gcleaner | 0df707ea4faac4b07939ac3a4cc235699451830cfb75f6d665a2a81f0bc125e6

Analysis

max time kernel
113s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08-04-2023 14:42

Target

99a3cebe3450021c771985d2414bfcae.exe
Size

260KB
MD5

99a3cebe3450021c771985d2414bfcae
SHA1

d0a5583d0ec903418fc1f8043f005824b11a6fdb
SHA256

0df707ea4faac4b07939ac3a4cc235699451830cfb75f6d665a2a81f0bc125e6
SHA512

d82d76d0cd5a8705c8122613920c82c7e7ff864159d3559ae9a0b4e4452ba72b11d78b935a60373c3b9bdafc14ec57dad1b423c7340085ae5bab443319560e91
SSDEEP

6144:kAYTwA8lsnpt1cuXdgn87eFsLniXf2LQaRgyXET:p0HmsnjXSn87eFsjtLQ0gms

Score

10^/10

gcleaner loader

Family

gcleaner

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4296	1996	WerFault.exe	99a3cebe3450021c771985d2414bfcae.exe
4388	1996	WerFault.exe	99a3cebe3450021c771985d2414bfcae.exe
1352	1996	WerFault.exe	99a3cebe3450021c771985d2414bfcae.exe
4752	1996	WerFault.exe	99a3cebe3450021c771985d2414bfcae.exe
2428	1996	WerFault.exe	99a3cebe3450021c771985d2414bfcae.exe
1300	1996	WerFault.exe	99a3cebe3450021c771985d2414bfcae.exe
100	1996	WerFault.exe	99a3cebe3450021c771985d2414bfcae.exe
5092	1996	WerFault.exe	99a3cebe3450021c771985d2414bfcae.exe

C:\Users\Admin\AppData\Local\Temp\99a3cebe3450021c771985d2414bfcae.exe
"C:\Users\Admin\AppData\Local\Temp\99a3cebe3450021c771985d2414bfcae.exe"
1⤵
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 740
2⤵
- Program crash
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 784
2⤵
- Program crash
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 784
2⤵
- Program crash
PID:1352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 848
2⤵
- Program crash
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 904
2⤵
- Program crash
PID:2428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 980
2⤵
- Program crash
PID:1300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 1316
2⤵
- Program crash
PID:100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 1200
2⤵
- Program crash
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1996 -ip 1996
1⤵
PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 1996 -ip 1996
1⤵
PID:1108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1996 -ip 1996
1⤵
PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1996 -ip 1996
1⤵
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1996 -ip 1996
1⤵
PID:3656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1996 -ip 1996
1⤵
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1996 -ip 1996
1⤵
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1996 -ip 1996
1⤵
PID:1884

memory/1996-134-0x00000000021E0000-0x0000000002220000-memory.dmp

Filesize
256KB

Download
memory/1996-135-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1996-136-0x00000000021E0000-0x0000000002220000-memory.dmp

Filesize
256KB

Download
memory/1996-140-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download