpffmhiakmfcdcblohccpfmo.crx
unknown
unknown
856
svchost.exe
GET
200
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYTBmQUFZUHRkSkgtb01uSGNvRHZ2Tm5HQQ/1.0.0.15_llkgjffcdpffmhiakmfcdcblohccpfmo.crx
unknown
binary
3.07 Kb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown
3228
chrome.exe
239.255.255.250:1900
unknown
3964
chrome.exe
142.250.186.163:443
clientservices.googleapis.com
GOOGLE
US
whitelisted
3964
chrome.exe
66.102.1.84:443
accounts.google.com
GOOGLE
US
unknown
3964
chrome.exe
142.250.186.132:443
www.google.com
GOOGLE
US
whitelisted
3228
chrome.exe
224.0.0.251:5353
unknown
3964
chrome.exe
172.217.18.3:443
update.googleapis.com
GOOGLE
US
whitelisted
3964
chrome.exe
142.250.186.74:443
www.googleapis.com
GOOGLE
US
whitelisted

DNS requests

Domain
IP
Reputation
clientservices.googleapis.com
  • 142.250.186.163
whitelisted
accounts.google.com
  • 66.102.1.84
shared
www.google.com
  • 142.250.186.132
whitelisted
update.googleapis.com
  • 172.217.18.3
  • 142.250.186.163
whitelisted
www.googleapis.com
  • 142.250.186.74
  • 142.250.186.138
  • 142.250.74.202
  • 216.58.206.42
  • 172.217.18.10
  • 142.250.186.106
  • 172.217.16.202
  • 216.58.212.170
  • 142.250.186.42
  • 172.217.18.106
  • 172.217.23.106
  • 142.250.185.74
  • 142.250.185.106
  • 142.250.185.138
  • 142.250.185.170
  • 142.250.185.202
whitelisted
github.com
  • 140.82.121.4
shared
github.githubassets.com
  • 185.199.110.154
  • 185.199.109.154
  • 185.199.111.154
  • 185.199.108.154
whitelisted
safebrowsing.googleapis.com
  • 142.250.184.234
whitelisted
avatars.githubusercontent.com
  • 185.199.109.133
  • 185.199.110.133
  • 185.199.108.133
  • 185.199.111.133
whitelisted
github-cloud.s3.amazonaws.com
  • 52.216.33.209
  • 3.5.17.174
  • 52.216.214.185
  • 52.216.211.233
  • 3.5.28.181
  • 52.217.122.201
  • 3.5.8.148
  • 52.216.60.73
shared

Threats

PID
Process
Class
Message
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 218
3628
taskhsvc.exe
Unknown Traffic
ET JA3 Hash - Possible Malware - Malspam
3628
taskhsvc.exe
Misc activity
ET POLICY TLS possible TOR SSL traffic
3628
taskhsvc.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 806
3628
taskhsvc.exe
Unknown Traffic
ET JA3 Hash - Possible Malware - Malspam
3628
taskhsvc.exe
Misc activity
ET POLICY TLS possible TOR SSL traffic
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
/ytisf/theZoo/blob/master/malware/Binaries/Ransomware.WannaCry/Ransomware.WannaCry.zip