Malware Report
Emulated On: Microsoft Windows XP 32 bit, SP3, Office 2003, Office 2007, Adobe Acrobat Reader 9.0, Adobe Flash Player 9, Java SE 1.6.0
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c…
Malicious Activity Detected
Type: exe
Size: 3.4 MB
MD5: 84c82835a5d21bbcf75a61706d8ab549
SHA1: 5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
33 Affected Files: 22 Files Created, 25 Files Modified, 4 Files Deleted
4 Affected Processes: 4 Processes Created, 2 Processes Terminated, 0 Processes Crashed
13 Affected Registry Keys: 13 Entries Set, 0 Entries Deleted
4 Suspicious Activities
Table of Contents
Malware Residues
Unexpected Activities By Time
Malware Residues
Suspicious Activities
Behaves like a known malware ( Generic.MALWARE.1b25 )
Malware activity observed ( Trojan-Ransom.Win32.Wanna.b )
Malware detected ( Gen:Variant.Graftor.369176 )
Malware signature matched ( Trojan-ransom.Win32.Wcry.U.lzpjh )
Processes Spawned or Interacted with
C:\WINDOWS\system32\attrib.exe (Terminated, Started)
C:\WINDOWS\system32\cmd.exe (Started)
C:\WINDOWS\system32\cscript.exe (Started)
C:\te_files\taskdl.exe (Terminated, Started)
Files Changed
C:\$LogFile (Modified)
C:\Documents and Settings\admin\Desktop\@Please_Read_Me@.txt (Created, Modified)
C:\Documents and Settings\admin\Desktop\@WanaDecryptor@.exe (Created, Modified)
C:\Documents and Settings\admin\Desktop\a glimpse into the future.bmp (Modified)
C:\Documents and Settings\admin\Desktop\a glimpse into the future.bmp.WNCRYT (Created, Modified)
C:\Documents and Settings\admin\Desktop\confidential.docx (Modified)
C:\Documents and Settings\admin\Desktop\confidential.docx.WNCRYT (Created, Modified)
C:\Documents and Settings\admin\Desktop\important DOCs\@Please_Read_Me@.txt (Created, Modified)
C:\Documents and Settings\admin\Desktop\important DOCs\Classifed.zip (Modified)
C:\Documents and Settings\admin\Desktop\important DOCs\Classifed.zip.WNCRYT (Created, Modified)
C:\Documents and Settings\admin\Desktop\important DOCs\Classifed\@Please_Read_Me@.txt (Created, Modified)
C:\Documents and Settings\admin\Desktop\important DOCs\Classifed\a glimpse.bmp (Modified)
C:\Documents and Settings\admin\Desktop\important DOCs\Classifed\a glimpse.bmp.WNCRYT (Created, Modified)
C:\Documents and Settings\admin\Desktop\important DOCs\Classifed\confidential.docx (Modified)
C:\Documents and Settings\admin\Desktop\important DOCs\Classifed\confidential.docx.WNCRYT (Created, Modified)
C:\Documents and Settings\admin\Desktop\important DOCs\Classifed\roadmap_2021.pptx (Modified)
C:\Documents and Settings\admin\Desktop\important DOCs\Classifed\~SD3.tmp (Created, Deleted)
C:\Documents and Settings\admin\Desktop\important DOCs\a glimpse into the future.bmp (Modified)
C:\Documents and Settings\admin\Desktop\important DOCs\a glimpse into the future.bmp.WNCRYT (Created, Modified)
C:\Documents and Settings\admin\Desktop\important DOCs\confidential.docx (Modified)
C:\Documents and Settings\admin\Desktop\important DOCs\confidential.docx.WNCRYT (Created, Modified)
C:\Documents and Settings\admin\Desktop\important DOCs\roadmap_2021.pptx (Modified)
C:\Documents and Settings\admin\Desktop\important DOCs\roadmap_2021.pptx.WNCRYT (Created, Modified)
C:\Documents and Settings\admin\Desktop\important DOCs\~SD2.tmp (Created, Deleted)
C:\Documents and Settings\admin\Desktop\~SD1.tmp (Created, Deleted)
C:\Documents and Settings\admin\My Documents\roadmap_2021.pptx.WNCRYT (Created, Modified)
C:\Documents and Settings\admin\My Documents\~SD4.tmp (Created, Deleted)
C:\te_files\219161325495940.bat (Created)
C:\te_files\@WanaDecryptor@.exe (Created)
C:\te_files\taskdl.exe (Created)
C:\te_files\taskse.exe (Created)
Registry Keys Modified
HKCU\Software\Microsoft\Multimedia\Audio (Modified)
HKCU\Software\Microsoft\Multimedia\Audio Compression Manager (Modified)
HKCU\Software\Microsoft\Multimedia\Audio Compression Manager\MSACM (Modified)
HKCU\Software\Microsoft\Multimedia\Audio Compression Manager\Priority v4.00 (Modified)
HKCU\Software\Microsoft\Windows Script Host\Settings (Modified)
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (Modified)
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal (Modified)
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders (Modified)
HKCU\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing (Modified)
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed (Modified)
HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings (Modified)
HKLM\SOFTWARE\WanaCrypt0r (Modified)
HKLM\SOFTWARE\WanaCrypt0r\wd (Modified)
Unexpected Activities By Time
Elapsed Time Type Action
00:00:04 Registry Create C:\te_files\emulatedFile58511_1.exe Created HKLM\SOFTWARE\WanaCrypt0r
00:00:04 Registry Set C:\te_files\emulatedFile58511_1.exe Set HKLM\SOFTWARE\WanaCrypt0r\wd
