| File name: | 89b2b74fd9ffb6d52aaab05ef72838dc.exe |
| Full analysis: | https://app.any.run/tasks/4eecccfc-0551-4270-86c7-30bcd33c4e60 |
| Verdict: | Malicious activity |
| Threats: | GCleaner is a type of malware loader that has the capability to deliver numerous malicious software programs, which differ based on the location of the targeted victim. This malware is commonly spread through fraudulent websites that advertise free PC optimization tools |
| Analysis date: | March 24, 2025, 16:57:54 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections |
| MD5: | 89B2B74FD9FFB6D52AAAB05EF72838DC |
| SHA1: | 3754B615061F01731382F2B109525C7839580D96 |
| SHA256: | 5F491C60EAD99ED94AD519645EC06AE76DC7417FC36953A6A8B3AC303B6E2807 |
| SSDEEP: | 98304:O8s9XZ41BwjiDms15c4xkR7dIOlUpOq5o/qZXVsOrXopIWLy6PDZE4hGgMu90OqQ:Mf5hFEs |
MALICIOUS
GENERIC has been found (auto)
- 89b2b74fd9ffb6d52aaab05ef72838dc.exe (PID: 4620)
- svchost015.exe (PID: 5380)
GCLEANER has been detected (YARA)
- svchost015.exe (PID: 5380)
GCLEANER has been detected (SURICATA)
- svchost015.exe (PID: 5380)
LUMMA mutex has been found
- MSBuild.exe (PID: 4464)
Steals credentials from Web Browsers
- MSBuild.exe (PID: 4464)
Actions looks like stealing of personal data
- MSBuild.exe (PID: 4464)
SUSPICIOUS
Reads the BIOS version
- 89b2b74fd9ffb6d52aaab05ef72838dc.exe (PID: 4620)
Executable content was dropped or overwritten
- 89b2b74fd9ffb6d52aaab05ef72838dc.exe (PID: 4620)
- svchost015.exe (PID: 5380)
- jLuUySQsvwz.exe (PID: 3100)
- jLuUySQsvwz.tmp (PID: 4696)
- renaminggroupfiles54.exe (PID: 2236)
Reads security settings of Internet Explorer
- svchost015.exe (PID: 5380)
- renaminggroupfiles54.exe (PID: 2236)
Potential Corporate Privacy Violation
- svchost015.exe (PID: 5380)
Connects to the server without a host name
- svchost015.exe (PID: 5380)
- ePMo88lMcoVpu.exe (PID: 5800)
The process drops C-runtime libraries
- jLuUySQsvwz.tmp (PID: 4696)
Reads the Windows owner or organization settings
- jLuUySQsvwz.tmp (PID: 4696)
Process drops legitimate windows executable
- jLuUySQsvwz.tmp (PID: 4696)
Process communicates with Telegram (possibly using it as an attacker's C2 server)
- MSBuild.exe (PID: 4464)
Starts POWERSHELL.EXE for commands execution
- renaminggroupfiles54.exe (PID: 2236)
There is functionality for taking screenshot (YARA)
- MSBuild.exe (PID: 4464)
Searches for installed software
- MSBuild.exe (PID: 4464)
INFO
Create files in a temporary directory
- 89b2b74fd9ffb6d52aaab05ef72838dc.exe (PID: 4620)
- jLuUySQsvwz.exe (PID: 3100)
- jLuUySQsvwz.tmp (PID: 4696)
- svchost015.exe (PID: 5380)
Reads the computer name
- 89b2b74fd9ffb6d52aaab05ef72838dc.exe (PID: 4620)
- svchost015.exe (PID: 5380)
- renaminggroupfiles54.exe (PID: 2236)
- jLuUySQsvwz.tmp (PID: 4696)
- MSBuild.exe (PID: 4464)
- PRjIkpXSu.exe (PID: 5156)
- ePMo88lMcoVpu.exe (PID: 5800)
Checks supported languages
- 89b2b74fd9ffb6d52aaab05ef72838dc.exe (PID: 4620)
- svchost015.exe (PID: 5380)
- jLuUySQsvwz.exe (PID: 3100)
- jLuUySQsvwz.tmp (PID: 4696)
- renaminggroupfiles54.exe (PID: 2236)
- YrTc15LRYqdK.exe (PID: 5984)
- MSBuild.exe (PID: 4464)
- PRjIkpXSu.exe (PID: 5156)
- ePMo88lMcoVpu.exe (PID: 5800)
Checks proxy server information
- svchost015.exe (PID: 5380)
- slui.exe (PID: 4212)
Creates files or folders in the user directory
- svchost015.exe (PID: 5380)
- jLuUySQsvwz.tmp (PID: 4696)
The sample compiled with english language support
- 89b2b74fd9ffb6d52aaab05ef72838dc.exe (PID: 4620)
- jLuUySQsvwz.tmp (PID: 4696)
- renaminggroupfiles54.exe (PID: 2236)
Reads the machine GUID from the registry
- svchost015.exe (PID: 5380)
