File name:

setup-antimalware-1024.exe

Full analysis: https://app.any.run/tasks/ad352044-5d3e-45e1-8909-365feaa0f2b9
Verdict: Malicious activity
Threats:

DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common.

Analysis date: May 19, 2025, 18:55:14
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
delphi
upx
stealer
crypto-regex
dcrat
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5:

D4BC14D79ADB65D8A03C1043F0C2FF07

SHA1:

D454154FE8241EECF2A53F658AAEED805D25FECC

SHA256:

DE3E7309A038212864C3F1D717E29CBC3528390F1A8A99B5AEE924F1FDDC2508

SSDEEP:

24576:n9HmIVL1Tvp/MdafdwXCK0W8R/XJe0oYbdVRcTjCPJrIklTG0Z:RmIVXCafdjJDM0oYbTRejCxrIklTG0Z

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Registers / Runs the DLL via REGSVR32.EXE

      • DEJ2EXhm.DOr (PID: 4776)
    • Changes powershell execution policy (Bypass)

      • DEJ2EXhm.DOr (PID: 4776)
    • Changes Windows Defender settings

      • DEJ2EXhm.DOr (PID: 4776)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7508)
    • Actions look like stealing of personal data

      • gsam.exe (PID: 5344)
      • gsam.exe (PID: 7084)
    • Changes the autorun value in the registry

      • rundll32.exe (PID: 2616)
      • rundll32.exe (PID: 6132)
      • rundll32.exe (PID: 7876)
    • Steals credentials from Web Browsers

      • gsam.exe (PID: 5344)
      • gsam.exe (PID: 7084)
    • DCRAT has been detected (YARA)

      • gsam.exe (PID: 7084)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • DEJ2EXhm.DOr (PID: 4776)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • DEJ2EXhm.DOr (PID: 4776)
    • Reads security settings of Internet Explorer

      • setup-antimalware-1024.exe (PID: 7536)
      • gsam.exe (PID: 7084)
    • Process drops SQLite DLL files

      • DEJ2EXhm.DOr (PID: 4776)
    • Process drops legitimate windows executable

      • DEJ2EXhm.DOr (PID: 4776)
    • The process bypasses the loading of PowerShell profile settings

      • DEJ2EXhm.DOr (PID: 4776)
    • There is functionality for taking screenshot (YARA)

      • DEJ2EXhm.DOr (PID: 4776)
      • gsam.exe (PID: 7084)
    • Drops 7-zip archiver for unpacking

      • DEJ2EXhm.DOr (PID: 4776)
    • Drops a system driver (possible attempt to evade defenses)

      • DEJ2EXhm.DOr (PID: 4776)
      • rundll32.exe (PID: 6132)
      • drvinst.exe (PID: 7788)
      • rundll32.exe (PID: 7876)
    • Starts POWERSHELL.EXE for commands execution

      • DEJ2EXhm.DOr (PID: 4776)
    • The process verifies whether the antivirus software is installed

      • gsam.exe (PID: 5344)
      • gsam.exe (PID: 7084)
    • Uses RUNDLL32.EXE to load library

      • DEJ2EXhm.DOr (PID: 4776)
    • Creates a software uninstall entry

      • DEJ2EXhm.DOr (PID: 4776)
    • Starts application with an unusual extension

      • setup-antimalware-1024.exe (PID: 7536)
    • Creates files in the driver directory

      • drvinst.exe (PID: 7788)
    • Creates or modifies Windows services

      • drvinst.exe (PID: 7772)
    • Executable content was dropped or overwritten

      • DEJ2EXhm.DOr (PID: 4776)
      • rundll32.exe (PID: 6132)
      • rundll32.exe (PID: 7876)
      • drvinst.exe (PID: 7788)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 7940)
    • Found regular expressions for crypto-addresses (YARA)

      • gsam.exe (PID: 7084)
    • Connects to unusual port

      • gsam.exe (PID: 7084)
  • INFO

    • The sample is compiled with English language support

      • setup-antimalware-1024.exe (PID: 7536)
      • DEJ2EXhm.DOr (PID: 4776)
      • rundll32.exe (PID: 6132)
      • drvinst.exe (PID: 7788)
      • rundll32.exe (PID: 7876)
    • Reads the computer name

      • setup-antimalware-1024.exe (PID: 7536)
      • DEJ2EXhm.DOr (PID: 4776)
      • gsam.exe (PID: 5344)
      • drvinst.exe (PID: 7788)
      • drvinst.exe (PID: 7772)
      • gsam.exe (PID: 7084)
    • Compiled with Borland Delphi (YARA)

      • setup-antimalware-1024.exe (PID: 7536)
      • DEJ2EXhm.DOr (PID: 4776)
      • gsam.exe (PID: 7084)
      • slui.exe (PID: 5800)
    • Reads CPU info

