File name: rl_32f78d28504cd4cd30e6c0cba38470ac864234f98a0c8620e37ffe3040add185

Full analysis: https://app.any.run/tasks/6d6150e2-24fd-4a37-a7db-f21bdbc811fd
Verdict: Malicious activity
Threats:

GCleaner is a type of malware loader that has the capability to deliver numerous malicious software programs, which differ based on the location of the targeted victim. This malware is commonly spread through fraudulent websites that advertise free PC optimization tools.

Analysis date: July 06, 2025, 05:04:17
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
delphi
gcleaner
loader
telegram
inno
installer
lumma
stealer
auto
generic
golang
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5: 37A590E76720C825E2F42AC34358892D
SHA1: 0B7A1A18EF82BD90F136E4D8FDFC17A7B0BF596E
SHA256: 32F78D28504CD4CD30E6C0CBA38470AC864234F98A0C8620E37FFE3040ADD185
SSDEEP: 98304:xa9TqaWZiXhKyXRDfV6HtZuZM/foa9hBz7QCMU6LDAvJYmfqFJdVVOc2JtTBIUL0:A8X5mn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • rl_32f78d28504cd4cd30e6c0cba38470ac864234f98a0c8620e37ffe3040add185.exe (PID: 6852)
      • svchost015.exe (PID: 1496)
      • idQ1Y1ZxJppoa.exe (PID: 3756)
      • idQ1Y1ZxJppoa.exe (PID: 6672)
    • GCLEANER has been detected (YARA)

      • svchost015.exe (PID: 1496)
    • GCLEANER has been detected (SURICATA)

      • svchost015.exe (PID: 1496)
    • LUMMA mutex has been found

      • winhlp32.exe (PID: 2188)
    • Steals credentials from Web Browsers

      • winhlp32.exe (PID: 2188)
    • Actions look like stealing of personal data

      • winhlp32.exe (PID: 2188)
    • Registers / Runs the DLL via REGSVR32.EXE

      • idQ1Y1ZxJppoa.tmp (PID: 1268)
    • GENERIC has been found (auto)

      • svchost015.exe (PID: 1496)
  • SUSPICIOUS

    • There is functionality for taking screenshot (YARA)

      • rl_32f78d28504cd4cd30e6c0cba38470ac864234f98a0c8620e37ffe3040add185.exe (PID: 6852)
      • svchost015.exe (PID: 1496)
      • winhlp32.exe (PID: 2188)
    • Executable content was dropped or overwritten

      • rl_32f78d28504cd4cd30e6c0cba38470ac864234f98a0c8620e37ffe3040add185.exe (PID: 6852)
      • svchost015.exe (PID: 1496)
      • DTxvUOPhsrL.tmp (PID: 2804)
      • DTxvUOPhsrL.exe (PID: 1380)
      • photorecoverytable1192.exe (PID: 6900)
      • idQ1Y1ZxJppoa.exe (PID: 3756)
      • idQ1Y1ZxJppoa.tmp (PID: 3048)
      • idQ1Y1ZxJppoa.exe (PID: 6672)
      • idQ1Y1ZxJppoa.tmp (PID: 1268)
    • Reads security settings of Internet Explorer

      • svchost015.exe (PID: 1496)
      • photorecoverytable1192.exe (PID: 6900)
      • idQ1Y1ZxJppoa.tmp (PID: 3048)
    • Connects to the server without a host name

      • svchost015.exe (PID: 1496)
    • Potential Corporate Privacy Violation

      • svchost015.exe (PID: 1496)
    • Reads the Windows owner or organization settings

      • DTxvUOPhsrL.tmp (PID: 2804)
      • idQ1Y1ZxJppoa.tmp (PID: 3048)
      • idQ1Y1ZxJppoa.tmp (PID: 1268)
    • Process drops legitimate windows executable

      • DTxvUOPhsrL.tmp (PID: 2804)
    • The process drops C-runtime libraries

      • DTxvUOPhsrL.tmp (PID: 2804)
    • Starts POWERSHELL.EXE for commands execution

      • photorecoverytable1192.exe (PID: 6900)
      • regsvr32.exe (PID: 4544)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • winhlp32.exe (PID: 2188)
    • The process hides an interactive prompt from the user

