d847b98ee4ccdadf0a406fa42cac1de6132ed595bc3986c54e22a1b46e178aaa

Analysis

max time kernel
122s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
23/04/2024, 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GDLauncher.exe
Size

169.9MB
MD5

1e78a22ba51219a321c0ffe245871915
SHA1

d27ab1645110f5c9b29bf0d93775f414af9d8e90
SHA256

a9c23f5fd00df04dd51c57aa0fe46cc2af8c9e523dc3183018dad093f03ab1d1
SHA512

c4175a0f48042f285525c4f674003febaf385fd4ab63546502a467173a2f9bd3f66b0a233d84b685ae7dff5ccd0d986ffce5743519fb9f30db2b9a579ec6292d
SSDEEP

1572864:js+fxQiW1vVzbHpUcEtmLd7cF3PPHNzLuTe7ulsxM/Gyr/w7VoB4X+x2CFRXQQS5:2e8BWNg3DFxfq

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1500	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	core_module.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	GDLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	GDLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	GDLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	GDLauncher.exe

Loads dropped DLL 1 IoCs

pid	Process
5300	GDLauncher.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	GDLauncher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	GDLauncher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	GDLauncher.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	GDLauncher.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	GDLauncher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	GDLauncher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	GDLauncher.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\gdlauncher	GDLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\gdlauncher\URL Protocol	GDLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\gdlauncher\ = "URL:gdlauncher"	GDLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\gdlauncher\shell\open\command	GDLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\gdlauncher\shell	GDLauncher.exe
Key created	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\gdlauncher\shell\open	GDLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\gdlauncher\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\GDLauncher.exe\" \"%1\""	GDLauncher.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1736	powershell.exe
1736	powershell.exe
724	powershell.exe
724	powershell.exe
724	powershell.exe
1624	core_module.exe
1624	core_module.exe
1736	powershell.exe
1624	core_module.exe
1624	core_module.exe
1624	core_module.exe
5300	GDLauncher.exe
5300	GDLauncher.exe
5300	GDLauncher.exe
5300	GDLauncher.exe
5868	GDLauncher.exe
5868	GDLauncher.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	724	powershell.exe
Token: SeShutdownPrivilege	3724	GDLauncher.exe
Token: SeCreatePagefilePrivilege	3724	GDLauncher.exe
Token: SeIncreaseQuotaPrivilege	724	powershell.exe
Token: SeSecurityPrivilege	724	powershell.exe
Token: SeTakeOwnershipPrivilege	724	powershell.exe
Token: SeLoadDriverPrivilege	724	powershell.exe
Token: SeSystemProfilePrivilege	724	powershell.exe
Token: SeSystemtimePrivilege	724	powershell.exe
Token: SeProfSingleProcessPrivilege	724	powershell.exe
Token: SeIncBasePriorityPrivilege	724	powershell.exe
Token: SeCreatePagefilePrivilege	724	powershell.exe
Token: SeBackupPrivilege	724	powershell.exe
Token: SeRestorePrivilege	724	powershell.exe
Token: SeShutdownPrivilege	724	powershell.exe
Token: SeDebugPrivilege	724	powershell.exe
Token: SeSystemEnvironmentPrivilege	724	powershell.exe
Token: SeRemoteShutdownPrivilege	724	powershell.exe
Token: SeUndockPrivilege	724	powershell.exe
Token: SeManageVolumePrivilege	724	powershell.exe
Token: 33	724	powershell.exe
Token: 34	724	powershell.exe
Token: 35	724	powershell.exe
Token: 36	724	powershell.exe
Token: SeShutdownPrivilege	3724	GDLauncher.exe
Token: SeCreatePagefilePrivilege	3724	GDLauncher.exe
Token: SeShutdownPrivilege	3724	GDLauncher.exe
Token: SeCreatePagefilePrivilege	3724	GDLauncher.exe
Token: SeShutdownPrivilege	3724	GDLauncher.exe
Token: SeCreatePagefilePrivilege	3724	GDLauncher.exe
Token: SeShutdownPrivilege	3724	GDLauncher.exe
Token: SeCreatePagefilePrivilege	3724	GDLauncher.exe
Token: SeShutdownPrivilege	3724	GDLauncher.exe
Token: SeCreatePagefilePrivilege	3724	GDLauncher.exe
Token: SeShutdownPrivilege	3724	GDLauncher.exe
Token: SeCreatePagefilePrivilege	3724	GDLauncher.exe
Token: SeShutdownPrivilege	3724	GDLauncher.exe
Token: SeCreatePagefilePrivilege	3724	GDLauncher.exe
Token: SeShutdownPrivilege	3724	GDLauncher.exe
Token: SeCreatePagefilePrivilege	3724	GDLauncher.exe
Token: SeShutdownPrivilege	3724	GDLauncher.exe
Token: SeCreatePagefilePrivilege	3724	GDLauncher.exe
Token: SeShutdownPrivilege	3724	GDLauncher.exe
Token: SeCreatePagefilePrivilege	3724	GDLauncher.exe
