WannaCry

Key behaviors
Behavior: Modify registry (desktop wallpaper registry value)
Details: \REGISTRY\USER\S-\Control Panel\Desktop\Wallpaper
Behavior: Set special folder attributes
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana
C:\DiskD\$RECYCLE
Behavior: Create files on the desktop
Details: C:\Documents and Settings\Administrator\桌面\~SD51.tmp
C:\Documents and Settings\Administrator\桌面\money.doc.WNCRYT
C:\Documents and Settings\Administrator\桌面\@Please_Read_Me@.txt
C:\Documents and Settings\Administrator\桌面\@WanaDecryptor@.exe
C:\Documents and Settings\Administrator\桌面\@WanaDecryptor@.bmp
C:\Documents and Settings\All Users\桌面\~SD55.tmp
C:\Documents and Settings\Default User\桌面\~SD56.tmp
C:\Documents and Settings\root\桌面\~SD57.tmp
Behavior: Get TickCount value
Details: TickCount = 5475593, SleepMilliseconds = 30000.
Behavior: Block window close message
Details: hWnd = 0x0008036e, Text = Wana Decrypt0r 2.0, ClassName = #32770.
hWnd = 0x00210324, Text = Wana Decrypt0r 2.0, ClassName = #32770.
Process behaviors
Behavior: Create process with hidden window
Details: ImagePath = , CmdLine = attrib +h .
ImagePath = , CmdLine = icacls . /grant Everyone:F /T /C /Q
ImagePath = , CmdLine = taskdl.exe
ImagePath = , CmdLine = taskse.exe C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\@WanaDecryptor@.exe
ImagePath = , CmdLine = attrib +h +s D:\$RECYCLE
Behavior: Create process
Details: [0x00000d4c]ImagePath = C:\WINDOWS\system32\attrib.exe, CmdLine = attrib +h .
[0x00000d64]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\taskdl.exe, CmdLine = taskdl.exe
[0x00000d7c]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\taskse.exe, CmdLine = taskse.exe C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\@WanaDecryptor@.exe
[0x00000d88]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\@WanaDecryptor@.exe, CmdLine = @WanaDecryptor@.exe
[0x00000d90]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\taskdl.exe, CmdLine = taskdl.exe
[0x00000d98]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\taskse.exe, CmdLine = taskse.exe C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\@WanaDecryptor@.exe
[0x00000da4]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\@WanaDecryptor@.exe, CmdLine = @WanaDecryptor@.exe
[0x00000db0]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\taskdl.exe, CmdLine = taskdl.exe
[0x00000db8]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\taskse.exe, CmdLine = taskse.exe C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\@WanaDecryptor@.exe
[0x00000dc0]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\@WanaDecryptor@.exe, CmdLine = @WanaDecryptor@.exe
[0x00000dcc]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\taskdl.exe, CmdLine = taskdl.exe
[0x00000dd4]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\taskse.exe, CmdLine = taskse.exe C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\@WanaDecryptor@.exe
[0x00000de8]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\@WanaDecryptor@.exe, CmdLine = @WanaDecryptor@.exe
[0x00000df4]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\taskse.exe, CmdLine = taskse.exe C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\@WanaDecryptor@.exe
[0x00000dfc]ImagePath = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\taskdl.exe, CmdLine = taskdl.exe
Behavior: Create local thread
Details: TargetProcess: tasksche.exe, InheritedFromPID = 1944, ProcessID = 3328, ThreadID = 3412, StartAddress = 10004790, Parameter = 00000000
TargetProcess: tasksche.exe, InheritedFromPID = 1944, ProcessID = 3328, ThreadID = 3416, StartAddress = 100045C0, Parameter = 00000000
TargetProcess: tasksche.exe, InheritedFromPID = 1944, ProcessID = 3328, ThreadID = 3420, StartAddress = 10005730, Parameter = 00000000
TargetProcess: tasksche.exe, InheritedFromPID = 1944, ProcessID = 3328, ThreadID = 3424, StartAddress = 10005300, Parameter = 00000000