      • regsvr32.exe (PID: 4544)
    • The process bypasses the loading of PowerShell profile settings

      • regsvr32.exe (PID: 4544)
    • Detected use of alternative data streams (AltDS)

      • regsvr32.exe (PID: 4544)
    • Connects to SMTP port

      • regsvr32.exe (PID: 4544)
  • INFO

    • The sample is compiled with English language support

      • rl_32f78d28504cd4cd30e6c0cba38470ac864234f98a0c8620e37ffe3040add185.exe (PID: 6852)
      • photorecoverytable1192.exe (PID: 6900)
      • DTxvUOPhsrL.tmp (PID: 2804)
    • Checks supported languages

      • rl_32f78d28504cd4cd30e6c0cba38470ac864234f98a0c8620e37ffe3040add185.exe (PID: 6852)
      • svchost015.exe (PID: 1496)
      • DTxvUOPhsrL.exe (PID: 1380)
      • DTxvUOPhsrL.tmp (PID: 2804)
      • photorecoverytable1192.exe (PID: 6900)
      • PPNdX5oT1MRwx.exe (PID: 7132)
      • idQ1Y1ZxJppoa.exe (PID: 3756)
      • idQ1Y1ZxJppoa.tmp (PID: 3048)
      • idQ1Y1ZxJppoa.exe (PID: 6672)
      • idQ1Y1ZxJppoa.tmp (PID: 1268)
      • identity_helper.exe (PID: 7712)
    • Compiled with Borland Delphi (YARA)

      • rl_32f78d28504cd4cd30e6c0cba38470ac864234f98a0c8620e37ffe3040add185.exe (PID: 6852)
      • DTxvUOPhsrL.tmp (PID: 2804)
      • idQ1Y1ZxJppoa.tmp (PID: 1268)
      • idQ1Y1ZxJppoa.exe (PID: 6672)
    • Create files in a temporary directory

      • rl_32f78d28504cd4cd30e6c0cba38470ac864234f98a0c8620e37ffe3040add185.exe (PID: 6852)
      • DTxvUOPhsrL.tmp (PID: 2804)
      • DTxvUOPhsrL.exe (PID: 1380)
      • idQ1Y1ZxJppoa.exe (PID: 3756)
      • idQ1Y1ZxJppoa.exe (PID: 6672)
      • idQ1Y1ZxJppoa.tmp (PID: 3048)
      • idQ1Y1ZxJppoa.tmp (PID: 1268)
      • svchost015.exe (PID: 1496)
    • Reads the computer name

      • svchost015.exe (PID: 1496)
      • DTxvUOPhsrL.tmp (PID: 2804)
      • photorecoverytable1192.exe (PID: 6900)
      • idQ1Y1ZxJppoa.tmp (PID: 3048)
      • idQ1Y1ZxJppoa.tmp (PID: 1268)
      • identity_helper.exe (PID: 7712)
    • Checks proxy server information

      • svchost015.exe (PID: 1496)
      • slui.exe (PID: 2460)
    • Reads the machine GUID from the registry

      • svchost015.exe (PID: 1496)
      • winhlp32.exe (PID: 2188)
    • Reads the software policy settings

      • svchost015.exe (PID: 1496)
      • winhlp32.exe (PID: 2188)
      • slui.exe (PID: 2460)
    • Creates files or folders in the user directory

      • svchost015.exe (PID: 1496)
      • DTxvUOPhsrL.tmp (PID: 2804)
      • idQ1Y1ZxJppoa.tmp (PID: 1268)
    • Creates a software uninstall entry

      • DTxvUOPhsrL.tmp (PID: 2804)
    • Creates files in the program directory

      • photorecoverytable1192.exe (PID: 6900)
    • Process checks computer location settings

      • photorecoverytable1192.exe (PID: 6900)
      • svchost015.exe (PID: 1496)
      • idQ1Y1ZxJppoa.tmp (PID: 3048)
    • Changes the registry key values via Powershell

      • photorecoverytable1192.exe (PID: 6900)
    • Application launched itself

      • chrome.exe (PID: 4864)
      • chrome.exe (PID: 3740)
      • chrome.exe (PID: 4844)
      • chrome.exe (PID: 4860)
      • msedge.exe (PID: 2448)
      • msedge.exe (PID: 7768)
      • msedge.exe (PID: 592)
    • Detects InnoSetup installer (YARA)

