File name: 2025-03-24_9e9fda1921efacd96d32fc088e77f052_gandcrab

Full analysis: https://app.any.run/tasks/73716a53-a688-4c86-8c73-5bd0fe2dc318
Verdict: Malicious activity
Threats:

GandCrab is probably one of the most famous ransomware families. Ransomware is malware that demands payment from the victim in order to restore access to encrypted files. If the user does not cooperate, the files are lost for good.

Analysis date: March 24, 2025, 13:09:10
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
ransomware
gandcrab
evasion
grandcrab
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5: 9E9FDA1921EFACD96D32FC088E77F052
SHA1: 2204033A5F03EF0D7D771541CE5F5344CC55C3B3
SHA256: 36AD379F52745ED7DA1C57E91E1E8A0124B68CDFE3CE5BD6C4053456A6E0D14F
SSDEEP: 768:Wm5qEQyrCjoFZuE0uSoXQH+bReLe2CpT5W/UMlaxvKop2hKK9b2ivMsmc:1QyGkFZQebULe2CpTg/iZEZvMBc

ANY.RUN is an interactive service that provides full access to the guest system. Information in this report may have been distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • 2025-03-24_9e9fda1921efacd96d32fc088e77f052_gandcrab.exe (PID: 7544)
    • GRANDCRAB mutex has been found

      • 2025-03-24_9e9fda1921efacd96d32fc088e77f052_gandcrab.exe (PID: 7544)
    • GANDCRAB has been detected (SURICATA)

      • nslookup.exe (PID: 7960)
      • nslookup.exe (PID: 8116)
      • nslookup.exe (PID: 7180)
      • nslookup.exe (PID: 7284)
      • nslookup.exe (PID: 1116)
      • nslookup.exe (PID: 7352)
      • nslookup.exe (PID: 7856)
      • nslookup.exe (PID: 7536)
      • nslookup.exe (PID: 4164)
      • nslookup.exe (PID: 7720)
      • nslookup.exe (PID: 7148)
      • nslookup.exe (PID: 7888)
      • nslookup.exe (PID: 7224)
      • nslookup.exe (PID: 8092)
      • nslookup.exe (PID: 7204)
      • nslookup.exe (PID: 7240)
      • nslookup.exe (PID: 6676)
      • nslookup.exe (PID: 4268)
      • nslookup.exe (PID: 6112)
      • nslookup.exe (PID: 2504)
      • nslookup.exe (PID: 5968)
      • nslookup.exe (PID: 6644)
      • nslookup.exe (PID: 1196)
      • nslookup.exe (PID: 5756)
      • nslookup.exe (PID: 1164)
      • nslookup.exe (PID: 5228)
      • nslookup.exe (PID: 744)
      • nslookup.exe (PID: 6476)
      • nslookup.exe (PID: 7996)
      • nslookup.exe (PID: 8128)
      • nslookup.exe (PID: 7704)
      • nslookup.exe (PID: 6040)
      • nslookup.exe (PID: 5072)
      • nslookup.exe (PID: 4844)
      • nslookup.exe (PID: 2088)
      • nslookup.exe (PID: 3884)
      • nslookup.exe (PID: 2284)
      • nslookup.exe (PID: 7876)
      • nslookup.exe (PID: 664)
      • nslookup.exe (PID: 7332)
      • nslookup.exe (PID: 8188)
      • nslookup.exe (PID: 5308)
      • nslookup.exe (PID: 8088)
      • nslookup.exe (PID: 1056)
      • nslookup.exe (PID: 5576)
      • nslookup.exe (PID: 7260)
      • nslookup.exe (PID: 7216)
      • nslookup.exe (PID: 2420)
      • nslookup.exe (PID: 1812)
      • nslookup.exe (PID: 5200)
      • nslookup.exe (PID: 5056)
      • nslookup.exe (PID: 7084)
      • nslookup.exe (PID: 680)
      • nslookup.exe (PID: 7656)
      • nslookup.exe (PID: 5136)
      • nslookup.exe (PID: 7724)
      • nslookup.exe (PID: 7928)
      • nslookup.exe (PID: 7748)
      • nslookup.exe (PID: 7848)
      • nslookup.exe (PID: 7824)
      • nslookup.exe (PID: 5044)
      • nslookup.exe (PID: 5172)
      • nslookup.exe (PID: 5592)
      • nslookup.exe (PID: 2908)
      • nslookup.exe (PID: 5244)
      • nslookup.exe (PID: 2244)
      • nslookup.exe (PID: 968)
      • nslookup.exe (PID: 7524)
      • nslookup.exe (PID: 5380)
      • nslookup.exe (PID: 6240)
      • nslookup.exe (PID: 7516)
      • nslookup.exe (PID: 856)
      • nslookup.exe (PID: 7868)
      • nslookup.exe (PID: 8060)
      • nslookup.exe (PID: 7320)
      • nslookup.exe (PID: 7268)
      • nslookup.exe (PID: 7152)
      • nslookup.exe (PID: 2432)
      • nslookup.exe (PID: 7892)
      • nslookup.exe (PID: 8004)
      • nslookup.exe (PID: 6048)
      • nslookup.exe (PID: 208)
    • GandCrab is detected

