File name:

2025-04-29_39d401ba091d10cf2d1b9b9a06c4ab36_elex_gandcrab

Full analysis: https://app.any.run/tasks/fb588fc6-a511-4944-8b52-db35db3cfd27
Verdict: Malicious activity
Threats:

GandCrab is probably one of the most famous Ransomware. A Ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost.

Malware Trends Tracker     >>>
Analysis date: April 29, 2025, 19:47:11
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
ransomware
gandcrab
evasion
auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

39D401BA091D10CF2D1B9B9A06C4AB36

SHA1:

1E9CE101139D79E727F03EE1DC2C14435D9AE661

SHA256:

1525E8F6F20F35AC2E9F37ACEF28B51A7F090A67BF55073B554F0DAD79888DE9

SSDEEP:

768:gX2UqF/NRmRDbBBcBP+4JH+8ReCeDCzzA5WgK9b2ivo+sCnhwFC:x9Nct+Je8UCeDCzsggEZv1GI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • GANDCRAB mutex has been found

      • 2025-04-29_39d401ba091d10cf2d1b9b9a06c4ab36_elex_gandcrab.exe (PID: 660)
      • urkmke.exe (PID: 4776)

    • Changes the autorun value in the registry

      • 2025-04-29_39d401ba091d10cf2d1b9b9a06c4ab36_elex_gandcrab.exe (PID: 660)

    • GANDCRAB has been detected (SURICATA)

      • nslookup.exe (PID: 2152)
      • nslookup.exe (PID: 5544)
      • nslookup.exe (PID: 5204)
      • nslookup.exe (PID: 4452)
      • nslookup.exe (PID: 6388)
      • nslookup.exe (PID: 6752)
      • nslookup.exe (PID: 4380)
      • nslookup.exe (PID: 4068)
      • nslookup.exe (PID: 2088)
      • nslookup.exe (PID: 2392)
      • nslookup.exe (PID: 2984)
      • nslookup.exe (PID: 4932)
      • nslookup.exe (PID: 736)
      • nslookup.exe (PID: 5756)
      • nslookup.exe (PID: 6972)
      • nslookup.exe (PID: 2504)
      • nslookup.exe (PID: 4920)
      • nslookup.exe (PID: 5332)
      • nslookup.exe (PID: 2316)
      • nslookup.exe (PID: 5008)
      • nslookup.exe (PID: 5400)
      • nslookup.exe (PID: 6300)
      • nslookup.exe (PID: 1532)
      • nslookup.exe (PID: 1812)
      • nslookup.exe (PID: 6192)
      • nslookup.exe (PID: 2344)
      • nslookup.exe (PID: 5116)
      • nslookup.exe (PID: 3008)
      • nslookup.exe (PID: 4188)
      • nslookup.exe (PID: 904)
      • nslookup.exe (PID: 4284)
      • nslookup.exe (PID: 5504)
      • nslookup.exe (PID: 1132)
      • nslookup.exe (PID: 5036)
      • nslookup.exe (PID: 2420)
      • nslookup.exe (PID: 6044)
      • nslookup.exe (PID: 5172)
      • nslookup.exe (PID: 5800)
      • nslookup.exe (PID: 3956)
      • nslookup.exe (PID: 5892)
      • nslookup.exe (PID: 6660)
      • nslookup.exe (PID: 7036)
      • nslookup.exe (PID: 5164)
      • nslookup.exe (PID: 6264)
      • nslookup.exe (PID: 4692)
      • nslookup.exe (PID: 6080)
      • nslookup.exe (PID: 2092)
      • nslookup.exe (PID: 4776)
      • nslookup.exe (PID: 5344)
      • nslookup.exe (PID: 4120)
      • nslookup.exe (PID: 6572)
      • nslookup.exe (PID: 864)
      • nslookup.exe (PID: 7012)
      • nslookup.exe (PID: 6072)
      • nslookup.exe (PID: 1852)
      • nslookup.exe (PID: 632)
      • nslookup.exe (PID: 1280)
      • nslookup.exe (PID: 4228)
      • nslookup.exe (PID: 2268)
      • svchost.exe (PID: 2196)
      • nslookup.exe (PID: 6040)
      • nslookup.exe (PID: 4728)
      • nslookup.exe (PID: 6256)
      • nslookup.exe (PID: 6760)
      • nslookup.exe (PID: 3180)
      • nslookup.exe (PID: 5740)
      • nslookup.exe (PID: 4220)
      • nslookup.exe (PID: 3620)
      • nslookup.exe (PID: 6736)
      • nslookup.exe (PID: 3028)
      • nslookup.exe (PID: 1072)
      • nslookup.exe (PID: 5232)
      • nslookup.exe (PID: 684)
      • nslookup.exe (PID: 664)
      • nslookup.exe (PID: 1568)
      • nslookup.exe (PID: 5392)
      • nslookup.exe (PID: 2340)
      • nslookup.exe (PID: 1244)
      • nslookup.exe (PID: 6344)
      • nslookup.exe (PID: 5188)
      • nslookup.exe (PID: 2148)
      • nslookup.exe (PID: 1272)
      • nslookup.exe (PID: 3828)