      • DTxvUOPhsrL.exe (PID: 1380)
      • DTxvUOPhsrL.tmp (PID: 2804)
      • idQ1Y1ZxJppoa.exe (PID: 6672)
      • idQ1Y1ZxJppoa.tmp (PID: 1268)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 2288)
      • powershell.exe (PID: 7292)
    • Application based on Golang

      • idQ1Y1ZxJppoa.tmp (PID: 1268)
    • Reads Environment values

      • identity_helper.exe (PID: 7712)
No Malware configuration.

TRiD

.exe | Win32 Executable Delphi generic (37.4)
.scr | Windows screen saver (34.5)
.exe | Win32 Executable (generic) (11.9)
.exe | Win16/32 Executable Delphi generic (5.4)
.exe | Generic Win/DOS Executable (5.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 476160
InitializedDataSize: 4605440
UninitializedDataSize: -
EntryPoint: 0x752c8
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: -
FileDescription: -
FileVersion: 1.0.0.0
InternalName: -
LegalCopyright: -
LegalTrademarks: -
OriginalFileName: -
ProductName: -
ProductVersion: 1.0.0.0
Comments: -
Total processes: 235
Monitored processes: 98
Malicious processes: 11
Suspicious processes: 2

Behavior graph

The interactive process graph is only available in the full report. Its nodes, as extracted: rl_32f78d28504cd4cd30e6c0cba38470ac864234f98a0c8620e37ffe3040add185.exe (start), #GCLEANER svchost015.exe, dtxvuophsrl.exe, dtxvuophsrl.tmp, photorecoverytable1192.exe, powershell.exe, conhost.exe, ppndx5ot1mrwx.exe, #LUMMA winhlp32.exe, slui.exe, idq1y1zxjppoa.exe and idq1y1zxjppoa.tmp (two instances each), regsvr32.exe (two instances), identity_helper.exe, svchost.exe, and a large number of chrome.exe and msedge.exe child processes.

Process information

Fields per process: PID, CMD, Path, Indicators, Parent process
PID: 316
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 316
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=2724,i,12628829063052716319,18050866155485642637,262144 --variations-seed-version --mojo-platform-channel-handle=2808 /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 133.0.3065.92
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 436
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=2204,i,17548708285498852930,5752752899391090288,262144 --variations-seed-version --mojo-platform-channel-handle=2528 /prefetch:3
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Version: 133.0.3065.92
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 592
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: winhlp32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Version: 133.0.3065.92
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1028
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --field-trial-handle=1964,i,18443777098850684642,3598953634993001780,262144 --variations-seed-version --mojo-platform-channel-handle=2220 /prefetch:3
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Exit code: 0
Version: 133.0.6943.127
Modules (images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1040
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --disable-quic --onnx-enabled-for-ee --string-annotations --always-read-main-dll --field-trial-handle=5744,i,11443893637629907642,7885025149809654234,262144 --variations-seed-version --mojo-platform-channel-handle=5984 /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 133.0.3065.92
Modules (images):
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1204
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1268
CMD: "C:\Users\admin\AppData\Local\Temp\is-B83RD.tmp\idQ1Y1ZxJppoa.tmp" /SL5="$A031C,2525909,817664,C:\Users\admin\AppData\Roaming\i2A1rTsS0O\idQ1Y1ZxJppoa.exe" /VERYSILENT
Path: C:\Users\admin\AppData\Local\Temp\is-B83RD.tmp\idQ1Y1ZxJppoa.tmp
Parent process: idQ1Y1ZxJppoa.exe
User: admin
Company: -
Integrity Level: MEDIUM
Description: Setup/Uninstall
Version: 51.1052.0.0
Modules (images):
c:\users\admin\appdata\local\temp\is-b83rd.tmp\idq1y1zxjppoa.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll
PID: 1380
CMD: "C:\Users\admin\AppData\Roaming\5ksqqR6lQlB\DTxvUOPhsrL.exe"
Path: C:\Users\admin\AppData\Roaming\5ksqqR6lQlB\DTxvUOPhsrL.exe
Parent process: svchost015.exe
User: admin
Company: -
Integrity Level: MEDIUM
Description: Photo Recovery Table Setup
Version: -
Modules (images):
c:\users\admin\appdata\roaming\5ksqqr6lqlb\dtxvuophsrl.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 1496
CMD: C:\Users\admin\AppData\Local\Temp\svchost015.exe
Path: C:\Users\admin\AppData\Local\Temp\svchost015.exe
Parent process: rl_32f78d28504cd4cd30e6c0cba38470ac864234f98a0c8620e37ffe3040add185.exe
User: admin
Company: RealVNC Ltd
Integrity Level: MEDIUM
Description: VNC® Server Licensing
Exit code: 0
Version: 6.0.1 (r23971)
Modules (images):
c:\users\admin\appdata\local\temp\svchost015.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events: 50 771
Read events: 50 690
Write events: 77
Delete events: 4