      • 2025-03-24_9e9fda1921efacd96d32fc088e77f052_gandcrab.exe (PID: 7544)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 2025-03-24_9e9fda1921efacd96d32fc088e77f052_gandcrab.exe (PID: 7544)
    • Executable content was dropped or overwritten

      • 2025-03-24_9e9fda1921efacd96d32fc088e77f052_gandcrab.exe (PID: 7544)
    • Checks for external IP

      • svchost.exe (PID: 2196)
    • Uses NSLOOKUP.EXE to check DNS info

      • 2025-03-24_9e9fda1921efacd96d32fc088e77f052_gandcrab.exe (PID: 7544)
  • INFO

    • Creates files or folders in the user directory

      • 2025-03-24_9e9fda1921efacd96d32fc088e77f052_gandcrab.exe (PID: 7544)
    • Reads the computer name

      • 2025-03-24_9e9fda1921efacd96d32fc088e77f052_gandcrab.exe (PID: 7544)
    • Reads CPU info

      • 2025-03-24_9e9fda1921efacd96d32fc088e77f052_gandcrab.exe (PID: 7544)
    • Checks supported languages

      • 2025-03-24_9e9fda1921efacd96d32fc088e77f052_gandcrab.exe (PID: 7544)
    • Reads the machine GUID from the registry

      • 2025-03-24_9e9fda1921efacd96d32fc088e77f052_gandcrab.exe (PID: 7544)
    • Checks proxy server information

      • 2025-03-24_9e9fda1921efacd96d32fc088e77f052_gandcrab.exe (PID: 7544)
      • slui.exe (PID: 872)
    • Reads the software policy settings

      • slui.exe (PID: 872)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ Matrix in the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:02:20 17:28:57+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 33792
InitializedDataSize: 36352
UninitializedDataSize: -
EntryPoint: 0x4bf0
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 375
Monitored processes: 253
Malicious processes: 83
Suspicious processes: 0

Behavior graph

Interactive process graph (available in the full report): the sample 2025-03-24_9e9fda1921efacd96d32fc088e77f052_gandcrab.exe (#GANDCRAB) spawns a long series of nslookup.exe / conhost.exe pairs, many of them tagged #GANDCRAB, alongside svchost.exe and slui.exe.

Process information

Columns: PID, CMD, Path, Indicators, Parent process
PID: 208
CMD: nslookup nomoreransom.bit dns2.soprodns.ru
Path: C:\Windows\SysWOW64\nslookup.exe
Parent process: 2025-03-24_9e9fda1921efacd96d32fc088e77f052_gandcrab.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: nslookup
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\nslookup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 632
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: nslookup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 664
CMD: nslookup nomoreransom.bit dns2.soprodns.ru
Path: C:\Windows\SysWOW64\nslookup.exe
Parent process: 2025-03-24_9e9fda1921efacd96d32fc088e77f052_gandcrab.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: nslookup
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\nslookup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 668
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: nslookup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 680
CMD: nslookup gandcrab.bit dns2.soprodns.ru
Path: C:\Windows\SysWOW64\nslookup.exe
Parent process: 2025-03-24_9e9fda1921efacd96d32fc088e77f052_gandcrab.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: nslookup
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\nslookup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 684
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: nslookup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 744
CMD: nslookup nomoreransom.bit dns2.soprodns.ru
Path: C:\Windows\SysWOW64\nslookup.exe
Parent process: 2025-03-24_9e9fda1921efacd96d32fc088e77f052_gandcrab.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: nslookup
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\nslookup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 856
CMD: nslookup gandcrab.bit dns2.soprodns.ru
Path: C:\Windows\SysWOW64\nslookup.exe
Parent process: 2025-03-24_9e9fda1921efacd96d32fc088e77f052_gandcrab.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: nslookup
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\nslookup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 872
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 58 367
Read events: 58 366
Write events: 1
Delete events: 0

