WannaCryptor Sample Exhibiting EternalBlue-Style Network Propagation


Zero‑Dwell Threat Intelligence Report

A narrative, executive‑ready view into the malware’s behavior, exposure, and reliable defenses.
Generated: 2025-12-04 08:26:35 UTC

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File
gih0gzca0.exe
Type
Win32 Executable MS Visual C++ (generic)
SHA‑1
93a6ba9bd61df6b8657a1ea1526454223759a497
MD5
b77b031eb1bc3c07a690d4712a29379b
First Seen
2025-12-01 14:07:31.636414
Last Analysis
2025-12-01 21:28:47.119407
Dwell Time
0 days, 7 hours, 33 minutes

Extended Dwell Time Impact

For 7+ hours, this malware remained undetected — a several-hour window that allowed the adversary to complete initial compromise and begin early-stage persistence establishment.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case represents rapid detection and containment within hours rather than days.

Timeline

Time (UTC) Event Elapsed
2025-10-10 13:53:02 UTC First VirusTotal submission
2025-12-03 21:11:44 UTC Latest analysis snapshot 54 days, 7 hours, 18 minutes
2025-12-04 08:26:35 UTC Report generation time 54 days, 18 hours, 33 minutes

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 65. Missed: 8. Coverage: 89.0%.

Detected Vendors

  • Xcitium
  • +64 additional vendors (names not provided)

List includes Xcitium plus an additional 64 vendors per the provided summary.

Missed Vendors

  • Acronis
  • CMC
  • Google
  • google_safebrowsing
  • SUPERAntiSpyware
  • TACHYON
  • VirIT
  • Zoner

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Intensive file system activity (62.93% of behavior) indicates data harvesting, file encryption, or dropper behavior. The threat is actively searching for and manipulating files across the system.

Behavior Categories (weighted)

Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.

Category Weight Percentage
File System 29864 62.93%
System 12362 26.05%
Registry 3680 7.75%
Crypto 901 1.90%
Process 384 0.81%
Misc 85 0.18%
Network 51 0.11%
Device 40 0.08%
Hooking 27 0.06%
Threading 26 0.05%
Com 17 0.04%
Synchronization 11 0.02%
Windows 4 0.01%
Services 4 0.01%
__Notification__ 1 0.00%

MITRE ATT&CK Mapping

  • T1083 – check if file exists
  • T1082 – get hostname
  • T1027 – reference AES constants
  • T1027 – encrypt data using AES
  • T1129 – link many functions at runtime
  • T1543.003 – create service
  • T1569.002 – create service
  • T1543.003 – persist via Windows service
  • T1569.002 – persist via Windows service
  • T1012 – query or enumerate registry value
  • T1129 – link function at runtime on Windows
  • T1222 – set file attributes
  • T1083 – get file size
  • T1543.003 – start service
  • T1083 – get common file path
  • T1027 – encode data using XOR
  • T1027 – encrypt data using RC4 KSA
  • T1129 – parse PE header

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Contacted Domains

Domain IP Country ASN/Org
13.248.169.48 Amazon Technologies Inc.
www.msftncsi.com 23.200.3.18 United States Akamai Technologies, Inc.
dist.torproject.org 116.202.120.166 Germany The Tor Project

Observed IPs

IP Country ASN/Org
224.0.0.252
239.255.255.250
8.8.4.4 United States Google LLC
8.8.8.8 Google LLC

DNS Queries

Request Type
5isohu.com A
www.msftncsi.com A
www.aieov.com A
dist.torproject.org A

Contacted IPs

IP Country ASN/Org
224.0.0.252
239.255.255.250
8.8.4.4 United States Google LLC
8.8.8.8 Google LLC