Token: SeShutdownPrivilege	3724	GDLauncher.exe
Token: SeCreatePagefilePrivilege	3724	GDLauncher.exe
Token: SeShutdownPrivilege	3724	GDLauncher.exe
Token: SeCreatePagefilePrivilege	3724	GDLauncher.exe
Token: SeShutdownPrivilege	3724	GDLauncher.exe
Token: SeCreatePagefilePrivilege	3724	GDLauncher.exe
Token: SeShutdownPrivilege	3724	GDLauncher.exe
Token: SeCreatePagefilePrivilege	3724	GDLauncher.exe
Token: SeShutdownPrivilege	3724	GDLauncher.exe
Token: SeCreatePagefilePrivilege	3724	GDLauncher.exe
Token: SeShutdownPrivilege	3724	GDLauncher.exe
Token: SeCreatePagefilePrivilege	3724	GDLauncher.exe
Token: SeShutdownPrivilege	3724	GDLauncher.exe
Token: SeCreatePagefilePrivilege	3724	GDLauncher.exe
Token: SeShutdownPrivilege	3724	GDLauncher.exe
Token: SeCreatePagefilePrivilege	3724	GDLauncher.exe
Token: SeShutdownPrivilege	3724	GDLauncher.exe
Token: SeCreatePagefilePrivilege	3724	GDLauncher.exe
Token: SeShutdownPrivilege	3724	GDLauncher.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3724	GDLauncher.exe
3724	GDLauncher.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3724 wrote to memory of 5808	3724	GDLauncher.exe	94
PID 3724 wrote to memory of 5808	3724	GDLauncher.exe	94
PID 5808 wrote to memory of 4048	5808	cmd.exe	96
PID 5808 wrote to memory of 4048	5808	cmd.exe	96
PID 3724 wrote to memory of 2196	3724	GDLauncher.exe	97
PID 3724 wrote to memory of 2196	3724	GDLauncher.exe	97
PID 3724 wrote to memory of 1624	3724	GDLauncher.exe	98
PID 3724 wrote to memory of 1624	3724	GDLauncher.exe	98
PID 3724 wrote to memory of 5384	3724	GDLauncher.exe	100
PID 3724 wrote to memory of 5384	3724	GDLauncher.exe	100
PID 3724 wrote to memory of 5384	3724	GDLauncher.exe	100
PID 3724 wrote to memory of 5384	3724	GDLauncher.exe	100
PID 3724 wrote to memory of 5384	3724	GDLauncher.exe	100
PID 3724 wrote to memory of 5384	3724	GDLauncher.exe	100
PID 3724 wrote to memory of 5384	3724	GDLauncher.exe	100
PID 3724 wrote to memory of 5384	3724	GDLauncher.exe	100
PID 3724 wrote to memory of 5384	3724	GDLauncher.exe	100
PID 3724 wrote to memory of 5384	3724	GDLauncher.exe	100
PID 3724 wrote to memory of 5384	3724	GDLauncher.exe	100
PID 3724 wrote to memory of 5384	3724	GDLauncher.exe	100
PID 3724 wrote to memory of 5384	3724	GDLauncher.exe	100
PID 3724 wrote to memory of 5384	3724	GDLauncher.exe	100
PID 3724 wrote to memory of 5384	3724	GDLauncher.exe	100
PID 3724 wrote to memory of 5384	3724	GDLauncher.exe	100
PID 3724 wrote to memory of 5384	3724	GDLauncher.exe	100
PID 3724 wrote to memory of 5384	3724	GDLauncher.exe	100
PID 3724 wrote to memory of 5384	3724	GDLauncher.exe	100
PID 3724 wrote to memory of 5384	3724	GDLauncher.exe	100
PID 3724 wrote to memory of 5384	3724	GDLauncher.exe	100
PID 3724 wrote to memory of 5384	3724	GDLauncher.exe	100
PID 3724 wrote to memory of 5336	3724	GDLauncher.exe	101
PID 3724 wrote to memory of 5336	3724	GDLauncher.exe	101
PID 3724 wrote to memory of 5384	3724	GDLauncher.exe	100
PID 3724 wrote to memory of 5384	3724	GDLauncher.exe	100
PID 3724 wrote to memory of 5384	3724	GDLauncher.exe	100
PID 3724 wrote to memory of 5384	3724	GDLauncher.exe	100
PID 3724 wrote to memory of 5384	3724	GDLauncher.exe	100
PID 3724 wrote to memory of 5384	3724	GDLauncher.exe	100
PID 3724 wrote to memory of 5384	3724	GDLauncher.exe	100
PID 3724 wrote to memory of 5384	3724	GDLauncher.exe	100
PID 3724 wrote to memory of 3500	3724	GDLauncher.exe	102
PID 3724 wrote to memory of 3500	3724	GDLauncher.exe	102
PID 3724 wrote to memory of 5412	3724	GDLauncher.exe	103
PID 3724 wrote to memory of 5412	3724	GDLauncher.exe	103
PID 3724 wrote to memory of 5412	3724	GDLauncher.exe	103
PID 3724 wrote to memory of 5412	3724	GDLauncher.exe	103
PID 3724 wrote to memory of 5412	3724	GDLauncher.exe	103
PID 3724 wrote to memory of 5412	3724	GDLauncher.exe	103
PID 3724 wrote to memory of 5412	3724	GDLauncher.exe	103
PID 3724 wrote to memory of 5412	3724	GDLauncher.exe	103
PID 3724 wrote to memory of 5412	3724	GDLauncher.exe	103
PID 3724 wrote to memory of 5412	3724	GDLauncher.exe	103
PID 3724 wrote to memory of 5412	3724	GDLauncher.exe	103
PID 3724 wrote to memory of 5412	3724	GDLauncher.exe	103
PID 3724 wrote to memory of 5412	3724	GDLauncher.exe	103
PID 3724 wrote to memory of 5412	3724	GDLauncher.exe	103
PID 3724 wrote to memory of 5412	3724	GDLauncher.exe	103
PID 3724 wrote to memory of 5412	3724	GDLauncher.exe	103
PID 3724 wrote to memory of 5412	3724	GDLauncher.exe	103
PID 3724 wrote to memory of 5412	3724	GDLauncher.exe	103
PID 3724 wrote to memory of 5412	3724	GDLauncher.exe	103
PID 3724 wrote to memory of 5412	3724	GDLauncher.exe	103
PID 3724 wrote to memory of 5412	3724	GDLauncher.exe	103
PID 3724 wrote to memory of 5412	3724	GDLauncher.exe	103

