File name: 46790f319948927f6dfa439991d92faa77ff5203802e306e87bb34d91f8a32af

Full analysis: https://app.any.run/tasks/cafcf23f-5e29-491f-8860-ba0cb42550b6
Verdict: Malicious activity
Threats:

GCleaner is a malware loader that delivers a variety of malicious payloads, which differ according to the location of the targeted victim. It is commonly distributed through fraudulent websites that advertise free PC optimization tools.

Analysis date: January 26, 2025, 04:12:46
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: gcleaner, loader, themida, inno, installer, auto, generic, delphi
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5: 1405D31B1797411614BF70CEC2BC825A
SHA1: 1722404D465C643C151963B9BE55BCBCFB7BC314
SHA256: 46790F319948927F6DFA439991D92FAA77FF5203802E306E87BB34D91F8A32AF
SSDEEP: 98304:4stQnb/v9WNodVAs4/mJT0UkCWAvO75bSnT7e5eIUCbBbxx/8PiymwK+55q+:+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • GCLEANER has been detected (SURICATA)

      • 46790f319948927f6dfa439991d92faa77ff5203802e306e87bb34d91f8a32af.exe (PID: 640)
    • GENERIC has been found (auto)

      • 46790f319948927f6dfa439991d92faa77ff5203802e306e87bb34d91f8a32af.exe (PID: 640)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 46790f319948927f6dfa439991d92faa77ff5203802e306e87bb34d91f8a32af.exe (PID: 640)
      • jrXzDfOpGrqS.exe (PID: 556)
      • jrXzDfOpGrqS.tmp (PID: 5576)
      • 3gpmediastation713.exe (PID: 5036)
    • Connects to the server without a host name

      • 46790f319948927f6dfa439991d92faa77ff5203802e306e87bb34d91f8a32af.exe (PID: 640)
    • Potential Corporate Privacy Violation

      • 46790f319948927f6dfa439991d92faa77ff5203802e306e87bb34d91f8a32af.exe (PID: 640)
    • Reads the Windows owner or organization settings

      • jrXzDfOpGrqS.tmp (PID: 5576)
    • Reads the BIOS version

      • 46790f319948927f6dfa439991d92faa77ff5203802e306e87bb34d91f8a32af.exe (PID: 640)
    • Process drops legitimate windows executable

      • jrXzDfOpGrqS.tmp (PID: 5576)
    • The process drops C-runtime libraries

      • jrXzDfOpGrqS.tmp (PID: 5576)
    • Reads security settings of Internet Explorer

      • 3gpmediastation713.exe (PID: 5036)
      • 46790f319948927f6dfa439991d92faa77ff5203802e306e87bb34d91f8a32af.exe (PID: 640)
    • Starts POWERSHELL.EXE for commands execution

      • 3gpmediastation713.exe (PID: 5036)
    • Executes application which crashes

      • 46790f319948927f6dfa439991d92faa77ff5203802e306e87bb34d91f8a32af.exe (PID: 640)
    • Checks Windows Trust Settings

      • 3gpmediastation713.exe (PID: 5036)
  • INFO

    • Checks supported languages

      • 46790f319948927f6dfa439991d92faa77ff5203802e306e87bb34d91f8a32af.exe (PID: 640)
      • jrXzDfOpGrqS.tmp (PID: 5576)
      • jrXzDfOpGrqS.exe (PID: 556)
      • 3gpmediastation713.exe (PID: 5036)
      • AGk6WK1mLnq.exe (PID: 3540)
    • Create files in a temporary directory

      • jrXzDfOpGrqS.exe (PID: 556)
      • jrXzDfOpGrqS.tmp (PID: 5576)
      • 46790f319948927f6dfa439991d92faa77ff5203802e306e87bb34d91f8a32af.exe (PID: 640)
    • Reads the computer name

      • jrXzDfOpGrqS.tmp (PID: 5576)
      • 46790f319948927f6dfa439991d92faa77ff5203802e306e87bb34d91f8a32af.exe (PID: 640)
      • AGk6WK1mLnq.exe (PID: 3540)
      • 3gpmediastation713.exe (PID: 5036)
    • The sample compiled with czech language support

