File name:	01f228972518b06279379731a4d0d096d45525fee7c4ad3b8f82ba247f407420.exe
Full analysis:	https://app.any.run/tasks/e61653f2-b061-4924-a189-55f75bcb0ac4
Verdict:	Malicious activity
Threats:	GCleaner is a type of malware loader that has the capability to deliver numerous malicious software programs, which differ based on the location of the targeted victim. This malware is commonly spread through fraudulent websites that advertise free PC optimization tools A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	July 09, 2025, 00:14:45
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	delphi gcleaner loader inno installer auto generic golang
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:	A6474A1A17563528AC60EAE440589741
SHA1:	24189BD3DF4F06D28042B39950937EBAEE5E8EB4
SHA256:	01F228972518B06279379731A4D0D096D45525FEE7C4AD3B8F82BA247F407420
SSDEEP:	98304:ZUYOz2GVJqxuT+Aj+jjJSDwiKU9rH95UV200tSSFKKXTeicBO73ss9+ftwo5visb:V7Im

.exe	\|	Win32 Executable Delphi generic (37.4)
.scr	\|	Windows screen saver (34.5)
.exe	\|	Win32 Executable (generic) (11.9)
.exe	\|	Win16/32 Executable Delphi generic (5.4)
.exe	\|	Generic Win/DOS Executable (5.2)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	1992:06:19 22:22:17+00:00
ImageFileCharacteristics:	Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType:	PE32
LinkerVersion:	2.25
CodeSize:	409088
InitializedDataSize:	4584960
UninitializedDataSize:	-
EntryPoint:	0x64d50
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
CompanyName:	-
FileDescription:	-
FileVersion:	1.0.0.0
InternalName:	-
LegalCopyright:	-
LegalTrademarks:	-
OriginalFileName:	-
ProductName:	-
ProductVersion:	1.0.0.0
Comments:	-


(PID) Process:	(5552) svchost015.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(5552) svchost015.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(5552) svchost015.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(7076) wSd9pSAwPTrL.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mega Commander_is1
Operation:	write	Name:	Inno Setup: Setup Version
Value: 5.5.1 (a)
(PID) Process:	(7076) wSd9pSAwPTrL.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mega Commander_is1
Operation:	write	Name:	Inno Setup: App Path
Value: C:\Users\admin\AppData\Local\Mega Commander 0.2.1.4685
(PID) Process:	(7076) wSd9pSAwPTrL.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mega Commander_is1
Operation:	write	Name:	InstallLocation
Value: C:\Users\admin\AppData\Local\Mega Commander 0.2.1.4685\
(PID) Process:	(7076) wSd9pSAwPTrL.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mega Commander_is1
Operation:	write	Name:	Inno Setup: Icon Group
Value: (Default)
(PID) Process:	(7076) wSd9pSAwPTrL.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mega Commander_is1
Operation:	write	Name:	Inno Setup: User
Value: admin
(PID) Process:	(7076) wSd9pSAwPTrL.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mega Commander_is1
Operation:	write	Name:	Inno Setup: Language
Value: English
(PID) Process:	(7076) wSd9pSAwPTrL.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mega Commander_is1
Operation:	write	Name:	InstallDate
Value: 20250709