TargetProcess: tasksche.exe, InheritedFromPID = 1944, ProcessID = 3328, ThreadID = 3436, StartAddress = 10004990, Parameter = 00000000
TargetProcess: tasksche.exe, InheritedFromPID = 1944, ProcessID = 3328, ThreadID = 3460, StartAddress = 100029E0, Parameter = 0012ECCC
TargetProcess: @WanaDecryptor@.exe, InheritedFromPID = 3328, ProcessID = 3464, ThreadID = 3488, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: @WanaDecryptor@.exe, InheritedFromPID = 3328, ProcessID = 3492, ThreadID = 3528, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: @WanaDecryptor@.exe, InheritedFromPID = 3328, ProcessID = 3520, ThreadID = 3564, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: @WanaDecryptor@.exe, InheritedFromPID = 3328, ProcessID = 3560, ThreadID = 3600, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: @WanaDecryptor@.exe, InheritedFromPID = 3328, ProcessID = 3588, ThreadID = 3680, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: @WanaDecryptor@.exe, InheritedFromPID = 3328, ProcessID = 3644, ThreadID = 3696, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: @WanaDecryptor@.exe, InheritedFromPID = 3328, ProcessID = 3692, ThreadID = 3740, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: @WanaDecryptor@.exe, InheritedFromPID = 3328, ProcessID = 3724, ThreadID = 3776, StartAddress = 77DC845A, Parameter = 00000000
TargetProcess: @WanaDecryptor@.exe, InheritedFromPID = 3328, ProcessID = 3752, ThreadID = 3876, StartAddress = 77DC845A, Parameter = 00000000
File behaviors
Behavior: Create file
Details: C:\Documents and Settings\Administrator\My Documents\~SD52.tmp
C:\Documents and Settings\Administrator\My Documents\money.doc.WNCRYT
C:\Documents and Settings\Administrator\My Documents\@Please_Read_Me@.txt
C:\Documents and Settings\Administrator\My Documents\@WanaDecryptor@.exe
C:\Documents and Settings\Administrator\My Documents\My Music\~SD53.tmp
C:\Documents and Settings\Administrator\My Documents\My Pictures\~SD54.tmp
C:\Documents and Settings\All Users\Documents\~SD58.tmp
C:\Documents and Settings\All Users\Documents\My Music\~SD59.tmp
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\~SD5A.tmp
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0006B2C8\~SD5B.tmp
C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\~SD5C.tmp
C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\0006B2C8\~SD5D.tmp
C:\Documents and Settings\All Users\Documents\My Music\我的播放列表\~SD5E.tmp
C:\Documents and Settings\All Users\Documents\My Pictures\~SD5F.tmp
C:\Documents and Settings\All Users\Documents\Tencent\~SD60.tmp
Behavior: Create executable file
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\taskdl.exe
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\taskse.exe
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\u.wnry
C:\Documents and Settings\Administrator\桌面\@WanaDecryptor@.exe
C:\Documents and Settings\Administrator\My Documents\@WanaDecryptor@.exe
C:\@WanaDecryptor@.exe
C:\222c25ed\@WanaDecryptor@.exe
C:\222c25ed\IE8-Setup-Full\@WanaDecryptor@.exe
C:\Documents and Settings\Administrator\@WanaDecryptor@.exe
Behavior: Overwrite existing file
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\b.wnry
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\msg\m_bulgarian.wnry
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\msg\m_chinese (simplified).wnry
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\msg\m_chinese (traditional).wnry
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\msg\m_croatian.wnry
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\msg\m_czech.wnry
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\msg\m_danish.wnry
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\msg\m_dutch.wnry
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\msg\m_english.wnry
