URL:

https://github.com/OG476/WannaCry.exe

Full analysis: https://app.any.run/tasks/36057767-1102-46a4-8a9e-2ca4f8e7a3f1
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: July 14, 2025, 17:22:48
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
github
wannacry
ransomware
stealer
qrcode
maldoc
Indicators:
MD5:

56DFBCBFF9BF0AA9366155F9CF56628D

SHA1:

AAB6CC055434D8AD1469AA1E52499B0724D4393D

SHA256:

F026038FE45C9D29A33B13752CB3268F54A97ED101847EB4432CA3DE3FA943D9

SSDEEP:

3:N8tEdpRgKXLb6Nn:2utgwSn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • WANNACRY has been detected

      • WannaCry.exe (PID: 868)
      • @WanaDecryptor@.exe (PID: 7592)
      • @WanaDecryptor@.exe (PID: 2348)
      • @WanaDecryptor@.exe (PID: 424)

    • Writes a file to the Word startup folder

      • WannaCry.exe (PID: 868)

    • Modifies files in the Chrome extension folder

      • WannaCry.exe (PID: 868)

    • WANNACRY has been detected (YARA)

      • WannaCry.exe (PID: 868)
      • @WanaDecryptor@.exe (PID: 7592)
      • @WanaDecryptor@.exe (PID: 424)

    • Actions looks like stealing of personal data

      • WannaCry.exe (PID: 868)

    • Drops known malicious image

      • WannaCry.exe (PID: 868)

    • Wannacry exe files

      • @WanaDecryptor@.exe (PID: 7592)
      • cmd.exe (PID: 7372)
      • @WanaDecryptor@.exe (PID: 2348)
      • @WanaDecryptor@.exe (PID: 424)
      • @WanaDecryptor@.exe (PID: 4048)
      • @WanaDecryptor@.exe (PID: 6596)
      • @WanaDecryptor@.exe (PID: 5500)
      • @WanaDecryptor@.exe (PID: 7584)

    • WannaCry Ransomware is detected

      • WannaCry.exe (PID: 868)
      • cmd.exe (PID: 7372)

    • RANSOMWARE has been detected

      • WannaCry.exe (PID: 868)

    • Deletes shadow copies

      • cmd.exe (PID: 4500)

    • Changes the autorun value in the registry

      • reg.exe (PID: 7804)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • msedge.exe (PID: 984)
      • msedge.exe (PID: 6524)
      • WannaCry.exe (PID: 868)

    • Starts a Microsoft application from unusual location

      • WannaCry.exe (PID: 868)
      • taskdl.exe (PID: 3000)
      • taskdl.exe (PID: 7208)
      • @WanaDecryptor@.exe (PID: 7592)
      • @WanaDecryptor@.exe (PID: 2348)
      • taskdl.exe (PID: 7628)
      • taskdl.exe (PID: 2064)
      • @WanaDecryptor@.exe (PID: 424)
      • taskdl.exe (PID: 7424)
      • taskdl.exe (PID: 1612)
      • @WanaDecryptor@.exe (PID: 4048)
      • taskdl.exe (PID: 7064)
      • @WanaDecryptor@.exe (PID: 6596)
      • @WanaDecryptor@.exe (PID: 5500)
      • taskdl.exe (PID: 3936)
      • @WanaDecryptor@.exe (PID: 7584)
      • taskdl.exe (PID: 6812)

    • Executable content was dropped or overwritten

      • WannaCry.exe (PID: 868)
      • @WanaDecryptor@.exe (PID: 7592)

    • Uses ATTRIB.EXE to modify file attributes

      • WannaCry.exe (PID: 868)

    • Uses ICACLS.EXE to modify access control lists

      • WannaCry.exe (PID: 868)

    • Executing commands from a ".bat" file

      • WannaCry.exe (PID: 868)

    • Starts CMD.EXE for commands execution

      • WannaCry.exe (PID: 868)
      • @WanaDecryptor@.exe (PID: 2348)

    • The process executes VB scripts

      • cmd.exe (PID: 6768)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 420)