- MSBuild.exe (PID: 4464)
Creates a software uninstall entry
- jLuUySQsvwz.tmp (PID: 4696)
Creates files in the program directory
- renaminggroupfiles54.exe (PID: 2236)
Process checks computer location settings
- renaminggroupfiles54.exe (PID: 2236)
Reads the software policy settings
- MSBuild.exe (PID: 4464)
- slui.exe (PID: 4212)
Detects InnoSetup installer (YARA)
- jLuUySQsvwz.exe (PID: 3100)
- jLuUySQsvwz.tmp (PID: 4696)
Changes the registry key values via Powershell
- renaminggroupfiles54.exe (PID: 2236)
Compiled with Borland Delphi (YARA)
- jLuUySQsvwz.tmp (PID: 4696)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable (generic) (42.6) |
|---|---|---|
| .exe | | | Win16/32 Executable Delphi generic (19.5) |
| .exe | | | Generic Win/DOS Executable (18.9) |
| .exe | | | DOS Executable Generic (18.9) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 1992:06:19 22:22:17+00:00 |
| ImageFileCharacteristics: | Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 398848 |
| InitializedDataSize: | 4214272 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x8d0000 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 2.0.4.0 |
| ProductVersionNumber: | 2.0.4.0 |
| FileFlagsMask: | 0x0017 |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| FileVersion: | 2, 0, 4, 0 |
| InternalName: | A2Master |
| LegalCopyright: | Copyright В© 1999-2010 Gladiators Software |
| OriginalFileName: | A2Master.exe |
| ProductName: | Aston2 |
| ProductVersion: | 2, 0, 4, 0 |
Total processes
140
Monitored processes
13
Malicious processes
6
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1180 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "fGrRename" -Value "C:\ProgramData\RenamingGroupFiles\RenamingGroupFiles.exe" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | — | renaminggroupfiles54.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2236 | "C:\Users\admin\AppData\Local\Renaming Group Files 5.4\renaminggroupfiles54.exe" -i | C:\Users\admin\AppData\Local\Renaming Group Files 5.4\renaminggroupfiles54.exe | jLuUySQsvwz.tmp | ||||||||||||
User: admin Integrity Level: MEDIUM Version: 3.3.5.5 Modules
| |||||||||||||||
| 3100 | "C:\Users\admin\AppData\Roaming\YnYaVLmiP\jLuUySQsvwz.exe" | C:\Users\admin\AppData\Roaming\YnYaVLmiP\jLuUySQsvwz.exe | svchost015.exe | ||||||||||||
User: admin Company: Integrity Level: MEDIUM Description: Renaming Group Files Setup Version: Modules
| |||||||||||||||
| 4068 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | YrTc15LRYqdK.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4180 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4212 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4464 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | YrTc15LRYqdK.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: MSBuild.exe Exit code: 0 Version: 4.8.9037.0 built by: NET481REL1 Modules
| |||||||||||||||
| 4620 | "C:\Users\admin\Desktop\89b2b74fd9ffb6d52aaab05ef72838dc.exe" | C:\Users\admin\Desktop\89b2b74fd9ffb6d52aaab05ef72838dc.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Version: 2, 0, 4, 0 Modules
| |||||||||||||||
| 4696 | "C:\Users\admin\AppData\Local\Temp\is-Q0GRQ.tmp\jLuUySQsvwz.tmp" /SL5="$8029A,3159030,56832,C:\Users\admin\AppData\Roaming\YnYaVLmiP\jLuUySQsvwz.exe" | C:\Users\admin\AppData\Local\Temp\is-Q0GRQ.tmp\jLuUySQsvwz.tmp | jLuUySQsvwz.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: Setup/Uninstall Version: 51.52.0.0 Modules
| |||||||||||||||