      • setup-antimalware-1024.exe (PID: 7536)
      • gsam.exe (PID: 7084)
    • Creates files in a temporary directory

      • DEJ2EXhm.DOr (PID: 4776)
      • setup-antimalware-1024.exe (PID: 7536)
      • rundll32.exe (PID: 6132)
    • Creates files in the program directory

      • DEJ2EXhm.DOr (PID: 4776)
      • gsam.exe (PID: 5344)
      • gsam.exe (PID: 7084)
    • Checks supported languages

      • setup-antimalware-1024.exe (PID: 7536)
      • gsam.exe (PID: 5344)
      • DEJ2EXhm.DOr (PID: 4776)
      • drvinst.exe (PID: 7788)
      • drvinst.exe (PID: 7772)
      • gsam.exe (PID: 7084)
    • Reads the software policy settings

      • setup-antimalware-1024.exe (PID: 7536)
      • slui.exe (PID: 7616)
      • drvinst.exe (PID: 7788)
      • gsam.exe (PID: 7084)
    • Reads the machine GUID from the registry

      • setup-antimalware-1024.exe (PID: 7536)
      • drvinst.exe (PID: 7788)
      • gsam.exe (PID: 7084)
    • Creates files or folders in the user directory

      • setup-antimalware-1024.exe (PID: 7536)
      • gsam.exe (PID: 7084)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7508)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7508)
    • Reads Environment values

      • gsam.exe (PID: 5344)
      • gsam.exe (PID: 7084)
    • Reads security settings of Internet Explorer

      • runonce.exe (PID: 7568)
      • runonce.exe (PID: 7704)
      • runonce.exe (PID: 5548)
    • Reads the time zone

      • runonce.exe (PID: 7568)
      • runonce.exe (PID: 7704)
      • runonce.exe (PID: 5548)
    • Checks proxy server information

      • setup-antimalware-1024.exe (PID: 7536)
      • gsam.exe (PID: 7084)
    • UPX packer has been detected

      • setup-antimalware-1024.exe (PID: 7536)
    • Creates files in the driver directory

      • rundll32.exe (PID: 7876)
    • Process checks computer location settings

      • setup-antimalware-1024.exe (PID: 7536)
      • gsam.exe (PID: 7084)
    • Reads product name

      • gsam.exe (PID: 7084)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (38.2)
.exe | Win32 EXE Yoda's Crypter (37.5)
.dll | Win32 Dynamic Link Library (generic) (9.2)
.exe | Win32 Executable (generic) (6.3)
.exe | Win16/32 Executable Delphi generic (2.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:07:19 19:33:52+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 831488
InitializedDataSize: 61440
UninitializedDataSize: 1548288
EntryPoint: 0x2450f0
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 4.1.0.88
ProductVersionNumber: 4.1.0.88
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
ProductName: Gridinsoft® Anti-Malware Web Installer
ProductVersion: 4.1.0
CompanyName: Gridinsoft LLC
LegalCopyright: © Gridinsoft LLC, 2022
LegalTrademarks: Gridinsoft®
InternalName: AntiMalwareInstaller
OriginalFileName: AntiMalwareInstaller.exe
FileVersion: 4.1.0.88
FileDescription: Anti-Malware Web Installer
No data.
All screenshots are available in the full report
Total processes
160
Monitored processes
24
Malicious processes
5
Suspicious processes
3

