File name:

15bda68d69138b00b18b8e238a6f3ce1.exe

Full analysis: https://app.any.run/tasks/a5aaf615-dcb1-4cc8-8726-35d90a9bbaa3
Verdict: Malicious activity
Threats:

GCleaner is a malware loader capable of delivering numerous malicious programs, which vary according to the geographic location of the targeted victim. It is commonly spread through fraudulent websites that advertise free PC optimization tools.

Analysis date: March 24, 2025, 16:59:23
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
gcleaner
loader
telegram
stealer
lumma
inno
installer
delphi
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5:

15BDA68D69138B00B18B8E238A6F3CE1

SHA1:

3705055C94525285D7A561030C61917C9382CA18

SHA256:

DA09FB0F1D8B48129724761FDDEF6D51E7F15E39BC3917EB5D14A85CA968EBBE

SSDEEP:

98304:OjeSVF/gLKWMtNQnV63HVvijRtEOWgqysui0h51SydCeqKCuRRJQzKGZPSc2JupC:OH7ePuI4OmXhv8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • GENERIC has been found (auto)

      • 15bda68d69138b00b18b8e238a6f3ce1.exe (PID: 7156)
      • svchost015.exe (PID: 5072)
    • GCLEANER has been detected (YARA)

      • svchost015.exe (PID: 5072)
    • GCLEANER has been detected (SURICATA)

      • svchost015.exe (PID: 5072)
    • LUMMA mutex has been found

      • MSBuild.exe (PID: 2240)
    • Actions look like stealing of personal data

      • MSBuild.exe (PID: 2240)
    • Steals credentials from Web Browsers

      • MSBuild.exe (PID: 2240)
  • SUSPICIOUS

    • Reads the BIOS version

      • 15bda68d69138b00b18b8e238a6f3ce1.exe (PID: 7156)
    • Executable content was dropped or overwritten

      • 15bda68d69138b00b18b8e238a6f3ce1.exe (PID: 7156)
      • svchost015.exe (PID: 5072)
      • RG0PZXU2Cy6.exe (PID: 6040)
      • RG0PZXU2Cy6.tmp (PID: 3268)
      • renaminggroupfiles54.exe (PID: 7000)
    • Reads security settings of Internet Explorer

      • svchost015.exe (PID: 5072)
      • renaminggroupfiles54.exe (PID: 7000)
    • Potential Corporate Privacy Violation

      • svchost015.exe (PID: 5072)
    • Connects to the server without a host name

      • svchost015.exe (PID: 5072)
      • wReoeKKfZk5A.exe (PID: 1272)
    • Reads the Windows owner or organization settings

      • RG0PZXU2Cy6.tmp (PID: 3268)
    • Process drops legitimate Windows executable

      • RG0PZXU2Cy6.tmp (PID: 3268)
    • The process drops C-runtime libraries

      • RG0PZXU2Cy6.tmp (PID: 3268)
    • Starts POWERSHELL.EXE for command execution

      • renaminggroupfiles54.exe (PID: 7000)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • MSBuild.exe (PID: 2240)
    • Searches for installed software

      • MSBuild.exe (PID: 2240)
    • There is functionality for taking screenshot (YARA)

      • MSBuild.exe (PID: 2240)
  • INFO

    • Reads the computer name

      • 15bda68d69138b00b18b8e238a6f3ce1.exe (PID: 7156)
      • svchost015.exe (PID: 5072)
      • RG0PZXU2Cy6.tmp (PID: 3268)
      • renaminggroupfiles54.exe (PID: 7000)
      • MSBuild.exe (PID: 2240)
      • 92l3MmpcnOv.exe (PID: 4188)
      • wReoeKKfZk5A.exe (PID: 1272)
    • Checks supported languages

      • 15bda68d69138b00b18b8e238a6f3ce1.exe (PID: 7156)
      • svchost015.exe (PID: 5072)
      • RG0PZXU2Cy6.exe (PID: 6040)
      • RG0PZXU2Cy6.tmp (PID: 3268)
      • renaminggroupfiles54.exe (PID: 7000)
      • WAqktVywsiHW.exe (PID: 5064)
      • MSBuild.exe (PID: 2240)
      • 92l3MmpcnOv.exe (PID: 4188)
      • wReoeKKfZk5A.exe (PID: 1272)
    • Create files in a temporary directory

      • 15bda68d69138b00b18b8e238a6f3ce1.exe (PID: 7156)
      • RG0PZXU2Cy6.exe (PID: 6040)
      • RG0PZXU2Cy6.tmp (PID: 3268)
      • svchost015.exe (PID: 5072)
    • Checks proxy server information

