File name: random.exe

Full analysis: https://app.any.run/tasks/abefbc6b-61d8-4368-8850-5e401230be1f
Verdict: Malicious activity
Threats:

GCleaner is a type of malware loader that can deliver numerous malicious programs, which differ based on the location of the targeted victim. This malware is commonly spread through fraudulent websites that advertise free PC optimization tools.

Analysis date: May 17, 2025, 05:32:05
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: gcleaner, loader, inno, installer, delphi, telegram, stealer, lumma, auto, generic
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: ECE1D1507B62C20327E999C6936A95A7
SHA1: B512BB8131168CC268F487C655116A37D8B888D3
SHA256: 8EB08322033F193A5E7EA16D83C0CD324EFAAAB628FB245BDB27F6977C2A6D86
SSDEEP: 98304:YDJWQ+WliEl+bJKTmRioXMN9rbciB7LropD1XGtzAugKSih+mJJdzOY5IP1xLwwg:e7CHcd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • random.exe (PID: 1672)
    • GCLEANER has been detected (SURICATA)

      • cvtres.exe (PID: 5392)
    • GENERIC has been found (auto)

      • cvtres.exe (PID: 5392)
    • LUMMA mutex has been found

      • 6Z66atfoygJ7n.exe (PID: 4920)
    • Steals credentials from Web Browsers

      • 6Z66atfoygJ7n.exe (PID: 4920)
    • Actions look like stealing of personal data

      • 6Z66atfoygJ7n.exe (PID: 4920)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • cvtres.exe (PID: 5392)
      • creativedatarecovery181.exe (PID: 5072)
    • Executable content was dropped or overwritten

      • kYI6jHc7U7Tz.exe (PID: 2320)
      • cvtres.exe (PID: 5392)
      • kYI6jHc7U7Tz.tmp (PID: 516)
      • creativedatarecovery181.exe (PID: 5072)
    • Potential Corporate Privacy Violation

      • cvtres.exe (PID: 5392)
    • Connects to the server without a host name

      • cvtres.exe (PID: 5392)
    • Reads the Windows owner or organization settings

      • kYI6jHc7U7Tz.tmp (PID: 516)
    • The process drops C-runtime libraries

      • kYI6jHc7U7Tz.tmp (PID: 516)
    • Process drops legitimate windows executable

      • kYI6jHc7U7Tz.tmp (PID: 516)
    • Starts POWERSHELL.EXE for commands execution

      • creativedatarecovery181.exe (PID: 5072)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • 6Z66atfoygJ7n.exe (PID: 4920)
    • Searches for installed software

      • 6Z66atfoygJ7n.exe (PID: 4920)
  • INFO

    • Reads the machine GUID from the registry

      • random.exe (PID: 1672)
      • cvtres.exe (PID: 5392)
      • 6Z66atfoygJ7n.exe (PID: 4920)
    • The sample was compiled with English language support

      • random.exe (PID: 1672)
      • kYI6jHc7U7Tz.tmp (PID: 516)
      • cvtres.exe (PID: 5392)
    • Checks supported languages

      • random.exe (PID: 1672)
      • cvtres.exe (PID: 5392)
      • kYI6jHc7U7Tz.exe (PID: 2320)
      • creativedatarecovery181.exe (PID: 5072)
      • kYI6jHc7U7Tz.tmp (PID: 516)
      • 6Z66atfoygJ7n.exe (PID: 4920)
      • gZl8FQ8kzqZNa.exe (PID: 632)
      • CreativeDataRecovery.exe (PID: 1812)
    • Manual execution by a user

      • cvtres.exe (PID: 5392)
      • CreativeDataRecovery.exe (PID: 1812)
    • Reads the computer name

      • cvtres.exe (PID: 5392)
      • random.exe (PID: 1672)
      • kYI6jHc7U7Tz.tmp (PID: 516)
      • creativedatarecovery181.exe (PID: 5072)
      • CreativeDataRecovery.exe (PID: 1812)
      • gZl8FQ8kzqZNa.exe (PID: 632)
      • 6Z66atfoygJ7n.exe (PID: 4920)
    • Checks proxy server information

      • cvtres.exe (PID: 5392)
      • slui.exe (PID: 2108)
    • Reads the software policy settings

      • cvtres.exe (PID: 5392)
      • 6Z66atfoygJ7n.exe (PID: 4920)
      • slui.exe (PID: 2108)
    • Creates files or folders in the user directory

      • cvtres.exe (PID: 5392)
      • kYI6jHc7U7Tz.tmp (PID: 516)
    • Create files in a temporary directory

      • kYI6jHc7U7Tz.exe (PID: 2320)
      • kYI6jHc7U7Tz.tmp (PID: 516)
      • cvtres.exe (PID: 5392)
    • Creates files in the program directory