| 5156 | "C:\Users\admin\AppData\Roaming\Oujx8DUp9jp\PRjIkpXSu.exe" | C:\Users\admin\AppData\Roaming\Oujx8DUp9jp\PRjIkpXSu.exe | — | svchost015.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: Gcleanerapp Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
Total events
12 517
Read events
12 500
Write events
17
Delete events
0
Modification events
| (PID) Process: | (5380) svchost015.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (5380) svchost015.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (5380) svchost015.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
| (PID) Process: | (4696) jLuUySQsvwz.tmp | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Renaming Group Files_is1 |
| Operation: | write | Name: | Inno Setup: Setup Version |
Value: 5.5.8 (a) | |||
| (PID) Process: | (4696) jLuUySQsvwz.tmp | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Renaming Group Files_is1 |
| Operation: | write | Name: | Inno Setup: App Path |
Value: C:\Users\admin\AppData\Local\Renaming Group Files 5.4 | |||
| (PID) Process: | (4696) jLuUySQsvwz.tmp | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Renaming Group Files_is1 |
| Operation: | write | Name: | InstallLocation |
Value: C:\Users\admin\AppData\Local\Renaming Group Files 5.4\ | |||
| (PID) Process: | (4696) jLuUySQsvwz.tmp | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Renaming Group Files_is1 |
| Operation: | write | Name: | Inno Setup: Icon Group |
Value: (Default) | |||
| (PID) Process: | (4696) jLuUySQsvwz.tmp | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Renaming Group Files_is1 |
| Operation: | write | Name: | Inno Setup: User |
Value: admin | |||
| (PID) Process: | (4696) jLuUySQsvwz.tmp | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Renaming Group Files_is1 |
| Operation: | write | Name: | Inno Setup: Language |
Value: English | |||
| (PID) Process: | (4696) jLuUySQsvwz.tmp | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Renaming Group Files_is1 |
| Operation: | write | Name: | DisplayName |
Value: Renaming Group Files 5.4 | |||
Executable files
39
Suspicious files
8
Text files
5
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4620 | 89b2b74fd9ffb6d52aaab05ef72838dc.exe | C:\Users\admin\AppData\Local\Temp\svchost015.exe | executable | |
MD5:B826DD92D78EA2526E465A34324EBEEA | SHA256:7824B50ACDD144764DAC7445A4067B35CF0FEF619E451045AB6C1F54F5653A5B | |||
| 5380 | svchost015.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\fuckingdllENCR[1].dll | binary | |
MD5:4BC1EF6688690AF3DD8D3D70906A9F98 | SHA256:7703A6B77C0B0935F5900A2D846CFA3AB59B46D03A1A0844F6BCB5CF9496B2FE | |||
| 5380 | svchost015.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\info[1].htm | text | |
MD5:FE9B08252F126DDFCB87FB82F9CC7677 | SHA256:E63E7EBE4C2DB7E61FFC71AF0675E870BCDE0A9D8916E5B3BE0CB252478030BF | |||
| 5380 | svchost015.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\success[1].htm | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:— | |||
| 4696 | jLuUySQsvwz.tmp | C:\Users\admin\AppData\Local\Renaming Group Files 5.4\is-UNVKS.tmp | executable | |
MD5:A7F201C0B9AC05E950ECC55D4403EC16 | SHA256:173092C4E256958B100683A6AB2CE0D1C9895EC63F222198F9DE485E61C728CA | |||
| 4696 | jLuUySQsvwz.tmp | C:\Users\admin\AppData\Local\Renaming Group Files 5.4\icuin51.dll | executable | |
MD5:A7F201C0B9AC05E950ECC55D4403EC16 | SHA256:173092C4E256958B100683A6AB2CE0D1C9895EC63F222198F9DE485E61C728CA | |||
| 4696 | jLuUySQsvwz.tmp | C:\Users\admin\AppData\Local\Renaming Group Files 5.4\uninstall\unins000.exe | executable | |
MD5:EA258FC63B1417666DB137C33EA726AB | SHA256:07643082B8BCED03E89A14F946D9BF92C3B65A20369F30AD7F335BC189B33816 | |||