00:00:05 File Create C:\te_files\emulatedFile58511_1.exe Created C:\te_files\taskdl.exe
00:00:05 File Create C:\te_files\emulatedFile58511_1.exe Created C:\te_files\taskse.exe
00:00:05 Process Creation C:\te_files\emulatedFile58511_1.exe Created C:\WINDOWS\system32\attrib.exe
00:00:09 Registry Set C:\WINDOWS\system32\attrib.exe Set HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed
00:00:09 Registry Create C:\WINDOWS\system32\attrib.exe Created HKCU\Software\Microsoft\Multimedia\Audio
00:00:13 Registry Create C:\WINDOWS\system32\attrib.exe Created HKCU\Software\Microsoft\Multimedia\Audio Compression Manager
00:00:13 Registry Create C:\WINDOWS\system32\attrib.exe Created HKCU\Software\Microsoft\Multimedia\Audio Compression Manager\MSACM
00:00:13 Registry Create C:\WINDOWS\system32\attrib.exe Created HKCU\Software\Microsoft\Multimedia\Audio Compression Manager\Priority v4.00
00:00:17 Process Termination C:\te_files\emulatedFile58511_1.exe Terminated C:\WINDOWS\system32\attrib.exe
00:00:17 Registry Set C:\te_files\emulatedFile58511_1.exe Set HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed
00:00:19 Process Creation C:\te_files\emulatedFile58511_1.exe Created C:\te_files\taskdl.exe
00:00:20 Process Termination C:\te_files\emulatedFile58511_1.exe Terminated C:\te_files\taskdl.exe
00:00:21 Process Creation C:\te_files\emulatedFile58511_1.exe Created C:\WINDOWS\system32\cmd.exe
00:00:21 File Create C:\te_files\emulatedFile58511_1.exe Created C:\te_files\@WanaDecryptor@.exe
00:00:21 File Create C:\te_files\emulatedFile58511_1.exe Created C:\te_files\219161325495940.bat
00:00:22 File Create C:\te_files\emulatedFile58511_1.exe Created C:\Documents and Settings\admin\Desktop\~SD1.tmp
00:00:22 File Delete C:\te_files\emulatedFile58511_1.exe Deleted C:\Documents and Settings\admin\Desktop\~SD1.tmp
00:00:22 File Create C:\te_files\emulatedFile58511_1.exe Created C:\Documents and Settings\admin\Desktop\confidential.docx.WNCRYT
00:00:22 File Write C:\te_files\emulatedFile58511_1.exe Wrote To C:\Documents and Settings\admin\Desktop\confidential.docx.WNCRYT
00:00:23 File Write C:\te_files\emulatedFile58511_1.exe Wrote To C:\Documents and Settings\admin\Desktop\confidential.docx
00:00:23 File Write C:\te_files\emulatedFile58511_1.exe Wrote To C:\$LogFile
00:00:23 File Create C:\te_files\emulatedFile58511_1.exe Created C:\Documents and Settings\admin\Desktop\@Please_Read_Me@.txt
00:00:23 File Write C:\te_files\emulatedFile58511_1.exe Wrote To C:\Documents and Settings\admin\Desktop\@Please_Read_Me@.txt
00:00:23 File Create C:\te_files\emulatedFile58511_1.exe Created C:\Documents and Settings\admin\Desktop\@WanaDecryptor@.exe
00:00:23 File Write C:\te_files\emulatedFile58511_1.exe Wrote To C:\Documents and Settings\admin\Desktop\@WanaDecryptor@.exe
00:00:23 File Create C:\te_files\emulatedFile58511_1.exe Created C:\Documents and Settings\admin\Desktop\important DOCs\~SD2.tmp
00:00:23 File Delete C:\te_files\emulatedFile58511_1.exe Deleted C:\Documents and Settings\admin\Desktop\important DOCs\~SD2.tmp
00:00:24 File Create C:\te_files\emulatedFile58511_1.exe Created C:\Documents and Settings\admin\Desktop\important DOCs\confidential.docx.WNCRYT
00:00:24 File Write C:\te_files\emulatedFile58511_1.exe Wrote To C:\Documents and Settings\admin\Desktop\important DOCs\confidential.docx.WNCRYT
00:00:25 File Write C:\te_files\emulatedFile58511_1.exe Wrote To C:\Documents and Settings\admin\Desktop\important DOCs\confidential.docx
00:00:25 File Create C:\te_files\emulatedFile58511_1.exe Created C:\Documents and Settings\admin\Desktop\important DOCs\roadmap_2021.pptx.WNCRYT
00:00:25 File Write C:\te_files\emulatedFile58511_1.exe Wrote To C:\Documents and Settings\admin\Desktop\important DOCs\roadmap_2021.pptx.WNCRYT
00:00:25 Process Creation C:\WINDOWS\system32\cmd.exe Created C:\WINDOWS\system32\cscript.exe
00:00:25 File Write C:\te_files\emulatedFile58511_1.exe Wrote To C:\Documents and Settings\admin\Desktop\important DOCs\roadmap_2021.pptx
00:00:25 File Create C:\te_files\emulatedFile58511_1.exe Created C:\Documents and Settings\admin\Desktop\important DOCs\@Please_Read_Me@.txt
00:00:25 File Write C:\te_files\emulatedFile58511_1.exe Wrote To C:\Documents and Settings\admin\Desktop\important DOCs\@Please_Read_Me@.txt
00:00:25 File Create C:\te_files\emulatedFile58511_1.exe Created C:\Documents and Settings\admin\Desktop\important DOCs\Classifed\~SD3.tmp
00:00:25 File Delete C:\te_files\emulatedFile58511_1.exe Deleted C:\Documents and Settings\admin\Desktop\important DOCs\Classifed\~SD3.tmp
00:00:25 File Create C:\te_files\emulatedFile58511_1.exe Created C:\Documents and Settings\admin\Desktop\important DOCs\Classifed\confidential.docx.WNCRYT