      • creativedatarecovery181.exe (PID: 5072)
    • Creates a software uninstall entry

      • kYI6jHc7U7Tz.tmp (PID: 516)
    • Process checks computer location settings

      • creativedatarecovery181.exe (PID: 5072)
    • Changes the registry key values via Powershell

      • creativedatarecovery181.exe (PID: 5072)
    • Detects InnoSetup installer (YARA)

      • kYI6jHc7U7Tz.exe (PID: 2320)
      • kYI6jHc7U7Tz.tmp (PID: 516)
    • Compiled with Borland Delphi (YARA)

      • kYI6jHc7U7Tz.tmp (PID: 516)
    • Attempting to use instant messaging service

      • 6Z66atfoygJ7n.exe (PID: 4920)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:09:09 08:08:20+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 14.1
CodeSize: 2385920
InitializedDataSize: 991744
UninitializedDataSize: -
EntryPoint: 0x1d5b87
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 10.0.0.0
ProductVersionNumber: 10.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: WiFi Password Key Generator Software
FileVersion: 10.0.0.0
LegalCopyright: Copyright (C) 2007-2019, All rights reserved
ProductName: WiFi Password Key Generator
ProductVersion: 10.0.0.0
No data.
All screenshots are available in the full report
Total processes: 133
Monitored processes: 11
Malicious processes: 4
Suspicious processes: 2

Behavior graph

Processes shown in the graph (tags from the graph in parentheses): start; random.exe (no specs); cvtres.exe (#GCLEANER); kyi6jhc7u7tz.exe; kyi6jhc7u7tz.tmp; creativedatarecovery181.exe; powershell.exe (no specs); conhost.exe (no specs); creativedatarecovery.exe (no specs); 6z66atfoygj7n.exe (#LUMMA); gzl8fq8kzqzna.exe (no specs); slui.exe

Process information

PID | CMD | Path | Indicators | Parent process
PID: 516
CMD: "C:\Users\admin\AppData\Local\Temp\is-6POU7.tmp\kYI6jHc7U7Tz.tmp" /SL5="$800BE,3717761,54272,C:\Users\admin\AppData\Roaming\bRinBT\kYI6jHc7U7Tz.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-6POU7.tmp\kYI6jHc7U7Tz.tmp
Parent process: kYI6jHc7U7Tz.exe
User: admin
Integrity Level: MEDIUM
Description: Setup/Uninstall
Version: 51.52.0.0
Modules (images):
c:\users\admin\appdata\local\temp\is-6pou7.tmp\kyi6jhc7u7tz.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 632
CMD: "C:\Users\admin\AppData\Roaming\QPET5mcMTPs\gZl8FQ8kzqZNa.exe"
Path: C:\Users\admin\AppData\Roaming\QPET5mcMTPs\gZl8FQ8kzqZNa.exe
Parent process: cvtres.exe
User: admin
Integrity Level: MEDIUM
Description: Gcleanerapp
Exit code: 0
Version: 1.0.0.0
Modules (images):
c:\users\admin\appdata\roaming\qpet5mcmtps\gzl8fq8kzqzna.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1672
CMD: "C:\Users\admin\Desktop\random.exe"
Path: C:\Users\admin\Desktop\random.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: WiFi Password Key Generator Software
Exit code: 4294967295
Version: 10.0.0.0
Modules (images):
c:\users\admin\desktop\random.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 1812
CMD: C:\ProgramData\CreativeDataRecovery\CreativeDataRecovery.exe
Path: C:\ProgramData\CreativeDataRecovery\CreativeDataRecovery.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Version: 13.5.1.81
Modules (images):
c:\programdata\creativedatarecovery\creativedatarecovery.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 2108
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 2320
CMD: "C:\Users\admin\AppData\Roaming\bRinBT\kYI6jHc7U7Tz.exe"
Path: C:\Users\admin\AppData\Roaming\bRinBT\kYI6jHc7U7Tz.exe
Parent process: cvtres.exe
User: admin
Company: -
Integrity Level: MEDIUM
Description: Creative Data Recovery Setup
Version: -
Modules (images):
c:\users\admin\appdata\roaming\brinbt\kyi6jhc7u7tz.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 3676
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "CDataRecv" -Value "C:\ProgramData\CreativeDataRecovery\CreativeDataRecovery.exe"
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: creativedatarecovery181.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 4920
CMD: "C:\Users\admin\AppData\Roaming\7rmhE0NGt\6Z66atfoygJ7n.exe"
Path: C:\Users\admin\AppData\Roaming\7rmhE0NGt\6Z66atfoygJ7n.exe
Parent process: cvtres.exe
User: admin
Company: Strategic Resource Ltd.
Integrity Level: MEDIUM
Description: Provides Snapshot Compliance capabilities
Exit code: 0
Version: 4.8.82.1297
Modules (images):
c:\users\admin\appdata\roaming\7rmhe0ngt\6z66atfoygj7n.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 5072
CMD: "C:\Users\admin\AppData\Local\Creative Data Recovery 13.5.1.81\creativedatarecovery181.exe" -i
Path: C:\Users\admin\AppData\Local\Creative Data Recovery 13.5.1.81\creativedatarecovery181.exe
Parent process: kYI6jHc7U7Tz.tmp
User: admin
Integrity Level: MEDIUM
Version: 13.5.1.81
Modules (images):
c:\users\admin\appdata\local\creative data recovery 13.5.1.81\creativedatarecovery181.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 5392
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft® Resource File To COFF Object Conversion Utility
Exit code: 0
Version: 14.32.31326.0
Modules (images):
c:\windows\microsoft.net\framework\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events: 15 224
Read events: 15 207
Write events: 17
Delete events: 0

