File name:

SecuriteInfo.com.Win32.MalwareX-gen.15343.21443

Full analysis: https://app.any.run/tasks/16765f8c-6274-46b5-917b-a29377ac157b
Verdict: Malicious activity
Threats:

GCleaner is a type of malware loader that has the capability to deliver numerous malicious software programs, which differ based on the location of the targeted victim. This malware is commonly spread through fraudulent websites that advertise free PC optimization tools

Malware Trends Tracker     >>>
Analysis date: June 21, 2025, 15:23:17
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
delphi
gcleaner
loader
auto
generic
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:

F1983D7900A62D5518182B1F91288DAD

SHA1:

62AFE8435F4F01AD25BDC3D5D91CDA0CC2BFC2DD

SHA256:

269D27FE9542455527B4C44460C2A9C291D233C5EC1BD82206A77F1D228BCABF

SSDEEP:

98304:1iRrKhVGDnH37jhawBJnXb899rZnmXIVwwcihwzEwBOi1UVlRt6Cq+hf6y3PRFR2:VrEB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • SecuriteInfo.com.Win32.MalwareX-gen.15343.21443.exe (PID: 3752)
      • svchost015.exe (PID: 7116)

    • GCLEANER has been detected (SURICATA)

      • svchost015.exe (PID: 7116)

    • GENERIC has been found (auto)

      • svchost015.exe (PID: 7116)

  • SUSPICIOUS

    • There is functionality for taking screenshot (YARA)

      • SecuriteInfo.com.Win32.MalwareX-gen.15343.21443.exe (PID: 3752)
      • svchost015.exe (PID: 7116)

    • Executable content was dropped or overwritten

      • SecuriteInfo.com.Win32.MalwareX-gen.15343.21443.exe (PID: 3752)
      • svchost015.exe (PID: 7116)

    • Reads security settings of Internet Explorer

      • svchost015.exe (PID: 7116)

    • Connects to the server without a host name

      • svchost015.exe (PID: 7116)

    • Potential Corporate Privacy Violation

      • svchost015.exe (PID: 7116)

  • INFO

    • The sample compiled with chinese language support

      • SecuriteInfo.com.Win32.MalwareX-gen.15343.21443.exe (PID: 3752)

    • Compiled with Borland Delphi (YARA)

      • SecuriteInfo.com.Win32.MalwareX-gen.15343.21443.exe (PID: 3752)

    • Checks supported languages

      • SecuriteInfo.com.Win32.MalwareX-gen.15343.21443.exe (PID: 3752)
      • svchost015.exe (PID: 7116)

    • Create files in a temporary directory

      • SecuriteInfo.com.Win32.MalwareX-gen.15343.21443.exe (PID: 3752)
      • svchost015.exe (PID: 7116)

    • The sample compiled with english language support

      • SecuriteInfo.com.Win32.MalwareX-gen.15343.21443.exe (PID: 3752)

    • Reads the computer name

      • svchost015.exe (PID: 7116)

    • Reads the machine GUID from the registry

      • svchost015.exe (PID: 7116)

    • Checks proxy server information

      • svchost015.exe (PID: 7116)
      • slui.exe (PID: 3580)

    • Reads the software policy settings

      • svchost015.exe (PID: 7116)
      • slui.exe (PID: 3580)

    • Creates files or folders in the user directory

      • svchost015.exe (PID: 7116)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Delphi generic (37.4)
.scr | Windows screen saver (34.5)
.exe | Win32 Executable (generic) (11.9)
.exe | Win16/32 Executable Delphi generic (5.4)
.exe | Generic Win/DOS Executable (5.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 494080
InitializedDataSize: 2997248
UninitializedDataSize: -
EntryPoint: 0x79814
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 3.7.0.1220
ProductVersionNumber: 3.7.0.1220
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
Comments: Fl as hGet3
CompanyName: Tren d Media Corporation Limited
FileDescription: FlashGet3
FileVersion: 3, 7, 0, 1220
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
139
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start securiteinfo.com.win32.malwarex-gen.15343.21443.exe #GCLEANER svchost015.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
3580C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
3752"C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.Win32.MalwareX-gen.15343.21443.exe" C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.Win32.MalwareX-gen.15343.21443.exe
explorer.exe
User:
admin
Company:
Tren d Media Corporation Limited
Integrity Level:
MEDIUM
Description:
FlashGet3
Exit code:
0
Version:
3, 7, 0, 1220
Modules
Images
c:\users\admin\appdata\local\temp\securiteinfo.com.win32.malwarex-gen.15343.21443.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
7116C:\Users\admin\AppData\Local\Temp\svchost015.exeC:\Users\admin\AppData\Local\Temp\svchost015.exe
SecuriteInfo.com.Win32.MalwareX-gen.15343.21443.exe
User:
admin
Company:
RealVNC Ltd
Integrity Level:
MEDIUM
Description:
VNC® Server Licensing
Exit code:
0
Version:
6.0.1 (r23971)
Modules
Images
c:\users\admin\appdata\local\temp\svchost015.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events
1 382
Read events
1 379
Write events
3
Delete events
0

