gcleaner | 0b984b1fcdbf934fdb457d7d64b3828a3017d1ccb18dcf8402c3d82ae6daa4af

Analysis

max time kernel
141s
max time network
146s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
01/05/2024, 07:13

Target

0b984b1fcdbf934fdb457d7d64b3828a3017d1ccb18dcf8402c3d82ae6daa4af.exe
Size

238KB
MD5

7f3f1badecce49078910e25c377b5097
SHA1

1934c64cc54196f5d9800b9ce868ecba0c430749
SHA256

0b984b1fcdbf934fdb457d7d64b3828a3017d1ccb18dcf8402c3d82ae6daa4af
SHA512

685ec80ef7b83e661863ab429910353434b32aed53597092072ed74d7147c4ce07157317527a9701fa3c35744c0b7bf56aae465eb5e3e6c4c885616319cf96b3
SSDEEP

3072:XVX2LoN6XejiWQgHvg+yhxN81eUs9vee+dIz7Tyr5BEasld:XbN6Xu7jv4UteIK7TyGl

Score

10^/10

gcleaner loader

Family

gcleaner

185.172.128.90

5.42.65.64

Attributes

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Program crash 7 IoCs

pid	pid_target	Process	procid_target
1796	2872	WerFault.exe	78
4040	2872	WerFault.exe	78
4568	2872	WerFault.exe	78
2240	2872	WerFault.exe	78
884	2872	WerFault.exe	78
2428	2872	WerFault.exe	78
2180	2872	WerFault.exe	78

C:\Users\Admin\AppData\Local\Temp\0b984b1fcdbf934fdb457d7d64b3828a3017d1ccb18dcf8402c3d82ae6daa4af.exe
"C:\Users\Admin\AppData\Local\Temp\0b984b1fcdbf934fdb457d7d64b3828a3017d1ccb18dcf8402c3d82ae6daa4af.exe"
1⤵
PID:2872
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 636
  2⤵
  - Program crash
  PID:1796
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 636
  2⤵
  - Program crash
  PID:4040
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 636
  2⤵
  - Program crash
  PID:4568
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 804
  2⤵
  - Program crash
  PID:2240
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 976
  2⤵
  - Program crash
  PID:884
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 984
  2⤵
  - Program crash
  PID:2428
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 776
  2⤵
  - Program crash
  PID:2180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2872 -ip 2872
1⤵
PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 2872 -ip 2872
1⤵
PID:956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2872 -ip 2872
1⤵
PID:1404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2872 -ip 2872
1⤵
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2872 -ip 2872
1⤵
PID:3216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2872 -ip 2872
1⤵
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2872 -ip 2872
1⤵
PID:2520

memory/2872-2-0x0000000002D60000-0x0000000002D8D000-memory.dmp

Filesize
180KB

Download
memory/2872-1-0x0000000002D90000-0x0000000002E90000-memory.dmp

Filesize
1024KB

Download
memory/2872-3-0x0000000000400000-0x0000000002AF9000-memory.dmp

Filesize
39.0MB

Download
memory/2872-6-0x0000000002D90000-0x0000000002E90000-memory.dmp

Filesize
1024KB

Download