gcleaner | 463457050ebd391504c79b7da8c98340240d9883de6195fccd651345237a37a9

Analysis

max time kernel
291s
max time network
305s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
13-06-2024 22:46

Target

463457050ebd391504c79b7da8c98340240d9883de6195fccd651345237a37a9.exe
Size

307KB
MD5

916a4c477eafe95b07f7635752ca3473
SHA1

e2f44510657cbb811c49e795110c6867893c221c
SHA256

463457050ebd391504c79b7da8c98340240d9883de6195fccd651345237a37a9
SHA512

3ab8c61387d695c48e1f7d4afb563b8642e2149210fa60ae00ec28ea82bfdf54738754ec8310c72803bb2c48da68b5a9ea2cfce02d301f71d1b29826a5dcc8e3
SSDEEP

6144:fulNa5HvMMwbmzB5eN7aWXzDeTxFoFb4T:fulNa5H4SzB5epzDeTxFF

Score

10^/10

gcleaner loader

Family

gcleaner

185.172.128.90

185.172.128.69

Attributes

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3164	5032	WerFault.exe	463457050ebd391504c79b7da8c98340240d9883de6195fccd651345237a37a9.exe
4080	5032	WerFault.exe	463457050ebd391504c79b7da8c98340240d9883de6195fccd651345237a37a9.exe
1932	5032	WerFault.exe	463457050ebd391504c79b7da8c98340240d9883de6195fccd651345237a37a9.exe
2328	5032	WerFault.exe	463457050ebd391504c79b7da8c98340240d9883de6195fccd651345237a37a9.exe
4556	5032	WerFault.exe	463457050ebd391504c79b7da8c98340240d9883de6195fccd651345237a37a9.exe
1900	5032	WerFault.exe	463457050ebd391504c79b7da8c98340240d9883de6195fccd651345237a37a9.exe
168	5032	WerFault.exe	463457050ebd391504c79b7da8c98340240d9883de6195fccd651345237a37a9.exe
4908	5032	WerFault.exe	463457050ebd391504c79b7da8c98340240d9883de6195fccd651345237a37a9.exe

C:\Users\Admin\AppData\Local\Temp\463457050ebd391504c79b7da8c98340240d9883de6195fccd651345237a37a9.exe
"C:\Users\Admin\AppData\Local\Temp\463457050ebd391504c79b7da8c98340240d9883de6195fccd651345237a37a9.exe"
1⤵
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 764
2⤵
- Program crash
PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 776
2⤵
- Program crash
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 864
2⤵
- Program crash
PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 952
2⤵
- Program crash
PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 972
2⤵
- Program crash
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 1116
2⤵
- Program crash
PID:1900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 1128
2⤵
- Program crash
PID:168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 1216
2⤵
- Program crash
PID:4908

memory/5032-3-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5032-2-0x00000000008D0000-0x00000000008FD000-memory.dmp

Filesize
180KB

Download
memory/5032-1-0x00000000009B0000-0x0000000000AB0000-memory.dmp

Filesize
1024KB

Download
memory/5032-5-0x0000000000400000-0x0000000000686000-memory.dmp

Filesize
2.5MB

Download
memory/5032-6-0x00000000009B0000-0x0000000000AB0000-memory.dmp

Filesize
1024KB

Download
memory/5032-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download