      • 46790f319948927f6dfa439991d92faa77ff5203802e306e87bb34d91f8a32af.exe (PID: 640)
    • Creates files or folders in the user directory

      • jrXzDfOpGrqS.tmp (PID: 5576)
      • WerFault.exe (PID: 3772)
      • 46790f319948927f6dfa439991d92faa77ff5203802e306e87bb34d91f8a32af.exe (PID: 640)
    • Creates a software uninstall entry

      • jrXzDfOpGrqS.tmp (PID: 5576)
    • Process checks computer location settings

      • 3gpmediastation713.exe (PID: 5036)
    • The sample compiled with english language support

      • jrXzDfOpGrqS.tmp (PID: 5576)
    • Changes the registry key values via Powershell

      • 3gpmediastation713.exe (PID: 5036)
    • Creates files in the program directory

      • 3gpmediastation713.exe (PID: 5036)
    • Detects InnoSetup installer (YARA)

      • jrXzDfOpGrqS.exe (PID: 556)
      • jrXzDfOpGrqS.tmp (PID: 5576)
    • Compiled with Borland Delphi (YARA)

      • jrXzDfOpGrqS.tmp (PID: 5576)
    • Checks proxy server information

      • WerFault.exe (PID: 3772)
      • 3gpmediastation713.exe (PID: 5036)
      • 46790f319948927f6dfa439991d92faa77ff5203802e306e87bb34d91f8a32af.exe (PID: 640)
    • Reads the software policy settings

      • WerFault.exe (PID: 3772)
      • 3gpmediastation713.exe (PID: 5036)
    • Reads the machine GUID from the registry

      • 3gpmediastation713.exe (PID: 5036)
      • 46790f319948927f6dfa439991d92faa77ff5203802e306e87bb34d91f8a32af.exe (PID: 640)
    • Themida protector has been detected

      • 46790f319948927f6dfa439991d92faa77ff5203802e306e87bb34d91f8a32af.exe (PID: 640)
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:01:24 15:28:40+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 186880
InitializedDataSize: 81408
UninitializedDataSize: -
EntryPoint: 0x863000
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 61.0.0.0
ProductVersionNumber: 42.0.0.0
FileFlagsMask: 0x003f
FileFlags: Debug, Pre-release, Patched, Private build, Special build
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Czech
CharacterSet: Unknown (08E2)
FileVersions: 38.34.8.33
ProductVersions: 80.4.57.49
InternalName: Gunlet
CompanyName: Meratro
Total processes: 125
Monitored processes: 8
Malicious processes: 3
Suspicious processes: 1

Behavior graph

Processes shown in the graph, in graph order: #GCLEANER 46790f319948927f6dfa439991d92faa77ff5203802e306e87bb34d91f8a32af.exe, jrxzdfopgrqs.exe, jrxzdfopgrqs.tmp, 3gpmediastation713.exe, powershell.exe (no specs), conhost.exe (no specs), agk6wk1mlnq.exe (no specs), werfault.exe

Process information

PID: 556
CMD: "C:\Users\admin\AppData\Roaming\n5NMjv\jrXzDfOpGrqS.exe"
Path: C:\Users\admin\AppData\Roaming\n5NMjv\jrXzDfOpGrqS.exe
Parent process: 46790f319948927f6dfa439991d92faa77ff5203802e306e87bb34d91f8a32af.exe
User: admin
Company:
Integrity Level: MEDIUM
Description: 3GP Media Station Setup
Version:
Modules (images):
  c:\users\admin\appdata\roaming\n5nmjv\jrxzdfopgrqs.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\user32.dll

PID: 640
CMD: "C:\Users\admin\Desktop\46790f319948927f6dfa439991d92faa77ff5203802e306e87bb34d91f8a32af.exe"
Path: C:\Users\admin\Desktop\46790f319948927f6dfa439991d92faa77ff5203802e306e87bb34d91f8a32af.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226505
Modules (images):
  c:\users\admin\desktop\46790f319948927f6dfa439991d92faa77ff5203802e306e87bb34d91f8a32af.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\user32.dll

PID: 644
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "3gpMedia3" -Value "C:\ProgramData\3GPNewStation\3GPNewStation.exe"
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: 3gpmediastation713.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\msvcrt.dll