C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe"
1⤵
- Checks computer location settings
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5808
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
    3⤵
    PID:4048
- C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
  C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\gdlauncher_carbon /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Crashpad --url=https://f.a.k/e --annotation=_productName=GDLauncher --annotation=_version=2.0.6 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=28.2.5 --initial-client-data=0x524,0x528,0x52c,0x518,0x530,0x7ff71e81f648,0x7ff71e81f654,0x7ff71e81f660
  2⤵
  PID:2196
- C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe
  C:\Users\Admin\AppData\Local\Temp\resources\binaries\core_module.exe --runtime_path C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\data
  2⤵
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  PID:1624
- - C:\Program Files\Java\jdk-1.8\bin\java.exe
    "C:\Program Files\Java\jdk-1.8\bin\java.exe" -cp C:\Users\Admin\AppData\Local\Temp JavaCheck
    3⤵
    PID:1592
  - - C:\Windows\system32\icacls.exe
      C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
      4⤵
      Modifies file permissions
      PID:1500
- - C:\Program Files\Java\jre-1.8\bin\java.exe
    "C:\Program Files\Java\jre-1.8\bin\java.exe" -cp C:\Users\Admin\AppData\Local\Temp JavaCheck
    3⤵
    PID:6004
- - C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_77343\java.exe
    "C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_77343\java.exe" -cp C:\Users\Admin\AppData\Local\Temp JavaCheck
    3⤵
    PID:2596
- - C:\Program Files\Java\jdk-1.8\bin\java.exe
    "C:\Program Files\Java\jdk-1.8\bin\java.exe" -cp C:\Users\Admin\AppData\Local\Temp JavaCheck
    3⤵
    PID:4532
- - C:\Program Files\Java\jre-1.8\bin\java.exe
    "C:\Program Files\Java\jre-1.8\bin\java.exe" -cp C:\Users\Admin\AppData\Local\Temp JavaCheck
    3⤵
    PID:3476
- C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
  "C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1844 --field-trial-handle=1848,i,13943583732712912370,4086354150899960712,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
  2⤵
  PID:5384
- C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
  C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe --type=cs --cs-app=GDLauncher
  2⤵
  PID:5336
- C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
  "C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --standard-schemes=owepm --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --streaming-schemes=owepm --mojo-platform-channel-handle=2308 --field-trial-handle=1848,i,13943583732712912370,4086354150899960712,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
  2⤵
  PID:3500
- C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
  "C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --standard-schemes=owepm --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --streaming-schemes=owepm --app-user-model-id=GDLauncher --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2616 --field-trial-handle=1848,i,13943583732712912370,4086354150899960712,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --skip-intro-animation=false /prefetch:1
  2⤵
  - Checks computer location settings
  PID:5412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1736
- C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
  "C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --standard-schemes=owepm --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --streaming-schemes=owepm --app-user-model-id=GDLauncher --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3580 --field-trial-handle=1848,i,13943583732712912370,4086354150899960712,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
  2⤵
  - Checks computer location settings
  PID:720
- C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
  "C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --standard-schemes=owepm --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --streaming-schemes=owepm --app-user-model-id=GDLauncher --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --node-integration-in-worker --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2940 --field-trial-handle=1848,i,13943583732712912370,4086354150899960712,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --uid=dibeihhdinofpmiennjkclnoidpjakanhclfmpmo --package-folder="C:\Users\Admin\AppData\Roaming\ow-electron" --app-root="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --muid=f5f58736-7798-afd4-93a1-afdb16c2bc11 --phase=46 --owepm-config="{\"phasing\":100}" --js-flags=--expose-gc /prefetch:1
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:5300
- C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe
  "C:\Users\Admin\AppData\Local\Temp\GDLauncher.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\gdlauncher_carbon" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2300 --field-trial-handle=1848,i,13943583732712912370,4086354150899960712,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
85e451c8c0d79908be704fce72dcd979

