File name:

SecuriteInfo.com.Trojan.Inject5.57588.15702.18203

Full analysis: https://app.any.run/tasks/8c9d4e48-e134-4e09-a3c0-0cdf53fbbf70
Verdict: Malicious activity
Threats:

GCleaner is a type of malware loader that has the capability to deliver numerous malicious software programs, which differ based on the location of the targeted victim. This malware is commonly spread through fraudulent websites that advertise free PC optimization tools

Malware Trends Tracker     >>>
Analysis date: June 21, 2025, 18:36:19
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
delphi
gcleaner
loader
auto
generic
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:

4D2BFB0A5D89BCB241E6B01B4BC81224

SHA1:

92B3252CA572B596A5711300566D81BDE430A996

SHA256:

FA6FBB09B7F94B2997010349058B485E0EA85DD4C6E28A9C7AE8CAC3276E96D2

SSDEEP:

98304:FiRrKhVgt+9qqqARNSyUSVQf5X1sU/cQ8jtMop5e8IzRtvGWRTHlDLEm2QUc3EXE:lcKblkv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • SecuriteInfo.com.Trojan.Inject5.57588.15702.18203.exe (PID: 1872)
      • svchost015.exe (PID: 2320)

    • GENERIC has been found (auto)

      • svchost015.exe (PID: 2320)

    • GCLEANER has been detected (SURICATA)

      • svchost015.exe (PID: 2320)

    • GCLEANER has been detected (YARA)

      • svchost015.exe (PID: 2320)

  • SUSPICIOUS

    • There is functionality for taking screenshot (YARA)

      • SecuriteInfo.com.Trojan.Inject5.57588.15702.18203.exe (PID: 1872)
      • svchost015.exe (PID: 2320)

    • Executable content was dropped or overwritten

      • SecuriteInfo.com.Trojan.Inject5.57588.15702.18203.exe (PID: 1872)
      • svchost015.exe (PID: 2320)

    • Reads security settings of Internet Explorer

      • svchost015.exe (PID: 2320)

    • Potential Corporate Privacy Violation

      • svchost015.exe (PID: 2320)

    • Connects to the server without a host name

      • svchost015.exe (PID: 2320)

  • INFO

    • Checks supported languages

      • SecuriteInfo.com.Trojan.Inject5.57588.15702.18203.exe (PID: 1872)
      • svchost015.exe (PID: 2320)

    • The sample compiled with chinese language support

      • SecuriteInfo.com.Trojan.Inject5.57588.15702.18203.exe (PID: 1872)

    • Create files in a temporary directory

      • SecuriteInfo.com.Trojan.Inject5.57588.15702.18203.exe (PID: 1872)
      • svchost015.exe (PID: 2320)

    • Compiled with Borland Delphi (YARA)

      • SecuriteInfo.com.Trojan.Inject5.57588.15702.18203.exe (PID: 1872)

    • Reads the computer name

      • svchost015.exe (PID: 2320)

    • The sample compiled with english language support

      • SecuriteInfo.com.Trojan.Inject5.57588.15702.18203.exe (PID: 1872)

    • Checks proxy server information

      • svchost015.exe (PID: 2320)
      • slui.exe (PID: 1352)

    • Reads the machine GUID from the registry

      • svchost015.exe (PID: 2320)

    • Creates files or folders in the user directory

      • svchost015.exe (PID: 2320)

    • Reads the software policy settings

      • svchost015.exe (PID: 2320)
      • slui.exe (PID: 1352)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Delphi generic (37.4)
.scr | Windows screen saver (34.5)
.exe | Win32 Executable (generic) (11.9)
.exe | Win16/32 Executable Delphi generic (5.4)
.exe | Generic Win/DOS Executable (5.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 494080
InitializedDataSize: 2997248
UninitializedDataSize: -
EntryPoint: 0x79814
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 3.7.0.1220
ProductVersionNumber: 3.7.0.1220
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
Comments: Fl as hGet3
CompanyName: Tren d Media Corporation Limited
FileDescription: FlashGet3
FileVersion: 3, 7, 0, 1220
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
138
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start securiteinfo.com.trojan.inject5.57588.15702.18203.exe #GCLEANER svchost015.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
1352C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
1872"C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Inject5.57588.15702.18203.exe" C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Inject5.57588.15702.18203.exe
explorer.exe
User:
admin
Company:
Tren d Media Corporation Limited
Integrity Level:
MEDIUM
Description:
FlashGet3
Exit code:
0
Version:
3, 7, 0, 1220
Modules
Images
c:\users\admin\appdata\local\temp\securiteinfo.com.trojan.inject5.57588.15702.18203.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
2320C:\Users\admin\AppData\Local\Temp\svchost015.exeC:\Users\admin\AppData\Local\Temp\svchost015.exe
SecuriteInfo.com.Trojan.Inject5.57588.15702.18203.exe
User:
admin
Company:
RealVNC Ltd
Integrity Level:
MEDIUM
Description:
VNC® Server Licensing
Exit code:
0
Version:
6.0.1 (r23971)
Modules
Images
c:\users\admin\appdata\local\temp\svchost015.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events
1 436
Read events
1 433
Write events
3
Delete events
0