Modification events

(PID) Process: (7544) 2025-03-24_9e9fda1921efacd96d32fc088e77f052_gandcrab.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: pdlrerjeqan
Value: "C:\Users\admin\AppData\Roaming\Microsoft\uscqtl.exe"
Executable files: 1
Suspicious files: 1
Text files: 0
Unknown types: 0

Dropped files

PID: 7544
Process: 2025-03-24_9e9fda1921efacd96d32fc088e77f052_gandcrab.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\uscqtl.exe
Type: executable
MD5: F48A68177CF3F040FF66F4AB1DD24174
SHA256: 520783CCB948027A0F6BD306FD84BA5F075DA50EACAD38ADBE19E8D49DBAAFD4

PID: 7544
Process: 2025-03-24_9e9fda1921efacd96d32fc088e77f052_gandcrab.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1693682860-607145093-2874071422-1001\0f5007522459c86e95ffcc62f32308f1_bb926e54-e3ca-40fd-ae90-2764341e7792
Type: binary
MD5: 7AFD25B0DB1F00EBB26CEAD43C27A83B
SHA256: 782FC5B2E28B1228ECAB9853289BB53ED4B7B8A2041185362F3ABA2752CDFA3E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 21
DNS requests: 673
Threats: 845

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2104 | svchost.exe | GET | 200 | 2.16.164.24:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.24:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5496 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2104 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5496 | MoUsoCoreWorker.exe | 2.16.164.24:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
2104 | svchost.exe | 2.16.164.24:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
5496 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2112 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146, 40.127.240.158 | whitelisted
google.com | 142.250.186.142 | whitelisted
crl.microsoft.com | 2.16.164.24, 2.16.164.120, 2.16.164.18, 2.16.164.9, 2.16.164.106, 2.16.164.72, 2.16.164.99 | whitelisted
ipv4bot.whatismyipaddress.com | - | whitelisted
dns1.soprodns.ru | - | shared
2.100.168.192.in-addr.arpa | - | whitelisted
nomoreransom.coin | - | unknown
nomoreransom.bit | - | unknown
dns2.soprodns.ru | - | shared
gandcrab.bit | - | unknown

Threats

PID | Process | Class | Message
2196 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (whatismyipaddress .com)
7704 | nslookup.exe | Potentially Bad Traffic | ET HUNTING Observed DNS Query for EmerDNS TLD (.coin)
7704 | nslookup.exe | Potentially Bad Traffic | ET HUNTING Observed DNS Query for EmerDNS TLD (.coin)
7704 | nslookup.exe | Potentially Bad Traffic | ET HUNTING Observed DNS Query for EmerDNS TLD (.coin)
7704 | nslookup.exe | Potentially Bad Traffic | ET HUNTING Observed DNS Query for EmerDNS TLD (.coin)
7856 | nslookup.exe | Potentially Bad Traffic | ET INFO DNS Query Domain .bit
7856 | nslookup.exe | Potentially Bad Traffic | ET INFO DNS Query Domain .bit
7856 | nslookup.exe | Potentially Bad Traffic | ET INFO DNS Query Domain .bit
7856 | nslookup.exe | Potentially Bad Traffic | ET INFO DNS Query Domain .bit
7856 | nslookup.exe | A Network Trojan was detected | RANSOMWARE [ANY.RUN] GandCrab Domain has been detected (nomoreransom .bit)
No debug info