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\msg\m_filipino.wnry
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\msg\m_finnish.wnry
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\msg\m_french.wnry
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\msg\m_german.wnry
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\msg\m_greek.wnry
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\msg\m_indonesian.wnry
Behavior: Search for files
Details: FileName = C:\WINDOWS
FileName = C:\WINDOWS\system32
FileName = C:\WINDOWS\system32\attrib.exe
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana
FileName = C:\Documents and Settings\Administrator\Local Settings\Temp
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\taskdl.exe
FileName = C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\taskse.exe
FileName = X:\$RECYCLE\*.WNCRYT
FileName = H:\$RECYCLE\*.WNCRYT
FileName = D:\$RECYCLE\*.WNCRYT
FileName = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\*.WNCRYT
FileName = C:\Documents and Settings\Administrator\桌面\*
FileName = C:\Documents and Settings\Administrator\My Documents\*
Behavior: Copy file
Details: @Please_Read_Me@.txt ---> C:\Documents and Settings\Administrator\桌面\@Please_Read_Me@.txt
@WanaDecryptor@.exe ---> C:\Documents and Settings\Administrator\桌面\@WanaDecryptor@.exe
b.wnry ---> C:\Documents and Settings\Administrator\桌面\@WanaDecryptor@.bmp
@Please_Read_Me@.txt ---> C:\Documents and Settings\Administrator\My Documents\@Please_Read_Me@.txt
@WanaDecryptor@.exe ---> C:\Documents and Settings\Administrator\My Documents\@WanaDecryptor@.exe
@Please_Read_Me@.txt ---> C:\@Please_Read_Me@.txt
@WanaDecryptor@.exe ---> C:\@WanaDecryptor@.exe
@Please_Read_Me@.txt ---> C:\222c25ed\@Please_Read_Me@.txt
@WanaDecryptor@.exe ---> C:\222c25ed\@WanaDecryptor@.exe
@Please_Read_Me@.txt ---> C:\222c25ed\IE8-Setup-Full\@Please_Read_Me@.txt
@WanaDecryptor@.exe ---> C:\222c25ed\IE8-Setup-Full\@WanaDecryptor@.exe
@Please_Read_Me@.txt ---> C:\Documents and Settings\Administrator\@Please_Read_Me@.txt
@WanaDecryptor@.exe ---> C:\Documents and Settings\Administrator\@WanaDecryptor@.exe
Behavior: Delete file
Details: C:\Documents and Settings\Administrator\桌面\~SD51.tmp
C:\Documents and Settings\Administrator\My Documents\~SD52.tmp
C:\Documents and Settings\Administrator\My Documents\My Music\~SD53.tmp
C:\Documents and Settings\Administrator\My Documents\My Pictures\~SD54.tmp
C:\Documents and Settings\All Users\桌面\~SD55.tmp
C:\Documents and Settings\Default User\桌面\~SD56.tmp
C:\Documents and Settings\root\桌面\~SD57.tmp
C:\Documents and Settings\All Users\Documents\~SD58.tmp
C:\Documents and Settings\All Users\Documents\My Music\~SD59.tmp
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\~SD5A.tmp
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0006B2C8\~SD5B.tmp
C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\~SD5C.tmp
C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\0006B2C8\~SD5D.tmp
C:\Documents and Settings\All Users\Documents\My Music\我的播放列表\~SD5E.tmp
C:\Documents and Settings\All Users\Documents\My Pictures\~SD5F.tmp
Behavior: Create files on the desktop
Details: C:\Documents and Settings\Administrator\桌面\~SD51.tmp
C:\Documents and Settings\Administrator\桌面\money.doc.WNCRYT
C:\Documents and Settings\Administrator\桌面\@Please_Read_Me@.txt
C:\Documents and Settings\Administrator\桌面\@WanaDecryptor@.exe
C:\Documents and Settings\Administrator\桌面\@WanaDecryptor@.bmp
C:\Documents and Settings\All Users\桌面\~SD55.tmp
C:\Documents and Settings\Default User\桌面\~SD56.tmp
C:\Documents and Settings\root\桌面\~SD57.tmp
Behavior: Rename file
Details: C:\Documents and Settings\Administrator\桌面\money.doc.WNCRYT ---> C:\Documents and Settings\Administrator\桌面\money.doc.WNCRY
C:\Documents and Settings\Administrator\My Documents\money.doc.WNCRYT ---> C:\Documents and Settings\Administrator\My Documents\money.doc.WNCRY
