File name:

SecuriteInfo.com.Trojan.Inject5.57588.19464.25061

Full analysis: https://app.any.run/tasks/07c4ea81-a3a1-4ce7-893d-803293d1211f
Verdict: Malicious activity
Threats:

GCleaner is a type of malware loader that has the capability to deliver numerous malicious software programs, which differ based on the location of the targeted victim. This malware is commonly spread through fraudulent websites that advertise free PC optimization tools

Malware Trends Tracker     >>>
Analysis date: June 22, 2025, 00:11:24
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
delphi
gcleaner
loader
auto
generic
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:

87804A67106D43C13906D08510045E64

SHA1:

50C475D1BBC04DFA7F378225D539A0888AE8D2B1

SHA256:

15A515744C599357ED3C534890753EB7D62930774D962C7936FC29AE5FA360B1

SSDEEP:

98304:miRrKhVLrTMNDojoRKaP5YmBjs0J4b15bZ5oGVS8uy5JK04K2Hr3elnROdRXQyQL:sXbrPUux

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • SecuriteInfo.com.Trojan.Inject5.57588.19464.25061.exe (PID: 2760)
      • svchost015.exe (PID: 4860)

    • GCLEANER has been detected (YARA)

      • svchost015.exe (PID: 4860)

    • GCLEANER has been detected (SURICATA)

      • svchost015.exe (PID: 4860)

    • GENERIC has been found (auto)

      • svchost015.exe (PID: 4860)

  • SUSPICIOUS

    • There is functionality for taking screenshot (YARA)

      • SecuriteInfo.com.Trojan.Inject5.57588.19464.25061.exe (PID: 2760)
      • svchost015.exe (PID: 4860)

    • Executable content was dropped or overwritten

      • SecuriteInfo.com.Trojan.Inject5.57588.19464.25061.exe (PID: 2760)
      • svchost015.exe (PID: 4860)

    • Reads security settings of Internet Explorer

      • svchost015.exe (PID: 4860)

    • Connects to the server without a host name

      • svchost015.exe (PID: 4860)

    • Potential Corporate Privacy Violation

      • svchost015.exe (PID: 4860)

  • INFO

    • Checks supported languages

      • SecuriteInfo.com.Trojan.Inject5.57588.19464.25061.exe (PID: 2760)
      • svchost015.exe (PID: 4860)

    • The sample compiled with chinese language support

      • SecuriteInfo.com.Trojan.Inject5.57588.19464.25061.exe (PID: 2760)

    • The sample compiled with english language support

      • SecuriteInfo.com.Trojan.Inject5.57588.19464.25061.exe (PID: 2760)

    • Compiled with Borland Delphi (YARA)

      • SecuriteInfo.com.Trojan.Inject5.57588.19464.25061.exe (PID: 2760)

    • Reads the computer name

      • svchost015.exe (PID: 4860)

    • Create files in a temporary directory

      • SecuriteInfo.com.Trojan.Inject5.57588.19464.25061.exe (PID: 2760)
      • svchost015.exe (PID: 4860)

    • Creates files or folders in the user directory

      • svchost015.exe (PID: 4860)

    • Reads the software policy settings

      • svchost015.exe (PID: 4860)
      • slui.exe (PID: 5928)

    • Reads the machine GUID from the registry

      • svchost015.exe (PID: 4860)

    • Checks proxy server information

      • svchost015.exe (PID: 4860)
      • slui.exe (PID: 5928)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Delphi generic (37.4)
.scr | Windows screen saver (34.5)
.exe | Win32 Executable (generic) (11.9)
.exe | Win16/32 Executable Delphi generic (5.4)
.exe | Generic Win/DOS Executable (5.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 494080
InitializedDataSize: 2997248
UninitializedDataSize: -
EntryPoint: 0x79814
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 3.7.0.1220
ProductVersionNumber: 3.7.0.1220
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
Comments: Fl as hGet3
CompanyName: Tren d Media Corporation Limited
FileDescription: FlashGet3
FileVersion: 3, 7, 0, 1220
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
139
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start securiteinfo.com.trojan.inject5.57588.19464.25061.exe #GCLEANER svchost015.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
2760"C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Inject5.57588.19464.25061.exe" C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Inject5.57588.19464.25061.exe
explorer.exe
User:
admin
Company:
Tren d Media Corporation Limited
Integrity Level:
MEDIUM
Description:
FlashGet3
Exit code:
0
Version:
3, 7, 0, 1220
Modules
Images
c:\users\admin\appdata\local\temp\securiteinfo.com.trojan.inject5.57588.19464.25061.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
4860C:\Users\admin\AppData\Local\Temp\svchost015.exeC:\Users\admin\AppData\Local\Temp\svchost015.exe
SecuriteInfo.com.Trojan.Inject5.57588.19464.25061.exe
User:
admin
Company:
RealVNC Ltd
Integrity Level:
MEDIUM
Description:
VNC® Server Licensing
Exit code:
0
Version:
6.0.1 (r23971)
Modules
Images
c:\users\admin\appdata\local\temp\svchost015.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
5928C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
1 427
Read events
1 424
Write events
3
Delete events
0