Port Distribution

Port Count Protocols
137 1 udp
5355 5 udp
53 64 udp
3702 1 udp

UDP Packets

Source IP Dest IP Sport Dport Time Proto
192.168.56.11 192.168.56.255 137 137 8.32158613204956 udp
192.168.56.11 224.0.0.252 49563 5355 8.458757162094116 udp
192.168.56.11 224.0.0.252 51690 5355 12.510980129241943 udp
192.168.56.11 224.0.0.252 54650 5355 8.460438013076782 udp
192.168.56.11 224.0.0.252 55601 5355 11.321628093719482 udp
192.168.56.11 224.0.0.252 60205 5355 9.14637017250061 udp
192.168.56.11 239.255.255.250 62184 3702 9.396624088287354 udp
192.168.56.11 8.8.4.4 50586 53 184.22455716133118 udp
192.168.56.11 8.8.4.4 51569 53 220.5054051876068 udp
192.168.56.11 8.8.4.4 51628 53 63.39663314819336 udp
192.168.56.11 8.8.4.4 51663 53 92.50552701950073 udp
192.168.56.11 8.8.4.4 51880 53 110.77185702323914 udp
192.168.56.11 8.8.4.4 51899 53 11.904967069625854 udp
192.168.56.11 8.8.4.4 52464 53 169.412348985672 udp
192.168.56.11 8.8.4.4 53480 53 125.25542902946472 udp
192.168.56.11 8.8.4.4 54684 53 154.97434520721436 udp
192.168.56.11 8.8.4.4 54823 53 206.11530208587646 udp
192.168.56.11 8.8.4.4 55183 53 187.3969931602478 udp
192.168.56.11 8.8.4.4 56007 53 217.14599514007568 udp
192.168.56.11 8.8.4.4 56213 53 27.349430084228516 udp
192.168.56.11 8.8.4.4 56473 53 60.02082109451294 udp
192.168.56.11 8.8.4.4 56666 53 121.95856714248657 udp
192.168.56.11 8.8.4.4 58090 53 140.08394598960876 udp
192.168.56.11 8.8.4.4 58800 53 172.78676319122314 udp
192.168.56.11 8.8.4.4 58917 53 45.099961042404175 udp
192.168.56.11 8.8.4.4 59770 53 30.708991050720215 udp
192.168.56.11 8.8.4.4 59945 53 231.59921503067017 udp
192.168.56.11 8.8.4.4 60054 53 136.34902501106262 udp
192.168.56.11 8.8.4.4 60141 53 235.55214500427246 udp
192.168.56.11 8.8.4.4 60334 53 74.39658498764038 udp
192.168.56.11 8.8.4.4 61467 53 202.52090907096863 udp
192.168.56.11 8.8.4.4 61507 53 77.88058304786682 udp
192.168.56.11 8.8.4.4 62120 53 88.92747521400452 udp
192.168.56.11 8.8.4.4 62329 53 41.70855212211609 udp
192.168.56.11 8.8.4.4 62798 53 11.904826164245605 udp
192.168.56.11 8.8.4.4 63439 53 15.333256006240845 udp
192.168.56.11 8.8.4.4 63550 53 107.4277241230011 udp
192.168.56.11 8.8.4.4 64563 53 158.34924507141113 udp
192.168.56.11 8.8.8.8 49299 53 245.95553517341614 udp
192.168.56.11 8.8.8.8 50586 53 183.23059821128845 udp
192.168.56.11 8.8.8.8 51569 53 219.50624299049377 udp
192.168.56.11 8.8.8.8 51628 53 62.408841133117676 udp
192.168.56.11 8.8.8.8 51663 53 91.51149606704712 udp
192.168.56.11 8.8.8.8 51880 53 109.7743752002716 udp
192.168.56.11 8.8.8.8 51899 53 12.895963191986084 udp
192.168.56.11 8.8.8.8 52464 53 168.42306113243103 udp
192.168.56.11 8.8.8.8 53480 53 124.26422715187073 udp
192.168.56.11 8.8.8.8 54684 53 153.98919010162354 udp
192.168.56.11 8.8.8.8 54823 53 205.12564516067505 udp
192.168.56.11 8.8.8.8 55183 53 186.40449404716492 udp
192.168.56.11 8.8.8.8 56007 53 216.15310621261597 udp
192.168.56.11 8.8.8.8 56213 53 26.360722064971924 udp
192.168.56.11 8.8.8.8 56473 53 59.03382205963135 udp
192.168.56.11 8.8.8.8 56666 53 120.97096014022827 udp
192.168.56.11 8.8.8.8 58090 53 139.09321403503418 udp
192.168.56.11 8.8.8.8 58800 53 171.79258608818054 udp
192.168.56.11 8.8.8.8 58917 53 44.099534034729004 udp
192.168.56.11 8.8.8.8 59770 53 29.70967411994934 udp
192.168.56.11 8.8.8.8 59945 53 230.60404300689697 udp
192.168.56.11 8.8.8.8 60054 53 135.35890412330627 udp
192.168.56.11 8.8.8.8 60141 53 234.55460619926453 udp
192.168.56.11 8.8.8.8 60334 53 73.39946103096008 udp
192.168.56.11 8.8.8.8 61332 53 246.58903312683105 udp
192.168.56.11 8.8.8.8 61467 53 201.53014516830444 udp
192.168.56.11 8.8.8.8 61507 53 76.89330315589905 udp
192.168.56.11 8.8.8.8 62120 53 87.93854999542236 udp
192.168.56.11 8.8.8.8 62329 53 40.71128010749817 udp
192.168.56.11 8.8.8.8 62798 53 12.895974159240723 udp
192.168.56.11 8.8.8.8 63439 53 16.31858801841736 udp
192.168.56.11 8.8.8.8 63550 53 106.43527698516846 udp
192.168.56.11 8.8.8.8 64563 53 157.35894918441772 udp

