gcleaner | af911c18e8db38c977b5c4aa0670dead6974fc2e39ef6203d127d76de607d2a8

Analysis

max time kernel
61s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02-04-2023 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5af7df2863f9e16acab231850b56fb62421fb7f4e25a6fb1d04a25efd302db6.exe
Size

286KB
MD5

00f4a1f42c4f14b3abaac3aba9f3e96a
SHA1

d03c6f1fdd55baf30ef75b388619182e48f0b6f6
SHA256

e5af7df2863f9e16acab231850b56fb62421fb7f4e25a6fb1d04a25efd302db6
SHA512

325e08bba4a5cc0e3100bba6e70e9c192d678b5043084aa85945b62d805623936d3eaf5562c7c19a69ccbb160fd15f43ce21ffd33b15a34289f37ba2fab3ea40
SSDEEP

6144:SEqvWowyGiLdzcDWDYjR6q0u7jij2uBw6aBUqMrGQPA:YPwWdGR6ejij2uyn2

Score

10^/10

gcleaner loader

Malware Config

Extracted

Family

gcleaner

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Downloads MZ/PE file

Program crash 12 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2276	1400	WerFault.exe	e5af7df2863f9e16acab231850b56fb62421fb7f4e25a6fb1d04a25efd302db6.exe
4792	1400	WerFault.exe	e5af7df2863f9e16acab231850b56fb62421fb7f4e25a6fb1d04a25efd302db6.exe
2796	1400	WerFault.exe	e5af7df2863f9e16acab231850b56fb62421fb7f4e25a6fb1d04a25efd302db6.exe
100	1400	WerFault.exe	e5af7df2863f9e16acab231850b56fb62421fb7f4e25a6fb1d04a25efd302db6.exe
4248	1400	WerFault.exe	e5af7df2863f9e16acab231850b56fb62421fb7f4e25a6fb1d04a25efd302db6.exe
4292	1400	WerFault.exe	e5af7df2863f9e16acab231850b56fb62421fb7f4e25a6fb1d04a25efd302db6.exe
2408	1400	WerFault.exe	e5af7df2863f9e16acab231850b56fb62421fb7f4e25a6fb1d04a25efd302db6.exe
4136	1400	WerFault.exe	e5af7df2863f9e16acab231850b56fb62421fb7f4e25a6fb1d04a25efd302db6.exe
2736	1400	WerFault.exe	e5af7df2863f9e16acab231850b56fb62421fb7f4e25a6fb1d04a25efd302db6.exe
4684	1400	WerFault.exe	e5af7df2863f9e16acab231850b56fb62421fb7f4e25a6fb1d04a25efd302db6.exe
4808	1400	WerFault.exe	e5af7df2863f9e16acab231850b56fb62421fb7f4e25a6fb1d04a25efd302db6.exe
1868	1400	WerFault.exe	e5af7df2863f9e16acab231850b56fb62421fb7f4e25a6fb1d04a25efd302db6.exe

C:\Users\Admin\AppData\Local\Temp\e5af7df2863f9e16acab231850b56fb62421fb7f4e25a6fb1d04a25efd302db6.exe
"C:\Users\Admin\AppData\Local\Temp\e5af7df2863f9e16acab231850b56fb62421fb7f4e25a6fb1d04a25efd302db6.exe"
1⤵
PID:1400
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 740
  2⤵
  - Program crash
  PID:2276
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 748
  2⤵
  - Program crash
  PID:4792
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 748
  2⤵
  - Program crash
  PID:2796
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 772
  2⤵
  - Program crash
  PID:100
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 904
  2⤵
  - Program crash
  PID:4248
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 980
  2⤵
  - Program crash
  PID:4292
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 992
  2⤵
  - Program crash
  PID:2408
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 1496
  2⤵
  - Program crash
  PID:4136
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 1564
  2⤵
  - Program crash
  PID:2736
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 1500
  2⤵
  - Program crash
  PID:4684
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 1596
  2⤵
  - Program crash
  PID:4808
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 1772
  2⤵
  - Program crash
  PID:1868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1400 -ip 1400
1⤵
PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1400 -ip 1400
1⤵
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1400 -ip 1400
1⤵
PID:2564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1400 -ip 1400
1⤵
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1400 -ip 1400
1⤵
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1400 -ip 1400
1⤵
PID:2480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1400 -ip 1400
1⤵
PID:2224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1400 -ip 1400
1⤵
PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1400 -ip 1400
1⤵
PID:3788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1400 -ip 1400
1⤵
PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1400 -ip 1400
1⤵
PID:2544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1400 -ip 1400
1⤵
PID:1020

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1400-134-0x0000000002240000-0x0000000002280000-memory.dmp

Filesize
256KB

Download
memory/1400-140-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download