00:00:25 File Write C:\te_files\emulatedFile58511_1.exe Wrote To C:\Documents and Settings\admin\Desktop\important DOCs\Classifed\confidential.docx.WNCRYT
00:00:25 File Write C:\te_files\emulatedFile58511_1.exe Wrote To C:\Documents and Settings\admin\Desktop\important DOCs\Classifed\confidential.docx
00:00:25 Registry Set C:\WINDOWS\system32\cscript.exe Set HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed
00:00:26 Registry Create C:\WINDOWS\system32\cscript.exe Created HKCU\Software\Microsoft\Multimedia\Audio
00:00:28 Registry Create C:\WINDOWS\system32\cscript.exe Created HKCU\Software\Microsoft\Multimedia\Audio Compression Manager
00:00:29 Registry Create C:\WINDOWS\system32\cscript.exe Created HKCU\Software\Microsoft\Multimedia\Audio Compression Manager\MSACM
00:00:29 Registry Create C:\WINDOWS\system32\cscript.exe Created HKCU\Software\Microsoft\Multimedia\Audio Compression Manager\Priority v4.00
00:00:29 File Create C:\te_files\emulatedFile58511_1.exe Created C:\Documents and Settings\admin\Desktop\important DOCs\Classifed\roadmap_2021.pptx.WNCRYT
00:00:29 File Write C:\te_files\emulatedFile58511_1.exe Wrote To C:\Documents and Settings\admin\Desktop\important DOCs\Classifed\roadmap_2021.pptx.WNCRYT
00:00:31 Registry Create C:\WINDOWS\system32\cscript.exe Created HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings
00:00:31 Registry Create C:\WINDOWS\system32\cscript.exe Created HKCU\Software\Microsoft\Windows Script Host\Settings
00:00:31 File Write C:\te_files\emulatedFile58511_1.exe Wrote To C:\Documents and Settings\admin\Desktop\important DOCs\Classifed\roadmap_2021.pptx
00:00:32 File Create C:\te_files\emulatedFile58511_1.exe Created C:\Documents and Settings\admin\Desktop\important DOCs\Classifed\@Please_Read_Me@.txt
00:00:32 File Write C:\te_files\emulatedFile58511_1.exe Wrote To C:\Documents and Settings\admin\Desktop\important DOCs\Classifed\@Please_Read_Me@.txt
00:00:33 File Create C:\te_files\emulatedFile58511_1.exe Created C:\Documents and Settings\admin\Desktop\important DOCs\Classifed.zip.WNCRYT
00:00:33 File Write C:\te_files\emulatedFile58511_1.exe Wrote To C:\Documents and Settings\admin\Desktop\important DOCs\Classifed.zip.WNCRYT
00:00:34 File Write C:\te_files\emulatedFile58511_1.exe Wrote To C:\Documents and Settings\admin\Desktop\important DOCs\Classifed.zip
00:00:34 File Create C:\te_files\emulatedFile58511_1.exe Created C:\Documents and Settings\admin\Desktop\a glimpse into the future.bmp.WNCRYT
00:00:34 File Write C:\te_files\emulatedFile58511_1.exe Wrote To C:\Documents and Settings\admin\Desktop\a glimpse into the future.bmp.WNCRYT
00:00:36 File Write C:\te_files\emulatedFile58511_1.exe Wrote To C:\Documents and Settings\admin\Desktop\a glimpse into the future.bmp
00:00:36 File Create C:\te_files\emulatedFile58511_1.exe Created C:\Documents and Settings\admin\Desktop\important DOCs\a glimpse into the future.bmp.WNCRYT
00:00:36 File Write C:\te_files\emulatedFile58511_1.exe Wrote To C:\Documents and Settings\admin\Desktop\important DOCs\a glimpse into the future.bmp.WNCRYT
00:00:36 File Write C:\te_files\emulatedFile58511_1.exe Wrote To C:\Documents and Settings\admin\Desktop\important DOCs\a glimpse into the future.bmp
00:00:36 File Create C:\te_files\emulatedFile58511_1.exe Created C:\Documents and Settings\admin\Desktop\important DOCs\Classifed\a glimpse.bmp.WNCRYT
00:00:36 File Write C:\te_files\emulatedFile58511_1.exe Wrote To C:\Documents and Settings\admin\Desktop\important DOCs\Classifed\a glimpse.bmp.WNCRYT
00:00:36 File Write C:\te_files\emulatedFile58511_1.exe Wrote To C:\Documents and Settings\admin\Desktop\important DOCs\Classifed\a glimpse.bmp
00:00:36 Registry Create C:\te_files\emulatedFile58511_1.exe Created HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
00:00:36 Registry Create C:\te_files\emulatedFile58511_1.exe Created HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
00:00:37 Registry Set C:\te_files\emulatedFile58511_1.exe Set HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal
00:00:37 File Create C:\te_files\emulatedFile58511_1.exe Created C:\Documents and Settings\admin\My Documents\~SD4.tmp
00:00:37 File Delete C:\te_files\emulatedFile58511_1.exe Deleted C:\Documents and Settings\admin\My Documents\~SD4.tmp
00:00:37 File Create C:\te_files\emulatedFile58511_1.exe Created C:\Documents and Settings\admin\My Documents\roadmap_2021.pptx.WNCRYT
00:00:37 File Write C:\te_files\emulatedFile58511_1.exe Wrote To C:\Documents and Settings\admin\My Documents\roadmap_2021.pptx.WNCRYT
00:00:37 Registry Create C:\WINDOWS\system32\cscript.exe Created HKCU\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
00:00:39 File Write C:\te_files\emulatedFile58511_1.exe Wrote To C:\Documents and Settings\admin\My Documents\roadmap_2021.pptx
WannaCry emulation report

