gcleaner | 41520590fd911f3c057bfc6c55409e83963f4469a679afc14a750897c35a47ea

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-06-2024 09:40

Target

41520590fd911f3c057bfc6c55409e83963f4469a679afc14a750897c35a47ea.exe
Size

313KB
MD5

156ba1683fd49e67a52afcbef2a154ed
SHA1

3b416c5a550136532393f946a51dae46fb9cfd50
SHA256

41520590fd911f3c057bfc6c55409e83963f4469a679afc14a750897c35a47ea
SHA512

3b7ecc019f0fe652e4c97ac55385b73506288f693c237fa350ce427bd5edd18591f3a47d963ecf7e5de4fea02efe1822d9c0a6efd3ce9edbde4803a30d24058c
SSDEEP

6144:qU1/w/Po9Tc+7D29GuR0vUMhLqRg9XfE/:5w/Pov2ES0MYO

Score

10^/10

gcleaner loader

Family

gcleaner

185.172.128.90

5.42.64.56

185.172.128.69

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5064	3140	WerFault.exe	41520590fd911f3c057bfc6c55409e83963f4469a679afc14a750897c35a47ea.exe
4012	3140	WerFault.exe	41520590fd911f3c057bfc6c55409e83963f4469a679afc14a750897c35a47ea.exe
2160	3140	WerFault.exe	41520590fd911f3c057bfc6c55409e83963f4469a679afc14a750897c35a47ea.exe
3544	3140	WerFault.exe	41520590fd911f3c057bfc6c55409e83963f4469a679afc14a750897c35a47ea.exe
4032	3140	WerFault.exe	41520590fd911f3c057bfc6c55409e83963f4469a679afc14a750897c35a47ea.exe
3796	3140	WerFault.exe	41520590fd911f3c057bfc6c55409e83963f4469a679afc14a750897c35a47ea.exe
2696	3140	WerFault.exe	41520590fd911f3c057bfc6c55409e83963f4469a679afc14a750897c35a47ea.exe
2100	3140	WerFault.exe	41520590fd911f3c057bfc6c55409e83963f4469a679afc14a750897c35a47ea.exe
3108	3140	WerFault.exe	41520590fd911f3c057bfc6c55409e83963f4469a679afc14a750897c35a47ea.exe

C:\Users\Admin\AppData\Local\Temp\41520590fd911f3c057bfc6c55409e83963f4469a679afc14a750897c35a47ea.exe
"C:\Users\Admin\AppData\Local\Temp\41520590fd911f3c057bfc6c55409e83963f4469a679afc14a750897c35a47ea.exe"
1⤵
PID:3140
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 452
  2⤵
  - Program crash
  PID:5064
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 488
  2⤵
  - Program crash
  PID:4012
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 748
  2⤵
  - Program crash
  PID:2160
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 784
  2⤵
  - Program crash
  PID:3544
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 784
  2⤵
  - Program crash
  PID:4032
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 844
  2⤵
  - Program crash
  PID:3796
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 912
  2⤵
  - Program crash
  PID:2696
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 988
  2⤵
  - Program crash
  PID:2100
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 752
  2⤵
  - Program crash
  PID:3108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3140 -ip 3140
1⤵
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3140 -ip 3140
1⤵
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3140 -ip 3140
1⤵
PID:2968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3140 -ip 3140
1⤵
PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3140 -ip 3140
1⤵
PID:1704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3140 -ip 3140
1⤵
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3140 -ip 3140
1⤵
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3140 -ip 3140
1⤵
PID:2836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3140 -ip 3140
1⤵
PID:4920

memory/3140-3-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3140-1-0x00000000006E0000-0x00000000007E0000-memory.dmp

Filesize
1024KB

Download
memory/3140-2-0x0000000002080000-0x00000000020BC000-memory.dmp

Filesize
240KB

Download
memory/3140-4-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3140-6-0x00000000006E0000-0x00000000007E0000-memory.dmp

Filesize
1024KB

Download
memory/3140-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download