File name:

2024-12-05_1b6562de0e87c25d62554181ac42a5c5_gandcrab

Full analysis: https://app.any.run/tasks/9473116a-0a99-403c-ad02-24ea41c2312b
Verdict: Malicious activity
Threats:

GandCrab is probably one of the most famous ransomware families. Ransomware is malware that demands payment from the victim to restore access to files it has encrypted; if the victim does not pay, the files typically remain inaccessible for good.

Analysis date: December 05, 2024, 17:29:14
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
ransomware
gandcrab
evasion
upx
grandcrab
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 5 sections
MD5:

1B6562DE0E87C25D62554181AC42A5C5

SHA1:

0147D068F419FE06C25EF740EF8F124A7F31B8A0

SHA256:

EAFF5AF95CB6A6F6F430D91F5B98D68F7C76394592ED1F4FC96BEE26645BC354

SSDEEP:

1536:dQQyHtDQebULe2Cpcg/iZEhxIVLppUsC6bm5:uQyN8OULe2ycg/53IVLpp9y

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • GRANDCRAB mutex has been found

      • 2024-12-05_1b6562de0e87c25d62554181ac42a5c5_gandcrab.exe (PID: 4652)
    • Changes the autorun value in the registry

      • 2024-12-05_1b6562de0e87c25d62554181ac42a5c5_gandcrab.exe (PID: 4652)
    • GANDCRAB has been detected (SURICATA)

      • nslookup.exe (PID: 3552)
      • nslookup.exe (PID: 5748)
      • nslookup.exe (PID: 4428)
      • nslookup.exe (PID: 5740)
      • nslookup.exe (PID: 4992)
      • nslookup.exe (PID: 4580)
      • nslookup.exe (PID: 3736)
      • nslookup.exe (PID: 836)
      • nslookup.exe (PID: 880)
      • nslookup.exe (PID: 536)
      • nslookup.exe (PID: 624)
      • nslookup.exe (PID: 1544)
      • nslookup.exe (PID: 3680)
      • nslookup.exe (PID: 3876)
      • nslookup.exe (PID: 2676)
      • nslookup.exe (PID: 4824)
      • nslookup.exe (PID: 3928)
      • nslookup.exe (PID: 2612)
      • nslookup.exe (PID: 4972)
      • nslookup.exe (PID: 4128)
      • nslookup.exe (PID: 4520)
      • nslookup.exe (PID: 4596)
      • nslookup.exe (PID: 6016)
      • nslookup.exe (PID: 4420)
      • nslookup.exe (PID: 2132)
      • nslookup.exe (PID: 540)
      • nslookup.exe (PID: 5728)
      • nslookup.exe (PID: 4624)
      • nslookup.exe (PID: 3640)
      • nslookup.exe (PID: 5488)
      • nslookup.exe (PID: 5872)
      • nslookup.exe (PID: 3532)
      • nslookup.exe (PID: 4120)
      • nslookup.exe (PID: 848)
      • nslookup.exe (PID: 5652)
      • nslookup.exe (PID: 968)
      • nslookup.exe (PID: 5752)
      • nslookup.exe (PID: 3488)
      • nslookup.exe (PID: 4504)
      • nslookup.exe (PID: 936)
      • nslookup.exe (PID: 132)
      • nslookup.exe (PID: 3864)
      • nslookup.exe (PID: 5036)
      • nslookup.exe (PID: 4876)
      • nslookup.exe (PID: 4020)
      • nslookup.exe (PID: 4556)
      • nslookup.exe (PID: 4968)
      • nslookup.exe (PID: 3172)
      • nslookup.exe (PID: 1804)
      • nslookup.exe (PID: 5588)
      • nslookup.exe (PID: 3824)
      • nslookup.exe (PID: 4056)
      • nslookup.exe (PID: 436)
      • nslookup.exe (PID: 5916)
      • nslookup.exe (PID: 2940)
      • nslookup.exe (PID: 1144)
      • nslookup.exe (PID: 2280)
      • nslookup.exe (PID: 1416)
      • nslookup.exe (PID: 3816)
      • nslookup.exe (PID: 4052)
      • nslookup.exe (PID: 6012)
      • nslookup.exe (PID: 1512)
      • nslookup.exe (PID: 6132)
      • nslookup.exe (PID: 2040)
      • nslookup.exe (PID: 5992)
      • nslookup.exe (PID: 5340)
      • nslookup.exe (PID: 4816)
      • nslookup.exe (PID: 5712)
      • nslookup.exe (PID: 5000)
      • nslookup.exe (PID: 5592)
      • nslookup.exe (PID: 3124)
      • nslookup.exe (PID: 5212)
      • nslookup.exe (PID: 4444)
      • nslookup.exe (PID: 5460)
      • nslookup.exe (PID: 5576)
      • nslookup.exe (PID: 5628)
      • nslookup.exe (PID: 4912)
      • nslookup.exe (PID: 5828)
      • nslookup.exe (PID: 5696)
      • nslookup.exe (PID: 2628)
      • nslookup.exe (PID: 3992)
      • nslookup.exe (PID: 1292)
      • nslookup.exe (PID: 4764)
      • nslookup.exe (PID: 4544)
      • nslookup.exe (PID: 2432)
    • GandCrab is detected

      • 2024-12-05_1b6562de0e87c25d62554181ac42a5c5_gandcrab.exe (PID: 4652)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2024-12-05_1b6562de0e87c25d62554181ac42a5c5_gandcrab.exe (PID: 4652)
    • Checks for external IP

      • svchost.exe (PID: 2192)
    • Uses NSLOOKUP.EXE to check DNS info

      • 2024-12-05_1b6562de0e87c25d62554181ac42a5c5_gandcrab.exe (PID: 4652)
  • INFO

    • Reads CPU info

      • 2024-12-05_1b6562de0e87c25d62554181ac42a5c5_gandcrab.exe (PID: 4652)
    • Checks supported languages

      • 2024-12-05_1b6562de0e87c25d62554181ac42a5c5_gandcrab.exe (PID: 4652)
    • Creates files or folders in the user directory

      • 2024-12-05_1b6562de0e87c25d62554181ac42a5c5_gandcrab.exe (PID: 4652)
    • Reads the machine GUID from the registry

      • 2024-12-05_1b6562de0e87c25d62554181ac42a5c5_gandcrab.exe (PID: 4652)
    • Reads the computer name

      • 2024-12-05_1b6562de0e87c25d62554181ac42a5c5_gandcrab.exe (PID: 4652)
    • Checks proxy server information

      • 2024-12-05_1b6562de0e87c25d62554181ac42a5c5_gandcrab.exe (PID: 4652)
    • UPX packer has been detected

      • 2024-12-05_1b6562de0e87c25d62554181ac42a5c5_gandcrab.exe (PID: 4652)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | DOS Executable Generic (100)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:02:20 17:28:57+00:00
ImageFileCharacteristics: Executable, 32-bit, No debug
PEType: PE32
LinkerVersion: 12
CodeSize: 28672
InitializedDataSize: 4096
UninitializedDataSize: 65536
EntryPoint: 0x4bf0
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
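The file-info line and the EXIF block above are read from static PE header fields: the UPX verdict rests on section names, while the 2018:02:20 timestamp, linker version 12 and entry point 0x4bf0 come straight from the COFF and optional headers. The following is an added example, not ANY.RUN's code and not derived from the sample itself, that parses exactly those fields and applies the UPX section-name heuristic. The in-memory PE it builds is constructed test data: the report says the sample has five sections but does not list their names, so the three names used here (UPX0, UPX1, .rsrc) are an assumption.

```python
import struct
from datetime import datetime, timezone

COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40


def build_minimal_pe(section_names, timestamp, entry_point=0x4BF0, linker_major=12):
    """Build a tiny PE32 image in memory (constructed test data, not the report's sample).

    Only the headers are populated: enough for a header parser, not for loading.
    """
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)            # e_lfanew -> offset of "PE\0\0"
    size_opt = 224                                          # PE32 optional header size
    coff = struct.pack("<HHIIIHH",
                       0x14C,                               # IMAGE_FILE_MACHINE_I386
                       len(section_names),
                       timestamp,                           # TimeDateStamp, seconds since epoch
                       0, 0,                                # symbol table pointer / count
                       size_opt,
                       0x0102)                              # EXECUTABLE_IMAGE | 32BIT_MACHINE
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    opt[2] = linker_major                                   # MajorLinkerVersion
    struct.pack_into("<I", opt, 16, entry_point)            # AddressOfEntryPoint
    sections = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"), 0, 0, 0, 0, 0, 0, 0, 0, 0)
        for name in section_names
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


def parse_pe_headers(data):
    """Return machine, PE type, COFF timestamp, linker major, entry-point RVA and section names."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, n_sections, ts, _, _, size_opt, characteristics = struct.unpack_from(
        "<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 4 + COFF_HEADER_SIZE
    magic = struct.unpack_from("<H", data, opt_off)[0]
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]
    sec_off = opt_off + size_opt                            # section table follows the optional header
    names = []
    for i in range(n_sections):
        raw = struct.unpack_from("<8s", data, sec_off + i * SECTION_HEADER_SIZE)[0]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return {
        "machine": machine,
        "pe32": magic == 0x10B,
        "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc),
        "linker_major": data[opt_off + 2],
        "entry_point": entry,
        "characteristics": characteristics,
        "sections": names,
    }


def looks_upx_packed(info):
    """UPX leaves its tell-tale UPX0/UPX1 section names unless the packer output was renamed."""
    names = set(info["sections"])
    return "UPX0" in names and "UPX1" in names


if __name__ == "__main__":
    info = parse_pe_headers(build_minimal_pe(["UPX0", "UPX1", ".rsrc"], 1519147737))
    print(info["timestamp"].strftime("%Y:%m:%d %H:%M:%S"), hex(info["entry_point"]),
          info["sections"], "UPX" if looks_upx_packed(info) else "not UPX")
```

On a real file call `parse_pe_headers(open(path, "rb").read())`. Two caveats apply to the fields this report leans on: the COFF timestamp is attacker-controllable and proves nothing about when the binary was built, and the section-name check only catches stock UPX; a sample whose UPX0/UPX1 names were edited will defeat both this heuristic and `upx -d`, so a failed unpack does not mean the file is unpacked.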
Total processes
376
Monitored processes
262
Malicious processes
86
Suspicious processes
0

Behavior graph

[Interactive process graph; available only in the full report. Recoverable structure: 2024-12-05_1b6562de0e87c25d62554181ac42a5c5_gandcrab.exe (tagged #GANDCRAB) spawns a long chain of nslookup.exe children, each with its own conhost.exe, alongside svchost.exe; many of the nslookup.exe nodes are tagged #GANDCRAB themselves, and nodes marked "no specs" carry no specific indicators.]

Process information

PID
CMD
Path
Indicators
Parent process
PID: 68
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: nslookup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 132
CMD: nslookup gandcrab.bit dns1.soprodns.ru
Path: C:\Windows\SysWOW64\nslookup.exe
Parent process: 2024-12-05_1b6562de0e87c25d62554181ac42a5c5_gandcrab.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
nslookup
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\nslookup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 188
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: nslookup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 188
CMD: nslookup nomoreransom.coin dns2.soprodns.ru
Path: C:\Windows\SysWOW64\nslookup.exe
Parent process: 2024-12-05_1b6562de0e87c25d62554181ac42a5c5_gandcrab.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
nslookup
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\nslookup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 236
CMD: nslookup nomoreransom.coin dns1.soprodns.ru
Path: C:\Windows\SysWOW64\nslookup.exe
Parent process: 2024-12-05_1b6562de0e87c25d62554181ac42a5c5_gandcrab.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
nslookup
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\nslookup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 420
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: nslookup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 436
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: nslookup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 436
CMD: nslookup gandcrab.bit dns2.soprodns.ru
Path: C:\Windows\SysWOW64\nslookup.exe
Parent process: 2024-12-05_1b6562de0e87c25d62554181ac42a5c5_gandcrab.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
nslookup
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\nslookup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 448
CMD: nslookup nomoreransom.coin dns2.soprodns.ru
Path: C:\Windows\SysWOW64\nslookup.exe
Parent process: 2024-12-05_1b6562de0e87c25d62554181ac42a5c5_gandcrab.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
nslookup
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\nslookup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 524
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: nslookup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
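The process table above is the behaviour behind the "Uses NSLOOKUP.EXE to check DNS info" signature and the Suricata hits: the sample launches nslookup.exe in a tight loop with a hard-coded name (gandcrab.bit, nomoreransom.bit, nomoreransom.coin) and an explicit resolver (dns1.soprodns.ru or dns2.soprodns.ru) that serves the Namecoin/EmerDNS blockchain TLDs, which is why the 86 malicious processes are almost all nslookup.exe. The detection below is an added example and not ANY.RUN's signature logic. It runs two rules over process-creation events (Sysmon event 1 field names; the event list is constructed, with the command lines copied from this report): flag any nslookup that queries a blockchain TLD or passes a resolver not on the approved list, and flag any parent that spawns ten or more nslookup children inside one minute. APPROVED_RESOLVERS, the burst threshold and the window are assumed values for a hypothetical environment.

```python
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# TLDs served by the Namecoin / EmerDNS blockchain name systems rather than ICANN DNS.
BLOCKCHAIN_TLDS = {"bit", "coin", "emc", "lib", "bazar"}
# Assumption: the only resolvers a host in this (hypothetical) environment may hand to nslookup.
APPROVED_RESOLVERS = {"192.168.100.2"}
UTC_FMT = "%Y-%m-%d %H:%M:%S.%f"        # Sysmon UtcTime layout


def parse_nslookup(cmdline):
    """Return (queried_name, explicit_server_or_None) if cmdline runs nslookup, else None."""
    try:
        argv = shlex.split(cmdline, posix=False)   # keep Windows backslashes intact
    except ValueError:
        return None
    if not argv:
        return None
    image = argv[0].strip('"').lower().rsplit("\\", 1)[-1]
    if image not in ("nslookup", "nslookup.exe"):
        return None
    positional = [a for a in argv[1:] if not a.startswith("-")]
    if not positional:
        return None                      # interactive mode: nothing to judge from the command line
    name = positional[0].strip('"').lower().rstrip(".")
    server = positional[1].strip('"').lower() if len(positional) > 1 else None
    return name, server


def classify(cmdline):
    """List the reasons a single nslookup invocation is suspicious (empty list = nothing found)."""
    parsed = parse_nslookup(cmdline)
    if parsed is None:
        return []
    name, server = parsed
    reasons = []
    tld = name.rsplit(".", 1)[-1] if "." in name else ""
    if tld in BLOCKCHAIN_TLDS:
        reasons.append(f"lookup of blockchain TLD .{tld}")
    if server and server not in APPROVED_RESOLVERS:
        reasons.append(f"explicit resolver {server} is not an approved DNS server")
    return reasons


def detect(events, burst_threshold=10, window=timedelta(minutes=1)):
    """Apply the per-command rule and a per-parent burst rule to process-creation events.

    Returns (pid_or_parent_pid, cmdline_or_None, reason) tuples; cmdline is None for burst alerts.
    """
    alerts = []
    spawn_times = defaultdict(list)
    for ev in events:
        reasons = classify(ev["CommandLine"])
        if reasons:
            alerts.append((ev["ProcessId"], ev["CommandLine"], "; ".join(reasons)))
        if parse_nslookup(ev["CommandLine"]) is not None:
            spawn_times[ev["ParentProcessId"]].append(datetime.strptime(ev["UtcTime"], UTC_FMT))
    # Burst rule: one parent spawning many nslookup children in a short window is the
    # polling loop itself, whatever the individual queries look like.
    for ppid, times in spawn_times.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):            # sliding window over sorted spawn times
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= burst_threshold:
                alerts.append((ppid, None, f"{hi - lo + 1} nslookup children within {window}"))
                break
    return alerts


def _ev(pid, ppid, ts, cmd):
    return {"UtcTime": ts, "ProcessId": pid, "ParentProcessId": ppid, "CommandLine": cmd}


# Constructed sample events; the nslookup command lines mirror this report's process table.
_t0 = datetime(2024, 12, 5, 17, 29, 20)
_names = ["gandcrab.bit", "nomoreransom.coin", "nomoreransom.bit"]
_servers = ["dns1.soprodns.ru", "dns2.soprodns.ru"]
SAMPLE_EVENTS = [
    _ev(3000 + i, 4652, (_t0 + timedelta(seconds=3 * i)).strftime(UTC_FMT)[:-3],
        f"nslookup {_names[i % 3]} {_servers[i % 2]}")
    for i in range(12)
] + [
    _ev(2001, 1000, "2024-12-05 17:30:05.000", "nslookup www.microsoft.com"),
    _ev(2002, 3000, "2024-12-05 17:29:21.000", r"\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1"),
]

if __name__ == "__main__":
    for pid, cmd, reason in detect(SAMPLE_EVENTS):
        print(f"PID {pid}: {cmd or '<parent>'} -> {reason}")
```

The per-command rule on its own will also fire when an administrator tests an external resolver by hand; what makes the pattern GandCrab-specific is the combination of a blockchain TLD, a resolver the host was never configured with, and the burst of children from one parent. Note also that the report's nslookup.exe runs from SysWOW64, because the 32-bit sample spawns the 32-bit copy; a 64-bit host whose users never touch SysWOW64\nslookup.exe gets a further cheap pivot from the Image path.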
Total events
57 189
Read events
57 188
Write events
1
Delete events
0

Modification events

PID: 4652
Process: 2024-12-05_1b6562de0e87c25d62554181ac42a5c5_gandcrab.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: pjtygjaxigf
Value:
"C:\Users\admin\AppData\Roaming\Microsoft\rcaukk.exe"
Executable files
1
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 4652
Process: 2024-12-05_1b6562de0e87c25d62554181ac42a5c5_gandcrab.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\rcaukk.exe
Type: executable
MD5: 13389DA35A11BCF645DF0D219A6021B2
SHA256: 8FBF082A5AE151219F1C813C0D84CFB7B5CE606BF2C57E6E84455CDC4E64D308
PID: 4652
Process: 2024-12-05_1b6562de0e87c25d62554181ac42a5c5_gandcrab.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1693682860-607145093-2874071422-1001\0f5007522459c86e95ffcc62f32308f1_bb926e54-e3ca-40fd-ae90-2764341e7792
Type: binary
MD5: CBFE6A2AFFD121D8372A81C2992E5A2D
SHA256: 9DEC81DB6AA95B5D54BBA37B9050CB44B641456093AACDE866258011B04C8CB1
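The RunOnce write in the Modification events section and the dropped rcaukk.exe above are one finding seen from two angles: the sample writes a copy of itself to %APPDATA%\Microsoft\rcaukk.exe and registers that path under HKCU\...\RunOnce, whose values execute once at the next logon and are then deleted. The Python below is an added example, not ANY.RUN's "Changes the autorun value in the registry" logic, that correlates autorun registry writes with files dropped in the same run. Its two input lists are constructed from the values in this report plus one benign Run entry (VendorAgent under Program Files) that is an assumed placeholder for contrast.

```python
import re

AUTORUN_KEY_SUFFIXES = (
    "\\software\\microsoft\\windows\\currentversion\\run",
    "\\software\\microsoft\\windows\\currentversion\\runonce",
)
# Locations a medium-integrity process can write without elevation.
USER_WRITABLE_MARKERS = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\",
                         "\\programdata\\", "\\users\\public\\")


def autorun_target(value):
    """Pull the executable path out of a Run/RunOnce value ('"C:\\a b\\x.exe" /arg' or 'C:\\x.exe /arg')."""
    v = value.strip()
    if v.startswith('"'):
        end = v.find('"', 1)
        return v[1:end] if end > 0 else v[1:]
    return v.split(" ", 1)[0]


def triage_autoruns(reg_events, dropped_files):
    """Return one finding per autorun write that has at least one reason to be suspicious.

    reg_events:    dicts with pid, process, key, name, value (registry write operations)
    dropped_files: dicts with pid, path, md5 (files created during the same run)
    """
    dropped_by_path = {d["path"].lower(): d for d in dropped_files}
    findings = []
    for ev in reg_events:
        key = ev["key"].lower()
        if not any(key.endswith(suffix) for suffix in AUTORUN_KEY_SUFFIXES):
            continue
        target = autorun_target(ev["value"])
        lowered = target.lower()
        reasons = []
        if any(marker in lowered for marker in USER_WRITABLE_MARKERS):
            reasons.append("target lives in a user-writable directory")
        drop = dropped_by_path.get(lowered)
        if drop is not None:
            by = "the same process" if drop["pid"] == ev["pid"] else f"PID {drop['pid']}"
            reasons.append(f"target was dropped during this run by {by} (MD5 {drop['md5']})")
        # Weak heuristic, kept last: a value name made of 8+ lowercase letters and nothing
        # else looks generated rather than chosen by a vendor.
        if re.fullmatch(r"[a-z]{8,}", ev["name"]):
            reasons.append("value name looks randomly generated")
        if reasons:
            findings.append({"pid": ev["pid"], "key": ev["key"], "name": ev["name"],
                             "run_once": key.endswith("runonce"), "target": target,
                             "reasons": reasons})
    return findings


# Constructed from this report's Modification events and Dropped files sections, plus an
# assumed benign Run entry so the rules have something to leave alone.
SAMPLE_REG_EVENTS = [
    {"pid": 4652, "process": "2024-12-05_1b6562de0e87c25d62554181ac42a5c5_gandcrab.exe",
     "key": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
     "name": "pjtygjaxigf", "value": r'"C:\Users\admin\AppData\Roaming\Microsoft\rcaukk.exe"'},
    {"pid": 1200, "process": "VendorSetup.exe",
     "key": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "VendorAgent", "value": r'"C:\Program Files\Vendor\Agent.exe" /tray'},
]
SAMPLE_DROPPED = [
    {"pid": 4652, "path": r"C:\Users\admin\AppData\Roaming\Microsoft\rcaukk.exe",
     "md5": "13389DA35A11BCF645DF0D219A6021B2"},
]

if __name__ == "__main__":
    for f in triage_autoruns(SAMPLE_REG_EVENTS, SAMPLE_DROPPED):
        kind = "RunOnce" if f["run_once"] else "Run"
        print(f"PID {f['pid']} {kind} '{f['name']}' -> {f['target']}")
        for r in f["reasons"]:
            print("   ", r)
```

Two things worth carrying into a response. Per-user installers (OneDrive, for one) legitimately register autoruns under %LOCALAPPDATA%, so the user-writable rule is a triage signal and the dropped-by-the-same-process correlation is the decisive one. And the persisted copy has a different MD5 (13389DA…) from the original sample (1B6562DE…), so a hash block on the file that was detonated would not catch what runs at the next logon; block or hunt on the RunOnce value and the %APPDATA%\Microsoft\*.exe path instead.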
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
17
DNS requests
691
Threats
873

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1144
RUXIMICS.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1144
RUXIMICS.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
192.168.100.255:137
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4712
MoUsoCoreWorker.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1144
RUXIMICS.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
1144
RUXIMICS.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4712
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3976
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
google.com
  • 142.250.186.110
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
ipv4bot.whatismyipaddress.com
shared
dns1.soprodns.ru
shared
www.microsoft.com
  • 23.35.229.160
whitelisted
2.100.168.192.in-addr.arpa
whitelisted
nomoreransom.coin
unknown
nomoreransom.bit
unknown
dns2.soprodns.ru
shared

Threats

PID
Process
Class
Message
2192
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (whatismyipaddress .com)
2232
nslookup.exe
Potentially Bad Traffic
ET HUNTING Observed DNS Query for EmerDNS TLD (.coin)
2232
nslookup.exe
Potentially Bad Traffic
ET HUNTING Observed DNS Query for EmerDNS TLD (.coin)
2232
nslookup.exe
Potentially Bad Traffic
ET HUNTING Observed DNS Query for EmerDNS TLD (.coin)
2232
nslookup.exe
Potentially Bad Traffic
ET HUNTING Observed DNS Query for EmerDNS TLD (.coin)
3552
nslookup.exe
Potentially Bad Traffic
ET INFO DNS Query Domain .bit
3552
nslookup.exe
Potentially Bad Traffic
ET INFO DNS Query Domain .bit
3552
nslookup.exe
Potentially Bad Traffic
ET INFO DNS Query Domain .bit
3552
nslookup.exe
Potentially Bad Traffic
ET INFO DNS Query Domain .bit
5748
nslookup.exe
Potentially Bad Traffic
ET INFO DNS Query Domain .bit
176 ETPRO signatures available at the full report
No debug info