gcleaner | 0376c239f4324376c49264469fb4e0727f9c525191bf95c0128f9b51fdb0cad8

Analysis

max time kernel
138s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2023 22:22

Target

81cbb252bf93891c7ff2242c6e792e7dbfc1dcc39cb17ebb47f2b630a46ca4e8.exe
Size

286KB
MD5

04a0a92818fff9b931159046aae65313
SHA1

5d216cceee67ac22373e4ef81ae09f7bed148c3b
SHA256

81cbb252bf93891c7ff2242c6e792e7dbfc1dcc39cb17ebb47f2b630a46ca4e8
SHA512

cc24a04193961ee240719974f9969201bb6d21caad6c4cb6f428b0b6d6e1474409384a105f66d7f3f64da6b828d3c3d1c06f07798af18202d535f7864d4c53ad
SSDEEP

3072:hnyj+CWonmWRoMehGOiyks2d0rdyFrmsKgRJhqfI9Wcvta1xnid3GDHia0W5cqVd:t1nWRG0ZY2dPZrKg4fI9Bt2DbUqnP

Score

10^/10

gcleaner loader

Family

gcleaner

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4512	828	WerFault.exe	81cbb252bf93891c7ff2242c6e792e7dbfc1dcc39cb17ebb47f2b630a46ca4e8.exe
4528	828	WerFault.exe	81cbb252bf93891c7ff2242c6e792e7dbfc1dcc39cb17ebb47f2b630a46ca4e8.exe
5012	828	WerFault.exe	81cbb252bf93891c7ff2242c6e792e7dbfc1dcc39cb17ebb47f2b630a46ca4e8.exe
3060	828	WerFault.exe	81cbb252bf93891c7ff2242c6e792e7dbfc1dcc39cb17ebb47f2b630a46ca4e8.exe
2240	828	WerFault.exe	81cbb252bf93891c7ff2242c6e792e7dbfc1dcc39cb17ebb47f2b630a46ca4e8.exe
2208	828	WerFault.exe	81cbb252bf93891c7ff2242c6e792e7dbfc1dcc39cb17ebb47f2b630a46ca4e8.exe
4596	828	WerFault.exe	81cbb252bf93891c7ff2242c6e792e7dbfc1dcc39cb17ebb47f2b630a46ca4e8.exe
4080	3944	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\81cbb252bf93891c7ff2242c6e792e7dbfc1dcc39cb17ebb47f2b630a46ca4e8.exe
"C:\Users\Admin\AppData\Local\Temp\81cbb252bf93891c7ff2242c6e792e7dbfc1dcc39cb17ebb47f2b630a46ca4e8.exe"
1⤵
PID:828
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 740
  2⤵
  - Program crash
  PID:4512
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 776
  2⤵
  - Program crash
  PID:4528
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 768
  2⤵
  - Program crash
  PID:5012
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 832
  2⤵
  - Program crash
  PID:3060
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 912
  2⤵
  - Program crash
  PID:2240
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 916
  2⤵
  - Program crash
  PID:2208
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 972
  2⤵
  - Program crash
  PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 828 -ip 828
1⤵
PID:3880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 828 -ip 828
1⤵
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 828 -ip 828
1⤵
PID:1092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 828 -ip 828
1⤵
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 828 -ip 828
1⤵
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 828 -ip 828
1⤵
PID:3844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 828 -ip 828
1⤵
PID:4824

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 3944 -ip 3944
1⤵
PID:4360

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3944 -s 1764
1⤵
- Program crash
PID:4080

memory/828-134-0x0000000000850000-0x0000000000890000-memory.dmp

Filesize
256KB

Download
memory/828-135-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/828-136-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download