PID: 3364
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\conhost.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcp_win.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\shcore.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\combase.dll
  c:\windows\system32\rpcrt4.dll

PID: 3540
CMD: "C:\Users\admin\AppData\Roaming\EZPAdaaAI5\AGk6WK1mLnq.exe"
Path: C:\Users\admin\AppData\Roaming\EZPAdaaAI5\AGk6WK1mLnq.exe
Parent process: 46790f319948927f6dfa439991d92faa77ff5203802e306e87bb34d91f8a32af.exe
User: admin
Integrity Level: MEDIUM
Description: Gcleanerapp
Exit code: 0
Version: 1.0.0.0
Modules (images):
  c:\users\admin\appdata\roaming\ezpadaaai5\agk6wk1mlnq.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\mscoree.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\apphelp.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll

PID: 3772
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 640 -s 520
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: 46790f319948927f6dfa439991d92faa77ff5203802e306e87bb34d91f8a32af.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
  c:\windows\syswow64\werfault.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\msvcrt.dll
  c:\windows\syswow64\combase.dll

PID: 5036
CMD: "C:\Users\admin\AppData\Local\3GP Media Station 2013 7.13\3gpmediastation713.exe" -i
Path: C:\Users\admin\AppData\Local\3GP Media Station 2013 7.13\3gpmediastation713.exe
Parent process: jrXzDfOpGrqS.tmp
User: admin
Integrity Level: MEDIUM
Modules (images):
  c:\users\admin\appdata\local\3gp media station 2013 7.13\3gpmediastation713.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\user32.dll

PID: 5576
CMD: "C:\Users\admin\AppData\Local\Temp\is-26L9L.tmp\jrXzDfOpGrqS.tmp" /SL5="$502C6,3411372,56832,C:\Users\admin\AppData\Roaming\n5NMjv\jrXzDfOpGrqS.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-26L9L.tmp\jrXzDfOpGrqS.tmp
Parent process: jrXzDfOpGrqS.exe
User: admin
Integrity Level: MEDIUM
Description: Setup/Uninstall
Version: 51.52.0.0
Modules (images):
  c:\users\admin\appdata\local\temp\is-26l9l.tmp\jrxzdfopgrqs.tmp
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\user32.dll
Total events: 14 220
Read events: 14 200
Write events: 20
Delete events: 0

Modification events

(PID) Process: (640) 46790f319948927f6dfa439991d92faa77ff5203802e306e87bb34d91f8a32af.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (640) 46790f319948927f6dfa439991d92faa77ff5203802e306e87bb34d91f8a32af.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (640) 46790f319948927f6dfa439991d92faa77ff5203802e306e87bb34d91f8a32af.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (5576) jrXzDfOpGrqS.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\3GP Media Station_is1
Operation: write
Name: Inno Setup: Setup Version
Value: 5.5.6 (a)

(PID) Process: (5576) jrXzDfOpGrqS.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\3GP Media Station_is1
Operation: write
Name: Inno Setup: App Path
Value: C:\Users\admin\AppData\Local\3GP Media Station 2013 7.13

(PID) Process: (5576) jrXzDfOpGrqS.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\3GP Media Station_is1
Operation: write
Name: InstallLocation
Value: C:\Users\admin\AppData\Local\3GP Media Station 2013 7.13\

(PID) Process: (5576) jrXzDfOpGrqS.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\3GP Media Station_is1
Operation: write
Name: Inno Setup: Icon Group
Value: (Default)

(PID) Process: (5576) jrXzDfOpGrqS.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\3GP Media Station_is1
Operation: write
Name: Inno Setup: User
Value: admin

(PID) Process: (5576) jrXzDfOpGrqS.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\3GP Media Station_is1
Operation: write
Name: Inno Setup: Language
Value: English

(PID) Process: (5576) jrXzDfOpGrqS.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\3GP Media Station_is1
Operation: write
Name: DisplayName
Value: 3GP Media Station 2013 7.13
Executable files: 34
Suspicious files: 11
Text files: 6
Unknown types: 0

Dropped files

PID: 640 | Process: 46790f319948927f6dfa439991d92faa77ff5203802e306e87bb34d91f8a32af.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\ONE[1].file
Type: executable
MD5: 8823E0882604303D07E82981A1CF5303
SHA256: B091E45DCC7CA0DFDC12467DA87CBFC5237AEAE04FCBE25CB37212CA186C500B

