File name:

2025-05-16_9e5b7e41d9b81df7ee48756eab7c18a4_elex_gcleaner_makop

Full analysis: https://app.any.run/tasks/06448d08-69a4-4aa1-b6af-215d8bc11790
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: May 16, 2025, 15:20:50
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: ransomware
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 9E5B7E41D9B81DF7EE48756EAB7C18A4
SHA1: 7103B7A4DD4081C65EA580119F715CD375FB18CB
SHA256: BC678FB530E03A5AFE9B25C1C9F326490FC719718E2EAFBE8FAE4248C8203ECD
SSDEEP: 768:YpWCeOidQQ3N9lPeOMQyhOziFzeh0jlTvsUSz1j5jCON:BHNveOMQziFy6BvsUk1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Deletes shadow copies

      • cmd.exe (PID: 1052)
    • Renames files like ransomware

      • 2025-05-16_9e5b7e41d9b81df7ee48756eab7c18a4_elex_gcleaner_makop.exe (PID: 5800)
    • RANSOMWARE has been detected

      • 2025-05-16_9e5b7e41d9b81df7ee48756eab7c18a4_elex_gcleaner_makop.exe (PID: 5800)
  • SUSPICIOUS

    • Application launched itself

      • 2025-05-16_9e5b7e41d9b81df7ee48756eab7c18a4_elex_gcleaner_makop.exe (PID: 1532)
    • Reads security settings of Internet Explorer

      • 2025-05-16_9e5b7e41d9b81df7ee48756eab7c18a4_elex_gcleaner_makop.exe (PID: 1532)
    • There is functionality for taking screenshot (YARA)

      • 2025-05-16_9e5b7e41d9b81df7ee48756eab7c18a4_elex_gcleaner_makop.exe (PID: 5800)
    • Starts CMD.EXE for commands execution

      • 2025-05-16_9e5b7e41d9b81df7ee48756eab7c18a4_elex_gcleaner_makop.exe (PID: 5800)
    • Executes as Windows Service

      • vds.exe (PID: 6620)
      • VSSVC.exe (PID: 1128)
      • wbengine.exe (PID: 736)
  • INFO

    • Reads the machine GUID from the registry

      • 2025-05-16_9e5b7e41d9b81df7ee48756eab7c18a4_elex_gcleaner_makop.exe (PID: 1532)
      • 2025-05-16_9e5b7e41d9b81df7ee48756eab7c18a4_elex_gcleaner_makop.exe (PID: 5800)
      • OfficeClickToRun.exe (PID: 4620)
    • Checks supported languages

      • 2025-05-16_9e5b7e41d9b81df7ee48756eab7c18a4_elex_gcleaner_makop.exe (PID: 1532)
      • 2025-05-16_9e5b7e41d9b81df7ee48756eab7c18a4_elex_gcleaner_makop.exe (PID: 5800)
      • OfficeClickToRun.exe (PID: 4620)
    • Reads the computer name

      • 2025-05-16_9e5b7e41d9b81df7ee48756eab7c18a4_elex_gcleaner_makop.exe (PID: 1532)
      • 2025-05-16_9e5b7e41d9b81df7ee48756eab7c18a4_elex_gcleaner_makop.exe (PID: 5800)
      • OfficeClickToRun.exe (PID: 4620)
    • Process checks computer location settings

      • 2025-05-16_9e5b7e41d9b81df7ee48756eab7c18a4_elex_gcleaner_makop.exe (PID: 1532)
    • Reads Windows Product ID

      • 2025-05-16_9e5b7e41d9b81df7ee48756eab7c18a4_elex_gcleaner_makop.exe (PID: 5800)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 5528)
    • Executes as Windows Service

      • OfficeClickToRun.exe (PID: 4620)
    • Reads Microsoft Office registry keys

      • OfficeClickToRun.exe (PID: 4620)
    • Reads the software policy settings

      • slui.exe (PID: 5556)
    • Checks proxy server information

      • OfficeClickToRun.exe (PID: 4620)
      • slui.exe (PID: 5556)
    • Creates files in the program directory