More Related Content

Similar to WannaCry emulation report

Vista Forensics
Vista ForensicsVista Forensics
Vista Forensics
CTIN
 
When using some Sounds and Audio Devices functions you see a message.pdf
When using some Sounds and Audio Devices functions you see a message.pdfWhen using some Sounds and Audio Devices functions you see a message.pdf
When using some Sounds and Audio Devices functions you see a message.pdf
arasanmobiles
 
Ankit Phadia Hacking tools (2)
Ankit Phadia Hacking tools (2)Ankit Phadia Hacking tools (2)
Ankit Phadia Hacking tools (2)
Chandra Pr. Singh
 
Batch file programming
Batch file programmingBatch file programming
Batch file programming
swapnil kapate
 

Similar to WannaCry emulation report (20)

Zhp diag
Zhp diagZhp diag
Zhp diag
 
How to remove conduit search and other toolbars — extended guide
How to remove conduit search and other toolbars — extended guideHow to remove conduit search and other toolbars — extended guide
How to remove conduit search and other toolbars — extended guide
 
Users guide
Users guideUsers guide
Users guide
 
Vista Forensics
Vista ForensicsVista Forensics
Vista Forensics
 
Threat Report: Sys32.exe Trojan.Generic (Turkish)
Threat Report: Sys32.exe Trojan.Generic (Turkish)Threat Report: Sys32.exe Trojan.Generic (Turkish)
Threat Report: Sys32.exe Trojan.Generic (Turkish)
 
Black Energy18 - Russian botnet package analysis
Black Energy18 - Russian botnet package analysisBlack Energy18 - Russian botnet package analysis
Black Energy18 - Russian botnet package analysis
 
Final Fantasy XIV Crashes
Final Fantasy XIV CrashesFinal Fantasy XIV Crashes
Final Fantasy XIV Crashes
 