SHA1
705c8ae4fc069ecec48c5598132cd4ed12421d44

SHA256
db93527dddbf730097243826a058430e53f2d8cda25d1fc0b35f1aca288363d5

SHA512
497a47ea6ac8f1b859846efa5bfa47a528663b74f269e3b2192cb8400a5fcf3caf9d4a22bc83e061026a57fd5956236589822035378f6843fcf4a53e228d4d8b

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\905ebba3a8fc8cc.timestamp

Filesize
50B

MD5
a0c9c4cb63e4ec7eac03e5278911ae88

SHA1
6b109e5bbb0813d39450995ebdaa059e9f9272e5

SHA256
d2bfc5930c93f1fe28456de1b742ca18152db69737a296320b08e6554e0713eb

SHA512
d8af8efeb86a1b4a31ba52d25e05fd7a89c004e32f2b25371def3e01e41818a5a3aac1652bdae5e4402fbc7b8e84b6749d8d34501c78d091f8af0a9dba3f4789

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
06d16fea6ab505097d16fcaa32949d47

SHA1
0c1c719831fa41cd102d0d72d61c0f46ec5b8de8

SHA256
54e15de2bef9f651d7717e2a336ac6b2ea2b723e6f29d2b153d8fbbc89aef723

SHA512
03c00f1eebb51cec11703141ae9d9c3ac589f5495bc04d8a4b043714089a9d50bd3a520e4d72b4a4c99f5b9bf5f689bf2585fa5c7d4ddbe6f71cbba0172f593a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
2f87410b0d834a14ceff69e18946d066

SHA1
f2ec80550202d493db61806693439a57b76634f3

SHA256
5422bc17b852ad463110de0db9b59ffa4219e065d3e2843618d6ebbd14273c65

SHA512
a313702f22450ceff0a1d7f890b0c16cf667dbcd668dbafa6dbecd0791236c0bc68e834d12113cc75352365c2a2b6cfcf30b6ef7c97ea53ed135da50de389db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\JavaCheck.class

Filesize
1013B

MD5
8098d31488cd52db41f95188b9daed5e

SHA1
76988b607c667c86211fe1dfe57ed4aedacc5691

SHA256
c607f5871610bf9240c75f4abe947469496570b380f670e9d8d09f9c785978b5

SHA512
e2b4c54e78daba4a04d17915eded43a3f59a744108cf28baf4c22545d807338a39de052d69243ce610981b930e49790ba8be0f7b370e042a9526ef09e2b9fb78

