gcleaner | 4bb1431cfcd257535ab1564f7deb1a09d1ae51d50a8b596f119e531bed2b2a29

Analysis

max time kernel
91s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 19:41

Target

4bb1431cfcd257535ab1564f7deb1a09d1ae51d50a8b596f119e531bed2b2a29.exe
Size

261KB
MD5

4aa8769134b3c72f51496b2c57b9b3e4
SHA1

96451f042a02078bd49ec246cc86ebf79c698a5e
SHA256

4bb1431cfcd257535ab1564f7deb1a09d1ae51d50a8b596f119e531bed2b2a29
SHA512

18d865416983899c40c0fce87345fe00865ae87d8dfb045bca302dba4f6d4fdfb30a7c08a3ec08cf63f5f877fbc775b44f5903c93497a3b5e7c1535964a27aaf
SSDEEP

6144:wmr0muK5V/KeO5Gchf5mk7HS4RsLSiwHjkUA:nr0muveeGchf5mr4RsLSw

Score

10^/10

gcleaner loader

Family

gcleaner

185.172.128.90

5.42.64.3

5.42.65.115

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Downloads MZ/PE file

Program crash 7 IoCs

pid	pid_target	Process	procid_target
3064	4088	WerFault.exe	83
3428	4088	WerFault.exe	83
2756	4088	WerFault.exe	83
4144	4088	WerFault.exe	83
4868	4088	WerFault.exe	83
64	4088	WerFault.exe	83
776	4088	WerFault.exe	83

C:\Users\Admin\AppData\Local\Temp\4bb1431cfcd257535ab1564f7deb1a09d1ae51d50a8b596f119e531bed2b2a29.exe
"C:\Users\Admin\AppData\Local\Temp\4bb1431cfcd257535ab1564f7deb1a09d1ae51d50a8b596f119e531bed2b2a29.exe"
1⤵
PID:4088
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 748
  2⤵
  - Program crash
  PID:3064
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 768
  2⤵
  - Program crash
  PID:3428
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 796
  2⤵
  - Program crash
  PID:2756
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 760
  2⤵
  - Program crash
  PID:4144
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 904
  2⤵
  - Program crash
  PID:4868
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 980
  2⤵
  - Program crash
  PID:64
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 1288
  2⤵
  - Program crash
  PID:776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4088 -ip 4088
1⤵
PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4088 -ip 4088
1⤵
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4088 -ip 4088
1⤵
PID:60

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4088 -ip 4088
1⤵
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4088 -ip 4088
1⤵
PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4088 -ip 4088
1⤵
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4088 -ip 4088
1⤵
PID:3432

memory/4088-1-0x00000000006F0000-0x00000000007F0000-memory.dmp

Filesize
1024KB

Download
memory/4088-2-0x00000000005E0000-0x000000000061C000-memory.dmp

Filesize
240KB

Download
memory/4088-3-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4088-7-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4088-8-0x00000000005E0000-0x000000000061C000-memory.dmp

Filesize
240KB

Download