| 4696 | jLuUySQsvwz.tmp | C:\Users\admin\AppData\Local\Renaming Group Files 5.4\icuuc51.dll | executable | |
MD5:DAE4100039A943128C34BA3E05F6CD02 | SHA256:2357806CA24C9D3152D54D34270810DA9D9CA943462EBF7291AE06A10E5CB8BA | |||
| 4696 | jLuUySQsvwz.tmp | C:\Users\admin\AppData\Local\Renaming Group Files 5.4\is-QMT16.tmp | executable | |
MD5:EAE56B896A718C3BC87A4253832A5650 | SHA256:EE1D7D8F396D627FEE7DCF2655FB5ACFE5A1EE2A5DEEDA764EF311E75B94CEA1 | |||
| 4696 | jLuUySQsvwz.tmp | C:\Users\admin\AppData\Local\Renaming Group Files 5.4\libGLESv2.dll | executable | |
MD5:A73EE126B2E6D43182D4C3482899D338 | SHA256:06BBE605D7B0EF044871633B496948A8D65C78661E457D0844DC434A0609F763 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
22
TCP/UDP connections
30
DNS requests
8
Threats
22
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5380 | svchost015.exe | GET | 200 | 185.156.73.98:80 | http://185.156.73.98/success?substr=mixfour&s=three&sub=none | unknown | — | — | unknown |
5380 | svchost015.exe | GET | — | 185.156.73.98:80 | http://185.156.73.98/info | unknown | — | — | malicious |
5380 | svchost015.exe | GET | 200 | 185.156.73.98:80 | http://185.156.73.98/info | unknown | — | — | malicious |
5380 | svchost015.exe | GET | 200 | 185.156.73.98:80 | http://185.156.73.98/update | unknown | — | — | malicious |
5380 | svchost015.exe | GET | 200 | 185.156.73.98:80 | http://185.156.73.98/service | unknown | — | — | malicious |
5380 | svchost015.exe | GET | 200 | 185.156.73.98:80 | http://185.156.73.98/service | unknown | — | — | malicious |
5380 | svchost015.exe | GET | 200 | 185.156.73.98:80 | http://185.156.73.98/service | unknown | — | — | malicious |
5380 | svchost015.exe | GET | 200 | 185.156.73.98:80 | http://185.156.73.98/service | unknown | — | — | malicious |
5800 | ePMo88lMcoVpu.exe | GET | 200 | 185.156.73.98:80 | http://185.156.73.98/success?substr=test&s=test&sub=nn | unknown | — | — | unknown |
5380 | svchost015.exe | GET | 200 | 185.156.73.98:80 | http://185.156.73.98/service | unknown | — | — | malicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5380 | svchost015.exe | 185.156.73.98:80 | — | OOO SibirInvest | RU | unknown |
4464 | MSBuild.exe | 149.154.167.99:443 | t.me | Telegram Messenger Inc | GB | whitelisted |
4464 | MSBuild.exe | 104.21.16.1:443 | cosmosyf.top | CLOUDFLARENET | — | unknown |
5800 | ePMo88lMcoVpu.exe | 185.156.73.98:80 | — | OOO SibirInvest | RU | unknown |
2136 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4212 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
t.me |
| whitelisted |
cosmosyf.top |
| unknown |
activation-v2.sls.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
5380 | svchost015.exe | A Network Trojan was detected | LOADER [ANY.RUN] GCleaner HTTP Header |
5380 | svchost015.exe | A Network Trojan was detected | LOADER [ANY.RUN] GCleaner HTTP Header |
5380 | svchost015.exe | A Network Trojan was detected | LOADER [ANY.RUN] GCleaner HTTP Header |
5380 | svchost015.exe | A Network Trojan was detected | LOADER [ANY.RUN] GCleaner HTTP Header |
5380 | svchost015.exe | A Network Trojan was detected | LOADER [ANY.RUN] GCleaner HTTP Header |
5380 | svchost015.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP |
5380 | svchost015.exe | Potentially Bad Traffic | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response |
5380 | svchost015.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
5380 | svchost015.exe | A Network Trojan was detected | LOADER [ANY.RUN] GCleaner HTTP Header |
4464 | MSBuild.exe | Misc activity | ET INFO Observed Telegram Domain (t .me in TLS SNI) |