      • svchost015.exe (PID: 5072)
      • slui.exe (PID: 6136)
      • renaminggroupfiles54.exe (PID: 7000)
    • The sample was compiled with English language support

      • 15bda68d69138b00b18b8e238a6f3ce1.exe (PID: 7156)
      • RG0PZXU2Cy6.tmp (PID: 3268)
      • renaminggroupfiles54.exe (PID: 7000)
    • Creates files or folders in the user directory

      • svchost015.exe (PID: 5072)
      • RG0PZXU2Cy6.tmp (PID: 3268)
    • Reads the machine GUID from the registry

      • svchost015.exe (PID: 5072)
      • MSBuild.exe (PID: 2240)
      • renaminggroupfiles54.exe (PID: 7000)
    • Creates files in the program directory

      • renaminggroupfiles54.exe (PID: 7000)
    • Creates a software uninstall entry

      • RG0PZXU2Cy6.tmp (PID: 3268)
    • Process checks computer location settings

      • renaminggroupfiles54.exe (PID: 7000)
    • Changes the registry key values via Powershell

      • renaminggroupfiles54.exe (PID: 7000)
    • Reads the software policy settings

      • MSBuild.exe (PID: 2240)
      • slui.exe (PID: 6136)
      • renaminggroupfiles54.exe (PID: 7000)
    • Detects InnoSetup installer (YARA)

      • RG0PZXU2Cy6.exe (PID: 6040)
      • RG0PZXU2Cy6.tmp (PID: 3268)
    • Compiled with Borland Delphi (YARA)

      • RG0PZXU2Cy6.tmp (PID: 3268)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (42.6)
.exe | Win16/32 Executable Delphi generic (19.5)
.exe | Generic Win/DOS Executable (18.9)
.exe | DOS Executable Generic (18.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 599040
InitializedDataSize: 5204480
UninitializedDataSize: -
EntryPoint: 0xa0a000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2.0.4.0
ProductVersionNumber: 2.0.4.0
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileVersion: 2, 0, 4, 0
InternalName: A2Master
LegalCopyright: Copyright © 1999-2010 Gladiators Software
OriginalFileName: A2Master.exe
ProductName: Aston2
ProductVersion: 2, 0, 4, 0
No data.
All screenshots are available in the full report
Total processes
136
Monitored processes
14
Malicious processes
6
Suspicious processes
1

Behavior graph

start #GENERIC 15bda68d69138b00b18b8e238a6f3ce1.exe #GCLEANER svchost015.exe rg0pzxu2cy6.exe rg0pzxu2cy6.tmp renaminggroupfiles54.exe powershell.exe no specs conhost.exe no specs waqktvywsihw.exe no specs conhost.exe no specs #LUMMA msbuild.exe 92l3mmpcnov.exe no specs svchost.exe wreoekkfzk5a.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 728
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1072
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: WAqktVywsiHW.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1272
CMD: "C:\Users\admin\AppData\Roaming\vygrfywjr\wReoeKKfZk5A.exe"
Path: C:\Users\admin\AppData\Roaming\vygrfywjr\wReoeKKfZk5A.exe
Parent process: svchost015.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
14351980
Modules
Images
c:\users\admin\appdata\roaming\vygrfywjr\wreoekkfzk5a.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\winhttp.dll
PID: 2108
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "fGrRename" -Value "C:\ProgramData\RenamingGroupFiles\RenamingGroupFiles.exe"
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: renaminggroupfiles54.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2240
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Parent process: WAqktVywsiHW.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
MSBuild.exe
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
PID: 3268
CMD: "C:\Users\admin\AppData\Local\Temp\is-JOP60.tmp\RG0PZXU2Cy6.tmp" /SL5="$8029A,3159030,56832,C:\Users\admin\AppData\Roaming\zv09YFqB\RG0PZXU2Cy6.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-JOP60.tmp\RG0PZXU2Cy6.tmp
Parent process: RG0PZXU2Cy6.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Version:
51.52.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-jop60.tmp\rg0pzxu2cy6.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 4188
CMD: "C:\Users\admin\AppData\Roaming\IHNlCS\92l3MmpcnOv.exe"
Path: C:\Users\admin\AppData\Roaming\IHNlCS\92l3MmpcnOv.exe
Parent process: svchost015.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Gcleanerapp
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\ihnlcs\92l3mmpcnov.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 5064
CMD: "C:\Users\admin\AppData\Roaming\LpHVkKobKE\WAqktVywsiHW.exe"
Path: C:\Users\admin\AppData\Roaming\LpHVkKobKE\WAqktVywsiHW.exe
Parent process: svchost015.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\lphvkkobke\waqktvywsihw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
PID: 5072
CMD: "C:\Users\admin\Desktop\15bda68d69138b00b18b8e238a6f3ce1.exe"
Path: C:\Users\admin\AppData\Local\Temp\svchost015.exe
Parent process: 15bda68d69138b00b18b8e238a6f3ce1.exe
User:
admin
Company:
X-Ways Software Technology AG
Integrity Level:
MEDIUM
Description:
WinHex
Exit code:
0
Version:
21.1
Modules
Images
c:\users\admin\appdata\local\temp\svchost015.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events
15 612
Read events
15 592
Write events
20
Delete events
0