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mobt3jib.ep4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Network\Network Persistent State

Filesize
624B

MD5
0907ac58f209ba2c8ae7b87a984e2886

SHA1
0ad619c929d663cb52d454fb697aa4a177fddcf5

SHA256
0f729de2193fd27af52cccbae1c26b8937ff72230434a1fb269d797bd27642b5

SHA512
8ebaac835911ea2f93b8d22eb08bfeab53ecea858a00371eb084ef5cdc4d3973ca9c836834cfc28fab36cce4ee8730c8011485a2947853e82ad863e75b8c4c58

Download Submit
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Partitions\__owepm__\Cache\Cache_Data\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Partitions\__owepm__\Cache\Cache_Data\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Partitions\__owepm__\Cache\Cache_Data\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Partitions\__owepm__\DawnCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Partitions\__owepm__\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Partitions\__owepm__\Network\Network Persistent State

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Partitions\__owepm__\Network\Network Persistent State

Filesize
761B

MD5
e382e8c6631b9b0ca8361af4385a4a8f

SHA1
fdc22f301e264f7f13b4e002f6d328fef6402a4a

SHA256
b11deccbbaf05656ad591d6959a4f169ba5561f073f522cccb585a4914b4e67b

SHA512
08cf3c3a2fcec15e8cefeb65ca383b7df05283632869869e60e477954f5b953e4c92b90ce4de6ff97f9de5c105ac7c86731d59b1b8dbef4e57149f8e7affb228

Download Submit
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\Shared Dictionary\cache\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Roaming\gdlauncher_carbon\sentry\scope_v3.json

Filesize
6KB

MD5
b6f046c5ebe02cfa2de2559b5fecb802

SHA1
f9b5b6192f532f65eb9724be335fb92aed90d19f

SHA256
2c37e17c47bd83a674154f406f58684d510f0be47b7af15dba3a121b397fad9b

SHA512
9f8cb467b33bf75ab9e9670cc0e56567f376fe56194c9f9d1f50c0715a2952b852651b32764a333b17adb37d0a1a36a552be0118c2d17c005a8d25c38b2b8fd5

Download Submit
C:\Users\Admin\AppData\Roaming\ow-electron\dibeihhdinofpmiennjkclnoidpjakanhclfmpmo\logs\utility\utility.log

Filesize
548B

MD5
5fe7f91626fbea7ffddd189b931ac204

SHA1
56a039919f8072384d9406cafcc6e8e28e155751

SHA256
88f9751196ea9950dc21e59b34815f802832aee3163bdefbdfc6e70df2166535

SHA512
11dec64f490c35ff6cb073754c243a98ed34d23145b741c2fa3595c859315bf0a5f77e78c8a6ec5510ff3ddea47e413b1b53104d63d55c4e7c69d72cb0f18010

Download Submit
C:\Users\Admin\AppData\Roaming\ow-electron\dibeihhdinofpmiennjkclnoidpjakanhclfmpmo\packages\jopghajpapbfooofklncedoalpgiaglgjaokpkon.owepk

Filesize
689KB

MD5
1aa9b2344cbf42ff93609215c5504429

SHA1
2b1ee6074ee2993b6edccb6a78e5ed9a38aef662

SHA256
03f48386dd35ae74e5b1208dfc423d79f91f364b3c56e3f7fa6eb1c1da23f6f7

SHA512
3a2a12595be77db890163f387fc0f3f379c8bce3a00515fcc9426d747788dc2251233357760738745058323ae6b82a2c1869171e8db6c7259ca71560e34df468

Download Submit
C:\Users\Admin\AppData\Roaming\ow-electron\dibeihhdinofpmiennjkclnoidpjakanhclfmpmo\packages\jopghajpapbfooofklncedoalpgiaglgjaokpkon\1.0.14\ow-electron-utility-plugin.node

Filesize
607KB

MD5
1655baa81ad104125f7b67cfe727fd75

SHA1
00c56f079a9d5df4e8d26c94337382a02d971870

SHA256
4afac59e7b1e7339117ca9cff131f6c9408f739406d18343b9694e31654af589

SHA512
c29831964711df2f03645804266323ca9c06c03dadbaf0864d6c6f5b6d3661d8ad1f5d2d528e7c7808faf450a7c1fde3ed65020360fa365fda6ec83866f76d30