    • Connects to unusual port

      • taskhsvc.exe (PID: 4836)

    • Reads security settings of Internet Explorer

      • @WanaDecryptor@.exe (PID: 2348)

    • The process executes via Task Scheduler

      • updater.exe (PID: 2232)

    • Application launched itself

      • updater.exe (PID: 2232)

    • Executes as Windows Service

      • VSSVC.exe (PID: 5960)

  • INFO

    • Checks supported languages

      • identity_helper.exe (PID: 892)
      • identity_helper.exe (PID: 7284)
      • WannaCry.exe (PID: 868)
      • taskdl.exe (PID: 3000)
      • taskdl.exe (PID: 2064)
      • taskdl.exe (PID: 7208)
      • @WanaDecryptor@.exe (PID: 7592)
      • taskdl.exe (PID: 7628)
      • @WanaDecryptor@.exe (PID: 2348)
      • taskhsvc.exe (PID: 4836)
      • @WanaDecryptor@.exe (PID: 424)
      • taskdl.exe (PID: 7424)
      • updater.exe (PID: 2232)
      • updater.exe (PID: 6732)
      • @WanaDecryptor@.exe (PID: 6596)
      • taskdl.exe (PID: 1612)
      • taskdl.exe (PID: 7064)
      • taskdl.exe (PID: 3936)
      • @WanaDecryptor@.exe (PID: 7584)
      • @WanaDecryptor@.exe (PID: 5500)
      • taskdl.exe (PID: 6812)
      • @WanaDecryptor@.exe (PID: 4048)

    • Application launched itself

      • msedge.exe (PID: 6524)
      • msedge.exe (PID: 7640)

    • Reads the computer name

      • identity_helper.exe (PID: 892)
      • identity_helper.exe (PID: 7284)
      • WannaCry.exe (PID: 868)
      • @WanaDecryptor@.exe (PID: 424)
      • @WanaDecryptor@.exe (PID: 2348)
      • updater.exe (PID: 2232)
      • taskhsvc.exe (PID: 4836)

    • Reads Environment values

      • identity_helper.exe (PID: 892)
      • identity_helper.exe (PID: 7284)

    • The sample compiled with english language support

      • msedge.exe (PID: 984)
      • msedge.exe (PID: 6524)
      • WannaCry.exe (PID: 868)
      • @WanaDecryptor@.exe (PID: 7592)

    • Executable content was dropped or overwritten

      • msedge.exe (PID: 984)
      • msedge.exe (PID: 6524)

    • Manual execution by a user

      • WannaCry.exe (PID: 868)
      • msedge.exe (PID: 5768)

    • Reads the machine GUID from the registry

      • WannaCry.exe (PID: 868)
      • taskhsvc.exe (PID: 4836)

    • Reads security settings of Internet Explorer

      • cscript.exe (PID: 4040)
      • WMIC.exe (PID: 1180)

    • Creates files or folders in the user directory

      • WannaCry.exe (PID: 868)
      • taskhsvc.exe (PID: 4836)

    • Creates files in the program directory

      • WannaCry.exe (PID: 868)

    • Checks proxy server information

      • slui.exe (PID: 2220)

    • Reads the software policy settings

      • slui.exe (PID: 2220)

    • Create files in a temporary directory

      • WannaCry.exe (PID: 868)

    • Process checks computer location settings

      • @WanaDecryptor@.exe (PID: 2348)

    • Launching a file from a Registry key

      • reg.exe (PID: 7804)

    • Process checks whether UAC notifications are on

      • updater.exe (PID: 2232)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
236
Monitored processes
88
Malicious processes
12
Suspicious processes
1