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.

Persistence & Policy — Registry and Services

Registry and service telemetry points to policy awareness and environment reconnaissance rather than noisy persistence. Below is a compact view of the most relevant keys and handles; expand to see the full lists where available.

Registry Opened

143

Registry Set

13

Services Started

0

Services Opened

0

Registry Opened (Top 25)

Key
52-54-00-75-e2-ef\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BUFFERBREAKING_818408
System\CurrentControlSet\Control\SecurityProviders\Schannel\UserContextLockCount
Software\Microsoft\Windows Script Host\Settings\DisplayLogo
52-54-00-75-e2-ef\WpadDetectedUrl
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameMerging
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\ProcessID
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
HKEY_CLASSES_ROOT\VBSFile\ScriptEngine
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RETURN_FAILED_CONNECT_CONTENT_KB942615
Software\Microsoft\Windows Script Host\Settings\Timeout
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck
HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\https
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\Software\Policies
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\RETRY_HEADERONLYPOST_ONCONNECTIONRESET
HKEY_LOCAL_MACHINE\Software\Microsoft\OleAut
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_EXCLUDE_INVALID_CLIENT_CERT_KB929477
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHOW_CERT_WARNINGS_ON_POST_FROM_ISTREAM_KB2894776
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\EnablePrivateObjectHeap
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main
HKEY_LOCAL_MACHINE\System\Setup\SystemSetupInProgress
52-54-00-75-e2-ef\WpadDecision
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DIGEST_NO_EXTRAS_IN_URI
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PASSPORT_SESSION_STORE_KB948608
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SKIP_POST_RETRY_ON_INTERNETWRITEFILE_KB895954
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PROXY_CACHE_REFRESH_KB2983228
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALWAYS_USE_DNS_FOR_SPN_KB3022771
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttp1_1
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F4D1AA67-346C-4D8D-BF3A-D3A8BAF56563}
Show all (143 total)
Key
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_FIX_CHUNKED_PROXY_SCRIPT_DOWNLOAD_KB843289
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\ContextLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\Enabled
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
52-54-00-75-e2-ef\WpadDhcp
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_WEAK_ENCRYPTION
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\UseWINSAFER
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Parental Controls\users\S-1-5-21-4270068108-2931534202-3907561125-1001
52-54-00-75-e2-ef\WpadDns
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONES_CHECK_ZONEMAP_POLICY_KB941001
HKEY_LOCAL_MACHINE\Software\WanaCrypt0r
HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\*
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\Schannel
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM\Log File Max Size
HKEY_CLASSES_ROOT\VBSFile\ScriptEngine\0x0
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F4D1AA67-346C-4D8D-BF3A-D3A8BAF56563}\52-54-00-75-e2-ef
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\LogSecuritySuccesses
52-54-00-75-e2-ef\WpadDecisionReason
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM\Logging
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISALLOW_NULL_IN_RESPONSE_HEADERS
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\UrlMon Settings
HKEY_LOCAL_MACHINE\System\Setup
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_CURRENT_USER\Software
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CLIENTAUTHCERTFILTER
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCH_SEND_AUX_RECORD_KB_2618444
