URL:

https://github.com/ytisf/theZoo/blob/master/malwares/Binaries/Ransomware.WannaCry/Ransomware.WannaCry.zip

Full analysis: https://app.any.run/tasks/74012adf-922c-4302-8106-37331b57104e
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: January 10, 2019, 15:22:55
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
wannacry
wannacryptor
Indicators:
MD5:

7B28057A910FF9DFE6698C8A2E71194D

SHA1:

2BD53EDCA876F9EB6D32A44E95B1F345004C175C

SHA256:

D54214046B336D57BCEFB71B9689EBE283D6E0E028F9E5675EE969C29F249ECA

SSDEEP:

3:N8tEdsxHuJKqIEHD9KzzumLLEg7yNmmLLEg6kVn:2u6tuJKz+xKzy8HR8xVn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 792)
      • taskdl.exe (PID: 3020)
      • @WanaDecryptor@.exe (PID: 3424)
      • @WanaDecryptor@.exe (PID: 2472)
      • taskhsvc.exe (PID: 3976)
      • taskdl.exe (PID: 2288)
      • @WanaDecryptor@.exe (PID: 2456)
      • @WanaDecryptor@.exe (PID: 3900)
      • taskdl.exe (PID: 3640)
      • taskdl.exe (PID: 3084)
      • @WanaDecryptor@.exe (PID: 2840)
      • taskdl.exe (PID: 3992)
      • @WanaDecryptor@.exe (PID: 3384)

    • Modifies files in Chrome extension folder

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 792)

    • Dropped file may contain instructions of ransomware

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 792)

    • Writes file to Word startup folder

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 792)

    • WannaCry Ransomware was detected

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 792)
      • cmd.exe (PID: 3452)

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 840)
      • taskhsvc.exe (PID: 3976)

    • Actions looks like stealing of personal data

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 792)

    • Deletes shadow copies

      • cmd.exe (PID: 2856)

    • Starts BCDEDIT.EXE to disable recovery

      • cmd.exe (PID: 2856)

    • Loads the Task Scheduler COM API

      • wbengine.exe (PID: 4040)

    • Changes the autorun value in the registry

      • reg.exe (PID: 3888)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 792)
      • @WanaDecryptor@.exe (PID: 3424)

    • Uses ICACLS.EXE to modify access control list

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 792)

    • Creates files like Ransomware instruction

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 792)

    • Starts CMD.EXE for commands execution

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 792)
      • @WanaDecryptor@.exe (PID: 2472)

    • Creates files in the program directory

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 792)

    • Uses ATTRIB.EXE to modify file attributes

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 792)

    • Executes scripts

      • cmd.exe (PID: 3812)

    • Creates files in the user directory

      • taskhsvc.exe (PID: 3976)
      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 792)

    • Creates files in the Windows directory

      • wbadmin.exe (PID: 2320)

    • Low-level read access rights to disk partition

      • wbengine.exe (PID: 4040)
      • vds.exe (PID: 2640)

    • Connects to unusual port

      • taskhsvc.exe (PID: 3976)

    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 2428)

  • INFO

    • Dropped object may contain Bitcoin addresses

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 792)
      • taskhsvc.exe (PID: 3976)

    • Reads Internet Cache Settings

      • chrome.exe (PID: 3036)

    • Reads settings of System Certificates

      • chrome.exe (PID: 3036)

    • Application launched itself

      • chrome.exe (PID: 3036)

    • Dropped object may contain TOR URL's

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 792)

    • Dropped object may contain URL to Tor Browser

      • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID: 792)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
89
Monitored processes
42
Malicious processes
6
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs explorer.exe no specs winrar.exe no specs #WANNACRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe attrib.exe no specs icacls.exe no specs taskdl.exe no specs cmd.exe no specs cscript.exe no specs @wanadecryptor@.exe #WANNACRY cmd.exe no specs @wanadecryptor@.exe no specs taskhsvc.exe searchprotocolhost.exe no specs cmd.exe vssadmin.exe no specs vssvc.exe no specs wmic.exe no specs bcdedit.exe no specs bcdedit.exe no specs wbadmin.exe no specs wbengine.exe no specs vdsldr.exe no specs vds.exe no specs taskdl.exe no specs @wanadecryptor@.exe no specs cmd.exe no specs reg.exe taskdl.exe no specs @wanadecryptor@.exe no specs taskdl.exe no specs @wanadecryptor@.exe no specs taskdl.exe no specs @wanadecryptor@.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
760"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
792"C:\Users\admin\Downloads\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe" C:\Users\admin\Downloads\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
DiskPart
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\users\admin\downloads\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
840"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe6_ Global\UsGthrCtrlFltPipeMssGthrPipe6 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\System32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1208bcdedit /set {default} recoveryenabled no C:\Windows\system32\bcdedit.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Boot Configuration Data Editor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\bcdedit.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
2212"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=972,17444853492580365003,16415105173962533014,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=4B055729F50864C4B67A71B9795109DE --mojo-platform-channel-handle=980 --ignored=" --type=renderer " /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
68.0.3440.106
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
2288taskdl.exeC:\Users\admin\Downloads\taskdl.exeed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
SQL Client Configuration Utility EXE
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\users\admin\downloads\taskdl.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp60.dll
c:\windows\system32\msvcrt.dll
2320"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=972,17444853492580365003,16415105173962533014,131072 --enable-features=PasswordImport --disable-gpu-sandbox --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=29E07AC61C3D92D0563CA6808ABDF506 --mojo-platform-channel-handle=3796 /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
68.0.3440.106
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
2320wbadmin delete catalog -quietC:\Windows\system32\wbadmin.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Command Line Interface for Microsoft® BLB Backup
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\google\chrome\application\68.0.3440.106\swiftshader\libglesv2.dll
c:\windows\system32\ddraw.dll
c:\windows\system32\dxva2.dll
c:\windows\system32\sqmapi.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\msmpeg2vdec.dll
c:\windows\system32\avrt.dll
c:\windows\system32\atl.dll
c:\windows\system32\devobj.dll
c:\windows\system32\setupapi.dll
2428cmd.exe /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "yyibsxxiapw107" /t REG_SZ /d "\"C:\Users\admin\Downloads\tasksche.exe\"" /fC:\Windows\system32\cmd.exeed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2456@WanaDecryptor@.exeC:\Users\admin\Downloads\@WanaDecryptor@.exeed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Load PerfMon Counters
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\users\admin\downloads\@wanadecryptor@.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mfc42.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
1 578
Read events
1 489
Write events
86
Delete events
3