Behavior graph

Click at the process to see the details
start msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs rundll32.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs #WANNACRY wannacry.exe attrib.exe no specs icacls.exe no specs conhost.exe no specs conhost.exe no specs taskdl.exe no specs cmd.exe no specs conhost.exe no specs cscript.exe no specs slui.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs taskdl.exe no specs msedge.exe no specs taskdl.exe no specs msedge.exe no specs msedge.exe no specs taskdl.exe no specs msedge.exe no specs #WANNACRY @wanadecryptor@.exe msedge.exe no specs #WANNACRY cmd.exe no specs conhost.exe no specs #WANNACRY @wanadecryptor@.exe no specs msedge.exe no specs taskhsvc.exe conhost.exe no specs #WANNACRY @wanadecryptor@.exe no specs cmd.exe no specs conhost.exe no specs reg.exe taskdl.exe no specs cmd.exe conhost.exe no specs wmic.exe no specs vssvc.exe no specs msedge.exe no specs updater.exe no specs updater.exe no specs #WANNACRY @wanadecryptor@.exe no specs taskdl.exe no specs msedge.exe no specs msedge.exe no specs #WANNACRY @wanadecryptor@.exe no specs taskdl.exe no specs msedge.exe no specs #WANNACRY @wanadecryptor@.exe no specs taskdl.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs #WANNACRY @wanadecryptor@.exe no specs taskdl.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
420cmd.exe /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "zyzvdxbqct621" /t REG_SZ /d "\"C:\Users\admin\Desktop\tasksche.exe\"" /fC:\Windows\SysWOW64\cmd.exeWannaCry.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
424@WanaDecryptor@.exeC:\Users\admin\Desktop\@WanaDecryptor@.exe
WannaCry.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Load PerfMon Counters
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\users\admin\desktop\@wanadecryptor@.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
868"C:\Users\admin\Desktop\WannaCry.exe" C:\Users\admin\Desktop\WannaCry.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
DiskPart
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\users\admin\desktop\wannacry.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
892"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.92\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=6520,i,7305750600251974814,4734381088016896029,262144 --variations-seed-version --mojo-platform-channel-handle=6532 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.92\identity_helper.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
PWA Identity Proxy Host
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\identity_helper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
984"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=2240,i,7305750600251974814,4734381088016896029,262144 --variations-seed-version --mojo-platform-channel-handle=2552 /prefetch:3C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1180"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=5276,i,7305750600251974814,4734381088016896029,262144 --variations-seed-version --mojo-platform-channel-handle=5272 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1180wmic shadowcopy delete C:\Windows\SysWOW64\wbem\WMIC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
2147749908
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1300"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.92\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=6520,i,7305750600251974814,4734381088016896029,262144 --variations-seed-version --mojo-platform-channel-handle=6532 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.92\identity_helper.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
PWA Identity Proxy Host
Exit code:
3221226029
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\identity_helper.exe
c:\windows\system32\ntdll.dll
1392"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --disable-quic --message-loop-type-ui --string-annotations --always-read-main-dll --field-trial-handle=5124,i,4226705020998037031,1707645222596931415,262144 --variations-seed-version --mojo-platform-channel-handle=5184 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1612taskdl.exeC:\Users\admin\Desktop\taskdl.exeWannaCry.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
SQL Client Configuration Utility EXE
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\users\admin\desktop\taskdl.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
10 805
Read events
10 762
Write events
43
Delete events
0

Modification events

(PID) Process:(6524) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(6524) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(6524) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\ThirdParty
Operation:writeName:StatusCodes
Value:
(PID) Process:(6524) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\ThirdParty
Operation:writeName:StatusCodes
Value:
01000000
(PID) Process:(6524) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(6524) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
A8568F317D982F00
(PID) Process:(6524) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
0
(PID) Process:(6524) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328590
Operation:writeName:WindowTabManagerFileMappingId
Value:
{EC6EA8D5-5FC7-43EB-89DF-7027C751D0E5}
(PID) Process:(6524) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328590
Operation:writeName:WindowTabManagerFileMappingId
Value:
{2E09455D-AFEB-4915-A62C-EF7AF64EE31D}
(PID) Process:(6524) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328590
Operation:writeName:WindowTabManagerFileMappingId
Value:
{556ACBBE-FFBF-4740-B819-6DAC0F374E55}
Executable files
22
Suspicious files
1 962
Text files
517
Unknown types
158