    • GandCrab is detected

      • 2025-04-29_39d401ba091d10cf2d1b9b9a06c4ab36_elex_gandcrab.exe (PID: 660)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-04-29_39d401ba091d10cf2d1b9b9a06c4ab36_elex_gandcrab.exe (PID: 660)

    • Checks for external IP

      • svchost.exe (PID: 2196)

    • Reads security settings of Internet Explorer

      • 2025-04-29_39d401ba091d10cf2d1b9b9a06c4ab36_elex_gandcrab.exe (PID: 660)

    • Uses NSLOOKUP.EXE to check DNS info

      • 2025-04-29_39d401ba091d10cf2d1b9b9a06c4ab36_elex_gandcrab.exe (PID: 660)

  • INFO

    • Reads the machine GUID from the registry

      • 2025-04-29_39d401ba091d10cf2d1b9b9a06c4ab36_elex_gandcrab.exe (PID: 660)

    • Creates files or folders in the user directory

      • 2025-04-29_39d401ba091d10cf2d1b9b9a06c4ab36_elex_gandcrab.exe (PID: 660)

    • Reads CPU info

      • 2025-04-29_39d401ba091d10cf2d1b9b9a06c4ab36_elex_gandcrab.exe (PID: 660)
      • urkmke.exe (PID: 4776)

    • Auto-launch of the file from Registry key

      • 2025-04-29_39d401ba091d10cf2d1b9b9a06c4ab36_elex_gandcrab.exe (PID: 660)

    • Reads the computer name

      • 2025-04-29_39d401ba091d10cf2d1b9b9a06c4ab36_elex_gandcrab.exe (PID: 660)

    • Checks supported languages

      • 2025-04-29_39d401ba091d10cf2d1b9b9a06c4ab36_elex_gandcrab.exe (PID: 660)
      • urkmke.exe (PID: 4776)

    • Checks proxy server information

      • 2025-04-29_39d401ba091d10cf2d1b9b9a06c4ab36_elex_gandcrab.exe (PID: 660)
      • slui.exe (PID: 5680)

    • Manual execution by a user

      • urkmke.exe (PID: 4776)

    • Reads the software policy settings

      • slui.exe (PID: 5680)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:02:20 17:28:57+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 33792
InitializedDataSize: 36352
UninitializedDataSize: -
EntryPoint: 0x4bf0
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
386
Monitored processes
264
Malicious processes
85
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #GANDCRAB 2025-04-29_39d401ba091d10cf2d1b9b9a06c4ab36_elex_gandcrab.exe nslookup.exe conhost.exe no specs #GANDCRAB svchost.exe #GANDCRAB nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs urkmke.exe no specs nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs nslookup.exe conhost.exe no specs nslookup.exe conhost.exe no specs nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs slui.exe nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs nslookup.exe conhost.exe no specs nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs nslookup.exe conhost.exe no specs nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs #GANDCRAB nslookup.exe conhost.exe no specs nslookup.exe conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
208\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exenslookup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
236\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exenslookup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
236\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exenslookup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
240nslookup nomoreransom.coin dns2.soprodns.ruC:\Windows\SysWOW64\nslookup.exe
2025-04-29_39d401ba091d10cf2d1b9b9a06c4ab36_elex_gandcrab.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
nslookup
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\nslookup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
300\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exenslookup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
300nslookup nomoreransom.coin dns2.soprodns.ruC:\Windows\SysWOW64\nslookup.exe
2025-04-29_39d401ba091d10cf2d1b9b9a06c4ab36_elex_gandcrab.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
nslookup
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\nslookup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
436nslookup nomoreransom.coin dns2.soprodns.ruC:\Windows\SysWOW64\nslookup.exe
2025-04-29_39d401ba091d10cf2d1b9b9a06c4ab36_elex_gandcrab.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
nslookup
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\nslookup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
472\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exenslookup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
632nslookup gandcrab.bit dns2.soprodns.ruC:\Windows\SysWOW64\nslookup.exe
2025-04-29_39d401ba091d10cf2d1b9b9a06c4ab36_elex_gandcrab.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
nslookup
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\nslookup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
660"C:\Users\admin\Desktop\2025-04-29_39d401ba091d10cf2d1b9b9a06c4ab36_elex_gandcrab.exe" C:\Users\admin\Desktop\2025-04-29_39d401ba091d10cf2d1b9b9a06c4ab36_elex_gandcrab.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\2025-04-29_39d401ba091d10cf2d1b9b9a06c4ab36_elex_gandcrab.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
60 561
Read events
60 560
Write events
1
Delete events
0