Modification events

(PID) Process:(3036) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(3036) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(3036) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(3024) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes
Operation:writeName:3036-13191607390806250
Value:
259
(PID) Process:(3036) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation:writeName:dr
Value:
1
(PID) Process:(3036) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome
Operation:writeName:UsageStatsInSample
Value:
0
(PID) Process:(3036) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes
Operation:delete valueName:3516-13180984670829101
Value:
0
(PID) Process:(3036) chrome.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:writeName:usagestats
Value:
0
(PID) Process:(3036) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes
Operation:delete valueName:3036-13191607390806250
Value:
259
(PID) Process:(3036) chrome.exeKey:HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation:writeName:metricsid
Value:
Executable files
17
Suspicious files
592
Text files
552
Unknown types
30

Dropped files

PID
Process
Filename
Type
3036chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\f9e973b2-8844-4b5d-8cef-b52fb5e0d688.tmp
MD5:
SHA256:
3036chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\000016.dbtmp
MD5:
SHA256:
3036chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000016.dbtmp
MD5:
SHA256:
3036chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\3b7f4b65-79e2-423d-b857-54f7c2702a2b.tmp
MD5:
SHA256:
3036chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old~RF20e95a.TMPtext
MD5:
SHA256:
3036chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Last Versiontext
MD5:
SHA256:
3036chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG.oldtext
MD5:
SHA256:
3036chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.oldtext
MD5:
SHA256:
3036chrome.exeC:\Users\admin\AppData\Local\Temp\CabECC5.tmp
MD5:
SHA256:
3036chrome.exeC:\Users\admin\AppData\Local\Temp\TarECC6.tmp
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
25
DNS requests
19
Threats
7

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3036
chrome.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRJ9L2KGL92BpjF3kAtaDtxauTmhgQUPdNQpdagre7zSmAKZdMh1Pj41g8CEAoGMEJ%2FW7ztaVc5ZZO2RR8%3D
US
der
471 b
whitelisted
3036
chrome.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAx5qUSwjBGVIJJhX%2BJrHYM%3D
US
der
471 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3036
chrome.exe
172.217.23.131:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
3036
chrome.exe
192.30.253.113:443
github.com
GitHub, Inc.
US
shared
3036
chrome.exe
185.199.108.154:443
github.githubassets.com
GitHub, Inc.
NL
suspicious
3036
chrome.exe
172.217.23.163:443
www.gstatic.com
Google Inc.
US
whitelisted
3036
chrome.exe
52.7.247.121:443
collector.githubapp.com
Amazon.com, Inc.
US
unknown
3036
chrome.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3036
chrome.exe
172.217.21.202:443
safebrowsing.googleapis.com
Google Inc.
US
whitelisted
3036
chrome.exe
216.58.206.14:443
www.google-analytics.com
Google Inc.
US
whitelisted
3036
chrome.exe
151.101.0.133:443
avatars2.githubusercontent.com
Fastly
US
malicious
3036
chrome.exe
192.30.253.117:443
api.github.com
GitHub, Inc.
US
shared

DNS requests

Domain
IP
Reputation
www.gstatic.com
  • 172.217.23.163
whitelisted
github.com
  • 192.30.253.113
  • 192.30.253.112
malicious
clientservices.googleapis.com
  • 172.217.23.131
whitelisted
accounts.google.com
  • 216.58.207.77
shared
ocsp.digicert.com
  • 93.184.220.29
whitelisted
github.githubassets.com
  • 185.199.108.154
  • 185.199.110.154
  • 185.199.111.154
  • 185.199.109.154
whitelisted
avatars2.githubusercontent.com
  • 151.101.0.133
  • 151.101.64.133
  • 151.101.128.133
  • 151.101.192.133
whitelisted
avatars0.githubusercontent.com
  • 151.101.0.133
  • 151.101.64.133
  • 151.101.128.133
  • 151.101.192.133
whitelisted
avatars1.githubusercontent.com
  • 151.101.0.133
  • 151.101.64.133
  • 151.101.128.133
  • 151.101.192.133
whitelisted
safebrowsing.googleapis.com
  • 172.217.21.202
whitelisted

Threats

PID
Process
Class
Message
3976
taskhsvc.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 621
3976
taskhsvc.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 153
3976
taskhsvc.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 485
3976
taskhsvc.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 653
3976
taskhsvc.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 479
3976
taskhsvc.exe
Misc activity
ET POLICY TLS possible TOR SSL traffic
3976
taskhsvc.exe
Misc activity
ET POLICY TLS possible TOR SSL traffic
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://github.com/ytisf/theZoo/blob/master/malwares/Binaries/Ransomware.WannaCry/Ransomware.WannaCry.zip