PID: 640 | Process: 46790f319948927f6dfa439991d92faa77ff5203802e306e87bb34d91f8a32af.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\add[1].htm
Type: binary
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA256:

PID: 5576 | Process: jrXzDfOpGrqS.tmp
Filename: C:\Users\admin\AppData\Local\3GP Media Station 2013 7.13\is-A61JI.tmp
Type: executable
MD5: EAE56B896A718C3BC87A4253832A5650
SHA256: EE1D7D8F396D627FEE7DCF2655FB5ACFE5A1EE2A5DEEDA764EF311E75B94CEA1

PID: 5576 | Process: jrXzDfOpGrqS.tmp
Filename: C:\Users\admin\AppData\Local\3GP Media Station 2013 7.13\icuuc51.dll
Type: executable
MD5: DAE4100039A943128C34BA3E05F6CD02
SHA256: 2357806CA24C9D3152D54D34270810DA9D9CA943462EBF7291AE06A10E5CB8BA

PID: 5576 | Process: jrXzDfOpGrqS.tmp
Filename: C:\Users\admin\AppData\Local\3GP Media Station 2013 7.13\uninstall\is-IMRR6.tmp
Type: executable
MD5: 097806F9EBE13F5DC09D722A95430E16
SHA256: 8779D4F3EA4259D2AEF37E6894335C22E4A1EEC8C81B19D3822A1815BAE052D3

PID: 5576 | Process: jrXzDfOpGrqS.tmp
Filename: C:\Users\admin\AppData\Local\3GP Media Station 2013 7.13\icuin51.dll
Type: executable
MD5: A7F201C0B9AC05E950ECC55D4403EC16
SHA256: 173092C4E256958B100683A6AB2CE0D1C9895EC63F222198F9DE485E61C728CA

PID: 5576 | Process: jrXzDfOpGrqS.tmp
Filename: C:\Users\admin\AppData\Local\3GP Media Station 2013 7.13\is-7JMRE.tmp
Type: executable
MD5: A73EE126B2E6D43182D4C3482899D338
SHA256: 06BBE605D7B0EF044871633B496948A8D65C78661E457D0844DC434A0609F763

PID: 5576 | Process: jrXzDfOpGrqS.tmp
Filename: C:\Users\admin\AppData\Local\3GP Media Station 2013 7.13\libGLESv2.dll
Type: executable
MD5: A73EE126B2E6D43182D4C3482899D338
SHA256: 06BBE605D7B0EF044871633B496948A8D65C78661E457D0844DC434A0609F763

PID: 5576 | Process: jrXzDfOpGrqS.tmp
Filename: C:\Users\admin\AppData\Local\3GP Media Station 2013 7.13\is-IVOI3.tmp
Type: executable
MD5: E3C817F7FE44CC870ECDBCBC3EA36132
SHA256: D769FAFA2B3232DE9FA7153212BA287F68E745257F1C00FAFB511E7A02DE7ADF

PID: 5576 | Process: jrXzDfOpGrqS.tmp
Filename: C:\Users\admin\AppData\Local\3GP Media Station 2013 7.13\is-DA337.tmp
Type: executable
MD5: DAE4100039A943128C34BA3E05F6CD02
SHA256: 2357806CA24C9D3152D54D34270810DA9D9CA943462EBF7291AE06A10E5CB8BA
HTTP(S) requests: 11
TCP/UDP connections: 23
DNS requests: 7
Threats: 12