Behavior graph

  • start
  • setup-antimalware-1024.exe
  • sppextcomobj.exe (no specs)
  • slui.exe
  • dej2exhm.dor
  • regsvr32.exe (no specs)
  • powershell.exe (no specs)
  • conhost.exe (no specs)
  • slui.exe
  • gsam.exe
  • rundll32.exe
  • runonce.exe (no specs)
  • grpconv.exe (no specs)
  • rundll32.exe
  • drvinst.exe
  • drvinst.exe (no specs)
  • runonce.exe (no specs)
  • grpconv.exe (no specs)
  • rundll32.exe
  • runonce.exe (no specs)
  • grpconv.exe (no specs)
  • regsvr32.exe (no specs)
  • regsvr32.exe (no specs)
  • #DCRAT gsam.exe
  • setup-antimalware-1024.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
1244
CMD:
"C:\Windows\System32\grpconv.exe" -o
Path:
C:\Windows\System32\grpconv.exe
Parent process:
runonce.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Progman Group Converter
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\grpconv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
2616
CMD:
C:\WINDOWS\system32\RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultUninstall 128 C:\Program Files\GridinSoft Anti-Malware\Driver\GSDriver.inf
Path:
C:\Windows\System32\rundll32.exe
Parent process:
DEJ2EXhm.DOr
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
PID:
4776
CMD:
C:\Users\admin\AppData\Local\Temp\DEJ2EXhm.DOr /S /I /D=C:\Program Files\GridinSoft Anti-Malware\
Path:
C:\Users\admin\AppData\Local\Temp\DEJ2EXhm.DOr
Parent process:
setup-antimalware-1024.exe
User:
admin
Company:
Gridinsoft LLC
Integrity Level:
HIGH
Description:
GridinSoft Anti-Malware 4.3.60 Setup
Exit code:
0
Version:
4.3.60.5852
Modules
Images
c:\users\admin\appdata\local\temp\dej2exhm.dor
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID:
5344
CMD:
"C:\Program Files\GridinSoft Anti-Malware\gsam.exe" -add-shortcut
Path:
C:\Program Files\GridinSoft Anti-Malware\gsam.exe
Parent process:
DEJ2EXhm.DOr
User:
admin
Company:
Gridinsoft LLC
Integrity Level:
HIGH
Description:
Anti-Malware (64-bit)
Exit code:
0
Version:
4.3.60.5852
Modules
Images
c:\program files\gridinsoft anti-malware\gsam.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
PID:
5548
CMD:
"C:\WINDOWS\system32\runonce.exe" -r
Path:
C:\Windows\System32\runonce.exe
Parent process:
rundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Run Once Wrapper
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\runonce.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\gdi32.dll
PID:
5800
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
6132
CMD:
C:\WINDOWS\system32\RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 C:\Program Files\GridinSoft Anti-Malware\Driver\GSDriver.inf
Path:
C:\Windows\System32\rundll32.exe
Parent process:
DEJ2EXhm.DOr
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
PID:
7084
CMD:
"C:\Program Files\GridinSoft Anti-Malware\gsam.exe"
Path:
C:\Program Files\GridinSoft Anti-Malware\gsam.exe
Parent process:
setup-antimalware-1024.exe
User:
admin
Company:
Gridinsoft LLC
Integrity Level:
HIGH
Description:
Anti-Malware (64-bit)
Version:
4.3.60.5852
Modules
Images
c:\program files\gridinsoft anti-malware\gsam.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
PID:
7368
CMD:
"C:\WINDOWS\system32\regsvr32.exe" /s /u "C:\Program Files\GridinSoft Anti-Malware\shellext.dll"
Path:
C:\Windows\SysWOW64\regsvr32.exe
Parent process:
DEJ2EXhm.DOr
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
3
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID:
7440
CMD:
"C:\Users\admin\Desktop\setup-antimalware-1024.exe"
Path:
C:\Users\admin\Desktop\setup-antimalware-1024.exe
Parent process:
explorer.exe
User:
admin
Company:
Gridinsoft LLC
Integrity Level:
MEDIUM
Description:
Anti-Malware Web Installer
Exit code:
3221226540
Version:
4.1.0.88
Modules
Images
c:\users\admin\desktop\setup-antimalware-1024.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
Total events
67 340
Read events
67 212
Write events
120
Delete events
8

Modification events

(PID) Process: (7536) setup-antimalware-1024.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (7536) setup-antimalware-1024.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value:
Cookie:

(PID) Process: (7536) setup-antimalware-1024.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value:
Visited:

(PID) Process: (7536) setup-antimalware-1024.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\GridinSoft\Anti-Malware
Operation: write
Name: InstallerFileName
Value:
setup-antimalware-1024.exe

(PID) Process: (7568) runonce.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation: delete value
Name: GrpConv
Value:
grpconv -o

(PID) Process: (6132) rundll32.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\Setup\SetupapiLogStatus
Operation: write
Name: setupapi.dev.log
Value:
4096

(PID) Process: (4776) DEJ2EXhm.DOr
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GridinSoft Anti-Malware
Operation: write
Name: DisplayVersion
Value:
4.3.60

(PID) Process: (4776) DEJ2EXhm.DOr
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GridinSoft Anti-Malware
Operation: write
Name: UninstallString
Value:
C:\Program Files\GridinSoft Anti-Malware\uninst.exe

(PID) Process: (4776) DEJ2EXhm.DOr
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GridinSoft Anti-Malware
Operation: write
Name: InstallLocation
Value:
C:\Program Files\GridinSoft Anti-Malware

(PID) Process: (4776) DEJ2EXhm.DOr
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GridinSoft Anti-Malware
Operation: write
Name: DisplayName
Value:
GridinSoft Anti-Malware
Executable files
49
Suspicious files
289
Text files
65
Unknown types
4

Dropped files

PID | Process | Filename | Type

7536 | setup-antimalware-1024.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\gsam-4.3.60.5852-setup[1].exe
MD5:
SHA256:

7536 | setup-antimalware-1024.exe | C:\Users\admin\AppData\Local\Temp\DEJ2EXhm.DOr
MD5:
SHA256:

