File name: 2025-06-21_408389ef5472475e39da208b57ef0917_elex_gcleaner_stop

Full analysis: https://app.any.run/tasks/08726b20-3f50-4e35-b96c-64f8674fee64
Verdict: Malicious activity
Analysis date: June 21, 2025, 19:16:11
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-reg
xor-url
generic
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5: 408389EF5472475E39DA208B57EF0917
SHA1: 1D043FF69EBDDFE86033084584EEB218DAED6E3D
SHA256: BED4E937C8B9DDC2996F17C0ABF2BA8A602E3DF6828D490EF2720D43F0962F8F
SSDEEP: 12288:1rTRKVUjYgyJNDHAqsAzEa5iqFudcJvGzZIDngHf:x9KVUnyJNDHAqscEgipW0Z84

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • svchost.exe (PID: 1668)
    • XORed URL has been found (YARA)

      • svchost.exe (PID: 1668)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-06-21_408389ef5472475e39da208b57ef0917_elex_gcleaner_stop.exe (PID: 3780)
    • Reads security settings of Internet Explorer

      • 2025-06-21_408389ef5472475e39da208b57ef0917_elex_gcleaner_stop.exe (PID: 3780)
    • Starts CMD.EXE for commands execution

      • 2025-06-21_408389ef5472475e39da208b57ef0917_elex_gcleaner_stop.exe (PID: 3780)
    • Executing commands from a ".bat" file

      • 2025-06-21_408389ef5472475e39da208b57ef0917_elex_gcleaner_stop.exe (PID: 3780)
    • Process run an executable payload

      • rundll32.exe (PID: 3908)
  • INFO

    • Reads the machine GUID from the registry

      • 2025-06-21_408389ef5472475e39da208b57ef0917_elex_gcleaner_stop.exe (PID: 3780)
      • 2hj64hf8d2.exe (PID: 6292)
    • Checks supported languages

      • 2025-06-21_408389ef5472475e39da208b57ef0917_elex_gcleaner_stop.exe (PID: 3780)
      • 2hj64hf8d2.exe (PID: 6292)
    • The sample compiled with english language support

      • 2025-06-21_408389ef5472475e39da208b57ef0917_elex_gcleaner_stop.exe (PID: 3780)
    • Creates files in the program directory

      • 2025-06-21_408389ef5472475e39da208b57ef0917_elex_gcleaner_stop.exe (PID: 3780)
    • Checks proxy server information

      • svchost.exe (PID: 1668)
      • slui.exe (PID: 3956)
    • Reads the computer name

      • 2025-06-21_408389ef5472475e39da208b57ef0917_elex_gcleaner_stop.exe (PID: 3780)
    • Launching a file from a Registry key

      • svchost.exe (PID: 1668)
    • Process checks computer location settings

      • 2025-06-21_408389ef5472475e39da208b57ef0917_elex_gcleaner_stop.exe (PID: 3780)
    • Reads security settings of Internet Explorer

      • svchost.exe (PID: 1668)
      • rundll32.exe (PID: 3908)
    • Creates files or folders in the user directory

      • 2025-06-21_408389ef5472475e39da208b57ef0917_elex_gcleaner_stop.exe (PID: 3780)
    • Manual execution by a user

      • rundll32.exe (PID: 3908)
    • Reads the software policy settings

      • slui.exe (PID: 3956)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

xor-url

(PID) Process: (1668) svchost.exe
Decrypted-URLs (1):
  • https://www.bing.com
Decrypted-URLs (2):
  • https://www.bing.com
  • https://www.google.com
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2015:09:01 11:09:14+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 286720
InitializedDataSize: 204800
UninitializedDataSize: -
EntryPoint: 0x33eef
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.5.7917.9892
ProductVersionNumber: 1.5.7917.9892
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unknown (04E0)
Comments: Green Soldier GameSim ableteeth build
CompanyName: jobshowbeauty aboveblockprepare
FileDescription: GameSim
FileVersion: 1.5.7917.9892
InternalName: GameSim
LegalCopyright: Bedsimple Once
LegalTrademarks: Gaseye Minute stronghole BelieveFront shoequart offollow
OriginalFileName: liemethod.exe
ProductName: GameSim
ProductVersion: 1.5.7917.9892
All screenshots are available in the full report
Total processes: 142
Monitored processes: 8
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Graph nodes, in the order shown:
  • start
  • 2025-06-21_408389ef5472475e39da208b57ef0917_elex_gcleaner_stop.exe
  • svchost.exe (#XOR-URL)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • rundll32.exe (no specs)
  • 2hj64hf8d2.exe (no specs)
  • slui.exe
  • svchost.exe