Modification events

(PID) Process: (5392) cvtres.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (5392) cvtres.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (5392) cvtres.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (516) kYI6jHc7U7Tz.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Creative Data Recovery_is1
Operation: write
Name: Inno Setup: Setup Version
Value: 5.5.1 (a)

(PID) Process: (516) kYI6jHc7U7Tz.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Creative Data Recovery_is1
Operation: write
Name: Inno Setup: App Path
Value: C:\Users\admin\AppData\Local\Creative Data Recovery 13.5.1.81

(PID) Process: (516) kYI6jHc7U7Tz.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Creative Data Recovery_is1
Operation: write
Name: InstallLocation
Value: C:\Users\admin\AppData\Local\Creative Data Recovery 13.5.1.81\

(PID) Process: (516) kYI6jHc7U7Tz.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Creative Data Recovery_is1
Operation: write
Name: Inno Setup: Icon Group
Value: (Default)

(PID) Process: (516) kYI6jHc7U7Tz.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Creative Data Recovery_is1
Operation: write
Name: Inno Setup: User
Value: admin

(PID) Process: (516) kYI6jHc7U7Tz.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Creative Data Recovery_is1
Operation: write
Name: Inno Setup: Language
Value: English

(PID) Process: (516) kYI6jHc7U7Tz.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Creative Data Recovery_is1
Operation: write
Name: DisplayName
Value: Creative Data Recovery 13.5.1.81
Executable files: 36
Suspicious files: 9
Text files: 5
Unknown types: 0

Dropped files

PID | Process | Filename | Type
5392 | cvtres.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\info[1].htm | text
MD5: FE9B08252F126DDFCB87FB82F9CC7677
SHA256: E63E7EBE4C2DB7E61FFC71AF0675E870BCDE0A9D8916E5B3BE0CB252478030BF
5392 | cvtres.exe | C:\Users\admin\AppData\Roaming\bRinBT\kYI6jHc7U7Tz.exe | executable
MD5: F40E5C3155B55A47BB545F1BB84FCA11
SHA256: 2ABE69757E03DB71DE906532A3DE32DFBFA7867BAB5A04E37E128B2FACDB063D
5392 | cvtres.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\ONE[1].file | executable
MD5: F40E5C3155B55A47BB545F1BB84FCA11
SHA256: 2ABE69757E03DB71DE906532A3DE32DFBFA7867BAB5A04E37E128B2FACDB063D
5392 | cvtres.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\fuckingdllENCR[1].dll | binary
MD5: 4BC1EF6688690AF3DD8D3D70906A9F98
SHA256: 7703A6B77C0B0935F5900A2D846CFA3AB59B46D03A1A0844F6BCB5CF9496B2FE
516 | kYI6jHc7U7Tz.tmp | C:\Users\admin\AppData\Local\Creative Data Recovery 13.5.1.81\uninstall\is-7VKLE.tmp | executable
MD5: EC5AA018252F653866E997307B4C9E09
SHA256: 67B84A2CA542550D161BF8473A8DD56942EAB61596D4B525352BA8E5CF11CF0A
2320 | kYI6jHc7U7Tz.exe | C:\Users\admin\AppData\Local\Temp\is-6POU7.tmp\kYI6jHc7U7Tz.tmp | executable
MD5: C9B04061371F10D9700A7B52BF4D233B
SHA256: 22B83626D13C5AF977CF10D981CB06EDBE3F87B80E5D5E50100813509532C36C
516 | kYI6jHc7U7Tz.tmp | C:\Users\admin\AppData\Local\Temp\is-3EH5D.tmp\_isetup\_shfoldr.dll | executable
MD5: 92DC6EF532FBB4A5C3201469A5B5EB63
SHA256: 9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
516 | kYI6jHc7U7Tz.tmp | C:\Users\admin\AppData\Local\Creative Data Recovery 13.5.1.81\icuuc51.dll | executable
MD5: DAE4100039A943128C34BA3E05F6CD02
SHA256: 2357806CA24C9D3152D54D34270810DA9D9CA943462EBF7291AE06A10E5CB8BA
516 | kYI6jHc7U7Tz.tmp | C:\Users\admin\AppData\Local\Creative Data Recovery 13.5.1.81\is-RDEDB.tmp | executable
MD5: EAE56B896A718C3BC87A4253832A5650
SHA256: EE1D7D8F396D627FEE7DCF2655FB5ACFE5A1EE2A5DEEDA764EF311E75B94CEA1
516 | kYI6jHc7U7Tz.tmp | C:\Users\admin\AppData\Local\Creative Data Recovery 13.5.1.81\is-N2GVE.tmp | executable
MD5: DAE4100039A943128C34BA3E05F6CD02
SHA256: 2357806CA24C9D3152D54D34270810DA9D9CA943462EBF7291AE06A10E5CB8BA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 11
TCP/UDP connections: 30
DNS requests: 7
Threats: 21