Optimize Your Pc
Optimize Your PcOptimize Your Pc
Optimize Your Pc
 
Pmlog
PmlogPmlog
Pmlog
 
Windows and MacOS software to work more efficiently (2024.02.12, online)
Windows and MacOS software to work more efficiently (2024.02.12, online)Windows and MacOS software to work more efficiently (2024.02.12, online)
Windows and MacOS software to work more efficiently (2024.02.12, online)
 
Memory Dump
Memory DumpMemory Dump
Memory Dump
 
Антон Наумович, Система автоматической крэш-аналитики своими средствами
Антон Наумович, Система автоматической крэш-аналитики своими средствамиАнтон Наумович, Система автоматической крэш-аналитики своими средствами
Антон Наумович, Система автоматической крэш-аналитики своими средствами
 
Forensics perspective ERFA-møde marts 2017
 Forensics perspective ERFA-møde marts 2017 Forensics perspective ERFA-møde marts 2017
Forensics perspective ERFA-møde marts 2017
 
Ideal Deployment In .NET World
Ideal Deployment In .NET WorldIdeal Deployment In .NET World
Ideal Deployment In .NET World
 
When using some Sounds and Audio Devices functions you see a message.pdf
When using some Sounds and Audio Devices functions you see a message.pdfWhen using some Sounds and Audio Devices functions you see a message.pdf
When using some Sounds and Audio Devices functions you see a message.pdf
 
Adw cleaner[c0]
Adw cleaner[c0]Adw cleaner[c0]
Adw cleaner[c0]
 
Ankit Phadia Hacking tools (2)
Ankit Phadia Hacking tools (2)Ankit Phadia Hacking tools (2)
Ankit Phadia Hacking tools (2)
 
Batch file programming
Batch file programmingBatch file programming
Batch file programming
 
Get ntdll fixed
Get ntdll fixedGet ntdll fixed
Get ntdll fixed
 
Batch programming and Viruses
Batch programming and VirusesBatch programming and Viruses
Batch programming and Viruses
 

Recently uploaded

Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
panagenda
 

Recently uploaded (20)

AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentation
 
UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overview
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage Intacct
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform Engineering
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Overview of Hyperledger Foundation
Overview of Hyperledger FoundationOverview of Hyperledger Foundation
Overview of Hyperledger Foundation
 
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdfFrisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate Guide
 
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptxCyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
 
How to Check GPS Location with a Live Tracker in Pakistan
How to Check GPS Location with a Live Tracker in PakistanHow to Check GPS Location with a Live Tracker in Pakistan
How to Check GPS Location with a Live Tracker in Pakistan
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
 
WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM Performance
 
Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - Questionnaire
 
Intro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxIntro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptx
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data Science
 
Generative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfGenerative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdf
 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdf
 
Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 Warsaw
 

WannaCry emulation report

  • 1. Malware Report Emulated On: Microsoft Windows XP 32 bit, SP3, Office 2003, Office 2007, Adobe Acrobat Reader 9.0, Adobe Flash Player 9, Java SE 1.6.0 1 1/16 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c… Malicious Activity Detected Type Size MD5 SHA1 exe 3.4 MB 84c82835a5d21bbcf75a61706d8ab549 5ff465afaabcbf0150d1a3ab2c2e74f3a4426467 Download malicious file 22 Files Created 25 Files Modified 4 Files Deleted 33 Affected Files 4 Processes Created 2 Processes Terminated 0 Processes Crashed 4 Affected Processes 13 Entries Set 0 Entries Deleted 13 Affected Registry Keys 4 Suspicious Activities C:WINDOWSsystem32attrib.exe C:WINDOWSsystem32cmd.exe C:WINDOWSsystem32cscript.exe C:te_filestaskdl.exe C:$LogFile C:Documents and SettingsadminDesktop@Please_Read_Me@.txt C:Documents and SettingsadminDesktop@WanaDecryptor@.exe C:Documents and SettingsadminDesktopa glimpse into the future.bm… more Behaves like a known malware ( Generic.MALWARE.1b25 ) Malware activity observed ( Trojan-Ransom.Win32.Wanna.b ) Malware detected ( Gen:Variant.Graftor.369176 ) Malware signature matched ( Trojan-ransom.Win32.Wcry.U.lzpjh ) HKCUSoftwareMicrosoftMultimediaAudio HKCUSoftwareMicrosoftMultimediaAudio Compression Manager HKCUSoftwareMicrosoftMultimediaAudio Compression ManagerMSACM HKCUSoftwareMicrosoftMultimediaAudio Compression ManagerPriority v4.00 more
  • 4. Malware Report Table of Contents 4 4/16 Malware Residues 5-9 Unexpected Activities By Time 10-16
  • 5. Malware Report Malware Residues ( 1 out of 5 ) 5 5/16 Suspicious Activities Behaves like a known malware ( Generic.MALWARE.1b25 ) Malware activity observed ( Trojan-Ransom.Win32.Wanna.b ) Malware detected ( Gen:Variant.Graftor.369176 ) Malware signature matched ( Trojan-ransom.Win32.Wcry.U.lzpjh ) Processes Spawned or Interacted with C:WINDOWSsystem32attrib.exe (Terminated ,Started) C:WINDOWSsystem32cmd.exe (Started) C:WINDOWSsystem32cscript.exe (Started) C:te_filestaskdl.exe (Terminated ,Started) Files Changed C:$LogFile (Modified) C:Documents and SettingsadminDesktop@Please_Read_Me@.txt (Created ,Modified) C:Documents and SettingsadminDesktop@WanaDecryptor@.exe (Created ,Modified) C:Documents and SettingsadminDesktopa glimpse into the future.bmp (Modified) C:Documents and SettingsadminDesktopa glimpse into the future.bmp.WNCRYT (Created ,Modified)
  • 6. Malware Report Malware Residues ( 2 out of 5 ) 6 6/16 Files Changed C:Documents and SettingsadminDesktopconfidential.docx (Modified) C:Documents and SettingsadminDesktopconfidential.docx.WNCRYT (Created ,Modified) C:Documents and SettingsadminDesktopimportant DOCs@Please_Read_Me@.txt (Created ,Modified) C:Documents and SettingsadminDesktopimportant DOCsClassifed.zip (Modified) C:Documents and SettingsadminDesktopimportant DOCsClassifed.zip.WNCRYT (Created ,Modified) C:Documents and SettingsadminDesktopimportant DOCsClassifed@Please_Read_Me@.txt (Created ,Modified) C:Documents and SettingsadminDesktopimportant DOCsClassifeda glimpse.bmp (Modified) C:Documents and SettingsadminDesktopimportant DOCsClassifeda glimpse.bmp.WNCRYT (Created ,Modified) C:Documents and SettingsadminDesktopimportant DOCsClassifedconfidential.docx (Modified) C:Documents and SettingsadminDesktopimportant DOCsClassifedconfidential.docx.WNCRYT (Created ,Modified) C:Documents and SettingsadminDesktopimportant DOCsClassifedroadmap_2021.pptx (Modified)
  • 7. Malware Report Malware Residues ( 3 out of 5 ) 7 7/16 Files Changed C:Documents and SettingsadminDesktopimportant DOCsClassifed~SD3.tmp (Created ,Deleted) C:Documents and SettingsadminDesktopimportant DOCsa glimpse into the future.bmp (Modified) C:Documents and SettingsadminDesktopimportant DOCsa glimpse into the future.bmp.WNCRYT (Created ,Modified) C:Documents and SettingsadminDesktopimportant DOCsconfidential.docx (Modified) C:Documents and SettingsadminDesktopimportant DOCsconfidential.docx.WNCRYT (Created ,Modified) C:Documents and SettingsadminDesktopimportant DOCsroadmap_2021.pptx (Modified) C:Documents and SettingsadminDesktopimportant DOCsroadmap_2021.pptx.WNCRYT (Created ,Modified) C:Documents and SettingsadminDesktopimportant DOCs~SD2.tmp (Created ,Deleted) C:Documents and SettingsadminDesktop~SD1.tmp (Created ,Deleted)
  • 8. Malware Report Malware Residues ( 4 out of 5 ) 8 8/16 Files Changed C:Documents and SettingsadminMy Documentsroadmap_2021.pptx.WNCRYT (Created ,Modified) C:Documents and SettingsadminMy Documents~SD4.tmp (Created ,Deleted) C:te_files219161325495940.bat (Created) C:te_files@WanaDecryptor@.exe (Created) C:te_filestaskdl.exe (Created) C:te_filestaskse.exe (Created) Registry Keys Modified HKCUSoftwareMicrosoftMultimediaAudio (Modified) HKCUSoftwareMicrosoftMultimediaAudio Compression Manager (Modified) HKCUSoftwareMicrosoftMultimediaAudio Compression ManagerMSACM (Modified) HKCUSoftwareMicrosoftMultimediaAudio Compression ManagerPriority v4.00 (Modified) HKCUSoftwareMicrosoftWindows Script HostSettings (Modified) HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerShell Folders (Modified) HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerShell FoldersPersonal (Modified) HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerUser Shell Folders (Modified) HKCUSoftwareMicrosoftWindowsCurrentVersionWinTrustTrust ProvidersSoftware Publishing (Modified) HKLMSOFTWAREMicrosoftCryptographyRNGSeed (Modified)