Modification events

(PID) Process: (5072) svchost015.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (5072) svchost015.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value:
Cookie:

(PID) Process: (5072) svchost015.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value:
Visited:

(PID) Process: (3268) RG0PZXU2Cy6.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Renaming Group Files_is1
Operation: write
Name: Inno Setup: Setup Version
Value:
5.5.8 (a)

(PID) Process: (3268) RG0PZXU2Cy6.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Renaming Group Files_is1
Operation: write
Name: Inno Setup: App Path
Value:
C:\Users\admin\AppData\Local\Renaming Group Files 5.4

(PID) Process: (3268) RG0PZXU2Cy6.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Renaming Group Files_is1
Operation: write
Name: InstallLocation
Value:
C:\Users\admin\AppData\Local\Renaming Group Files 5.4\

(PID) Process: (3268) RG0PZXU2Cy6.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Renaming Group Files_is1
Operation: write
Name: Inno Setup: Icon Group
Value:
(Default)

(PID) Process: (3268) RG0PZXU2Cy6.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Renaming Group Files_is1
Operation: write
Name: Inno Setup: User
Value:
admin

(PID) Process: (3268) RG0PZXU2Cy6.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Renaming Group Files_is1
Operation: write
Name: Inno Setup: Language
Value:
English

(PID) Process: (3268) RG0PZXU2Cy6.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Renaming Group Files_is1
Operation: write
Name: DisplayName
Value:
Renaming Group Files 5.4
Executable files
39
Suspicious files
8
Text files
5
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 5072
Process: svchost015.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\success[1].htm
Type: binary
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA256:

PID: 7156
Process: 15bda68d69138b00b18b8e238a6f3ce1.exe
Filename: C:\Users\admin\AppData\Local\Temp\svchost015.exe
Type: executable
MD5: B826DD92D78EA2526E465A34324EBEEA
SHA256: 7824B50ACDD144764DAC7445A4067B35CF0FEF619E451045AB6C1F54F5653A5B

PID: 5072
Process: svchost015.exe
Filename: C:\Users\admin\AppData\Roaming\zv09YFqB\RG0PZXU2Cy6.exe
Type: executable
MD5: F20517CC727F171C9EFD8A4DC86E70B3
SHA256: EF9D4F174E5072F3A8F5FDF51AC841055E79C8D40971E0C02A5915B7136492DB

PID: 5072
Process: svchost015.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\ONE[1].file
Type: executable
MD5: F20517CC727F171C9EFD8A4DC86E70B3
SHA256: EF9D4F174E5072F3A8F5FDF51AC841055E79C8D40971E0C02A5915B7136492DB

PID: 3268
Process: RG0PZXU2Cy6.tmp
Filename: C:\Users\admin\AppData\Local\Renaming Group Files 5.4\uninstall\is-GSKV3.tmp
Type: executable
MD5: EA258FC63B1417666DB137C33EA726AB
SHA256: 07643082B8BCED03E89A14F946D9BF92C3B65A20369F30AD7F335BC189B33816

PID: 3268
Process: RG0PZXU2Cy6.tmp
Filename: C:\Users\admin\AppData\Local\Renaming Group Files 5.4\is-G3P4S.tmp
Type: executable
MD5: DAE4100039A943128C34BA3E05F6CD02
SHA256: 2357806CA24C9D3152D54D34270810DA9D9CA943462EBF7291AE06A10E5CB8BA

PID: 3268
Process: RG0PZXU2Cy6.tmp
Filename: C:\Users\admin\AppData\Local\Renaming Group Files 5.4\icuuc51.dll
Type: executable
MD5: DAE4100039A943128C34BA3E05F6CD02
SHA256: 2357806CA24C9D3152D54D34270810DA9D9CA943462EBF7291AE06A10E5CB8BA