Modification events

(PID) Process:(4860) svchost015.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(4860) svchost015.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(4860) svchost015.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
6
Suspicious files
11
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
4860svchost015.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9E62DD75009A293E0AF9565AE544F23E_62EF4F5924FC0DC7564A4F4F2942BB70binary
MD5:1C09BC68C9493C0098C6A9C5B857E94B
SHA256:326153FF4EEC8A12DF2CB690789214537D1B24C71D1E985D123C77923B6200FA
2760SecuriteInfo.com.Trojan.Inject5.57588.19464.25061.exeC:\Users\admin\AppData\Local\Temp\svc9D0B.tmpexecutable
MD5:45305A46E6F927367632F669995BB1F1
SHA256:524921FBBA041CE579B9E438D75F79B10AC5BC6165E23CC58AF106B2D4365A43
4860svchost015.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\success[1].htmbinary
MD5:CFCD208495D565EF66E7DFF9F98764DA
SHA256:5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
4860svchost015.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\text[1]text
MD5:5E847B1CC501E8A09997640FED7DB52F
SHA256:C06903CB5A25E63794907092B488A8580074C872272A9FC51CEF5E76EEECF7A2
4860svchost015.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\service[1].htmbinary
MD5:CFCD208495D565EF66E7DFF9F98764DA
SHA256:5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
4860svchost015.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\info[1].htmtext
MD5:FE9B08252F126DDFCB87FB82F9CC7677
SHA256:E63E7EBE4C2DB7E61FFC71AF0675E870BCDE0A9D8916E5B3BE0CB252478030BF
4860svchost015.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\service[1].htmbinary
MD5:CFCD208495D565EF66E7DFF9F98764DA
SHA256:5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
4860svchost015.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\dll[1]executable
MD5:2ECB51AB00C5F340380ECF849291DBCF
SHA256:F1B3E0F2750A9103E46A6A4A34F1CF9D17779725F98042CC2475EC66484801CF
4860svchost015.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8binary
MD5:1FBB37F79B317A9A248E7C4CE4F5BAC5
SHA256:9BF639C595FE335B6F694EE35990BEFD2123F5E07FD1973FF619E3FC88F5F49F
4860svchost015.exeC:\Users\admin\Desktop\YCL.lnkbinary
MD5:FD451BE4D29ECD2D1074FDF1043B3059
SHA256:28C60A131294A422C05475D95847D5EE7E553F30D39C957EF27A708BF6EEBD74
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
25
TCP/UDP connections
29
DNS requests
19
Threats
21

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4860
svchost015.exe
GET
200
185.156.72.196:80
http://185.156.72.196/success?substr=mixtwo&s=three&sub=none
unknown
malicious
4860
svchost015.exe
GET
200
142.250.185.67:80
http://c.pki.goog/r/r4.crl
unknown
whitelisted
1080
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
1080
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
3576
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
4860
svchost015.exe
GET
200
185.156.72.196:80
http://185.156.72.196/service
unknown
malicious
4860
svchost015.exe
GET
200
185.156.72.196:80
http://185.156.72.196/info
unknown
malicious
4860
svchost015.exe
GET
200
185.156.72.196:80
http://185.156.72.196/update
unknown
malicious
4860
svchost015.exe
GET
200
185.156.72.196:80
http://185.156.72.196/service
unknown
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1268
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3732
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5944
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4860
svchost015.exe
142.250.185.225:443
drive.usercontent.google.com
GOOGLE
US
whitelisted
4860
svchost015.exe
142.250.185.67:80
c.pki.goog
GOOGLE
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
whitelisted
google.com
  • 216.58.206.78
whitelisted
crl.microsoft.com
  • 23.53.40.176
  • 23.53.40.178
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
drive.usercontent.google.com
  • 142.250.185.225
whitelisted
c.pki.goog
  • 142.250.185.67
whitelisted
o.pki.goog
  • 142.250.185.67
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
login.live.com
  • 20.190.160.22
  • 40.126.32.136
  • 40.126.32.138
  • 20.190.160.65
  • 40.126.32.76
  • 20.190.160.14
  • 20.190.160.2
  • 40.126.32.140
whitelisted

Threats

PID
Process
Class
Message
4860
svchost015.exe
A Network Trojan was detected
LOADER [ANY.RUN] GCleaner HTTP Header
4860
svchost015.exe
A Network Trojan was detected
LOADER [ANY.RUN] GCleaner HTTP Header
4860
svchost015.exe
A Network Trojan was detected
LOADER [ANY.RUN] GCleaner HTTP Header
4860
svchost015.exe
A Network Trojan was detected
LOADER [ANY.RUN] GCleaner HTTP Header
4860
svchost015.exe
A Network Trojan was detected
LOADER [ANY.RUN] GCleaner HTTP Header
4860
svchost015.exe
A Network Trojan was detected
LOADER [ANY.RUN] GCleaner HTTP Header
4860
svchost015.exe
A Network Trojan was detected
LOADER [ANY.RUN] GCleaner HTTP Header
4860
svchost015.exe
A Network Trojan was detected
LOADER [ANY.RUN] GCleaner HTTP Header
4860
svchost015.exe
A Network Trojan was detected
LOADER [ANY.RUN] GCleaner HTTP Header
4860
svchost015.exe
A Network Trojan was detected
LOADER [ANY.RUN] GCleaner HTTP Header
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
SecuriteInfo.com.Trojan.Inject5.57588.19464.25061