Modification events

(PID) Process:(660) 2025-04-29_39d401ba091d10cf2d1b9b9a06c4ab36_elex_gandcrab.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:qjqumqtetuw
Value:
"C:\Users\admin\AppData\Roaming\Microsoft\urkmke.exe"
Executable files
1
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
6602025-04-29_39d401ba091d10cf2d1b9b9a06c4ab36_elex_gandcrab.exeC:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1693682860-607145093-2874071422-1001\0f5007522459c86e95ffcc62f32308f1_bb926e54-e3ca-40fd-ae90-2764341e7792binary
MD5:593FB925ACB7204DBC5FCE8C3033A829
SHA256:BB3809B4FCB59B9A32BEF40FD027A9AD60B6070987B259FF329AB86B68E1A14D
6602025-04-29_39d401ba091d10cf2d1b9b9a06c4ab36_elex_gandcrab.exeC:\Users\admin\AppData\Roaming\Microsoft\urkmke.exeexecutable
MD5:758A12560E0905027488EF4CC0A3C812
SHA256:D5747CD69CB417BBA47DEA67481AB8AC1EA121EC4CF93C1F11F28169E7B7EBA8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
32
TCP/UDP connections
55
DNS requests
708
Threats
881

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
23.48.23.147:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
304
52.149.20.212:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
GET
200
52.149.20.212:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
2316
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
GET
200
13.95.31.18:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
unknown
2316
SIHClient.exe
GET
200
23.48.23.166:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
2316
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
2316
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
2316
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2104
svchost.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
2104
svchost.exe
23.48.23.147:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6544
svchost.exe
20.190.159.130:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
4
System
192.168.100.255:137
whitelisted
2316
SIHClient.exe
52.149.20.212:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
client.wns.windows.com
  • 172.211.123.250
whitelisted
google.com
  • 142.250.185.238
whitelisted
crl.microsoft.com
  • 23.48.23.147
  • 23.48.23.166
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 184.30.21.171
whitelisted
ipv4bot.whatismyipaddress.com
whitelisted
login.live.com
  • 20.190.159.130
  • 40.126.31.129
  • 40.126.31.73
  • 20.190.159.128
  • 40.126.31.1
  • 40.126.31.3
  • 20.190.159.131
  • 20.190.159.64
whitelisted
dns1.soprodns.ru
shared
2.100.168.192.in-addr.arpa
whitelisted
nomoreransom.coin
unknown
nomoreransom.bit
unknown

Threats

PID
Process
Class
Message
2196
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (whatismyipaddress .com)
3676
nslookup.exe
Potentially Bad Traffic
ET HUNTING Observed DNS Query for EmerDNS TLD (.coin)
3676
nslookup.exe
Potentially Bad Traffic
ET HUNTING Observed DNS Query for EmerDNS TLD (.coin)
3676
nslookup.exe
Potentially Bad Traffic
ET HUNTING Observed DNS Query for EmerDNS TLD (.coin)
3676
nslookup.exe
Potentially Bad Traffic
ET HUNTING Observed DNS Query for EmerDNS TLD (.coin)
2152
nslookup.exe
Potentially Bad Traffic
ET INFO DNS Query Domain .bit
2152
nslookup.exe
Potentially Bad Traffic
ET INFO DNS Query Domain .bit
2152
nslookup.exe
Potentially Bad Traffic
ET INFO DNS Query Domain .bit
2152
nslookup.exe
A Network Trojan was detected
RANSOMWARE [ANY.RUN] GandCrab Domain has been detected (nomoreransom .bit)
2152
nslookup.exe
A Network Trojan was detected
RANSOMWARE [ANY.RUN] GandCrab Domain has been detected (nomoreransom .bit)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-04-29_39d401ba091d10cf2d1b9b9a06c4ab36_elex_gandcrab