Process information

Columns: PID, CMD, Path, Indicators, Parent process
PID: 1668
CMD: C:\ProgramData\2hj64hf8d2.exe
Path: C:\Windows\SysWOW64\svchost.exe
Parent process: 2025-06-21_408389ef5472475e39da208b57ef0917_elex_gcleaner_stop.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\sechost.dll
xor-url
(PID) Process: (1668) svchost.exe
Decrypted-URLs (1):
  • https://www.bing.com
Decrypted-URLs (2):
  • https://www.bing.com
  • https://www.google.com
PID: 2200
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 3780
CMD: "C:\Users\admin\Desktop\2025-06-21_408389ef5472475e39da208b57ef0917_elex_gcleaner_stop.exe"
Path: C:\Users\admin\Desktop\2025-06-21_408389ef5472475e39da208b57ef0917_elex_gcleaner_stop.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\2025-06-21_408389ef5472475e39da208b57ef0917_elex_gcleaner_stop.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
PID: 3908
CMD: rundll32.exe shell32.dll, ShellExec_RunDLL C:\PROGRA~3\2HJ64H~1.EXE
Path: C:\Windows\System32\rundll32.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 3956
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 5476
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\vbjA58.tmp.bat" "C:\Users\admin\Desktop\2025-06-21_408389ef5472475e39da208b57ef0917_elex_gcleaner_stop.exe""
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: 2025-06-21_408389ef5472475e39da208b57ef0917_elex_gcleaner_stop.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 6292
CMD: "C:\PROGRA~3\2HJ64H~1.EXE"
Path: C:\ProgramData\2hj64hf8d2.exe
Parent process: rundll32.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\programdata\2hj64hf8d2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
PID: 6876
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 10 310
Read events: 10 305
Write events: 5
Delete events: 0

Modification events

(PID) Process: (1668) svchost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows
Operation: write
Name: 65a7ba98
Value:
000000000000000000000000000000000000000000000000000000000000000000000000433A5C50726F6772616D446174615C32686A363468663864322E6578650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (1668) svchost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: IntelPowerAgent1
Value: rundll32.exe shell32.dll, ShellExec_RunDLL C:\PROGRA~3\2HJ64H~1.EXE

(PID) Process: (1668) svchost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (1668) svchost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (1668) svchost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 1
Suspicious files: 0
Text files: 2
Unknown types: 0

Dropped files

PID: 3780
Process: 2025-06-21_408389ef5472475e39da208b57ef0917_elex_gcleaner_stop.exe
Filename: C:\Users\admin\AppData\Local\vbjA58.tmp.bat
Type: text
MD5: ACE85D2BF3789F870BC5E10C8559C686
SHA256: C506546D691AE036F82796D98118BE8C49D73FBA1D64F5BCB24CCACD54CD6EE8

PID: 3780
Process: 2025-06-21_408389ef5472475e39da208b57ef0917_elex_gcleaner_stop.exe
Filename: C:\ProgramData\2hj64hf8d2.exe
Type: executable
MD5: C09995003015AF3DE70EC19C21E414DB
SHA256: 6BD44FB39BCB193BB6870F8F80B512E1898ADA7E34D9973C67A2DCD4767A3C9C

PID: 5476
Process: cmd.exe
Filename: C:\Users\admin\Desktop\2025-06-21_408389ef5472475e39da208b57ef0917_elex_gcleaner_stop.exe
Type: text
MD5: 494C5F463863FD4763797BC63E518A6B
SHA256: A5FE29FD887667BE9CDFB1510D633AA0D7F1BCF1F9A2F34E354A5F750878D17C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 35
TCP/UDP connections: 49
DNS requests: 24
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1488 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1488 | RUXIMICS.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 20.190.159.75:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
- | - | POST | 200 | 20.190.159.68:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 16.7 Kb | whitelisted
- | - | POST | 200 | 20.190.160.131:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted
- | - | POST | 200 | 40.126.32.74:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1268 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1488 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1488 | RUXIMICS.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
  • 51.104.136.2
whitelisted
google.com
  • 216.58.212.174
whitelisted
crl.microsoft.com
  • 23.53.40.178
  • 23.53.40.176
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
client.wns.windows.com
  • 172.211.123.249
  • 172.211.123.248
whitelisted
download.windowsupdate.com
  • 23.50.131.216
  • 23.50.131.200
whitelisted
blatnoidomen.com
malicious
login.live.com
  • 40.126.32.136
  • 20.190.160.67
  • 40.126.32.68
  • 20.190.160.4
  • 20.190.160.131
  • 40.126.32.133
  • 20.190.160.130
  • 20.190.160.65
whitelisted
nexusrules.officeapps.live.com
  • 52.111.236.22
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted

Threats

No threats detected
No debug info