WannaCry 2.0 Ransomware

  • Published 27 Aug 2024

Comments • 465

  • @cybercdh
    @cybercdh  7 years ago +7

    follow me on twitter twitter.com/cybercdh :)

  • @jac01055
    @jac01055 7 years ago +97

    Clicks to learn about the WannaCry Ransomware, ends up learning how to use cat. Awesome video Colin! Thanks

    • @cybercdh
      @cybercdh  7 years ago +39

      glad to be of service :)

    • @Claeys67
      @Claeys67 7 years ago +8

      To be honest, cat is just to con-_cat_-enate files, grep can read the file just fine without cat:
      grep -E -o 'regex' strings.txt
      But the command in the video works just as well.

    • @Sem5626
      @Sem5626 7 years ago +1

      lol learned how to use cat...

    • @BuickGeek24
      @BuickGeek24 7 years ago +1

      Where did you find flypaper at? All I find is a tool to create flash animations

  • @SamSto
    @SamSto 7 years ago +44

    When they want you to pay $300, but your PC is only worth $200... feelsbadman

    • @jackson7099
      @jackson7099 2 months ago

      some files are priceless

  • @pcsecuritychannel
    @pcsecuritychannel 7 years ago +6

    Nice explanation. I never thought of looking up strings like that.

  • @4N5W3R5
    @4N5W3R5 7 years ago +95

    Why would anyone down vote this very well constructed video... finally proper analysis and explanation... Does this variant operate similar to cryptowall other than the stand alone features and better tor integration or does it have additional payload to traverse the network and further penetrate (I have seen several variants that will not only hit mapped drives but also scan the network for accessible shares to further the number of affected files)? Is there evidence that the virus is looking to spread via SMB 1.0 packet exploits like most "experts" are claiming? I didn't notice any scans in the wireshark log looking for vulnerable systems?

    • @cybercdh
      @cybercdh  7 years ago +7

      the sample in my video is just the ransomware, it was being propagated as part of a 'parent' which would look for the kill switch, and look to further infect other connected devices via SMB. This was an extracted sample. Similar to other ransomware variants in that it doesn't need a C2 to get the key to encrypt. The crypto on this sample is well formed in my view. See my other video for a brief look at the dropper which drops this kind of sample.

    • @4N5W3R5
      @4N5W3R5 7 years ago +2

      Thank you Colin will do and Subscribed! :)

    • @YPO6
      @YPO6 7 years ago

      I was listening to music and reading comments, what did he say?

    • @Mak100ish
      @Mak100ish 7 years ago

      They are North Korean hackers? ;)

    • @tanzeelrehman929
      @tanzeelrehman929 7 years ago +7

      probably too dumb to understand the video so took out their anger by disliking it

  • @markwilliams5654
    @markwilliams5654 7 years ago +5

    thanks Colin when we all work together humans are amazing

  • @OfflineOffie
    @OfflineOffie 7 years ago +1

    The amount of information in these videos is just amazing... Keep these videos coming, they're very useful and educational.

  • @plaaosert
    @plaaosert 7 years ago +2

    such a good channel; you've made me learn so much in the space of under 20 minutes. amazing

    • @cybercdh
      @cybercdh  7 years ago +1

      awesome to hear it!

  • @b4ux1t3-tech
    @b4ux1t3-tech 7 years ago +5

    Hey Colin, great videos! I happened upon them today by chance. Most of the malware analysis videos I find are 45 minutes of "uuuhhh, and then uhhh wait no that's not right". You do a great job of quickly and efficiently communicating what's going on.
    As an applications programmer, I've been toying with cyber security as kind of a hobby, and it's really awesome to finally find some content on TH-cam that's as good as a lot of the programming content has gotten.
    I was wondering if you'd consider doing a video that does a rundown of all the tools you use in these videos. Not, like, full-length tutorials on all of them, but maybe a quick description of the ones you've used the most in your videos so far, and a nice list in the description for people who are interested.
    Anyway, keep up the great work!

    • @cybercdh
      @cybercdh  7 years ago +2

      thanks! yes, a video on common tools i use is in the pipeline.

  • @PoohPlays
    @PoohPlays 7 years ago +2

    I swear this guy is the best computer technician in the world

    • @cybercdh
      @cybercdh  7 years ago

      lol. thanks!

  • @JAS0NPYATT
    @JAS0NPYATT 7 years ago +21

    I would just like to say WOW 🙂 I was only wondering if there was a patch lol fair play fella you really now know your stuff very interesting 🙂

    • @cybercdh
      @cybercdh  7 years ago +11

      kind words, thanks.

  • @p41nt1ti3l4ck
    @p41nt1ti3l4ck 7 years ago +1

    It's not very often I come across a video where I learn as much as I did in this one. It's interesting to see what happens with the infection. I usually end up seeing the results, as I work mainly with backups.

  • @a_sini_c
    @a_sini_c 7 years ago +18

    well.. you just earned a sub. since I was 13 I loved messing with computers like this. now I'm going to school about it

    • @cybercdh
      @cybercdh  7 years ago +10

      awesome!

    • @ooof5281
      @ooof5281 7 years ago +8

      Subbed.

  • @zate251
    @zate251 7 years ago +29

    I don't know what he did but someone needs to hire him

    • @JuanGerardoHernandez
      @JuanGerardoHernandez 5 years ago

      I am starting to learn cyber security, I took the following: CCNA Security, CCNA CyberOps, Certified Ethical Hacker, Comptia Linux+, and I understand pretty much what he did, but a LOT slower, because I don't have job experience, I just do it for fun.
      I really like it when I start to understand complex stuff.

  • @willdixon9525
    @willdixon9525 7 years ago +1

    Great work Colin. awesome fix. Thanks for your help!! Nice show. Watched and Thanks for sharing your wonderful videos

    • @cybercdh
      @cybercdh  7 years ago

      thanks! glad you enjoyed.

  • @NikAsyrafAiman
    @NikAsyrafAiman 7 years ago +1

    wow. he even comments on their coding flaws too. such a nice guy

  • @RuviBennett
    @RuviBennett 7 years ago +1

    huge thanks for the explanation. very important stuff

  • @troyBORG
    @troyBORG 7 years ago

    Thanks.
    I was able to take your list and tell my pfsense pfBlockerNG to block those IPs!

  • @zoranhacker
    @zoranhacker 7 years ago +5

    Great video, understood like 20% of it, but one can tell you know your stuff

    • @cybercdh
      @cybercdh  7 years ago +1

      thanks. feel free to ask questions

  • @Stuff1646
    @Stuff1646 7 years ago +1

    WannaCry uses RSA 2048, which is the encryption that most ransomware uses.

  • @bosapiutsa3829
    @bosapiutsa3829 7 years ago +1

    Great work, very interesting! Subscribed.

    • @Xsameie99X
      @Xsameie99X 7 years ago

      Bosapiutsa me 2

    • @cybercdh
      @cybercdh  7 years ago +2

      thanks! and welcome.

  • @npsit1
    @npsit1 7 years ago +1

    Very nice. Glad to know this!

  • @RowanSheridan
    @RowanSheridan 5 years ago

    Incredibly informative

  • @argha2091
    @argha2091 7 years ago +3

    Hello Colin, are the network indicator strings dynamic? That is, if an updated variant is expected with the infection, like a change in MD5 key with dynamic key generation?

    • @cybercdh
      @cybercdh  7 years ago

      Argha Chatterjee more than likely

  • @aniketpatil3628
    @aniketpatil3628 7 years ago

    if you are using a Windows OS, then turn your BitLocker on for your hard disk; the ransomware will not affect it, because when BitLocker is enabled/on it has already encrypted your hard disk data, so ransomware can't infect your data

  • @ajwas8565
    @ajwas8565 5 years ago +1

    Amazing video, very informative. I am obsessed with writing and studying malware. The spreading mechanisms are what interest me the most. Do you have any videos showing the pcap files of this spreading via SMB 1?

  • @jkohutiak
    @jkohutiak 7 years ago +1

    fantastic analysis

  • @TheAmazingJon
    @TheAmazingJon 7 years ago

    This is very interesting. You know your stuff. Please make more videos.

  • @devernetinc
    @devernetinc 7 years ago +1

    Subbed... Great job man... Say where do you get the program FlyPaper from? I am familiar with the rest of the tools you use, but not that one...

    • @cybercdh
      @cybercdh  7 years ago

      ive had it for years, i dont see it online anymore tbh. watch this space, i'll see if i can find it somewhere.

    • @EnergyTK
      @EnergyTK 7 years ago +1

      Colin Hardy can't you upload the file or something to google drive or mediafire?

  • @drgowen
    @drgowen 5 years ago +1

    All of the IP addresses you found are associated with tor. It looks like you are looking at the strings in the tor binary.

  • @DrachenYT
    @DrachenYT 7 years ago

    I've seen so many videos of educated techies discussing the virus but none of them going so far to understand what it actually does. Thanks mate!
    If you could clarify, when it encrypts your files, what sorts of files are encrypted? Standard document extensions? Music and pictures, maybe? I noticed you freely operated with all of your executables (and naturally they wouldn't want to cripple your machine prior to "paying").

    • @cybercdh
      @cybercdh  7 years ago +1

      thanks for the comments. there is a config the ransomware operates to, which includes the file types it's set to encrypt. in this case exes were not being encrypted, which is usual as i imagine the malware would then likely encrypt itself.

  • @faz2k
    @faz2k 7 years ago

    Seeing the computer files getting encrypted is so scary

  • @PinguMotionDesigner
    @PinguMotionDesigner 7 years ago +1

    Man, omg ur so smart, i didnt know that all things exist...

  • @CO7E
    @CO7E 7 years ago +1

    might be a dumb question, would the files on a plugged in external hard drive be encrypted too if you were hit with the ransomware?

    • @cybercdh
      @cybercdh  7 years ago +1

      cola yes. Most ransomware variants will encrypt all connected drives and network shares

    • @gabrielandy9272
      @gabrielandy9272 7 years ago

      network shares u mean shared folders? or does this mean if a friend lives with me on the same local network it would affect my computer even if i did not run the ransomware?

    • @ferretfrenzy05
      @ferretfrenzy05 7 years ago

      Yes, if you have shared folders and mapped drives that are accessible then they will be encrypted as well. The malware will encrypt anything that is directly accessible through your computer. If your friend has no shared drives that are visible to your computer or no mapped network drives from his computer to yours then it should be safe.

  • @SwarnanEel
    @SwarnanEel 7 years ago +2

    Brilliant bro!
    kudos!

    • @cybercdh
      @cybercdh  7 years ago +1

      thanks!

  • @PlasmaHH
    @PlasmaHH 7 years ago +2

    Time to update your wireshark version ;)
    oh and may I suggest sort -u instead of sort | uniq

    • @cybercdh
      @cybercdh  7 years ago +1

      good spot on the wireshark. im so stuck in my ways of sort | uniq lol.
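
    The two shell tips in this thread (the @Claeys67 reply: let grep read the file itself instead of piping cat into it; the @PlasmaHH comment: sort -u instead of sort | uniq) combined into one runnable indicator-extraction pipeline. This is an added example, not code from the video or its author. The strings dump and the Tor relay list are constructed stand-ins (the file names strings.txt and tor_relays.txt are assumptions), and the block goes one step past the comments: it drops matches with an impossible octet, and it separates addresses that are merely Tor relays (which, as other comments here point out, is what the extracted IPs turned out to be) from the remaining indicators, since a Tor relay address is not attacker infrastructure and blocking it blindly buys nothing.

```shell
#!/bin/sh
# Added example, not code from the video or its author. It turns the two tips
# from the comments (let grep read the file itself instead of piping `cat`
# into it, and use `sort -u` instead of `sort | uniq`) into an indicator
# extraction pipeline, then goes one step further: it rejects impossible
# octets and separates addresses that are merely Tor relays from the rest.
# All inputs below are constructed stand-ins.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for `strings <binary-or-dump> > strings.txt`.
STRINGS_FILE="$WORK/strings.txt"
cat > "$STRINGS_FILE" <<'EOF'
!This program cannot be run in DOS mode.
203.0.113.10:9001
198.51.100.7
192.0.2.55 orport=443
203.0.113.10
Wana Decrypt0r 2.0
version 3.0.0.260
EOF

# Constructed stand-in for a Tor relay list (one address per line).
RELAY_FILE="$WORK/tor_relays.txt"
cat > "$RELAY_FILE" <<'EOF'
203.0.113.10
192.0.2.55
EOF

# Unique IPv4-looking strings from a file. grep opens the file itself (no cat),
# -o prints only the matched text, awk drops matches with an octet above 255
# (the regex alone would accept 3.0.0.260), and sort -u replaces sort | uniq.
extract_ips() {
  grep -E -o '([0-9]{1,3}\.){3}[0-9]{1,3}' "$1" |
    awk -F. '$1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255' |
    sort -u
}

# Number of unique indicators (tr strips the padding BSD wc adds).
count_ips() { extract_ips "$1" | wc -l | tr -d ' '; }

# Indicators that are known Tor relays: -F -x matches whole lines literally,
# -f reads the patterns from the relay list. `|| true` keeps a no-match exit
# status from aborting a `set -e` script.
tor_relays() { extract_ips "$1" | grep -F -x -f "$2" || true; }

# Indicators that are NOT on the relay list: the ones worth investigating.
non_relays() { extract_ips "$1" | grep -F -x -v -f "$2" || true; }

echo "unique IPv4 indicators: $(count_ips "$STRINGS_FILE")"
echo "--- Tor relays (Tor client traffic, not attacker infrastructure):"
tor_relays "$STRINGS_FILE" "$RELAY_FILE"
echo "--- remaining indicators to investigate before blocking:"
non_relays "$STRINGS_FILE" "$RELAY_FILE"
```

    Run it as-is; with the constructed input it reports three unique addresses, two of which are on the relay list, leaving one to look at. In real use, point STRINGS_FILE at the output of strings and RELAY_FILE at a current relay list; the octet check matters because a strings dump is full of version numbers and offsets that look like dotted quads.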

  • @CJTongue
    @CJTongue 7 years ago +1

    m.vbs was written to your desktop, it just had some extension on it (.WIN something). It is right in the middle next to the Burp Suite Free Edition orange/black icon. It would have been interesting to take a look at that being a console script it should be far easier to inspect than some random binary code...

    • @cybercdh
      @cybercdh  7 years ago

      yeh i missed it at first glance, it wasnt anything special if i recall and you can actually pull the contents of the file from the binary strings in memory.

  • @normaaliihminen722
    @normaaliihminen722 7 years ago +1

    +Colin Hardy what Mac computer do you have?

    • @cybercdh
      @cybercdh  7 years ago

      the one ive used here is a macbook pro 15", 16gb ram with 1TB disk.

  • @deepjyotighosh8806
    @deepjyotighosh8806 7 years ago +2

    thanks, this is very useful.

    • @cybercdh
      @cybercdh  7 years ago +1

      thanks!

    • @thewatcher7101
      @thewatcher7101 7 years ago

      +Colin Hardy please i want to download this ransomware for test!

  • @ankushrajurkar7593
    @ankushrajurkar7593 7 years ago

    Dear all, the precaution you should take is a daily backup to another place, on the cloud, so in case your system is infected you can immediately restore your backup. I am doing the same and our data is 100% secure. Thanks, Ankush, IT Admin

  • @drwombat
    @drwombat 5 years ago

    At around 08:42 you mention some network indicators that should be investigated for impact and subsequently blocked. I'm curious what exactly you mean by blocking. Do you mean we should create a firewall rule for a specific port or application and then block it, or something else entirely?

  • @Nacheteam
    @Nacheteam 7 years ago

    I would like to know where did you get flypaper? Cause i'm looking for it to study better wannacry and i'm completely lost on getting it

  • @badkatz_yt
    @badkatz_yt 5 years ago

    Okay, explain to me like I'm five. The list of IP Addresses in 'ips.txt' file are sketchy, Tor-related hosts that I want to block to protect my computer from WannaCry? And if so, how would I go about doing that? Thanks a bunch.

  • @selami32
    @selami32 7 years ago +1

    ty Colin

  • @Annonimous10110
    @Annonimous10110 7 years ago

    you just earned a subscription, thank you ...

  • @newtonsheikh
    @newtonsheikh 7 years ago +1

    where did you learn all this!?? experience?? amazing video ... loved it. wish I can be like you someday.

  • @tecsmith_info
    @tecsmith_info 7 years ago +1

    Well done lad

  • @Devachiah
    @Devachiah 7 years ago +1

    Great info, subbed

  • @skrobotov
    @skrobotov 7 years ago +1

    What makes me wonder is, if the IP addresses the virus is contacting are known, why is it such a mystery for IANA to determine its location? Would that not mean that the virus originated from there?

    • @cybercdh
      @cybercdh  7 years ago +1

      The IPs are actually TOR entry nodes.

  • @cmjvanrijn505
    @cmjvanrijn505 7 years ago

    Are files on macs in danger too? Or is it windows only? Because it can spread via IPs on the same network. And is it a threat for linux?
    Sorry for the bad english btw

    • @cybercdh
      @cybercdh  7 years ago

      macs are not affected, to my knowledge.

  • @1LEgGOdt
    @1LEgGOdt 7 years ago

    Best way to protect your files: save them all to an external storage device like an External Hard Drive that must be plugged in if you want to access them. So the only things that are on the local disk drive are the basic files that are needed to run the PC, Laptop and etc... Everything else like personal photos, videos, and etc should be saved to the external hard drives or flash drives. And you should also have a backup of your system from before it was infected by any viruses. So that way if you're ever locked out of your files by something like a ransomware virus then you can simply restore your PC, laptop or etc. to the factory default and wipe that virus from your local hard drive that comes installed on the PC, laptop, or etc.
    And I learned that lesson the hard way when my old Laptop's original hard drive fried itself and I had to get a new one to replace it. And after I got the new hard drive out in I went and bought myself a 1TB External Hard drive.

  • @injuxtice
    @injuxtice 7 years ago

    this ransomware at the same time of encrypting files scans the internet for hosts with the SMB port (445) open and then if it finds any it will remotely execute the payload using the vulnerability in the SMB protocol. (this has now been patched in Windows update) the communication to those IPs you are seeing is simply your infected host trying to make connections over the internet to spread the payload and hence blocking these IPs would have no impact. the easiest and most effective way at the moment to protect yourself is to simply download the Windows update which includes the patch for the SMB vulnerability. this will prevent you from getting the ransomware by getting code remotely executed on your machine.

    • @cybercdh
      @cybercdh  7 years ago

      actually the sample i reviewed in this video does not have the SMB exploit, it is the extracted ransomware binary. the TOR IPs are the callback IPs used to forge a connection to the threat actors in respect of payment / obtaining keys. Blocking any C2 indicator is a good idea whether you're a home user or corporation. Agree though, patching is key in this instance.

  • @Krumm3L
    @Krumm3L 7 years ago +1

    Nice Video!

  • @RifqiPriyo
    @RifqiPriyo 7 years ago +1

    It runs attrib +sh . which means that the original file may just be hidden, because the .wncry file always has roughly the same size. Just my analysis.

  • @allanng5522
    @allanng5522 6 years ago

    Hi Colin,
    I saw your message in the Noriben demonstration. I just wonder, do you know how to set up an automatic malware analysis sandbox using Noriben? Please help me.

  • @kopuz.co.uk.
    @kopuz.co.uk. 7 years ago

    Thanks for the ip list!

  • @Redtailed78
    @Redtailed78 7 years ago

    Cracking vid, Do you rate software like Sophos Intercept x for stopping ransomware infections?

  • @lucas-ks7yx
    @lucas-ks7yx 7 years ago +1

    Jesus Christ this guy is smart.

  • @orochicc002
    @orochicc002 7 years ago

    I think I've read somewhere that the encryption method being used includes RSA(2048) and AES(256?). Given that the encryption is done relatively fast, I assume that most files, medium and large ones, are encrypted using AES. If the encryption program has the key in itself, theoretically you can get the encryption key. RSA on the other hand is a different story: the secret key is highly unlikely to be carried by the program itself, but maybe everyone is encrypted using the same key? So if somehow these guys get caught, the same solution key could apply to all victims.

    • @cybercdh
      @cybercdh  7 years ago

      thats right. my understanding is a new pub/priv keypair is generated for each user and the users private key is then encrypted with a hard coded public key of the bad guy, of which they obviously have the private key. therefore breaking the crypto is pretty unlikely, fooling the binary into thinking its paid is more likely to get results.

    • @orochicc002
      @orochicc002 7 years ago

      You have a good point, but I wouldn't have the decryption key coded into the binary if I were the bad guy. The decryption key must come from their server or something.

    • @cybercdh
      @cybercdh  7 years ago

      yeh thats right, their private key is not in the binary, but presumably is either sent over the wire, or more likely the users private key is decrypted on their server and sent back to the user.

  • @drwombat
    @drwombat 5 years ago

    What software is being utilized at around 08:08 ?? Process Explorer? Or simply Task Manager/anything like it?

    • @cybercdh
      @cybercdh  5 years ago

      That's Process Hacker processhacker.sourceforge.io/

  • @craighilton8526
    @craighilton8526 7 years ago +1

    wow awesome... we need people like you in our governments anticyber hacking.

  • @null0x4d5a3
    @null0x4d5a3 7 years ago +11

    could someone share flypaper please :)

    • @MrLePiggy
      @MrLePiggy 7 years ago

      here, wikileaks.org/hbgary-emails/emailid/67831
      check the email for pw and you can download it from the attachments

    • @testertester-md7di
      @testertester-md7di 5 years ago

      @@MrLePiggy why can't i extract the file from the rar when i've already opened it???

    • @testertester-md7di
      @testertester-md7di 5 years ago

      Hi! it's okay... i've already opened it...

  • @davidjjdj
    @davidjjdj 7 years ago

    Any chance I can get a copy of flypaper from you? I have looked online and found links to a free download that lead to countertack's site but support would not give me a copy and it was nowhere on the site.

  • @littlezen7816
    @littlezen7816 7 years ago

    Hi Colin, Does the malware run with privilege of the logged on user or does it run with elevated privilege such as system? If it uses the SMBv1 exploit does it run as the logged in user or again does it manage to elevate its rights?

    • @cybercdh
      @cybercdh  7 years ago +2

      the dropper which uses the smb exploit runs with high integrity.

  • @XamofSsadda
    @XamofSsadda 1 year ago

    Others are like, Yeah, so just make a crazy lody and drum and setup.

  • @razamadaz3417
    @razamadaz3417 7 years ago +2

    Good shit man.

    • @cybercdh
      @cybercdh  7 years ago +1

      thanks!

  • @CarstenBauer
    @CarstenBauer 7 years ago +1

    Thanks for this. Ransomware really scares me, as I have many files that I could not bear to lose.
    What would you recommend for someone that isn't as geeky as yourself for protection for myself and my mother's computer?

    • @cybercdh
      @cybercdh  7 years ago +1

      good anti-virus, and keep up to date with microsoft updates.

  • @usernametaken3098
    @usernametaken3098 7 years ago +1

    good video overall, do a video using malwarebytes, and why it's not worth deleting (ofc since you won't be able to decrypt) but some people might find that important.

  • @pizzel
    @pizzel 7 years ago

    i was thinking, does this virus require the EFS service for it to perform the file encryption? microsoft systems automatically start this service at boot time, so maybe if someone was to disable it (before getting the virus) would it still harm your system? just a silly thought.

  • @10sampreeth10
    @10sampreeth10 7 years ago

    thank you, learned a lot.. but i am curious, on pressing the decrypt button.. where would the WannaCry program search for its decryption keys.. over tor, or is it something that's randomly generated by the malware itself

    • @cybercdh
      @cybercdh  7 years ago +2

      the keys are held locally, but encrypted using the malware authors public key.

  • @MilosMaschaBRE
    @MilosMaschaBRE 7 years ago

    WannaCry i love you...do it again !!!!

  • @OdracirKill
    @OdracirKill 7 years ago +1

    Nice work! I noticed your tools and am wondering if you have ever used Cuckoo Sandbox? I use it for things like this. It is open source.

    • @cybercdh
      @cybercdh  7 years ago +1

      i do use sandboxes yes, they're good to confirm findings from manual analysis.

  • @photosoloja
    @photosoloja 7 years ago +1

    This is awesome..

  • @coastguarddistrictnortheas8080
    @coastguarddistrictnortheas8080 1 year ago

    Best of the best

  • @raymondtwm
    @raymondtwm 7 years ago +2

    Nice video !!

  • @Muzz18169
    @Muzz18169 7 years ago

    Does anybody know where you can download flypaper? All the links I have found are dead and HBGary's website redirects now. Or do you know of an alternative to block a program's exit?

  • @TEMPERxNIGHT
    @TEMPERxNIGHT 6 years ago +1

    that looked like a node when u were using wireshark

  • @Bilfred
    @Bilfred 7 years ago +1

    would you be able to add a link for that ips.txt? Definitely interested in blocking those

  • @ranggaalr
    @ranggaalr 7 years ago

    simple question, if I have windows 10 ver 1703. am I safe yet? thank you

  • @sri48k
    @sri48k 7 years ago

    HI, do you think this Ransomware can double encrypt a system that is already encrypted with other software, for example microsoft bitlocker?

    • @cybercdh
      @cybercdh  7 years ago

      tbh not sure.

  • @aminehero5010
    @aminehero5010 7 years ago +1

    good man
    good analysis

  • @havelcode6670
    @havelcode6670 7 years ago

    Hey, if you don't mind me asking, what's your background?
    You obviously know your stuff, are you a pen tester, researcher, general enthusiast?

    • @cybercdh
      @cybercdh  7 years ago

      just a guy who loves malware and cyber security.

  • @websuspect
    @websuspect 7 years ago

    I think Windows has an encryption scheme built in. If it's that quick it has to be using the Windows encryption API. Then there must be a key log somewhere on Windows.

  • @sdavis6434
    @sdavis6434 7 years ago

    So, I'm not the most tech savvy, however I am interested in learning more about trojans, viruses, worms, hacks, exploits etc.. Just curious to know where/ how you learned most of the information you know about this type of topic? Because I'm very interested as well and you seem highly educated on the subject. Kinda curious to know where I should start out.. Cheers!

    • @cybercdh
      @cybercdh  7 years ago

      lots of books! Practical Malware Analysis is good. other sites such as lynda and coursera have stuff too. More formal training can be done with SANS.

  • @jamesmcay6915
    @jamesmcay6915 7 years ago

    are those .onions at the bottom of the code encrypted tor network emails???

  • @angus823
    @angus823 7 years ago +1

    The 71 wanna cry operators that disliked this. Shame on you

  • @HybridEdits
    @HybridEdits 7 years ago

    Idk if you've heard but someone at a security business in the US that got infected went into the files apparently and found out how to change the amount of time you have to pay and got it to stick.

    • @cybercdh
      @cybercdh  7 years ago

      interesting, i havent heard this.

  • @codecode4144
    @codecode4144 1 year ago

    where can i download this flypaper sir
    thanks for the video

  • @patrikoreb6722
    @patrikoreb6722 7 years ago +1

    sooo how exactly does it spread, sorry but i am not as smart as you

  • @shaikhzoyeb
    @shaikhzoyeb 7 years ago

    #Colin Hardy
    Is this malware capable of infecting databases or just files and folders within the computer? it uses the icacls command line argument

  • @treefiddy8811
    @treefiddy8811 7 years ago +2

    At 6:50 M.vbs was indeed on your desktop

    • @cybercdh
      @cybercdh  7 years ago +1

      good catch - i missed it on the first pass. turns out the contents of the file are also in the strings in memory which i viewed, the vbs simply creates the .lnk file on the desktop to the wannadecryptor process.

  • @TheEnde124
    @TheEnde124 5 years ago

    since the hash of taskhsvc.exe is identical to tor.exe, taskhsvc.exe is probably just the tor portable executable, meaning all the ips you got from the process are probably not suspicious as you mentioned earlier since they're all probably just tor nodes. All communication from the ransomware is most likely exclusively through tor, why would they make thousands of pcs directly connect to their server?

  • @sergiop.4183
    @sergiop.4183 7 years ago +1

    you're a legend :0

  • @jamietelford7196
    @jamietelford7196 7 years ago

    Would you be able to see where the messages will be sent to or what site the bitcoin is sent to

  • @davidkroft
    @davidkroft 5 years ago +1

    *Hackers* : time to make money and destroy lives! Nyeheheheheh
    *Colin Hardy* : ok so here we are Oh look creepy skull that's nice!

  • @kalemercer7053
    @kalemercer7053 7 years ago

    Does WannaCry 2.0 or 1 also encrypt any other internal or external drives?

  • @LongNguyen-ki3ey
    @LongNguyen-ki3ey 7 years ago +1

    0x6274fa (Vietnamese) ? 8:53 i don't get it, this string here

  • @christiansorgi7076
    @christiansorgi7076 7 years ago

    Can you post the list of hosts that we should block on our networks?

  • @themegadude900
    @themegadude900 7 years ago

    How would you get this ransomware on to your computer, would accessing sites be enough to get it?

    • @cybercdh
      @cybercdh  7 years ago

      possible. in this case the likely infection vector is through an SMB exploit. gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168

  • @torsen1987
    @torsen1987 7 years ago

    Easiest solution to all virus problems.. Have two accounts on your machine.. One administrator account and one standard user account :) And just keep using the standard one :)