C:\eula.2052.txt.WNCRYT ---> C:\eula.2052.txt.WNCRY
C:\money.doc.WNCRYT ---> C:\money.doc.WNCRY
C:\eula.2052.txt ---> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\3.WNCRYT
C:\Documents and Settings\Administrator\money.doc.WNCRYT ---> C:\Documents and Settings\Administrator\money.doc.WNCRY
Behavior: Set special folder attributes
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana
C:\DiskD\$RECYCLE
Behavior: Modify file contents
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\b.wnry ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\b.wnry ---> Offset = 16384
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\b.wnry ---> Offset = 32768
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\b.wnry ---> Offset = 49152
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\b.wnry ---> Offset = 65536
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\msg\m_bulgarian.wnry ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\msg\m_bulgarian.wnry ---> Offset = 16384
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\msg\m_bulgarian.wnry ---> Offset = 32768
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\msg\m_chinese (simplified).wnry ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\msg\m_chinese (simplified).wnry ---> Offset = 16384
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\msg\m_chinese (simplified).wnry ---> Offset = 32768
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\msg\m_chinese (simplified).wnry ---> Offset = 49152
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\msg\m_chinese (traditional).wnry ---> Offset = 0
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\msg\m_chinese (traditional).wnry ---> Offset = 16384
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\msg\m_chinese (traditional).wnry ---> Offset = 32768
Registry behaviors
Behavior: Modify registry
Details: \REGISTRY\MACHINE\SOFTWARE\WanaCrypt0r\wd
Behavior: Modify registry (desktop wallpaper registry value)
Details: \REGISTRY\USER\S-\Control Panel\Desktop\Wallpaper
Behavior: Modify registry (pending file rename operations)
Details: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Session Manager\PendingFileRenameOperations
Other behaviors
Behavior: Create mutex
Details: MsWinZonesCacheCounterMutexA
Global\MsWinZonesCacheCounterMutexA0
CTF.LBES.MutexDefaultS-
CTF.Compart.MutexDefaultS-
CTF.Asm.MutexDefaultS-
CTF.Layouts.MutexDefaultS-
CTF.TMD.MutexDefaultS-
CTF.TimListCache.FMPDefaultS-MUTEX.DefaultS-
MSCTF.Shared.MUTEX.ELH
MSCTF.Shared.MUTEX.IKN
Behavior: Create event object
Details: EventName = Global\userenv: User Profile setup event
EventName = MSCTF.SendReceive.Event.IKN.IC
EventName = MSCTF.SendReceiveConection.Event.IKN.IC
Behavior: Find specified window
Details: NtUserFindWindowEx: [Class,Window] = [,Wana Decrypt0r 2.0]
NtUserFindWindowEx: [Class,Window] = [Shell_TrayWnd,]
NtUserFindWindowEx: [Class,Window] = [CicLoaderWndClass,]
Behavior: Open event
Details: HookSwitchHookEnabledEvent
\SECURITY\LSA_AUTHENTICATION_INITIALIZED
CTF.ThreadMIConnectionEvent.000007B4.00000000.00000053
CTF.ThreadMarshalInterfaceEvent.000007B4.00000000.00000053
MSCTF.SendReceiveConection.Event.ELH.IC
MSCTF.SendReceive.Event.ELH.IC
CTF.ThreadMIConnectionEvent.000007B4.00000000.00000055
CTF.ThreadMarshalInterfaceEvent.000007B4.00000000.00000055
Behavior: Get TickCount value
Details: TickCount = 5475593, SleepMilliseconds = 30000.
Behavior: Adjust process token privileges
Details: SE_TCB_PRIVILEGE
Behavior: Block window close message
Details: hWnd = 0x0008036e, Text = Wana Decrypt0r 2.0, ClassName = #32770.
hWnd = 0x00210324, Text = Wana Decrypt0r 2.0, ClassName = #32770.
Behavior: Window information
Details: Pid = 3492, Hwnd=0x130334, Text = 00:00:00:00, ClassName = Static.
Pid = 3492, Hwnd=0x2902f0, Text = 00:00:00:00, ClassName = Static.