Dropped files

PID
Process
Filename
Type
6524msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF1754a8.TMP
MD5:
SHA256:
6524msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
6524msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF1754a8.TMP
MD5:
SHA256:
6524msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
6524msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF1754c7.TMP
MD5:
SHA256:
6524msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
6524msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF1754d6.TMP
MD5:
SHA256:
6524msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
MD5:
SHA256:
6524msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old~RF1754d6.TMP
MD5:
SHA256:
6524msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RF1754a8.TMP
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
27
TCP/UDP connections
149
DNS requests
211
Threats
27

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.216.77.25:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
23.32.85.199:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7392
SIHClient.exe
GET
200
23.32.85.199:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7392
SIHClient.exe
GET
200
23.32.85.199:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
984
msedge.exe
GET
200
150.171.28.11:80
http://edge.microsoft.com/browsernetworktime/time/1/current?cup2key=2:Wi1Hqyh8bXWB3FhIQ4u09hcBVwJd5rrXLmilUmJ2zvY&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
unknown
whitelisted
5444
svchost.exe
GET
200
23.210.252.238:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5328
SearchApp.exe
GET
200
23.210.252.238:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
6664
svchost.exe
HEAD
200
77.224.14.21:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/bf8090eb-6e5c-4c51-9250-5bf9b46cf160?P1=1752967575&P2=404&P3=2&P4=RN%2bJKTxIOY0gsrVUTporXtoV%2bsMBr63zqCWUuJ7a14Zeu91oYhdUJ4jJoL8JgIiqgDhDNrxF7%2bIPo0rYf1V%2fbg%3d%3d
unknown
whitelisted
6664
svchost.exe
GET
206
77.224.14.21:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/bf8090eb-6e5c-4c51-9250-5bf9b46cf160?P1=1752967575&P2=404&P3=2&P4=RN%2bJKTxIOY0gsrVUTporXtoV%2bsMBr63zqCWUuJ7a14Zeu91oYhdUJ4jJoL8JgIiqgDhDNrxF7%2bIPo0rYf1V%2fbg%3d%3d
unknown
whitelisted
6664
svchost.exe
GET
206
77.224.14.21:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/bf8090eb-6e5c-4c51-9250-5bf9b46cf160?P1=1752967575&P2=404&P3=2&P4=RN%2bJKTxIOY0gsrVUTporXtoV%2bsMBr63zqCWUuJ7a14Zeu91oYhdUJ4jJoL8JgIiqgDhDNrxF7%2bIPo0rYf1V%2fbg%3d%3d
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5944
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
23.216.77.25:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
23.32.85.199:80
www.microsoft.com
AKAMAI-AS
SE
whitelisted
4
System
192.168.100.255:138
whitelisted
984
msedge.exe
4.225.11.194:443
github.com
MICROSOFT-CORP-MSN-AS-BLOCK
SE
whitelisted
984
msedge.exe
150.171.28.11:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
984
msedge.exe
150.171.28.11:80
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 23.216.77.25
  • 23.216.77.8
whitelisted
www.microsoft.com
  • 23.32.85.199
whitelisted
google.com
  • 142.250.74.110
whitelisted
edge.microsoft.com
  • 150.171.28.11
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
github.com
  • 4.225.11.194
whitelisted
copilot.microsoft.com
  • 2.22.244.233
whitelisted
github.githubassets.com
  • 185.199.109.154
whitelisted
avatars.githubusercontent.com
  • 185.199.109.133
whitelisted

Threats

PID
Process
Class
Message
984
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
984
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
984
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
4836
taskhsvc.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 152
4836
taskhsvc.exe
Unknown Traffic
ET JA3 Hash - Possible Malware - Malspam
4836
taskhsvc.exe
Unknown Traffic
ET JA3 Hash - Possible Malware - Malspam
4836
taskhsvc.exe
Unknown Traffic
ET JA3 Hash - Possible Malware - Malspam
4836
taskhsvc.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 148
4836
taskhsvc.exe
Unknown Traffic
ET JA3 Hash - Possible Malware - Malspam
4836
taskhsvc.exe
Unknown Traffic
ET JA3 Hash - Possible Malware - Malspam
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://github.com/OG476/WannaCry.exe