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5392 | cvtres.exe | GET | 200 | 185.156.72.196:80 | http://185.156.72.196/success?substr=mixsix&s=three&sub=none | unknown | - | - | malicious
5392 | cvtres.exe | GET | - | 185.156.72.196:80 | http://185.156.72.196/info | unknown | - | - | malicious
5392 | cvtres.exe | GET | 200 | 185.156.72.196:80 | http://185.156.72.196/info | unknown | - | - | malicious
5392 | cvtres.exe | GET | 200 | 185.156.72.196:80 | http://185.156.72.196/update | unknown | - | - | malicious
5392 | cvtres.exe | GET | 200 | 185.156.72.196:80 | http://185.156.72.196/service | unknown | - | - | malicious
5392 | cvtres.exe | GET | 200 | 185.156.72.196:80 | http://185.156.72.196/service | unknown | - | - | malicious
5392 | cvtres.exe | GET | 200 | 185.156.72.196:80 | http://185.156.72.196/service | unknown | - | - | malicious
5392 | cvtres.exe | GET | 200 | 185.156.72.196:80 | http://185.156.72.196/service | unknown | - | - | malicious
5392 | cvtres.exe | GET | - | 185.156.72.196:80 | http://185.156.72.196/ycl | unknown | - | - | malicious
5392 | cvtres.exe | GET | 200 | 185.156.72.196:80 | http://185.156.72.196/ycl | unknown | - | - | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5392 | cvtres.exe | 142.250.186.33:443 | drive.usercontent.google.com | GOOGLE | US | whitelisted
5392 | cvtres.exe | 185.156.72.196:80 | - | Tov Vaiz Partner | RU | malicious
672 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4920 | 6Z66atfoygJ7n.exe | 149.154.167.99:443 | t.me | Telegram Messenger Inc | GB | whitelisted
4920 | 6Z66atfoygJ7n.exe | 104.21.58.163:443 | bullhevrgg.live | CLOUDFLARENET | - | unknown
2108 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
google.com | 142.250.184.238 | whitelisted
drive.usercontent.google.com | 142.250.186.33 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98 | whitelisted
t.me | 149.154.167.99 | whitelisted
bullhevrgg.live | 104.21.58.163, 172.67.161.211 | unknown

Threats

PID | Process | Class | Message
5392 | cvtres.exe | A Network Trojan was detected | LOADER [ANY.RUN] GCleaner HTTP Header
5392 | cvtres.exe | A Network Trojan was detected | LOADER [ANY.RUN] GCleaner HTTP Header
5392 | cvtres.exe | A Network Trojan was detected | LOADER [ANY.RUN] GCleaner HTTP Header
5392 | cvtres.exe | A Network Trojan was detected | LOADER [ANY.RUN] GCleaner HTTP Header
5392 | cvtres.exe | Potentially Bad Traffic | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
5392 | cvtres.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
5392 | cvtres.exe | Misc activity | ET INFO EXE - Served Attached HTTP
5392 | cvtres.exe | A Network Trojan was detected | LOADER [ANY.RUN] GCleaner HTTP Header
5392 | cvtres.exe | A Network Trojan was detected | LOADER [ANY.RUN] GCleaner HTTP Header
5392 | cvtres.exe | A Network Trojan was detected | LOADER [ANY.RUN] GCleaner HTTP Header
No debug info