      • 2025-05-16_9e5b7e41d9b81df7ee48756eab7c18a4_elex_gcleaner_makop.exe (PID: 5800)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:07:11 18:02:33+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 32768
InitializedDataSize: 99328
UninitializedDataSize: -
EntryPoint: 0x6800
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 141
Monitored processes: 13
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Processes shown in the graph, in launch order: 2025-05-16_9e5b7e41d9b81df7ee48756eab7c18a4_elex_gcleaner_makop.exe, 2025-05-16_9e5b7e41d9b81df7ee48756eab7c18a4_elex_gcleaner_makop.exe (THREAT), cmd.exe, conhost.exe, vssadmin.exe, vssvc.exe, wbadmin.exe, wbengine.exe, vdsldr.exe, vds.exe, wmic.exe, officeclicktorun.exe, slui.exe

Process information

PID 736 | CMD: "C:\WINDOWS\system32\wbengine.exe" | Path: C:\Windows\System32\wbengine.exe | Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Block Level Backup Engine Service EXE
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbengine.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID 1040 | CMD: wbadmin delete catalog -quiet | Path: C:\Windows\System32\wbadmin.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Command Line Interface for Microsoft® BLB Backup
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbadmin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID 1052 | CMD: "C:\WINDOWS\system32\cmd.exe" | Path: C:\Windows\System32\cmd.exe | Parent process: 2025-05-16_9e5b7e41d9b81df7ee48756eab7c18a4_elex_gcleaner_makop.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winbrand.dll
PID 1128 | CMD: C:\WINDOWS\system32\vssvc.exe | Path: C:\Windows\System32\VSSVC.exe | Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 1532 | CMD: "C:\Users\admin\Desktop\2025-05-16_9e5b7e41d9b81df7ee48756eab7c18a4_elex_gcleaner_makop.exe" | Path: C:\Users\admin\Desktop\2025-05-16_9e5b7e41d9b81df7ee48756eab7c18a4_elex_gcleaner_makop.exe | Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
c:\users\admin\desktop\2025-05-16_9e5b7e41d9b81df7ee48756eab7c18a4_elex_gcleaner_makop.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID 2600 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 4620 | CMD: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service | Path: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Office Click-to-Run (SxS)
Version: 16.0.16026.20140
Modules
Images
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\gdi32.dll
PID 4932 | CMD: C:\WINDOWS\System32\vdsldr.exe -Embedding | Path: C:\Windows\System32\vdsldr.exe | Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Virtual Disk Service Loader
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vdsldr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID 5528 | CMD: wmic shadowcopy delete | Path: C:\Windows\System32\wbem\WMIC.exe | Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: WMI Commandline Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
PID 5556 | CMD: C:\WINDOWS\System32\slui.exe -Embedding | Path: C:\Windows\System32\slui.exe | Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 4 949
Read events: 4 949
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 3
Suspicious files: 1 146
Text files: 87
Unknown types: 0