Modification events

Process: svchost015.exe (PID 1496)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

Process: svchost015.exe (PID 1496)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Process: svchost015.exe (PID 1496)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Process: DTxvUOPhsrL.tmp (PID 2804)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Photo Recovery Table_is1
Operation: write
Name: Inno Setup: Setup Version
Value: 5.5.1 (a)

Process: DTxvUOPhsrL.tmp (PID 2804)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Photo Recovery Table_is1
Operation: write
Name: Inno Setup: App Path
Value: C:\Users\admin\AppData\Local\Photo Recovery Table 1.3.3.1193

Process: DTxvUOPhsrL.tmp (PID 2804)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Photo Recovery Table_is1
Operation: write
Name: InstallLocation
Value: C:\Users\admin\AppData\Local\Photo Recovery Table 1.3.3.1193\

Process: DTxvUOPhsrL.tmp (PID 2804)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Photo Recovery Table_is1
Operation: write
Name: Inno Setup: Icon Group
Value: (Default)

Process: DTxvUOPhsrL.tmp (PID 2804)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Photo Recovery Table_is1
Operation: write
Name: Inno Setup: User
Value: admin

Process: DTxvUOPhsrL.tmp (PID 2804)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Photo Recovery Table_is1
Operation: write
Name: Inno Setup: Language
Value: English

Process: DTxvUOPhsrL.tmp (PID 2804)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Photo Recovery Table_is1
Operation: write
Name: DisplayName
Value: Photo Recovery Table 2.0.4.1192
Executable files: 85
Suspicious files: 695
Text files: 268
Unknown types: 0

Dropped files

PID | Process | Filename | Type

1496 | svchost015.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\fuckingdllENCR[1].dll | binary
MD5: 4BC1EF6688690AF3DD8D3D70906A9F98
SHA256: 6BBFC32B36972B252587914130FF5018E20B4327D28A4AE6DB06395B80ACA4CE

1496 | svchost015.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\success[1].htm | binary
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B

1496 | svchost015.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\info[1].htm | text
MD5: FE9B08252F126DDFCB87FB82F9CC7677
SHA256: E63E7EBE4C2DB7E61FFC71AF0675E870BCDE0A9D8916E5B3BE0CB252478030BF

6852 | rl_32f78d28504cd4cd30e6c0cba38470ac864234f98a0c8620e37ffe3040add185.exe | C:\Users\admin\AppData\Local\Temp\svcB1DB.tmp | executable
MD5: AD387E34F627CBF0E4920439D0ED80A5
SHA256: 410070FEE996ADD03214A3A4AEA30F343A6F8BAED1A7385295F28432760340D1

6852 | rl_32f78d28504cd4cd30e6c0cba38470ac864234f98a0c8620e37ffe3040add185.exe | C:\Users\admin\AppData\Local\Temp\svchost015.exe | executable
MD5: CEEAE1523C3864B719E820B75BF728AA
SHA256: 4E04E2FB20A9C6846B5D693EA67098214F77737F4F1F3DF5F0C78594650E7F71

2804 | DTxvUOPhsrL.tmp | C:\Users\admin\AppData\Local\Temp\is-D4SNO.tmp\_isetup\_iscrypt.dll | executable
MD5: A69559718AB506675E907FE49DEB71E9
SHA256: 2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC

1380 | DTxvUOPhsrL.exe | C:\Users\admin\AppData\Local\Temp\is-0I8KI.tmp\DTxvUOPhsrL.tmp | executable
MD5: 23B6B3A2642A0C2708A353955D0FD233
SHA256: C1A7D9706442A9619208795AB69AD96F3B048BA3A88700DB5CC3D73B07A2B5AB

2804 | DTxvUOPhsrL.tmp | C:\Users\admin\AppData\Local\Temp\is-D4SNO.tmp\_isetup\_shfoldr.dll | executable
MD5: 92DC6EF532FBB4A5C3201469A5B5EB63
SHA256: 9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87

2804 | DTxvUOPhsrL.tmp | C:\Users\admin\AppData\Local\Photo Recovery Table 1.3.3.1193\libEGL.dll | executable
MD5: EAE56B896A718C3BC87A4253832A5650
SHA256: EE1D7D8F396D627FEE7DCF2655FB5ACFE5A1EE2A5DEEDA764EF311E75B94CEA1

2804 | DTxvUOPhsrL.tmp | C:\Users\admin\AppData\Local\Photo Recovery Table 1.3.3.1193\uninstall\is-NS8G5.tmp | executable
MD5: 07F929B9C0D9F3D8934E49D665073C81
SHA256: CFBD850B61F595CD9D8C9E3C3FC36775CCE25FEEA00542F9A285ABE992B4360B
HTTP(S) requests: 502
TCP/UDP connections: 288
DNS requests: 170
Threats: 26

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 173.194.76.84:443 | https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard | unknown | text | 17 b | whitelisted
7008 | chrome.exe | GET | 200 | 142.250.186.174:80 | http://clients2.google.com/time/1/current?cup2key=8:xRKgNQrX21hF0yhwxb8gDx-RerTFMJujzFp2WntVXyc&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | unknown | - | - | whitelisted
- | - | GET | 200 | 172.217.18.106:443 | https://safebrowsingohttpgateway.googleapis.com/v1/ohttp/hpkekeyconfig?key=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE | unknown | binary | 41 b | whitelisted
4804 | RUXIMICS.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4804 | RUXIMICS.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 172.217.18.1:443 | https://drive.usercontent.google.com/download?id=1YBVIDkZgygNfUU2rbJXXCYdrzay5rMdY&export=download&authuser=0&confirm=t | unknown | text | 13 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1268 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4804 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4804 | RUXIMICS.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1268 | svchost.exe | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146, 4.231.128.59 | whitelisted
google.com | 142.250.186.78 | whitelisted
crl.microsoft.com | 23.53.40.178, 23.53.40.176 | whitelisted
www.microsoft.com | 23.52.120.96 | whitelisted
drive.usercontent.google.com | 142.250.185.225 | whitelisted
t.me | 149.154.167.99 | whitelisted
spliba.xyz | 144.172.115.212 | unknown
activation-v2.sls.microsoft.com | 20.83.72.98 | whitelisted
clients2.google.com | 142.250.186.174 | whitelisted
safebrowsingohttpgateway.googleapis.com | 172.217.18.10, 142.250.185.106, 216.58.206.42, 216.58.206.74, 142.250.186.42, 142.250.181.234, 142.250.185.234, 142.250.185.202, 142.250.186.106, 142.250.184.234, 142.250.185.170, 142.250.185.74, 172.217.16.202, 142.250.186.74, 142.250.185.138, 172.217.16.138 | whitelisted

Threats

PID | Process | Class | Message
- | - | A Network Trojan was detected | LOADER [ANY.RUN] GCleaner HTTP Header
- | - | A Network Trojan was detected | LOADER [ANY.RUN] GCleaner HTTP Header
- | - | A Network Trojan was detected | LOADER [ANY.RUN] GCleaner HTTP Header
- | - | A Network Trojan was detected | LOADER [ANY.RUN] GCleaner HTTP Header
- | - | Potentially Bad Traffic | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
- | - | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
- | - | Misc activity | ET INFO EXE - Served Attached HTTP
- | - | A Network Trojan was detected | LOADER [ANY.RUN] GCleaner HTTP Header
- | - | A Network Trojan was detected | LOADER [ANY.RUN] GCleaner HTTP Header
- | - | Misc activity | ET INFO Observed Telegram Domain (t .me in TLS SNI)
No debug info