Download Submit
memory/724-203-0x000002127DD10000-0x000002127DD86000-memory.dmp

Filesize
472KB

Download
memory/724-196-0x000002127D770000-0x000002127D780000-memory.dmp

Filesize
64KB

Download
memory/724-223-0x000002127DC90000-0x000002127DCB4000-memory.dmp

Filesize
144KB

Download
memory/724-234-0x00007FFF72080000-0x00007FFF72B41000-memory.dmp

Filesize
10.8MB

Download
memory/724-198-0x000002127DC40000-0x000002127DC84000-memory.dmp

Filesize
272KB

Download
memory/724-229-0x000002127D770000-0x000002127D780000-memory.dmp

Filesize
64KB

Download
memory/724-149-0x000002127D740000-0x000002127D762000-memory.dmp

Filesize
136KB

Download
memory/724-195-0x00007FFF72080000-0x00007FFF72B41000-memory.dmp

Filesize
10.8MB

Download
memory/724-222-0x000002127DC90000-0x000002127DCBA000-memory.dmp

Filesize
168KB

Download
memory/1592-339-0x0000023B28970000-0x0000023B28971000-memory.dmp

Filesize
4KB

Download
memory/1592-328-0x0000023B2A2C0000-0x0000023B2B2C0000-memory.dmp

Filesize
16.0MB

Download
memory/1592-420-0x0000023B2A2C0000-0x0000023B2B2C0000-memory.dmp

Filesize
16.0MB

Download
memory/1736-197-0x000001826CE50000-0x000001826CE60000-memory.dmp

Filesize
64KB

Download
memory/1736-227-0x00007FFF72080000-0x00007FFF72B41000-memory.dmp

Filesize
10.8MB

Download
memory/1736-187-0x000001826CE50000-0x000001826CE60000-memory.dmp

Filesize
64KB

Download
memory/1736-175-0x00007FFF72080000-0x00007FFF72B41000-memory.dmp

Filesize
10.8MB

Download
memory/2596-417-0x00000193EE120000-0x00000193EE121000-memory.dmp

Filesize
4KB

Download
memory/2596-411-0x00000193EFAF0000-0x00000193F0AF0000-memory.dmp

Filesize
16.0MB

Download
memory/2596-421-0x00000193EFAF0000-0x00000193F0AF0000-memory.dmp

Filesize
16.0MB

Download
memory/4532-468-0x000002832A780000-0x000002832A781000-memory.dmp

Filesize
4KB

Download
memory/4532-466-0x000002832A7A0000-0x000002832B7A0000-memory.dmp

Filesize
16.0MB

Download
memory/5412-77-0x00007FFF92A40000-0x00007FFF92A41000-memory.dmp

Filesize
4KB

Download
memory/5412-76-0x00007FFF930B0000-0x00007FFF930B1000-memory.dmp

Filesize
4KB

Download
memory/5868-443-0x000001E9C16C0000-0x000001E9C16C1000-memory.dmp

Filesize
4KB

Download
memory/5868-442-0x000001E9C16C0000-0x000001E9C16C1000-memory.dmp

Filesize
4KB

Download
memory/5868-441-0x000001E9C16C0000-0x000001E9C16C1000-memory.dmp

Filesize
4KB

Download
memory/5868-448-0x000001E9C16C0000-0x000001E9C16C1000-memory.dmp

Filesize
4KB

Download
memory/5868-452-0x000001E9C16C0000-0x000001E9C16C1000-memory.dmp

Filesize
4KB

Download
memory/5868-454-0x000001E9C16C0000-0x000001E9C16C1000-memory.dmp

Filesize
4KB

Download
memory/5868-456-0x000001E9C16C0000-0x000001E9C16C1000-memory.dmp

Filesize
4KB

Download
memory/5868-455-0x000001E9C16C0000-0x000001E9C16C1000-memory.dmp

Filesize
4KB

Download
memory/5868-453-0x000001E9C16C0000-0x000001E9C16C1000-memory.dmp

Filesize
4KB

Download
memory/5868-449-0x000001E9C16C0000-0x000001E9C16C1000-memory.dmp

Filesize
4KB

Download
memory/6004-361-0x000001CB87D60000-0x000001CB88D60000-memory.dmp

Filesize
16.0MB

Download
memory/6004-388-0x000001CB86480000-0x000001CB86481000-memory.dmp

Filesize
4KB

Download