Modification events

(PID) Process:(7116) svchost015.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(7116) svchost015.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(7116) svchost015.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
6
Suspicious files
11
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
3752SecuriteInfo.com.Win32.MalwareX-gen.15343.21443.exeC:\Users\admin\AppData\Local\Temp\svcA18F.tmpexecutable
MD5:45305A46E6F927367632F669995BB1F1
SHA256:524921FBBA041CE579B9E438D75F79B10AC5BC6165E23CC58AF106B2D4365A43
3752SecuriteInfo.com.Win32.MalwareX-gen.15343.21443.exeC:\Users\admin\AppData\Local\Temp\svchost015.exeexecutable
MD5:CEEAE1523C3864B719E820B75BF728AA
SHA256:4E04E2FB20A9C6846B5D693EA67098214F77737F4F1F3DF5F0C78594650E7F71
7116svchost015.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8binary
MD5:1FBB37F79B317A9A248E7C4CE4F5BAC5
SHA256:9BF639C595FE335B6F694EE35990BEFD2123F5E07FD1973FF619E3FC88F5F49F
7116svchost015.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12binary
MD5:4A90329071AE30B759D279CCA342B0A6
SHA256:4F544379EDA8E2653F71472AB968AEFD6B5D1F4B3CE28A5EDB14196184ED3B60
7116svchost015.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8binary
MD5:0A8DEC890E8F019BC09B5A709B7BE49D
SHA256:BE6A5EC85CC4CA7C758E6ABFF86D3CE378217E762AA8DF8A146C2D8D38B41F07
7116svchost015.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\info[1].htmtext
MD5:FE9B08252F126DDFCB87FB82F9CC7677
SHA256:E63E7EBE4C2DB7E61FFC71AF0675E870BCDE0A9D8916E5B3BE0CB252478030BF
7116svchost015.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\fuckingdllENCR[1].dllbinary
MD5:4BC1EF6688690AF3DD8D3D70906A9F98
SHA256:7703A6B77C0B0935F5900A2D846CFA3AB59B46D03A1A0844F6BCB5CF9496B2FE
7116svchost015.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12binary
MD5:E1406994D219C32E5B75413CF34D63FB
SHA256:52402F1A47FD8298E0DE812D042E835EA20DE6970BE6F3DDEAB161773B22DE08
7116svchost015.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\text[1]text
MD5:5E847B1CC501E8A09997640FED7DB52F
SHA256:C06903CB5A25E63794907092B488A8580074C872272A9FC51CEF5E76EEECF7A2
7116svchost015.exeC:\Users\admin\AppData\Local\Temp\8ffJ7eWtGKGsEFzfffw8D\YCL.exeexecutable
MD5:7D93971CD051866725F8AB32C81BDCF1
SHA256:8E9721500C5E789DB49525011DC204305E8DD11F59A2E65BB3862C85BC58E48D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
25
TCP/UDP connections
29
DNS requests
18
Threats
21

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
184.24.77.22:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7116
svchost015.exe
GET
200
185.156.72.196:80
http://185.156.72.196/service
unknown
malicious
7116
svchost015.exe
GET
200
185.156.72.196:80
http://185.156.72.196/service
unknown
malicious
1268
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7116
svchost015.exe
GET
200
172.217.18.3:80
http://c.pki.goog/r/r4.crl
unknown
whitelisted
7116
svchost015.exe
GET
200
172.217.18.3:80
http://c.pki.goog/r/gsr1.crl
unknown
whitelisted
7116
svchost015.exe
GET
200
172.217.18.3:80
http://o.pki.goog/we2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTuMJxAT2trYla0jia%2F5EUSmLrk3QQUdb7Ed66J9kQ3fc%2BxaB8dGuvcNFkCEQCLv9IIZH%2B2MBIS18%2FOut80
unknown
whitelisted
7116
svchost015.exe
GET
200
185.156.72.196:80
http://185.156.72.196/success?substr=mixtwo&s=three&sub=none
unknown
malicious
7116
svchost015.exe
GET
200
185.156.72.196:80
http://185.156.72.196/update
unknown
malicious
7116
svchost015.exe
GET
200
185.156.72.196:80
http://185.156.72.196/info
unknown
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4708
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
184.24.77.22:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5944
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7116
svchost015.exe
142.250.184.225:443
drive.usercontent.google.com
GOOGLE
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.78
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 184.24.77.22
  • 184.24.77.31
  • 184.24.77.34
  • 184.24.77.18
  • 184.24.77.30
  • 184.24.77.19
  • 184.24.77.16
  • 184.24.77.14
  • 184.24.77.23
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
drive.usercontent.google.com
  • 142.250.184.225
whitelisted
c.pki.goog
  • 172.217.18.3
whitelisted
o.pki.goog
  • 172.217.18.3
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
login.live.com
  • 40.126.31.3
  • 40.126.31.131
  • 20.190.159.4
  • 20.190.159.0
  • 20.190.159.131
  • 40.126.31.1
  • 40.126.31.129
  • 20.190.159.64
whitelisted

Threats

PID
Process
Class
Message
7116
svchost015.exe
A Network Trojan was detected
LOADER [ANY.RUN] GCleaner HTTP Header
7116
svchost015.exe
A Network Trojan was detected
LOADER [ANY.RUN] GCleaner HTTP Header
7116
svchost015.exe
A Network Trojan was detected
LOADER [ANY.RUN] GCleaner HTTP Header
7116
svchost015.exe
A Network Trojan was detected
LOADER [ANY.RUN] GCleaner HTTP Header
7116
svchost015.exe
A Network Trojan was detected
LOADER [ANY.RUN] GCleaner HTTP Header
7116
svchost015.exe
A Network Trojan was detected
LOADER [ANY.RUN] GCleaner HTTP Header
7116
svchost015.exe
A Network Trojan was detected
LOADER [ANY.RUN] GCleaner HTTP Header
7116
svchost015.exe
A Network Trojan was detected
LOADER [ANY.RUN] GCleaner HTTP Header
7116
svchost015.exe
A Network Trojan was detected
LOADER [ANY.RUN] GCleaner HTTP Header
7116
svchost015.exe
A Network Trojan was detected
LOADER [ANY.RUN] GCleaner HTTP Header
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
SecuriteInfo.com.Win32.MalwareX-gen.15343.21443