  • 9. Malware Report Malware Residues ( 5 out of 5 ) 9 9/16 Registry Keys Modified HKLMSOFTWAREMicrosoftWindows Script HostSettings (Modified) HKLMSOFTWAREWanaCrypt0r (Modified) HKLMSOFTWAREWanaCrypt0rwd (Modified)
  • 10. Malware Report Unexpected Activities By Time ( 1 out of 7 ) 10 10/16 Elapsed Time Type Action 00:00:04 Registry Create C:te_filesemulatedFile58511_1.exe Created HKLMSOFTWAREWanaCrypt0r 00:00:04 Registry Set C:te_filesemulatedFile58511_1.exe Set HKLMSOFTWAREWanaCrypt0rwd 00:00:05 File Create C:te_filesemulatedFile58511_1.exe Created C:te_filestaskdl.exe 00:00:05 File Create C:te_filesemulatedFile58511_1.exe Created C:te_filestaskse.exe 00:00:05 Process Creation C:te_filesemulatedFile58511_1.exe Created C:WINDOWSsystem32attrib.exe 00:00:09 Registry Set C:WINDOWSsystem32attrib.exe Set HKLMSOFTWAREMicrosoftCryptographyRNGSeed 00:00:09 Registry Create C:WINDOWSsystem32attrib.exe Created HKCUSoftwareMicrosoftMultimediaAudio 00:00:13 Registry Create C:WINDOWSsystem32attrib.exe Created HKCUSoftwareMicrosoftMultimediaAudio Compression Manager 00:00:13 Registry Create C:WINDOWSsystem32attrib.exe Created HKCUSoftwareMicrosoftMultimediaAudio Compression ManagerMSACM 00:00:13 Registry Create C:WINDOWSsystem32attrib.exe Created HKCUSoftwareMicrosoftMultimediaAudio Compression ManagerPriority v4.00 00:00:17 Process Termination C:te_filesemulatedFile58511_1.exe Terminated C:WINDOWSsystem32attrib.exe 00:00:17 Registry Set C:te_filesemulatedFile58511_1.exe Set HKLMSOFTWAREMicrosoftCryptographyRNGSeed 00:00:19 Process Creation C:te_filesemulatedFile58511_1.exe Created C:te_filestaskdl.exe 00:00:20 Process Termination C:te_filesemulatedFile58511_1.exe Terminated C:te_filestaskdl.exe 00:00:21 Process Creation C:te_filesemulatedFile58511_1.exe Created C:WINDOWSsystem32cmd.exe 00:00:21 File Create C:te_filesemulatedFile58511_1.exe Created C:te_files@WanaDecryptor@.exe 00:00:21 File Create C:te_filesemulatedFile58511_1.exe Created C:te_files219161325495940.bat
  • 11. Malware Report Unexpected Activities By Time ( 2 out of 7 ) 11 11/16 Elapsed Time Type Action 00:00:22 File Create C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminDesktop~SD1.tmp 00:00:22 File Delete C:te_filesemulatedFile58511_1.exe Deleted C:Documents and SettingsadminDesktop~SD1.tmp 00:00:22 File Create C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminDesktopconfidential.docx.WNCRYT 00:00:22 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopconfidential.docx.WNCRYT 00:00:23 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopconfidential.docx 00:00:23 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:$LogFile 00:00:23 File Create C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminDesktop@Please_Read_Me@.txt 00:00:23 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktop@Please_Read_Me@.txt 00:00:23 File Create C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminDesktop@WanaDecryptor@.exe 00:00:23 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktop@WanaDecryptor@.exe 00:00:23 File Create C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminDesktopimportant DOCs~SD2.tmp 00:00:23 File Delete C:te_filesemulatedFile58511_1.exe Deleted C:Documents and SettingsadminDesktopimportant DOCs~SD2.tmp
  • 12. Malware Report Unexpected Activities By Time ( 3 out of 7 )
    Elapsed Time | Type | Action
    00:00:24 | File Create | C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminDesktopimportant DOCsconfidential.docx.WNCRYT
    00:00:24 | File Write | C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopimportant DOCsconfidential.docx.WNCRYT
    00:00:25 | File Write | C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopimportant DOCsconfidential.docx
    00:00:25 | File Create | C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminDesktopimportant DOCsroadmap_2021.pptx.WNCRYT
    00:00:25 | File Write | C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopimportant DOCsroadmap_2021.pptx.WNCRYT
    00:00:25 | Process Creation | C:WINDOWSsystem32cmd.exe Created C:WINDOWSsystem32cscript.exe
    00:00:25 | File Write | C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopimportant DOCsroadmap_2021.pptx
    00:00:25 | File Create | C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminDesktopimportant DOCs@Please_Read_Me@.txt
    00:00:25 | File Write | C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopimportant DOCs@Please_Read_Me@.txt
    00:00:25 | File Create | C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminDesktopimportant DOCsClassifed~SD3.tmp
  • 13. Malware Report Unexpected Activities By Time ( 4 out of 7 )
    Elapsed Time | Type | Action