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | Type | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
640 | 46790f319948927f6dfa439991d92faa77ff5203802e306e87bb34d91f8a32af.exe | GET | 200 | 185.156.73.23:80 | http://185.156.73.23/add?substr=mixtwo&s=three&sub=emp | unknown | malicious
640 | 46790f319948927f6dfa439991d92faa77ff5203802e306e87bb34d91f8a32af.exe | GET | 200 | 185.156.73.23:80 | http://185.156.73.23/dll/download | unknown | malicious
640 | 46790f319948927f6dfa439991d92faa77ff5203802e306e87bb34d91f8a32af.exe | GET | 200 | 185.156.73.23:80 | http://185.156.73.23/dll/key | unknown | malicious
640 | 46790f319948927f6dfa439991d92faa77ff5203802e306e87bb34d91f8a32af.exe | GET | 200 | 185.156.73.23:80 | http://185.156.73.23/files/download | unknown | malicious
640 | 46790f319948927f6dfa439991d92faa77ff5203802e306e87bb34d91f8a32af.exe | GET | 200 | 185.156.73.23:80 | http://185.156.73.23/files/download | unknown | malicious
640 | 46790f319948927f6dfa439991d92faa77ff5203802e306e87bb34d91f8a32af.exe | GET | 200 | 185.156.73.23:80 | http://185.156.73.23/files/download | unknown | malicious
640 | 46790f319948927f6dfa439991d92faa77ff5203802e306e87bb34d91f8a32af.exe | GET | 200 | 185.156.73.23:80 | http://185.156.73.23/soft/download | unknown | malicious
640 | 46790f319948927f6dfa439991d92faa77ff5203802e306e87bb34d91f8a32af.exe | GET | 200 | 185.156.73.23:80 | http://185.156.73.23/soft/download | unknown | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
| | 51.104.136.2:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
| | 52.191.219.104:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4712 | MoUsoCoreWorker.exe | 2.16.164.49:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
4712 | MoUsoCoreWorker.exe | 52.191.219.104:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
3976 | svchost.exe | 52.191.219.104:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
640 | 46790f319948927f6dfa439991d92faa77ff5203802e306e87bb34d91f8a32af.exe | 185.156.73.23:80 | | OOO SibirInvest | RU | unknown

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 52.191.219.104 | whitelisted
google.com | 142.250.185.206 | whitelisted
crl.microsoft.com | 2.16.164.49, 2.16.164.72 | whitelisted
www.microsoft.com | 2.23.246.101 | whitelisted
watson.events.data.microsoft.com | 20.42.65.92 | whitelisted
www.bing.com | 104.126.37.139, 104.126.37.130, 104.126.37.128, 104.126.37.131 | whitelisted
self.events.data.microsoft.com | 51.105.71.137 | whitelisted

Threats

PID | Process | Class | Message
640 | 46790f319948927f6dfa439991d92faa77ff5203802e306e87bb34d91f8a32af.exe | A Network Trojan was detected | LOADER [ANY.RUN] GCleaner HTTP Header
640 | 46790f319948927f6dfa439991d92faa77ff5203802e306e87bb34d91f8a32af.exe | A Network Trojan was detected | LOADER [ANY.RUN] GCleaner HTTP Header
640 | 46790f319948927f6dfa439991d92faa77ff5203802e306e87bb34d91f8a32af.exe | A Network Trojan was detected | LOADER [ANY.RUN] GCleaner HTTP Header
640 | 46790f319948927f6dfa439991d92faa77ff5203802e306e87bb34d91f8a32af.exe | A Network Trojan was detected | LOADER [ANY.RUN] GCleaner HTTP Header
640 | 46790f319948927f6dfa439991d92faa77ff5203802e306e87bb34d91f8a32af.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
640 | 46790f319948927f6dfa439991d92faa77ff5203802e306e87bb34d91f8a32af.exe | Misc activity | ET INFO EXE - Served Attached HTTP
640 | 46790f319948927f6dfa439991d92faa77ff5203802e306e87bb34d91f8a32af.exe | Potentially Bad Traffic | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
640 | 46790f319948927f6dfa439991d92faa77ff5203802e306e87bb34d91f8a32af.exe | A Network Trojan was detected | LOADER [ANY.RUN] GCleaner HTTP Header
640 | 46790f319948927f6dfa439991d92faa77ff5203802e306e87bb34d91f8a32af.exe | A Network Trojan was detected | LOADER [ANY.RUN] GCleaner HTTP Header
640 | 46790f319948927f6dfa439991d92faa77ff5203802e306e87bb34d91f8a32af.exe | A Network Trojan was detected | LOADER [ANY.RUN] GCleaner HTTP Header
Process: 46790f319948927f6dfa439991d92faa77ff5203802e306e87bb34d91f8a32af.exe
Message: %s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------