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\TabProcGrowth
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Pre Platform
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\PeerDist\Service
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_MAPPINGS_FOR_CREDPOLICY
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\ObjectLimit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadOverride
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_URLMON_IQDA_SIZE
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_UTF8_FOR_BASIC_AUTH_KB967545
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_FILEPROTOCOL_NOFINDFIRST_KB947853
HKEY_LOCAL_MACHINE\Software\Microsoft\DownloadManager
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols
HKEY_CLASSES_ROOT\.vbs\0x0
HKEY_CURRENT_USER\SOFTWARE\Classes\PROTOCOLS\Filter\text/xml
System\CurrentControlSet\Control\SecurityProviders\Schannel\UserContextListCount
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BYPASS_CACHE_FOR_CREDPOLICY_KB936611
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttp1_1
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadExpirationDays
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_CNAME_FOR_SPN_KB911149
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NOTIFY_UNVERIFIED_SPN_KB2385266
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\AdminTabProcs
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\IdentifierLimit
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_COMPAT_USE_CONNECTION_BASED_NEGOTIATE_AUTH_KB2151543
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\IgnoreUserSettings
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SessionMerging
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoDetect
HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\file
HKEY_CLASSES_ROOT\.vbs
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_HSTS
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PRESERVE_SPACES_IN_FILENAMES_KB952730
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM\Logging Directory
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-75-e2-ef
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameTabWindow
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\TrustPolicy
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PERMIT_CACHE_FOR_AUTHENTICATED_FTP_KB910274
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PeerDist\Service

Registry Set (Top 25)

Key Value
Software\WanaCrypt0r\wd C:\Users\<USER>\Downloads
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix Cookie:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix Visited:
Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable 0
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings F
{F4D1AA67-346C-4D8D-BF3A-D3A8BAF56563}\WpadDecisionReason 1
{F4D1AA67-346C-4D8D-BF3A-D3A8BAF56563}\WpadDecisionTime ♪䛒ǜD
{F4D1AA67-346C-4D8D-BF3A-D3A8BAF56563}\WpadDecision 0
{F4D1AA67-346C-4D8D-BF3A-D3A8BAF56563}\WpadNetworkName Network 2
HKEY_USERS\S-1-5-21-4270068108-2931534202-3907561125-1001\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{ED50FC29-B964-48A9-AFB3-15EBB9B97F36} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF Binary Data
HKEY_USERS\S-1-5-21-4270068108-2931534202-3907561125-1001\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C7657C4A-9F68-40FA-A4DF-96BC08EB3551} {E357FCCD-A995-4576-B01F-234630154E96} 0xFFFF Binary Data
HKEY_USERS\S-1-5-21-4270068108-2931534202-3907561125-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\exefile Binary Data
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yqzejaezr591 “C:\Users\<USER>\Downloads\tasksche.exe”

Services Started (Top 15)

Services Opened (Top 15)

What To Do Now — Practical Defense Playbook

  • Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
  • EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
  • Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
  • Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
  • Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.

Scroll to Top