Pid = 3492, Hwnd=0x703bc, Text = Check &Payment, ClassName = Button.
Pid = 3492, Hwnd=0x503de, Text = &Decrypt, ClassName = Button.
Pid = 3492, Hwnd=0x13035e, Text = What Happened to My Computer? Your important files are encrypted. Many of your documents, photos, videos, databases and other fi, ClassName = RICHEDIT.
Pid = 3492, Hwnd=0x1502c8, Text = 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw, ClassName = Edit.
Pid = 3492, Hwnd=0x903a2, Text = Copy, ClassName = Button.
Pid = 3492, Hwnd=0xa03c4, Text = QR Code, ClassName = Static.
Pid = 3492, Hwnd=0x50374, Text = About bitcoin, ClassName = Static.
Pid = 3492, Hwnd=0x8038c, Text = How to buy bitcoins?, ClassName = Static.
Pid = 3492, Hwnd=0x1203a8, Text = Contact Us, ClassName = Static.
Pid = 3492, Hwnd=0x703aa, Text = Ooops, your files have been encrypted!, ClassName = Static.
Pid = 3492, Hwnd=0x1e02ce, Text = Your files will be lost on, ClassName = Static.
Pid = 3492, Hwnd=0x1402f2, Text = 5/19/2017 21:39:18, ClassName = Static.
Pid = 3492, Hwnd=0xe0316, Text = Progress1, ClassName = msctls_progress32.
Behavior: Executable signature information
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\taskdl.exe (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\taskse.exe (signature verification: failed)
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\u.wnry (signature verification: failed)
C:\Documents and Settings\Administrator\桌面\@WanaDecryptor@.exe (signature verification: failed)
C:\Documents and Settings\Administrator\My Documents\@WanaDecryptor@.exe (signature verification: failed)
C:\@WanaDecryptor@.exe (signature verification: failed)
C:\222c25ed\@WanaDecryptor@.exe (signature verification: failed)
C:\222c25ed\IE8-Setup-Full\@WanaDecryptor@.exe (signature verification: failed)
C:\Documents and Settings\Administrator\@WanaDecryptor@.exe (signature verification: failed)
Behavior: Call Sleep function
Details: [1]: MilliSeconds = 100.
[2]: MilliSeconds = 1000.
[3]: MilliSeconds = 100.
[4]: MilliSeconds = 5000.
[5]: MilliSeconds = 100.
[6]: MilliSeconds = 3000.
[7]: MilliSeconds = 1000.
[8]: MilliSeconds = 100.
[9]: MilliSeconds = 5000.
[10]: MilliSeconds = 100.
Behavior: Hide specified window
Details: [Window,Class] = [,ComboLBox]
[Window,Class] = [Wana Decrypt0r 2.0,#32770]
Behavior: Executable MD5
Details: C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\taskdl.exe ---> 4fef5e34143e646dbf9907c4374276f5
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\taskse.exe ---> 8495400f199ac77853c53b5a3f278f3e
C:\Documents and Settings\Administrator\Local Settings\%temp%\****.exe_7zdump\Wana\u.wnry ---> 7bf2b57f2a205768755c07f238fb32cc
C:\Documents and Settings\Administrator\桌面\@WanaDecryptor@.exe ---> 7bf2b57f2a205768755c07f238fb32cc
C:\Documents and Settings\Administrator\My Documents\@WanaDecryptor@.exe ---> 7bf2b57f2a205768755c07f238fb32cc
C:\@WanaDecryptor@.exe ---> 7bf2b57f2a205768755c07f238fb32cc
C:\222c25ed\@WanaDecryptor@.exe ---> 7bf2b57f2a205768755c07f238fb32cc
C:\222c25ed\IE8-Setup-Full\@WanaDecryptor@.exe ---> 7bf2b57f2a205768755c07f238fb32cc
C:\Documents and Settings\Administrator\@WanaDecryptor@.exe ---> 7bf2b57f2a205768755c07f238fb32cc
Behavior: Open mutex
Details: ShimCacheMutex
Global\MsWinZonesCacheCounterMutexW