PID	Process	Filename		Type
2044	01f228972518b06279379731a4d0d096d45525fee7c4ad3b8f82ba247f407420.exe	C:\Users\admin\AppData\Local\Temp\svchost015.exe		executable
		MD5:CEEAE1523C3864B719E820B75BF728AA	SHA256:4E04E2FB20A9C6846B5D693EA67098214F77737F4F1F3DF5F0C78594650E7F71
5552	svchost015.exe	C:\Users\admin\AppData\Roaming\O5nd9P2\wSd9pSAwPTrL.exe		executable
		MD5:49175B1F235CF58FB584A4A433A9D16E	SHA256:B39EE651D5B7F388657248945C2A1AC632C2C93661528450548F57AEDF241BE2
7076	wSd9pSAwPTrL.tmp	C:\Users\admin\AppData\Local\Temp\is-D6V46.tmp\_isetup\_iscrypt.dll		executable
		MD5:A69559718AB506675E907FE49DEB71E9	SHA256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
640	wSd9pSAwPTrL.exe	C:\Users\admin\AppData\Local\Temp\is-0G2OV.tmp\wSd9pSAwPTrL.tmp		executable
		MD5:D3464A0392C25019619CAB1CEA9E64CE	SHA256:CE2093022A74C90830DCCDD5AF4AA876182A70D204B81817EDCE32DA7FCC6A6F
5552	svchost015.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\ONE[1].file		executable
		MD5:49175B1F235CF58FB584A4A433A9D16E	SHA256:B39EE651D5B7F388657248945C2A1AC632C2C93661528450548F57AEDF241BE2
5552	svchost015.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\info[1].htm		text
		MD5:FE9B08252F126DDFCB87FB82F9CC7677	SHA256:E63E7EBE4C2DB7E61FFC71AF0675E870BCDE0A9D8916E5B3BE0CB252478030BF
5552	svchost015.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\success[1].htm		binary
		MD5:C4CA4238A0B923820DCC509A6F75849B	SHA256:—
5552	svchost015.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\text[1]		text
		MD5:8E20D4A9B35A38CC167A3AF60AAE86EA	SHA256:9540DF47A22B6F4321DDF19EDB258922B91A91AC407F2DD507AF72C5F55CE6E1
5552	svchost015.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\fuckingdllENCR[1].dll		binary
		MD5:4BC1EF6688690AF3DD8D3D70906A9F98	SHA256:7703A6B77C0B0935F5900A2D846CFA3AB59B46D03A1A0844F6BCB5CF9496B2FE
7076	wSd9pSAwPTrL.tmp	C:\Users\admin\AppData\Local\Temp\is-D6V46.tmp\_isetup\_setup64.tmp		executable
		MD5:4FF75F505FDDCC6A9AE62216446205D9	SHA256:A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5944	MoUsoCoreWorker.exe	GET	200	2.16.168.114:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	2.16.168.114:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1984	RUXIMICS.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1984	RUXIMICS.exe	GET	200	2.16.168.114:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	216.58.206.65:443	https://drive.usercontent.google.com/download?id=1YBVIDkZgygNfUU2rbJXXCYdrzay5rMdY&export=download&authuser=0&confirm=t	unknown	text	13 b	whitelisted
5552	svchost015.exe	GET	200	176.46.157.48:80	http://176.46.157.48/success?substr=mixsix&s=three&sub=none	unknown	—	—	unknown
5552	svchost015.exe	GET	200	176.46.157.48:80	http://176.46.157.48/info	unknown	—	—	unknown
5552	svchost015.exe	GET	200	176.46.157.48:80	http://176.46.157.48/update	unknown	—	—	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
5944	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
1268	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1984	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	2.16.168.114:80	crl.microsoft.com	Akamai International B.V.	RU	whitelisted
1268	svchost.exe	2.16.168.114:80	crl.microsoft.com	Akamai International B.V.	RU	whitelisted
1984	RUXIMICS.exe	2.16.168.114:80	crl.microsoft.com	Akamai International B.V.	RU	whitelisted
5944	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
1268	svchost.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 51.104.136.2	whitelisted
google.com	142.250.185.238	whitelisted
crl.microsoft.com	2.16.168.114 2.16.168.124	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
drive.usercontent.google.com	216.58.206.65	whitelisted
watson.events.data.microsoft.com	13.92.180.205	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98 40.91.76.224	whitelisted
x1.c.lencr.org	184.51.141.54	whitelisted
microsoft.com	13.107.246.45	whitelisted
microsoft-com.mail.protection.outlook.com	52.101.11.10 52.101.11.7 52.101.9.21 52.101.8.32	whitelisted

PID	Process	Class	Message
—	—	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
5552	svchost015.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 33
5552	svchost015.exe	A Network Trojan was detected	LOADER [ANY.RUN] GCleaner HTTP Header
5552	svchost015.exe	A Network Trojan was detected	LOADER [ANY.RUN] GCleaner HTTP Header
5552	svchost015.exe	A Network Trojan was detected	LOADER [ANY.RUN] GCleaner HTTP Header
5552	svchost015.exe	A Network Trojan was detected	LOADER [ANY.RUN] GCleaner HTTP Header
5552	svchost015.exe	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
5552	svchost015.exe	Potentially Bad Traffic	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
5552	svchost015.exe	Misc activity	ET INFO EXE - Served Attached HTTP
5552	svchost015.exe	A Network Trojan was detected	LOADER [ANY.RUN] GCleaner HTTP Header

General Info

01f228972518b06279379731a4d0d096d45525fee7c4ad3b8f82ba247f407420.exe

A6474A1A17563528AC60EAE440589741

24189BD3DF4F06D28042B39950937EBAEE5E8EB4

01F228972518B06279379731A4D0D096D45525FEE7C4AD3B8F82BA247F407420

98304:ZUYOz2GVJqxuT+Aj+jjJSDwiKU9rH95UV200tSSFKKXTeicBO73ss9+ftwo5visb:V7Im

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

GCLEANER has been detected (YARA)

GCLEANER has been detected (SURICATA)

Registers / Runs the DLL via REGSVR32.EXE

GENERIC has been found (auto)

SUSPICIOUS

Executable content was dropped or overwritten

There is functionality for taking screenshot (YARA)

Reads security settings of Internet Explorer

Potential Corporate Privacy Violation

Connects to the server without a host name

Starts POWERSHELL.EXE for commands execution

Executes application which crashes

Reads the Windows owner or organization settings

Process drops legitimate windows executable

The process drops C-runtime libraries

Detected use of alternative data streams (AltDS)

Connects to SMTP port

The process executes via Task Scheduler

The process bypasses the loading of PowerShell profile settings

The process hide an interactive prompt from the user

INFO

Creates files or folders in the user directory

Reads the computer name

Compiled with Borland Delphi (YARA)

Checks supported languages

The sample compiled with english language support

Reads the machine GUID from the registry

Reads the software policy settings

Checks proxy server information

Create files in a temporary directory

Creates files in the program directory

Process checks computer location settings

Changes the registry key values via Powershell

Creates a software uninstall entry

Detects InnoSetup installer (YARA)

Manual execution by a user

Application based on Golang

Checks if a key exists in the options dictionary (POWERSHELL)

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information