PID: 3268
Process: RG0PZXU2Cy6.tmp
Filename: C:\Users\admin\AppData\Local\Renaming Group Files 5.4\is-1HCTB.tmp
Type: executable
MD5: A7F201C0B9AC05E950ECC55D4403EC16
SHA256: 173092C4E256958B100683A6AB2CE0D1C9895EC63F222198F9DE485E61C728CA

PID: 3268
Process: RG0PZXU2Cy6.tmp
Filename: C:\Users\admin\AppData\Local\Renaming Group Files 5.4\icuin51.dll
Type: executable
MD5: A7F201C0B9AC05E950ECC55D4403EC16
SHA256: 173092C4E256958B100683A6AB2CE0D1C9895EC63F222198F9DE485E61C728CA

PID: 3268
Process: RG0PZXU2Cy6.tmp
Filename: C:\Users\admin\AppData\Local\Renaming Group Files 5.4\uninstall\unins000.exe
Type: executable
MD5: EA258FC63B1417666DB137C33EA726AB
SHA256: 07643082B8BCED03E89A14F946D9BF92C3B65A20369F30AD7F335BC189B33816
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
21
TCP/UDP connections
32
DNS requests
7
Threats
21

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5072
svchost015.exe
GET
200
185.156.73.98:80
http://185.156.73.98/update
unknown
malicious
5072
svchost015.exe
GET
200
185.156.73.98:80
http://185.156.73.98/info
unknown
malicious
5072
svchost015.exe
GET
200
185.156.73.98:80
http://185.156.73.98/success?substr=mixthree&s=three&sub=none
unknown
unknown
5072
svchost015.exe
GET
200
185.156.73.98:80
http://185.156.73.98/service
unknown
malicious
5072
svchost015.exe
GET
200
185.156.73.98:80
http://185.156.73.98/service
unknown
malicious
5072
svchost015.exe
GET
200
185.156.73.98:80
http://185.156.73.98/service
unknown
malicious
5072
svchost015.exe
GET
200
185.156.73.98:80
http://185.156.73.98/service
unknown
malicious
5072
svchost015.exe
GET
200
185.156.73.98:80
http://185.156.73.98/service
unknown
malicious
1272
wReoeKKfZk5A.exe
GET
200
185.156.73.98:80
http://185.156.73.98/success?substr=test&s=test&sub=nn
unknown
unknown
5072
svchost015.exe
GET
200
185.156.73.98:80
http://185.156.73.98/ycl
unknown
malicious

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5072
svchost015.exe
185.156.73.98:80
OOO SibirInvest
RU
unknown
2240
MSBuild.exe
149.154.167.99:443
t.me
Telegram Messenger Inc
GB
whitelisted
2240
MSBuild.exe
104.21.64.1:443
cosmosyf.top
CLOUDFLARENET
unknown
1272
wReoeKKfZk5A.exe
185.156.73.98:80
OOO SibirInvest
RU
unknown
2852
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.124.78.146
  • 4.231.128.59
whitelisted
google.com
  • 142.250.184.238
whitelisted
t.me
  • 149.154.167.99
whitelisted
cosmosyf.top
  • 104.21.64.1
  • 104.21.48.1
  • 104.21.16.1
  • 104.21.112.1
  • 104.21.96.1
  • 104.21.32.1
  • 104.21.80.1
unknown
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

PID
Process
Class
Message
5072
svchost015.exe
A Network Trojan was detected
LOADER [ANY.RUN] GCleaner HTTP Header
5072
svchost015.exe
A Network Trojan was detected
LOADER [ANY.RUN] GCleaner HTTP Header
5072
svchost015.exe
A Network Trojan was detected
LOADER [ANY.RUN] GCleaner HTTP Header
5072
svchost015.exe
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
5072
svchost015.exe
Misc activity
ET INFO EXE - Served Attached HTTP
5072
svchost015.exe
Potentially Bad Traffic
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
5072
svchost015.exe
A Network Trojan was detected
LOADER [ANY.RUN] GCleaner HTTP Header
5072
svchost015.exe
A Network Trojan was detected
LOADER [ANY.RUN] GCleaner HTTP Header
2240
MSBuild.exe
Misc activity
ET INFO Observed Telegram Domain (t .me in TLS SNI)
5072
svchost015.exe
A Network Trojan was detected
LOADER [ANY.RUN] GCleaner HTTP Header
No debug info