    00:00:25 | File Delete | C:te_filesemulatedFile58511_1.exe Deleted C:Documents and SettingsadminDesktopimportant DOCsClassifed~SD3.tmp
    00:00:25 | File Create | C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminDesktopimportant DOCsClassifedconfidential.docx.WNCRYT
    00:00:25 | File Write | C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopimportant DOCsClassifedconfidential.docx.WNCRYT
    00:00:25 | File Write | C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopimportant DOCsClassifedconfidential.docx
    00:00:25 | Registry Set | C:WINDOWSsystem32cscript.exe Set HKLMSOFTWAREMicrosoftCryptographyRNGSeed
    00:00:26 | Registry Create | C:WINDOWSsystem32cscript.exe Created HKCUSoftwareMicrosoftMultimediaAudio
    00:00:28 | Registry Create | C:WINDOWSsystem32cscript.exe Created HKCUSoftwareMicrosoftMultimediaAudio Compression Manager
    00:00:29 | Registry Create | C:WINDOWSsystem32cscript.exe Created HKCUSoftwareMicrosoftMultimediaAudio Compression ManagerMSACM
    00:00:29 | Registry Create | C:WINDOWSsystem32cscript.exe Created HKCUSoftwareMicrosoftMultimediaAudio Compression ManagerPriority v4.00
    00:00:29 | File Create | C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminDesktopimportant DOCsClassifedroadmap_2021.pptx.WNCRYT
    00:00:29 | File Write | C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopimportant DOCsClassifedroadmap_2021.pptx.WNCRYT
  • 14. Malware Report Unexpected Activities By Time ( 5 out of 7 )
    Elapsed Time | Type | Action
    00:00:31 | Registry Create | C:WINDOWSsystem32cscript.exe Created HKLMSOFTWAREMicrosoftWindows Script HostSettings
    00:00:31 | Registry Create | C:WINDOWSsystem32cscript.exe Created HKCUSoftwareMicrosoftWindows Script HostSettings
    00:00:31 | File Write | C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopimportant DOCsClassifedroadmap_2021.pptx
    00:00:32 | File Create | C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminDesktopimportant DOCsClassifed@Please_Read_Me@.txt
    00:00:32 | File Write | C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopimportant DOCsClassifed@Please_Read_Me@.txt
    00:00:33 | File Create | C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminDesktopimportant DOCsClassifed.zip.WNCRYT
    00:00:33 | File Write | C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopimportant DOCsClassifed.zip.WNCRYT
    00:00:34 | File Write | C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopimportant DOCsClassifed.zip
    00:00:34 | File Create | C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminDesktopa glimpse into the future.bmp.WNCRYT
    00:00:34 | File Write | C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopa glimpse into the future.bmp.WNCRYT
  • 15. Malware Report Unexpected Activities By Time ( 6 out of 7 )
    Elapsed Time | Type | Action
    00:00:36 | File Write | C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopa glimpse into the future.bmp
    00:00:36 | File Create | C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminDesktopimportant DOCsa glimpse into the future.bmp.WNCRYT
    00:00:36 | File Write | C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopimportant DOCsa glimpse into the future.bmp.WNCRYT
    00:00:36 | File Write | C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopimportant DOCsa glimpse into the future.bmp
    00:00:36 | File Create | C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminDesktopimportant DOCsClassifeda glimpse.bmp.WNCRYT
    00:00:36 | File Write | C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopimportant DOCsClassifeda glimpse.bmp.WNCRYT
    00:00:36 | File Write | C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopimportant DOCsClassifeda glimpse.bmp
    00:00:36 | Registry Create | C:te_filesemulatedFile58511_1.exe Created HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerUser Shell Folders
    00:00:36 | Registry Create | C:te_filesemulatedFile58511_1.exe Created HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerShell Folders
    00:00:37 | Registry Set | C:te_filesemulatedFile58511_1.exe Set HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerShell FoldersPersonal
    00:00:37 | File Create | C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminMy Documents~SD4.tmp
    00:00:37 | File Delete | C:te_filesemulatedFile58511_1.exe Deleted C:Documents and SettingsadminMy Documents~SD4.tmp
    00:00:37 | File Create | C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminMy Documentsroadmap_2021.pptx.WNCRYT
    00:00:37 | File Write | C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminMy Documentsroadmap_2021.pptx.WNCRYT
  • 16. Malware Report Unexpected Activities By Time ( 7 out of 7 )
    Elapsed Time | Type | Action
    00:00:37 | Registry Create | C:WINDOWSsystem32cscript.exe Created HKCUSoftwareMicrosoftWindowsCurrentVersionWinTrustTrust ProvidersSoftware Publishing
    00:00:39 | File Write | C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminMy Documentsroadmap_2021.pptx