Modification events

(PID) Process:(2320) svchost015.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(2320) svchost015.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(2320) svchost015.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
6
Suspicious files
11
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
2320svchost015.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9E62DD75009A293E0AF9565AE544F23E_62EF4F5924FC0DC7564A4F4F2942BB70binary
MD5:1C09BC68C9493C0098C6A9C5B857E94B
SHA256:326153FF4EEC8A12DF2CB690789214537D1B24C71D1E985D123C77923B6200FA
2320svchost015.exeC:\Users\admin\AppData\Local\Temp\wWEwEYBNKKWweF5Ew1tEYfeR\YCL.exeexecutable
MD5:7D93971CD051866725F8AB32C81BDCF1
SHA256:8E9721500C5E789DB49525011DC204305E8DD11F59A2E65BB3862C85BC58E48D
2320svchost015.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\fuckingdllENCR[1].dllbinary
MD5:4BC1EF6688690AF3DD8D3D70906A9F98
SHA256:7703A6B77C0B0935F5900A2D846CFA3AB59B46D03A1A0844F6BCB5CF9496B2FE
2320svchost015.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\service[1].htmbinary
MD5:CFCD208495D565EF66E7DFF9F98764DA
SHA256:5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
2320svchost015.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\service[1].htmbinary
MD5:CFCD208495D565EF66E7DFF9F98764DA
SHA256:5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
2320svchost015.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\soft[1]executable
MD5:7D93971CD051866725F8AB32C81BDCF1
SHA256:8E9721500C5E789DB49525011DC204305E8DD11F59A2E65BB3862C85BC58E48D
2320svchost015.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9E62DD75009A293E0AF9565AE544F23E_62EF4F5924FC0DC7564A4F4F2942BB70binary
MD5:093BD775C4B8F046A56B3EE30C589A6A
SHA256:64C659409BFC3AE405C48BB4F6E6F860DD7277143953126253448AC3CD17FA91
1872SecuriteInfo.com.Trojan.Inject5.57588.15702.18203.exeC:\Users\admin\AppData\Local\Temp\svcA0A5.tmpexecutable
MD5:45305A46E6F927367632F669995BB1F1
SHA256:524921FBBA041CE579B9E438D75F79B10AC5BC6165E23CC58AF106B2D4365A43
2320svchost015.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8binary
MD5:1FBB37F79B317A9A248E7C4CE4F5BAC5
SHA256:9BF639C595FE335B6F694EE35990BEFD2123F5E07FD1973FF619E3FC88F5F49F
2320svchost015.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12binary
MD5:64E0404E793B50210019C916C4E8B67C
SHA256:012B06519FF2A974FFACD3373E17804F02D3A7E1608DA658C0067B1DAC05E962
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
25
TCP/UDP connections
31
DNS requests
20
Threats
21

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
184.24.77.17:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2320
svchost015.exe
GET
200
142.250.185.163:80
http://c.pki.goog/r/gsr1.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2320
svchost015.exe
GET
200
142.250.185.163:80
http://c.pki.goog/r/r4.crl
unknown
whitelisted
2320
svchost015.exe
GET
200
142.250.185.163:80
http://o.pki.goog/we2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTuMJxAT2trYla0jia%2F5EUSmLrk3QQUdb7Ed66J9kQ3fc%2BxaB8dGuvcNFkCEQCLv9IIZH%2B2MBIS18%2FOut80
unknown
whitelisted
2320
svchost015.exe
GET
200
185.156.72.196:80
http://185.156.72.196/success?substr=mixtwo&s=three&sub=none
unknown
malicious
4644
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
4644
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
2320
svchost015.exe
GET
200
185.156.72.196:80
http://185.156.72.196/update
unknown
malicious
2320
svchost015.exe
GET
200
185.156.72.196:80
http://185.156.72.196/service
unknown
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5944
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
472
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
184.24.77.17:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5944
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2320
svchost015.exe
142.250.186.161:443
drive.usercontent.google.com
GOOGLE
US
whitelisted
2320
svchost015.exe
142.250.185.163:80
c.pki.goog
GOOGLE
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
whitelisted
google.com
  • 142.250.185.238
whitelisted
crl.microsoft.com
  • 184.24.77.17
  • 184.24.77.9
  • 184.24.77.23
  • 184.24.77.27
  • 184.24.77.15
  • 184.24.77.12
  • 184.24.77.33
  • 184.24.77.26
  • 184.24.77.13
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
drive.usercontent.google.com
  • 142.250.186.161
whitelisted
c.pki.goog
  • 142.250.185.163
whitelisted
o.pki.goog
  • 142.250.185.163
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
login.live.com
  • 40.126.31.130
  • 20.190.159.0
  • 40.126.31.129
  • 40.126.31.2
  • 20.190.159.130
  • 20.190.159.131
  • 20.190.159.64
  • 40.126.31.73
whitelisted

Threats

PID
Process
Class
Message
2320
svchost015.exe
A Network Trojan was detected
LOADER [ANY.RUN] GCleaner HTTP Header
2320
svchost015.exe
A Network Trojan was detected
LOADER [ANY.RUN] GCleaner HTTP Header
2320
svchost015.exe
A Network Trojan was detected
LOADER [ANY.RUN] GCleaner HTTP Header
2320
svchost015.exe
A Network Trojan was detected
LOADER [ANY.RUN] GCleaner HTTP Header
2320
svchost015.exe
A Network Trojan was detected
LOADER [ANY.RUN] GCleaner HTTP Header
2320
svchost015.exe
A Network Trojan was detected
LOADER [ANY.RUN] GCleaner HTTP Header
2320
svchost015.exe
A Network Trojan was detected
LOADER [ANY.RUN] GCleaner HTTP Header
2320
svchost015.exe
A Network Trojan was detected
LOADER [ANY.RUN] GCleaner HTTP Header
2320
svchost015.exe
A Network Trojan was detected
LOADER [ANY.RUN] GCleaner HTTP Header
2320
svchost015.exe
A Network Trojan was detected
LOADER [ANY.RUN] GCleaner HTTP Header
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
SecuriteInfo.com.Trojan.Inject5.57588.15702.18203