Dropped files

PID | Process | Filename | Type
5800 | 2025-05-16_9e5b7e41d9b81df7ee48756eab7c18a4_elex_gcleaner_makop.exe | C:\Users\admin\Desktop\successlogin.rtf.[C8E7DCE6].[decsupp24@tuta.io].MARK | binary
MD5:92B0FC3B18538DEB145F77AB400E33EF
SHA256:95D19596A5ED9DE8AB4CC8758C05CE5661CCC7C8727CB72C2D5A1F7D3515DB89
5800 | 2025-05-16_9e5b7e41d9b81df7ee48756eab7c18a4_elex_gcleaner_makop.exe | C:\Users\admin\Desktop\sellerhead.rtf.[C8E7DCE6].[decsupp24@tuta.io].MARK | binary
MD5:F162E03421A048C2429C8B01294DDA1B
SHA256:7FFCD7A6296F2FB7DA7D0425C032691E5496139004E41F02D7F0B096CB67BB4A
5800 | 2025-05-16_9e5b7e41d9b81df7ee48756eab7c18a4_elex_gcleaner_makop.exe | C:\Users\admin\Desktop\matchsurvey.png.[C8E7DCE6].[decsupp24@tuta.io].MARK | binary
MD5:4077C7E9DDD41F3FEEE153D38BE8BAFB
SHA256:B2A4AED096A255C6BAB189D5770854D012D1D2DE6D81CB16BFD24F225E749FCB
5800 | 2025-05-16_9e5b7e41d9b81df7ee48756eab7c18a4_elex_gcleaner_makop.exe | C:\Users\admin\Desktop\presentnewsletter.png.[C8E7DCE6].[decsupp24@tuta.io].MARK | binary
MD5:9F0BCABA16052CC70DD58E68E2A5AB32
SHA256:2473EE1ACC5C22B24C06E44C7565D8E48044A646436EB2F5E7E4185EB602D48D
5800 | 2025-05-16_9e5b7e41d9b81df7ee48756eab7c18a4_elex_gcleaner_makop.exe | C:\Users\admin\Desktop\submittedestate.rtf.[C8E7DCE6].[decsupp24@tuta.io].MARK | binary
MD5:C818D51211AF979B5E150597B0377FDB
SHA256:1683DBE0E98DFA11EB6874CCEEAC6C16FF0DBBEC181B25120B95A6377DF29796
5800 | 2025-05-16_9e5b7e41d9b81df7ee48756eab7c18a4_elex_gcleaner_makop.exe | C:\Users\admin\Desktop\contentinfo.png.[C8E7DCE6].[decsupp24@tuta.io].MARK | binary
MD5:4114625D43BE74E5E8C1C572B28CF757
SHA256:09BCC1CEEEA4A599E73037E99C04E03284C7AB05F98306D09AB23D496C6A7431
5800 | 2025-05-16_9e5b7e41d9b81df7ee48756eab7c18a4_elex_gcleaner_makop.exe | C:\Users\admin\Desktop\economytom.png.[C8E7DCE6].[decsupp24@tuta.io].MARK | binary
MD5:AB6C6F839551ADBBCBE5DE1ABC3BC334
SHA256:5CA03D8D0479E17C4AE5056C2D525091D769768F62948AAF9502712C7098514A
5800 | 2025-05-16_9e5b7e41d9b81df7ee48756eab7c18a4_elex_gcleaner_makop.exe | C:\$WinREAgent\RollbackInfo.ini.[C8E7DCE6].[decsupp24@tuta.io].MARK | binary
MD5:00A4BA0B68412DF5A2D9B412A0A431BB
SHA256:B04358BAEC6185357D287814D10439CBDC83F8F692056DAD4731BC1BBFEC5604
5800 | 2025-05-16_9e5b7e41d9b81df7ee48756eab7c18a4_elex_gcleaner_makop.exe | C:\$WinREAgent\+README-WARNING+.txt | text
MD5:B8574DE7710F90405DCAEB88B9BF91FC
SHA256:4CEC1A0E42AD080C255A7A67CB21EA09E794855E61AB3AFF624B5A98D07225AF
5800 | 2025-05-16_9e5b7e41d9b81df7ee48756eab7c18a4_elex_gcleaner_makop.exe | C:\$WinREAgent\Rollback.xml.[C8E7DCE6].[decsupp24@tuta.io].MARK | binary
MD5:4DC2CE2268D0520748104BB7BDEA65F2
SHA256:6D53CFBAF2D6FA15FE647C0098599491C8B71422443FED804B3E4E28CBCBD1A4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 53
DNS requests: 19
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2104 | svchost.exe | GET | 200 | 23.216.77.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
2104 | svchost.exe | GET | 200 | 69.192.161.161:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
2392 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
2392 | SIHClient.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | - | - | whitelisted
2392 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | - | - | whitelisted
2392 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | - | - | whitelisted
2392 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted
2392 | SIHClient.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | - | - | whitelisted
2392 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2104 | svchost.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
2104 | svchost.exe | 23.216.77.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2104 | svchost.exe | 69.192.161.161:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
6544 | svchost.exe | 40.126.32.134:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted

DNS requests

Domain / IP / Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
google.com
  • 142.250.184.206
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
crl.microsoft.com
  • 23.216.77.12
  • 23.216.77.11
  • 23.216.77.14
  • 23.216.77.17
  • 23.216.77.43
  • 23.216.77.10
  • 23.216.77.9
  • 23.216.77.15
  • 23.216.77.8
  • 23.53.40.178
  • 23.53.40.176
whitelisted
www.microsoft.com
  • 69.192.161.161
  • 23.52.120.96
whitelisted
login.live.com
  • 40.126.32.134
  • 40.126.32.74
  • 20.190.160.130
  • 40.126.32.140
  • 20.190.160.17
  • 20.190.160.66
  • 40.126.32.136
  • 20.190.160.131
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
officeclient.microsoft.com
  • 52.109.76.240
whitelisted
ecs.office.com
  • 52.123.129.14
  • 52.123.128.14
whitelisted

Threats

No threats detected
No debug info