4776 | DEJ2EXhm.DOr | C:\Program Files\GridinSoft Anti-Malware\gtkmgmtc.exe | executable
MD5: 1341FD4A957532DF4FA16C0A73C1771A
SHA256: FA9D0C80D4D6C4BBB717A5CE310F476C85155E91852512D938AA590465B3514F

7536 | setup-antimalware-1024.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 | binary
MD5: 04C72861FA1B6329ACC1AD957BD0F2A8
SHA256: C2BC4E69CA9FDB0BE4C1C179E49E5A48AE420B2910F905658E71D0BA55DDA883

7536 | setup-antimalware-1024.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | binary
MD5: 37A155E31C8703B7F57BEC1602A84742
SHA256: BFAA94DB80AD8D30C73996434A2128D7F520B9FBC82DBCFF9630D2ACED68DC92

4776 | DEJ2EXhm.DOr | C:\Program Files\GridinSoft Anti-Malware\offreg.dll | executable
MD5: 1EAB65173F446A3E116556CE53C7717D
SHA256: 54CE76E23156BDB9873014F9DA22C023339EE3F1E5A3B7D70C1A9E1016865A50

4776 | DEJ2EXhm.DOr | C:\Program Files\GridinSoft Anti-Malware\pFilters.dll | executable
MD5: 61E33977A8DECDFCA372F9AAFEC7F334
SHA256: D27EEB8628B99E66D3C27FDF52C457AEA03F01E23E6C8ED632B847B99B17D936

7536 | setup-antimalware-1024.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | binary
MD5: E192462F281446B5D1500D474FBACC4B
SHA256: F1BA9F1B63C447682EBF9DE956D0DA2A027B1B779ABEF9522D347D3479139A60

4776 | DEJ2EXhm.DOr | C:\Program Files\GridinSoft Anti-Malware\shellext.dll | executable
MD5: 86B25FDE5B216C9671F8D55F25253D9E
SHA256: 5D8335270E22AD9B0250940631F08C3411D0575869C23CCCED819809E76CFEB0

4776 | DEJ2EXhm.DOr | C:\Program Files\GridinSoft Anti-Malware\libmem.dll | executable
MD5: A91AD44260CB64A971E60EA210D0F9D6
SHA256: 8193EF3964CA00C84811AA5BAF0CEC652E8C89EAAEEADFC5763B2B7922F8EF7F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
46
TCP/UDP connections
80
DNS requests
39
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

- | - | GET | 200 | 23.48.23.188:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
7536 | setup-antimalware-1024.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D | unknown | whitelisted
- | - | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
1276 | SIHClient.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
1276 | SIHClient.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
7084 | gsam.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAV14ffsm9imej9hicY%2Bl7s%3D | unknown | whitelisted
7084 | gsam.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAxzMedPflRKIhs2702zVHA%3D | unknown | whitelisted
7084 | gsam.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTjzY2p9Pa8oibmj%2BNSMWsz63kmWgQUuhbZbU2FL3MpdpovdYxqII%2BeyG8CEAuuZrxaun%2BVh8b56QTjMwQ%3D | unknown | whitelisted
7084 | gsam.exe | GET | 200 | 142.250.186.67:80 | http://c.pki.goog/r/gsr1.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

4 | System | 192.168.100.255:137 | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 23.48.23.188:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
2112 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
7536 | setup-antimalware-1024.exe | 142.93.183.102:443 | bind.gridinsoft.com | DIGITALOCEAN-ASN | US | suspicious
7536 | setup-antimalware-1024.exe | 69.192.161.44:80 | x1.c.lencr.org | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 23.48.23.188
  • 23.48.23.191
  • 23.48.23.185
  • 23.48.23.194
  • 23.48.23.192
  • 23.48.23.176
  • 23.48.23.180
  • 23.48.23.174
  • 23.48.23.193
  • 23.48.23.162
  • 23.48.23.138
  • 23.48.23.139
  • 23.48.23.177
  • 23.48.23.183
  • 23.48.23.141
  • 23.48.23.145
  • 23.48.23.150
whitelisted
www.microsoft.com
  • 23.52.120.96
  • 23.219.150.101
  • 23.35.229.160
whitelisted
google.com
  • 142.250.181.238
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
bind.gridinsoft.com
  • 142.93.183.102
unknown
x1.c.lencr.org
  • 69.192.161.44
whitelisted
8a82d43e7382eb560508-db1e9047be4d687c9233d1b7230c4dbc.ssl.cf2.rackcdn.com
  • 23.45.97.132
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
login.live.com
  • 40.126.31.0
  • 40.126.31.71
  • 40.126.31.67
  • 20.190.159.4
  • 20.190.159.23
  • 20.190.159.131
  • 20.190.159.2
  • 20.190.159.64
whitelisted

Threats

No threats detected
No debug info