gcleaner | 8d373fe483977f095f6017d9d62190c73a48e75b55dbd81b933af93edb7de72b

Analysis

max time kernel
73s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
05-04-2023 12:05

Target

81a953d9ee346ef7115b1c34fcf387ca.exe
Size

340KB
MD5

81a953d9ee346ef7115b1c34fcf387ca
SHA1

27002576173bc56690b8ca08351d1d6e2941c92c
SHA256

8d373fe483977f095f6017d9d62190c73a48e75b55dbd81b933af93edb7de72b
SHA512

429bc8f616e66e76ddd0b2f83bc4ce15d9af5de982bef640a026c3a328c4049574f884f471290e3bb8870d5ce1eb075c74562cce5a072766f15e6be9abb20a8d
SSDEEP

6144:tjONygp6w335FFFu2/5OQ+KsPC1YB9vpDuxfPaW:tjONygww335FFFft+KKT8x3

Score

10^/10

gcleaner loader

Family

gcleaner

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Program crash 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2588	4488	WerFault.exe	81a953d9ee346ef7115b1c34fcf387ca.exe
2244	4488	WerFault.exe	81a953d9ee346ef7115b1c34fcf387ca.exe
2092	4488	WerFault.exe	81a953d9ee346ef7115b1c34fcf387ca.exe
5056	4488	WerFault.exe	81a953d9ee346ef7115b1c34fcf387ca.exe
2392	4488	WerFault.exe	81a953d9ee346ef7115b1c34fcf387ca.exe
760	4488	WerFault.exe	81a953d9ee346ef7115b1c34fcf387ca.exe
4508	4488	WerFault.exe	81a953d9ee346ef7115b1c34fcf387ca.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

81a953d9ee346ef7115b1c34fcf387ca.exe

pid process

4488 81a953d9ee346ef7115b1c34fcf387ca.exe
4488 81a953d9ee346ef7115b1c34fcf387ca.exe

pid	process
4488	81a953d9ee346ef7115b1c34fcf387ca.exe
4488	81a953d9ee346ef7115b1c34fcf387ca.exe

C:\Users\Admin\AppData\Local\Temp\81a953d9ee346ef7115b1c34fcf387ca.exe
"C:\Users\Admin\AppData\Local\Temp\81a953d9ee346ef7115b1c34fcf387ca.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 740
2⤵
- Program crash
PID:2588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 760
2⤵
- Program crash
PID:2244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 780
2⤵
- Program crash
PID:2092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 788
2⤵
- Program crash
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 904
2⤵
- Program crash
PID:2392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 1000
2⤵
- Program crash
PID:760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 960
2⤵
- Program crash
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4488 -ip 4488
1⤵
PID:1904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4488 -ip 4488
1⤵
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4488 -ip 4488
1⤵
PID:2828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4488 -ip 4488
1⤵
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4488 -ip 4488
1⤵
PID:1548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4488 -ip 4488
1⤵
PID:1668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4488 -ip 4488
1⤵
PID:1608

memory/4488-134-0x0000000000A90000-0x0000000000AD0000-memory.dmp

Filesize
256KB

Download
memory/4488-135-0x0000000000400000-0x0000000000809000-memory.dmp

Filesize
4.0MB

Download
memory/4488-137-0x0000000000400000-0x0000000000809000-memory.dmp

Filesize
4.0MB

Download